Malware Analysis Report

2025-08-11 07:08

Sample ID 241017-r9mhbsvflq
Target 526be06edea4e2e860adfe833b09dd51_JaffaCakes118
SHA256 e36b4c5aaff9be0e99fedeae418a75c0cb0fa685c83aafe0fb3a1ea545c344c9
Tags
banker discovery impact persistence
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

e36b4c5aaff9be0e99fedeae418a75c0cb0fa685c83aafe0fb3a1ea545c344c9

Threat Level: Shows suspicious behavior

The file 526be06edea4e2e860adfe833b09dd51_JaffaCakes118 was found to be: Shows suspicious behavior.

Malicious Activity Summary

banker discovery impact persistence

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Queries the phone number (MSISDN for GSM devices)

Requests dangerous framework permissions

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Queries information about active data network

Queries information about the current Wi-Fi connection

Reads information about phone network operator.

Uses Crypto APIs (Might try to encrypt user data)

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks CPU information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-17 14:53

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-17 14:53

Reported

2024-10-17 14:56

Platform

android-x86-arm-20240624-en

Max time kernel

68s

Max time network

130s

Command Line

wpz.wrov.otgsak

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description Indicator Process Target
N/A alog.umeng.com N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Reads information about phone network operator.

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Processes

wpz.wrov.otgsak

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 ip.taobao.com udp
CN 59.82.120.242:80 ip.taobao.com tcp
US 1.1.1.1:53 www.wosdk.cn udp
US 38.33.59.28:80 www.wosdk.cn tcp
US 1.1.1.1:53 wap.xykernel.cn udp
US 1.1.1.1:53 www.qingqu360.cn udp
US 1.1.1.1:53 alog.umeng.com udp
CN 223.109.148.177:80 alog.umeng.com tcp
HK 38.238.135.232:80 www.qingqu360.cn tcp
GB 142.250.200.46:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.206:443 android.apis.google.com tcp
CN 223.109.148.179:80 alog.umeng.com tcp
HK 38.238.135.232:80 www.qingqu360.cn tcp
CN 223.109.148.178:80 alog.umeng.com tcp
CN 223.109.148.141:80 alog.umeng.com tcp
HK 38.238.135.232:80 www.qingqu360.cn tcp
CN 223.109.148.176:80 alog.umeng.com tcp
CN 223.109.148.130:80 alog.umeng.com tcp
US 1.1.1.1:53 alog.umeng.co udp

Files

/data/data/wpz.wrov.otgsak/databases/xUtils_http_cookie.db-journal

MD5 fd1271e80f2be33c36e5b24afba97a02
SHA1 8c02820161c3457e8b6c83bc35a0ef597797daf2
SHA256 b641509e29233764c86884e70319f17f553af564dbba674de4772ed97a6529cb
SHA512 b1739f7e2ee2086528b98cfd41db7635cbf3789a1d38276705a59843284a6088336a81ada64b2d1afcbee45c0167592a8a91164c37eeb5eb10edda9d04d2c02f

/data/data/wpz.wrov.otgsak/databases/xUtils_http_cookie.db

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/wpz.wrov.otgsak/databases/xUtils_http_cookie.db-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/wpz.wrov.otgsak/databases/xUtils_http_cookie.db-wal

MD5 05935ec418fd7c8ecacffb09ce80fed4
SHA1 9299e5c584eed55e5e94e4796ede9f32524fee34
SHA256 63f79cc00dd4fb6a0872a8218de102db9c157dd8e219dc5ebcb08a4de8952e29
SHA512 edc7c3d627d75e0700a8e126f5e35263576d8b37113a086382743d34efc1d3706fe63babcab63c2fb616d211b08666eefef4a887bfdae3cc011b9d863f80b984

/data/data/wpz.wrov.otgsak/files/umeng_it.cache

MD5 0d1a29d4a5c01fc184ef2173116dcb26
SHA1 8053ca274f9c1bbf05d5dfd1b1eab0321cbba34d
SHA256 3e9203322916001205b77cf39b38e7676668fee438da32bf347a68729475ada0
SHA512 42c0248768fff88a6d981f9edfb00f6ae4fd5db93f89f1f8e145bf151462ca99abd8a495245895e5a99a70b3ce78bc47f09955df890abdb0bdb31c4b4deba86a

/data/data/wpz.wrov.otgsak/files/.umeng/exchangeIdentity.json

MD5 fd94e98ce20d1c92a67a7fc65be407d4
SHA1 087553f36e5c4a245b28553079a022e0db6eb8c0
SHA256 aa65a86acac215abeb489e3ae927fa11e424a635110fa182415feac581577353
SHA512 468d53c9862e11e7a398fd531c69cf9bccab0e4577ad1e29baa17f4ca3f7af6b609ed4dab5cddc08687a81d81db8570b8553ef0e3e04e03080e4c0c72a14cb2d

/data/data/wpz.wrov.otgsak/files/.um/um_cache_1729176893164.env

MD5 7e503d2fb933e6b9589418edf014b7fe
SHA1 945fcb0ccf0e3b5ee2bcadbb2375b56c9852ecc6
SHA256 ce266afe0ecab2ea48ec2462f8ff71fbcd05e408f53447238ee0e234e42f6814
SHA512 c6b077b7203900523e776cb2818690e52f75483cf3047b9b7d0668b6a47fdfa6197f4e4ce86a9cee98408476a9b43663950a9ee4f2973502354a15dd929b6aeb