Malware Analysis Report

2025-08-11 07:08

Sample ID 241017-sscr8ssfle
Target 527fea1558daa57b405f858d82a5826e_JaffaCakes118
SHA256 ef16e5b99f0809d749417ce067bee383c31700e197e2e649847d422be965c2ad
Tags
banker discovery evasion
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

ef16e5b99f0809d749417ce067bee383c31700e197e2e649847d422be965c2ad

Threat Level: Shows suspicious behavior

The file 527fea1558daa57b405f858d82a5826e_JaffaCakes118 was found to show suspicious behavior (score 7/10).

Malicious Activity Summary

banker discovery evasion

Loads dropped Dex/Jar

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Requests dangerous framework permissions

Reads information about phone network operator.

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-17 15:22

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-17 15:22

Reported

2024-10-17 15:25

Platform

android-x86-arm-20240624-en

Max time kernel

5s

Max time network

130s

Command Line

com.android.liulingwu

Signatures

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /storage/emulated/0/Android/data/wu/cu.zip | N/A | N/A
N/A | /storage/emulated/0/Android/data/wu/cu.zip | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Reads information about phone network operator.

discovery

Processes

com.android.liulingwu

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/storage/emulated/0/Android/data/wu/cu.zip --output-vdex-fd=44 --oat-fd=45 --oat-location=/storage/emulated/0/Android/data/wu/oat/x86/cu.odex --compiler-filter=quicken --class-loader-context=&
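As an added example that is not part of this sandbox report, the Python below reproduces the two checks behind the "Loads dropped Dex/Jar" signature on constructed input. It parses a dex2oat command line (a shortened copy of the one recorded above for com.android.liulingwu, with the truncated --class-loader-context tail omitted) and flags any --dex-file that lives outside the system or installed-app partitions, in particular anything under /storage/emulated/0; it then opens an archive, lists any classes*.dex entries and hashes it. The archive is a constructed stand-in with a placeholder classes.dex, since the page gives only the hashes of the real cu.zip, not its contents, and the trusted-prefix list is an assumption about a stock Android layout rather than something the report states.

```python
import hashlib
import io
import re
import shlex
import zipfile

# Constructed sample: a shortened copy of the dex2oat invocation recorded in the
# behavioral1 trace. The report's own line is cut off at --class-loader-context,
# so that option is omitted here rather than guessed.
SAMPLE_CMDLINE = (
    "/system/bin/dex2oat --instruction-set=x86 --runtime-arg -Xhidden-api-checks "
    "--boot-image=/system/framework/boot.art "
    "--dex-file=/storage/emulated/0/Android/data/wu/cu.zip "
    "--output-vdex-fd=44 --oat-fd=45 "
    "--oat-location=/storage/emulated/0/Android/data/wu/oat/x86/cu.odex "
    "--compiler-filter=quicken"
)

# Assumption: on a stock device, code compiled by dex2oat normally comes from
# these read-only or package-manager-controlled locations.
TRUSTED_PREFIXES = ("/system/", "/system_ext/", "/vendor/", "/product/",
                    "/apex/", "/data/app/")
# Shared/external storage: writable by the app itself and by anything holding
# WRITE_EXTERNAL_STORAGE, which this sample also requests.
EXTERNAL_PREFIXES = ("/storage/", "/sdcard/", "/mnt/sdcard/")


def parse_dex2oat(cmdline: str) -> dict:
    """Return dex2oat's --key=value options as {key: [values]}.

    Repeated options (the report shows --instruction-set-features twice) are
    kept as lists. --runtime-arg takes its value as the next token, so it is
    collected separately under the key "runtime-arg".
    """
    opts: dict = {}
    runtime_args = []
    tokens = shlex.split(cmdline)
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "--runtime-arg" and i + 1 < len(tokens):
            runtime_args.append(tokens[i + 1])
            i += 2
            continue
        if tok.startswith("--") and "=" in tok:
            key, value = tok[2:].split("=", 1)
            opts.setdefault(key, []).append(value)
        i += 1
    opts["runtime-arg"] = runtime_args
    return opts


def classify_dex_source(path: str) -> str:
    """Bucket a --dex-file path by who can write to it."""
    if path.startswith(EXTERNAL_PREFIXES):
        return "external-storage"
    if path.startswith(TRUSTED_PREFIXES):
        return "trusted"
    # e.g. /data/data/<pkg>/ or /data/user/0/<pkg>/: app-private but still
    # code the package manager never saw.
    return "app-writable"


def flag_dynamic_code_load(cmdline: str) -> list:
    """Return one finding per --dex-file that is not in a trusted location."""
    opts = parse_dex2oat(cmdline)
    findings = []
    for dex_path in opts.get("dex-file", []):
        source = classify_dex_source(dex_path)
        if source != "trusted":
            findings.append({
                "dex_file": dex_path,
                "source": source,
                "oat_location": opts.get("oat-location", [None])[0],
            })
    return findings


def inspect_dropped_archive(data: bytes) -> dict:
    """Hash a dropped archive and report whether it carries loadable dex code."""
    sha256 = hashlib.sha256(data).hexdigest()
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
    dex_entries = [n for n in names if re.fullmatch(r"classes\d*\.dex", n)]
    return {"sha256": sha256, "entries": names,
            "dex_entries": dex_entries, "loadable": bool(dex_entries)}


def build_constructed_archive() -> bytes:
    """Constructed stand-in for cu.zip: a zip holding a placeholder classes.dex
    (dex magic plus padding, not valid bytecode). The real file's bytes are
    not on the page, only its hashes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("classes.dex", b"dex\n035\0" + b"\0" * 32)
    return buf.getvalue()


if __name__ == "__main__":
    for f in flag_dynamic_code_load(SAMPLE_CMDLINE):
        print(f"dynamic code load from {f['source']}: {f['dex_file']}")
    print(inspect_dropped_archive(build_constructed_archive()))
```

Hashing at each load is what turns the Files section below into evidence: the same path is recorded there twice with different digests, which a per-event hash distinguishes from a plain re-load of an unchanged archive.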

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | (none, mDNS) | udp
GB | 142.250.187.206:443 | (none) | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.201.110:443 | android.apis.google.com | tcp

Files

The same path is recorded twice below with different hashes, so the archive at /storage/emulated/0/Android/data/wu/cu.zip was rewritten during the run; each capture corresponds to one of the two dex2oat loads listed under Signatures.

/storage/emulated/0/Android/data/wu/cu.zip

MD5 27767da9a20e0c7944d7c61dff416cf0
SHA1 f801cb3cbd26f526c2905fa77f4678217076685c
SHA256 1eb0b938c3a1b0008b289c53d0db83731119ad26066a1aea3f565908b95216b3
SHA512 0ffaacb3d917d133ffcf0418f8b2e4ae3e9a2a6028c44a7c4f1427185d9cce078bc364925f1507a8be5626edd8cc72bc01edba3851bbbe5c6f810a7e7beb3ebc

/storage/emulated/0/Android/data/wu/cu.zip

MD5 fcfd1aa04d087b04919326dea53bdc8e
SHA1 9ca95ef4ae5d69d98526c52596771aaacb462b64
SHA256 c635ecd002b8e136b813ed7d79e451ecd758137e9319a6a1a11f8339f772267c
SHA512 f142596fdb19a1719ede2ef1f5f44367ddd3c759468871db82b476a93a49231f467e9778694fe1766338b84c6c6b383a518ace39ac691e1f974f9878a788f944