Malware Analysis Report

2025-08-10 13:47

Sample ID 241017-vd9vjavgqb
Target 52b6db2c04a04e316c1aa8fee122e753_JaffaCakes118
SHA256 a887f5a8629725f6c8704e0784be357fe2ff2e45900e0ac5ce8b652d7d813339
Tags
banker discovery evasion
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

a887f5a8629725f6c8704e0784be357fe2ff2e45900e0ac5ce8b652d7d813339

Threat Level: Shows suspicious behavior

The file 52b6db2c04a04e316c1aa8fee122e753_JaffaCakes118 was found to be: Shows suspicious behavior.

Malicious Activity Summary

banker discovery evasion

Loads dropped Dex/Jar

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Reads information about phone network operator.

Requests dangerous framework permissions

Checks CPU information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-17 16:53

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A
Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS N/A N/A
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows access to the list of accounts in the Accounts Service. android.permission.GET_ACCOUNTS N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-17 16:53

Reported

2024-10-17 16:56

Platform

android-x86-arm-20240910-en

Max time kernel

1s

Max time network

152s

Command Line

com.android.amili

Signatures

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /storage/emulated/0/Android/data/li/ci.zip N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Reads information about phone network operator.

discovery

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Processes

com.android.amili

Network

Country Destination Domain Proto
GB 216.58.201.110:443 tcp
GB 216.58.201.110:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 172.217.169.46:443 android.apis.google.com tcp
N/A 224.0.0.251:5353 udp
GB 172.217.169.42:443 tcp
GB 216.58.204.68:80 tcp
GB 216.58.204.68:443 tcp
GB 142.250.200.35:80 tcp
GB 216.58.201.98:443 tcp

Files

/storage/emulated/0/Android/data/li/ci.zip

MD5 b8c3d87fb67344cda23e9edc6e9e87a8
SHA1 75c8b016a0d10188eea4ac4cab45d371cdd377f4
SHA256 849298ae09391e6f07f738c44d5d1e379f7b853b7bf70996096fe29ad3474bf7
SHA512 7337f0c9d078e39a8b9c59115679491a913ae23a4d606bfa7962d25aa371cbc238bec926bcbccc45850de26888855d326fa893dcf32ccb57c39c7d56b8e3e94d

/storage/emulated/0/Android/data/li/ci.zip

MD5 f67d9fa0dce06f29ecc5f0203b5d8bce
SHA1 ee2bc5071821a9cc573f559c64d7eaf103befdf4
SHA256 222b771e63a3360884cc59f544190d744177d1de6d8ed20ae13a6611bedbf5fc
SHA512 1c144cd9081a59ab20c2acd147d08582efc78b303a75773e0bcf9b6c5436a43d2c8a44fdd19bf1fde62a0c0e3dda2feb4ef8f20f605987d343fedc6fddc46f0b