Malware Analysis Report

2025-08-10 13:47

Sample ID 241017-vvpwpawemb
Target 52d067cb22ad6ef2b03e4f91468920be_JaffaCakes118
SHA256 cda975fef4ea0ef0f218ab99dbfc060ed2b807c2b34f25b8bd63414cebade0d4
Tags
banker discovery evasion impact persistence
score
7/10

Analysis Overview

score
7/10

SHA256

cda975fef4ea0ef0f218ab99dbfc060ed2b807c2b34f25b8bd63414cebade0d4

Threat Level: Shows suspicious behavior

The file 52d067cb22ad6ef2b03e4f91468920be_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

banker discovery evasion impact persistence

Loads dropped Dex/Jar

Queries the phone number (MSISDN for GSM devices)

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Queries information about the current Wi-Fi connection

Queries the mobile country code (MCC)

Requests dangerous framework permissions

Queries information about active data network

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

Checks CPU information

Checks memory information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-17 17:18

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-17 17:18

Reported

2024-10-17 17:22

Platform

android-x86-arm-20240910-en

Max time kernel

3s

Max time network

153s

Command Line

esxfxca.qd.bp

Signatures

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/esxfxca.qd.bp/oko.jar N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

esxfxca.qd.bp

Network


Files

/data/data/esxfxca.qd.bp/oko.jar.tmp

/data/data/esxfxca.qd.bp/oko.jar

/data/user/0/esxfxca.qd.bp/oko.jar

/data/data/esxfxca.qd.bp/databases/myqqdb-journal

/data/data/esxfxca.qd.bp/databases/myqqdb

/data/data/esxfxca.qd.bp/databases/myqqdb-shm

/data/data/esxfxca.qd.bp/databases/myqqdb-wal

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-17 17:18

Reported

2024-10-17 17:21

Platform

android-x86-arm-20240624-en

Max time network

133s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 142.250.200.46:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
US 1.1.1.1:53 android.apis.google.com udp
GB 172.217.169.46:443 android.apis.google.com tcp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-10-17 17:18

Reported

2024-10-17 17:22

Platform

android-x64-20240910-en

Max time network

151s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network


Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-10-17 17:18

Reported

2024-10-17 17:22

Platform

android-x64-arm64-20240910-en

Max time network

150s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network


Files

N/A