Malware Analysis Report

2025-08-10 13:47

Sample ID 241017-w4wk9syejf
Target 531469fedd0085f4d2471cbe11b53b38_JaffaCakes118
SHA256 6ffee7d16d48d1eb6472db7fc48f42f0423bfa791dab14c0f364cc85cbcf2ecb
Tags
banker discovery evasion
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

6ffee7d16d48d1eb6472db7fc48f42f0423bfa791dab14c0f364cc85cbcf2ecb

Threat Level: Shows suspicious behavior

The file 531469fedd0085f4d2471cbe11b53b38_JaffaCakes118 was found to be: Shows suspicious behavior.

Malicious Activity Summary

banker discovery evasion

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Loads dropped Dex/Jar

Reads information about phone network operator.

Requests dangerous framework permissions

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-17 18:29

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A
Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS N/A N/A
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A
Required to be able to access the camera device. android.permission.CAMERA N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-17 18:29

Reported

2024-10-17 18:31

Platform

android-x86-arm-20240624-en

Max time kernel

4s

Max time network

130s

Command Line

com.android.liulingwu

Signatures

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /storage/emulated/0/Android/data/wu/cu.zip N/A N/A
N/A /storage/emulated/0/Android/data/wu/cu.zip N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Reads information about phone network operator.

discovery

Processes

com.android.liulingwu

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/storage/emulated/0/Android/data/wu/cu.zip --output-vdex-fd=44 --oat-fd=45 --oat-location=/storage/emulated/0/Android/data/wu/oat/x86/cu.odex --compiler-filter=quicken --class-loader-context=&

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 216.58.204.78:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.179.238:443 android.apis.google.com tcp

Files

/storage/emulated/0/Android/data/wu/cu.zip

MD5 27767da9a20e0c7944d7c61dff416cf0
SHA1 f801cb3cbd26f526c2905fa77f4678217076685c
SHA256 1eb0b938c3a1b0008b289c53d0db83731119ad26066a1aea3f565908b95216b3
SHA512 0ffaacb3d917d133ffcf0418f8b2e4ae3e9a2a6028c44a7c4f1427185d9cce078bc364925f1507a8be5626edd8cc72bc01edba3851bbbe5c6f810a7e7beb3ebc

/storage/emulated/0/Android/data/wu/cu.zip

MD5 fcfd1aa04d087b04919326dea53bdc8e
SHA1 9ca95ef4ae5d69d98526c52596771aaacb462b64
SHA256 c635ecd002b8e136b813ed7d79e451ecd758137e9319a6a1a11f8339f772267c
SHA512 f142596fdb19a1719ede2ef1f5f44367ddd3c759468871db82b476a93a49231f467e9778694fe1766338b84c6c6b383a518ace39ac691e1f974f9878a788f944