Malware Analysis Report

2025-08-10 13:46

Sample ID 241017-w6fb3asarm
Target 5317bbac93b3477260ab2ffbb840826e_JaffaCakes118
SHA256 2c64b3570597f0a8a6ca83943be338b78e0d048309596ee171ab535cbc253d28
Tags
banker discovery impact persistence
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

2c64b3570597f0a8a6ca83943be338b78e0d048309596ee171ab535cbc253d28

Threat Level: Shows suspicious behavior

5317bbac93b3477260ab2ffbb840826e_JaffaCakes118 was rated "shows suspicious behavior" (score 7/10). The tags below come from generic heuristics; no signature in this report matches a named malware family.

Malicious Activity Summary

banker discovery impact persistence

Queries information about running processes on the device

Queries the phone number (MSISDN for GSM devices)

Queries a list of all the installed applications on the device (package enumeration lets an app pick a target to overlay; together with the SYSTEM_ALERT_WINDOW permission this is what the banker tag rests on. App stores and updaters enumerate packages legitimately, so treat it as a heuristic, not proof.)

Queries information about the current Wi-Fi connection

Reads information about the phone network operator

Requests dangerous framework permissions

Queries information about active data network

Registers a broadcast receiver at runtime (listens for system events only for as long as the process lives; this alone is not boot persistence)

Uses Crypto APIs (a javax.crypto.Cipher.doFinal call; generic, and on its own not evidence that user data is being encrypted)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-17 18:31

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A

SYSTEM_ALERT_WINDOW and WRITE_SETTINGS are not granted through the runtime permission dialog: the user has to enable them on a Settings screen (ACTION_MANAGE_OVERLAY_PERMISSION, ACTION_MANAGE_WRITE_SETTINGS), so declaring them in the manifest does not by itself mean the sample can draw overlays on a stock device. SYSTEM_ALERT_WINDOW is the permission the overlay (banker) heuristic depends on.

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-17 18:31

Reported

2024-10-17 18:34

Platform

android-x86-arm-20240624-en

Max time kernel

133s

Max time network

151s

Command Line

com.sogou.appmall

Signatures

Queries a list of all the installed applications on the device (package enumeration lets an app pick a target to overlay; with SYSTEM_ALERT_WINDOW requested this drives the banker tag, but app stores and updaters enumerate packages legitimately)

banker discovery

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Reads information about phone network operator.

discovery

Registers a broadcast receiver at runtime (listens for system events only while the process lives; surviving a reboot would need a manifest-declared receiver, which this run does not show)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Uses Crypto APIs (a single Cipher.doFinal indicator; generic, and not by itself evidence of data encryption for impact)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A
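The permission table from static1 and the indicator rows from behavioral1 are what an analyst actually scores. The following is an added example, not the sandbox's own scoring code: the inputs are copied from this report, and the rules (both halves of the overlay heuristic required for "banker", runtime registerReceiver and Cipher.doFinal downgraded to low confidence, special-access permissions called out) are this example's assumptions.

```python
"""Triage the static1 permissions and behavioral1 signature rows of this report.
Added example: inputs copied from the report, scoring rules are assumptions."""
from dataclasses import dataclass, field

# Constructed from static1 "Requests dangerous framework permissions".
PERMISSIONS = [
    "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.CAMERA",
    "android.permission.READ_PHONE_STATE",
    "android.permission.SYSTEM_ALERT_WINDOW",
    "android.permission.WRITE_SETTINGS",
]

# Constructed from the behavioral1 indicator rows.
FRAMEWORK_CALLS = [
    "android.app.IActivityManager.getRunningAppProcesses",
    "android.net.IConnectivityManager.getActiveNetworkInfo",
    "android.net.wifi.IWifiManager.getConnectionInfo",
    "android.app.IActivityManager.registerReceiver",
    "javax.crypto.Cipher.doFinal",
]

# Behaviors the report lists without an indicator row.
BEHAVIORS = {"installed_apps_enumerated", "msisdn_queried", "operator_read"}

OVERLAY = "android.permission.SYSTEM_ALERT_WINDOW"
# Granted on a Settings screen (ACTION_MANAGE_OVERLAY_PERMISSION,
# ACTION_MANAGE_WRITE_SETTINGS), not through the runtime permission dialog.
SPECIAL_ACCESS = {OVERLAY, "android.permission.WRITE_SETTINGS"}


@dataclass
class Verdict:
    tags: set = field(default_factory=set)
    reasons: list = field(default_factory=list)
    low_confidence: list = field(default_factory=list)


def triage(perms, calls, behaviors):
    v = Verdict()
    perms, calls, behaviors = set(perms), set(calls), set(behaviors)

    # Banker heuristic needs both halves: package enumeration tells the app
    # which target is installed, the overlay permission lets it draw a fake
    # login window on top of that target.
    enumerates = "installed_apps_enumerated" in behaviors
    if OVERLAY in perms and enumerates:
        v.tags.add("banker")
        v.reasons.append("overlay permission plus package enumeration")
    elif OVERLAY in perms or enumerates:
        v.low_confidence.append("only one half of the overlay heuristic present")

    if behaviors & {"msisdn_queried", "operator_read"} or \
            "android.net.wifi.IWifiManager.getConnectionInfo" in calls:
        v.tags.add("discovery")
        v.reasons.append("device/network fingerprinting (MSISDN, operator, Wi-Fi)")
    if "android.app.IActivityManager.getRunningAppProcesses" in calls:
        v.tags.add("discovery")
        v.reasons.append("running-process enumeration")

    # A runtime-registered receiver dies with the process; surviving a reboot
    # needs a manifest receiver (e.g. BOOT_COMPLETED), which these rows lack.
    if "android.app.IActivityManager.registerReceiver" in calls:
        v.low_confidence.append("runtime registerReceiver is not boot persistence")

    # Cipher.doFinal is hit by token storage, pinning and third-party SDKs alike.
    if "javax.crypto.Cipher.doFinal" in calls:
        v.low_confidence.append("Cipher.doFinal alone does not show data encryption for impact")

    for p in sorted(perms & SPECIAL_ACCESS):
        v.reasons.append(f"{p} is granted via a Settings screen, not the runtime dialog")
    return v


if __name__ == "__main__":
    verdict = triage(PERMISSIONS, FRAMEWORK_CALLS, BEHAVIORS)
    print("tags:", sorted(verdict.tags))
    for line in verdict.reasons + verdict.low_confidence:
        print(" -", line)
```

Run against this report the script reproduces the banker and discovery tags and demotes the persistence and impact tags to low confidence; drop SYSTEM_ALERT_WINDOW from the permission list and the banker tag disappears, which is the point: the tag hangs on one permission plus one API call.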

Processes

com.sogou.appmall

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | - | udp
US | 1.1.1.1:53 | api2.sharesdk.cn | udp
CN | 115.227.43.65:5566 | api2.sharesdk.cn | tcp
US | 1.1.1.1:53 | api.app.i.sogou.com | udp
US | 1.1.1.1:53 | pb.sogou.com | udp
CN | 36.155.183.169:80 | pb.sogou.com | tcp
GB | 216.58.204.78:443 | - | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.178.14:443 | android.apis.google.com | tcp
CN | 36.155.167.208:80 | pb.sogou.com | tcp
CN | 36.155.183.168:80 | pb.sogou.com | tcp
CN | 36.155.166.212:80 | pb.sogou.com | tcp
CN | 36.150.217.117:80 | pb.sogou.com | tcp
US | 1.1.1.1:53 | api2.sharesdk.cn | udp
CN | 115.227.43.65:5566 | api2.sharesdk.cn | tcp

Reading the table: 224.0.0.251:5353 is the mDNS multicast address (link-local discovery, not an outbound contact); the 1.1.1.1:53 rows are lookups through the sandbox's DNS resolver and show only what was resolved; android.apis.google.com and the unnamed Google-range host 216.58.204.78:443 are typically Android platform traffic rather than the sample's own. What is attributable to the sample is api2.sharesdk.cn (a third-party social-sharing SDK endpoint) reached on the non-standard port 5566, and pb.sogou.com reached over cleartext HTTP on five addresses. api.app.i.sogou.com was resolved but never contacted within the 151 s network window.
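Turning the table into indicators means separating the sample's connections from resolver, multicast and platform noise. The script below is an added example, not part of the sandbox report: the table text is copied from above, and the noise rules (1.1.1.1 as the VM's resolver, multicast destinations, *.google.com as Android system traffic) are assumptions that fit this run and should be adjusted for another sandbox.

```python
"""Extract IOCs from the behavioral1 Network table of this report.
Added example; table text copied from the report, noise rules are assumptions."""
import ipaddress

# Constructed from the Network table: country, destination, [domain], proto.
REPORT_NETWORK = """\
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 api2.sharesdk.cn udp
CN 115.227.43.65:5566 api2.sharesdk.cn tcp
US 1.1.1.1:53 api.app.i.sogou.com udp
US 1.1.1.1:53 pb.sogou.com udp
CN 36.155.183.169:80 pb.sogou.com tcp
GB 216.58.204.78:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.178.14:443 android.apis.google.com tcp
CN 36.155.167.208:80 pb.sogou.com tcp
CN 36.155.183.168:80 pb.sogou.com tcp
CN 36.155.166.212:80 pb.sogou.com tcp
CN 36.150.217.117:80 pb.sogou.com tcp
US 1.1.1.1:53 api2.sharesdk.cn udp
CN 115.227.43.65:5566 api2.sharesdk.cn tcp
"""

SANDBOX_RESOLVER = ipaddress.ip_address("1.1.1.1")  # assumption: the VM's DNS server
PLATFORM_SUFFIXES = (".google.com",)                 # assumption: Android system traffic
STANDARD_PORTS = {80, 443}


def parse_rows(text):
    """Parse the flattened table; the domain column is optional."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            country, dest, proto = parts
            domain = None
        elif len(parts) == 4:
            country, dest, domain, proto = parts
        else:
            continue
        host, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ipaddress.ip_address(host),
                     "port": int(port), "domain": domain, "proto": proto})
    return rows


def extract_iocs(text):
    resolved, endpoints, unattributed, flags = set(), set(), set(), set()
    for r in parse_rows(text):
        if r["ip"].is_multicast:                       # mDNS and friends, link-local
            continue
        if r["domain"] and r["domain"].endswith(PLATFORM_SUFFIXES):
            continue
        if r["ip"] == SANDBOX_RESOLVER and r["port"] == 53:
            if r["domain"]:
                resolved.add(r["domain"])              # a lookup, not a contact
            continue
        if r["domain"] is None:
            unattributed.add(f"{r['ip']}:{r['port']}")  # needs manual attribution
            continue
        endpoints.add((r["domain"], str(r["ip"]), r["port"], r["proto"]))
        if r["port"] not in STANDARD_PORTS:
            flags.add((r["domain"], f"non-standard port {r['port']}"))
        elif r["port"] == 80:
            flags.add((r["domain"], "cleartext HTTP"))
    contacted = {d for d, *_ in endpoints}
    return {
        "endpoints": sorted(endpoints),
        "dns_only": sorted(resolved - contacted),      # resolved but never connected
        "unattributed": sorted(unattributed),
        "flags": sorted(flags),
    }


if __name__ == "__main__":
    for key, value in extract_iocs(REPORT_NETWORK).items():
        print(key)
        for item in value:
            print("  ", item)
```

Duplicate rows (the repeated api2.sharesdk.cn lookup and connection) collapse into one endpoint each, and the bare 216.58.204.78:443 row is kept in a separate "unattributed" bucket rather than dropped, so it is still reviewed rather than silently assumed to be platform noise.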

Files

/data/data/com.sogou.appmall/databases/appmall.db-journal

MD5 ff153e66ac95138b69691ae4a4e70672
SHA1 d221b88da2f87656f9e130821696c534c6548b97
SHA256 776c4c80e9990977bd33dd1abf78a221f0d5a6b7088cd04720b17feddb2c212c
SHA512 125e4d2ad6267eb074d51b76fa5186aac76400f3184ab5e074d8d199a577ce347cb442ad5e64f97a7d1afcdaa3754fc4becc579b59614eae0c430326f500b76b

/data/data/com.sogou.appmall/databases/appmall.db

MD5 3a9fc2769bc39c698ecb05e61110f951
SHA1 554f2ce58813a9496f0592c9965a5e180e5126ed
SHA256 a74b00f41f411b651cdfa7915d744930faceb3a65fc3f64dda8365860d4ba78d
SHA512 4a4f5d207f9e5db20678a8d678d583f5fcab4fff14196f45f348e57879bf0ce8bbbd86a290da34dd83a211943fb095b4dd333717f31a2c6cf5269f0a378d320c

/data/data/com.sogou.appmall/databases/appmall.db-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.sogou.appmall/databases/appmall.db-wal

MD5 67513d3d3e7099f1a90df6760f3afc25
SHA1 f1cb8e0ed6b7b2d3c1fb0f8ff147eb70794f8f85
SHA256 c4fb7a910014565d6c43f455f72cf373fff5f17a4aea361f91030b1ceaddac8d
SHA512 541c68ad9cfca6b40e0cd91259239ab776c98417e68b50318c27cb95bed3b471a562d7f1e04f0a3092650dfe499175e919abd4d7ba5d7e7734e2d89234e0f2a1

/data/data/com.sogou.appmall/files/from.cfg

MD5 5a1c145c55125fb2e1ed38f69d7b6af8
SHA1 64f16262542fca0724eaaa12d533d6318006cee1
SHA256 48ff134c8b60b845bb4d76dd291748356d0fc20d6366bf8caa60a82055d119ef
SHA512 665434921a604b12e7c3449337050692ad51a38668e18373cc61e0e8fcab3ff3b9a60957a9898a2a7cbabab0b8c593921087a86f013ecaa92efd8df77f8ec200

/data/data/com.sogou.appmall/databases/sogou_upd_downloads.db-journal

MD5 d119f8fe0c4fe8e79e45355369607ece
SHA1 cd7152e111c481460e5ed741d1f7703746f8eff1
SHA256 463eae74fa3744501918645fa220e1110fceba17e2c3271a5fcf8edcaba7f2d4
SHA512 84a76e63ac96141e83a578d872e500607dbd48c18f871318689005a135f1c88e596a3afa0509d0a8b90b6bf54ed220876829305c71e657fb99a2303b4239ab18

/data/data/com.sogou.appmall/databases/sogou_upd_downloads.db

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.sogou.appmall/databases/sogou_upd_downloads.db-wal

MD5 19d8fe08c06dd8d9657bbcfad0d5aaa6
SHA1 4345f980be69510fb1c779cbf4f704747695fb4d
SHA256 9697acb013ba2dd5531d609e46707fdd3cfe664879761d224764b4e00fa03e20
SHA512 3600f5a5266db4707305985ceb5beab9c8319861bd8c9fec5ad4dd24b7c8eb25453b2e4d888f306aa8e422fe47498ce1d8b347ad2e50ca613f7880fd9e6ec61a

/data/data/com.sogou.appmall/databases/remnant_fp.db

MD5 6b784e56b1f695399bf853cd14e73526
SHA1 d0a6aff2f3f2c515af7ca643fa30c7c2fc445265
SHA256 3ec1f9d73d13e495322f2bc2f4188d24fe2d81917c2b1446cdf39082e00cb568
SHA512 24a2b464195193f730e88f275e95688addbef971ea7eb15bf031d4448a2d50be106954a0d8b56f8d7ec2f891391f3a56e3aa3de34b19cbf5febad2c8d18c7894

/data/data/com.sogou.appmall/databases/remnant_fp.db-journal

MD5 65a8ad05e13642a2b50f74a61b39842d
SHA1 0ddcd74919c0dbf485fad96cf6b23d7881233e42
SHA256 0190ed7663ddd873fe1848e1456540b27cd69f760115e902a988548c6a176572
SHA512 8f822050b8596369618b738ef98058aed7b9b218000ad4d59b062b48f6c230f3490c665fa91f078e7496c03dc6ec2a1e788c55db995a11a8c23d24f75bc5f741

/data/data/com.sogou.appmall/databases/remnant_fp.db

MD5 47c80b07db4ce22f3dea0ce05e360050
SHA1 a3850d41186da11ecaf9211b0c7b41452888e2e6
SHA256 e6f1592bca3fa3b834bb5ac6b304e560f0d4006523442024ea0930e383a13242
SHA512 2b844035359fe00aac41693429d2ec12e71219bd8b1bf161335e644305a9c49db649cec0c2c40a07543e93f3d7fe4aa8e085762f06871abed82d97dbbe4cf8fb
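The file list above is three SQLite databases with their sidecar files, one config file, and one path (remnant_fp.db) captured twice with different hashes, i.e. modified during the run. The script below is an added example for triaging such a list, not part of the sandbox report; the (path, SHA256) pairs are copied from the Files section, and the grouping rules are this example's own.

```python
"""Group the Files section of this report by SQLite database and flag paths
whose hash changed during the run. Added example; entries copied from the report."""
import re
from collections import defaultdict

# Constructed from the Files section above, in report order.
REPORT_FILES = [
    ("/data/data/com.sogou.appmall/databases/appmall.db-journal",
     "776c4c80e9990977bd33dd1abf78a221f0d5a6b7088cd04720b17feddb2c212c"),
    ("/data/data/com.sogou.appmall/databases/appmall.db",
     "a74b00f41f411b651cdfa7915d744930faceb3a65fc3f64dda8365860d4ba78d"),
    ("/data/data/com.sogou.appmall/databases/appmall.db-shm",
     "c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479"),
    ("/data/data/com.sogou.appmall/databases/appmall.db-wal",
     "c4fb7a910014565d6c43f455f72cf373fff5f17a4aea361f91030b1ceaddac8d"),
    ("/data/data/com.sogou.appmall/files/from.cfg",
     "48ff134c8b60b845bb4d76dd291748356d0fc20d6366bf8caa60a82055d119ef"),
    ("/data/data/com.sogou.appmall/databases/sogou_upd_downloads.db-journal",
     "463eae74fa3744501918645fa220e1110fceba17e2c3271a5fcf8edcaba7f2d4"),
    ("/data/data/com.sogou.appmall/databases/sogou_upd_downloads.db",
     "0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514"),
    ("/data/data/com.sogou.appmall/databases/sogou_upd_downloads.db-wal",
     "9697acb013ba2dd5531d609e46707fdd3cfe664879761d224764b4e00fa03e20"),
    ("/data/data/com.sogou.appmall/databases/remnant_fp.db",
     "3ec1f9d73d13e495322f2bc2f4188d24fe2d81917c2b1446cdf39082e00cb568"),
    ("/data/data/com.sogou.appmall/databases/remnant_fp.db-journal",
     "0190ed7663ddd873fe1848e1456540b27cd69f760115e902a988548c6a176572"),
    ("/data/data/com.sogou.appmall/databases/remnant_fp.db",
     "e6f1592bca3fa3b834bb5ac6b304e560f0d4006523442024ea0930e383a13242"),
]

# A SQLite main file plus its optional rollback-journal / WAL / shared-memory sidecar.
SQLITE = re.compile(r"^(?P<db>.+\.db)(?P<side>-journal|-wal|-shm)?$")


def group_artifacts(entries):
    databases = defaultdict(lambda: defaultdict(list))  # db path -> role -> [sha256]
    other = {}
    seen = defaultdict(list)                            # path -> hashes in report order
    for path, sha in entries:
        seen[path].append(sha)
        m = SQLITE.match(path)
        if m:
            role = (m.group("side") or "-main").lstrip("-")
            databases[m.group("db")][role].append(sha)
        else:
            other[path] = sha
    # Same path, different hash: the file was rewritten between two captures.
    changed = {p: h for p, h in seen.items() if len(set(h)) > 1}
    # With a -wal present, committed pages may still sit in the WAL until a
    # checkpoint, so the main file alone can be missing recent rows: keep both.
    keep_with_wal = sorted(db for db, roles in databases.items() if "wal" in roles)
    return {
        "databases": {db: dict(roles) for db, roles in databases.items()},
        "other": other,
        "changed_during_run": changed,
        "keep_with_wal": keep_with_wal,
    }


if __name__ == "__main__":
    result = group_artifacts(REPORT_FILES)
    for db, roles in result["databases"].items():
        print(db, sorted(roles))
    print("changed:", list(result["changed_during_run"]))
    print("keep with WAL:", result["keep_with_wal"])
```

For this run the grouping yields three databases (appmall.db with all three sidecars, sogou_upd_downloads.db with journal and WAL, remnant_fp.db with a journal), one non-database file (files/from.cfg), and remnant_fp.db as the only path that changed during the run.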