Malware Analysis Report

2025-08-10 13:46

Sample ID: 241017-wwktssyape
Target: 530610bdc8ff48013317fefcf7876dc5_JaffaCakes118
SHA256: 70ea01d008463fb8cb32922eb46f7747ad8553bb0557e524ba9258388f6a3bde
Tags: banker, discovery
Score: 7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 7/10

SHA256

70ea01d008463fb8cb32922eb46f7747ad8553bb0557e524ba9258388f6a3bde

Threat level: shows suspicious behavior

The file 530610bdc8ff48013317fefcf7876dc5_JaffaCakes118 shows suspicious behavior.

Malicious Activity Summary

Tags: banker, discovery

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Queries information about running processes on the device

Requests dangerous framework permissions

Queries information about active data network

Queries the unique device ID (IMEI, MEID, IMSI)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-17 18:16

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
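The two permissions above are what the later behavioral findings lean on: READ_PHONE_STATE is what the IMEI/MEID/IMSI query seen in behavioral2 traditionally needs, and WRITE_EXTERNAL_STORAGE is what writing a file at /storage/emulated/0/Android/Package.dat traditionally needs. As an added example (not code from the report or the sandbox vendor), the following Python audits a decoded AndroidManifest.xml for dangerous permissions and spells out what each one actually grants given the declared targetSdkVersion, since that changes on newer platforms. The manifest is constructed: the package name and the two flagged permissions come from this report; the sdk levels, the INTERNET permission, the label and the activity name are made up for illustration.

```python
"""Audit a decoded AndroidManifest.xml for dangerous permissions and state
what each grants given targetSdkVersion.

Added example, not part of the report. MANIFEST is a constructed stand-in for
what apktool decodes from a package named com.eggplant.taskkiller: the package
name and the two flagged permissions come from the report; the sdk levels,
INTERNET permission, label and activity name are made up.
"""
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.eggplant.taskkiller" android:versionCode="1">
  <uses-sdk android:minSdkVersion="8" android:targetSdkVersion="17"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="TaskKiller">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>
"""

# Runtime ("dangerous") permissions a triage should always call out. This is a
# hand-picked subset; the authoritative list is the platform's own manifest.
DANGEROUS = {
    "android.permission.READ_PHONE_STATE": "phone/cell state; device identifiers on old platforms",
    "android.permission.WRITE_EXTERNAL_STORAGE": "write shared storage (/storage/emulated/0)",
    "android.permission.READ_SMS": "read SMS inbox (OTP theft)",
    "android.permission.RECEIVE_SMS": "intercept incoming SMS",
    "android.permission.READ_CONTACTS": "read contacts",
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.CAMERA": "camera",
}


def _target_sdk(root) -> int:
    """targetSdkVersion, falling back to minSdkVersion, then 1 (platform defaults)."""
    sdk = root.find("uses-sdk")
    if sdk is None:
        return 1
    return int(sdk.get(ANDROID + "targetSdkVersion") or sdk.get(ANDROID + "minSdkVersion") or 1)


def audit_manifest(xml_text: str) -> dict:
    root = ET.fromstring(xml_text)
    target = _target_sdk(root)
    requested = sorted(e.get(ANDROID + "name") for e in root.iter("uses-permission"))
    flagged = {p: DANGEROUS[p] for p in requested if p in DANGEROUS}
    notes = []
    if "android.permission.READ_PHONE_STATE" in flagged:
        notes.append(
            "READ_PHONE_STATE: on Android 9 and below this is enough for "
            "TelephonyManager.getDeviceId()/getSubscriberId() to return IMEI/MEID/IMSI; "
            "Android 10+ refuses these regardless of targetSdkVersion "
            "(SecurityException when targeting 29+, null otherwise)."
        )
    if "android.permission.WRITE_EXTERNAL_STORAGE" in flagged:
        if target < 29:
            notes.append("WRITE_EXTERNAL_STORAGE: targetSdk < 29, so the app can write anywhere "
                         "under shared storage, e.g. /storage/emulated/0/Android/Package.dat.")
        elif target == 29:
            notes.append("WRITE_EXTERNAL_STORAGE: targetSdk 29 is scoped unless "
                         "requestLegacyExternalStorage is set.")
        else:
            notes.append("WRITE_EXTERNAL_STORAGE: no effect when targeting 30+; writing outside "
                         "the app-specific directory would need MANAGE_EXTERNAL_STORAGE.")
    return {
        "package": root.get("package"),
        "target_sdk": target,
        "requested": requested,
        "dangerous": flagged,
        "notes": notes,
    }


if __name__ == "__main__":
    result = audit_manifest(MANIFEST)
    print(result["package"], "targetSdk", result["target_sdk"])
    for perm, why in result["dangerous"].items():
        print("  dangerous:", perm, "->", why)
    for note in result["notes"]:
        print("  note:", note)
```

Run it against the manifest that `apktool d sample.apk` writes out. The point of the targetSdk notes is that the same two permission lines mean very different things depending on the platform the sample lands on: the sandbox's behavioral2 run still logged the device-ID query, but on a current handset that call would return nothing.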

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-17 18:16

Reported

2024-10-17 18:18

Platform

android-x86-arm-20240624-en

Max time kernel

7s

Max time network

130s

Command Line

com.eggplant.taskkiller

Signatures

Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps)
Tags: banker, discovery

Queries information about running processes on the device
Tags: discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Queries information about active data network
Tags: discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Processes

com.eggplant.taskkiller

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | - | udp
US | 1.1.1.1:53 | app.wapx.cn | udp
US | 1.1.1.1:53 | mob.guohead.com | udp
US | 1.1.1.1:53 | ads.wapx.cn | udp
GB | 142.250.200.46:443 | - | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.200.46:443 | android.apis.google.com | tcp

Files

/storage/emulated/0/Android/Package.dat

MD5 3cd41d0d27ed9183574f40035687778e
SHA1 1daf4833d59a6bfa10289c6b7c5f1b59f142f976
SHA256 4b4c83e907d6cf43ad55d20e9c0c435978ce6f5972de2b7b2e23e45972cbe733
SHA512 275e020e7b34039c96b3a843d6eb291fde320dc7ba0d8116ea7778db9209fc328976e1d2b8103629f330b55299d97785c5e25e347087547e154cc3371777ccc0

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-17 18:16

Reported

2024-10-17 18:18

Platform

android-x64-20240624-en

Max time kernel

3s

Max time network

142s

Command Line

com.eggplant.taskkiller

Signatures

Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps)
Tags: banker, discovery

Queries information about running processes on the device
Tags: discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Queries information about active data network
Tags: discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries the unique device ID (IMEI, MEID, IMSI)
Tags: discovery

Processes

com.eggplant.taskkiller

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | - | udp
US | 1.1.1.1:53 | mob.guohead.com | udp
US | 1.1.1.1:53 | app.wapx.cn | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.187.200:443 | ssl.google-analytics.com | tcp
GB | 142.250.179.238:443 | - | tcp
GB | 142.250.200.34:443 | - | tcp
GB | 216.58.201.99:443 | - | tcp
GB | 216.58.201.99:443 | - | tcp
GB | 216.58.201.99:443 | - | tcp
US | 216.239.38.223:443 | - | tcp
BE | 142.251.173.188:5228 | - | tcp
US | 216.239.38.223:443 | - | tcp
GB | 142.250.180.14:443 | - | tcp
GB | 172.217.16.228:443 | - | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.201.110:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
US | 1.1.1.1:53 | accounts.google.com | udp
US | 1.1.1.1:53 | accounts.google.com | udp
BE | 74.125.133.84:443 | accounts.google.com | tcp
US | 1.1.1.1:53 | www.google.com | udp
GB | 142.250.200.4:443 | www.google.com | udp
GB | 142.250.200.4:443 | www.google.com | tcp
GB | 142.250.200.4:443 | www.google.com | tcp
US | 1.1.1.1:53 | g.tenor.com | udp
GB | 142.250.200.10:443 | g.tenor.com | tcp
US | 1.1.1.1:53 | mdh-pa.googleapis.com | udp
GB | 172.217.169.74:443 | mdh-pa.googleapis.com | tcp
US | 1.1.1.1:53 | safebrowsing.googleapis.com | udp
GB | 142.250.178.10:443 | safebrowsing.googleapis.com | tcp
US | 1.1.1.1:53 | www.google.com | udp
GB | 172.217.16.228:443 | www.google.com | tcp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
GB | 142.250.178.10:443 | semanticlocation-pa.googleapis.com | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.178.14:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | www.youtube.com | udp
GB | 216.58.201.110:443 | www.youtube.com | udp
GB | 216.58.201.110:443 | www.youtube.com | tcp
US | 1.1.1.1:53 | www.google.com | udp
GB | 216.58.201.100:443 | www.google.com | udp
GB | 216.58.201.100:443 | www.google.com | tcp
GB | 216.58.201.100:443 | www.google.com | tcp
US | 1.1.1.1:53 | growth-pa.googleapis.com | udp
US | 1.1.1.1:53 | accounts.google.com | udp
US | 1.1.1.1:53 | accounts.google.com | udp
GB | 74.125.71.84:443 | accounts.google.com | tcp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-10-17 18:16

Reported

2024-10-17 18:18

Platform

android-x64-arm64-20240910-en

Max time kernel

5s

Max time network

151s

Command Line

com.eggplant.taskkiller

Signatures

Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps)
Tags: banker, discovery

Queries information about running processes on the device
Tags: discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Queries information about active data network
Tags: discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Processes

com.eggplant.taskkiller

Network

Country | Destination | Domain | Proto
US | 216.239.34.223:443 | - | tcp
N/A | 224.0.0.251:5353 | - | udp
GB | 142.250.187.238:443 | - | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.200.14:443 | android.apis.google.com | tcp
GB | 142.250.179.238:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | www.youtube.com | udp
GB | 172.217.169.14:443 | www.youtube.com | tcp
GB | 142.250.179.238:443 | www.youtube.com | tcp
US | 216.239.32.223:443 | - | tcp
US | 1.1.1.1:53 | app.wapx.cn | udp
US | 1.1.1.1:53 | mob.guohead.com | udp
US | 1.1.1.1:53 | ads.wapx.cn | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 172.217.169.40:443 | ssl.google-analytics.com | tcp
GB | 142.250.200.46:443 | www.youtube.com | tcp
GB | 142.250.179.225:443 | - | tcp
GB | 142.250.200.33:443 | - | tcp
US | 216.239.32.223:443 | - | tcp
US | 216.239.32.223:443 | - | tcp
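Across the three behavioral runs the network tables are mostly the emulator talking to Google; the analyst's job is to find the residue. The following Python is an added example, not code from the report or the sandbox vendor: it parses rows in the report's own column layout (a Domain column that is sometimes absent), drops traffic a stock emulator generates on its own, and for each remaining domain reports which runs resolved it and whether any TCP row actually named it. The behavioral1 rows are copied verbatim from this report; behavioral2 and behavioral3 are abridged (repeated lookups and most Google-infrastructure rows dropped). The noise suffix list and the TCP 5228 rule are my assumptions about emulator background traffic and should be tuned for the sandbox in use.

```python
"""Split the report's network tables into sandbox background traffic and
destinations attributable to the sample.

Added example, not part of the report. behavioral1 is copied verbatim from
the report; behavioral2 and behavioral3 are abridged (repeated lookups and most
Google-infrastructure rows dropped). NOISE_SUFFIXES and NOISE_PORTS encode an
assumption about what a stock emulator image contacts by itself.
"""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Dict, Optional, Set, Tuple

REPORT_NETWORK = {
    "behavioral1": """
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 app.wapx.cn udp
US 1.1.1.1:53 mob.guohead.com udp
US 1.1.1.1:53 ads.wapx.cn udp
GB 142.250.200.46:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.200.46:443 android.apis.google.com tcp
""",
    "behavioral2": """
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 mob.guohead.com udp
US 1.1.1.1:53 app.wapx.cn udp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.187.200:443 ssl.google-analytics.com tcp
BE 142.251.173.188:5228 tcp
GB 216.58.201.110:443 android.apis.google.com tcp
BE 74.125.133.84:443 accounts.google.com tcp
GB 142.250.200.10:443 g.tenor.com tcp
GB 142.250.178.10:443 safebrowsing.googleapis.com tcp
US 1.1.1.1:53 growth-pa.googleapis.com udp
""",
    "behavioral3": """
US 216.239.34.223:443 tcp
N/A 224.0.0.251:5353 udp
GB 142.250.187.238:443 tcp
GB 142.250.200.14:443 android.apis.google.com tcp
GB 172.217.169.14:443 www.youtube.com tcp
US 1.1.1.1:53 app.wapx.cn udp
US 1.1.1.1:53 mob.guohead.com udp
US 1.1.1.1:53 ads.wapx.cn udp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 172.217.169.40:443 ssl.google-analytics.com tcp
""",
}

# Assumed emulator background traffic: Google/Android services, Gboard's
# tenor lookups, and the Play services push channel on TCP 5228.
NOISE_SUFFIXES = (".google.com", ".googleapis.com", ".youtube.com", ".tenor.com")
NOISE_PORTS = {5228}


@dataclass
class Row:
    run: str
    country: str
    ip: str
    port: int
    domain: Optional[str]
    proto: str


def parse_rows(run: str, text: str) -> list:
    """Parse the report's 3- or 4-column rows (the Domain column is optional)."""
    rows = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            country, dest, proto = parts
            domain = None
        else:
            raise ValueError(f"unexpected row: {line!r}")
        ip, port = dest.rsplit(":", 1)
        rows.append(Row(run, country, ip, int(port), domain, proto))
    return rows


def is_noise(row: Row) -> bool:
    if ip_address(row.ip).is_multicast:          # 224.0.0.251:5353 is mDNS
        return True
    if row.domain is None:
        return row.port in NOISE_PORTS
    return row.domain.endswith(NOISE_SUFFIXES)


def triage(report: Dict[str, str] = REPORT_NETWORK) -> Tuple[dict, Set[str]]:
    """Return ({domain: {"runs": set, "connected": bool}}, unattributed ip:port)."""
    candidates: Dict[str, dict] = {}
    unattributed: Set[str] = set()
    for run, text in report.items():
        for row in parse_rows(run, text):
            if is_noise(row):
                continue
            if row.domain is None:               # IP-only row: leave it for the analyst
                unattributed.add(f"{row.ip}:{row.port}")
                continue
            entry = candidates.setdefault(row.domain, {"runs": set(), "connected": False})
            entry["runs"].add(run)
            entry["connected"] |= row.proto == "tcp"
    return candidates, unattributed


if __name__ == "__main__":
    cands, unknown = triage()
    for domain, info in sorted(cands.items()):
        print(f"{domain:28} runs={sorted(info['runs'])} connected={info['connected']}")
    print("unattributed:", sorted(unknown))
```

What this surfaces from the report: app.wapx.cn, mob.guohead.com and ads.wapx.cn appear only as DNS lookups to 1.1.1.1:53; no TCP row in any of the three runs names them, so the report shows the sample resolving these names but gives no evidence of a completed connection. ssl.google-analytics.com is the one non-platform domain with a TCP row. The domain-less TCP rows cannot be attributed from the table alone and are returned separately rather than silently dropped.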

Files

/storage/emulated/0/Android/Package.dat

MD5 3cd41d0d27ed9183574f40035687778e
SHA1 1daf4833d59a6bfa10289c6b7c5f1b59f142f976
SHA256 4b4c83e907d6cf43ad55d20e9c0c435978ce6f5972de2b7b2e23e45972cbe733
SHA512 275e020e7b34039c96b3a843d6eb291fde320dc7ba0d8116ea7778db9209fc328976e1d2b8103629f330b55299d97785c5e25e347087547e154cc3371777ccc0