Malware Analysis Report

2025-08-10 13:46

Sample ID: 241017-xp3lpstejq
Target: 53389b449280c29c1f078960a467facd_JaffaCakes118
SHA256: ecb48190068500e532387f2e5183787d2c9f747ee2e4e84aa60ff1399d32c46c
Tags: banker, discovery, evasion
Score: 8/10


Analysis Overview

Score: 8/10

SHA256: ecb48190068500e532387f2e5183787d2c9f747ee2e4e84aa60ff1399d32c46c

Threat Level: Likely malicious

The file 53389b449280c29c1f078960a467facd_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

Tags: banker, discovery, evasion

Checks if the Android device is rooted.

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Queries information about active data network

Queries information about the current Wi-Fi connection

Reads information about phone network operator.

Requests dangerous framework permissions

MITRE ATT&CK (Mobile Matrix V15)

Analysis: static1

Detonation Overview

Reported: 2024-10-17 19:02

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-10-17 19:02
Reported: 2024-10-17 19:05
Platform: android-x86-arm-20240624-en
Max time kernel: 120s
Max time network: 130s

Command Line

com.coco2dx.org

Signatures

Checks if the Android device is rooted.

Tags: evasion

Description | Indicator | Process | Target
N/A | /sbin/su | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Tags: banker, discovery

Queries information about active data network

Tags: discovery

Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries information about the current Wi-Fi connection

Tags: discovery

Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Reads information about phone network operator.

Tags: discovery

Processes

com.coco2dx.org

/system/bin/sh

ls -l /sbin/su

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | cf.gdatacube.net | udp
US | 1.1.1.1:53 | rd.gdatacube.net | udp
US | 1.1.1.1:53 | update.pandoe.com | udp
US | 1.1.1.1:53 | update.pandoe.com | udp
GB | 142.250.200.46:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.201.110:443 | android.apis.google.com | tcp

Files

/storage/emulated/0/.SystemService/DEID/com.coco2dx.org/oid

MD5 85b0dfa4c2ca0ba08c5355367fed8642
SHA1 22843598ac8a2b3c8e2ab00186a5693a14d4e5e1
SHA256 11191fd2fe0e0a636771c72f4f7a529e1b0bc89a032d3d9bded766ef503692ef
SHA512 42a7d903f62b8535a8202849f94473b0980aaed4730041b73710cabfb4a8498e6bdb57ff76efbd1183df1e36cee2e1d8c9aa08d47d997507a5e1dd0edd2c07ce

/storage/emulated/0/.SystemService/com.coco2dx.org/uid

MD5 9271895893dbdadd1f054640b625ae37
SHA1 f0263a846f1f17cdb8efa6fe1e43c43a6c90c539
SHA256 95985bf9f84e7e59f7fa0ada1b6e53f87cbd42349f2a2ff8aa1f6f294bd83eab
SHA512 d10e039d9089dad3a4f5a694584b677ef8d84dfe6898597cf3e24b32b6e62c9f99dab18a1f4b5fab59f7ba8e8ee03be3bbcb2c0d642ae6d8e3c67e74e7388975

/data/data/com.coco2dx.org/databases/dataeye_database.db-journal

MD5 70c043e4468e3bcda39f9b94a980ec77
SHA1 b4eee6e3e7ca301245183cc0f22a3b48bc183e54
SHA256 b8262f60b0fd0302f5429803caf89177ea13e01778908de1d79d6ef5d22e4d77
SHA512 1416faa03e525dcdac364adf3040879481ac8ef1bd17dab3c555e967d79056aa246282b5605075046d42ab7b62b26b3643847f57dd1be6c595ff7b3c4f87d42a

/data/data/com.coco2dx.org/databases/dataeye_database.db

MD5 388f908642292feafa5b00dccd8d37ed
SHA1 3d1e7786bd4f849a5e4aeed1e1f1db5775b69186
SHA256 786cf8c14d77d427087eb4c1e8722ea3cf576c79812cc19a4cd57b50157e93a1
SHA512 c630ad7a7a446a98c70f875902c23704df8f97e8f06342eb93c01d16af8f72f566e448672f747aded15650a570b4502ef52a1692cd8b3f11406d31d737e0b6ba

/data/data/com.coco2dx.org/databases/dataeye_database.db-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.coco2dx.org/databases/dataeye_database.db-wal

MD5 28fc8228c7bb643ec0c54ff794d50cef
SHA1 82d402137ecf29630bfc302d5a0924a82de2319f
SHA256 f28ffc48c04bda65e127fb98b52750df39770ec475113491591674756e7064a3
SHA512 93fb6f020424592a0117451e521fe31eae69a6d28c4fca88a57f7260bcaef48f9b814641e580a4078d30196fb7f1948cf5c71786c015d313db4ed9279e6acaa3

/data/data/com.coco2dx.org/databases/dataeye_database.db-wal

MD5 3e56abde677c6fcbf23611402385887a
SHA1 64dd57c245f3b4e77069811b8deb2d579d8e6f3d
SHA256 ca5b604d5a94e0a90a05952b8d709fd6bd3e73170eeb4ec7a7d3646e2f8cd994
SHA512 6af4944f34488fda3950050294bac4b5b45538e6f93668d5d214abb07420aeb4baebea4ee99bd4f2220513132aa8205ee50513c5cc565ab48ce19654d7cd5a70

/data/data/com.coco2dx.org/databases/dataeye_database.db

MD5 ce1d1a5192e0ac4fd5530cd0754c3b93
SHA1 474518ab4081fc822cedba6cdd84b9f9f813ddfa
SHA256 41b07fbc8df4da1fa681a6be11f83340a7523f8b94fcb95c4cd6eba93eab1683
SHA512 03e287822bea2a8fac1bc5b9596d071c3293036bc851114cb7c1732ac427f14c4370eccb590122dd99398fc4cf0c781a222453f10205537b85769ba3b0918478

/data/data/com.coco2dx.org/databases/dataeye_database.db-wal

MD5 31dfab2c76bb98a49ba043ac918be084
SHA1 0da307c13643fae7dd26a7783161e2d27fecd94c
SHA256 79b47a42a3986c01cb1e543c266916f677934aa70ea92d6a61e0b62c185b7d4c
SHA512 91e7b294b07cbfa585b297be46b29591d938717e33ac580664331ce405b66f120cec5d7dae5189b8f58c66b7e241356c1610f48f2f4ff86580b5657c55ca1bd7

/data/data/com.coco2dx.org/databases/dataeye_database.db

MD5 7f546ef76c493d2770486adde68ed942
SHA1 8f13b50d67756759c2bde09292ad84d254c293a1
SHA256 5a634a5b597da8a9ed9634b67a80f451f7cf0c07800e75b8e5e8c5bbdb74bcd8
SHA512 7ad801769c79d389ed0248faff4d73e128603cff67e94d9cdc758db977afb515a932ef7fb1047ccefa83a5d4c6d42565ad4246691d536b30f5c4badbd249d43f