Malware Analysis Report

2025-08-06 01:23

Sample ID 241018-px3yfaxdkh
Target 5781188cae90337bec12ae0e353e5b4b_JaffaCakes118
SHA256 d35ccc58e26691df745531bb9ac636c6715c89c842eccfc023a57fee4cbe27ce
Tags
banker discovery
score
7/10


Analysis Overview

score
7/10

SHA256

d35ccc58e26691df745531bb9ac636c6715c89c842eccfc023a57fee4cbe27ce

Threat Level: Shows suspicious behavior

The file 5781188cae90337bec12ae0e353e5b4b_JaffaCakes118 was classified as: Shows suspicious behavior.

Malicious Activity Summary

banker discovery

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Queries information about the current nearby Wi-Fi networks

Queries information about active data network

Queries information about the current Wi-Fi connection

Reads information about phone network operator

Queries the unique device ID (IMEI, MEID, IMSI)

Requests dangerous framework permissions

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-18 12:43

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-18 12:43

Reported

2024-10-18 12:46

Platform

android-x86-arm-20240624-en

Max time kernel

7s

Max time network

130s

Command Line

cn.leaves.sdclean

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries information about the current nearby Wi-Fi networks

discovery
Description            | Indicator                                    | Process | Target
Framework service call | android.net.wifi.IWifiManager.getScanResults | N/A     | N/A

Queries information about active data network

discovery
Description            | Indicator                                            | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A     | N/A

Queries information about the current Wi-Fi connection

discovery
Description            | Indicator                                      | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A     | N/A

Reads information about phone network operator

discovery

Processes

cn.leaves.sdclean

/system/bin/sh

ls /data/local/tmp

su

Network

Country | Destination        | Domain                 | Proto
N/A     | 224.0.0.251:5353   | -                      | udp
US      | 1.1.1.1:53         | hmma.baidu.com         | udp
HK      | 103.235.46.195:80  | hmma.baidu.com         | tcp
GB      | 216.58.204.78:443  | -                      | tcp
US      | 1.1.1.1:53         | android.apis.google.com | udp
GB      | 216.58.212.206:443 | android.apis.google.com | tcp

Files

/data/data/cn.leaves.sdclean/files/INSTALLATION

MD5 8a58fed97f032f93108f9219af41d7cd
SHA1 dceac5b59eda88c60ded959d6077c500a2664e9c
SHA256 21562d9a7b79cd1d9860cc4359db4e9e2a667aab5771afecc6372ab72c18f268
SHA512 c636f2ae5f4cb9df0083ff433c3b611e498926be03c37929613734c1d1bca53be78c37f8fa74d10ca3267994f33377660ccc1449aaa7fa9700818db483d49d8f

/data/data/cn.leaves.sdclean/files/prop.properties

MD5 826c5d64aad25dff6755ccd55e45126d
SHA1 ab5259e84906b20d2dee7c48e25a91340514589f
SHA256 856212fa4be14edeb0747a253895bd54eae0703644ce83e6b59817341d3c1368
SHA512 e7032c1908e29b65813f6aaad3968eaf4ac99aa966a6de902558679fb233f96c08f6fccd1b7ec11292d94b3466a11d4af6cce54d168761e46f364a2c9f684112

/data/data/cn.leaves.sdclean/databases/db.db

MD5 503d7a2603b85185ee7380b3d44242a4
SHA1 e78ad0f4a0aef74d5f4db639861c5394476a03f4
SHA256 5a944692d5fefdf005f055931c67692ce3e9ae3afb5cae72a16cf0b355c83ac4
SHA512 d6276cd3660ec1d5163f65403652ff19a9243df31f4196638f77c155b96e1d1b00d3b0c5811cce36ff30c6d22b4576bddfde24895f6bb4d191295757bb2d6b9d

/data/data/cn.leaves.sdclean/files/__local_stat_cache.json

MD5 19fbbcc1a6dc8adea99e855c8d835061
SHA1 9d6ca2a353669daff56adc0f3c7a5f1b14e00753
SHA256 221247f67c0a497ec55cd3198448a25fc25e6824f0722d8066ea7f41fa22cdd4
SHA512 a92fb0f4c2e7f2c89f11ac79f1074aa9a89a9840ab5c53271610494841ca9ddf542df57981124463ff6bd19acfaf360be6ff7060ac2ca15df6e0f0e764fc971e

/data/data/cn.leaves.sdclean/files/__local_stat_cache.json

MD5 c727c5b718fbbc0c86acca4c710570c5
SHA1 259ebc280877ada05adae459b2550e18a986af7e
SHA256 8c79996ebaace68dee2ce614caef9de0c8788228da2451e085f277cc364b2e2a
SHA512 d44776ffb528ce9ee1a88193aad38eb1621fb37fd08621323d5898663e65dc23fb7fbc322103d203bd1c51653b856fd5885ff5d4732682fa3dfbcd15c7a0e5c0

/data/data/cn.leaves.sdclean/files/__local_stat_cache.json

MD5 2d805b13f2f28dc3ca9bbcc000f49bb5
SHA1 9eac165b4d81258fd3967cde5cc53b53b1dabcb1
SHA256 c8a6624f390568f0ddcb9841336aec6a564460fdaf6624e562b32935b8956f19
SHA512 5db8c57bab36bcf9db698c1dce70318cbffc156dd1d1c1e09e5b7ba60aff07b598ebbf26c4bd8a2b03bd6e59ef2dde2d944a22a8d8a19ecc8378e83afb7c83b0

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-18 12:43

Reported

2024-10-18 12:46

Platform

android-x64-20240624-en

Max time kernel

7s

Max time network

149s

Command Line

cn.leaves.sdclean

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries information about the current nearby Wi-Fi networks

discovery
Description            | Indicator                                    | Process | Target
Framework service call | android.net.wifi.IWifiManager.getScanResults | N/A     | N/A

Queries information about active data network

discovery
Description            | Indicator                                            | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A     | N/A

Queries information about the current Wi-Fi connection

discovery
Description            | Indicator                                      | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A     | N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Reads information about phone network operator

discovery

Processes

cn.leaves.sdclean

Network

Country | Destination         | Domain                   | Proto
N/A     | 224.0.0.251:5353    | -                        | udp
US      | 1.1.1.1:53          | hmma.baidu.com           | udp
HK      | 103.235.46.195:80   | hmma.baidu.com           | tcp
US      | 1.1.1.1:53          | ssl.google-analytics.com | udp
GB      | 142.250.178.8:443   | ssl.google-analytics.com | tcp
GB      | 142.250.187.238:443 | -                        | tcp
US      | 1.1.1.1:53          | android.apis.google.com  | udp
GB      | 172.217.169.78:443  | android.apis.google.com  | tcp
GB      | 142.250.179.228:443 | -                        | tcp
GB      | 142.250.179.228:443 | -                        | tcp

Files

/data/data/cn.leaves.sdclean/files/INSTALLATION

MD5 f9283eaadaeaf61e9260e5b60785cbd8
SHA1 1dc5a87f82836811ffc568f310e4c1b8154993e5
SHA256 810eea1469407554035b3db95547b72543bc6b757bb928e49976fb7c4d9787fb
SHA512 3bc5a7529a4b5ad06aec888ef71463fa67ef75918dfee3f309a10b36678543d9f354aec3434f58710179e1bb08bb4a5e6793bb410b55375012f98c968f4d1345

/data/data/cn.leaves.sdclean/files/prop.properties

MD5 826c5d64aad25dff6755ccd55e45126d
SHA1 ab5259e84906b20d2dee7c48e25a91340514589f
SHA256 856212fa4be14edeb0747a253895bd54eae0703644ce83e6b59817341d3c1368
SHA512 e7032c1908e29b65813f6aaad3968eaf4ac99aa966a6de902558679fb233f96c08f6fccd1b7ec11292d94b3466a11d4af6cce54d168761e46f364a2c9f684112

/data/data/cn.leaves.sdclean/databases/db.db

MD5 503d7a2603b85185ee7380b3d44242a4
SHA1 e78ad0f4a0aef74d5f4db639861c5394476a03f4
SHA256 5a944692d5fefdf005f055931c67692ce3e9ae3afb5cae72a16cf0b355c83ac4
SHA512 d6276cd3660ec1d5163f65403652ff19a9243df31f4196638f77c155b96e1d1b00d3b0c5811cce36ff30c6d22b4576bddfde24895f6bb4d191295757bb2d6b9d

/data/data/cn.leaves.sdclean/files/__local_stat_cache.json

MD5 e8de294c97b797be269e099a35397f9b
SHA1 269763e9206dc7d7739d99f137261b272f2f4288
SHA256 883fc2a338167d2cfbb2fa0305fbb527a057300300bc88807a1187f47927c830
SHA512 e5ba3feced7d14d1957d020f2902e204c570c3e48672b4940aa77f6ab015a2d2acb1a0f1467f39c6a7c3cd983539027e2a0455c35f82f3f4e2d35534d56dfd17

/data/data/cn.leaves.sdclean/files/__local_stat_cache.json

MD5 3c485686b80b728de9e674433ec20686
SHA1 e19bc0d8e89a2be2528ea84159acacee10cbf062
SHA256 e64ca142ecae43441e96e26aadc8f554619cf17adcb0522ec2087e7fa721155f
SHA512 7e91772084646b01236c581e67e9e8cd3f91d6823de5be1cc7e1c46204ab2c7d0950d77627a9fec58987844e7bbc1c816ef8889670c1aac5dfb0e87d1eef96a3

/data/data/cn.leaves.sdclean/files/__local_stat_cache.json

MD5 2d805b13f2f28dc3ca9bbcc000f49bb5
SHA1 9eac165b4d81258fd3967cde5cc53b53b1dabcb1
SHA256 c8a6624f390568f0ddcb9841336aec6a564460fdaf6624e562b32935b8956f19
SHA512 5db8c57bab36bcf9db698c1dce70318cbffc156dd1d1c1e09e5b7ba60aff07b598ebbf26c4bd8a2b03bd6e59ef2dde2d944a22a8d8a19ecc8378e83afb7c83b0

Analysis: behavioral3

Detonation Overview

Submitted

2024-10-18 12:43

Reported

2024-10-18 12:46

Platform

android-x64-arm64-20240624-en

Max time kernel

7s

Max time network

130s

Command Line

cn.leaves.sdclean

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries information about active data network

discovery
Description            | Indicator                                            | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A     | N/A

Queries information about the current Wi-Fi connection

discovery
Description            | Indicator                                      | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A     | N/A

Reads information about phone network operator

discovery

Processes

cn.leaves.sdclean

Network

Country | Destination         | Domain                   | Proto
N/A     | 224.0.0.251:5353    | -                        | udp
GB      | 172.217.16.238:443  | -                        | tcp
US      | 1.1.1.1:53          | android.apis.google.com  | udp
GB      | 142.250.187.206:443 | android.apis.google.com  | tcp
GB      | 142.250.187.206:443 | android.apis.google.com  | tcp
US      | 1.1.1.1:53          | hmma.baidu.com           | udp
HK      | 103.235.46.195:80   | hmma.baidu.com           | tcp
US      | 1.1.1.1:53          | ssl.google-analytics.com | udp
GB      | 142.250.179.232:443 | ssl.google-analytics.com | tcp
GB      | 142.250.187.196:443 | -                        | tcp
GB      | 142.250.187.196:443 | -                        | tcp

Files

/data/user/0/cn.leaves.sdclean/files/INSTALLATION

MD5 fb77bb32ea76677717a4a7e44cfd6a3d
SHA1 6e486278745ffc7071749251c53e856751fd089b
SHA256 b21fe960769ac19437fdec0093eeb83bab2762a29539a22f91a0079b61502365
SHA512 c7509966865b6f9d844028dd877ea83775676d7cecc5bfbb3083b56fad1f4be2e5854b3269468eace00b9d14bc9b615714f68f7f759ea907aba61bde366eded4

/data/user/0/cn.leaves.sdclean/files/prop.properties

MD5 88b3f802cda07232c2e4b153857257f8
SHA1 f38a457417077da6efc4514764ae861d40d839d3
SHA256 a9487beb8b2a4c5a021771f50941c482167f618782cc522c56facb63b0b2eb8f
SHA512 0554d22fefd9030c05c1bd1ed19723378c3fe841de4a70a3c227d916dcfd01e39a72ccadbba09fb194f0051460bb7149865b2e40549c25110351ea6685333b74

/data/user/0/cn.leaves.sdclean/databases/db.db

MD5 503d7a2603b85185ee7380b3d44242a4
SHA1 e78ad0f4a0aef74d5f4db639861c5394476a03f4
SHA256 5a944692d5fefdf005f055931c67692ce3e9ae3afb5cae72a16cf0b355c83ac4
SHA512 d6276cd3660ec1d5163f65403652ff19a9243df31f4196638f77c155b96e1d1b00d3b0c5811cce36ff30c6d22b4576bddfde24895f6bb4d191295757bb2d6b9d

/data/user/0/cn.leaves.sdclean/files/__local_stat_cache.json

MD5 15edad51ecb4c8c262f107c6979c4ad0
SHA1 b085e449ff07d074b8114e07eb9258d94c66c4d5
SHA256 c8dd0a2dc2d9298e94bad4eadd8c424fff32f46fcb45269fdd28c67a16f5536e
SHA512 1a78f83352f8f35c0766b1b20d459b6314ea21b6befc0abb14644457464cc0b8212b25e444bd3e6d3f7930c03cae5448bac9571068d79d86ca59f5ef79530151

/data/user/0/cn.leaves.sdclean/files/__local_stat_cache.json

MD5 f817ca8888dece280a98407d21a8d5d9
SHA1 c1dc224d17e7afa5ae5b508ba96d5b2639fcfd01
SHA256 e7543aada9fec988354bcb9ed64d6cdd374f178fb779f5b4024872a771a2bbfb
SHA512 51e3238b3c128cc352380a495763c06299318fbb8cf2c95e5d3d9909ae19a604b9e4fb9cddd683bc080c0a8021380e1673856652a4a285f1a29a5da6064b9c3e

/data/user/0/cn.leaves.sdclean/files/__local_stat_cache.json

MD5 2d805b13f2f28dc3ca9bbcc000f49bb5
SHA1 9eac165b4d81258fd3967cde5cc53b53b1dabcb1
SHA256 c8a6624f390568f0ddcb9841336aec6a564460fdaf6624e562b32935b8956f19
SHA512 5db8c57bab36bcf9db698c1dce70318cbffc156dd1d1c1e09e5b7ba60aff07b598ebbf26c4bd8a2b03bd6e59ef2dde2d944a22a8d8a19ecc8378e83afb7c83b0