Malware Analysis Report

2025-08-06 01:24

Sample ID 241018-rggflstcjm
Target 57dd974e400ea936f5d4e3260f792428_JaffaCakes118
SHA256 5cbdc05183fb0ce11248ead0c4a5de031cc724171360b38214a4b3facf58ce7d
Tags: banker, discovery
Score: 7/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Mobile Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral3
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Threat Level: Shows suspicious behavior

The file 57dd974e400ea936f5d4e3260f792428_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

Tags: banker, discovery

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Queries information about the current Wi-Fi connection

Reads information about phone network operator.

Queries the unique device ID (IMEI, MEID, IMSI)

Requests dangerous framework permissions

Queries information about active data network

Checks CPU information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-18 14:09

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-18 14:09

Reported

2024-10-18 14:12

Platform

android-x86-arm-20240624-en

Max time kernel

123s

Max time network

152s

Command Line

com.lbeing.word.kaoyan

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Tags: banker, discovery

Queries information about active data network

Tags: discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries information about the current Wi-Fi connection

Tags: discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Reads information about phone network operator.

Tags: discovery

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Processes

com.lbeing.word.kaoyan

Network

Files

/data/data/com.lbeing.word.kaoyan/files/ky

/data/data/com.lbeing.word.kaoyan/files/ky_plus

/storage/emulated/0/Android/data/cache/CacheTime.dat

/storage/emulated/0/Android/Package.dat

/storage/emulated/0/Android/data/cache/UnPackage.dat

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-18 14:09

Reported

2024-10-18 14:12

Platform

android-x64-20240624-en

Max time kernel

124s

Max time network

153s

Command Line

com.lbeing.word.kaoyan

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Tags: banker, discovery

Queries information about active data network

Tags: discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries information about the current Wi-Fi connection

Tags: discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Queries the unique device ID (IMEI, MEID, IMSI)

Tags: discovery

Reads information about phone network operator.

Tags: discovery

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Processes

com.lbeing.word.kaoyan

Network

Files

/data/data/com.lbeing.word.kaoyan/files/ky

/data/data/com.lbeing.word.kaoyan/files/ky_plus

/storage/emulated/0/Android/data/cache/CacheTime.dat

/storage/emulated/0/Android/Package.dat

/storage/emulated/0/Android/data/cache/UnPackage.dat

Analysis: behavioral3

Detonation Overview

Submitted

2024-10-18 14:09

Reported

2024-10-18 14:12

Platform

android-x64-arm64-20240624-en

Max time kernel

124s

Max time network

155s

Command Line

com.lbeing.word.kaoyan

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Tags: banker, discovery

Queries information about active data network

Tags: discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries information about the current Wi-Fi connection

Tags: discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Reads information about phone network operator.

Tags: discovery

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Processes

com.lbeing.word.kaoyan

Network

Files

/data/user/0/com.lbeing.word.kaoyan/files/ky

/data/user/0/com.lbeing.word.kaoyan/files/ky_plus

/storage/emulated/0/Android/Package.dat
