Malware Analysis Report

2025-08-06 01:23

Sample ID 241018-ttl8qswfla
Target 58670eb1b4c55ea11a947a0c6974cd41_JaffaCakes118
SHA256 be2e063c922c12ec57f128f0be388d1da9849fa5a6ca90c497797b36f34d70c2
Tags
banker discovery persistence
score
7/10

Analysis Overview

score
7/10

SHA256

be2e063c922c12ec57f128f0be388d1da9849fa5a6ca90c497797b36f34d70c2

Threat Level: Shows suspicious behavior

The file 58670eb1b4c55ea11a947a0c6974cd41_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

banker discovery persistence

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Requests dangerous framework permissions

Queries information about active data network

Queries information about the current Wi-Fi connection

Queries the unique device ID (IMEI, MEID, IMSI)

Registers a broadcast receiver at runtime (usually for listening for system events)

Analysis: static1

Detonation Overview

Reported

2024-10-18 16:21

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-18 16:21

Reported

2024-10-18 16:23

Platform

android-x86-arm-20240624-en

Max time kernel

47s

Max time network

137s

Command Line

com.wy.dsshelper

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Processes

com.wy.dsshelper

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 app.wapx.cn udp
US 1.1.1.1:53 xiying18da.freevar.com udp
US 1.1.1.1:53 app.waps.cn udp
US 23.179.32.37:80 xiying18da.freevar.com tcp
GB 142.250.200.46:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 172.217.16.238:443 android.apis.google.com tcp

Files

/data/data/com.wy.dsshelper/databases/WYGDDB.db-journal
/data/data/com.wy.dsshelper/databases/WYGDDB.db
/data/data/com.wy.dsshelper/databases/WYGDDB.db-shm
/data/data/com.wy.dsshelper/databases/WYGDDB.db-wal
/storage/emulated/0/Android/data/cache/CacheTime.dat
/storage/emulated/0/Android/data/cache/AppPackage.dat
/storage/emulated/0/Android/data/cache/UnPackage.dat

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-18 16:21

Reported

2024-10-18 16:23

Platform

android-x64-20240910-en

Max time kernel

46s

Max time network

150s

Command Line

com.wy.dsshelper

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Processes

com.wy.dsshelper

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 216.58.212.202:443 tcp
GB 142.250.200.14:443 tcp
GB 142.250.200.14:443 tcp
GB 142.250.200.14:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
US 1.1.1.1:53 app.wapx.cn udp
US 1.1.1.1:53 xiying18da.freevar.com udp
US 23.179.32.37:80 xiying18da.freevar.com tcp
US 1.1.1.1:53 app.waps.cn udp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 216.58.201.104:443 ssl.google-analytics.com tcp
GB 216.58.213.14:443 android.apis.google.com tcp
GB 216.58.212.234:443 tcp

Files

/data/data/com.wy.dsshelper/databases/WYGDDB.db-journal
/data/data/com.wy.dsshelper/databases/WYGDDB.db
/storage/emulated/0/Android/data/cache/CacheTime.dat
/storage/emulated/0/Android/data/cache/AppPackage.dat
/storage/emulated/0/Android/data/cache/UnPackage.dat

Analysis: behavioral3

Detonation Overview

Submitted

2024-10-18 16:21

Reported

2024-10-18 16:23

Platform

android-x64-arm64-20240624-en

Max time kernel

47s

Max time network

132s

Command Line

com.wy.dsshelper

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Processes

com.wy.dsshelper

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 142.250.179.238:443 tcp
GB 142.250.179.238:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.180.14:443 android.apis.google.com tcp
US 1.1.1.1:53 app.wapx.cn udp
US 1.1.1.1:53 xiying18da.freevar.com udp
US 1.1.1.1:53 app.waps.cn udp
US 23.179.32.37:80 xiying18da.freevar.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 216.58.204.72:443 ssl.google-analytics.com tcp
GB 142.250.187.196:443 tcp
GB 142.250.187.196:443 tcp

Files

/data/user/0/com.wy.dsshelper/databases/WYGDDB.db-journal
/data/user/0/com.wy.dsshelper/databases/WYGDDB.db