Malware Analysis Report

2025-08-06 01:24

Sample ID 241018-tvfgkswfpe
Target 58681885e412b7011865e570adce180e_JaffaCakes118
SHA256 5efcd7a24ecf6d207014cfc15e576789106df38833c8db225e0581d9554e6edc
Tags
banker discovery
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

5efcd7a24ecf6d207014cfc15e576789106df38833c8db225e0581d9554e6edc

Threat Level: Shows suspicious behavior

The file 58681885e412b7011865e570adce180e_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

banker discovery

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Queries information about the current Wi-Fi connection

Reads information about phone network operator.

Requests dangerous framework permissions

Queries information about active data network

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-18 16:22

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
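One way to reproduce this static check yourself, as an added example that is not part of the sandbox report: parse the declared uses-permission entries out of a decoded AndroidManifest.xml and bucket them into runtime ("dangerous") permissions and special app-op permissions such as SYSTEM_ALERT_WINDOW. The manifest below is constructed for the example (it declares the three permissions listed above plus INTERNET for contrast, with one duplicate, and is not extracted from the sample); the permission sets are assumed triage subsets, not the full Android list, and the overlay-banker heuristic is this example's own. A real APK carries a binary AXML manifest, so you would first decode it with apktool or androguard and feed the resulting text to extract_permissions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Runtime ("dangerous") permissions granted by the user at runtime, and
# special app-op permissions granted through a Settings screen. Both sets
# are assumed subsets used for triage; they are not the complete Android list.
DANGEROUS = {
    "android.permission.READ_PHONE_STATE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.ACCESS_FINE_LOCATION",
}
SPECIAL = {
    "android.permission.SYSTEM_ALERT_WINDOW",  # draw over other apps
    "android.permission.WRITE_SETTINGS",
    "android.permission.REQUEST_INSTALL_PACKAGES",
    "android.permission.PACKAGE_USAGE_STATS",
}

# Constructed manifest, not extracted from the sample: it declares the three
# permissions the static report lists (one of them twice) plus INTERNET.
CONSTRUCTED_MANIFEST = f"""<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="{ANDROID_NS}" package="com.lq.MagicTouchWizardforHire">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application android:label="MagicTouch"/>
</manifest>
"""


def extract_permissions(manifest_xml: str) -> list[str]:
    """Return declared <uses-permission> names, de-duplicated, in manifest order."""
    root = ET.fromstring(manifest_xml)
    seen: list[str] = []
    for elem in root.iter("uses-permission"):
        name = elem.get(f"{{{ANDROID_NS}}}name")
        if name and name not in seen:
            seen.append(name)
    return seen


def triage(permissions: list[str]) -> dict:
    """Bucket the permissions and flag the overlay + phone-state combination."""
    dangerous = sorted(p for p in permissions if p in DANGEROUS)
    special = sorted(p for p in permissions if p in SPECIAL)
    overlay = "android.permission.SYSTEM_ALERT_WINDOW" in permissions
    phone_state = "android.permission.READ_PHONE_STATE" in permissions
    return {
        "dangerous": dangerous,
        "special": special,
        "overlay_capable": overlay,
        # Heuristic (an assumption of this example, not a sandbox rule):
        # overlay permission plus READ_PHONE_STATE is the minimum an overlay
        # banker needs to draw a fake login over a target app and
        # fingerprint the device it is running on.
        "overlay_banker_candidate": overlay and phone_state,
    }


if __name__ == "__main__":
    perms = extract_permissions(CONSTRUCTED_MANIFEST)
    for key, value in triage(perms).items():
        print(f"{key}: {value}")
```

Duplicated uses-permission elements are collapsed to one entry, which is why the de-duplication is in the extractor rather than the scorer: a manifest merged from several library manifests often repeats permissions, and repetition carries no signal.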

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-18 16:22

Reported

2024-10-18 16:25

Platform

android-x86-arm-20240910-en

Max time kernel

6s

Max time network

151s

Command Line

com.lq.MagicTouchWizardforHire

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Reads information about phone network operator.

discovery
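How these behavioral signatures are derived from framework calls, as an added example that is not part of the sandbox report: each observed framework service call is matched against a small rule table that maps an indicator to a signature text and a tag, and the distinct tags give the "banker discovery" summary. The two IConnectivityManager/IWifiManager indicators are the ones shown above; the indicator names for the installed-application and network-operator queries are assumptions, since the report gives those signatures without an indicator. The trace lines are constructed in the report's "Framework service call" style and are not the sandbox's own output, and the correlation rule against SYSTEM_ALERT_WINDOW is this example's heuristic.

```python
import re

# Indicator -> (signature text, tag). The first two indicators are copied
# from the behavioral report; the last two are assumed names standing in for
# the installed-app and network-operator queries, for which the report shows
# a signature but no indicator.
RULES = {
    "android.net.IConnectivityManager.getActiveNetworkInfo":
        ("Queries information about active data network", "discovery"),
    "android.net.wifi.IWifiManager.getConnectionInfo":
        ("Queries information about the current Wi-Fi connection", "discovery"),
    "android.content.pm.IPackageManager.getInstalledApplications":  # assumed
        ("Queries a list of all the installed applications on the device", "banker"),
    "android.telephony.TelephonyManager.getNetworkOperatorName":  # assumed
        ("Reads information about phone network operator", "discovery"),
}

# Constructed trace in the report's "Framework service call <indicator>" style;
# it is not taken from the sandbox run.
CONSTRUCTED_TRACE = """\
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo
Framework service call android.net.wifi.IWifiManager.getConnectionInfo
Framework service call android.content.pm.IPackageManager.getInstalledApplications
Framework API call android.telephony.TelephonyManager.getNetworkOperatorName
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo
Framework service call android.os.IPowerManager.isScreenOn
"""

LINE_RE = re.compile(r"^Framework (?:service|API) call (\S+)\s*$")


def match_signatures(trace: str) -> tuple[dict, list[str]]:
    """Map every trace line to a signature.

    Returns (signatures, unmatched): signatures is keyed by signature text and
    holds the tag, the indicators that fired it and a hit count; unmatched
    lists indicators no rule covers, so rule gaps stay visible.
    """
    signatures: dict = {}
    unmatched: list[str] = []
    for line in trace.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        indicator = m.group(1)
        rule = RULES.get(indicator)
        if rule is None:
            unmatched.append(indicator)
            continue
        text, tag = rule
        entry = signatures.setdefault(text, {"tag": tag, "indicators": [], "hits": 0})
        if indicator not in entry["indicators"]:
            entry["indicators"].append(indicator)
        entry["hits"] += 1
    return signatures, unmatched


def tags(signatures: dict) -> list[str]:
    """Distinct tags, sorted, in the form of the report's 'banker discovery' line."""
    return sorted({entry["tag"] for entry in signatures.values()})


def correlate(signatures: dict, permissions: list[str]) -> list[str]:
    """Cross-check behavior against static permissions.

    Heuristic of this example, not a sandbox rule: enumerating installed apps
    is only an overlay-banker indicator if the app can draw over other apps.
    """
    notes: list[str] = []
    enumerates_apps = any(e["tag"] == "banker" for e in signatures.values())
    if enumerates_apps and "android.permission.SYSTEM_ALERT_WINDOW" in permissions:
        notes.append("installed-app enumeration + SYSTEM_ALERT_WINDOW: overlay targeting possible")
    elif enumerates_apps:
        notes.append("installed-app enumeration without overlay permission: treat as discovery only")
    return notes


if __name__ == "__main__":
    sigs, other = match_signatures(CONSTRUCTED_TRACE)
    for text, entry in sigs.items():
        print(f"[{entry['tag']}] {text} (x{entry['hits']})")
    print("tags:", " ".join(tags(sigs)))
    print("unmatched:", other)
    print(correlate(sigs, ["android.permission.SYSTEM_ALERT_WINDOW"]))
```

For this sample the static report does declare SYSTEM_ALERT_WINDOW, so the correlation note fires; the report itself only shows 6 seconds of kernel time, so a short trace like this is all a first detonation typically yields, and an analyst should rerun with interaction before concluding that no overlay is ever drawn.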

Processes

com.lq.MagicTouchWizardforHire

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 - udp
GB 142.250.178.14:443 - tcp
GB 172.217.16.238:443 - tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.179.238:443 android.apis.google.com tcp
US 1.1.1.1:53 api.is.apmob.cn udp
US 1.1.1.1:53 www.nitrome.com udp
US 54.193.0.235:80 www.nitrome.com tcp
US 1.1.1.1:53 impact.applifier.com udp
US 130.211.33.175:443 impact.applifier.com tcp
US 54.193.0.235:443 www.nitrome.com tcp
US 54.193.0.235:80 www.nitrome.com tcp
US 54.193.0.235:443 www.nitrome.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.179.232:443 ssl.google-analytics.com tcp
GB 142.250.200.2:443 - tcp

Files

/data/data/com.lq.MagicTouchWizardforHire/files/gaClientId

MD5 1faf74138f486aa247772d59f275d5e5
SHA1 9b817bf7da9f07027df5233fd4e9b509f3ea6d13
SHA256 b40a4a5b3ecca2b838a4aac1087a4d4597cebd4326ed49e23acf50133485ccd2
SHA512 db663947fd67b6db1fca65dc72602a85cc9571890f9611d21537201ec38462eb4768b139e96c1fe13d79ef2f3f8cef6f1d8c3ade2ee9dd199d29433943f49d78

/data/data/com.lq.MagicTouchWizardforHire/files/magictouch.xml

MD5 af86efe98d8e6813e7bc6eead8516663
SHA1 20f44b8ae1c3287b8f2a775ef43bc94cafeba0a7
SHA256 ddc91593e47e1d2b4c698d455ee295bce87edeca99d9af5d055f1d2bc79bb720
SHA512 a072dfcb8246e6e327dd5fc8ddf92ffa5a7066767d89d1214280941e033ca15b3536ad8e5ba4cc12fe94f013e7b6687092f39e3d754b2cf08e13a3d1296fda01