Malware Analysis Report

2025-06-16 00:53

Sample ID 241031-p18m4axjet
Target 8315c1e2d49e9df3c4f0712dc1915429_JaffaCakes118
SHA256 c0df12897fb6166a9dfeab613c50538aaf211b62471158283a6971f4488aaa4f
Tags
banker discovery persistence collection credential_access impact
score
7/10

Analysis Overview

score
7/10

SHA256

c0df12897fb6166a9dfeab613c50538aaf211b62471158283a6971f4488aaa4f

Threat Level: Shows suspicious behavior

The file 8315c1e2d49e9df3c4f0712dc1915429_JaffaCakes118 was found to be: Shows suspicious behavior.

Malicious Activity Summary

banker discovery persistence collection credential_access impact

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Queries the phone number (MSISDN for GSM devices)

Obtains sensitive information copied to the device clipboard

Queries information about active data network

Queries the mobile country code (MCC)

Queries the unique device ID (IMEI, MEID, IMSI)

Queries information about the current Wi-Fi connection

Requests dangerous framework permissions

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks CPU information

Checks memory information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-31 12:48

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-31 12:48

Reported

2024-10-31 12:51

Platform

android-x86-arm-20240624-en

Max time kernel

47s

Max time network

131s

Command Line

com.greensoft.chaoMengXiaoYaZi

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
Tags: banker discovery

Queries the phone number (MSISDN for GSM devices)
Tags: discovery

Queries information about active data network
Tags: discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries information about the current Wi-Fi connection
Tags: discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Queries the mobile country code (MCC)
Tags: discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)
Tags: persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Checks CPU information
Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information
Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.greensoft.chaoMengXiaoYaZi

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | app.wapx.cn | udp
US | 1.1.1.1:53 | zkq051.chinaw3.com | udp
US | 1.1.1.1:53 | zkq051.chinaw3.com | udp
US | 1.1.1.1:53 | zkq051.chinaw3.com | udp
US | 1.1.1.1:53 | app.waps.cn | udp
GB | 216.58.204.78:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.238:443 | android.apis.google.com | tcp

Files

/storage/emulated/0/Android/data/cache/CacheTime.dat

MD5 6b6bca7422516b537ecf9586ae451786
SHA1 7c7cb207ef871aff63d693f500f3f978894ef2aa
SHA256 ba2b33b533b092ef0b564b46ac8226dba9d8f51fdbc3d06c0f9cae0a9efb5ea2
SHA512 a63ad08322b36022fb4069e251c5e9a3032871a7e3af54836460d3b3c1172d160b5f96f0ed894c671ea857a205ed9487fe9a706a56c90b4e9a8c2e06b513a1e2

/storage/emulated/0/Android/custom.dat

MD5 a5703c8edee4400863167c723c77edec
SHA1 dafbeb75ad0b1f49404ead3d3a41d3e322045264
SHA256 4a607d8da8bf8a07bb7c11fa2322ee6fd440ee4d2a3ae3eb0dbff58365b43a53
SHA512 9dcc74f7862d06e697e170d1727d4fb9a90598d13c957640bbe3a1e68fcd4232e0265899399ec01087c78b0f0d9d278a12c12dcc98e09f624a16644f92ca88ee

/storage/emulated/0/Android/data/cache/AppPackage.dat

MD5 1f3f50f4ace77b48a8e4059a5dece933
SHA1 95d6e34ac9c6ad13d5e457adabb6af51d1e56129
SHA256 3d88a54b59b282920c19d5ad82d38943eb3f37245a10b20109e3453a0084ae8b
SHA512 8f0d5c37cdd5c174ceef47172ef9672fefdd314203dab3bce35f51333709e17f167f60993710be83d6adaa7096d1c7d2fb60a4c4ac44348d0d0b37bd407fbde0

/storage/emulated/0/Android/data/cache/UnPackage.dat

MD5 206d6abe48ca9814b7b6a55540ff2dd8
SHA1 739946047324a9819a49fe0aca6b1a572b5579f2
SHA256 b40156ae0f78d0e548b00638f28a1c4bb70a0ec5469b1c9d22b222e780c9fa27
SHA512 067a033b0e3a54a05dae1df5a87dad736db9ed751d4fc1cabc3c490e2b759b875491cc92e80f8152031ea122ddc5643261f60611c4359848b552637046950329

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-31 12:48

Reported

2024-10-31 12:49

Platform

android-x64-20240624-en

Max time kernel

3s

Max time network

10s

Command Line

com.greensoft.chaoMengXiaoYaZi

Signatures

Obtains sensitive information copied to the device clipboard
Tags: collection credential_access impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Queries the phone number (MSISDN for GSM devices)
Tags: discovery

Queries information about active data network
Tags: discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries information about the current Wi-Fi connection
Tags: discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Queries the mobile country code (MCC)
Tags: discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Queries the unique device ID (IMEI, MEID, IMSI)
Tags: discovery

Registers a broadcast receiver at runtime (usually for listening for system events)
Tags: persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Checks CPU information
Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information
Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.greensoft.chaoMengXiaoYaZi

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | app.wapx.cn | udp
US | 1.1.1.1:53 | zkq051.chinaw3.com | udp
US | 1.1.1.1:53 | app.waps.cn | udp

Files

/storage/emulated/0/Android/data/cache/CacheTime.dat

MD5 d217c189dd8f91c0368199dccae74291
SHA1 3167a7f346e322ec56f16b167420f93c50913395
SHA256 aef1930ea9f893c55a0823d76d7c657bcc186f5a2e7d2612df4b06ba28eb8e58
SHA512 ab1fb203f19b96e14d0a7465e66e571cea9f69419976080cf880c70de1cb8063f21dfc34d5fb933670317b35d7c7d9f68356855908c668329bc358730cfa0858

/storage/emulated/0/Android/custom.dat

MD5 f9ec8927104c34c4237bfddfaf05d0d2
SHA1 b5d578ec71322d2c7270fe3cfcc7261876c649e1
SHA256 a7fcf17d531514e209f59fadc33625ad39f2e3707fe2197b3d674a43bcc59cdf
SHA512 11a40e5172c226b251b0c0fb74c8b3115bb6d711bdd0217c86590f5d3d0eb457a575757f7d1c34040190d462ddceefa1cf766791097f86ce3fc085f3b5dd462b

Analysis: behavioral3

Detonation Overview

Submitted

2024-10-31 12:48

Reported

2024-10-31 12:51

Platform

android-x64-arm64-20240624-en

Max time kernel

47s

Max time network

132s

Command Line

com.greensoft.chaoMengXiaoYaZi

Signatures

Obtains sensitive information copied to the device clipboard
Tags: collection credential_access impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
Tags: banker discovery

Queries the phone number (MSISDN for GSM devices)
Tags: discovery

Queries information about active data network
Tags: discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries information about the current Wi-Fi connection
Tags: discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Checks CPU information
Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information
Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.greensoft.chaoMengXiaoYaZi

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.187.206:443 | | tcp
GB | 142.250.187.206:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.200.14:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | app.wapx.cn | udp
US | 1.1.1.1:53 | app.waps.cn | udp
US | 1.1.1.1:53 | zkq051.chinaw3.com | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 172.217.169.40:443 | ssl.google-analytics.com | tcp
GB | 142.250.179.228:443 | | tcp
GB | 142.250.179.228:443 | | tcp

Files

/storage/emulated/0/Android/custom.dat

MD5 708766cc8c7028a366de1057cd666445
SHA1 ba56a13a05ece430923da3e1cf32b7db53b780b9
SHA256 5ef7e28e825d817b069d7fc4bf277956734785de07b7ec57751c6bae5c5464c5
SHA512 0f73917e407476b32202c41df4dd89b63aaa36f8a191c61add7c75d7001399eca4fd8e03d45a314fff2a1768262839f9ef7a9b779bf2294f5e75c2e8068e3453