Malware Analysis Report

2025-06-15 23:17

Sample ID 241102-2562aaxngy
Target 885296e8bcc1272c71bfaba29d53822e_JaffaCakes118
SHA256 d0ae64254cf57c871171844a3524118debf769b4e9cef071eb45e00f96750f66
Tags
banker discovery evasion
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

d0ae64254cf57c871171844a3524118debf769b4e9cef071eb45e00f96750f66

Threat Level: Shows suspicious behavior

The file 885296e8bcc1272c71bfaba29d53822e_JaffaCakes118 was found to be: Shows suspicious behavior.

Malicious Activity Summary

banker discovery evasion

Loads dropped Dex/Jar

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Requests dangerous framework permissions

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-02 23:10

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A
Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS N/A N/A
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A
Required to be able to access the camera device. android.permission.CAMERA N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-02 23:10

Reported

2024-11-02 23:13

Platform

android-x86-arm-20240624-en

Max time kernel

4s

Max time network

137s

Command Line

com.android.erqiwu

Signatures

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /storage/emulated/0/Android/data/wu/cu.zip N/A N/A
N/A /storage/emulated/0/Android/data/wu/cu.zip N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Processes

com.android.erqiwu

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/storage/emulated/0/Android/data/wu/cu.zip --output-vdex-fd=44 --oat-fd=45 --oat-location=/storage/emulated/0/Android/data/wu/oat/x86/cu.odex --compiler-filter=quicken --class-loader-context=&

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 142.250.187.206:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.206:443 android.apis.google.com tcp

Files

/storage/emulated/0/Android/data/wu/cu.zip

MD5 12d9b38e85d542f5f0610fa92b71ce2c
SHA1 800abdeb5c83cfde70ba248795bded9037bf736e
SHA256 83ddc41be3975cd18d2e1c9bcee7b2e024396e93ca109d72e392bdc40ab521fb
SHA512 4e33929bcbfcd7110a14d386f7329baeb22009b03a663b3ae922004ace9478b216fd07b52f94f73bea317cac591f7d7ae2e69c1b57157c1b800a2d4a4384dd1d

/storage/emulated/0/Android/data/wu/cu.zip

MD5 173fe4e906168cffd0260cfebe58e979
SHA1 04a8bd61bda158d453aea084cbf9d8e75cfb5f9c
SHA256 f5ce1e2bfe5af7cc9ec1e877cd4f1f85845444e2cb79945187e4f5d794419c1e
SHA512 273e775d5ab3a92340269ee130c2be4d80a0791a060d3ad404d6cdce902e250978631c1d55339e58ed1a9e319cf0b4b5638eaaddf9b8936a0db0f057128dfa44