Malware Analysis Report

2025-06-15 23:16

Sample ID 241102-3f5mlayekm
Target 8866f3f3f07a43af3fcc0594feae6719_JaffaCakes118
SHA256 e7013d5a097aeeec409e369499dad6d580fdb5ac7b2012ab01fcb9d73d7aa183
Tags: banker, discovery, persistence
Score: 7/10

Analysis Overview

Score: 7/10

SHA256: e7013d5a097aeeec409e369499dad6d580fdb5ac7b2012ab01fcb9d73d7aa183

Threat Level: Shows suspicious behavior

The file 8866f3f3f07a43af3fcc0594feae6719_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

Tags: banker, discovery, persistence

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Reads information about phone network operator.

Requests dangerous framework permissions

Queries information about active data network

Queries information about the current Wi-Fi connection

Registers a broadcast receiver at runtime (usually for listening for system events)

Analysis: static1

Detonation Overview

Reported

2024-11-02 23:28

Signatures

Requests dangerous framework permissions

Process and Target are N/A for every entry below (static analysis only). Indicator, then description:

android.permission.WRITE_SETTINGS: Allows an application to read or write the system settings.
android.permission.SYSTEM_ALERT_WINDOW: Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps.
android.permission.WRITE_EXTERNAL_STORAGE: Allows an application to write to external storage.
android.permission.READ_PHONE_STATE: Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device.
android.permission.READ_EXTERNAL_STORAGE: Allows an application to read from external storage.
android.permission.CAMERA: Required to be able to access the camera device.
android.permission.ACCESS_FINE_LOCATION: Allows an app to access precise location.
android.permission.ACCESS_COARSE_LOCATION: Allows an app to access approximate location.
android.permission.READ_PHONE_STATE (listed a second time): Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device.
android.permission.RECORD_AUDIO: Allows an application to record audio.

Analysis: behavioral5

Detonation Overview

Submitted

2024-11-02 23:28

Reported

2024-11-02 23:31

Platform

android-x64-arm64-20240624-en

Max time network

136s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
GB 216.58.212.238:443 tcp
GB 216.58.212.238:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.204.78:443 android.apis.google.com tcp
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.204.78:443 android.apis.google.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.187.228:443 tcp
GB 142.250.187.228:443 tcp

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-11-02 23:28

Reported

2024-11-02 23:31

Platform

android-x86-arm-20240624-en

Max time kernel

7s

Max time network

133s

Command Line

com.alipay.android.app

Signatures

N/A

Processes

com.alipay.android.app

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 142.250.200.46:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.212.206:443 android.apis.google.com tcp

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-11-02 23:28

Reported

2024-11-02 23:28

Platform

android-33-x64-arm64-20240624-en

Max time network

8s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
GB 142.250.200.42:443 udp
GB 142.250.200.42:443 tcp
N/A 224.0.0.251:5353 udp
GB 216.58.201.100:443 udp
GB 216.58.201.100:443 tcp
GB 216.58.201.100:443 tcp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-02 23:28

Reported

2024-11-02 23:31

Platform

android-x86-arm-20240624-en

Max time kernel

6s

Max time network

155s

Command Line

com.hexin.plat.android

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries information about active data network

discovery
Description: Framework service call
Indicator: android.net.IConnectivityManager.getActiveNetworkInfo
Process: N/A
Target: N/A

Queries information about the current Wi-Fi connection

discovery
Description: Framework service call
Indicator: android.net.wifi.IWifiManager.getConnectionInfo
Process: N/A
Target: N/A

Reads information about phone network operator.

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description: Framework service call
Indicator: android.app.IActivityManager.registerReceiver
Process: N/A
Target: N/A

Processes

com.hexin.plat.android

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 aplugin.hexin.cn udp
CN 1.94.25.74:80 aplugin.hexin.cn tcp
US 1.1.1.1:53 mobi2.hexin.cn udp
HK 94.74.101.253:9528 mobi2.hexin.cn tcp
US 1.1.1.1:53 push.hexin.cn udp
CN 124.71.32.132:8887 push.hexin.cn tcp
US 1.1.1.1:53 register.xmpush.xiaomi.com udp
NL 20.47.97.231:443 register.xmpush.xiaomi.com tcp
CN 116.63.12.240:80 aplugin.hexin.cn tcp
GB 216.58.204.78:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 172.217.169.14:443 android.apis.google.com tcp
CN 121.36.212.121:80 aplugin.hexin.cn tcp
CN 122.9.36.252:80 aplugin.hexin.cn tcp
CN 113.44.51.94:80 aplugin.hexin.cn tcp
CN 122.9.8.175:80 aplugin.hexin.cn tcp
CN 114.116.203.81:80 aplugin.hexin.cn tcp
CN 1.94.130.0:80 aplugin.hexin.cn tcp
CN 114.116.206.27:80 aplugin.hexin.cn tcp
CN 113.44.55.80:80 aplugin.hexin.cn tcp
CN 114.116.201.177:80 aplugin.hexin.cn tcp
CN 60.204.151.124:80 aplugin.hexin.cn tcp
CN 122.9.35.12:80 aplugin.hexin.cn tcp
CN 119.3.30.246:8887 push.hexin.cn tcp
CN 123.60.158.27:80 aplugin.hexin.cn tcp
CN 122.9.41.100:80 aplugin.hexin.cn tcp

Files

/data/data/com.hexin.plat.android/databases/file.db-journal

/data/data/com.hexin.plat.android/databases/file.db

/data/data/com.hexin.plat.android/databases/file.db-shm

/data/data/com.hexin.plat.android/databases/file.db-wal

/data/data/com.hexin.plat.android/databases/logo.db-journal

/data/data/com.hexin.plat.android/databases/logo.db-wal

/data/data/com.hexin.plat.android/cache/httpcache/journal.tmp

/data/data/com.hexin.plat.android/databases/hexin.db

/data/data/com.hexin.plat.android/databases/hexin.db-journal

/data/data/com.hexin.plat.android/databases/hexin.db (second entry)

/data/data/com.hexin.plat.android/databases/hexin.db-wal

/data/data/com.hexin.plat.android/databases/push.db-journal

/data/data/com.hexin.plat.android/databases/push.db-wal

/data/data/com.hexin.plat.android/files/saveConnectInfo.txt

/data/data/com.hexin.plat.android/files/saveConnectInfo.txt (second entry)

/data/data/com.hexin.plat.android/files/champions.dat

/data/data/com.hexin.plat.android/files/user_info.dat

/data/data/com.hexin.plat.android/cache/push/pushServerinfo.txt

/data/data/com.hexin.plat.android/files/selfstock_list

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-02 23:28

Reported

2024-11-02 23:28

Platform

android-33-x64-arm64-20240624-en

Max time network

6s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 142.250.200.36:443 udp
GB 142.250.200.36:443 tcp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-02 23:28

Reported

2024-11-02 23:31

Platform

android-x86-arm-20240624-en

Max time network

129s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
GB 216.58.201.110:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 172.217.169.14:443 android.apis.google.com tcp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-11-02 23:28

Reported

2024-11-02 23:31

Platform

android-x64-20240624-en

Max time network

158s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 172.217.169.8:443 ssl.google-analytics.com tcp
GB 142.250.187.206:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.200.14:443 android.apis.google.com tcp
GB 142.250.180.4:443 tcp
GB 142.250.180.4:443 tcp

Files

N/A