Malware Analysis Report

2025-06-15 23:16

Sample ID: 241102-3m8mts1rap
Target: 8873436c80ff14237fb4407af7ed781e_JaffaCakes118
SHA256: 221d5ed99d465d96de767db904eca84e478d80f26ee9cb4cd9130a6d63ef7965
Tags: banker discovery evasion execution impact persistence
Score: 8/10

Analysis Overview

Threat Level: Likely malicious (score 8/10)

The file 8873436c80ff14237fb4407af7ed781e_JaffaCakes118 was found to be: Likely malicious. The "banker" tag rests on a single heuristic, the enumeration of installed applications, which overlay trojans use to choose which apps to imitate. The detonated package is com.qihoo.appstore and its traffic goes mainly to 360.cn hosts, so weigh the verdict against the permission tables in static1 and the process list in behavioral1 rather than acting on the score alone.

Malicious Activity Summary

Tags: banker discovery evasion execution impact persistence

Checks if the Android device is rooted.

Queries information about running processes on the device

Checks known Qemu files.

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Queries information about the current Wi-Fi connection

Acquires the wake lock

Queries information about active data network

Reads information about phone network operator.

Declares services with permission to bind to the system

Requests dangerous framework permissions

Schedules tasks to execute at a specified time

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

Checks CPU information

Analysis: static1

Detonation Overview

Reported

2024-11-02 23:39

Signatures

Declares services with permission to bind to the system

Permission: Description
android.permission.BIND_ACCESSIBILITY_SERVICE: Required by accessibility services to bind with the system. Allows apps to access accessibility features.
android.permission.BIND_NOTIFICATION_LISTENER_SERVICE: Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device.
android.permission.BIND_VPN_SERVICE: Required by VPN services to bind with the system. Allows apps to provision VPN services.

Requests dangerous framework permissions

Permission: Description
android.permission.WRITE_EXTERNAL_STORAGE: Allows an application to write to external storage.
android.permission.READ_PHONE_STATE: Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device.
android.permission.SYSTEM_ALERT_WINDOW: Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps.
android.permission.CAMERA: Required to be able to access the camera device.
android.permission.ACCESS_FINE_LOCATION: Allows an app to access precise location.
android.permission.READ_CALL_LOG: Allows an application to read the user's call log.
android.permission.WRITE_CALL_LOG: Allows an application to write and read the user's call log data.
android.permission.READ_CONTACTS: Allows an application to read the user's contacts data.
android.permission.WRITE_CONTACTS: Allows an application to write the user's contacts data.
android.permission.READ_SMS: Allows an application to read SMS messages.
android.permission.WRITE_SETTINGS: Allows an application to read or write the system settings.
android.permission.RECEIVE_SMS: Allows an application to receive SMS messages.
android.permission.SEND_SMS: Allows an application to send SMS messages.
android.permission.ACCESS_COARSE_LOCATION: Allows an app to access approximate location.
android.permission.RECORD_AUDIO: Allows an application to record audio.
android.permission.CALL_PHONE: Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call.
android.permission.GET_ACCOUNTS: Allows access to the list of accounts in the Accounts Service.
android.permission.PACKAGE_USAGE_STATS: Allows an application to collect component usage statistics.
android.permission.READ_CALENDAR: Allows an application to read the user's calendar data.
android.permission.WRITE_CALENDAR: Allows an application to write the user's calendar data.
android.permission.PROCESS_OUTGOING_CALLS: Allows an application to see the number being dialed during an outgoing call with the option to redirect the call to a different number or abort the call altogether.
android.permission.READ_EXTERNAL_STORAGE: Allows an application to read from external storage. (listed three times by the sandbox)

Note: SYSTEM_ALERT_WINDOW, WRITE_SETTINGS and PACKAGE_USAGE_STATS are not runtime "dangerous" permissions in the Android permission model; they are special-access permissions the user grants from Settings screens, so an audit of runtime prompts will not show them. PROCESS_OUTGOING_CALLS has been deprecated since Android 10 (API 29), where CallRedirectionService replaced it.
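
The permission tables above list capabilities one at a time; what a triage analyst actually looks for is the combination. The script below is an added example, not sandbox output and not code from the analysed application. REPORT_PERMISSIONS is copied from the two static1 tables; the capability buckets, the SPECIAL_ACCESS set and the banker-profile rule (overlay plus accessibility plus a channel for one-time codes via SMS or notification access) are this example's own triage assumptions. The rule flags a capability set, not intent: legitimate app-store and device-management clients that automate installation through an accessibility service request much the same set, so a hit is a reason to inspect, not a verdict.

```python
"""Capability profiling of an Android permission list.

Added example for this report; not sandbox output and not code from the
analysed application. REPORT_PERMISSIONS is copied from the static1 tables.
The capability buckets, SPECIAL_ACCESS and the banker-profile rule are this
example's own triage assumptions.
"""
from dataclasses import dataclass

P = "android.permission."

# Copied from the static1 "Declares services with permission to bind to the
# system" and "Requests dangerous framework permissions" tables above.
REPORT_PERMISSIONS = [
    P + "BIND_ACCESSIBILITY_SERVICE", P + "BIND_NOTIFICATION_LISTENER_SERVICE",
    P + "BIND_VPN_SERVICE", P + "WRITE_EXTERNAL_STORAGE", P + "READ_PHONE_STATE",
    P + "SYSTEM_ALERT_WINDOW", P + "CAMERA", P + "ACCESS_FINE_LOCATION",
    P + "READ_CALL_LOG", P + "WRITE_CALL_LOG", P + "READ_CONTACTS",
    P + "WRITE_CONTACTS", P + "READ_SMS", P + "WRITE_SETTINGS", P + "RECEIVE_SMS",
    P + "SEND_SMS", P + "ACCESS_COARSE_LOCATION", P + "RECORD_AUDIO",
    P + "CALL_PHONE", P + "GET_ACCOUNTS", P + "PACKAGE_USAGE_STATS",
    P + "READ_CALENDAR", P + "WRITE_CALENDAR", P + "PROCESS_OUTGOING_CALLS",
    P + "READ_EXTERNAL_STORAGE", P + "READ_EXTERNAL_STORAGE",
    P + "READ_EXTERNAL_STORAGE",  # the sandbox lists this entry three times
]

# Assumption: one analyst's grouping of permissions into abuse capabilities.
CAPABILITIES = {
    "overlay": {P + "SYSTEM_ALERT_WINDOW"},
    "accessibility": {P + "BIND_ACCESSIBILITY_SERVICE"},
    "notification_access": {P + "BIND_NOTIFICATION_LISTENER_SERVICE"},
    "sms": {P + "READ_SMS", P + "RECEIVE_SMS", P + "SEND_SMS"},
    "call_control": {P + "CALL_PHONE", P + "PROCESS_OUTGOING_CALLS",
                     P + "READ_CALL_LOG", P + "WRITE_CALL_LOG"},
    "contacts": {P + "READ_CONTACTS", P + "WRITE_CONTACTS", P + "GET_ACCOUNTS"},
    "location": {P + "ACCESS_FINE_LOCATION", P + "ACCESS_COARSE_LOCATION"},
    "av_capture": {P + "CAMERA", P + "RECORD_AUDIO"},
    "app_usage": {P + "PACKAGE_USAGE_STATS"},
    "vpn": {P + "BIND_VPN_SERVICE"},
}

# Granted from Settings screens rather than a runtime prompt; the sandbox
# nevertheless files them under "dangerous".
SPECIAL_ACCESS = {P + "SYSTEM_ALERT_WINDOW", P + "WRITE_SETTINGS",
                  P + "PACKAGE_USAGE_STATS"}

# Assumption: overlay + accessibility + a channel for one-time codes is the
# minimum capability set an overlay banker needs.
BANKER_CORE = {"overlay", "accessibility"}
BANKER_OTP_CHANNELS = {"sms", "notification_access"}


@dataclass
class PermissionProfile:
    capabilities: set
    special_access: set
    uncategorized: set
    duplicates: set
    banker_profile: bool


def profile_permissions(perms):
    """Map a raw permission list onto capabilities and apply the banker rule."""
    seen, duplicates = set(), set()
    for p in perms:
        if p in seen:
            duplicates.add(p)
        seen.add(p)
    capabilities = {name for name, members in CAPABILITIES.items() if seen & members}
    categorized = set().union(*CAPABILITIES.values()) | SPECIAL_ACCESS
    return PermissionProfile(
        capabilities=capabilities,
        special_access=seen & SPECIAL_ACCESS,
        uncategorized=seen - categorized,
        duplicates=duplicates,
        banker_profile=BANKER_CORE <= capabilities
        and bool(capabilities & BANKER_OTP_CHANNELS),
    )


if __name__ == "__main__":
    profile = profile_permissions(REPORT_PERMISSIONS)
    for name, value in vars(profile).items():
        print(f"{name}: {sorted(value) if isinstance(value, set) else value}")
```

For this sample the rule fires (overlay, accessibility, SMS and notification access are all present); the uncategorized bucket is where storage, phone-state and calendar permissions land so that nothing is silently dropped from the review.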

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-02 23:38

Reported

2024-11-02 23:41

Platform

android-x86-arm-20240624-en

Max time kernel

149s

Max time network

159s

Command Line

com.qihoo.appstore

Signatures

Checks if the Android device is rooted.

evasion
Indicator (file path checked): /sbin/su

Checks known Qemu files.

evasion
Indicators (file paths checked):
/system/lib/libc_malloc_debug_qemu.so
/sys/qemu_trace
/system/bin/qemu-props

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery
Indicator: none recorded by the sandbox; the process list below shows the enumeration itself (pm list packages and cmd package list packages).

Queries information about running processes on the device

discovery
Framework service call: android.app.IActivityManager.getRunningAppProcesses (2 calls)

Acquires the wake lock

Framework service call: android.os.IPowerManager.acquireWakeLock (1 call)

Queries information about active data network

discovery
Framework service call: android.net.IConnectivityManager.getActiveNetworkInfo (2 calls)

Queries information about the current Wi-Fi connection

discovery
Framework service call: android.net.wifi.IWifiManager.getConnectionInfo (2 calls)

Reads information about phone network operator.

discovery
Indicator: none recorded by the sandbox.

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Framework service call: android.app.IActivityManager.registerReceiver (3 calls)

Schedules tasks to execute at a specified time

execution persistence
Framework service call: android.app.job.IJobScheduler.schedule (1 call)

Uses Crypto APIs (Might try to encrypt user data)

impact
Framework API call: javax.crypto.Cipher.doFinal (2 calls)
Note: Cipher.doFinal is the generic completion call for any javax.crypto cipher operation; two calls show that the app encrypts or decrypts something, not that user data is the target.

Checks CPU information

File opened for read: /proc/cpuinfo (2 reads)

Processes

com.qihoo.appstore

com.qihoo.daemon

/system/bin/sh

com.qihoo.appstore:critical

/system/bin/sh /system/bin/pm list packages

app_process32 / com.qihoo.appstore.rootcommand.persistent.CoreDaemon --nice-name=com.qihoo.appstore_CoreDaemon --daemon

cmd package list packages

/system/bin/ping -i 0.5 -s 56 -w 10 -c 10 221.130.199.88 (spawned 4 times)

Network

Country Destination Domain Proto Connections
N/A 224.0.0.251:5353 - udp 1
US 1.1.1.1:53 openbox.mobilem.360.cn udp 1
CN 180.163.251.81:80 openbox.mobilem.360.cn tcp 1
US 1.1.1.1:53 m.irs01.com udp 1
US 1.1.1.1:53 p.s.360.cn udp 1
DE 47.254.148.188:80 p.s.360.cn tcp 2
US 1.1.1.1:53 update.api.sj.360.cn udp 1
CN 180.163.251.81:80 update.api.sj.360.cn tcp 4
US 1.1.1.1:53 s.360.cn udp 1
CN 171.8.167.90:80 s.360.cn tcp 1
US 1.1.1.1:53 api.kuaidi.360.cn udp 1
US 1.1.1.1:53 sdk.s.360.cn udp 1
CN 101.198.1.205:80 api.kuaidi.360.cn tcp 4
US 104.192.108.22:80 sdk.s.360.cn tcp 1
GB 142.250.200.46:443 - tcp 1
US 1.1.1.1:53 android.apis.google.com udp 1
GB 216.58.204.78:443 android.apis.google.com tcp 1
CN 125.88.193.234:80 - tcp 2
CN 123.125.82.206:80 - tcp 1
CN 221.130.199.88:7 - tcp 39
CN 218.30.118.222:80 - tcp 1
CN 221.130.199.88:80 - tcp 4
US 1.1.1.1:53 md.openapi.360.cn udp 1
US 104.192.110.235:80 md.openapi.360.cn tcp 1
CN 101.198.2.147:80 s.360.cn tcp 1

Rows are in order of first appearance; the Connections column counts how many times the sandbox recorded that destination. 221.130.199.88 is the host targeted by the four /system/bin/ping processes listed above, and TCP port 7 is the echo service. 1.1.1.1:53 is the resolver the sandbox hands out, and 224.0.0.251:5353 is multicast DNS.
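
Sandbox network tables record every connection as its own row, which hides the shape of the traffic. The script below is an added example, not sandbox output and not code from the analysed application: NETWORK_ROWS is a constructed subset of the rows in the behavioral1 Network table and PROCESS_ROWS a subset of its Processes list, both copied verbatim. It collapses rows to one entry per destination with a count, flags destination ports that an app has little legitimate business with (the UNUSUAL_PORTS table is this example's assumption; TCP 7 is the echo service), and cross-references destination IPs against process command lines, which is what ties the port-7 connections and the ping invocations in this report to the same host.

```python
"""Aggregate per-connection sandbox network rows and correlate them with
process command lines.

Added example for this report; not sandbox output and not code from the
analysed application. NETWORK_ROWS and PROCESS_ROWS are constructed subsets
copied from the behavioral1 Network and Processes sections. UNUSUAL_PORTS is
this example's assumption.
"""
import re
from collections import Counter, defaultdict

# Constructed sample: rows copied from the behavioral1 Network table.
NETWORK_ROWS = """\
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 update.api.sj.360.cn udp
CN 180.163.251.81:80 update.api.sj.360.cn tcp
CN 180.163.251.81:80 update.api.sj.360.cn tcp
CN 221.130.199.88:7 tcp
CN 221.130.199.88:7 tcp
CN 221.130.199.88:7 tcp
CN 221.130.199.88:80 tcp
CN 125.88.193.234:80 tcp
"""

# Constructed sample: entries copied from the behavioral1 Processes list.
PROCESS_ROWS = [
    "com.qihoo.appstore",
    "/system/bin/sh /system/bin/pm list packages",
    "/system/bin/ping -i 0.5 -s 56 -w 10 -c 10 221.130.199.88",
    "/system/bin/ping -i 0.5 -s 56 -w 10 -c 10 221.130.199.88",
]

# "Country ip:port [domain] proto"; the domain column is empty for bare IPs.
ROW_RE = re.compile(
    r"^(?P<country>\S+)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)"
    r"(?:\s+(?P<domain>\S+))?\s+(?P<proto>tcp|udp)$"
)
IPV4_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")

# Assumption: destination ports an application has little reason to use.
UNUSUAL_PORTS = {7: "echo", 23: "telnet"}


def parse_rows(text):
    """Parse 'Country Destination [Domain] Proto' rows into dicts."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROW_RE.match(line)
        if m is None:
            raise ValueError(f"unparsable row: {line!r}")
        row = m.groupdict()
        row["port"] = int(row["port"])
        rows.append(row)
    return rows


def aggregate(rows):
    """Collapse per-connection rows to one entry per (ip, port, proto)."""
    counts = Counter()
    domains = defaultdict(set)
    country = {}
    for r in rows:
        key = (r["ip"], r["port"], r["proto"])
        counts[key] += 1
        country.setdefault(key, r["country"])
        if r["domain"]:
            domains[key].add(r["domain"])
    return {
        key: {"count": n, "country": country[key], "domains": sorted(domains[key])}
        for key, n in counts.items()
    }


def hosts_probed_by_processes(rows, processes):
    """Destination IPs that also appear literally in a process command line."""
    in_cmdlines = {ip for cmd in processes for ip in IPV4_RE.findall(cmd)}
    return sorted(in_cmdlines & {r["ip"] for r in rows})


def findings(rows, processes):
    """Aggregate, flag unusual ports and correlate with process command lines."""
    agg = aggregate(rows)
    unusual = [
        {"ip": ip, "port": port, "proto": proto,
         "service": UNUSUAL_PORTS[port], "count": v["count"]}
        for (ip, port, proto), v in sorted(agg.items())
        if port in UNUSUAL_PORTS
    ]
    return {"aggregate": agg, "unusual_ports": unusual,
            "probed_by_process": hosts_probed_by_processes(rows, processes)}


if __name__ == "__main__":
    result = findings(parse_rows(NETWORK_ROWS), PROCESS_ROWS)
    for key, info in result["aggregate"].items():
        print(key, info)
    print("unusual ports:", result["unusual_ports"])
    print("probed by process:", result["probed_by_process"])
```

Run against the full table above, the same logic produces the 39-connection entry for 221.130.199.88:7 and names that host as the one the ping processes probed; the parser raises on any row it cannot read rather than silently skipping it, so a changed report layout is noticed rather than under-counted.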

Files

/data/data/com.qihoo.appstore/databases/filelist.db-journal

MD5 31e65866cbdc0ac5ef6a113b53ac9ebd
SHA1 8b5f274c92b64739e0f0196510e8aa3b190f3e33
SHA256 2263fe8fa41561d622d9c4fe17c12c01bb22e6471540ce6f2b55bfa0ae0432c1
SHA512 c4dc7b0dd8b5fe9d29d40f28114daa4cd2967b50933c1b9eb632f562c6a1af5a16bafcb43262353e5ea2c5955f22f5632834dca38ae51af1da7554a362542293

/data/data/com.qihoo.appstore/files/sllak/opt/4249/finalcore.jar

MD5 f113a25b26661f5dd6da8d6da00d8da7
SHA1 8d1ab96cb2f584814129f1f0daaf46e9990b3e9d
SHA256 63b1c36df33ebbebf6af6f7610e99acc658daf4a8d2b7ddf517227dc1688bbb7
SHA512 a2af435bcb7c2f653b038b67b3200a0c5b212447ad14d2aa2beb3a58ac5f89d0c0eaa0acfcaefaa1ea227058f02cf8a8ebfd0c9b1ece8c5298f7dd560d5483ad

/data/data/com.qihoo.appstore/databases/filelist.db

MD5 908c3e77354be74e5c4f41cf9ef69eba
SHA1 6815cc47ddc033fbefe926b212a68c2af9812acd
SHA256 490b84cdf2f4aa33fc2d9ae0ec4259b83e5798fd9545e4d38b9a1e263d087e34
SHA512 a87ed6c79ea6614293d378d17bfee6c95930678e58e1f44d3d2dd6fd9b8016ea94e0def96d9bc7f76460bf61ec2bc285af72ccfee94d3949d134b40173ed3dfc

/data/data/com.qihoo.appstore/databases/filelist.db-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.qihoo.appstore/databases/filelist.db-wal

MD5 1713b7f6d340992fb3c713d96a2c83ea
SHA1 f266eed6a27052cecfae1bc70b27a07fb54d2429
SHA256 e361e4e1dfa865de0f49fc24fe3af93fe0610a17864ffe19e42458d2b9e3d71c
SHA512 ed5df315470d7d33f09237c1eb8ac25f26e2ab36453ecfe93b08fd8235f7a512e35d43dc7fe5419b19be86bcacf882ea9fd56c0e1a40da0eba00b8c79ac69e1d

/data/data/com.qihoo.appstore/databases/download5.db-journal

MD5 f3c00b27cdfa7d8ce50cc892f11e9fad
SHA1 78047a6fe0468ca1dc321779aae82ca430abd336
SHA256 0fdd55da9489388da440329133c37a5934fe50dd8bb02dd7c7788902a14a436a
SHA512 8baa22bb1dfeb55ef8ac27cfaa379f8b17432a49f7e87efa88e11f8b14c8313416c755ce09cb02b16a7d2fbfdeb2f3f7ba6699c7a5e3a0e2579d06b1c5707643

/data/data/com.qihoo.appstore/databases/download5.db

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.qihoo.appstore/databases/download5.db-wal

MD5 c9b9c68f5445dc86719b1a33de4c1eca
SHA1 753412d9c946050fa089747e867337d464731c88
SHA256 1a8532c7cbb0c05ef5d1aa7b298574fdd6d1de262a2d07d59f6b7c0938fb3e37
SHA512 70b4f8abec5f39eba616780fa877ff8bbafb0ee3f567113c428cc771a66b052e864a66d8feb4a4184451910a78079a8af9bfa7d054710749fb3e8a4abc55c038

/data/data/com.qihoo.appstore/databases/new_downloads.db-journal

MD5 f6981bdafb86f0d591a9b551d7c17b73
SHA1 0c5b1f4910f3e093a12d2bb92e8f13c2fe11e526
SHA256 b18bc7a69872504ce07e099d8a36b8ce2ae5b5049a182c93a7967594055d4652
SHA512 d6f710e9e420cbff008a03a01abaf3922bdf74c5336ad55f4392664b4063a693adcbfd2644214bf0ac0c213aa011a9b7e32a7a49a9bddbf19fc3cab04d258694

/data/data/com.qihoo.appstore/databases/new_downloads.db

MD5 3fe30614d7e0d11db870b4624f6c50e0
SHA1 053ff0fc621ab40f2afeddb3e7b4a73ee41ec533
SHA256 67c532f0324228dd33b445cd399c1426e3a0e0cdc7b9358c66b402c5d40a838d
SHA512 c7c09e97a408e88aacaf8099ad4d1fa604d58113393500a384eb3c2eb7c3c105af41314934b86eca2f088045cbab5a20d768bbb295448dc1ae6cb6c3f59821ae

/data/data/com.qihoo.appstore/databases/new_downloads.db-wal

MD5 2482c79d6602bcf2f179dddedc8b410b
SHA1 f0a658c055e38776f59f20d6b96e23fa7ac76ac4
SHA256 48eaa83435a117fe6d075ace8a9c9c554ab74e5898489160af7525b1f77fe388
SHA512 37200e4f3a71bd9e8fe86ea0634e885ce924608fd191fe8da375076ad61304194e9970fd50e652658b28ef03d9c0c586ea6383bc7927a5903d6ab349ae00eb47

/data/data/com.qihoo.appstore/databases/_ire-journal

MD5 fb3f5307102bfb95a4d8dc31558af09a
SHA1 5238cae8189e7e261be9424f0681ca8526c55ea6
SHA256 ad3a2d3f0504a574a8203cd0cb1ff2504ffb492acae02f4bc9c06292fc14a929
SHA512 a2b5b72c1ab47b3b69370faa44c3604c30b41ca432a155ccd65561a638b2419aeb95d395cdc59ca599273c55a040f7a113f712efe802052ac488a7229f002fa2

/data/data/com.qihoo.appstore/databases/_ire-wal

MD5 195fd7ab3fa09afcb44f08527653f9d2
SHA1 82a30b4e8aeb8e7a58020ef7a717cbc1b28ff904
SHA256 a091c507e28a85e18875eb3cd6e956c2e50a1751ea06f8a1e55f20178b981d9f
SHA512 5b1ac7c2ca2e7a1060a6eba4588c0812755b33c0761791f8078ba133f3a1af73103c036e2b7959cb326888f35b6a228cf3b89520e959409c108dd9dc69b89e97

/data/data/com.qihoo.appstore/files/360/sdk/persistence/data/Y29tLnFpaG9vLmFwcHN0b3Jl

MD5 66c108415a6dd3a64192d648991a724d
SHA1 e35e3309004c734c1acce4281cb1eb28541c10cf
SHA256 22bb6c68d7ea2840ab5afda912bc70342737dfe3bef708d429f6d9509b89ed38
SHA512 482648691a0cb063804762bc69a4c8c8fcb970ddb62fa8bb61d57f8b552bc0b3cf06b6232ae38cf6f9589d1af178914524c64c46791de4d531dbc483852fb496

/data/data/com.qihoo.appstore/files/360/sdk/persistence/Y29tLnFpaG9vLmFwcHN0b3Jl

MD5 c81e728d9d4c2f636f067f89cc14862c
SHA1 da4b9237bacccdf19c0760cab7aec4a8359010b0
SHA256 d4735e3a265e16eee03f59718b9b5d03019c07d8b6c51f90da3a666eec13ab35
SHA512 40b244112641dd78dd4f93b6c9190dd46e0099194d5a44257b7efad6ef9ff4683da1eda0244448cb343aa688f5d3efd7314dafe580ac0bcbf115aeca9e8dc114

/data/data/com.qihoo.appstore/files/360/sdk/persistence/data/Y29tLnFpaG9vLmFwcHN0b3Jl

MD5 20133fef35d18a5bfc2a27863c9f93aa
SHA1 60dd93afcd18951d16f976cbba4e4ec5c9e0b89b
SHA256 eafb19915011eb9bd8d879ab54564507eab9f623e6ebe9116b9c16442fbbed8a
SHA512 a4b0dc8fc4c0a538685a61b78444a0520b1070f6027be390c2e4c9909562f7686610c08c629587749cd1af620a4537b5b57371bae3aa4ab8d4320555437c21fb
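
Two of the artifacts above repay a second look without any access to the device. The path component Y29tLnFpaG9vLmFwcHN0b3Jl is standard base64 for "com.qihoo.appstore", and the hashes reported for /files/360/sdk/persistence/Y29tLnFpaG9vLmFwcHN0b3Jl (MD5 c81e728d9d4c2f636f067f89cc14862c, SHA1 da4b9237bacccdf19c0760cab7aec4a8359010b0, SHA256 d4735e3a265e16eee03f59718b9b5d03019c07d8b6c51f90da3a666eec13ab35) are the digests of the one-byte string "2", so that file holds the literal "2", presumably a counter or flag. The script below is an added example, not sandbox output and not code from the analysed application; REPORT_FILES copies three paths and their MD5s from the list above, and the candidate contents it hashes are this example's own guess list. A hash match is a definite identification; a miss says nothing.

```python
"""Decode opaque artifact names and fingerprint trivially small file contents.

Added example for this report; not sandbox output and not code from the
analysed application. REPORT_FILES copies paths and MD5s from the behavioral1
Files list. TRIVIAL_CONTENTS is this example's own guess list.
"""
import base64
import binascii
import hashlib
import posixpath

# Copied from the behavioral1 Files section: path -> MD5 as reported.
REPORT_FILES = {
    "/data/data/com.qihoo.appstore/files/360/sdk/persistence/Y29tLnFpaG9vLmFwcHN0b3Jl":
        "c81e728d9d4c2f636f067f89cc14862c",
    "/data/data/com.qihoo.appstore/files/360/sdk/persistence/data/Y29tLnFpaG9vLmFwcHN0b3Jl":
        "66c108415a6dd3a64192d648991a724d",
    "/data/data/com.qihoo.appstore/databases/filelist.db-journal":
        "31e65866cbdc0ac5ef6a113b53ac9ebd",
}

# Assumption: contents a counter, flag or marker file would plausibly hold.
TRIVIAL_CONTENTS = (
    [b""]
    + [str(i).encode() for i in range(10)]
    + [str(i).encode() + b"\n" for i in range(10)]
    + [b"true", b"false"]
)


def decode_base64_name(name):
    """Return the plaintext if `name` is standard base64 of printable text, else None."""
    try:
        raw = base64.b64decode(name, validate=True)  # rejects '.', '-' and bad padding
        text = raw.decode("utf-8")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    return text if text and text.isprintable() else None


def identify_trivial_content(md5_hex):
    """Return the candidate bytes whose MD5 equals md5_hex, or None if none match."""
    wanted = md5_hex.lower()
    for candidate in TRIVIAL_CONTENTS:
        if hashlib.md5(candidate).hexdigest() == wanted:
            return candidate
    return None


def triage_files(files):
    """Annotate each reported file with a decoded name and identified content where possible."""
    return {
        path: {
            "decoded_name": decode_base64_name(posixpath.basename(path)),
            "content": identify_trivial_content(md5_hex),
        }
        for path, md5_hex in files.items()
    }


if __name__ == "__main__":
    for path, info in triage_files(REPORT_FILES).items():
        print(path)
        print("  decoded name:", info["decoded_name"])
        print("  content:", info["content"])
```

The second persistence file with the same decoded name (MD5 66c108415a6dd3a64192d648991a724d) does not match any candidate, so its content stays unknown; extend TRIVIAL_CONTENTS only with values you have a reason to expect, since a wider guess list costs nothing but also proves nothing on a miss.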

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-02 23:38

Reported

2024-11-02 23:39

Platform

android-33-x64-arm64-20240624-en

Max time network

6s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 142.250.200.36:443 udp
GB 142.250.200.36:443 tcp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-02 23:38

Reported

2024-11-02 23:41

Platform

android-x86-arm-20240624-en

Max time network

128s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
GB 216.58.201.110:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.178.14:443 android.apis.google.com tcp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-11-02 23:38

Reported

2024-11-02 23:41

Platform

android-x64-20240624-en

Max time network

133s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 216.58.212.232:443 ssl.google-analytics.com tcp
GB 142.250.179.238:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.178.14:443 android.apis.google.com tcp
GB 142.250.179.228:443 tcp
GB 142.250.179.228:443 tcp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-11-02 23:38

Reported

2024-11-02 23:41

Platform

android-x64-arm64-20240624-en

Max time network

135s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
GB 142.250.180.14:443 tcp
GB 142.250.180.14:443 tcp
GB 142.250.180.14:443 tcp
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.178.14:443 android.apis.google.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 216.58.212.200:443 ssl.google-analytics.com tcp
GB 142.250.200.36:443 tcp
GB 142.250.200.36:443 tcp

Files

N/A