Malware Analysis Report

2025-06-15 22:32

Sample ID 241102-ghf65azfmk
Target 84da1c0827485fae82eccead3341bf4f_JaffaCakes118
SHA256 e5e31186fff8498590d7c8ba9aac784f84d5bd82867ba0c37112260f6f312043
Tags
collection discovery evasion persistence
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

e5e31186fff8498590d7c8ba9aac784f84d5bd82867ba0c37112260f6f312043

Threat Level: Shows suspicious behavior

The file 84da1c0827485fae82eccead3341bf4f_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

collection discovery evasion persistence

Queries information about running processes on the device

Queries the phone number (MSISDN for GSM devices)

Requests cell location

Loads dropped Dex/Jar

Queries the unique device ID (IMEI, MEID, IMSI)

Queries information about active data network

Queries information about the current Wi-Fi connection

Requests dangerous framework permissions

Registers a broadcast receiver at runtime (usually for listening for system events)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-02 05:48

Signatures

Requests dangerous framework permissions

Process and Target were N/A for every row; permissions repeated in the original listing are collapsed and counted.

Indicator                                    Times listed  Description
android.permission.READ_PHONE_STATE          7             Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device.
android.permission.WRITE_EXTERNAL_STORAGE    6             Allows an application to write to external storage.
android.permission.READ_EXTERNAL_STORAGE     3             Allows an application to read from external storage.
android.permission.SYSTEM_ALERT_WINDOW       4             Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps.
android.permission.READ_CALENDAR             1             Allows an application to read the user's calendar data.
android.permission.WRITE_CALENDAR            1             Allows an application to write the user's calendar data.
android.permission.ACCESS_COARSE_LOCATION    5             Allows an app to access approximate location.
android.permission.ACCESS_FINE_LOCATION      4             Allows an app to access precise location.
android.permission.SEND_SMS                  2             Allows an application to send SMS messages.
android.permission.READ_CONTACTS             1             Allows an application to read the user's contacts data.
android.permission.RECEIVE_SMS               1             Allows an application to receive SMS messages.
android.permission.READ_SMS                  1             Allows an application to read SMS messages.
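A flat permission list is easier to reason about once it is collapsed into capabilities and checked for combinations (overlay plus SMS read, SMS send plus phone identity). The Python below is an added triage example, not part of the sandbox or of the sample: the embedded rows are an excerpt of the table above, and the capability groupings and review rules are this example's own heuristics, not the sandbox's scoring.

```python
import re
from collections import Counter

# Excerpt of the rows from the static1 permission table above (this report's
# own data); the full table parses the same way.
REPORT_ROWS = """\
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
"""

PERM_RE = re.compile(r"\b(android\.permission\.[A-Z_]+)\b")

# Capability groupings and the review rules below are this example's own
# triage heuristics (assumption), not part of the sandbox's scoring.
CAPABILITIES = {
    "sms_read":     {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "sms_send":     {"android.permission.SEND_SMS"},
    "overlay":      {"android.permission.SYSTEM_ALERT_WINDOW"},
    "telephony_id": {"android.permission.READ_PHONE_STATE"},
    "location":     {"android.permission.ACCESS_FINE_LOCATION",
                     "android.permission.ACCESS_COARSE_LOCATION"},
    "contacts":     {"android.permission.READ_CONTACTS"},
    "calendar":     {"android.permission.READ_CALENDAR", "android.permission.WRITE_CALENDAR"},
    "ext_storage":  {"android.permission.READ_EXTERNAL_STORAGE",
                     "android.permission.WRITE_EXTERNAL_STORAGE"},
}


def parse_permissions(report_text: str) -> Counter:
    """Return each permission name and how many times the table lists it."""
    return Counter(PERM_RE.findall(report_text))


def capabilities(perms) -> set:
    """Map the requested permissions to coarse capability labels."""
    requested = set(perms)
    return {name for name, needed in CAPABILITIES.items() if requested & needed}


def review_flags(perms) -> list:
    """Permission combinations that should send a sample to manual review."""
    caps = capabilities(perms)
    flags = []
    if "sms_read" in caps and "overlay" in caps:
        flags.append("overlay + SMS read: can phish credentials and capture OTPs")
    if "sms_send" in caps and "telephony_id" in caps:
        flags.append("SMS send + phone state: premium-SMS / subscription fraud capability")
    if "location" in caps and "contacts" in caps:
        flags.append("location + contacts: user profiling / data collection")
    return flags


if __name__ == "__main__":
    counts = parse_permissions(REPORT_ROWS)
    for perm, n in counts.most_common():
        print(f"{n:2d}x {perm}")
    print("capabilities:", sorted(capabilities(counts)))
    for flag in review_flags(counts):
        print("REVIEW:", flag)
```

The repeat counts matter on their own: a permission that appears several times in a static scan of one submission usually means more than one manifest was scanned, which fits the bundled APKs that the behavioral run later drops.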

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-02 05:48

Reported

2024-11-02 05:51

Platform

android-x86-arm-20240910-en

Max time kernel

3s

Max time network

157s

Command Line

com.ddy.qmgslm.mi

Signatures

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.ddy.qmgslm.mi/app_mimo/mimo_asset.apk N/A N/A
N/A /data/user/0/com.ddy.qmgslm.mi/cache/mubiao/SDK1830_dex.jar N/A N/A
N/A /data/user/0/com.ddy.qmgslm.mi/cache/mubiao/SDK1830_dex.jar N/A N/A
N/A /data/user/0/com.ddy.qmgslm.mi/app_analytics/analytics.apk N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Requests cell location

collection discovery evasion
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getCellLocation N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Requests dangerous framework permissions

Description Indicator Process Target
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Processes

com.ddy.qmgslm.mi

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.ddy.qmgslm.mi/cache/mubiao/SDK1830_dex.jar --output-vdex-fd=78 --oat-fd=81 --oat-location=/data/user/0/com.ddy.qmgslm.mi/cache/mubiao/oat/x86/SDK1830_dex.odex --compiler-filter=quicken --class-loader-context=&
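The dex2oat invocation above is what the "Loads dropped Dex/Jar" signature is keyed on: the runtime is compiling a DEX that lives in the app's private cache directory rather than in an installed package under /data/app. The Python below is an added example, not sandbox or sample code: it parses such a command line to pull out the compiled file and decide whether it came from app-private storage, and it classifies a dropped blob by magic bytes instead of trusting the extension. The command line is the one recorded above minus its truncated trailing --class-loader-context flag; the zip inputs are constructed for the demonstration.

```python
import io
import shlex
import zipfile

# The dex2oat command line from the Processes section above, without the
# --class-loader-context flag, which is truncated in the report.
DEX2OAT_CMDLINE = (
    "/system/bin/dex2oat --instruction-set=x86 "
    "--instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt "
    "--runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate "
    "--boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m "
    "--instruction-set-variant=x86 --instruction-set-features=default "
    "--inline-max-code-units=0 --compact-dex-level=none "
    "--dex-file=/data/user/0/com.ddy.qmgslm.mi/cache/mubiao/SDK1830_dex.jar "
    "--output-vdex-fd=78 --oat-fd=81 "
    "--oat-location=/data/user/0/com.ddy.qmgslm.mi/cache/mubiao/oat/x86/SDK1830_dex.odex "
    "--compiler-filter=quicken"
)

# Locations from which package-manager-installed code is normally compiled.
# Anything else handed to dex2oat is code the app obtained at run time.
INSTALLED_CODE_PREFIXES = ("/system/", "/vendor/", "/product/", "/apex/", "/data/app/")


def parse_dex2oat(cmdline: str) -> dict:
    """Collect the --key=value flags of a dex2oat command line (last one wins)."""
    flags = {}
    for tok in shlex.split(cmdline):
        if tok.startswith("--") and "=" in tok:
            key, _, value = tok[2:].partition("=")
            flags[key] = value
    return flags


def is_runtime_loaded_code(flags: dict, package: str) -> bool:
    """True when dex2oat compiles a DEX from the app's own private storage."""
    dex = flags.get("dex-file", "")
    if dex.startswith(INSTALLED_CODE_PREFIXES):
        return False
    private_dirs = (f"/data/user/0/{package}/", f"/data/data/{package}/")
    return dex.startswith(private_dirs)


def classify_payload(blob: bytes) -> str:
    """Identify a dropped file by content: raw DEX, APK, DEX-in-jar, plain zip."""
    if blob[:4] == b"dex\n":            # DEX header magic is "dex\n" + version
        return "dex"
    if blob[:2] == b"PK":
        try:
            names = zipfile.ZipFile(io.BytesIO(blob)).namelist()
        except zipfile.BadZipFile:
            return "corrupt-zip"
        if "AndroidManifest.xml" in names and "classes.dex" in names:
            return "apk"
        if any(n.startswith("classes") and n.endswith(".dex") for n in names):
            return "dex-jar"
        return "zip"
    return "other"


def make_zip(*names: str) -> bytes:
    """Constructed in-memory zip used only to exercise classify_payload."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for n in names:
            z.writestr(n, b"\x00")
    return buf.getvalue()


if __name__ == "__main__":
    flags = parse_dex2oat(DEX2OAT_CMDLINE)
    print("dex-file:       ", flags["dex-file"])
    print("compiler-filter:", flags["compiler-filter"])
    print("runtime-loaded: ", is_runtime_loaded_code(flags, "com.ddy.qmgslm.mi"))
    print(classify_payload(make_zip("classes.dex")))
```

The oat-location here sits under cache/mubiao/oat/, so the compiled output also lands in app-private storage; on a real device the dropped jar and its odex are what to pull for static analysis, and the hash list in the Files section shows that the jar changed content more than once during the run.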

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 sdkconfig.ad.xiaomi.com udp
NL 20.33.39.104:443 sdkconfig.ad.xiaomi.com tcp
NL 20.33.39.104:443 sdkconfig.ad.xiaomi.com tcp
US 1.1.1.1:53 zeus.ad.xiaomi.com udp
NL 20.47.97.231:443 zeus.ad.xiaomi.com tcp
US 1.1.1.1:53 file.market.xiaomi.com udp
GB 23.56.238.88:80 file.market.xiaomi.com tcp
GB 23.56.238.88:443 file.market.xiaomi.com tcp
US 1.1.1.1:53 f1.market.xiaomi.com udp
US 1.1.1.1:53 f5.market.xiaomi.com udp
US 152.199.21.175:443 f5.market.xiaomi.com tcp
US 152.199.21.175:443 f5.market.xiaomi.com tcp
CN 47.105.111.65:80 tcp
US 1.1.1.1:53 sdkconfig.xiaomi.com udp
US 1.1.1.1:53 sdkconfig.intl.xiaomi.com udp
NL 20.33.39.104:443 sdkconfig.intl.xiaomi.com tcp
NL 20.33.39.105:443 sdkconfig.intl.xiaomi.com tcp
GB 142.250.200.46:443 tcp
GB 142.250.200.46:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.204.78:443 android.apis.google.com tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
GB 142.250.187.196:80 tcp
GB 142.250.178.4:443 tcp
GB 142.250.187.195:80 tcp
GB 142.250.187.234:443 semanticlocation-pa.googleapis.com tcp
GB 142.250.187.234:443 semanticlocation-pa.googleapis.com tcp
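Most of the rows above are sandbox and platform background (the 1.1.1.1 resolver, mDNS on 224.0.0.251, Google endpoints), so the first pass is to split resolver queries, connections the sandbox could attribute to a domain, and connections with no domain attached. The Python below is an added example, not part of the report tooling: its input is an excerpt of the table above, and the noise suffix list is an assumption about what this sandbox image produces on its own.

```python
import ipaddress
from collections import defaultdict

# Excerpt of the behavioral1 Network table above (this report's own rows):
# country, ip:port, optional domain, protocol.
NETWORK_ROWS = """\
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 sdkconfig.ad.xiaomi.com udp
NL 20.33.39.104:443 sdkconfig.ad.xiaomi.com tcp
NL 20.33.39.104:443 sdkconfig.ad.xiaomi.com tcp
US 1.1.1.1:53 zeus.ad.xiaomi.com udp
NL 20.47.97.231:443 zeus.ad.xiaomi.com tcp
GB 23.56.238.88:80 file.market.xiaomi.com tcp
CN 47.105.111.65:80 tcp
GB 142.250.200.46:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.204.78:443 android.apis.google.com tcp
"""

# Assumption about this sandbox image: these domains are Android platform
# background traffic rather than something the sample chose to contact.
NOISE_DOMAIN_SUFFIXES = (".google.com", ".googleapis.com",
                         ".youtube.com", ".google-analytics.com")


def parse_rows(text):
    """Turn the space-separated report rows into dicts."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        ip, _, port = parts[1].rpartition(":")
        rows.append({
            "country": parts[0],
            "ip": ip,
            "port": int(port),
            "domain": parts[2] if len(parts) == 4 else None,
            "proto": parts[-1],
        })
    return rows


def summarize(rows):
    """Split rows into resolver queries, attributed connections and bare IPs."""
    queried = set()               # names the sample asked the resolver for
    contacts = defaultdict(set)   # domain -> {(ip, port, proto)}
    bare = set()                  # (ip, port, proto, country) with no domain attached
    for r in rows:
        if r["port"] == 53 and r["proto"] == "udp":
            if r["domain"]:
                queried.add(r["domain"])
            continue                      # the resolver itself is not an indicator
        ip = ipaddress.ip_address(r["ip"])
        if ip.is_multicast or ip.is_private or ip.is_loopback:
            continue                      # mDNS and emulator-local chatter
        if r["domain"]:
            contacts[r["domain"]].add((r["ip"], r["port"], r["proto"]))
        else:
            bare.add((r["ip"], r["port"], r["proto"], r["country"]))
    return queried, dict(contacts), bare


def candidate_iocs(rows):
    """Indicators worth enriching, with platform noise filtered out."""
    queried, contacts, bare = summarize(rows)
    domains = sorted(d for d in queried | set(contacts)
                     if not d.endswith(NOISE_DOMAIN_SUFFIXES))
    cleartext = sorted(
        [f"{d}:{port}/{proto}" for d, eps in contacts.items()
         for _, port, proto in eps if port == 80]
        + [f"{ip}:{port}/{proto}" for ip, port, proto, _ in bare if port == 80])
    return {
        "domains": domains,
        "unattributed": sorted(f"{ip}:{port}/{proto} ({cc})" for ip, port, proto, cc in bare),
        "cleartext": cleartext,
    }


if __name__ == "__main__":
    for key, values in candidate_iocs(parse_rows(NETWORK_ROWS)).items():
        print(key)
        for v in values:
            print("  ", v)
```

The connection to 47.105.111.65:80 is the one to chase: cleartext, to a CN address, with no domain the sandbox could attach to it, so it needs passive DNS and WHOIS enrichment before it is treated as an indicator. The other bare addresses (142.250.x.x, 216.58.x.x) fall in Google-operated ranges and go with the android.apis.google.com and semanticlocation-pa.googleapis.com rows; confirm that with WHOIS rather than by eye. The xiaomi.com ad and market hosts are consistent with the mimo ad SDK plugin that the other three detonations run as com.miui.ad.mimo.plugin.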

Files

/data/data/com.ddy.qmgslm.mi/app_mimo/mimo_asset.apk

MD5 bf0be21e40885f5f682349db415ba2f8
SHA1 823bcad773983ab798565f7b64b95783dce14d80
SHA256 aca4c8f0522c09a77bcc790b10c772611525456cc88da97b0240ffdfe1c4a2eb
SHA512 3c837718ddcc19885e00d54f9b7c336d83406571affdf64411e85a1ca317d67399e1cd56c5472a725568897dcd45bc5d94b87747be72b15e37e565034544be81

/data/user/0/com.ddy.qmgslm.mi/app_mimo/mimo_asset.apk

MD5 5a15af670a78139158914e6c23a74dab
SHA1 86ebd3ce9d7b325aaf25daa601b79ef10bdc0ac4
SHA256 454d49ed08121de604effae547020357ca79798a558451b688481aea9c7383b2
SHA512 b8b6e18f68edeb80ddc14ccdac1ecc8e0523083f55da52da4baf86a75d255cab1b47e25265e5e5668c9ba583a18feddffcd41db1dc2fe0945e2c1b723421ce1d

/data/data/com.ddy.qmgslm.mi/cache/top.zip

MD5 7c2b7bb3a3882c90db54a2401542c506
SHA1 b1b5828d2394d2af926726df72e252d7017f5425
SHA256 2210f072d4a1af9f74e16e30dd7f03c98b011380aa43c335fd2f9c6904b28d28
SHA512 398ff41cd84f267aa82ecde1c32f3b5afa5d7c68a458783f7f4670400ed513f074a96247030f7ac5fcbda17d87aa5afc77c6584a0c2cc92300f3953f35a692ab

/data/data/com.ddy.qmgslm.mi/cache/mubiao/SDK1830_dex.jar

MD5 8150db917306f1642f2294889378ca00
SHA1 5d8ff47ef804ad22522211fffb6fa03ceb8c9a1f
SHA256 7664b5d6ef65c86d3551db06ceea123c8d98a70072f17889980c72150aedc29a
SHA512 c517294004cf525f39095b233fefb9f918f80e9a5b50b71fd0e49d7a9e26cc81d1d068c50fdc937d206da4b15898d0575f923c014ad740d3a3de72250d4ed1d4

/data/data/com.ddy.qmgslm.mi/cache/mubiao/bjddy.txt

MD5 5b2bade469748e3374cfae55ff888421
SHA1 efceacb62c4ba6627c6ee0c38d17889b6349a071
SHA256 445cd83b75ce6553a38547d6cab9bd8c88ce62fb2646ad2100e02f84b95ae04d
SHA512 b99635e86930e7c7110650b94fdeadc3942404eb2a862406cee0c7484842aa1fbf330b298b9979dcb5de49330840be716b01e47506b6a39489a2032aafa32730

/data/data/com.ddy.qmgslm.mi/app_mimo/mimo_download.apk.tmp

MD5 3e86b24cfe8ea3644e3a6bb2f3bc75a1
SHA1 7881136fb412166d04ad5b6c4fdb9550a66fd99f
SHA256 1b01837a2b9004309bff95248adc60d39ffdadc90e52ebf645b2c5ce76f28bc7
SHA512 40ec714867b4a3e0aaa920abb648f331ce43e8bef442e782eff5ebaacb1052785e681c23b85f6ec50bc4e57e5b9924e61ca4fd72589f810ce8c670b5094b612b

/data/data/com.ddy.qmgslm.mi/app_analytics/analytics.apk.tmp

MD5 dada334a335ffebdb3ffb5905ec57e0c
SHA1 bebd385b1356a1f5c840f41a516c866768c9b1a7
SHA256 df954f00ca2e742573b431e1128ce725bad3f37073c4ec7c7916a522324058ff
SHA512 5f60e27cf4cda6a5f5240bb241b4300655a92d3f4f00930749b28906fb16dd665f94a59656ce175044f185fc6987e5a5d26a748e50b8fc532eaa61094dd87630

/data/user/0/com.ddy.qmgslm.mi/cache/mubiao/SDK1830_dex.jar

MD5 ef9e4942e81823a2a92ac17071ceb65e
SHA1 6e0cebc64c4ea4813e6f04aa8849f2e14b0ff114
SHA256 ff4d13f723f2ef6ca8e9497f506b381b6362a89f97f64bc077d26d7e22a39409
SHA512 a0b41ff9c51d58d8ace96b2cf1a58271a15d7ee5af0efe1d4da50316c4052611bad971dabe01ad2ee4f6f3ffc97e4ff9b1af28dddbb441da97bc76dd648c56a6

/data/user/0/com.ddy.qmgslm.mi/cache/mubiao/SDK1830_dex.jar

MD5 b1b860e2b03355f4ede444dfb9594e70
SHA1 ed9b15a431794f113675a93120db51242d0c2bbb
SHA256 52a4989788ad665c4b3b2c54605e73d7a992da2a6b7cb24078cac6d17a90d87e
SHA512 7846ce890f36e3368921f5463fdd38954e195d3af4f5afdd89be69a5c0511aa0a4616e67bcb6b8b9e9500ec440021bf76598334aaa775027d423937382fd531b

/data/user/0/com.ddy.qmgslm.mi/app_analytics/analytics.apk

MD5 d55f8223492e988bb77d7ae79a0694b0
SHA1 11ff0b520dc646ed002796df812e754099c7930b
SHA256 7e99efd9066858db3c0b7679dddcea79784afe107412ef5e5bee9377b478f52d
SHA512 f3f2e6a7df827f2f4a51161476c319ed9c040f58df0119bcf725640a41d6ac6e969ea86fc683a60ea8acf6d9c12ad2ba904c5d6541146d87e856095b1632aed7

/data/data/com.ddy.qmgslm.mi/files/suryua_d/suryua_f.zip

MD5 43512117ab2deaee3f0c7acc3cca56c7
SHA1 fb5abfec28be51d96839c035e99b5176d0dbb811
SHA256 a3c20c4fd85fdbe39be7f0fbc05c85a33f976cf8f4789dca8b34b96f7678196a
SHA512 9813180b502bcd3a2b5cca952acb213895c8c8b902bc8b81912f145ad1233fce366f99908f7cce5e1159260209e81590ff380124190347fcbed77f1d48bd3c1e
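On Android /data/data/<pkg> is a symlink to /data/user/0/<pkg>, so the Files list above shows some files under two names, and several of them with a different hash each time, which is what a file being written, then rewritten or renamed from a .tmp during the run looks like. The Python below is an added example, not the sandbox's code: it normalises the paths and groups the SHA256 values per logical file so that the versions are visible at a glance. Treating a .tmp name as the staging copy of the final file is this example's assumption.

```python
from collections import defaultdict

PACKAGE = "com.ddy.qmgslm.mi"

# (path, SHA256) pairs taken from the Files section above.
FILE_ENTRIES = [
    ("/data/data/com.ddy.qmgslm.mi/app_mimo/mimo_asset.apk",
     "aca4c8f0522c09a77bcc790b10c772611525456cc88da97b0240ffdfe1c4a2eb"),
    ("/data/user/0/com.ddy.qmgslm.mi/app_mimo/mimo_asset.apk",
     "454d49ed08121de604effae547020357ca79798a558451b688481aea9c7383b2"),
    ("/data/data/com.ddy.qmgslm.mi/cache/top.zip",
     "2210f072d4a1af9f74e16e30dd7f03c98b011380aa43c335fd2f9c6904b28d28"),
    ("/data/data/com.ddy.qmgslm.mi/cache/mubiao/SDK1830_dex.jar",
     "7664b5d6ef65c86d3551db06ceea123c8d98a70072f17889980c72150aedc29a"),
    ("/data/data/com.ddy.qmgslm.mi/cache/mubiao/bjddy.txt",
     "445cd83b75ce6553a38547d6cab9bd8c88ce62fb2646ad2100e02f84b95ae04d"),
    ("/data/data/com.ddy.qmgslm.mi/app_mimo/mimo_download.apk.tmp",
     "1b01837a2b9004309bff95248adc60d39ffdadc90e52ebf645b2c5ce76f28bc7"),
    ("/data/data/com.ddy.qmgslm.mi/app_analytics/analytics.apk.tmp",
     "df954f00ca2e742573b431e1128ce725bad3f37073c4ec7c7916a522324058ff"),
    ("/data/user/0/com.ddy.qmgslm.mi/cache/mubiao/SDK1830_dex.jar",
     "ff4d13f723f2ef6ca8e9497f506b381b6362a89f97f64bc077d26d7e22a39409"),
    ("/data/user/0/com.ddy.qmgslm.mi/cache/mubiao/SDK1830_dex.jar",
     "52a4989788ad665c4b3b2c54605e73d7a992da2a6b7cb24078cac6d17a90d87e"),
    ("/data/user/0/com.ddy.qmgslm.mi/app_analytics/analytics.apk",
     "7e99efd9066858db3c0b7679dddcea79784afe107412ef5e5bee9377b478f52d"),
    ("/data/data/com.ddy.qmgslm.mi/files/suryua_d/suryua_f.zip",
     "a3c20c4fd85fdbe39be7f0fbc05c85a33f976cf8f4789dca8b34b96f7678196a"),
]


def canonical_path(path: str, package: str) -> str:
    """Fold the /data/data and /data/user/0 views together; drop .tmp staging suffixes."""
    path = path.replace(f"/data/data/{package}/", f"/data/user/0/{package}/", 1)
    if path.endswith(".tmp"):   # assumption: foo.apk.tmp is the staging copy of foo.apk
        path = path[:-4]
    return path


def group_versions(entries, package):
    """logical path -> [(sha256, path as reported)], in report order."""
    versions = defaultdict(list)
    for raw_path, sha256 in entries:
        versions[canonical_path(raw_path, package)].append((sha256, raw_path))
    return dict(versions)


def rewritten_files(versions):
    """Logical files observed with more than one distinct content hash."""
    out = {}
    for path, seen in versions.items():
        hashes = sorted({sha for sha, _ in seen})
        if len(hashes) > 1:
            out[path] = hashes
    return out


def staged_only(versions):
    """Files that only ever appeared under a .tmp name (write never finalised)."""
    return sorted(path for path, seen in versions.items()
                  if all(raw.endswith(".tmp") for _, raw in seen))


if __name__ == "__main__":
    versions = group_versions(FILE_ENTRIES, PACKAGE)
    for path, hashes in rewritten_files(versions).items():
        print(f"{path}: {len(hashes)} versions")
        for h in hashes:
            print("   ", h)
    print("staged only:", staged_only(versions))
```

Three distinct SDK1830_dex.jar hashes at one path match the two "Loads dropped Dex/Jar" entries and the dex2oat compile of that file: the jar was replaced while the app ran, so any one hash is a weak indicator on its own and all three should be kept. mimo_download.apk.tmp never appears without the .tmp suffix, so that download did not finish inside the 157 s network window.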

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-02 05:48

Reported

2024-11-02 05:51

Platform

android-x86-arm-20240910-en

Max time kernel

6s

Max time network

153s

Command Line

com.miui.ad.mimo.plugin

Signatures

N/A

Processes

com.miui.ad.mimo.plugin

Network

Country Destination Domain Proto
GB 142.250.187.206:443 tcp
GB 142.250.187.206:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.206:443 android.apis.google.com tcp
GB 172.217.16.234:443 tcp
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.204.78:443 android.apis.google.com tcp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-02 05:48

Reported

2024-11-02 05:51

Platform

android-x64-20240624-en

Max time kernel

7s

Max time network

155s

Command Line

com.miui.ad.mimo.plugin

Signatures

N/A

Processes

com.miui.ad.mimo.plugin

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.187.232:443 ssl.google-analytics.com tcp
GB 142.250.179.238:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.200.46:443 android.apis.google.com tcp
GB 142.250.200.36:443 tcp
GB 142.250.200.36:443 tcp
GB 172.217.16.238:443 tcp
GB 216.58.204.66:443 tcp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-11-02 05:48

Reported

2024-11-02 05:51

Platform

android-x64-arm64-20240910-en

Max time kernel

6s

Max time network

153s

Command Line

com.miui.ad.mimo.plugin

Signatures

N/A

Processes

com.miui.ad.mimo.plugin

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 142.250.200.46:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.204.78:443 android.apis.google.com tcp
GB 216.58.204.78:443 android.apis.google.com tcp
US 1.1.1.1:53 www.youtube.com udp
GB 142.250.187.238:443 www.youtube.com tcp
US 216.239.36.223:443 tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.187.232:443 ssl.google-analytics.com tcp
US 216.239.36.223:443 tcp
GB 142.250.187.225:443 tcp
US 216.239.36.223:443 tcp
GB 142.250.200.1:443 tcp

Files

N/A