Malware Analysis Report

2025-06-15 22:31

Sample ID 241102-mtrpws1pas
Target 85101d383ba142e9b6fde15e8b4c6593_JaffaCakes118
SHA256 552a6d3dc1b6c2b5edcdd1252e5bd5993c5e6e73e435a4ab791d04de7f7601d4
Tags
banker collection discovery evasion impact persistence
score
7/10

Analysis Overview

score
7/10

SHA256

552a6d3dc1b6c2b5edcdd1252e5bd5993c5e6e73e435a4ab791d04de7f7601d4

Threat Level: Shows suspicious behavior

The file 85101d383ba142e9b6fde15e8b4c6593_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

banker collection discovery evasion impact persistence

Loads dropped Dex/Jar

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Reads the content of SMS inbox messages.

Reads the content of the SMS messages.

Reads information about phone network operator.

Queries information about the current Wi-Fi connection

Requests dangerous framework permissions

Queries information about active data network

Queries the mobile country code (MCC)

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

Checks memory information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-02 10:45

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A
Allows an application to receive WAP push messages. android.permission.RECEIVE_WAP_PUSH N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-02 10:45

Reported

2024-11-02 10:48

Platform

android-x86-arm-20240624-en

Max time kernel

15s

Max time network

127s

Command Line

com.xmxxxwev.game

Signatures

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.xmxxxwev.game/files/bewq/VTcJhWmfUI6zvrYHQ0kO63_GpIHWtI2t/abeeVY-sxrT_5Jvt/DzYuRXREEQpbBBIP.zip N/A N/A
N/A /data/user/0/com.xmxxxwev.game/app_zhifulibs/zhifu.zip N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Reads the content of SMS inbox messages.

collection
Description Indicator Process Target
URI accessed for read content://sms/inbox N/A N/A

Reads the content of the SMS messages.

collection
Description Indicator Process Target
URI accessed for read content://sms/ N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Reads information about phone network operator.

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.xmxxxwev.game

/system/bin/dex2oat --debuggable --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --debuggable --generate-mini-debug-info --dex-file=/data/user/0/com.xmxxxwev.game/app_zhifulibs/zhifu.zip --output-vdex-fd=57 --oat-fd=62 --oat-location=/data/user/0/com.xmxxxwev.game/app_zhifulibs/oat/x86/zhifu.odex --compiler-filter=quicken --class-loader-context=&

Network

Country Destination Domain Proto
CN 120.25.132.133:80 tcp
US 1.1.1.1:53 1npay.cn udp
HK 38.181.176.187:80 1npay.cn tcp
GB 216.58.201.110:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.212.238:443 android.apis.google.com tcp

Files

/data/data/com.xmxxxwev.game/databases/lepeng.db-journal

/data/data/com.xmxxxwev.game/databases/lepeng.db

/data/data/com.xmxxxwev.game/databases/lepeng.db-shm

/data/data/com.xmxxxwev.game/databases/lepeng.db-wal

/data/data/com.xmxxxwev.game/files/bewq/TzxVa9cImSXWY3-DX1e7lhQh2-o=

/data/data/com.xmxxxwev.game/files/bewq/zImbgVVxT9gLotLoQo92Uf2GrgA=

/data/data/com.xmxxxwev.game/files/bewq/TzxVa9cImSXWY3-DX1e7lhQh2-o=

/data/data/com.xmxxxwev.game/files/bewq/Gj9FCFCVDMZEpfFyXo2emNlosUY=/data.dat.tmp

/data/data/com.xmxxxwev.game/app_zhifulibs/libunicompurcore.so

/data/data/com.xmxxxwev.game/app_zhifulibs/zhifu.zip

/data/data/com.xmxxxwev.game/files/bewq/DsWAH7HH4-WM6CZkSa5RgXCG2Nc=/e77DEMA7B7Csg5vqZqZvHg==

/data/data/com.xmxxxwev.game/files/bewq/DsWAH7HH4-WM6CZkSa5RgXCG2Nc=/F4QcGqYUmtjt7nid8zzSqX68EgU=

/data/data/com.xmxxxwev.game/files/bewq/DsWAH7HH4-WM6CZkSa5RgXCG2Nc=/Q6SoI48vGt6E7NJX.zip

/data/data/com.xmxxxwev.game/databases/qy_db_pay-journal

/data/data/com.xmxxxwev.game/databases/qy_db_pay-shm

/data/data/com.xmxxxwev.game/databases/qy_db_pay-wal

/data/user/0/com.xmxxxwev.game/files/bewq/VTcJhWmfUI6zvrYHQ0kO63_GpIHWtI2t/abeeVY-sxrT_5Jvt/DzYuRXREEQpbBBIP.zip

/data/user/0/com.xmxxxwev.game/app_zhifulibs/zhifu.zip

/data/data/com.xmxxxwev.game/files/bewq/VTcJhWmfUI6zvrYHQ0kO63_GpIHWtI2t/abeeVY-sxrT_5Jvt/lib/libtt.so

/data/data/com.xmxxxwev.game/files/__local_except_cache.json

/storage/emulated/0/baidu/.cuid
