Malware Analysis Report

2025-05-06 01:30

Sample ID: 241103-1e1wxaxpcp
Target: 8d9c78499d2277796005b0cf6f392f42_JaffaCakes118
SHA256: 2e38f52d536045ae46c828eb2f54e9289237de71d5243952afde4959b4ea5984
Tags: collection, evasion, persistence
Score: 8/10

Analysis Overview

Threat Level: Likely malicious

The file 8d9c78499d2277796005b0cf6f392f42_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

Tags: collection, evasion, persistence

Checks if the Android device is rooted.

Checks Android system properties for emulator presence.

Queries account information for other applications stored on the device

Loads dropped Dex/Jar

Requests dangerous framework permissions

Acquires the wake lock

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks memory information

Analysis: static1

Detonation Overview

Reported: 2024-11-03 21:34

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to write the user's contacts data. | android.permission.WRITE_CONTACTS | N/A | N/A
Allows an application to write and read the user's call log data. | android.permission.WRITE_CALL_LOG | N/A | N/A
Allows an application to write the user's calendar data. | android.permission.WRITE_CALENDAR | N/A | N/A
Allows an application to use SIP service. | android.permission.USE_SIP | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A
Allows an application to receive WAP push messages. | android.permission.RECEIVE_WAP_PUSH | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to monitor incoming MMS messages. | android.permission.RECEIVE_MMS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to read the user's call log. | android.permission.READ_CALL_LOG | N/A | N/A
Allows an application to read the user's calendar data. | android.permission.READ_CALENDAR | N/A | N/A
Allows an application to see the number being dialed during an outgoing call with the option to redirect the call to a different number or abort the call altogether. | android.permission.PROCESS_OUTGOING_CALLS | N/A | N/A
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to access data from sensors that the user uses to measure what is happening inside their body, such as heart rate. | android.permission.BODY_SENSORS | N/A | N/A
Allows an application to add voicemails into the system. | com.android.voicemail.permission.ADD_VOICEMAIL | N/A | N/A
Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-03 21:34
Reported: 2024-11-03 21:37
Platform: android-x86-arm-20240624-en
Max time kernel: 47s
Max time network: 132s

Command Line

com.lexa.fakegps

Signatures

Checks if the Android device is rooted.

Category: evasion
Description | Indicator | Process | Target
N/A | /sbin/su | N/A | N/A
N/A | /system/bin/su | N/A | N/A
N/A | /system/xbin/su | N/A | N/A

Checks Android system properties for emulator presence.

Category: evasion
Description | Indicator | Process | Target
Accessed system property key: ro.product.device | N/A | N/A
Accessed system property key: ro.product.model | N/A | N/A

Queries account information for other applications stored on the device

Category: collection
Description | Indicator | Process | Target
Framework service call | android.accounts.IAccountManager.getAccounts | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

Category: persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.lexa.fakegps

/system/bin/sh

stat /sbin/su

stat /system/sbin/su

stat /system/bin/su

stat /system/xbin/su

stat /odm/bin/su

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | www.google.com | udp
GB | 216.58.212.196:80 | www.google.com | tcp
US | 1.1.1.1:53 | modam3r.linkpc.net | udp
US | 1.1.1.1:53 | modam3r.linkpc.net | udp
US | 1.1.1.1:53 | modam3r.linkpc.net | udp
GB | 142.250.187.206:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.200.14:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | modam3r.linkpc.net | udp
SG | 139.99.66.103:5553 | modam3r.linkpc.net | tcp

Files

/data/data/com.lexa.fakegps/files/DATA_Preferences

/data/data/com.lexa.fakegps/databases/fakegps-journal

/data/data/com.lexa.fakegps/databases/fakegps

/data/data/com.lexa.fakegps/databases/fakegps-shm

/data/data/com.lexa.fakegps/databases/fakegps-wal

/data/data/com.lexa.fakegps/files/DATA_Preferences

/data/data/com.lexa.fakegps/files/ID.txt

Analysis: behavioral2

Detonation Overview

Submitted: 2024-11-03 21:34
Reported: 2024-11-03 21:37
Platform: android-x64-20240624-en
Max time kernel: 4s
Max time network: 136s

Command Line

com.lexa.fakegps

Signatures

Checks Android system properties for emulator presence.

Category: evasion
Description | Indicator | Process | Target
Accessed system property key: ro.product.device | N/A | N/A

Loads dropped Dex/Jar

Category: evasion
Description | Indicator | Process | Target
N/A | /product/framework/com.google.android.maps.jar | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

Category: persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Processes

com.lexa.fakegps

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.187.232:443 | ssl.google-analytics.com | tcp
GB | 142.250.179.238:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.206:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | modam3r.linkpc.net | udp
SG | 139.99.66.103:5553 | modam3r.linkpc.net | tcp
GB | 142.250.200.36:443 | | tcp
GB | 142.250.200.36:443 | | tcp

Files

/product/framework/com.google.android.maps.jar

/data/data/com.lexa.fakegps/files/DATA_Preferences

/data/data/com.lexa.fakegps/databases/fakegps-journal

/data/data/com.lexa.fakegps/databases/fakegps

/data/data/com.lexa.fakegps/databases/fakegps-journal

/data/data/com.lexa.fakegps/databases/fakegps-journal

/data/data/com.lexa.fakegps/files/DATA_Preferences

Analysis: behavioral3

Detonation Overview

Submitted: 2024-11-03 21:34
Reported: 2024-11-03 21:37
Platform: android-x64-arm64-20240624-en
Max time kernel: 2s
Max time network: 134s

Command Line

com.lexa.fakegps

Signatures

N/A

Processes

com.lexa.fakegps

Network

Country | Destination | Domain | Proto
GB | 216.58.212.238:443 | | tcp
GB | 216.58.212.238:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.200.14:443 | android.apis.google.com | tcp
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.206:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 172.217.169.72:443 | ssl.google-analytics.com | tcp
GB | 142.250.187.228:443 | | tcp
GB | 142.250.187.228:443 | | tcp

Files

N/A