Malware Analysis Report

2025-05-28 18:45

Sample ID 241103-dygwtaterj
Target 8967b0c24602559c25ca6a402bf2977d_JaffaCakes118
SHA256 a884eb0221e989a8f7197e7b8feb6887735f16c1688f46b44060234a76405afd
Tags
banker collection discovery evasion impact persistence
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

a884eb0221e989a8f7197e7b8feb6887735f16c1688f46b44060234a76405afd

Threat Level: Shows suspicious behavior

The file 8967b0c24602559c25ca6a402bf2977d_JaffaCakes118 was classified as: Shows suspicious behavior. (The process name observed in the behavioral run is com.baidu.appsearch, the Baidu app store client.)

Malicious Activity Summary

banker collection discovery evasion impact persistence

Loads dropped Dex/Jar

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Queries information about running processes on the device

Queries information about the current nearby Wi-Fi networks

Reads the content of photos stored on the user's device.

Requests cell location

Queries information about active data network

Queries information about the current Wi-Fi connection

Requests dangerous framework permissions

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

Checks memory information

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Reported

2024-11-03 03:24

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows an application to read the user's call log. | android.permission.READ_CALL_LOG | N/A | N/A
Allows an application to write and read the user's call log data. | android.permission.WRITE_CALL_LOG | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to write the user's contacts data. | android.permission.WRITE_CONTACTS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to collect component usage statistics. | android.permission.PACKAGE_USAGE_STATS | N/A | N/A

Note: SEND_SMS is listed three times and READ_SMS twice, exactly as the sandbox reported them. SYSTEM_ALERT_WINDOW, WRITE_SETTINGS and PACKAGE_USAGE_STATS are not runtime ("dangerous") permissions but special app-op permissions that the user has to enable from a Settings screen; a request for the overlay permission together with the SMS, call-log and contacts permissions above is the permission pattern of an overlay banker, which is what the "banker" tag on this report reflects.
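The permission table above is the static part of the triage. As an added example (not the sandbox's code and not the analysed app's), the script below does the same classification over a decoded AndroidManifest.xml: it counts every declared permission (duplicates included, as in the table), splits them into runtime, special and other, and flags the overlay-plus-SMS combination. The manifest is constructed from the permissions listed in the report; INTERNET is an assumption added because the sample talks to the network, and the capability buckets are this example's heuristic, not the sandbox's scoring. A real APK's manifest is binary XML and has to be decoded first (apktool or androguard, not shown here).

```python
"""Permission triage of a decoded AndroidManifest.xml (added example)."""
import xml.etree.ElementTree as ET
from collections import Counter

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"

# Runtime ("dangerous") permissions: granted through a runtime prompt.
DANGEROUS = {
    "android.permission.READ_PHONE_STATE", "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.RECORD_AUDIO", "android.permission.SEND_SMS",
    "android.permission.ACCESS_COARSE_LOCATION", "android.permission.CAMERA",
    "android.permission.READ_CALL_LOG", "android.permission.WRITE_CALL_LOG",
    "android.permission.ACCESS_FINE_LOCATION", "android.permission.READ_CONTACTS",
    "android.permission.WRITE_CONTACTS", "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
}
# Special app-op permissions: no runtime prompt, the user enables them in Settings.
SPECIAL = {
    "android.permission.SYSTEM_ALERT_WINDOW", "android.permission.WRITE_SETTINGS",
    "android.permission.PACKAGE_USAGE_STATS",
}
# Capability buckets an overlay banker needs. This grouping is the example's own heuristic.
CAPABILITIES = {
    "sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
            "android.permission.SEND_SMS"},
    "overlay": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "foreground_app_tracking": {"android.permission.PACKAGE_USAGE_STATS"},
    "call_log": {"android.permission.READ_CALL_LOG", "android.permission.WRITE_CALL_LOG"},
    "contacts": {"android.permission.READ_CONTACTS", "android.permission.WRITE_CONTACTS"},
    "location": {"android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_COARSE_LOCATION"},
}


def declared_permissions(manifest_xml: str) -> Counter:
    """Count every <uses-permission>/<uses-permission-sdk-23> name, duplicates included."""
    root = ET.fromstring(manifest_xml)
    names = [el.get(NAME) for tag in ("uses-permission", "uses-permission-sdk-23")
             for el in root.iter(tag)]
    return Counter(n for n in names if n)


def triage(manifest_xml: str) -> dict:
    """Classify declared permissions and flag the overlay+SMS banker combination."""
    counts = declared_permissions(manifest_xml)
    present = set(counts)
    caps = {cap: sorted(present & needed) for cap, needed in CAPABILITIES.items()}
    have = {cap for cap, hits in caps.items() if hits}
    return {
        "dangerous": sorted(present & DANGEROUS),
        "special": sorted(present & SPECIAL),
        "other": sorted(present - DANGEROUS - SPECIAL),
        "duplicates": {n: c for n, c in counts.items() if c > 1},
        "capabilities": caps,
        # Overlay windows plus SMS access is the classic banker pattern:
        # draw a fake login over the real app, then read the OTP.
        "banker_profile": {"overlay", "sms"} <= have,
    }


# Constructed manifest: the permission names are those in the report (repeats kept);
# INTERNET is assumed, the report does not list it.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.baidu.appsearch">
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.WRITE_SETTINGS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.WRITE_CALL_LOG"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.WRITE_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.PACKAGE_USAGE_STATS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>
"""

if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_MANIFEST), indent=2))
```

Duplicate declarations are reported rather than silently merged because a manifest that declares the same permission several times usually comes from merged library manifests, which is itself worth knowing when you go looking for which component actually uses the permission.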

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-03 03:24

Reported

2024-11-03 03:27

Platform

android-x86-arm-20240624-en

Max time kernel

100s

Max time network

153s

Command Line

com.baidu.appsearch

Signatures

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.baidu.appsearch/app_push_lib/plugin-deploy.jar | N/A | N/A
N/A | /data/user/0/com.baidu.appsearch/app_push_lib/plugin-deploy.jar | N/A | N/A

The jar is loaded from the app's private data directory, not from the installed APK. The same path is the --dex-file of the dex2oat process listed under Processes, and it appears twice under Files with different hashes, so two distinct versions of the plugin were written to that path during the run.

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Queries information about the current nearby Wi-Fi networks

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getScanResults | N/A | N/A

Reads the content of photos stored on the user's device.

collection
Description | Indicator | Process | Target
URI accessed for read | content://media/external/images/media | N/A | N/A

Requests cell location

collection discovery evasion
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getCellLocation | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.baidu.appsearch

com.baidu.appsearch:bdservice_v1

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.baidu.appsearch/app_push_lib/plugin-deploy.jar --output-vdex-fd=48 --oat-fd=49 --oat-location=/data/user/0/com.baidu.appsearch/app_push_lib/oat/x86/plugin-deploy.odex --compiler-filter=quicken --class-loader-context=&
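The dex2oat line above is the ahead-of-time compilation of the dropped jar. As an added example (not part of the report), the parser below pulls the fields an analyst cares about out of such a command line: the dex being compiled, where the oat goes, the compiler filter, the class-loader context and the runtime args. The "dropped code" verdict is this example's own heuristic: a --dex-file under the app's private data directory (/data/user/<n>/<pkg>/ or /data/data/<pkg>/) was written by the app at run time rather than installed from an APK. The command line embedded below is the one from this report.

```python
"""Classify an ART dex2oat invocation (added example)."""
import re
import shlex

# App-private storage; anything compiled from here was written by the app itself.
PRIVATE_DATA = re.compile(r"^/data/(?:user/\d+|data)/(?P<pkg>[A-Za-z0-9_.]+)/")


def parse_dex2oat(cmdline: str) -> dict:
    """Extract the analyst-relevant flags from a dex2oat command line."""
    argv = shlex.split(cmdline)
    opts, runtime_args = {}, []
    i = 1
    while i < len(argv):
        tok = argv[i]
        if tok == "--runtime-arg":            # value is the following token
            runtime_args.append(argv[i + 1])
            i += 2
            continue
        if tok.startswith("--") and "=" in tok:
            key, val = tok[2:].split("=", 1)
            opts.setdefault(key, []).append(val)   # some flags repeat
        i += 1
    dex = opts.get("dex-file", [""])[0]
    m = PRIVATE_DATA.match(dex)
    return {
        "binary": argv[0],
        "dex_file": dex,
        "oat_location": opts.get("oat-location", [""])[0],
        "compiler_filter": opts.get("compiler-filter", [""])[0],
        "class_loader_context": opts.get("class-loader-context", [""])[0],
        "instruction_set_features": opts.get("instruction-set-features", []),
        "runtime_args": runtime_args,
        "package": m.group("pkg") if m else None,
        "dropped": m is not None,
    }


def describe(info: dict) -> str:
    """One-line analyst summary of a parsed invocation."""
    where = (f"app-private storage of {info['package']}" if info["dropped"]
             else "an installed/system location")
    ctx = info["class_loader_context"]
    # "&" is the value ART uses for an unknown class loader context, i.e. the
    # caller did not describe the loader chain the dex will run under.
    ctx_note = " (unknown class loader context, ART's '&' marker)" if ctx == "&" else ""
    return (f"{info['dex_file']} compiled from {where} with filter "
            f"{info['compiler_filter']!r}, context {ctx!r}{ctx_note}")


# The dex2oat line from this report's Processes section.
REPORT_CMDLINE = (
    "/system/bin/dex2oat --instruction-set=x86 "
    "--instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt "
    "--runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate "
    "--boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m "
    "--instruction-set-variant=x86 --instruction-set-features=default "
    "--inline-max-code-units=0 --compact-dex-level=none "
    "--dex-file=/data/user/0/com.baidu.appsearch/app_push_lib/plugin-deploy.jar "
    "--output-vdex-fd=48 --oat-fd=49 "
    "--oat-location=/data/user/0/com.baidu.appsearch/app_push_lib/oat/x86/plugin-deploy.odex "
    "--compiler-filter=quicken --class-loader-context=&"
)

if __name__ == "__main__":
    print(describe(parse_dex2oat(REPORT_CMDLINE)))
```

When hunting across many reports, the useful pivot is the pair (package, dex path) for every invocation where dropped is true; system and app-store dex compilations are noise.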

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | wap.baidu.com | udp
HK | 103.235.46.39:80 | wap.baidu.com | tcp
US | 1.1.1.1:53 | m.baidu.com | udp
HK | 103.235.46.92:80 | m.baidu.com | tcp
HK | 103.235.46.92:80 | m.baidu.com | tcp
US | 1.1.1.1:53 | wappass.bdimg.com | udp
US | 1.1.1.1:53 | loc.map.baidu.com | udp
HK | 180.76.11.136:80 | loc.map.baidu.com | tcp
HK | 103.235.46.92:80 | m.baidu.com | tcp
HK | 180.76.11.136:80 | loc.map.baidu.com | tcp
CN | 180.97.198.36:80 | wappass.bdimg.com | tcp
HK | 103.235.46.92:80 | m.baidu.com | tcp
HK | 103.235.46.92:80 | m.baidu.com | tcp
HK | 103.235.46.92:80 | m.baidu.com | tcp
GB | 142.250.200.46:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.238:443 | android.apis.google.com | tcp
CN | 171.107.86.36:80 | wappass.bdimg.com | tcp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
US | 1.1.1.1:53 | m.baidu.com | udp
US | 1.1.1.1:53 | wappass.bdimg.com | udp
HK | 180.76.11.136:80 | loc.map.baidu.com | tcp
HK | 180.76.11.136:80 | loc.map.baidu.com | tcp
CN | 113.219.142.36:80 | wappass.bdimg.com | tcp
US | 1.1.1.1:53 | m.baidu.com | udp
HK | 103.235.46.92:80 | m.baidu.com | tcp
HK | 103.235.46.92:80 | m.baidu.com | tcp
HK | 103.235.46.92:80 | m.baidu.com | tcp
HK | 103.235.46.92:80 | m.baidu.com | tcp
CN | 111.170.25.36:80 | wappass.bdimg.com | tcp
CN | 111.174.9.36:80 | wappass.bdimg.com | tcp
US | 1.1.1.1:53 | lc.ops.baidu.com | udp
CN | 153.3.237.195:80 | lc.ops.baidu.com | tcp
CN | 117.92.139.36:80 | wappass.bdimg.com | tcp

Reading the table: the 1.1.1.1:53 rows are the sandbox's DNS resolver lookups, not sample infrastructure, and 224.0.0.251:5353 is the mDNS multicast group. Every Baidu endpoint is contacted over plaintext HTTP on port 80, while the two Google destinations use TLS on 443. semanticlocation-pa.googleapis.com is resolved but never connected to, and 142.250.200.46:443 is the one connection with no preceding lookup recorded.
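A table like the one above is more useful once resolver chatter is separated from real connections and the connections are grouped by hostname. As an added example (not part of the report), the script below does that over the Network rows in their original space-separated form: it keeps DNS lookups apart, maps each hostname to the set of ip:port endpoints actually contacted, flags multicast and unresolved destinations, and tallies destination countries. The resolver address 1.1.1.1 is taken from the table itself; nothing else is assumed.

```python
"""IOC summary of a sandbox Network table (added example)."""
import ipaddress
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Flow:
    country: Optional[str]
    ip: str
    port: int
    domain: str      # empty when the sandbox recorded no hostname
    proto: str


def parse_rows(table: str) -> List[Flow]:
    """Parse 'Country Destination [Domain] Proto' rows; skips the header and blanks."""
    flows = []
    for line in table.strip().splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            (country, dest, proto), domain = parts, ""
        else:
            continue
        if ":" not in dest:          # header line
            continue
        ip, port = dest.rsplit(":", 1)
        flows.append(Flow(None if country == "N/A" else country, ip, int(port), domain, proto))
    return flows


def summarize(flows: List[Flow], resolver: str = "1.1.1.1") -> dict:
    """Split resolver lookups from connections and group the rest by hostname."""
    is_dns = lambda f: f.ip == resolver and f.port == 53 and f.proto == "udp"
    dns = {f.domain for f in flows if is_dns(f)}
    conns = [f for f in flows if not is_dns(f)]
    by_domain, multicast, unresolved = defaultdict(set), set(), set()
    countries = Counter()
    for f in conns:
        if ipaddress.ip_address(f.ip).is_multicast:
            multicast.add(f"{f.ip}:{f.port}/{f.proto}")
            continue
        countries[f.country] += 1
        if f.domain:
            by_domain[f.domain].add(f"{f.ip}:{f.port}")
        else:
            unresolved.add(f"{f.ip}:{f.port}")
    return {
        "dns_lookups": sorted(dns),
        "dns_only": sorted(dns - set(by_domain)),     # resolved, never contacted
        "by_domain": {d: sorted(v) for d, v in sorted(by_domain.items())},
        "plaintext_http": sorted({f.domain for f in conns if f.port == 80 and f.domain}),
        "multicast": sorted(multicast),
        "unresolved": sorted(unresolved),
        "countries": countries,
    }


# The report's Network table, pasted as printed.
NETWORK_TABLE = """Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 wap.baidu.com udp
HK 103.235.46.39:80 wap.baidu.com tcp
US 1.1.1.1:53 m.baidu.com udp
HK 103.235.46.92:80 m.baidu.com tcp
HK 103.235.46.92:80 m.baidu.com tcp
US 1.1.1.1:53 wappass.bdimg.com udp
US 1.1.1.1:53 loc.map.baidu.com udp
HK 180.76.11.136:80 loc.map.baidu.com tcp
HK 103.235.46.92:80 m.baidu.com tcp
HK 180.76.11.136:80 loc.map.baidu.com tcp
CN 180.97.198.36:80 wappass.bdimg.com tcp
HK 103.235.46.92:80 m.baidu.com tcp
HK 103.235.46.92:80 m.baidu.com tcp
HK 103.235.46.92:80 m.baidu.com tcp
GB 142.250.200.46:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.238:443 android.apis.google.com tcp
CN 171.107.86.36:80 wappass.bdimg.com tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
US 1.1.1.1:53 m.baidu.com udp
US 1.1.1.1:53 wappass.bdimg.com udp
HK 180.76.11.136:80 loc.map.baidu.com tcp
HK 180.76.11.136:80 loc.map.baidu.com tcp
CN 113.219.142.36:80 wappass.bdimg.com tcp
US 1.1.1.1:53 m.baidu.com udp
HK 103.235.46.92:80 m.baidu.com tcp
HK 103.235.46.92:80 m.baidu.com tcp
HK 103.235.46.92:80 m.baidu.com tcp
HK 103.235.46.92:80 m.baidu.com tcp
CN 111.170.25.36:80 wappass.bdimg.com tcp
CN 111.174.9.36:80 wappass.bdimg.com tcp
US 1.1.1.1:53 lc.ops.baidu.com udp
CN 153.3.237.195:80 lc.ops.baidu.com tcp
CN 117.92.139.36:80 wappass.bdimg.com tcp
"""

if __name__ == "__main__":
    import json
    print(json.dumps(summarize(parse_rows(NETWORK_TABLE)), indent=2))
```

The by_domain map is what goes into a blocklist or a hunt query; hostnames are the stable pivot here, since wappass.bdimg.com alone resolved to six different port-80 addresses in one run.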

Files

/data/data/com.baidu.appsearch/databases/server_config.db-journal

MD5 af07b1bb96ccc3f13e35f5d890c4e0f5
SHA1 47b73ff23939eb53ddcaa84f63724f5aedf1f883
SHA256 b7e7dd712e33b45facaffbc0d1e08063a3c808b5cc1926b6fcb1b775092304f1
SHA512 31ea7548c76a8a5bcfe56c2970a2d424e5607427f8508c35c5a7f8c5ed268233c76057787f1991b8ccdeb775463ea5c51d2c3368cbf0b11806a49e042ef3c66a

/data/data/com.baidu.appsearch/databases/downloads.db-journal

MD5 e2860f4b54f9ab58081afe77d795a543
SHA1 12fe65740491042857c51b96f3ffd931c5f1d802
SHA256 8a74c004682d95fc744be4bff8ca71686a24a759fa22f6cfc76f8685618d4eca
SHA512 c14333d9933f0ae53abeac1e951d55a08c026f74852dfc64c233f4799caa40ae48c9458340d6670be12daaf3ccf03ca0646194ad57caae26afd4241392d0e592

/data/data/com.baidu.appsearch/databases/server_config.db

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.baidu.appsearch/databases/downloads.db

MD5 13d66dcaa4900bf1338c49d6c641ec22
SHA1 0b6e91a604767125ea16f16a8bb5c1a63ae88214
SHA256 c91a383f08cbe8a893063986842bb96aee00cd3d525e424385a79d445ed9be49
SHA512 3e9a1facc576ccbf8a55ee28d71e377fa4e9047c81361aea3ce1a7cfa3c1d75e5bd7ff7329f34787977acb1c91b406225d649a2ef1d88b0286b719a082877bf5

/data/data/com.baidu.appsearch/databases/server_config.db-shm

MD5 2f194e54548372de9c563133420f44ab
SHA1 08dfcf85b1d9e091bc0816ca0d250fb6cefaa4f0
SHA256 1c308675d4a32473b98a704063471009ca624f49e2f90c56b4460984288050fe
SHA512 63bde02b24ca3a3f6e908fed401f21612628a119ea82fa11c7a327c6e4ca6ba888cf0df18f6373ce13f786f67505691fddc2bef45132af0ec3d25a2af5336703

/data/data/com.baidu.appsearch/databases/server_config.db-wal

MD5 620d26032a28c561acb391d5dc482c26
SHA1 f96767965ffd37e376d33513b031dbddf6ebf7b0
SHA256 481475e8f4ae993769950f11acfa0869743efdc307cb5fba97119227c68c6837
SHA512 d9ea0d794c8d4971ae5375e10e569f8ecede318be85b278e6de5a7f4139ad9a470103a195ff2b844c310d648c0f5057dd0a03789888b101fd5dde3a9c7525106

/data/data/com.baidu.appsearch/databases/downloads.db-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.baidu.appsearch/databases/downloads.db-wal

MD5 a0128237b9cdf55dad207db2a6909925
SHA1 4c55b99ed8b3cad0c439e3b43a82b8e859bccac4
SHA256 5e98fa080ae68246ee4acaa731a4c9c6451781b23c4616c0edb95b2ea844a97c
SHA512 c989839bbf8dd7264b17923a4a3ecd6c3f06938b1cbd42d38084fa3ffbf7f785a6c240b6f67714241e904b3a8b61ae6ce7445dd898e03a87e13a4233750d0dd8

/data/data/com.baidu.appsearch/databases/bddownloads.db-journal

MD5 c3f63579503b3d8014bf2423c4638e8b
SHA1 185d031b26426dfdcd172a5028dca4821d7bfd44
SHA256 fde789df42b19fca094178dd298405152fd4f243f920903cd15c40eee4183a52
SHA512 67c47470a0f21d7db87a35c219c63eab6f20ba96eadfe7b1c827069907d9451b008435ad129042ad3b271367d8211aca2f8f72ca9ca1700ffc646431b7dccb19

/data/data/com.baidu.appsearch/databases/bddownloads.db-wal

MD5 f29b690fd95d30689c005b7274a14721
SHA1 7ab3f15cf5ce963d7acd358de6d1fbafbb727727
SHA256 6742d60be718444835884fe204e99265341e09b172b4f761af69e34175b15b0c
SHA512 e9599156a53212bc00ecf47beaa52d46bad4c13446f88a0e0573bda091998d3781c7f860802540e33af5098e1863073a74fd6862d8d1747d31f2e6b5d95d2307

/data/data/com.baidu.appsearch/databases/appsearch.db-journal

MD5 c018d2cdc6ee261a877e018c6e8db8bc
SHA1 363cbd30ff0e0d8238ff9161fee8c6ae423ffe6f
SHA256 6cdaa19074ae8870cc33b05d90053b17f288769a9d358fc7f96be9d20018c865
SHA512 832d70282acfb591b7d6264b07be652f50b7dda64e1e232eaa0ea7814ce79d6a7e3ffec46e985e7575a677a1ca722853be1769a990cf9601972da9843ad0de12

/data/data/com.baidu.appsearch/databases/appsearch.db

MD5 d6784443b8b2e1d8fea54c81fe5203ec
SHA1 fbcd72feb243159a7012e6c40caf10039067eb29
SHA256 e3c709ec5314f6bdbd9b346de6c3cb8a597f00cbfc6f36ac89676ec9a9e5c40f
SHA512 acb770dc42325cda620948d7dd032c71c94ca3807fba4ce9405ede4917dc32460b666bf880be144ab52605653d820f0906045c389871c6dd4140c36d8b2ddca0

/data/data/com.baidu.appsearch/databases/appsearch.db-wal

MD5 452197ffef3778aa29bfe148dae3724d
SHA1 1e8c1fe6664ca0b535945c17b1b080cc10fca195
SHA256 bf58e162353d33ee7ac070f7575757c69637702ca89d14fd6e9b9b429f4b45e3
SHA512 ee8211896742775810114add0f3b27381d68ff363cabcf10a495edbf577d5cccd3f5579200ae101cbd403f21fdcb1b092b01cb2b91f3a35260847e7a9c4b6657

/storage/emulated/0/baidu/.cuid

MD5 44188e8fe329a88e295aba6e1c350055
SHA1 53325ab0173780ee837443690500a1658ac46335
SHA256 c957a6296f672a91597ab595193d1fce3006cd457b401926e92f1ff0c24fe6c1
SHA512 822549330abedfb8ff1756674bce92d6c359503827ae1b8d0ab73ae404a50a83fd8275973c31d2dd5fd422d1cf5eee5eb7a4ab0cceb48224a98c5f823d807067

/storage/emulated/0/baidu/tempdata/ls.db-journal

MD5 9645a2d442b0a0a42da4138f4fc9a2b9
SHA1 1fa222717cd38c2a726203b4e897ab9cfd01e4a6
SHA256 9f7d847648ae5bdfc6bef6a4b4961eb554ccc78d4986be439838ce4bc15a09ee
SHA512 63b621a01ef0816d58bbd5e84dbbfdabf7d89fb4c70361a563cb0d04916bcc83d8223b4c49989a69e55e7683952e3aa86f0e21da1c8538749ecf658f1e31280b

/storage/emulated/0/baidu/tempdata/ls.db-wal

MD5 5c435ccb27cf00d68f2315992a6eb177
SHA1 517dfa672a05f38adca9c59336a848c88198a104
SHA256 d04eb9cc384e225dfdcbb66103cb63de181752b0bf998b9d2697972af9ebccf4
SHA512 b013868420c25f5bbe5d7e5d1cf270beb4ea4003a87ad97f1493830268226927c008e6a7e876f9f4fb2bf3ffa15d24e14864992f152183d003992012cbbbb2fe

/data/user/0/com.baidu.appsearch/app_push_lib/plugin-deploy.jar

MD5 bc54b34b069b698d60fe64012a61cb1a
SHA1 7cd06c33eb7dc91721609bf7d8e45dba8462772c
SHA256 23a5802902a515fbd38fa47d408e635f476c7bccd2c77eafe58b80f0e85ba7a0
SHA512 50c0168b149f0d0d1190a22b14beb041d0f84cefa97021616caa451a893302861757a902732461c4327bd3a7ec4659ea3628c7f0ad1c7e7ba7eadcdce12b79f4

/data/user/0/com.baidu.appsearch/app_push_lib/plugin-deploy.jar

MD5 6ce90c3fbf4ce3b10bf1b95cbc322e00
SHA1 dde49f2742bfb0846146a118af9806816bff8330
SHA256 46cabbfe0687c36c1fe3768a03b7e39b5cb489ccebf60a3371b8e17051347ae9
SHA512 b9216c2c24e699b3a4b1e1ed54be3eaf06d22bff260e4f5980a69f83e7a7b4cf90359b736c267df990bb539ac3a2c86617911aa626aee0165941e6a884769e09
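The Files list is flat, which hides its one interesting fact: plugin-deploy.jar is listed twice under the same path with different hashes, so the dropped jar existed in two versions during the run. As an added example (not part of the report), the script below parses this path-plus-hashes layout, groups entries by path, reports any path whose SHA256 changed, folds SQLite sidecars (-journal, -wal, -shm) under their database, and emits the SHA256 set for hunting. The embedded text is an abridged copy of the section above (MD5 and SHA256 lines only; the parser accepts all four hash labels).

```python
"""Group a sandbox Files section and spot dropped files that changed (added example)."""
import re
from collections import defaultdict
from typing import Dict, List

HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-f]+)$")
SIDECAR = re.compile(r"^(?P<db>.+\.db)-(?P<kind>journal|wal|shm)$")


def parse_files(text: str) -> List[Dict[str, str]]:
    """Each entry is a path line followed by one or more '<ALGO> <hex>' lines."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_LINE.match(line)
        if m and current is not None:
            current[m.group(1).lower()] = m.group(2)
        elif line.startswith("/"):
            current = {"path": line}
            entries.append(current)
    return entries


def analyse(entries: List[Dict[str, str]]) -> dict:
    by_path = defaultdict(list)
    for e in entries:
        by_path[e["path"]].append(e.get("sha256"))
    # Same path, more than one distinct hash: the file was (re)written during the run.
    rewritten = {p: hs for p, hs in by_path.items() if len(set(hs)) > 1}
    dbs = defaultdict(set)
    for p in by_path:
        m = SIDECAR.match(p)
        if m:
            dbs[m.group("db")].add(m.group("kind"))
        elif p.endswith(".db"):
            dbs[p]      # register a database that has no sidecars
    return {
        "rewritten": rewritten,
        "sqlite": {db: sorted(kinds) for db, kinds in dbs.items()},
        "sha256_iocs": sorted({h for hs in by_path.values() for h in hs if h}),
    }


# Abridged from the report's Files section (real hashes, SHA1/SHA512 lines omitted).
FILES_SECTION = """
/data/data/com.baidu.appsearch/databases/server_config.db-journal
MD5 af07b1bb96ccc3f13e35f5d890c4e0f5
SHA256 b7e7dd712e33b45facaffbc0d1e08063a3c808b5cc1926b6fcb1b775092304f1

/data/data/com.baidu.appsearch/databases/server_config.db
MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

/data/data/com.baidu.appsearch/databases/server_config.db-shm
MD5 2f194e54548372de9c563133420f44ab
SHA256 1c308675d4a32473b98a704063471009ca624f49e2f90c56b4460984288050fe

/data/data/com.baidu.appsearch/databases/server_config.db-wal
MD5 620d26032a28c561acb391d5dc482c26
SHA256 481475e8f4ae993769950f11acfa0869743efdc307cb5fba97119227c68c6837

/storage/emulated/0/baidu/.cuid
MD5 44188e8fe329a88e295aba6e1c350055
SHA256 c957a6296f672a91597ab595193d1fce3006cd457b401926e92f1ff0c24fe6c1

/data/user/0/com.baidu.appsearch/app_push_lib/plugin-deploy.jar
MD5 bc54b34b069b698d60fe64012a61cb1a
SHA256 23a5802902a515fbd38fa47d408e635f476c7bccd2c77eafe58b80f0e85ba7a0

/data/user/0/com.baidu.appsearch/app_push_lib/plugin-deploy.jar
MD5 6ce90c3fbf4ce3b10bf1b95cbc322e00
SHA256 46cabbfe0687c36c1fe3768a03b7e39b5cb489ccebf60a3371b8e17051347ae9
"""

if __name__ == "__main__":
    import json
    print(json.dumps(analyse(parse_files(FILES_SECTION)), indent=2))
```

Both plugin-deploy.jar hashes belong in the IOC set; the "rewritten" entry is the one to follow up on, by pulling both versions from the sandbox and diffing their dex contents.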