Malware Analysis Report

2025-05-28 18:45

Sample ID 241103-hcprraxkaz
Target 8a1763ffa07c7d4801c398d0ae31a512_JaffaCakes118
SHA256 b781810b7c7d71cfc8ec782b8e1d7820a3d96ce09ec66ee56459f832126b52fd
Tags
banker discovery evasion impact persistence collection credential_access
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

b781810b7c7d71cfc8ec782b8e1d7820a3d96ce09ec66ee56459f832126b52fd

Threat Level: Likely malicious

The file 8a1763ffa07c7d4801c398d0ae31a512_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

banker discovery evasion impact persistence collection credential_access

Checks if the Android device is rooted.

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Obtains sensitive information copied to the device clipboard

Queries information about running processes on the device

Queries the mobile country code (MCC)

Queries information about active data network

Queries the unique device ID (IMEI, MEID, IMSI)

Requests dangerous framework permissions

Queries information about the current Wi-Fi connection

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

Checks memory information

Checks CPU information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-03 06:35

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-03 06:35

Reported

2024-11-03 06:38

Platform

android-x86-arm-20240624-en

Max time kernel

19s

Max time network

131s

Command Line

book.gwapme.ikerzq

Signatures

Checks if the Android device is rooted.

evasion
Description Indicator Process Target
N/A /system/bin/su N/A N/A
N/A /system/xbin/su N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

book.gwapme.ikerzq

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 v1.gameapiv1.com udp
US 103.224.212.215:80 v1.gameapiv1.com tcp
US 103.224.212.215:80 v1.gameapiv1.com tcp
US 1.1.1.1:53 ads.wapx.cn udp
US 1.1.1.1:53 app.wapx.cn udp
US 1.1.1.1:53 v1.gameapiv1.info udp
N/A 10.0.0.172:80 tcp
GB 216.58.204.78:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.200.14:443 android.apis.google.com tcp

Files

/storage/emulated/0/Android/data/.uuid

MD5 592921cde222c3e289f0b22e07630a17
SHA1 0a5d37151ab632555b25f159ae61a4e342ca3acc
SHA256 766f28c067563296ba368e7d788379205f3981f4c2a4c6a7602ab7e540d526b9
SHA512 4cb5862e620b36155725abf0057fde8a4d53132f2d0e5a090d15923e9233d74c2e4eb71d818a68d18c2d62a96d0f82ca9aabadddf0243a303593e069e1201df3

/storage/emulated/0/Android/data/cache/CacheTime.dat

MD5 f3dddcbcf6fb92547d1df5d73ddb16e3
SHA1 b6a822fc4fccd91d7a2e322dc14725030abad198
SHA256 5211fbf90637a53774b5c430739933162f031d0951f3c05e5fc17426724c4822
SHA512 5e867e7a5fd7756e179ec784826b4887d25456d95b4cf17fdf3117cfc25535b18037e620d67f496c68dc9d3f2f01c9bed8cc68af305c92833efaaaeecc1b905d

/storage/emulated/0/Android/data/.class/android

MD5 3d01a0cc7abc4fc30bb3e60da34f59ef
SHA1 a77628ffc105519271a9bdfc24bc0ada1aadd20d
SHA256 687bd1f19832d515445c688a6acdaf9212540c0b08796179b9a1b27497f45e29
SHA512 6d3fffcd24d6a65a48a89313861896434f7dcf4dee695dc84f3b55d6c19e457a7a68dd6f5e464acb007d16922b44192f994e24064d69062c36481f2cf80636fc

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-03 06:35

Reported

2024-11-03 06:38

Platform

android-x64-20240624-en

Max time kernel

50s

Max time network

151s

Command Line

book.gwapme.ikerzq

Signatures

Checks if the Android device is rooted.

evasion
Description Indicator Process Target
N/A /system/bin/su N/A N/A
N/A /system/xbin/su N/A N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

book.gwapme.ikerzq

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 v1.gameapiv1.com udp
US 103.224.212.215:80 v1.gameapiv1.com tcp
US 1.1.1.1:53 ads.wapx.cn udp
US 103.224.212.215:80 v1.gameapiv1.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 216.58.212.200:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 app.wapx.cn udp
US 1.1.1.1:53 v1.gameapiv1.info udp
N/A 10.0.0.172:80 tcp
GB 142.250.187.206:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.200.46:443 android.apis.google.com tcp
US 1.1.1.1:53 app.waps.cn udp
US 1.1.1.1:53 v1.gameapiv1.org udp
N/A 10.0.0.172:80 tcp
US 1.1.1.1:53 v1.gameapiv1.net udp
N/A 10.0.0.172:80 tcp
GB 216.58.201.100:443 tcp
GB 216.58.201.100:443 tcp
GB 172.217.16.238:443 tcp
GB 216.58.201.98:443 tcp

Files

/storage/emulated/0/Android/data/cache/CacheTime.dat

MD5 dd805019a83ab98d50f857a7deced851
SHA1 40c7ef340af17efebf827cf4b3c9298e31b3a9d4
SHA256 2b3898d1f54536bd9c10b67812e3cd3deec42a03afcbde8f9522058a0a7e5830
SHA512 0e11a1d90a1d77cbcc8b8597ac5ae745792870d569f8563cddea813398f58500e2c0b4e57d524e9b280affb6667b5fd744b6ee38fb5e3c6296f6f75fb324dc7d

/storage/emulated/0/Android/data/.class/android

MD5 0f44edbc45401773c96dd5e2a39ba212
SHA1 116c913e3b6f4f77f9549426bf6e4a4d279396d5
SHA256 745fd71594e73895acc4a7b052c1c08184aa5239f3edf22c152826c49953fa28
SHA512 b9ebcb18204d3b6a6e18cf1f140eda5bf40026e893415488d5d69c7288002512955ba6d9b2811609d48e1d3352f7c58fea88188d1b47747eeb6339dbd4a3b471

/storage/emulated/0/Android/data/.uuid

MD5 030a7ee38713a2bb243014f95b438839
SHA1 5a14534935c95a4e971f562e1a99361d7451dcb0
SHA256 9a07179ca50e2472421a0e11c9965bc8ed6182da739bc85f1710dc3eb9c61bb4
SHA512 d0ab83302899982283f1a92dd6e6180ec90ace99bbc35fab88326381731df0baaf7c9d58757bed1ae36568acd58a678d8cbfcf439a74bdb52851959a837bf72d

/storage/emulated/0/Android/data/cache/AppPackage.dat

MD5 566a78c9c0ac0348d473f1199c520fab
SHA1 0c45b6108d9b9122ed42b30e1beec29a42b483ea
SHA256 e9ce66eab5a8675e60e8d78e34a04d8e7e967c49e7589a947370acd185c3d69c
SHA512 9be3b08357a937a6727d2a43eff6bc7b4ac8d95d3c93e240b44392178f8423faf6bb85ffc27d10d7519a43c2d8e2ebaa4ad1ded08492d0f04075d07134f4a8a2

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-03 06:35

Reported

2024-11-03 06:38

Platform

android-x64-arm64-20240624-en

Max time kernel

145s

Max time network

133s

Command Line

book.gwapme.ikerzq

Signatures

Checks if the Android device is rooted.

evasion
Description Indicator Process Target
N/A /system/bin/su N/A N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

book.gwapme.ikerzq

Network

Country Destination Domain Proto
GB 142.250.180.14:443 tcp
GB 142.250.180.14:443 tcp
GB 142.250.180.14:443 tcp
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.179.238:443 android.apis.google.com tcp
GB 142.250.179.238:443 android.apis.google.com tcp
US 1.1.1.1:53 v1.gameapiv1.com udp
US 103.224.212.215:80 v1.gameapiv1.com tcp
US 103.224.212.215:80 v1.gameapiv1.com tcp
US 1.1.1.1:53 app.wapx.cn udp
US 1.1.1.1:53 ads.wapx.cn udp
US 1.1.1.1:53 v1.gameapiv1.info udp
N/A 10.0.0.172:80 tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 216.58.201.104:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 v1.gameapiv1.org udp
N/A 10.0.0.172:80 tcp
US 1.1.1.1:53 v1.gameapiv1.net udp
N/A 10.0.0.172:80 tcp
GB 142.250.200.36:443 tcp
GB 142.250.200.36:443 tcp

Files

/data/user/0/book.gwapme.ikerzq/files/uuid

MD5 5164cce7538e4456d0d113a032fe5e4f
SHA1 13acc1e2c9ba036aebb75e9fdae516b0c9c5f056
SHA256 c275b878674da9f26536bd44f11e795d6ce99f58571f41d1434d049492c23805
SHA512 ccabe21edf3faafec880575995efda7ba928b30272d0d2f8257a0508a473ce76fa108779f6df4f0f7095a45e5dd87a251e8f5d66bde38ea0ddf92f02e6826105