Malware Analysis Report

2025-05-06 01:31

Sample ID 241103-wgbbtasqem
Target 8cbfc9764ebe88e450183b6c89c1ba06_JaffaCakes118
SHA256 cfcfe43bd9b3958d360dd3e49bfa7938bc25d2ea5f73d86d5a1e6cce6f3d040d
Tags: banker, collection, discovery, evasion
Score: 7/10

Analysis Overview

Threat Level: Shows suspicious behavior

The file 8cbfc9764ebe88e450183b6c89c1ba06_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Queries information about running processes on the device

Requests cell location

Queries information about active data network

Queries information about the current Wi-Fi connection

Requests dangerous framework permissions

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Checks CPU information

Analysis: static1

Detonation Overview

Reported: 2024-11-03 17:53

Signatures

Requests dangerous framework permissions

Indicator and description (Process and Target are N/A for every row):

android.permission.READ_PHONE_STATE: Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device.
android.permission.WRITE_EXTERNAL_STORAGE: Allows an application to write to external storage.
android.permission.READ_SMS: Allows an application to read SMS messages.
android.permission.SEND_SMS: Allows an application to send SMS messages.
android.permission.RECEIVE_SMS: Allows an application to receive SMS messages.
android.permission.RECEIVE_WAP_PUSH: Allows an application to receive WAP push messages.
android.permission.READ_CONTACTS: Allows an application to read the user's contacts data.
android.permission.SYSTEM_ALERT_WINDOW: Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps.
android.permission.ACCESS_COARSE_LOCATION: Allows an app to access approximate location.
android.permission.ACCESS_FINE_LOCATION: Allows an app to access precise location.
android.permission.WRITE_SETTINGS: Allows an application to read or write the system settings.

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-03 17:53
Reported: 2024-11-03 17:55
Platform: android-x86-arm-20240624-en
Max time kernel: 105s
Max time network: 152s

Command Line

com.mdsd.game.zf.airplane

Signatures

Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps)
Tags: banker, discovery

Queries information about running processes on the device
Tags: discovery
Framework service call: android.app.IActivityManager.getRunningAppProcesses

Requests cell location
Tags: collection, discovery, evasion
Framework service call: com.android.internal.telephony.ITelephony.getCellLocation

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org
Indicator: alog.umeng.com

Queries information about active data network
Tags: discovery
Framework service call: android.net.IConnectivityManager.getActiveNetworkInfo

Queries information about the current Wi-Fi connection
Tags: discovery
Framework service call: android.net.wifi.IWifiManager.getConnectionInfo

Checks CPU information
File opened for read: /proc/cpuinfo

Processes

com.mdsd.game.zf.airplane

Network

Files

/data/data/com.mdsd.game.zf.airplane/databases/sms_pay-journal

/data/data/com.mdsd.game.zf.airplane/databases/sms_pay

/data/data/com.mdsd.game.zf.airplane/databases/sms_pay-shm

/data/data/com.mdsd.game.zf.airplane/databases/sms_pay-wal

/data/data/com.mdsd.game.zf.airplane/files/zmplane

/data/data/com.mdsd.game.zf.airplane/files/mobclick_agent_cached_com.mdsd.game.zf.airplane