Malware Analysis Report

2025-08-11 00:07

Sample ID 240513-hjaleaba3t
Target 3e356eec96d1fdf44bb7deffd8537d48_JaffaCakes118
SHA256 74f9afc54ef47525abc388d47e25978ba84d8ded8b8382430252e9eb4a57fd31
Tags: discovery evasion impact persistence
Score: 7/10

Analysis Overview

Score: 7/10

SHA256: 74f9afc54ef47525abc388d47e25978ba84d8ded8b8382430252e9eb4a57fd31

Threat Level: Shows suspicious behavior

The file 3e356eec96d1fdf44bb7deffd8537d48_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

discovery evasion impact persistence

Checks CPU information

Checks known Qemu files.

Checks memory information

Queries information about running processes on the device

Registers a broadcast receiver at runtime (usually for listening for system events)

Loads dropped Dex/Jar

Queries information about the current Wi-Fi connection

Requests dangerous framework permissions

Checks if the internet connection is available

Queries the unique device ID (IMEI, MEID, IMSI)

Uses Crypto APIs (Might try to encrypt user data)

Analysis: static1

Detonation Overview

Reported: 2024-05-13 06:45

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows access to the list of accounts in the Accounts Service. android.permission.GET_ACCOUNTS N/A N/A
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-13 06:45
Reported: 2024-05-13 06:48
Platform: android-x86-arm-20240506-en
Max time kernel: 139s
Max time network: 155s

Command Line

com.cloudywood.ip

Signatures

Checks CPU information

evasion discovery
Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks known Qemu files.

evasion
Description Indicator Process Target
N/A /sys/qemu_trace N/A N/A

Checks memory information

evasion discovery
Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/data/com.cloudywood.ip/.jiagu/classes.dex N/A N/A
N/A /data/data/com.cloudywood.ip/.jiagu/classes.dex!classes2.dex N/A N/A
N/A /data/data/com.cloudywood.ip/.jiagu/classes.dex!classes3.dex N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Checks if the internet connection is available

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.cloudywood.ip

chmod 755 /data/user/0/com.cloudywood.ip/.jiagu/libjiagu.so

sh -c ps

ps

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
US 1.1.1.1:53 2eyad9yt.stats.lncld.net udp
US 1.1.1.1:53 app-router.leancloud.cn udp
SG 119.29.29.29:80 119.29.29.29 tcp
SG 119.29.29.29:80 119.29.29.29 tcp
CN 106.75.100.17:443 app-router.leancloud.cn tcp
US 1.1.1.1:53 2eyad9yt.push.lncld.net udp
SG 119.29.29.29:80 119.29.29.29 tcp
US 1.1.1.1:53 api.yunlaiwu.com udp
CN 106.75.120.150:443 api.yunlaiwu.com tcp
SG 119.29.29.29:80 119.29.29.29 tcp
US 1.1.1.1:53 2eyad9yt.rtm.lncld.net udp
SG 119.29.29.29:80 119.29.29.29 tcp
SG 119.29.29.29:80 119.29.29.29 tcp
CN 106.75.120.150:443 api.yunlaiwu.com tcp
SG 119.29.29.29:80 119.29.29.29 tcp
SG 119.29.29.29:80 119.29.29.29 tcp
US 1.1.1.1:53 alog.umeng.com udp
CN 223.109.148.130:80 alog.umeng.com tcp
GB 142.250.200.14:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.206:443 android.apis.google.com tcp
CN 106.75.72.56:443 api.yunlaiwu.com tcp
CN 106.75.72.56:443 api.yunlaiwu.com tcp
CN 223.109.148.178:80 alog.umeng.com tcp
US 1.1.1.1:53 s.appjiagu.com udp
US 104.192.110.60:80 s.appjiagu.com tcp
CN 223.109.148.177:80 alog.umeng.com tcp
US 1.1.1.1:53 2eyad9yt.api.lncld.net udp
SG 119.29.29.29:80 119.29.29.29 tcp
CN 223.109.148.141:80 alog.umeng.com tcp
CN 223.109.148.176:80 alog.umeng.com tcp
CN 223.109.148.179:80 alog.umeng.com tcp
US 1.1.1.1:53 b.appjiagu.com udp
CN 180.163.249.208:80 b.appjiagu.com tcp
CN 106.63.25.33:80 b.appjiagu.com tcp
US 1.1.1.1:53 alog.umengcloud.com udp
CN 223.109.148.177:80 alog.umengcloud.com tcp
CN 223.109.148.130:80 alog.umengcloud.com tcp
CN 223.109.148.178:80 alog.umengcloud.com tcp
CN 223.109.148.141:80 alog.umengcloud.com tcp
CN 223.109.148.179:80 alog.umengcloud.com tcp
CN 223.109.148.176:80 alog.umengcloud.com tcp
SG 119.29.29.29:80 119.29.29.29 tcp
CN 106.75.120.150:443 api.yunlaiwu.com tcp
CN 106.75.72.56:443 api.yunlaiwu.com tcp

Files

/data/data/com.cloudywood.ip/.jiagu/libjiagu.so

/data/data/com.cloudywood.ip/.jiagu/classes.dex

/data/data/com.cloudywood.ip/.jiagu/classes.dex!classes2.dex

/data/data/com.cloudywood.ip/.jiagu/classes.dex!classes3.dex

/data/data/com.cloudywood.ip/files/.jglogs/.jg.ri

/data/data/com.cloudywood.ip/files/.jiagu.lock

/data/data/com.cloudywood.ip/files/.jglogs/.jg.ac

/data/data/com.cloudywood.ip/files/.jglogs/.jg.ic

/data/data/com.cloudywood.ip/files/.jglogs/.jg.di

/storage/emulated/0/360/.iddata

/storage/emulated/0/360/.deviceId

/data/data/com.cloudywood.ip/files/installation

/data/data/com.cloudywood.ip/cache/CommandCache/50b5682a02f09be5b6d35b62d9c92ea1

/data/data/com.cloudywood.ip/databases/CLOUDLOG.db-journal

/data/data/com.cloudywood.ip/databases/CLOUDLOG.db

/data/data/com.cloudywood.ip/databases/CLOUDLOG.db-shm

/data/data/com.cloudywood.ip/databases/CLOUDLOG.db-wal

/data/data/com.cloudywood.ip/databases/ua.db-journal

/data/data/com.cloudywood.ip/databases/ua.db

/data/data/com.cloudywood.ip/databases/ua.db-wal

/storage/emulated/0/Android/data/leancloud/dontpanic.cp

/data/data/com.cloudywood.ip/databases/cc/cc.db-journal

/data/data/com.cloudywood.ip/databases/cc/cc.db

/data/data/com.cloudywood.ip/databases/cc/cc.db-wal

/data/data/com.cloudywood.ip/files/umeng_it.cache

/data/data/com.cloudywood.ip/files/.umeng/exchangeIdentity.json

/data/data/com.cloudywood.ip/files/exid.dat

/data/data/com.cloudywood.ip/files/.um/um_cache_1715582870879.env

Analysis: behavioral2

Detonation Overview

Submitted: 2024-05-13 06:45
Reported: 2024-05-13 06:48
Platform: android-x64-20240506-en
Max time kernel: 8s
Max time network: 131s

Command Line

com.cloudywood.ip

Signatures

Checks CPU information

evasion discovery
Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.cloudywood.ip/[email protected] N/A N/A
N/A /data/user/0/com.cloudywood.ip/[email protected]!classes2.dex N/A N/A
N/A /data/user/0/com.cloudywood.ip/[email protected]!classes3.dex N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Checks if the internet connection is available

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Processes

com.cloudywood.ip

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 ssl.google-analytics.com udp
US 1.1.1.1:53 app-router.leancloud.cn udp
US 1.1.1.1:53 2eyad9yt.stats.lncld.net udp
SG 119.29.29.29:80 119.29.29.29 tcp
SG 119.29.29.29:80 119.29.29.29 tcp
CN 106.75.100.17:443 app-router.leancloud.cn tcp
GB 142.250.200.8:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.200.14:443 android.apis.google.com tcp
GB 172.217.169.78:443 tcp
GB 216.58.201.98:443 tcp
GB 172.217.169.68:443 tcp
GB 172.217.169.68:443 tcp
GB 142.250.179.238:443 tcp

Files

/data/data/com.cloudywood.ip/.jiagu/libjiagu.so

/data/data/com.cloudywood.ip/.jiagu/libjiagu_64.so

/data/data/com.cloudywood.ip/.jiagu/classes.dex

/data/user/0/com.cloudywood.ip/[email protected]

/data/user/0/com.cloudywood.ip/[email protected]!classes2.dex

/data/user/0/com.cloudywood.ip/[email protected]!classes3.dex

/data/data/com.cloudywood.ip/files/.jglogs/.jg.ri

/data/data/com.cloudywood.ip/files/.jiagu.lock

/data/data/com.cloudywood.ip/files/.jglogs/.jg.ac

/data/data/com.cloudywood.ip/files/.jglogs/.jg.ic

/data/data/com.cloudywood.ip/files/.jglogs/.jg.di

/storage/emulated/0/360/.iddata

/storage/emulated/0/360/.deviceId

/data/data/com.cloudywood.ip/files/installation

/data/data/com.cloudywood.ip/cache/CommandCache/89660ab8a3d977c681bb4215cd1d49e4
