Malware Analysis Report

2025-08-11 00:07

Sample ID 240513-hqbgaaec69
Target 3e3f2c8c7cf9d4cc11e396bda0e01897_JaffaCakes118
SHA256 5428765b8f7eb40ce41d779563e9e7eaf50336c8cae5cae9e0883045e3f0420d
Tags: discovery evasion persistence
Score: 7/10

Analysis Overview


Threat Level: Shows suspicious behavior

The file 3e3f2c8c7cf9d4cc11e396bda0e01897_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

discovery evasion persistence

Checks CPU information

Queries information about running processes on the device

Queries information about the current Wi-Fi connection

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks if the internet connection is available

Reads information about the phone network operator

Requests dangerous framework permissions

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-13 06:56

Signatures

Requests dangerous framework permissions

Process  Target  Indicator                                   Description
N/A      N/A     android.permission.CAMERA                   Required to be able to access the camera device.
N/A      N/A     android.permission.WRITE_EXTERNAL_STORAGE   Allows an application to write to external storage.
N/A      N/A     android.permission.READ_EXTERNAL_STORAGE    Allows an application to read from external storage.
N/A      N/A     android.permission.SYSTEM_ALERT_WINDOW      Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps.
N/A      N/A     android.permission.RECORD_AUDIO             Allows an application to record audio.
N/A      N/A     android.permission.WRITE_SETTINGS           Allows an application to read or write the system settings.
N/A      N/A     android.permission.WRITE_SETTINGS           Allows an application to read or write the system settings.
N/A      N/A     android.permission.READ_PHONE_STATE         Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device.

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-13 06:56

Reported

2024-05-13 06:58

Platform

android-x86-arm-20240506-en

Max time kernel

136s

Max time network

158s

Command Line

com.yunti.lfs

Signatures

Checks CPU information

evasion discovery
Description             Process  Target  Indicator
File opened for read    N/A      N/A     /proc/cpuinfo
File opened for read    N/A      N/A     /proc/cpuinfo

Queries information about running processes on the device

discovery
Description             Process  Target  Indicator
Framework service call  N/A      N/A     android.app.IActivityManager.getRunningAppProcesses

Queries information about the current Wi-Fi connection

discovery
Description             Process  Target  Indicator
Framework service call  N/A      N/A     android.net.wifi.IWifiManager.getConnectionInfo
Framework service call  N/A      N/A     android.net.wifi.IWifiManager.getConnectionInfo

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description             Process  Target  Indicator
Framework service call  N/A      N/A     android.app.IActivityManager.registerReceiver
Framework service call  N/A      N/A     android.app.IActivityManager.registerReceiver

Checks if the internet connection is available

discovery
Description             Process  Target  Indicator
Framework service call  N/A      N/A     android.net.IConnectivityManager.getActiveNetworkInfo
Framework service call  N/A      N/A     android.net.IConnectivityManager.getActiveNetworkInfo

Reads information about the phone network operator

discovery

Processes

com.yunti.lfs

com.yunti.lfs:push

Network

Country  Destination           Domain                              Proto
N/A      224.0.0.251:5353                                          udp
US       1.1.1.1:53            fb.umeng.com                        udp
US       1.1.1.1:53            lfsapp.koudaitiku.com               udp
US       1.1.1.1:53            alog.umeng.com                      udp
CN       223.109.148.177:80    alog.umeng.com                      tcp
CN       115.28.112.191:80     lfsapp.koudaitiku.com               tcp
US       1.1.1.1:53            adash.m.taobao.com                  udp
US       1.1.1.1:53            utop.umengcloud.com                 udp
US       47.246.137.207:80     adash.m.taobao.com                  tcp
CN       140.205.160.70:80     utop.umengcloud.com                 tcp
GB       172.217.16.238:443                                        tcp
US       1.1.1.1:53            android.apis.google.com             udp
GB       142.250.200.46:443    android.apis.google.com             tcp
US       47.246.137.207:80     adash.m.taobao.com                  tcp
CN       223.109.148.130:80    alog.umeng.com                      tcp
CN       223.109.148.178:80    alog.umeng.com                      tcp
CN       223.109.148.141:80    alog.umeng.com                      tcp
US       47.246.137.207:80     adash.m.taobao.com                  tcp
CN       223.109.148.179:80    alog.umeng.com                      tcp
CN       223.109.148.176:80    alog.umeng.com                      tcp
US       1.1.1.1:53            alog.umeng.co                       udp
US       1.1.1.1:53            semanticlocation-pa.googleapis.com  udp

Files

/data/data/com.yunti.lfs/databases/tqm.db-journal

/data/data/com.yunti.lfs/databases/tqm.db

/data/data/com.yunti.lfs/databases/tqm.db-shm

/data/data/com.yunti.lfs/databases/tqm.db-wal

/storage/emulated/0/Android/data/com.yunti.lfs/cache/uil-images/journal.tmp

/storage/emulated/0/.UTSystemConfig/Global/Alvin2.xml

/storage/emulated/0/.UTSystemConfig/Global/Alvin2.xml

/storage/emulated/0/.UTSystemConfig/Global/Alvin2.xml

/data/data/com.yunti.lfs/files/umeng_it.cache

/storage/emulated/0/.UTSystemConfig/Global/Alvin2.xml

/data/data/com.yunti.lfs/files/mobclick_agent_sealed_com.yunti.lfs
