Malware Analysis Report

2025-08-05 19:17

Sample ID 240513-mdsl9aba67
Target 3f01ed78c64f217d66469822fd8a9823_JaffaCakes118
SHA256 1654378e495b22149b614824402f87e12192f7af379b39118705d2c2c01ddacc
Tags: discovery evasion impact persistence
Score: 7/10

Analysis Overview

Score: 7/10

SHA256: 1654378e495b22149b614824402f87e12192f7af379b39118705d2c2c01ddacc

Threat level: shows suspicious behavior.

The file 3f01ed78c64f217d66469822fd8a9823_JaffaCakes118 was classified as showing suspicious behavior. The signatures behind the 7/10 score (emulator artifact checks, a /proc/meminfo read, a runtime broadcast receiver, a connectivity check and a javax.crypto.Cipher.doFinal call) are generic heuristics that third-party SDKs bundled in legitimate apps also trigger, so the score is a prompt for manual review rather than a verdict.

Malicious Activity Summary

Tags: discovery evasion impact persistence

Checks known Qemu files.

Checks known Qemu pipes.

Checks memory information

Registers a broadcast receiver at runtime (usually for listening for system events)

Requests dangerous framework permissions

Checks if the internet connection is available

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-13 10:21

Signatures

Requests dangerous framework permissions

(Process and Target are N/A for every row: these permissions come from the static manifest, not from a running process.)

android.permission.SYSTEM_ALERT_WINDOW
    Allows an app to create windows of type WindowManager.LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps.
android.permission.READ_EXTERNAL_STORAGE
    Allows an application to read from external storage.
android.permission.WRITE_EXTERNAL_STORAGE
    Allows an application to write to external storage.
android.permission.REQUEST_INSTALL_PACKAGES
    Allows an application to request installing packages.
android.permission.CAMERA
    Required to be able to access the camera device.
android.permission.ACCESS_FINE_LOCATION
    Allows an app to access precise location.
android.permission.ACCESS_COARSE_LOCATION
    Allows an app to access approximate location.
android.permission.READ_PHONE_STATE
    Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device.
android.permission.READ_CONTACTS
    Allows an application to read the user's contacts data.
android.permission.WRITE_CONTACTS
    Allows an application to write the user's contacts data.
android.permission.GET_ACCOUNTS
    Allows access to the list of accounts in the Accounts Service.
android.permission.WRITE_SETTINGS
    Allows an application to read or write the system settings.
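The permission table above is the raw manifest list; what an analyst actually wants is the split between runtime ("dangerous") permissions the user sees a prompt for, "special" permissions granted through a Settings screen, and combinations that deserve a second look. The script below is an added example and not part of the sandbox report or the app: the AndroidManifest.xml it parses is constructed from the twelve permissions listed above (the sample's real manifest is not on this page), and the COMBOS heuristics are my own, not a sandbox rule.

```python
"""Triage <uses-permission> entries of an Android manifest (added example)."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Runtime ("dangerous") permissions: granted through the system prompt.
RUNTIME = {
    "READ_EXTERNAL_STORAGE", "WRITE_EXTERNAL_STORAGE", "CAMERA",
    "ACCESS_FINE_LOCATION", "ACCESS_COARSE_LOCATION", "READ_PHONE_STATE",
    "READ_CONTACTS", "WRITE_CONTACTS", "GET_ACCOUNTS",
}
# Special permissions: granted through a dedicated Settings screen, not a prompt.
SPECIAL = {"SYSTEM_ALERT_WINDOW", "WRITE_SETTINGS", "REQUEST_INSTALL_PACKAGES"}

# Combinations worth a second look. Heuristic list of my own, not a sandbox rule.
COMBOS = {
    ("SYSTEM_ALERT_WINDOW", "REQUEST_INSTALL_PACKAGES"):
        "overlay + sideload: the app can draw over its own install prompt",
    ("READ_CONTACTS", "GET_ACCOUNTS", "READ_PHONE_STATE"):
        "identity harvesting: contacts, accounts and device state together",
}

# Constructed manifest carrying exactly the permissions from the static1 table.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.scwuzhou.logistics">
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.WRITE_CONTACTS"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <uses-permission android:name="android.permission.WRITE_SETTINGS"/>
</manifest>"""


def permissions(manifest_xml: str) -> list:
    """Return the short names of all android.permission.* entries."""
    root = ET.fromstring(manifest_xml)
    names = []
    for node in root.iter("uses-permission"):
        name = node.get("{%s}name" % ANDROID_NS, "")
        if name.startswith("android.permission."):
            names.append(name.rsplit(".", 1)[1])
    return names


def triage(manifest_xml: str) -> dict:
    """Bucket permissions and flag any COMBOS fully present in the manifest."""
    perms = set(permissions(manifest_xml))
    return {
        "runtime": sorted(perms & RUNTIME),
        "special": sorted(perms & SPECIAL),
        "other": sorted(perms - RUNTIME - SPECIAL),
        "flags": [why for combo, why in COMBOS.items() if set(combo) <= perms],
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_MANIFEST).items():
        print("%s: %s" % (key, value))
```

For this sample the script reports all three special permissions and both flagged combinations; on its own that matches many legitimate Chinese logistics and delivery apps that self-update outside a store, so it narrows the review rather than settling it.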

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-13 10:21

Reported

2024-05-13 10:24

Platform

android-x86-arm-20240506-en

Max time kernel

125s

Max time network

146s

Command Line

com.scwuzhou.logistics

Signatures

Checks known Qemu files.

evasion
Indicator: /system/lib/libc_malloc_debug_qemu.so
Indicator: /sys/qemu_trace
Indicator: /system/bin/qemu-props

Checks known Qemu pipes.

evasion
Indicator: /dev/socket/qemud
Indicator: /dev/qemu_pipe

Checks memory information

evasion discovery
File opened for read: /proc/meminfo

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Framework service call: android.app.IActivityManager.registerReceiver

Checks if the internet connection is available

discovery
Framework service call: android.net.IConnectivityManager.getActiveNetworkInfo

Uses Crypto APIs (Might try to encrypt user data)

impact
Framework API call: javax.crypto.Cipher.doFinal

(Process and Target were not recorded for any of these signatures.)

Processes

com.scwuzhou.logistics
    /system/bin/sh -c getprop
        getprop

Network

Country  Destination          Domain                              Proto
N/A      224.0.0.251:5353     -                                   udp
GB       142.250.200.42:443   -                                   tcp
US       1.1.1.1:53           semanticlocation-pa.googleapis.com  udp
US       1.1.1.1:53           android.bugly.qq.com                udp
CN       14.22.7.140:80       android.bugly.qq.com                tcp
US       1.1.1.1:53           sessions.bugsnag.com                udp
US       35.190.88.7:443      sessions.bugsnag.com                tcp
US       1.1.1.1:53           vapi.wuzhouyunshu.com               udp
US       1.1.1.1:53           upgrade.huochaoduo.com              udp
US       1.1.1.1:53           codepush.azurewebsites.net          udp
US       23.101.203.117:443   codepush.azurewebsites.net          tcp
CN       47.98.134.70:80      upgrade.huochaoduo.com              tcp
US       1.1.1.1:53           notify.bugsnag.com                  udp
US       35.186.205.6:443     notify.bugsnag.com                  tcp
US       35.186.205.6:443     notify.bugsnag.com                  tcp
US       35.186.205.6:443     notify.bugsnag.com                  tcp
GB       142.250.179.238:443  -                                   tcp
US       1.1.1.1:53           android.apis.google.com             udp
GB       172.217.169.14:443   android.apis.google.com             tcp
CN       14.22.7.199:80       android.bugly.qq.com                tcp
CN       119.147.179.152:80   android.bugly.qq.com                tcp
US       1.1.1.1:53           android.bugly.qq.com                udp
CN       14.22.7.140:80       android.bugly.qq.com                tcp

(- = no domain recorded for that connection)
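A flat network table like the one above mixes DNS lookups, multicast noise, SDK telemetry and the app's own backend, and the rows an analyst should block or monitor are the last group. The script below is an added example and not part of the report: it embeds the behavioral1 rows copied from the table above (the behavioral2 rows can be pasted in the same way), the SDK_SUFFIXES list is my own classification of well-known third-party endpoints, and the "first-party" label is a heuristic meaning "not on that list", not a statement about who owns the domain.

```python
"""Extract and bucket indicators from a sandbox network table (added example)."""
import ipaddress

# Rows copied from the behavioral1 network table (header omitted).
NETWORK_TABLE = """\
N/A 224.0.0.251:5353 udp
GB 142.250.200.42:443 tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
US 1.1.1.1:53 android.bugly.qq.com udp
CN 14.22.7.140:80 android.bugly.qq.com tcp
US 1.1.1.1:53 sessions.bugsnag.com udp
US 35.190.88.7:443 sessions.bugsnag.com tcp
US 1.1.1.1:53 vapi.wuzhouyunshu.com udp
US 1.1.1.1:53 upgrade.huochaoduo.com udp
US 1.1.1.1:53 codepush.azurewebsites.net udp
US 23.101.203.117:443 codepush.azurewebsites.net tcp
CN 47.98.134.70:80 upgrade.huochaoduo.com tcp
US 1.1.1.1:53 notify.bugsnag.com udp
US 35.186.205.6:443 notify.bugsnag.com tcp
US 35.186.205.6:443 notify.bugsnag.com tcp
US 35.186.205.6:443 notify.bugsnag.com tcp
GB 142.250.179.238:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 172.217.169.14:443 android.apis.google.com tcp
CN 14.22.7.199:80 android.bugly.qq.com tcp
CN 119.147.179.152:80 android.bugly.qq.com tcp
US 1.1.1.1:53 android.bugly.qq.com udp
CN 14.22.7.140:80 android.bugly.qq.com tcp
"""

# Third-party SDK / platform endpoints (crash reporting, telemetry, OTA bundle
# updates). My own list; anything not matching is treated as first-party.
SDK_SUFFIXES = ("googleapis.com", "google.com", "bugly.qq.com",
                "bugsnag.com", "azurewebsites.net")


def is_sdk_domain(domain: str) -> bool:
    # Match on a label boundary so "notgoogle.com" is not swallowed.
    return any(domain == s or domain.endswith("." + s) for s in SDK_SUFFIXES)


def parse_rows(table: str) -> list:
    """Parse 'country ip:port [domain] proto' rows; '-' means no domain."""
    rows = []
    for line in table.splitlines():
        parts = line.split()
        if len(parts) == 3:
            country, dest, proto = parts
            domain = ""
        elif len(parts) == 4:
            country, dest, domain, proto = parts
        else:
            continue
        if domain == "-":
            domain = ""
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def classify(rows: list) -> dict:
    """Bucket rows into resolver, multicast, SDK, first-party, cleartext, bare IPs."""
    out = {k: set() for k in ("dns_resolver", "multicast", "sdk",
                              "first_party", "cleartext", "unresolved_ips")}
    for r in rows:
        if ipaddress.ip_address(r["ip"]).is_multicast:
            out["multicast"].add("%s:%d" % (r["ip"], r["port"]))
            continue
        if r["port"] == 53:
            out["dns_resolver"].add(r["ip"])
        if r["domain"]:
            # DNS rows still tell us which names the app asked for, even when
            # no connection to the answer was captured inside the run.
            out["sdk" if is_sdk_domain(r["domain"]) else "first_party"].add(r["domain"])
        elif r["port"] != 53:
            out["unresolved_ips"].add(r["ip"])
        if r["proto"] == "tcp" and r["port"] == 80:
            out["cleartext"].add(r["domain"] or r["ip"])
    return {k: sorted(v) for k, v in out.items()}


if __name__ == "__main__":
    for bucket, items in classify(parse_rows(NETWORK_TABLE)).items():
        print("%-15s %s" % (bucket, ", ".join(items) or "-"))
```

Two things the buckets surface that the raw table hides: vapi.wuzhouyunshu.com was resolved but no connection to it was captured within the 146 s window, and upgrade.huochaoduo.com (and android.bugly.qq.com) were reached over plain HTTP on port 80. An app that also holds REQUEST_INSTALL_PACKAGES and fetches updates over cleartext is worth checking for update-channel integrity (signature verification of what it downloads), which is a supply-chain question the sandbox cannot answer.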

Files

/data/data/com.scwuzhou.logistics/lib-main/dso_state

MD5 93b885adfe0da089cdf634904fd59f71
SHA1 5ba93c9db0cff93f52b521d7420e43f6eda2784f
SHA256 6e340b9cffb37a989ca544e6bb780a2c78901d3fb33738768511a30617afa01d
SHA512 b8244d028981d693af7b456af8efa4cad63d282e19ff14942c246e50d9351d22704a802a71c3580b6370de4ceb293c324a8423342557d4e5c38438f0e36910ee

/data/data/com.scwuzhou.logistics/lib-main/dso_deps

MD5 3df20e3d7e7aea02733aa293c6f70c18
SHA1 b62d5abacfa2e2e9298989a86dfbb24e6ca66018
SHA256 b3b7cb81da2d9764d7f71456e3b4df22067c1df946154db4a0b417dd7eb3be14
SHA512 067beb5a11f0d069832e622714a0274077608d1266e3579a148ca1e11e2b6d85dc32d61c702a5129dbb90d82a8970f8b9b49058efb59d57905ae9a836dfef391

/data/data/com.scwuzhou.logistics/lib-main/dso_manifest

MD5 c06857e9ea338f3f3a24bb78f8fbdf6f
SHA1 c5a0a2529d2deb60fec041b4fbd722a2ebe31702
SHA256 957b88b12730e646e0f33d3618b77dfa579e8231e3c59c7104be7165611c8027
SHA512 29f61516876c25379a7bf4faa2b3ca6f6b53eac90e7de47671fec4a818d51441b4025cd7909f7c0a0d113ab6c5ff00cb3700c286bac7319185b77905feec4fb1

/data/data/com.scwuzhou.logistics/lib-main/dso_state

MD5 55a54008ad1ba589aa210d2629c1df41
SHA1 bf8b4530d8d246dd74ac53a13471bba17941dff7
SHA256 4bf5122f344554c53bde2ebb8cd2b7e3d1600ad631c385a5d7cce23c7785459a
SHA512 7b54b66836c1fbdd13d2441d9e1434dc62ca677fb68f5fe66a464baadecdbd00576f8d6b5ac3bcc80844b7d50b1cc6603444bbe7cfcf8fc0aa1ee3c636d9e339

/data/data/com.scwuzhou.logistics/app_crashrecord/1004

MD5 c48865f983d1194554ea596a03d2fd39
SHA1 003efda1526d4b91643d0e3c8625c1b16162117b
SHA256 9bfeee02dffb6a765228d17edcca2b8d93ae82233f3d820ce40b9e8dca3c3936
SHA512 98e8ab50f51e455c199a5affc5829125e95a128d97d8ee7efc6bf6d001f785394968bbb555d1fb5d627ab3ba8be4c39d8987027da3929df975f3ac09db1d75d8

/data/data/com.scwuzhou.logistics/databases/bugly_db_-journal

MD5 857f74589be2d78d404a60109b499e1d
SHA1 2e5fc9229e5df677ebd3dc4c6739ff584f193168
SHA256 60d1a404d6ca8fd05055a6d7da7da3280c067c08887df14b93c205b44ffa54ce
SHA512 51251adce0b26605e3e3e43d239c3afdca60b95f376923ca8b19f764073acb42fa3efeb6bbd6ed08316e08aa1765189fbe82ef8915c0e025430ad5d194d9ba77

/data/data/com.scwuzhou.logistics/databases/bugly_db_

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.scwuzhou.logistics/databases/bugly_db_-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.scwuzhou.logistics/databases/bugly_db_-wal

MD5 99ba0d10b5040183e025a3f6257cbb92
SHA1 7d7fbdeef05817b385600740d28f776cc0783459
SHA256 6e84beec77cc5cdff210bcd537659478103e2e3c5f57d39b2a7a557332ec04d4
SHA512 4750e690ce6ea5741f1cf6414b8c0c828782b8b511d26d61ad6a9199a0d91f4e55409bf4a0e021ca181b5a9df00fc1391d4e29cb00598ea205eff0364b2009b6

/data/data/com.scwuzhou.logistics/app_crashrecord/1004

MD5 0d210bfb2a0e1f1b4c082a6a0f79de07
SHA1 bb8ed9e364db79d1d9f2fcde3f15091893222faa
SHA256 988722c23d78a46021d0e7ca9deee7aa8bb83288269174ffacb7316f381cca1d
SHA512 536e9867b0df29b15b789f8949be6ab37fcdeccb9d39ded981da7dc2052c9533d0ec0e6f9a5444132977605d372e1463d91bdde41b528ff2ca3f65ab152325c1

/data/data/com.scwuzhou.logistics/databases/RKStorage-journal

MD5 e226d87e9fc3856dd3afb7b50ac790ea
SHA1 ba1b8120b437d6b0963fa3e64b69ee55fc94b725
SHA256 8d04f43d3af628612c89f189513b56e10d1f7e98d7c5c9c8252c94fbae9d5e6e
SHA512 1a82f04f4a41785cad952c5cdb4b73d4e9ce073744fed113e1c3148d99ba2e7b103c0085d2162163a3acd7d8cc68813aaf852ba029593a9ef1f4dd38a9500578

/data/data/com.scwuzhou.logistics/databases/RKStorage-wal

MD5 9173aeacc2cc50374052e22964efe6fe
SHA1 e8a30106f283c66e715f7f31c2a11ec8da034157
SHA256 c02337ac1641f32cfcd625772413346d87641448d052a46ac75c9fcde043036c
SHA512 a32d4eed96783fdf0230532ada5e4024a0b941957e7ae4a96698c89f8fa424ba9ed933326e72d5fea4f3f69494aa692019bd1e33ea9dad5c526d55eeef66af7e
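The file lists above (this one and the behavioral2 list further down) record lib-main/dso_state twice with different hashes. Before treating a dropped file as a payload it is worth checking whether its hashes are those of trivial content. The script below is an added example, not part of the report: the two hash sets are copied from the dso_state entries above, the candidate contents are mine, and the SoLoader attribution in the note that follows is my reading of the path, not something the sandbox states.

```python
"""Identify trivial files in a sandbox file list by their hashes (added example)."""
import hashlib
from typing import Optional

# Contents that very often sit behind "state", "lock" and marker files.
CANDIDATES = {
    "empty file": b"",
    "single 0x00 byte": b"\x00",
    "single 0x01 byte": b"\x01",
}

# Hashes copied from the two lib-main/dso_state entries in the report.
REPORT_ENTRIES = {
    "lib-main/dso_state (first write)": {
        "md5": "93b885adfe0da089cdf634904fd59f71",
        "sha1": "5ba93c9db0cff93f52b521d7420e43f6eda2784f",
        "sha256": "6e340b9cffb37a989ca544e6bb780a2c78901d3fb33738768511a30617afa01d",
    },
    "lib-main/dso_state (second write)": {
        "md5": "55a54008ad1ba589aa210d2629c1df41",
        "sha1": "bf8b4530d8d246dd74ac53a13471bba17941dff7",
        "sha256": "4bf5122f344554c53bde2ebb8cd2b7e3d1600ad631c385a5d7cce23c7785459a",
    },
}


def digests(data: bytes) -> dict:
    """MD5, SHA-1 and SHA-256 of data, keyed by algorithm name."""
    return {algo: hashlib.new(algo, data).hexdigest()
            for algo in ("md5", "sha1", "sha256")}


def identify(entry: dict) -> Optional[str]:
    """Return the candidate label whose digests match every hash in entry.

    All reported algorithms must agree, so one mistyped or truncated hash
    cannot produce a false match; an entry with no hashes matches nothing.
    """
    if not entry:
        return None
    for label, content in CANDIDATES.items():
        expected = digests(content)
        if all(entry.get(algo) == expected[algo] for algo in entry):
            return label
    return None


def identify_all(entries: dict) -> dict:
    """Map each file label to its identification (or None if unknown)."""
    return {path: identify(hashes) for path, hashes in entries.items()}


if __name__ == "__main__":
    for path, label in identify_all(REPORT_ENTRIES).items():
        print("%s -> %s" % (path, label or "unknown content"))
```

Both dso_state writes resolve to a single byte (0x00, then 0x01). That is the behaviour of Facebook's SoLoader native-library unpacker, which keeps a one-byte state file under lib-main next to dso_deps and dso_manifest and flips it once extraction completes; together with the RKStorage SQLite database (React Native AsyncStorage) and the codepush.azurewebsites.net traffic, it marks this as a React Native app whose file activity here is framework housekeeping rather than dropped payloads.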

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-13 10:21

Reported

2024-05-13 10:24

Platform

android-x64-20240506-en

Max time kernel

128s

Max time network

152s

Command Line

com.scwuzhou.logistics

Signatures

Checks known Qemu files.

evasion
Indicator: /system/lib/libc_malloc_debug_qemu.so
Indicator: /sys/qemu_trace
Indicator: /system/bin/qemu-props

Checks known Qemu pipes.

evasion
Indicator: /dev/socket/qemud
Indicator: /dev/qemu_pipe

Checks memory information

evasion discovery
File opened for read: /proc/meminfo

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Framework service call: android.app.IActivityManager.registerReceiver

Checks if the internet connection is available

discovery
Framework service call: android.net.IConnectivityManager.getActiveNetworkInfo

Uses Crypto APIs (Might try to encrypt user data)

impact
Framework API call: javax.crypto.Cipher.doFinal

(Process and Target were not recorded for any of these signatures.)

Processes

com.scwuzhou.logistics

Network

Country  Destination          Domain                       Proto
N/A      224.0.0.251:5353     -                            udp
US       1.1.1.1:53           ssl.google-analytics.com     udp
GB       142.250.178.8:443    ssl.google-analytics.com     tcp
US       1.1.1.1:53           sessions.bugsnag.com         udp
US       35.190.88.7:443      sessions.bugsnag.com         tcp
US       1.1.1.1:53           upgrade.huochaoduo.com       udp
US       1.1.1.1:53           vapi.wuzhouyunshu.com        udp
US       1.1.1.1:53           codepush.azurewebsites.net   udp
US       23.101.203.117:443   codepush.azurewebsites.net   tcp
CN       47.98.134.70:80      upgrade.huochaoduo.com       tcp
US       1.1.1.1:53           notify.bugsnag.com           udp
US       35.186.205.6:443     notify.bugsnag.com           tcp
US       35.186.205.6:443     notify.bugsnag.com           tcp
US       35.186.205.6:443     notify.bugsnag.com           tcp
US       1.1.1.1:53           android.bugly.qq.com         udp
CN       14.22.7.199:80       android.bugly.qq.com         tcp
US       1.1.1.1:53           android.apis.google.com      udp
GB       172.217.169.14:443   android.apis.google.com      tcp
GB       216.58.201.110:443   -                            tcp
GB       216.58.212.194:443   -                            tcp
CN       14.22.7.140:80       android.bugly.qq.com         tcp
GB       142.250.178.4:443    -                            tcp
GB       142.250.178.4:443    -                            tcp
GB       216.58.204.78:443    -                            tcp
CN       119.147.179.152:80   android.bugly.qq.com         tcp
US       1.1.1.1:53           android.bugly.qq.com         udp
CN       14.22.7.199:80       android.bugly.qq.com         tcp

(- = no domain recorded for that connection)

Files

/data/data/com.scwuzhou.logistics/lib-main/dso_state

MD5 93b885adfe0da089cdf634904fd59f71
SHA1 5ba93c9db0cff93f52b521d7420e43f6eda2784f
SHA256 6e340b9cffb37a989ca544e6bb780a2c78901d3fb33738768511a30617afa01d
SHA512 b8244d028981d693af7b456af8efa4cad63d282e19ff14942c246e50d9351d22704a802a71c3580b6370de4ceb293c324a8423342557d4e5c38438f0e36910ee

/data/data/com.scwuzhou.logistics/lib-main/dso_deps

MD5 80ebdc41541bd49112bea0c5245ce094
SHA1 aabefd8a75a6b5763137e31f6557f05d9d109dc5
SHA256 d60ea5c46cedcbbd309ba39662b32d938d34a0b2548207e1e4e2023b422fa0b8
SHA512 eac528e1d634372db01abba91e863cb22bcbfa2cfc60fe05535eba754cee809bbd54fa101bac153486521a2ed06fc6073a635b28a0377edf4897beda8099ca54

/data/data/com.scwuzhou.logistics/lib-main/dso_manifest

MD5 c06857e9ea338f3f3a24bb78f8fbdf6f
SHA1 c5a0a2529d2deb60fec041b4fbd722a2ebe31702
SHA256 957b88b12730e646e0f33d3618b77dfa579e8231e3c59c7104be7165611c8027
SHA512 29f61516876c25379a7bf4faa2b3ca6f6b53eac90e7de47671fec4a818d51441b4025cd7909f7c0a0d113ab6c5ff00cb3700c286bac7319185b77905feec4fb1

/data/data/com.scwuzhou.logistics/lib-main/dso_state

MD5 55a54008ad1ba589aa210d2629c1df41
SHA1 bf8b4530d8d246dd74ac53a13471bba17941dff7
SHA256 4bf5122f344554c53bde2ebb8cd2b7e3d1600ad631c385a5d7cce23c7785459a
SHA512 7b54b66836c1fbdd13d2441d9e1434dc62ca677fb68f5fe66a464baadecdbd00576f8d6b5ac3bcc80844b7d50b1cc6603444bbe7cfcf8fc0aa1ee3c636d9e339

/data/data/com.scwuzhou.logistics/app_crashrecord/1004

MD5 8c59af832f882561425f8560efc948af
SHA1 1ecb5be14a175cbcf1bca66f31d9357d280321c4
SHA256 6f63cdf133c1a66da8685db545e1a12c8b8e5b9c28632430dd11bea782f8c019
SHA512 192151e50d978bee1b022ef5c66a60ea5d4683415ea691d0f6c005cb5b364ec57c2955febb0bb1a2dc4d41d82545d6d8adfe558a6eb932d7951ce1dddc975589

/data/data/com.scwuzhou.logistics/databases/bugly_db_-journal

MD5 a82e229458f35fc831c1cc147338b74b
SHA1 b85df06b09d7fa0aa2feed3ab6fc147fd58376dd
SHA256 71af660eee5ae37b2e66799b5230bae1960007ec5f120241ba6ca12d4411c96f
SHA512 5a531a3003d6ba3bc5f88c454c3f98f3130f2c7bfac2958bd252abec0cb00bc589e6c242f00b15e135d474a771359368f9ea08e1aee23a8785b97489c0fd14e7

/data/data/com.scwuzhou.logistics/databases/bugly_db_

MD5 9bef1e91b6a003c24d0be07cc98d880b
SHA1 b9f8b83726a3404c691f7d141329bd912877467b
SHA256 5c491a1067f784fd3eab88e4a08bcdbb84d2a42683a36c898c8cba091c6b7e4e
SHA512 f357d53bcedc1406a60847628819c1cbff997c60cae1d2b3e11de6391c6a5dadd24c09673897ceff5c949594d400018fabd3f10b549554bc06a6d79cde3f7f00

/data/data/com.scwuzhou.logistics/databases/bugly_db_-journal

MD5 1848e59acd488caa8dbb7781e569950f
SHA1 5d323bdd0d6bb722dc769e93f9af093afa286c70
SHA256 1f25f9e0492b7e7e28bc48ac9ea0d4491276012bf2860076d05dbbeacc571d66
SHA512 2049a7d8f32d1369f39c72b29d4206a3652264724c6e6997a78c75c26a9f7adfdcd6a18cd6292f7e007c63bc321913c76f01296c7493cc046eb1e073bc518dd1

/data/data/com.scwuzhou.logistics/databases/bugly_db_-journal

MD5 52666e66a85217d52e64411327f60c2a
SHA1 1993271b31d6331d2080e8e3b03af0d03ef0f4db
SHA256 878952883ba63ffec25afa69993867e015151947d32adad2a5ea862485413093
SHA512 b1e4559233daced0b0ac984e5091d55ba7353e643c7e790bc5f8ffd051aaf3e73548ac015ead8317e39d17cfb7523bc54c75574c813fae59a6512523c101bc07

/data/data/com.scwuzhou.logistics/databases/bugly_db_-journal

MD5 c8fe2805f4874a00bd4f3ebf44795b07
SHA1 b47ae7f1f869940a2d2027a582027542f4ca1c7f
SHA256 0f2be791cae18b7ec81bcbd3411a6587aa3f1259b2de60f9ef8b8ca5c6636e0b
SHA512 7ddb6d014e26e9973ff50393085e9faca1f9bc319b5391a534eca57efb175fc89553ef1cb25d3dbc562e323be3b72fd563c1fb5d0cd631d1757f8f6a6d08c693

/data/data/com.scwuzhou.logistics/app_crashrecord/1004

MD5 0d210bfb2a0e1f1b4c082a6a0f79de07
SHA1 bb8ed9e364db79d1d9f2fcde3f15091893222faa
SHA256 988722c23d78a46021d0e7ca9deee7aa8bb83288269174ffacb7316f381cca1d
SHA512 536e9867b0df29b15b789f8949be6ab37fcdeccb9d39ded981da7dc2052c9533d0ec0e6f9a5444132977605d372e1463d91bdde41b528ff2ca3f65ab152325c1

/data/data/com.scwuzhou.logistics/databases/bugly_db_-journal

MD5 1f265cd2767e5eef6dc2954292ecae84
SHA1 345bd293e480ff60df5902d9a8b809af5a5be8a4
SHA256 303d27539e4b2d3c5e196d0eb067989e3e3afcd8e69c8bf3905a9f01d9751624
SHA512 0a34922e11d21dcdf438eaef760ac71cc29ca92b2fe0902c1e3e6c4027a8578b39dc80b35d7ce0d0a760a91ff5e555ee5503ca887955ebb19700935878779f76

/data/data/com.scwuzhou.logistics/databases/RKStorage-journal

MD5 82a888c3c664181a7d6138e63240e1fe
SHA1 4b76d395e8f046cb8eda6a59d0527dc6df55e7fe
SHA256 cfc02cde6b87c1df55d59cf4ab3c49ed7e2bda815b2f3db84d542adab7d00145
SHA512 ea97ed86d2e3ac39dfd9aed6c2625f63cb65bd99d1424709287b6d8a5875e5696e00d48a19a29667dffcbbfff957d9b170fb6cb7b3cfad89e77e828b9c88ef5b

/data/data/com.scwuzhou.logistics/databases/RKStorage

MD5 f4652fdafe0c0060f572bfa675e8c054
SHA1 d0e520b53184fadf371229c52ee66b60f3925839
SHA256 75561af4813b5b1cb417aa5d9ecdd41243246e7649f161d4782fbc676ee5e946
SHA512 2ca5e31c8ec2e0df99f58d552812491e78d88d3b8a828ae21015320d1db2a6fc6cd90e43e1a44478d41fe527f90f6c03bf5bf36afdc9e0ab54c99c06c3b099c6

/data/data/com.scwuzhou.logistics/databases/RKStorage-journal

MD5 3441de824cc8119d927b89dabb50904b
SHA1 61a008febf6cde5c43c4c9303cfbb5bab1be1cc4
SHA256 5fb5db79ab7ccf6ee8a1d63c816ab6bbe949606c6d69060a8022829e059fcde9
SHA512 f4c56ba5723aa1bac5f8909dc0bc00114c63caaf374707d6b5a6ce5104cf89e77df2e5f457f0b0bb4063ec6e60aeed9fce3a4ead50cb426a5af3cfbad38291ba

/data/data/com.scwuzhou.logistics/databases/RKStorage-journal

MD5 57458591a882da29418a83736a20fcdc
SHA1 decfa6aeadc0444b7ff28dc995ee75b966da4414
SHA256 d0a1730d1d7f5073cbe42cd1eaea3bc48cb8b350e7720ab51919837200b6f3e2
SHA512 d33d9edf939b5fe58d9b853cfa36380406e83d578e9bec635e7e931e3a689b4e5996924eaa07bb2162dc9c8c5cfa0a4795e23e72dae4b825c489d376a8b6f58a

/data/data/com.scwuzhou.logistics/databases/bugly_db_-journal

MD5 9b918ad091bc67902e24947ea0c41e37
SHA1 ef6fab1057b46ab8435f7d2755dac500225b7d95
SHA256 1af65dfdebe750c54833c096dc75d14e13c666fbdfe5b27135c6a515142228e1
SHA512 8dbad797d8d675e34f8947b6244eb156ab2471d13533487bd971a19ba9dc7d37c6b11a6e864424621e4ce7822bc05aa56a66e8bb846f49530578dd94756496e9