Malware Analysis Report

2025-08-10 23:54

Sample ID 240517-s6g9waef41
Target 503d51c4ee816c43168a4ca15212c164_JaffaCakes118
SHA256 e7cbc970ec865cbff06b0c7ca5f24ca127489be2e17b1383904299c5e96a8151
Tags
collection discovery evasion impact persistence
score
8/10

Analysis Overview

Threat Level: Likely malicious

The file 503d51c4ee816c43168a4ca15212c164_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

collection discovery evasion impact persistence

Requests cell location

Checks CPU information

Queries information about running processes on the device

Queries information about the current Wi-Fi connection

Queries information about the current nearby Wi-Fi networks

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks if the internet connection is available

Reads information about phone network operator

Requests dangerous framework permissions

Listens for changes in the sensor environment (might be used to detect emulation)

Uses Crypto APIs (Might try to encrypt user data)

Analysis: static1

Detonation Overview

Reported

2024-05-17 15:44

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS N/A N/A
Allows an application to record audio. android.permission.RECORD_AUDIO N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-17 15:44

Reported

2024-05-17 15:47

Platform

android-x86-arm-20240514-en

Max time kernel

41s

Max time network

157s

Command Line

com.mhealth37.BloodPressure

Signatures

Requests cell location

collection discovery evasion
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getCellLocation N/A N/A

Checks CPU information

evasion discovery
Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Queries information about the current nearby Wi-Fi networks

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getScanResults N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Checks if the internet connection is available

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Reads information about phone network operator

discovery

Listens for changes in the sensor environment (might be used to detect emulation)

evasion
Description Indicator Process Target
Framework API call android.hardware.SensorManager.registerListener N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.mhealth37.BloodPressure

com.mhealth37.BloodPressure:pushservice

Network


Files

/storage/emulated/0/mipush/log/com.mhealth37.BloodPressure/log1.txt

/storage/emulated/0/mipush/log/com.mhealth37.BloodPressure/log1.txt

/storage/emulated/0/Android/data/com.mhealth37.BloodPressure/cache/locationCache/journal.tmp

/data/data/com.mhealth37.BloodPressure/databases/bloodpress.db-journal

/data/data/com.mhealth37.BloodPressure/databases/bloodpress.db

/data/data/com.mhealth37.BloodPressure/databases/bloodpress.db-shm

/data/data/com.mhealth37.BloodPressure/databases/bloodpress.db-wal

/data/data/com.mhealth37.BloodPressure/files/umeng_it.cache

/storage/emulated/0/mipush/log/com.mhealth37.BloodPressure/log1.txt

/storage/emulated/0/mipush/log/com.mhealth37.BloodPressure/log1.txt

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-17 15:44

Reported

2024-05-17 15:47

Platform

android-x64-arm64-20240514-en

Max time kernel

179s

Max time network

179s

Command Line

com.mhealth37.BloodPressure

Signatures

Requests cell location

collection discovery evasion
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getCellLocation N/A N/A

Checks CPU information

evasion discovery
Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Queries information about the current nearby Wi-Fi networks

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getScanResults N/A N/A

Checks if the internet connection is available

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Reads information about phone network operator

discovery

Listens for changes in the sensor environment (might be used to detect emulation)

evasion
Description Indicator Process Target
Framework API call android.hardware.SensorManager.registerListener N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.mhealth37.BloodPressure

com.mhealth37.BloodPressure:pushservice

Network


Files

/storage/emulated/0/mipush/log/com.mhealth37.BloodPressure/log1.txt

/storage/emulated/0/Android/data/com.mhealth37.BloodPressure/cache/locationCache/journal.tmp (deleted)

/data/user/0/com.mhealth37.BloodPressure/databases/bloodpress.db-journal

/data/user/0/com.mhealth37.BloodPressure/databases/bloodpress.db

/data/user/0/com.mhealth37.BloodPressure/databases/bloodpress.db-journal

/data/user/0/com.mhealth37.BloodPressure/databases/bloodpress.db-journal

/data/user/0/com.mhealth37.BloodPressure/files/umeng_it.cache

/data/user/0/com.mhealth37.BloodPressure/databases/bloodpress.db-journal

/storage/emulated/0/mipush/log/com.mhealth37.BloodPressure/log1.txt

/storage/emulated/0/mipush/log/com.mhealth37.BloodPressure/log1.txt

/data/user/0/com.mhealth37.BloodPressure/files/mobclick_agent_sealed_com.mhealth37.BloodPressure

/storage/emulated/0/Android/data/com.mhealth37.BloodPressure/files/carrierdata/1715960753

/storage/emulated/0/Android/data/com.mhealth37.BloodPressure/files/carrierdata/1715960753