Malware Analysis Report

2025-08-10 23:54

Sample ID 240517-skxgnsde83
Target 502535716efa44eba898cee9e26d5700_JaffaCakes118
SHA256 3968e7de4ec0548f333d4ababeb7eed3291f8ed55ecfb9092c5585f10adff38a
Tags
collection discovery evasion impact persistence
score
8/10


Analysis Overview

score
8/10

SHA256

3968e7de4ec0548f333d4ababeb7eed3291f8ed55ecfb9092c5585f10adff38a

Threat Level: Likely malicious

The file 502535716efa44eba898cee9e26d5700_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

collection discovery evasion impact persistence

Requests cell location

Queries information about the current Wi-Fi connection

Queries information about the current nearby Wi-Fi networks

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks if the internet connection is available

Queries the unique device ID (IMEI, MEID, IMSI)

Reads information about the phone network operator

Requests dangerous framework permissions

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-17 15:11

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows access to the list of accounts in the Accounts Service. android.permission.GET_ACCOUNTS N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-17 15:11

Reported

2024-05-17 15:14

Platform

android-x64-20240514-en

Max time kernel

178s

Max time network

186s

Command Line

com.diandianzhuan.app

Signatures

Requests cell location

collection discovery evasion
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getCellLocation N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Queries information about the current nearby Wi-Fi networks

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getScanResults N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Checks if the internet connection is available

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Reads information about the phone network operator

discovery

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.diandianzhuan.app

Network


Files

/data/data/com.diandianzhuan.app/databases/fengchuan_db-journal

/data/data/com.diandianzhuan.app/databases/fengchuan_db

/data/data/com.diandianzhuan.app/databases/dynamicamapfile.db-journal

/data/data/com.diandianzhuan.app/databases/dynamicamapfile.db

/data/data/com.diandianzhuan.app/databases/db-journal

/data/data/com.diandianzhuan.app/databases/db

/data/data/com.diandianzhuan.app/files/jpush_stat_cache.json

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-17 15:11

Reported

2024-05-17 15:15

Platform

android-x86-arm-20240514-en

Max time kernel

179s

Max time network

185s

Command Line

com.diandianzhuan.app

Signatures

Requests cell location

collection discovery evasion
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getCellLocation N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Queries information about the current nearby Wi-Fi networks

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getScanResults N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Checks if the internet connection is available

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Reads information about the phone network operator

discovery

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.diandianzhuan.app

Network


Files

/data/data/com.diandianzhuan.app/databases/fengchuan_db-journal

/data/data/com.diandianzhuan.app/databases/fengchuan_db

/data/data/com.diandianzhuan.app/databases/fengchuan_db-shm

/data/data/com.diandianzhuan.app/databases/fengchuan_db-wal

/data/data/com.diandianzhuan.app/databases/dynamicamapfile.db-journal

/data/data/com.diandianzhuan.app/databases/dynamicamapfile.db

/data/data/com.diandianzhuan.app/databases/dynamicamapfile.db-wal

/data/data/com.diandianzhuan.app/databases/db-journal

/data/data/com.diandianzhuan.app/databases/db

/data/data/com.diandianzhuan.app/databases/db-wal

/data/data/com.diandianzhuan.app/files/jpush_stat_cache.json