Malware Analysis Report

2025-08-10 23:54

Sample ID 240517-vhsrtahe88
Target 50869954220676386f8c1c4c3f3cbab3_JaffaCakes118
SHA256 226a2cf7eeb8a18f679611cd3163e27429b1dbafc8592bbbb83af06760f361e8
Tags
collection discovery evasion impact persistence
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

226a2cf7eeb8a18f679611cd3163e27429b1dbafc8592bbbb83af06760f361e8

Threat Level: Likely malicious

The file 50869954220676386f8c1c4c3f3cbab3_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

collection discovery evasion impact persistence

Requests cell location

Checks if the Android device is rooted.

Checks memory information

Queries information about running processes on the device

Checks known Qemu pipes.

Checks known Qemu files.

Checks CPU information

Queries information about the current Wi-Fi connection

Registers a broadcast receiver at runtime (usually for listening for system events)

Queries information about the current nearby Wi-Fi networks

Queries the unique device ID (IMEI, MEID, IMSI)

Requests dangerous framework permissions

Checks if the internet connection is available

Reads information about phone network operator.

Listens for changes in the sensor environment (might be used to detect emulation)

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-17 16:59

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
Allows an application to request installing packages. android.permission.REQUEST_INSTALL_PACKAGES N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-17 16:59

Reported

2024-05-17 17:03

Platform

android-x86-arm-20240514-en

Max time kernel

179s

Max time network

189s

Command Line

edu.com.gaiwen.firstchoice

Signatures

Checks if the Android device is rooted.

evasion
Description Indicator Process Target
N/A /sbin/su N/A N/A
N/A /system/app/Superuser.apk N/A N/A

Requests cell location

collection discovery evasion
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getCellLocation N/A N/A

Checks CPU information

evasion discovery
Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks known Qemu files.

evasion
Description Indicator Process Target
N/A /system/lib/libc_malloc_debug_qemu.so N/A N/A
N/A /sys/qemu_trace N/A N/A
N/A /system/bin/qemu-props N/A N/A

Checks known Qemu pipes.

evasion
Description Indicator Process Target
N/A /dev/socket/qemud N/A N/A
N/A /dev/qemu_pipe N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Queries information about the current nearby Wi-Fi networks

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getScanResults N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Checks if the internet connection is available

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Listens for changes in the sensor environment (might be used to detect emulation)

evasion
Description Indicator Process Target
Framework API call android.hardware.SensorManager.registerListener N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

edu.com.gaiwen.firstchoice

edu.com.gaiwen.firstchoice:mult

/system/bin/cat /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_min_freq

Network

Country Destination Domain Proto
GB 142.250.187.195:443 N/A tcp
N/A 224.0.0.251:5353 N/A udp
US 1.1.1.1:53 log.umsns.com udp
CN 59.82.29.162:80 log.umsns.com tcp
CN 59.82.29.162:80 log.umsns.com tcp
US 1.1.1.1:53 plbslog.umeng.com udp
CN 36.156.202.75:443 plbslog.umeng.com tcp
US 1.1.1.1:53 ulogs.umeng.com udp
CN 223.109.148.179:443 ulogs.umeng.com tcp
US 1.1.1.1:53 s.jpush.cn udp
CN 123.60.31.166:19000 s.jpush.cn udp
US 1.1.1.1:53 android.bugly.qq.com udp
CN 14.22.7.140:80 android.bugly.qq.com tcp
US 1.1.1.1:53 update.sdk.jiguang.cn udp
US 1.1.1.1:53 sis.jpush.io udp
GB 142.250.180.14:443 N/A tcp
GB 142.250.180.14:443 N/A tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.212.238:443 android.apis.google.com tcp
US 1.1.1.1:53 easytomessage.com udp
CN 123.60.89.60:19000 easytomessage.com udp
US 1.1.1.1:53 im64.jpush.cn udp
CN 123.60.31.166:19000 easytomessage.com udp
US 1.1.1.1:53 im64.jpush.cn udp
CN 59.82.29.163:80 log.umsns.com tcp
CN 1.92.77.21:19000 easytomessage.com udp
CN 59.82.29.163:80 log.umsns.com tcp
CN 36.156.202.75:443 plbslog.umeng.com tcp
CN 223.109.148.130:443 ulogs.umeng.com tcp
CN 119.147.179.152:80 android.bugly.qq.com tcp
CN 123.60.89.60:19000 easytomessage.com udp
CN 119.3.188.193:7003 im64.jpush.cn tcp
CN 119.3.188.193:7006 im64.jpush.cn tcp
CN 119.3.188.193:7002 im64.jpush.cn tcp
CN 119.3.188.193:7005 im64.jpush.cn tcp
CN 119.3.188.193:7008 im64.jpush.cn tcp
CN 119.3.188.193:7004 im64.jpush.cn tcp
CN 59.82.29.248:80 log.umsns.com tcp
CN 59.82.29.248:80 log.umsns.com tcp
CN 119.3.188.193:7000 im64.jpush.cn tcp
CN 223.109.148.177:443 ulogs.umeng.com tcp
CN 14.22.7.199:80 android.bugly.qq.com tcp
CN 119.3.188.193:7007 im64.jpush.cn tcp
CN 119.3.188.193:7009 im64.jpush.cn tcp
US 1.1.1.1:53 s.jpush.cn udp
CN 110.41.162.127:19000 s.jpush.cn udp
CN 1.92.77.21:19000 easytomessage.com udp
CN 123.60.89.60:19000 s.jpush.cn udp
CN 59.82.29.249:80 log.umsns.com tcp
CN 59.82.29.249:80 log.umsns.com tcp
CN 223.109.148.176:443 ulogs.umeng.com tcp
CN 119.3.188.193:7007 im64.jpush.cn tcp
CN 119.3.188.193:7009 im64.jpush.cn tcp
CN 119.3.188.193:7002 im64.jpush.cn tcp
CN 119.3.188.193:7004 im64.jpush.cn tcp
CN 119.3.188.193:7005 im64.jpush.cn tcp
CN 119.3.188.193:7000 im64.jpush.cn tcp
CN 119.3.188.193:7008 im64.jpush.cn tcp
CN 119.3.188.193:7006 im64.jpush.cn tcp
CN 59.82.31.154:80 log.umsns.com tcp
CN 119.3.188.193:7003 im64.jpush.cn tcp
CN 59.82.31.154:80 log.umsns.com tcp
CN 223.109.148.178:443 ulogs.umeng.com tcp
US 1.1.1.1:53 android.bugly.qq.com udp
US 1.1.1.1:53 android.bugly.qq.com udp
CN 110.41.162.127:19000 s.jpush.cn udp
CN 119.147.179.152:80 android.bugly.qq.com tcp
CN 1.92.77.21:19000 easytomessage.com udp
CN 123.60.89.60:19000 s.jpush.cn udp
CN 59.82.31.160:80 log.umsns.com tcp
CN 59.82.31.160:80 log.umsns.com tcp
CN 223.109.148.141:443 ulogs.umeng.com tcp
CN 119.3.188.193:7008 im64.jpush.cn tcp
CN 119.3.188.193:7006 im64.jpush.cn tcp
CN 119.3.188.193:7009 im64.jpush.cn tcp
CN 119.3.188.193:7004 im64.jpush.cn tcp
CN 119.3.188.193:7003 im64.jpush.cn tcp
CN 119.3.188.193:7002 im64.jpush.cn tcp
CN 14.22.7.199:80 android.bugly.qq.com tcp
CN 119.3.188.193:7005 im64.jpush.cn tcp
CN 119.3.188.193:7000 im64.jpush.cn tcp

Files

/data/data/edu.com.gaiwen.firstchoice/app_crashrecord/1004

MD5 d21ec1a6182985c06b508576f645b1f2
SHA1 e054566e56e32cb2c97bf9514d407f1fa1e30729
SHA256 c15ff4344adf9eb984b78fd388d6ca655b76ab5ae656a5a8e6b9e180a8186633
SHA512 21b70576613d99eda0201d70ab1e49cc114a61cd8320f2e1e7360345b9c40e277572e4d4d4ef621d5ec1a5db2f534c414fe38bff8c1e1f2a7974f8b48cd2d483

/data/data/edu.com.gaiwen.firstchoice/databases/bugly_db_-journal

MD5 444c76902147c45ce364bf2ff641dc7b
SHA1 26d9df1e54950a6b70d12ddbc47af82973fa0f5b
SHA256 15607f938e41f97c76e349685010b4a071baed305a02a2574dd2a4f505f054f9
SHA512 0bf6c3204ad5b200c299ab0b6d603490c459bba187208a03421d87f5d5956cc059ba115ef54356e75f25b9344e314a4b24261769e5ee478ade2fa154b8b3610a

/data/data/edu.com.gaiwen.firstchoice/databases/bugly_db_

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/edu.com.gaiwen.firstchoice/databases/bugly_db_-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/edu.com.gaiwen.firstchoice/databases/bugly_db_-wal

MD5 b68b3f7d22f2ea76ec21a4d6f050435f
SHA1 d5d155b9097abfd31bd6e05ea34a7c5457dc5629
SHA256 7d0e50cbe64397eec9c3e1ea8b766517b081a543f7af0c623b7c11ef8e576b68
SHA512 07a976c1253679d331b7f8baf6f4e88eab3fd59c45dbe98bf6ead99e429afb845703eb8c0354cf676d436f72e3c1673b6f40f82d40ef3c5d5c2d8922a726d536

/data/data/edu.com.gaiwen.firstchoice/app_crashrecord/1004

MD5 0d210bfb2a0e1f1b4c082a6a0f79de07
SHA1 bb8ed9e364db79d1d9f2fcde3f15091893222faa
SHA256 988722c23d78a46021d0e7ca9deee7aa8bb83288269174ffacb7316f381cca1d
SHA512 536e9867b0df29b15b789f8949be6ab37fcdeccb9d39ded981da7dc2052c9533d0ec0e6f9a5444132977605d372e1463d91bdde41b528ff2ca3f65ab152325c1

/data/data/edu.com.gaiwen.firstchoice/app_crashrecord/1002

MD5 de5c4f775b1afbd032afcfb052b66055
SHA1 14f36fe3d2bb891aa7af5acce20b8e3e65e079a7
SHA256 ddb9dd13d928638e9ffda21335471201d637e2a327fbc43f2745c5db3442b2b4
SHA512 ae7766818af60b41aa2c6126413c6baa936844f55c98b43e87325212867f211f5f2e3c64a74d70e6582b13c286b02358382ef8fd4b6cc968dd241229d5a39ed7

/storage/emulated/0/.UTSystemConfig/Global/Alvin2.xml

MD5 9781ca003f10f8d0c9c1945b63fdca7f
SHA1 4156cf5dc8d71dbab734d25e5e1598b37a5456f4
SHA256 3325d2a819fdd8062c2cdc48a09b995c9b012915bcdf88b1cf9742a7f057c793
SHA512 25a9877e274e0e9df29811825bd4f680fa0bf0ae6219527e4f1dcd17d0995d28b2926192d961a06ee5bef2eed73b3f38ec4ffdd0a1cda7ff2a10dc5711ffdf03

/storage/emulated/0/.UTSystemConfig/Global/Alvin2.xml

MD5 cd3416d50a26eb526d6ea7853ca1ab82
SHA1 7f9fc603c3b9842bfdc33e108baef9a756c12388
SHA256 1f9fd588b2c195bf99b49574f2c8e1a277b9f522f6e99968b4bf47e17c2412ad
SHA512 fea43a7ee46cc9e6d88ca5827bf07057fb60609e98bbaf8a31acc72e653d0114c771ba4ea0da10247f9ffadbf3831c12dab66b4459b9f722ce0cd18bd1a507a0

/storage/emulated/0/.DataStorage/ContextData.xml

MD5 f5f2740f5a20d45cc46d9abbd1d3f867
SHA1 02eb0161b0557c1b5eea7458f3ade1adf4467733
SHA256 b70fb4cb3953b0cddd01d81eb6030189f2c6ea534ad8706f2d090b79f3269efd
SHA512 2dc02951290281ce44696b4845fee404b2e62387162c5b9f68d36e9976236b30bf1551dfa91f446cc8493bcd12a21d444db7548c68d4f68acb744c05dee78cf7

/data/data/edu.com.gaiwen.firstchoice/app_crashrecord/1004

MD5 352edda888b3fd1ff5fe530ca9d508b6
SHA1 92b197dbbb93ee5a8301c8286ab292e0cce62ed0
SHA256 bc3c494b0a2059324e33acf992f2f33db44f875e30a253b20a9a6828889f2458
SHA512 5cda4a06a659a6898c8ddbf6067e4bc7c33c5490c92209f7e91e8670529f15f511df22e37fdf6bc0f6705fec3eb7b9a62d3286365f6b66dd115edab34726a7ad

/storage/emulated/0/.UTSystemConfig/Global/Alvin2.xml

MD5 6c6b732e7a9c0f8d681b3719b6820f1c
SHA1 035a601c58ad2b81d5e28a1aaffa0018797c5048
SHA256 8a72994f068b2ece1b89b12fe203a8189aa864cf69e3e7c7cb07a6a528417f6b
SHA512 8ddd3135ad33955f358a19554f8fc8a66ce2f02dcb426fd1cd4c9ec51f20b1a01740f130ea9bad7a930f33b322b74c7cbf1018ef7e895477329eb6aefb63e108

/data/data/edu.com.gaiwen.firstchoice/databases/bugly_db_-wal

MD5 feb226723d3ce4477362a57a05bb85a3
SHA1 6123618a8adc4208afd3768ffbf0cb96927e725d
SHA256 8b4449715f2888822c83007db0836ebaa072d071799a7e40f30334c5ee998eed
SHA512 ed81f145b93eafef839ab7b99afa056aa2bf31bff32c41c38899856681f5d7b9d0e51d57d875bf44ee6863cec472a830b189381c5a35d2f67e8aab288f6757d0

/storage/emulated/0/data/.push_deviceid

MD5 86dabf46d7989e243b92a3a3f215389c
SHA1 fa61c31799e5f2d33fe17e6bcf8004976ac02b94
SHA256 7f01ba347441f9e35b60d303f7f3f47c8ed76cfcba7307972e913eabb91a3449
SHA512 154bcff2db5ec4ba77fcd5fa2df651706ab6cddb46af498db3f2aa7f8dcb315f0844e61c3165b3f7e3ff20eca6830c26ce808957253949e99e071f6f7f27a727

/storage/emulated/0/.DataStorage/ContextData.xml

MD5 045f337477751b0280d1abcb25a5c918
SHA1 5c82db2ec805ab33827a13d1225a739188651243
SHA256 9df032fd71ac65ff689a8604abb19bfbf8f000f3b59a77bf218dbeae7329c167
SHA512 1ca8e05849ff855dd800ddec84a0278a060c8bbf64e2aabd5ef873927b21312f8925ca8f098db3604e33e12abef9c16bc727462dcccf43f9f20558b0e8df2856

/data/data/edu.com.gaiwen.firstchoice/files/jpush_stat_history/normal/nowrap/e8c944ce-6908-4994-b0b5-09e46995585e

MD5 8c383fce5875b2d4208939c0474a06ab
SHA1 a100810a90177ec4189e81b1ec86c48b5562f75b
SHA256 f181a1756d64df8f66a14c2f515836079e60208941bcd507c82d5fc8639a7335
SHA512 46404e082b80d6d3817095f432a52e5eb520f7c0be50bae836a38d44e7228726e66d8d8f6ada95fdaef30828456768c2aad48b0ba6ac281a9154b74c0f992fa8

/data/data/edu.com.gaiwen.firstchoice/files/umeng_it.cache

MD5 e990759363d4717d9bb72dc67106a62a
SHA1 e64f59ffe35614f59e669b2538028713b09593ea
SHA256 bedb51b2129adca6cea11cebd5e184e1f1c78b01ac11024b3af2fb88e6f5c273
SHA512 6e43d3f7c4d67b4c643e0eb69f286958f963398a9a7b359a33bf9ed19f1e13935a59c4a7e9b60060f33e477ab25a8dc26cc01be3f2b9fb63c2a5d168346ad2b7

/data/data/edu.com.gaiwen.firstchoice/files/stateless/dW1weF9pbnRlcm5hbA==/dW1weF9pbnRlcm5hbF8xNzE1OTY1MjEwOTYx

MD5 6ef805ad86b90b8303e8d29bca339e6d
SHA1 c2d6c98e230e5e28e53015f436fe8d29dd559f13
SHA256 37db3606f4758039fc0855c1334459df1768141887418aec59538080d38bec27
SHA512 1b984359edc5e77c2c2e8bef5457421c50c13652ff2817fc748bab3de32f57f196be09e9c0f4b38e431e935b44170299be0800e5e7c9308655351a43f65402bb

/data/data/edu.com.gaiwen.firstchoice/files/.umeng/exchangeIdentity.json

MD5 64e8cf1e8e26bee21a1dbede1c930503
SHA1 e82751c63af705c2093075a86d56d0a2a73afeb6
SHA256 2061a8bc90d3088750631838fba6d33e0a07da883fde4376a7eea7b8a9ea6a44
SHA512 c57a8c5dc49e0f0acdc457256b99884643909c3b4059c6f80634964be3d3a59e5084b3f2ab1a15cdb0c73304ed49a57055e8acf5631b40eee2679d88dd21bc3a

/data/data/edu.com.gaiwen.firstchoice/files/exid.dat

MD5 39c0d6badd84caf21a91d0f58ec7158c
SHA1 af0233f6cd7ceece3a12cbf618fa11e35b7b4c1f
SHA256 ac7c3770a289c34a0fa9a788f62f860a3fcafa92492a1b7a795cf275cd32bab7
SHA512 4d193c58d0ec7dc7afef10cbe7be72795e86145617da31b7889300640ea711ed38d8c7afd5b35d1a920d0fe719f61dea6352357141a5dd5f8ccec3a169dcc986

/data/data/edu.com.gaiwen.firstchoice/files/.envelope/i==1.2.0&&1.0.3_1715965211825_envelope.log

MD5 3cfc0e23a904184fe380574011560108
SHA1 d1ff8b4519d246a8ae7f0d808588ff061239e555
SHA256 7c1e49ff30bc5f120037f994053c441367730e3f960b673b026e70591e5e8d85
SHA512 fd0acd738d36adfa0be25a0ee16dc1f7d20dff5dd991dd948f02d0f3aebaa743e77826bd98c3536d60612fb258caa1e18186a92e1c5b7a48266348e25022d16f

/data/data/edu.com.gaiwen.firstchoice/databases/ua.db-journal

MD5 38aa85db32c901d20752147ca88f3906
SHA1 e67638cb21e56d98f957a951600d400bb91835a3
SHA256 cedb8b4b4f45facf5adaef00b37783727bb914bfa54c9a1c04023cfa47509e2d
SHA512 7c7be79ad31d5b833a523a4c6618f922108c56299447cf62ccfaffb9bfe0ffe8b85a1b790a90891447b304448532db33fe71735c07236001dd6c87bbd11c0ee9

/data/data/edu.com.gaiwen.firstchoice/databases/ua.db

MD5 0adda9c85a5e4808f5b1b74c0a8591a5
SHA1 5048107883ab1e345af9cf2e6849ce46e0e612bf
SHA256 1e17860bba2bb4e3e92df3890aa6dddc973d6602c71519a15556d37bb69de2a1
SHA512 646061d3d5849772511bd94e36ca2d775a9a672851629d1812942ec0f0f925714eb7d4ebac44889911320cb6710a2f586014f6b1e126739cab653c4f8deef2d1

/data/data/edu.com.gaiwen.firstchoice/databases/ua.db-wal

MD5 ffb58e06802a793d913580ad163ff546
SHA1 ceb1def550ced986d422dfeed7388df3998ae70c
SHA256 2f3c93c5e082981dc8708d9f3a3020dd5d2dc311a71c3c69edbf47a452776b91
SHA512 c32f059d0ada065e1d3640009568abe5630398d30a333c1d05bf924c329494bad26ad4bd818581624a5d3b764da0d018339012af9080ce87075cdb012f70d205

/data/data/edu.com.gaiwen.firstchoice/databases/ua.db-wal

MD5 332306b1abf8d15cb30311acbfd9fa7e
SHA1 338963babffebf5a8af88d6fc179fb503b354162
SHA256 5279e8abdfc05ab4da15e45aa5280216fdfc8147cf082057a1353c2ba09e9d57
SHA512 d5ca3651e77f5fa3f6ce01a3ba296bf1cf77ad7f24e86b36342fc744f6303e61229ce0ba87c83a5c61003abab2aa95f3fc7c00dffb8a4887e617e4cbaf602d65

/data/data/edu.com.gaiwen.firstchoice/databases/ua.db

MD5 f21d81348d6ed054e3ab973694cb1e2d
SHA1 2757d52b19b609afa257427b13e231ea879aa7fb
SHA256 6f80c2c624c6a7ef87b1b428d4a1ddd02e1f7f3bfdc894829a71ea098b6f27f3
SHA512 1ac8132695f4fcf203fd11b5bf8264e09b2bb5b891897e72aafd43fe19d6a39c0de5a1475dd6519020679aebd25bb76ecb51835bf649205d69c1741b3f33fdf2

/data/data/edu.com.gaiwen.firstchoice/files/.envelope/a==7.5.3&&1.0.3_1715965213691_envelope.log

MD5 a369533bcac3f500c4c0bd5919abb7e5
SHA1 0e23583797548d37e02ba6850943201a47dbff9e
SHA256 686b0dddde4308fa032010ea6bb0f5ec3ec9cc99efffdb5e8befd576abedda84
SHA512 75eb01ce6a2568a74c791a3a6b127bb7299a9897126fc8651d45aaf204dff66caf83e64572016476aa2c0897b5cf64feed0e79a1ddc70c337bd282ee99236281

/data/data/edu.com.gaiwen.firstchoice/files/stateless/dW1weF9pbnRlcm5hbA==/dW1weF9pbnRlcm5hbF8xNzE1OTY1MjQxMjI2

MD5 b2121bd726930968cb171152053e1919
SHA1 ae7ab059333b937ff8fb4b82c8804e48adf842a7
SHA256 f502abdef5b7612969a870f0d59aac4745c8b6be736d640eaf0f393206625030
SHA512 1735139414c55d5a810faaf064f955ce38a065c5caaadde3436bf8ac617844186895589752b6dee419a5bfb844ad8065555eb3ae4561f15a1c92e7e1b21b09e6

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-17 16:59

Reported

2024-05-17 17:03

Platform

android-x64-20240514-en

Max time kernel

177s

Max time network

191s

Command Line

edu.com.gaiwen.firstchoice

Signatures

Checks if the Android device is rooted.

evasion
Description Indicator Process Target
N/A /sbin/su N/A N/A

Checks known Qemu files.

evasion
Description Indicator Process Target
N/A /system/lib/libc_malloc_debug_qemu.so N/A N/A
N/A /sys/qemu_trace N/A N/A
N/A /system/bin/qemu-props N/A N/A

Checks known Qemu pipes.

evasion
Description Indicator Process Target
N/A /dev/socket/qemud N/A N/A
N/A /dev/qemu_pipe N/A N/A

Checks memory information

evasion discovery
Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Checks if the internet connection is available

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Reads information about phone network operator.

discovery

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

edu.com.gaiwen.firstchoice

edu.com.gaiwen.firstchoice:mult

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 N/A udp
GB 142.250.187.202:443 N/A tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 172.217.16.238:443 android.apis.google.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
US 1.1.1.1:53 log.umsns.com udp
US 1.1.1.1:53 android.bugly.qq.com udp
US 1.1.1.1:53 plbslog.umeng.com udp
CN 36.156.202.68:443 plbslog.umeng.com tcp
US 1.1.1.1:53 ulogs.umeng.com udp
GB 216.58.204.72:443 ssl.google-analytics.com tcp
CN 223.109.148.177:443 ulogs.umeng.com tcp
US 1.1.1.1:53 s.jpush.cn udp
CN 116.205.165.66:19000 s.jpush.cn udp
CN 119.147.179.152:80 android.bugly.qq.com tcp
US 1.1.1.1:53 update.sdk.jiguang.cn udp
US 1.1.1.1:53 log.umsns.com udp
CN 59.82.29.162:80 log.umsns.com tcp
CN 59.82.29.162:80 log.umsns.com tcp
US 1.1.1.1:53 sis.jpush.io udp
US 1.1.1.1:53 easytomessage.com udp
CN 123.60.89.60:19000 easytomessage.com udp
US 1.1.1.1:53 im64.jpush.cn udp
CN 124.71.183.120:7008 im64.jpush.cn tcp
CN 124.71.183.120:7004 im64.jpush.cn tcp
CN 124.71.183.120:7002 im64.jpush.cn tcp
CN 124.71.183.120:7000 im64.jpush.cn tcp
CN 124.71.183.120:7003 im64.jpush.cn tcp
CN 36.156.202.68:443 plbslog.umeng.com tcp
CN 223.109.148.130:443 ulogs.umeng.com tcp
GB 142.250.200.36:443 N/A tcp
GB 142.250.200.36:443 N/A tcp
CN 119.147.179.152:80 android.bugly.qq.com tcp
CN 124.71.183.120:7006 im64.jpush.cn tcp
CN 124.71.183.120:7005 im64.jpush.cn tcp
CN 14.22.7.140:80 android.bugly.qq.com tcp
CN 59.82.29.163:80 log.umsns.com tcp
CN 59.82.29.163:80 log.umsns.com tcp
CN 124.71.183.120:7007 im64.jpush.cn tcp
CN 124.71.183.120:7009 im64.jpush.cn tcp
GB 172.217.16.238:443 android.apis.google.com tcp
GB 172.217.16.238:443 android.apis.google.com tcp
US 1.1.1.1:53 s.jpush.cn udp
CN 1.94.137.180:19000 s.jpush.cn udp
CN 121.36.193.140:19000 s.jpush.cn udp
CN 123.60.89.60:19000 s.jpush.cn udp
CN 223.109.148.178:443 ulogs.umeng.com tcp
CN 14.22.7.140:80 android.bugly.qq.com tcp
CN 14.22.7.199:80 android.bugly.qq.com tcp
CN 124.71.183.120:7006 im64.jpush.cn tcp
CN 59.82.29.248:80 log.umsns.com tcp
CN 59.82.29.248:80 log.umsns.com tcp
CN 124.71.183.120:7004 im64.jpush.cn tcp
CN 124.71.183.120:7008 im64.jpush.cn tcp
CN 124.71.183.120:7005 im64.jpush.cn tcp
CN 124.71.183.120:7003 im64.jpush.cn tcp
CN 124.71.183.120:7007 im64.jpush.cn tcp
CN 124.71.183.120:7002 im64.jpush.cn tcp
CN 124.71.183.120:7000 im64.jpush.cn tcp
CN 124.71.183.120:7009 im64.jpush.cn tcp
CN 223.109.148.179:443 ulogs.umeng.com tcp
CN 14.22.7.199:80 android.bugly.qq.com tcp
CN 59.82.29.249:80 log.umsns.com tcp
CN 59.82.29.249:80 log.umsns.com tcp
CN 1.94.137.180:19000 s.jpush.cn udp
CN 121.36.193.140:19000 s.jpush.cn udp
CN 123.60.89.60:19000 s.jpush.cn udp
CN 124.71.183.120:7007 im64.jpush.cn tcp
CN 124.71.183.120:7002 im64.jpush.cn tcp
CN 223.109.148.176:443 ulogs.umeng.com tcp
CN 124.71.183.120:7003 im64.jpush.cn tcp
US 1.1.1.1:53 android.bugly.qq.com udp
CN 14.22.7.199:80 android.bugly.qq.com tcp
CN 124.71.183.120:7005 im64.jpush.cn tcp
CN 59.82.31.154:80 log.umsns.com tcp
CN 59.82.31.154:80 log.umsns.com tcp
CN 124.71.183.120:7009 im64.jpush.cn tcp
CN 124.71.183.120:7000 im64.jpush.cn tcp
CN 124.71.183.120:7004 im64.jpush.cn tcp
CN 124.71.183.120:7006 im64.jpush.cn tcp
CN 124.71.183.120:7008 im64.jpush.cn tcp
CN 223.109.148.141:443 ulogs.umeng.com tcp
CN 14.22.7.199:80 android.bugly.qq.com tcp
CN 119.147.179.152:80 android.bugly.qq.com tcp
CN 1.94.137.180:19000 s.jpush.cn udp
CN 59.82.31.160:80 log.umsns.com tcp
CN 59.82.31.160:80 log.umsns.com tcp
US 1.1.1.1:53 sis.jpush.io udp
CN 110.41.53.90:19000 sis.jpush.io udp
CN 123.60.89.60:19000 sis.jpush.io udp

Files

/data/data/edu.com.gaiwen.firstchoice/app_crashrecord/1004

MD5 5278bb3b13c8a29662d828e99f13f7d9
SHA1 0be9fb4022f40eb10a9ebf962fee9b7c918062e1
SHA256 b5c09770433d1555842cb0566afd25d77b475aa141198142f3ae3f01ef78b696
SHA512 08436578578dd9b5068451d9edb71cf6506e50fafebf3ca3fb4b4d479bf5cb5808d043295ace22a6a9e8ae6c53a88020acbc9683536ee78af9b81a483af7fbd7

/data/data/edu.com.gaiwen.firstchoice/databases/bugly_db_-journal

MD5 8db03981a5b490f4a9c9cd3dcbe26b40
SHA1 59fc1cdca943e83841b5ba9c87972f59a2c5c78b
SHA256 2140fc8e15266baa5dc1868cd41b1fc62d7c6244b41622621fc9ead57bdbbeed
SHA512 e634c5d604824ada98a41b98ea03971b8865f4980e726729b94a20cae431c12b5329881cf0d7ddc286833a19f5f28e749da16ce5141b8ec269a72902da4875a9

/data/data/edu.com.gaiwen.firstchoice/app_crashrecord/1004

MD5 0d210bfb2a0e1f1b4c082a6a0f79de07
SHA1 bb8ed9e364db79d1d9f2fcde3f15091893222faa
SHA256 988722c23d78a46021d0e7ca9deee7aa8bb83288269174ffacb7316f381cca1d
SHA512 536e9867b0df29b15b789f8949be6ab37fcdeccb9d39ded981da7dc2052c9533d0ec0e6f9a5444132977605d372e1463d91bdde41b528ff2ca3f65ab152325c1

/data/data/edu.com.gaiwen.firstchoice/databases/bugly_db_

MD5 b12752a898772dc098ebdcfaac0c2a99
SHA1 ba2257291dd88ba5a9085e9171830d5393495eea
SHA256 2d2ba91156e4cdd6539fca592500417a3ca0fa8910b054a6f6da68259e04eeb8
SHA512 306b0f58260636f57ccf3f7179208b39cf5cbd33d4442cb56a16e924aaf79f346b3c8790e5d43200d9747ab207000f65b35e7de6f8fce0f824cb87804de3acc5

/data/data/edu.com.gaiwen.firstchoice/app_crashrecord/1002

MD5 4a80d418272573b119ba68010685b4df
SHA1 03f67236a7e7fd5600b402aa235c6de7a8a38e9a
SHA256 d9c2d35c803218fbd0a5fd2a5a4e754ae6365688f8d3ed294363d442e6dd9472
SHA512 90a554a3f138961507b4a9e5b5ac2027b9468420cb147d0b0ca1b792b5d2f66c98c33767d62798fc69a0fb9291be3d4545738f08cd21439d81304e820ba2a82b

/data/data/edu.com.gaiwen.firstchoice/databases/bugly_db_-journal

MD5 b0ad97d4a68eaa35e89cef8eddcd2c6c
SHA1 27bc0cd3167d9be26ffe9845877d470282e86fab
SHA256 3440e12c18a8946d784c4d398c648b3827ea7b8c5234dff4f203b1fc6b7e2944
SHA512 d6beef1812aad57517d530a29541e019ec36a5268c0e8b92131b49e8df95caf8dcb045258c2872171eabc99f89074e01fac931db52493feefd5d02ca183ee338

/data/data/edu.com.gaiwen.firstchoice/databases/bugly_db_-journal

MD5 942faac141460ff6db531ffce12b94f9
SHA1 e0bdf46a0b15c8d60e09e28a82145ac9cd93cc32
SHA256 e7443b6e814231e291c4080cf90d36817789a9cd3b4604e9b5d2ce5babbb0ea7
SHA512 0c0b81348c41d822b7f5b78ae8d9c3d838fe8a126e4221e36531da701d8a20b87e34324cf9f57101799dd2d005f2c45235c880a3e4c550d2bafad1b7ace01006

/data/data/edu.com.gaiwen.firstchoice/databases/bugly_db_-journal

MD5 b10dd56dfddc2b6ea1c9c9bf259b8067
SHA1 33cd65af10859b781109c5b32491d6a85e02b465
SHA256 883599b00ff00db94f885b15aec12d47293cdaa4b1ca94400cc7f4f5c3788b21
SHA512 7c6973a6feeb77c79ae266895f94e35fe2550a8e545221abb456e304b246a885d2917bd255049d679bd756a9b676e670f4d3dd9a22e6ea821f9cdac4579924ae

/data/data/edu.com.gaiwen.firstchoice/databases/bugly_db_-journal

MD5 6ec685440c207359cdcff7cbaf42d4c1
SHA1 41333d3973069c6f2de529793b86c325ec120f39
SHA256 1947bca65a0f176ea87be66747cd63254ac0309f828204e967e4b59c11d38ea6
SHA512 6353f851f5da2f4a90781969164e9a35973a16daf91aff738d4d9102f99d29e198e7fadea3a4940f86239aafcd13a0c8be4ca45c199982b0264d16de55a8571b

/storage/emulated/0/data/.push_deviceid

MD5 2d3ca64d64b829d081d56a47cbf5a68f
SHA1 5c6b0b0756dc8b9b43177bc125277721df366eab
SHA256 8162aa54f9ff43f35638be4dfe59cf4e788049f4e03d4f0999adf3e0429a5fcb
SHA512 d578b4d1142be82ca6ae055824232c07185395b4b6702b0c2f470cf68d036f470db208c4370ce1f668a38f0caa1bb93fd396b77401b0f77e3c1e8d71c7d2c04f

/storage/emulated/0/data/.push_deviceid

MD5 9a9dd03a1a1755515b84749ff3d356ff
SHA1 0f3a7a681729a4f06abbae37285afac4dc5da57b
SHA256 2d5519facec1d0d013e6319b97150919137e01d53f6983e84479344bf5b2b91f
SHA512 a583d2d89f51886d2d40f39fd533850cd72818d1ad776fea3de4f4fc59e6f0d02b1bea61a101d3e9e9a48495ce884550b3a5f5841ccd10d0797e29ad046abe7b

/data/data/edu.com.gaiwen.firstchoice/files/jpush_stat_history_mult/normal/nowrap/81be14d1-d332-49f8-8e4a-694c87e3d45d

MD5 baa3563ce43d8e17c63787ee0e0bfa29
SHA1 b2ea4fb8b755a8127830e75d43eafcacf2b09488
SHA256 1602157b474304c098421c0c7275bbe4a003d1e1ce33a6fcc4ef29fce74d3951
SHA512 633c486074b7092427f50a8171048b905f2f075af6d6556641af8ff351d72e4bf777b4465c93949f9a4cf90317ded59587088ba79da7156dd9e1b8da587863ac

/data/data/edu.com.gaiwen.firstchoice/databases/bugly_db_-journal

MD5 528244902c29f7e0fee2f5a202007b16
SHA1 543578ac04567b6b01bce4188982c5f06fa65b4a
SHA256 0d356c5f9bd65cbdd032eb1edd7f4daa85ca5e84ed6f9f6efe79501aaaa281d7
SHA512 bb3e4edec16f8bc437f86b55bbdfeb421ba31cde689ff70c6249837ef845e38cda44716fcae6e3f7a0b35a3d2c8703113e53add0a6e95f5fba66ba7b3fc60f95

/data/data/edu.com.gaiwen.firstchoice/databases/bugly_db_-journal

MD5 5aed7f16e1f10e3d928abf2f207dfe2c
SHA1 59069027c4b435aeb0d50da67e7341194fe0afb8
SHA256 ae2ed1883ad8ee30db707747eb1a13075678d2429096c4f201916cb29ac72baf
SHA512 4e88c675098ca2230a3a6b28445c029cdaa146c34000106203b9277a0c61ceacaecfcddac7bfbb7c51e01bd7a6daf4d18ed9a1237109abba10532c46560e0a7f