Malware Analysis Report

2025-08-10 23:54

Sample ID 240517-we3y2sbc4x
Target 50b9200d22134cca4aa8598834586d33_JaffaCakes118
SHA256 eb2ac2e0fce673d8a0016614eef445812b858af9b101a96eb6347653334ba1d0
Tags banker collection discovery evasion impact persistence
Score 8/10

Analysis Overview

Score 8/10

SHA256 eb2ac2e0fce673d8a0016614eef445812b858af9b101a96eb6347653334ba1d0

Threat Level: Likely malicious

The file 50b9200d22134cca4aa8598834586d33_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

banker collection discovery evasion impact persistence

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Requests cell location

Queries information about running processes on the device

Queries information about the current Wi-Fi connection

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks CPU information

Queries information about the current nearby Wi-Fi networks

Checks if the internet connection is available

Reads information about phone network operator

Requests dangerous framework permissions

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-17 17:51

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to see the number being dialed during an outgoing call with the option to redirect the call to a different number or abort the call altogether. android.permission.PROCESS_OUTGOING_CALLS N/A N/A
Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS N/A N/A
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows an application to record audio. android.permission.RECORD_AUDIO N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-17 17:50

Reported

2024-05-17 17:54

Platform

android-x86-arm-20240514-en

Max time kernel

177s

Max time network

188s

Command Line

com.hunantv.imgo.activity

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Requests cell location

collection discovery evasion
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getCellLocation N/A N/A

Checks CPU information

evasion discovery
Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A
File opened for read /proc/cpuinfo N/A N/A
File opened for read /proc/cpuinfo N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Queries information about the current nearby Wi-Fi networks

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getScanResults N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A
Framework service call android.app.IActivityManager.registerReceiver N/A N/A
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Checks if the internet connection is available

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Reads information about phone network operator

discovery

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A
Framework API call javax.crypto.Cipher.doFinal N/A N/A
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.hunantv.imgo.activity

com.hunantv.imgo.activity:QS

com.hunantv.imgo.activity:pushservice

ps -P (51 separate invocations recorded during the run)

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 142.250.200.3:443 tcp
US 1.1.1.1:53 open.action.api.max.mgtv.com udp
US 1.1.1.1:53 x.da.hunantv.com udp
CN 39.106.134.227:80 open.action.api.max.mgtv.com tcp
US 1.1.1.1:53 m.irs01.com udp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
US 1.1.1.1:53 alog.umeng.com udp
CN 223.109.148.179:80 alog.umeng.com tcp
US 1.1.1.1:53 guid.hunantv.com udp
CN 39.106.134.227:80 open.action.api.max.mgtv.com tcp
US 1.1.1.1:53 apiinit.amap.com udp
CN 120.132.47.142:80 guid.hunantv.com tcp
CN 39.106.134.227:80 open.action.api.max.mgtv.com tcp
GB 142.250.187.202:443 semanticlocation-pa.googleapis.com tcp
CN 182.92.244.230:80 x.da.hunantv.com tcp
CN 182.92.244.230:80 x.da.hunantv.com tcp
US 1.1.1.1:53 sdk.open.talk.gepush.com udp
US 1.1.1.1:53 sdk.open.talk.igexin.com udp
US 1.1.1.1:53 sdk.open.talk.getui.net udp
CN 183.134.98.112:5224 sdk.open.talk.getui.net tcp
CN 183.134.98.112:5224 sdk.open.talk.getui.net tcp
CN 39.106.134.227:80 open.action.api.max.mgtv.com tcp
CN 182.92.244.230:80 x.da.hunantv.com tcp
CN 183.134.98.102:5224 sdk.open.talk.getui.net tcp
US 1.1.1.1:53 abroad.apilocate.amap.com udp
CN 59.82.44.11:80 abroad.apilocate.amap.com tcp
GB 142.250.180.14:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.206:443 android.apis.google.com tcp
CN 183.134.98.112:5224 sdk.open.talk.getui.net tcp
CN 183.134.98.112:5224 sdk.open.talk.getui.net tcp
CN 183.134.98.102:5224 sdk.open.talk.getui.net tcp
CN 183.134.98.112:5224 sdk.open.talk.getui.net tcp
CN 183.134.98.112:5224 sdk.open.talk.getui.net tcp
CN 183.134.98.102:5224 sdk.open.talk.getui.net tcp
GB 142.250.187.206:443 android.apis.google.com tcp
CN 106.11.43.113:80 apiinit.amap.com tcp
CN 183.134.98.112:5224 sdk.open.talk.getui.net tcp
CN 183.134.98.112:5224 sdk.open.talk.getui.net tcp
CN 183.134.98.102:5224 sdk.open.talk.getui.net tcp
CN 183.134.98.112:5224 sdk.open.talk.getui.net tcp
CN 183.134.98.112:5224 sdk.open.talk.getui.net tcp
CN 183.134.98.102:5224 sdk.open.talk.getui.net tcp
CN 183.134.98.112:5224 sdk.open.talk.getui.net tcp
CN 183.134.98.102:5224 sdk.open.talk.getui.net tcp
CN 183.134.98.112:5224 sdk.open.talk.getui.net tcp
CN 183.134.98.102:5224 sdk.open.talk.getui.net tcp
CN 183.134.98.112:5224 sdk.open.talk.getui.net tcp
US 1.1.1.1:53 sdk.open.talk.igexin.com udp
CN 183.134.98.102:5224 sdk.open.talk.igexin.com tcp
CN 183.134.98.102:5224 sdk.open.talk.igexin.com tcp
CN 183.134.98.112:5224 sdk.open.talk.igexin.com tcp
CN 183.134.98.102:5224 sdk.open.talk.igexin.com tcp
CN 183.134.98.102:5224 sdk.open.talk.igexin.com tcp
CN 183.134.98.112:5224 sdk.open.talk.igexin.com tcp
US 1.1.1.1:53 sdk.open.talk.igexin.com udp
CN 183.134.98.76:5224 sdk.open.talk.igexin.com tcp
CN 183.134.98.102:5224 sdk.open.talk.igexin.com tcp

Files

/data/data/com.hunantv.imgo.activity/databases/ImgoPad-journal

MD5 bac68c07c2f1b9a736f97edfea29afd7
SHA1 061cff830bbfc46da1ffae2c59aa5195778f9a9c
SHA256 cf106ad7aad65f1781269689e4585ef23519bd6d85211261043b5b2bc0724d9a
SHA512 9aa0b1a635caeb914b91de1b11607fd5184e0672bc86ae6d4cfa4786bee75598b3103ac83f99c45d83bb7103066ac4b21bc9654706384a94e04f21dcba16469f

/data/data/com.hunantv.imgo.activity/databases/ImgoPad

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.hunantv.imgo.activity/databases/ImgoPad-shm

MD5 c2f71a5121f425a023d973c80bc3fa13
SHA1 3c763d857ffd88c472eea20609746f8577ada2c7
SHA256 a429a4e7d09ceed3475c9a3360746e017e7efbbc60a2823446c45d0b8b17e6cc
SHA512 1072ab26d709f665e83593ab45edd48d07ec3d185f0959b8e57e0392b8b3ca98da74c5a6c7798b8a8beac1b854bb79f0598d2702e35d037c9b8059dd6917dfa4

/data/data/com.hunantv.imgo.activity/databases/ImgoPad-wal

MD5 af714fe325998dc30373a625e808b5e0
SHA1 b6040d84321b8d42ee31e6bf30af978975b190be
SHA256 668e56c3946aa1e1352986a3e6db8f922f911a160bfc19f315cebb6b8718e391
SHA512 36e4afd2c900925dcaf67e8590c7cd08121b07c5e0a089de5825c890c4785485edb26fe017ebc0c2984564576db429c937741955f2c6eea661257f7970d1ebe4

/data/data/com.hunantv.imgo.activity/files/MV3Plugin.ini

MD5 4d926b3398de395a2b5e416685dcfedb
SHA1 1821f776d641e359458c5775fdbab8eb79f8b21d
SHA256 43001c84d179f1bf1b155755a36e16d16d718a1d81458cbd558f379e4a79fa3c
SHA512 1fe1404efdbe12a804d4c6308614e79e2f240cfc8ca5d54c771b0f8da98a5870831b2a157145440624b4750fe45eec1b7e1e614c69fc04018d3a21a79e0ec25c

/data/data/com.hunantv.imgo.activity/files/MV3Plugin_Default.ini

MD5 f605e60db7c88fe286079631f12c2871
SHA1 8660db255fd21b403ada2b32d805a6dd0568d870
SHA256 40c0b2e6cf2f2c276bd40a81ceff29e82d08e35d55c74df6014079fe9e6a1ab6
SHA512 7b9598e8382a3afc6ee9e3ed6d2084d7b486c5a9ab2b4ba958b0dd4d0703b9cc876dce5ef8fa8416a4b579238aba923172dbe400b0fd052b63583a80d946adb7

/storage/emulated/0/Android/data/com.hunantv.imgo.activity/files/UnicomTrafficFree.log

MD5 8506d170f831e2314e9b4550f46d1583
SHA1 598e7198996b9b60f17a40969d3d727116af1f21
SHA256 9563fd857d0c16d198dc55fd661a661b4f3bf374b758eecb424d877a4e2fdf18
SHA512 e179d26d1757fc66528dfa831ab2f271ea0db9f44c3012cb8a1ce00a5e159e3254bcbda3c22b8f7deec453066f3d7e86683f729675964972c12993fd31685389

/storage/emulated/0/sitemp/uuid

MD5 d272fc0e73cd2a8cc0928b78ab51ee1c
SHA1 0a55e3e400ec65aa4858a2aae8f0644f34c36437
SHA256 4200dd5c2fad6e008b677d3b19c8442eece7e11c48b01a71834ed1797ef6b81c
SHA512 28737b3d037bb572f09378bcf2a9a7889c2915e93be1af25298478e54d71cf8283b668648440efdd990c89c84d52234a52310200d3fb39eae28d6b6cd308cbcf

/storage/emulated/0/DCIM/uuid

MD5 e2307cc29a7f5db66132663cf93d122c
SHA1 32ef870dd7f5b676bd4a2277a8d3366b4bc46147
SHA256 f183513662436707b24d1a6771e05900138d0adfc4fac7395229d8938f593aa0
SHA512 b0c2b0535713b40f3f557d0d7f866f052e4c5eac7fbb6b217208cc0fdd56a78aee3c3522198c0486ae8debc7a3f7d649f11b3acabc25022aa6f0e6d15418e52d