Malware Analysis Report

2025-08-10 23:55

Sample ID 240517-wlx2dabf86
Target 50c30b77bf9f4440aabb2490274d222e_JaffaCakes118
SHA256 dcfffc33d33b1907ac53dd8a92f0995bf5408cba966399564000879d095ee2e6
Tags
collection discovery evasion impact persistence
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

dcfffc33d33b1907ac53dd8a92f0995bf5408cba966399564000879d095ee2e6

Threat Level: Likely malicious

The file 50c30b77bf9f4440aabb2490274d222e_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

collection discovery evasion impact persistence

Checks if the Android device is rooted.

Requests cell location

Checks Qemu related system properties.

Queries information about the current Wi-Fi connection

Queries information about the current nearby Wi-Fi networks

Loads dropped Dex/Jar

Checks Android system properties for emulator presence.

Checks CPU information

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks memory information

Queries information about running processes on the device

Checks if the internet connection is available

Requests dangerous framework permissions

Reads information about phone network operator.

Listens for changes in the sensor environment (might be used to detect emulation)

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-17 18:01

Signatures

Requests dangerous framework permissions

| Description | Indicator | Process | Target |
|---|---|---|---|
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A |
| Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A |
| Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A |
| Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A |
| Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A |
| Allows an application to read the user's calendar data. | android.permission.READ_CALENDAR | N/A | N/A |
| Allows an application to write the user's calendar data. | android.permission.WRITE_CALENDAR | N/A | N/A |
| Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A |
| Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A |
| Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A |
| Allows an application to request installing packages. | android.permission.REQUEST_INSTALL_PACKAGES | N/A | N/A |
| Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A |

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-17 18:01

Reported

2024-05-17 18:04

Platform

android-x86-arm-20240514-en

Max time kernel

177s

Max time network

183s

Command Line

com.cai.wuye

Signatures

Checks if the Android device is rooted.

evasion
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | /data/local/su | N/A | N/A |
| N/A | /data/local/bin/su | N/A | N/A |
| N/A | /data/local/xbin/su | N/A | N/A |
| N/A | /sbin/su | N/A | N/A |

Requests cell location

collection discovery evasion
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | com.android.internal.telephony.ITelephony.getCellLocation | N/A | N/A |
| Framework service call | com.android.internal.telephony.ITelephony.getAllCellInfo | N/A | N/A |
| Framework service call | com.android.internal.telephony.ITelephony.getAllCellInfo | N/A | N/A |

Checks Android system properties for emulator presence.

evasion
| Description | Indicator | Process | Target |
|---|---|---|---|
| Accessed system property key | ro.product.model | N/A | N/A |
| Accessed system property key | ro.product.name | N/A | N/A |
| Accessed system property key | ro.serialno | N/A | N/A |
| Accessed system property key | ro.bootloader | N/A | N/A |
| Accessed system property key | ro.bootmode | N/A | N/A |
| Accessed system property key | ro.hardware | N/A | N/A |
| Accessed system property key | ro.product.device | N/A | N/A |

Checks CPU information

evasion discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for read | /proc/cpuinfo | N/A | N/A |

Checks Qemu related system properties.

evasion
| Description | Indicator | Process | Target |
|---|---|---|---|
| Accessed system property key | init.svc.qemu-props | N/A | N/A |
| Accessed system property key | qemu.hw.mainkeys | N/A | N/A |
| Accessed system property key | qemu.sf.fake_camera | N/A | N/A |
| Accessed system property key | ro.kernel.android.qemud | N/A | N/A |
| Accessed system property key | ro.kernel.qemu.gles | N/A | N/A |
| Accessed system property key | ro.kernel.qemu | N/A | N/A |
| Accessed system property key | init.svc.qemud | N/A | N/A |

Checks memory information

evasion discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for read | /proc/meminfo | N/A | N/A |

Loads dropped Dex/Jar

evasion
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | /data/data/com.cai.wuye/.jiagu/classes.dex | N/A | N/A |
| N/A | /data/data/com.cai.wuye/.jiagu/tmp.dex | N/A | N/A |
| N/A | /data/data/com.cai.wuye/.jiagu/tmp.dex | N/A | N/A |
| N/A | /data/data/com.cai.wuye/.jiagu/tmp.dex | N/A | N/A |
| N/A | /data/data/com.cai.wuye/.jiagu/classes.dex | N/A | N/A |
| N/A | /data/data/com.cai.wuye/.jiagu/tmp.dex | N/A | N/A |
| N/A | /data/data/com.cai.wuye/.jiagu/tmp.dex | N/A | N/A |
| N/A | /data/data/com.cai.wuye/.jiagu/classes.dex | N/A | N/A |
| N/A | /data/data/com.cai.wuye/.jiagu/tmp.dex | N/A | N/A |
| N/A | /data/data/com.cai.wuye/.jiagu/tmp.dex | N/A | N/A |

Queries information about running processes on the device

discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A |
| Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A |
| Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A |

Queries information about the current Wi-Fi connection

discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A |
| Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A |
| Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A |

Queries information about the current nearby Wi-Fi networks

discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.net.wifi.IWifiManager.getScanResults | N/A | N/A |
| Framework service call | android.net.wifi.IWifiManager.getScanResults | N/A | N/A |

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A |
| Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A |
| Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A |

Checks if the internet connection is available

discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |

Reads information about phone network operator.

discovery

Listens for changes in the sensor environment (might be used to detect emulation)

evasion
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework API call | android.hardware.SensorManager.registerListener | N/A | N/A |

Uses Crypto APIs (Might try to encrypt user data)

impact
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A |
| Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A |

Processes

com.cai.wuye

chmod 755 /data/data/com.cai.wuye/.jiagu/libjiagu.so

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/data/com.cai.wuye/.jiagu/tmp.dex --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/data/com.cai.wuye/.jiagu/oat/x86/tmp.odex --compiler-filter=quicken --class-loader-context=&

com.cai.wuye:pushcore

com.cai.wuye:remote

sh -c ps

ps

ps daemonsu

ps | grep su

Network

| Country | Destination | Domain | Proto |
|---|---|---|---|
| GB | 142.250.200.14:443 | | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp |
| GB | 216.58.204.67:443 | | tcp |
| US | 1.1.1.1:53 | logconf.iflytek.com | udp |
| CN | 103.8.33.178:80 | logconf.iflytek.com | tcp |
| US | 1.1.1.1:53 | log.iflytek.com | udp |
| CN | 103.8.33.178:80 | log.iflytek.com | tcp |
| US | 1.1.1.1:53 | s.jpush.cn | udp |
| CN | 1.94.137.180:19000 | s.jpush.cn | udp |
| US | 1.1.1.1:53 | loc.map.baidu.com | udp |
| HK | 103.235.47.89:443 | loc.map.baidu.com | tcp |
| GB | 142.250.180.14:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.200.46:443 | android.apis.google.com | tcp |
| US | 1.1.1.1:53 | api.map.baidu.com | udp |
| HK | 103.235.46.245:443 | api.map.baidu.com | tcp |
| GB | 216.58.212.202:443 | semanticlocation-pa.googleapis.com | tcp |
| US | 1.1.1.1:53 | sis.jpush.io | udp |
| US | 1.1.1.1:53 | ofloc.map.baidu.com | udp |
| CN | 111.63.96.122:443 | ofloc.map.baidu.com | tcp |
| HK | 103.235.47.89:443 | loc.map.baidu.com | tcp |
| HK | 103.235.47.89:443 | loc.map.baidu.com | tcp |
| US | 1.1.1.1:53 | daup.map.baidu.com | udp |
| CN | 111.63.96.116:443 | daup.map.baidu.com | tcp |
| US | 1.1.1.1:53 | easytomessage.com | udp |
| CN | 123.60.89.60:19000 | easytomessage.com | udp |
| US | 1.1.1.1:53 | s.appjiagu.com | udp |
| US | 104.192.110.60:80 | s.appjiagu.com | tcp |
| CN | 123.196.118.23:19000 | | udp |
| CN | 103.229.215.60:19000 | | udp |
| CN | 117.121.49.100:19000 | | udp |
| US | 1.1.1.1:53 | im64.jpush.cn | udp |
| CN | 139.9.119.173:7000 | im64.jpush.cn | tcp |
| CN | 139.9.119.173:7009 | im64.jpush.cn | tcp |
| CN | 139.9.119.173:7006 | im64.jpush.cn | tcp |
| US | 1.1.1.1:53 | b.appjiagu.com | udp |
| CN | 139.9.119.173:7005 | im64.jpush.cn | tcp |
| CN | 180.163.249.208:80 | b.appjiagu.com | tcp |
| CN | 139.9.119.173:7007 | im64.jpush.cn | tcp |
| CN | 106.63.25.33:80 | b.appjiagu.com | tcp |
| CN | 139.9.119.173:7003 | im64.jpush.cn | tcp |
| CN | 139.9.119.173:7002 | im64.jpush.cn | tcp |
| CN | 139.9.119.173:7008 | im64.jpush.cn | tcp |
| CN | 139.9.119.173:7004 | im64.jpush.cn | tcp |
| CN | 1.94.137.180:19000 | easytomessage.com | udp |
| CN | 110.41.53.90:19000 | easytomessage.com | udp |
| CN | 123.60.89.60:19000 | easytomessage.com | udp |
| CN | 123.196.118.23:19000 | | udp |
| CN | 103.229.215.60:19000 | | udp |
| CN | 117.121.49.100:19000 | | udp |
| CN | 139.9.119.173:7006 | im64.jpush.cn | tcp |
| CN | 139.9.119.173:7009 | im64.jpush.cn | tcp |
| CN | 139.9.119.173:7005 | im64.jpush.cn | tcp |
| CN | 139.9.119.173:7008 | im64.jpush.cn | tcp |
| CN | 139.9.119.173:7007 | im64.jpush.cn | tcp |
| CN | 139.9.119.173:7002 | im64.jpush.cn | tcp |
| CN | 139.9.119.173:7003 | im64.jpush.cn | tcp |
| CN | 139.9.119.173:7000 | im64.jpush.cn | tcp |
| CN | 139.9.119.173:7004 | im64.jpush.cn | tcp |
| CN | 1.94.137.180:19000 | easytomessage.com | udp |
| CN | 110.41.53.90:19000 | easytomessage.com | udp |
| CN | 123.60.89.60:19000 | easytomessage.com | udp |
| CN | 123.196.118.23:19000 | | udp |
| CN | 103.229.215.60:19000 | | udp |
| CN | 117.121.49.100:19000 | | udp |

Files

/data/data/com.cai.wuye/.jiagu/libjiagu.so

MD5 e5a53000766ebc433b27d6a66ec4f555
SHA1 2c8f53f1c03aec2005bcad67d731f07261dabde0
SHA256 78e4ea857f10c2df6c7b94f0584524b52ecc099ed29478fe3964037b8a86ed2e
SHA512 370a1cb93b14556ad861724f4e9995c9a4c6d37cf2d570f888d1c6000c66d27ac63496b0703361e9fc9bc7f309b7aa4407c5f339d186b0a5b72520d23d04b68d

/data/data/com.cai.wuye/.jiagu/classes.dex

MD5 25416cbe0fb512b427664c85fe0008af
SHA1 fc854944d91a76dbac82aea5b0bd59b4d8fcf7ab
SHA256 ee44f75d69e9af5f90d58abb1d617721ea6207dbc080bd72e505a9a516128fb0
SHA512 9bea4cd1890103f53f4e64933bf713420a17eb272f38661d7c2307797b8d129ee67cbfb55fec959b9f9a99546c9627e9784743888c14ac33d60f8e1794029196

/data/data/com.cai.wuye/.jiagu/classes.dex

MD5 4e2755568939809839480adc2913b0fd
SHA1 d09f45ae2e847a17fad5bbcb15a9e3bcf27a03a1
SHA256 a055f1cf1c813fb85c2f4f007684b0b1c93329afd23c7d130fb78ed767334817
SHA512 49303daa2f9c67a7e6fff68bd3a52448dbe47a65e09d0da1a8e390452de53958e83cef6be0ba9f1693a8996ffa4594064c465717ea313135731ca41e7a6b255d

/data/data/com.cai.wuye/.jiagu/tmp.dex

MD5 0d269dcd5a3f8e68677b73c541af864f
SHA1 a9ad4f2b665c06e69be27bd98ba1d48e1b32d6ed
SHA256 9251076e3b9c2ce2974594d940fd810ea22af5010007eb25e46d22dae2617f9b
SHA512 9a4ae3ded591cd0c65fe85fe0e69b6e81ba479f0af55633b8f5f73e49796cbf2a6e89e78e59a357c8b498355a4094722adfaa24aa2e8a1d243625e1132e8efeb

/data/data/com.cai.wuye/.jiagu/tmp.dex

MD5 f1771b68f5f9b168b79ff59ae2daabe4
SHA1 0df6a835559f5c99670214a12700e7d8c28e5a42
SHA256 9f8898ce35a47aeafced99ea0d17c33e73037bb2307c7688e50819966f4ae939
SHA512 dae27d19727b89bec49398503baa6801640540355688dfabbe689c97545295c2c2d9b0f0dcd7cbc4cfbf701d0c0c3289e647a152f49ff242d1ecc741efe4145d

/data/data/com.cai.wuye/files/.jglogs/.jg.ri

MD5 ab7fb18bc505639ce5a8baad3c6aa80d
SHA1 7ab8d6e480bfa51787fc0f3f67a97fd52c21c2b4
SHA256 ae3b90b2de12013e9e10b7e65ef0337214969da6e957e46a1973134020dbce13
SHA512 fae3e467e931d899eeaeab3864a35f86352edfa2e9cb407ff5e53e7ee7c31de7e907c943b5018eeca52861fb616ef95e3bb0128e60a667f20f3a868d432ee568

/data/data/com.cai.wuye/files/.jiagu.lock

MD5 0d3e99204c6401ea499fe9e6d9855497
SHA1 09829f00ca458eab7374d5079393a2cd69a2348a
SHA256 63ad014cb50908591939d6a1536f85eece807425af4f4e8a1f9b9eeab13cc5ca
SHA512 8d9a50aa9abd17e508ed3ac35a3033e8f9e550d1088baa951f53e6c4697c5ac026d22b90e36e27341d64baa3f0202bd89ca97583e99feb25f8c26b5776c59c68

/data/data/com.cai.wuye/files/.jglogs/.jg.ac

MD5 9d67f9eac17fa33d70e3ec94f455c39b
SHA1 6c0acd354bae766db94892bb5d6b5b71cb3724c9
SHA256 05b7f743702a81609a182fa36afbd9fe545cd221633cf88a880485126d2f88ad
SHA512 01fa2162a4d2689d0b6c7351c1b57d57c449e1423cafdc9c54cc2bed50d2165727f74b0904e997ab6f6e23b1eab5a02e8b6eab8a7b13abad82b49f634096e707

/data/data/com.cai.wuye/files/.jglogs/.jg.ic

MD5 7ee1c72abba1ebab29258bebb3ebe9f8
SHA1 52844eaacef2608d276cf9dc793f3abd52a25dd2
SHA256 d43af7ebc1e22eae26fc8d22e239eda03444dc0940f74de2bab4108a7b0eeeb5
SHA512 630a5b965a0b70c61fa2ccd4bb58daf4c10e33fb865605202091ebb8df399977a37bfb55dccb08ed737dfa97c279ac13f28d635eb88c9bedb3bef699ffbff226

/data/data/com.cai.wuye/files/.jglogs/.jg.di

MD5 7371363c4d3b78871088936dae531282
SHA1 23b04c4209285c24ff39cd56e66f19874af061b7
SHA256 6a35020a0f6ebaebba3ad4260edcd88defba75fe5f5486f51f46f053d607f290
SHA512 65e1059aaf56b22031aed1007110c248a3d07f6b493c6efced6f3c42fe62cd9e45cd55172836af756927d0b6f44f0666c698f3038ec9df41d6d5ed0ad6b6150a

/storage/emulated/0/360/.iddata

MD5 bbf013f246f92df77c23e390afafc1f3
SHA1 bac047d73f8b37a2d195ead45e48063decad2bef
SHA256 70593740ed9b26dc3505388b9de0cd8ce10edba925365bfe4b51a5f19f41313a
SHA512 58efe4d056ad936ff5205d7ac449754b9d38b22be16289c749c20732ce188921b30da787fb3759149204238afb0154faf50faa5e9239e9a8509bdb6448a2b336

/storage/emulated/0/360/.deviceId

MD5 0106bcfbec03d55439badfcae6525fb1
SHA1 fb210c7400a9dd18b5c8b0979d544ef47fd5c5ea
SHA256 d7190c32e0f1eef5a7d18f6905b74057f1e28080bc9c8c1de5c5e21b3cd3dc6f
SHA512 18aa18463553a66b86f483cb31d6ef4f89852247f98700c88651cb8e1921092797f5a4651a4ed894f0e73913d5419705b9fe7208e8f5c48603a16962f88f00f6

/storage/emulated/0/data/.push_deviceid

MD5 3ae37badcbee8927f3d697bc45a7da9d
SHA1 ffca49069271a0efcdf801d7bf787baa431fc436
SHA256 0e2c1c38798555e9096c54c40da11cd33237cc46af1ac0ae9a355a6e6d3fae16
SHA512 00e78c982e125e6566ddc5c4146037464e8bb166e7acd9708a97539e4a18da260280f7705089d9909c81d2b584a4fe099b45b3db2d490a97bf27f0310e450bf1

/data/data/com.cai.wuye/files/jpush_stat_history/active_user/nowrap/f89666ab-b606-4c96-a999-d998558cb81c

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.cai.wuye/files/jpush_stat_history/normal/nowrap/15b0f047-183e-4a18-8d34-b5de61ced352

MD5 1674cda8ce2cabe718031ad4a566f4f6
SHA1 f7099c608bff3deec413ea3feeefec145be52eaa
SHA256 e40c31ed90e405b2b81b7e3e8cb1bf19c3f20032781ab427702123dcdf9b2940
SHA512 305b40c299507bfa87d7c6ff69ace69b9a71c4a2a8bde816b6b8a71d1b6dbd33c61601e46d05f70d7f4276f9b56e61907ee30f19471a756aac736c571b46505e

/data/data/com.cai.wuye/files/jpush_stat_cache.json

MD5 ba4016db3842c59738d32b93ed86afcf
SHA1 fadaf4fceba3f951ceefb8d293deaae19b9c0540
SHA256 7c070d4f5615900a837a2a39ccb8668cc804a33d7e15c24895ad8b416d647e99
SHA512 4c7f8e610da04725c77fd4e280ceac9c521db504682c7cc855bb06bd1026c121c054ac31787b3448937f47ff21c9f3620be7590ddf844786bef2856a4d7bb440

/data/data/com.cai.wuye/files/libcuid.so

MD5 7d693a12ee6baf83f31c75ae442d7add
SHA1 3aa18d5c013572375d9d134ceb0c325b9b5a60be
SHA256 bc54372a2292a6ff1477d6051309de4d6beb323352f91e1d224d6fc2f40cc5da
SHA512 620960668175d5edcd783d639b4d28039ede555be2afb4a5d0c02e2920a53db55c92c2091fb7f54e670ca6d4d708cc6c4ca938945176abecb3996a6364e68db2

/data/data/com.cai.wuye/files/lldt/hst.db

MD5 af757be229945be283974841139afbae
SHA1 7effab66dfda5890e9c65b2538fb073a71502670
SHA256 9e63d4d76760ce8968ff4cd4ea3450981d377876b31a1c651b26cf4ab7282100
SHA512 e164c3f219121ec48481653693fff175db6ccdb5e9d66b63d4ddbb21d42069579837375ebf1c0525e697a7183bcb9a0b46a86707467269cbe5a55c7b7266bee2

/data/data/com.cai.wuye/files/lldt/hst.db-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.cai.wuye/files/lldt/hst.db-wal

MD5 692af4612b372faa29fa8c7844f86f05
SHA1 c66b3662a0720df86b5e13642535b8220640bcb4
SHA256 9d31fec284a4ee8c71340074f1ea98568681dc30ba4214f77a7f03023be35805
SHA512 4d3a6e40746a5423797dab0b5c0c06dc9916229f44c4579a1088b52caf607732cad08e1d52952aed7c64abf4eed3f9dd0cc6357d3aa65087c3deb3c56a0eeb29

/data/data/com.cai.wuye/files/lldt/gal.db-wal

MD5 10711b19e4b641cb4753fbb4539cf7f3
SHA1 416a2cf97c3ddd3492d9e13896f29962cde02e01
SHA256 31bc7c3e295d25b5b0426c0e8394fca1760212155914643be6c3223686ece140
SHA512 f1e64602717bf691716d558fdee55b533b5226376485038992e64e6e66d371df7c1d969088c816e96831764f0632330f1e8c2354e9a0510807e7777d4e8f0e82

/data/data/com.cai.wuye/files/ofld/ofl_location.db-journal

MD5 c8ae2885316d11a5dc2d9432a29b30d6
SHA1 c2f00a9a88fb7aa6dd15a181569d9c661a551763
SHA256 eeb1def01af2de8ae63995e5931c8c463de9ba685a9c768cf3c387ff56977482
SHA512 cd527719c3b5d73352d4102c4a213ef8cf0a004fb0c6feac4f3daf65fedc9742120a1f418b56c28b31a84d224f3dba0810663b807e4e6df611b28e786984dd41

/data/data/com.cai.wuye/files/ofld/ofl_location.db-wal

MD5 2fb96dafc27bcf12b57ef6524b863ceb
SHA1 490f1a49f31bd9aa7ce5092b823e0ad9a7607f67
SHA256 e3ed0d727ddf4ebf59545fe4570bbae0b40ffbdbd07e33fd59f6af4e496cfb7b
SHA512 9625f76c448410c7c74bdacfe80e688e08a00a5072ba5609768caecbcbddc51d218d6a1aec3954bc3f00a44fa08209097fbb8b2d487b888a25f88ea3c3ea5d30

/data/data/com.cai.wuye/files/ofld/ofl_statistics.db-wal

MD5 8f47ae1c8015e7e3ab1c3f803b00359d
SHA1 b6e62bb3d10e6caaabec255ba98083fda3927779
SHA256 18f9cb21e131e0c629ced4c1efc008fc3bb79945d903fad24e76ce6eab01d086
SHA512 cc60ad1b8b62af86cc2db7f0f241f14ced8153732eef5b45cc86289c72a5bf1c9b26b9a83150c46119b6bc9e19742fc23f075e2a3cd66145ff1d44e15010806c

/data/data/com.cai.wuye/files/lldt/firll.dat

MD5 546a6ace3f96d4cf40c8cffd201e91cc
SHA1 585637788104528bf21a17af9871828adc9798f8
SHA256 88553be48156f2d45e94e22004b117a2bc167c0277a85e9b6ab824fdd44a2a5e
SHA512 be47bb1acf1783f85e61e8807a9ec4d7dca4edf972279c8f6aad61fdae98cdb58791899c3ddc0ff54808e6a058ff4dd775df43eb7a466f1430d87de486af82cb

/storage/emulated/0/baidu/tempdata/lcvif.dat

MD5 ca03176617d14d14ee955c1687d0fb76
SHA1 a5c15f2b00c6dd4814e1b0a2d0e6a84c0005260d
SHA256 e9e0e1fdbca0667f14e177a981401613e508e6cdccc142eac50f7bb70d25e089
SHA512 a35ef3f64a72b030d4cea239ab0e2ca5b1a15ffcc339e31d4fa59d0b1efe087a030c71131520850d2f9db2ee772c8236f96f6b345bf74b9b644e2fac8b020a95

/storage/emulated/0/baidu/tempdata/lcvif.dat

MD5 d00476caf53f91f908b6a51b61629056
SHA1 e29b300cc1134bcbaaa2ea33973934f813bc6ac0
SHA256 6a267865d73450d44ebbf6431294ec1a75cd4dcf50d95469a948c2db399d5622
SHA512 9d2a9f249a7841208bf4b3ab96d92e226356d8b5c9a571236b95f05d46f685e0528147fe5103d8fa084626b885130b4685583286959b58b512014e603741aa79

/storage/emulated/0/baidu/tempdata/yoh.dat

MD5 a936690571e9104e1922dda4a0ba5bd1
SHA1 65f49c57edde2f96be2a1dbdfc3f7351f1e66554
SHA256 f0f5049c51879dd7da0ce4a43349b5b34ce053d072a0ca704f62cf22ba4a8412
SHA512 3be1c3693963aebdfc04e86b1c820ee0ec3cf0b200e6a4788ef1141f39fd6c2f77f4227247ae4affa66c0a6c027df8466cc0dcec1e67ebfb953e36bee97de394

/storage/emulated/0/baidu/tempdata/yoh.dat

MD5 1681ffc6e046c7af98c9e6c232a3fe0a
SHA1 d3399b7262fb56cb9ed053d68db9291c410839c4
SHA256 9d908ecfb6b256def8b49a7c504e6c889c4b0e41fe6ce3e01863dd7b61a20aa0
SHA512 11bb994b5d2eab48b18667c7d8943e82c9011cb1d974304b8f2b6247a7e6b7f55ca2f7c62893644c3728d17dafd74ae3ba46271cf6287bb9e751c779a26fefc5

/data/data/com.cai.wuye/files/.jglogs/.jg.ac

MD5 cbf273def273bf207c9a98b43bc51cb1
SHA1 1a89d48e48987a26e225ab23c30227208b8d3729
SHA256 7d3ece66ee66e42a8d9d4765b29bd946c4cb509db9c326f351f85c526f55ee8c
SHA512 237551c7d883455f6c23af3aad6893b6a358b70a0c71145d2f462f032cdce2506eda7e119f02b45022a01626f0fa89b8b33ffc0d2eac9e525057e8220410f620

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-17 18:01

Reported

2024-05-17 18:04

Platform

android-33-x64-arm64-20240514-en

Max time kernel

6s

Max time network

179s

Command Line

com.cai.wuye

Signatures

Loads dropped Dex/Jar

evasion
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | /data/user/0/com.cai.wuye/[email protected] | N/A | N/A |

Checks if the internet connection is available

discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |

Processes

com.cai.wuye

Network

| Country | Destination | Domain | Proto |
|---|---|---|---|
| N/A | 224.0.0.251:5353 | | udp |
| GB | 216.58.201.100:443 | | udp |
| GB | 216.58.201.100:443 | | tcp |
| GB | 216.58.201.100:443 | | tcp |
| GB | 142.250.200.35:443 | | tcp |
| GB | 172.217.169.42:443 | | udp |
| US | 162.159.61.3:443 | | tcp |
| US | 162.159.61.3:443 | | tcp |
| GB | 216.58.204.67:443 | | tcp |
| US | 162.159.61.3:443 | | udp |
| GB | 216.58.204.67:443 | | udp |
| GB | 216.58.201.100:443 | | udp |
| GB | 142.250.180.4:443 | | tcp |
| GB | 142.250.180.4:443 | | tcp |

Files

/data/user/0/com.cai.wuye/.jiagu/libjiagu.so

MD5 e5a53000766ebc433b27d6a66ec4f555
SHA1 2c8f53f1c03aec2005bcad67d731f07261dabde0
SHA256 78e4ea857f10c2df6c7b94f0584524b52ecc099ed29478fe3964037b8a86ed2e
SHA512 370a1cb93b14556ad861724f4e9995c9a4c6d37cf2d570f888d1c6000c66d27ac63496b0703361e9fc9bc7f309b7aa4407c5f339d186b0a5b72520d23d04b68d

/data/user/0/com.cai.wuye/.jiagu/libjiagu_64.so

MD5 05a8c3ca16893f4e6cc997a82d987fb3
SHA1 76d6c6d19e0bfa83c847e5d330bd144f58994bff
SHA256 82e708e200cebe270ec57231729413621a8904e907efac8cfe71cb2cf16a3c10
SHA512 2a878c39e713fb6ff5b457f94a1fe2b5adc456924d087a1b6abd59afc0b0e9bad68852eddd34c6441e8996e66eb5fdb711ed6f477d6e447dd48cfd151d89fe96

/data/user/0/com.cai.wuye/.jiagu/classes.dex

MD5 25416cbe0fb512b427664c85fe0008af
SHA1 fc854944d91a76dbac82aea5b0bd59b4d8fcf7ab
SHA256 ee44f75d69e9af5f90d58abb1d617721ea6207dbc080bd72e505a9a516128fb0
SHA512 9bea4cd1890103f53f4e64933bf713420a17eb272f38661d7c2307797b8d129ee67cbfb55fec959b9f9a99546c9627e9784743888c14ac33d60f8e1794029196

/data/user/0/com.cai.wuye/[email protected]

MD5 4e2755568939809839480adc2913b0fd
SHA1 d09f45ae2e847a17fad5bbcb15a9e3bcf27a03a1
SHA256 a055f1cf1c813fb85c2f4f007684b0b1c93329afd23c7d130fb78ed767334817
SHA512 49303daa2f9c67a7e6fff68bd3a52448dbe47a65e09d0da1a8e390452de53958e83cef6be0ba9f1693a8996ffa4594064c465717ea313135731ca41e7a6b255d

/data/user/0/com.cai.wuye/files/.jglogs/.jg.ri

MD5 18517aa7f8bcf312341f6195a9a98852
SHA1 cc99820aa5a0c430e6d35f873405d6da52ddc028
SHA256 d093e991c5c09389dc6d9346dcca9e6f93f66fd0ce0dacb8dc33946fcb0c00bd
SHA512 014952bf48182bd906ec69dea2df1928de7e61cc2a8e84904bb3fe8c860fad7d9c67a424b1ed3413dc2bb84c749ce1a9248bb9ef71a95589d51242dfbea9e839

/data/user/0/com.cai.wuye/files/.jiagu.lock

MD5 3ca55ee2ea455075d6d827c057d5bbc5
SHA1 7dec6c76e6426666545434abf0877d5feb291d61
SHA256 ae6ce92872a7985e06d0bc036330accea5a5926fa2286694275a7d53d79397b2
SHA512 38d9ee9a449b037aa38e99f127207c643e64f728677890fd91be77b84de17c5751267c8356d3ebbcc56c9c7ffb16f370313b583e99706ebae545604ca4d1f9f2

/data/user/0/com.cai.wuye/files/.jglogs/.jg.di

MD5 4f9774c60cd679691790a78d8703de85
SHA1 f4e22b82c14abc0ad3d8d510ce2d8b2d09598774
SHA256 d9249311dc52073d08a3261195bbfebf2e7c78a10851186f6b80c6d7b553e883
SHA512 438c1f864eab3c11bb2f96bd217c8c6fdfd20a717962dc523e263dccae2b51078762d3e4a28783264ef9d4cc0492240a3fe6ee7375f2a927a9ee539221a174b6

/storage/emulated/0/360/.iddata

MD5 aca0b304aff14554d3377857f839bc45
SHA1 900c0b6a9aaea5c9cb3b86bc4510ae02fac37c75
SHA256 b3726eec4b6ab1570890b3b2ad74559ca49fb9b9afd8d9931a8082a3dd03636e
SHA512 17d651ed329fc30c4805485a0520a6fcf6e0bb8360602ef84a7c2de8498f771135db259a8fdacaf41344a628146bb57816e519a634155e16d445b93985a185c0

/storage/emulated/0/360/.deviceId

MD5 4c4c5285293d5141f582aefa4e038669
SHA1 e01852a72e5a8e6f7d63a21426b515118196047b
SHA256 36c5c63f39ddf7a6a9c01946e4f78b95790aa734176802e793e95724a1b5b731
SHA512 097aa673273e307f7bfb7c08861ad389d4b5f7fae55d972a5c1636aa66d0b8d23b5eb9b696cefe0e5b942f23969dabf0147397aeca85fb9a4d75e0473104e399