Malware Analysis Report

2025-08-10 23:54

Sample ID 240517-wm54dabg59
Target 50c568ca141f5e0a26e6292ccf751b61_JaffaCakes118
SHA256 ab49fa00872d5aea4438e25a42f11cdf196871490dcf81a619e73da1b274eac4
Tags
collection discovery evasion impact persistence
score
8/10

Analysis Overview

Threat Level: Likely malicious

The file 50c568ca141f5e0a26e6292ccf751b61_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

collection discovery evasion impact persistence

Requests cell location

Checks if the Android device is rooted.

Checks CPU information

Queries information about running processes on the device

Queries information about the current Wi-Fi connection

Registers a broadcast receiver at runtime (usually for listening for system events)

Queries the unique device ID (IMEI, MEID, IMSI)

Requests dangerous framework permissions

Checks if the internet connection is available

Listens for changes in the sensor environment (might be used to detect emulation)

Uses Crypto APIs (Might try to encrypt user data)

Analysis: static1

Detonation Overview

Reported

2024-05-17 18:03

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Allows an application to request installing packages. | android.permission.REQUEST_INSTALL_PACKAGES | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-17 18:03

Reported

2024-05-17 18:06

Platform

android-x86-arm-20240514-en

Max time kernel

5s

Max time network

130s

Command Line

com.fanhua.box

Signatures

Checks if the Android device is rooted.

evasion
Description | Indicator | Process | Target
N/A | /system/bin/su | N/A | N/A
N/A | /system/xbin/su | N/A | N/A
N/A | /system/app/Superuser.apk | N/A | N/A

Requests cell location

collection discovery evasion
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getCellLocation | N/A | N/A

Checks CPU information

evasion discovery
Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Checks if the internet connection is available

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Listens for changes in the sensor environment (might be used to detect emulation)

evasion
Description | Indicator | Process | Target
Framework API call | android.hardware.SensorManager.registerListener | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.fanhua.box

Network

Country | Destination | Domain | Proto
GB | 142.250.187.195:443 | | tcp
GB | 142.250.200.14:443 | | tcp
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | qxx.uooing.com | udp
TW | 104.199.230.2:443 | qxx.uooing.com | tcp
TW | 104.199.230.2:443 | qxx.uooing.com | tcp
TW | 104.199.230.2:443 | qxx.uooing.com | tcp
US | 1.1.1.1:53 | dxp.baidu.com | udp
CN | 39.156.66.180:443 | dxp.baidu.com | tcp
US | 1.1.1.1:53 | plbslog.umeng.com | udp
CN | 36.156.202.73:443 | plbslog.umeng.com | tcp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
GB | 142.250.179.234:443 | semanticlocation-pa.googleapis.com | tcp
GB | 216.58.204.78:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.212.206:443 | android.apis.google.com | tcp

Files

/data/data/com.fanhua.box/files/libcuid.so

MD5 285fd2ca5cc5c4b05aded6cb66b75dc2
SHA1 15fbe6ce7253e47c808716b7f7b912b2cf258919
SHA256 4cb0072e6aed7b479d7e5a7cec366fcc90b3ac8895a74bfeea8cc294d7f8f147
SHA512 75b0142e87f1f65b87463b9ebaa8517b0bdda7e5e465b3c6adb24fc26d80d7bc428d045992ac2986b5bb002e7f8c0d7ac2d58aef4d9773e84f9476ca003e7e48

/data/data/com.fanhua.box/databases/pri_wxop_tencent_analysis.db-journal

MD5 b627b18181fc1ff7ef092615cba34cd5
SHA1 499ce7eba938e7d6c14777b5efc10fa5b3b6412b
SHA256 35510bd34261d300588b9b7a6d4be06bbcfc5c7a31115270066e1f950350ce46
SHA512 112d4066333b15b51f407685a48a387ef0ca8d7c70ef30f8bbdf1ed37f68b56224be06003847c6949286c80541ba2d894b817700653bf604a0072630a42f8d33

/data/data/com.fanhua.box/databases/pri_wxop_tencent_analysis.db

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.fanhua.box/databases/pri_wxop_tencent_analysis.db-shm

MD5 cf845a781c107ec1346e849c9dd1b7e8
SHA1 b44ccc7f7d519352422e59ee8b0bdbac881768a7
SHA256 18619b678a5c207a971a0aa931604f48162e307c57ecdec450d5f095fe9f32c7
SHA512 4802861ea06dc7fb85229a3c8f04e707a084f1ba516510c6f269821b33c8ee4ebf495258fe5bee4850668a5aac1a45f0edf51580da13b7ee160a29d067c67612

/data/data/com.fanhua.box/databases/pri_wxop_tencent_analysis.db-wal

MD5 836bb9b27f308b2bf51e56a4da426416
SHA1 dde4d74396b75f2db699a754cc0fafa4f8908d10
SHA256 f7578c9c2b7ab9be2b5d479156ef2e57a76eb98feb3373778af6b5fc3f10c9f1
SHA512 ce1b976d4f970284503845d6e5fc43c0b50960f758d562400f2297429a2d2af2580bb08a4e503189e60b3e03a135b80ece4dba309062b58ec726dbaa2ff99ba6

/storage/emulated/0/backups/.SystemConfig/.cuid

MD5 d988f9362527a92577fc9f3ce5f3c991
SHA1 1dd2680ba645242b3ae0f7cd9d7b01763146c2c3
SHA256 fba668a3f4bcd694a55d923a8c4e327c6e72a43a835db2e96def263392bc526e
SHA512 49a07d3966aa92c54eb01eec1a57409bcbe160a040e91c0b560499c35b2bf1066862f0734b5855cf93a4fa106682dd147b141f5e1001b8c36fe55f0f76de75a9

/data/data/com.fanhua.box/databases/wxop_tencent_analysis.db-journal

MD5 c35467e10bad166168622fa46303af37
SHA1 cedf4dbff6b844d8629fc53bfcee3b5a14284cf0
SHA256 1759afaf1a042c199cb67040a75e4bb8193cf7eda432b4f9c08866cb5f5f6cc4
SHA512 27db205f7d24d1aefb9e855bac63ad54fe2e4c0fbc521c19788e733be748ef40c6f52e792e94fdbe4f52a9480a833b9f15c91810a16e885551a97e4e55a773c9

/data/data/com.fanhua.box/databases/wxop_tencent_analysis.db-wal

MD5 6e17c34fc1e211fe0ba6593cba562bc8
SHA1 85e44f26585114f8d2c730f23313399dc60d3011
SHA256 36a0a9019f8276bec2bb7f960319b6d665057983e3b2290a4aa439d06e981dc0
SHA512 4398ec225abfa79efeaaae661961283619af34315163229573b2d57712761bc6ddfe62c0fe8323cbd29077356f36e216057f73a9c0a5ed4d03e17a4698c770de

/data/data/com.fanhua.box/files/umeng_it.cache

MD5 05edd54f96e0d9847519d80bdd051f77
SHA1 69aa6e6f0f6d7595f022570ec8aa21385b518a4d
SHA256 12a3831a3515110d5c06a37f922a1502ea1f3d86efcdfcdfe4d328d977965b27
SHA512 25cffdabb6bbeb7f01a3010683d0f9c1471c092a61121347368aefcf92b444ad0b50819cf7d944d3a924c2fdf05a3a437e39efbac08f0b9e69eeb24dd92043ca

/data/data/com.fanhua.box/files/stateless/dW1weF9pbnRlcm5hbA==/dW1weF9pbnRlcm5hbF8xNzE1OTY5MDM5Nzk0

MD5 a6de119c9c6d3fc2ce1a855233883089
SHA1 fd42d0e716ea39bed304aa9e3db21df3343f62d4
SHA256 11b112b003092a6e8c2693ff3915052db6c4f59a50943ebf29414632e74d5c04
SHA512 2eadb488989554abe3fedae0939070d27eafaa5e3442d6af14d6293aa9469fb4f8502bd3cd85afd1361bdd600b2fe69de31f153de26fea4641051cea12c7ed59