Malware Analysis Report

2025-08-10 23:58

Sample ID 240518-hw655sha5v
Target 5381cfeb78ea0ac05bfc114da905f8d9_JaffaCakes118
SHA256 4024d0f1bc319647ad39251c338ec2f7a1c8f5fd8973637a9d72b64c47e5d387
Tags
discovery evasion impact persistence
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

4024d0f1bc319647ad39251c338ec2f7a1c8f5fd8973637a9d72b64c47e5d387

Threat Level: Shows suspicious behavior

The file 5381cfeb78ea0ac05bfc114da905f8d9_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

discovery evasion impact persistence

Checks memory information

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks CPU information

Queries information about running processes on the device

Queries the mobile country code (MCC)

Reads information about the phone network operator

Requests dangerous framework permissions

Checks if the internet connection is available

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-18 07:06

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows an application to record audio. android.permission.RECORD_AUDIO N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
Allows an application to write the user's calendar data. android.permission.WRITE_CALENDAR N/A N/A
Allows an application to read the user's calendar data. android.permission.READ_CALENDAR N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-18 07:06

Reported

2024-05-18 07:09

Platform

android-x86-arm-20240514-en

Max time kernel

172s

Max time network

177s

Command Line

com.caifusenlin.cfsl

Signatures

Checks CPU information

evasion discovery
Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

evasion discovery
Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Checks if the internet connection is available

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Reads information about the phone network operator

discovery

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.caifusenlin.cfsl

com.caifusenlin.cfsl:mult

Network


Files

/storage/emulated/0/Android/data/com.caifusenlin.cfsl/files/tbslog/tbslog.txt


/data/data/com.caifusenlin.cfsl/cache/image_manager_disk_cache/journal.tmp


/data/data/com.caifusenlin.cfsl/cache/image_manager_disk_cache/journal


/data/data/com.caifusenlin.cfsl/cache/image_manager_disk_cache/78fefc26ee98a81e05de27fc9f7246f04fac9b22faffe5066d8f22aa4419dc50.0.tmp


/storage/emulated/0/data/.push_deviceid


/data/data/com.caifusenlin.cfsl/files/jpush_stat_cache.json
