Malware Analysis Report

2025-08-10 23:58

Sample ID 240518-j128esba6t
Target 53c27edef2d5a91f4358915d14466a7c_JaffaCakes118
SHA256 f5175f479eb2b9eb87b8475fc0d818a13798aa08b4fb215b7e9f265d4e750bff
Tags
banker discovery evasion impact persistence
score
8/10

Analysis Overview

score
8/10

SHA256

f5175f479eb2b9eb87b8475fc0d818a13798aa08b4fb215b7e9f265d4e750bff

Threat Level: Likely malicious

The file 53c27edef2d5a91f4358915d14466a7c_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

banker discovery evasion impact persistence

Checks if the Android device is rooted.

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Checks CPU information

Checks memory information

Queries information about the current Wi-Fi connection

Queries information about running processes on the device

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks if the internet connection is available

Reads information about phone network operator.

Requests dangerous framework permissions

Checks the presence of a debugger

Uses Crypto APIs (Might try to encrypt user data)

Analysis: static1

Detonation Overview

Reported

2024-05-18 08:09

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A
Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS N/A N/A
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows an application to write the user's contacts data. android.permission.WRITE_CONTACTS N/A N/A
Allows an application to record audio. android.permission.RECORD_AUDIO N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-18 08:08

Reported

2024-05-18 08:09

Platform

android-33-x64-arm64-20240514-en

Max time network

8s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
GB 216.58.201.100:443 udp
GB 216.58.201.100:443 udp
N/A 224.0.0.251:5353 udp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-18 08:08

Reported

2024-05-18 08:12

Platform

android-x86-arm-20240514-en

Max time kernel

2s

Max time network

168s

Command Line

com.unionpay.uppay

Signatures

N/A

Processes

com.unionpay.uppay

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 142.250.200.46:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 172.217.16.238:443 android.apis.google.com tcp
GB 172.217.169.14:443 tcp
US 1.1.1.1:53 www.google.com udp
GB 142.250.179.228:443 www.google.com tcp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-18 08:08

Reported

2024-05-18 08:12

Platform

android-x86-arm-20240514-en

Max time kernel

145s

Max time network

184s

Command Line

com.tuniu.app.ui

Signatures

Checks if the Android device is rooted.

evasion
Description Indicator Process Target
N/A /system/xbin/su N/A N/A
N/A /system/app/Superuser.apk N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Checks CPU information

evasion discovery
Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

evasion discovery
Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Checks if the internet connection is available

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Reads information about phone network operator.

discovery

Checks the presence of a debugger

evasion

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.tuniu.app.ui

com.tuniu.app.ui:bdservice_v1

Network

Country Destination Domain Proto
GB 216.58.213.3:443 tcp
GB 142.250.200.14:443 tcp
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 secure.tuniu.com udp
US 1.1.1.1:53 m.tuniu.com udp
CN 124.223.124.152:80 m.tuniu.com tcp
CN 124.223.124.152:80 m.tuniu.com tcp
CN 124.223.124.152:80 m.tuniu.com tcp
US 1.1.1.1:53 s.jpush.cn udp
CN 123.60.31.166:19000 s.jpush.cn udp
CN 36.248.38.100:443 secure.tuniu.com tcp
CN 36.248.38.100:443 secure.tuniu.com tcp
US 1.1.1.1:53 alog.umeng.com udp
CN 223.109.148.179:80 alog.umeng.com tcp
CN 123.60.31.166:80 s.jpush.cn udp
US 1.1.1.1:53 m.baidu.com udp
HK 103.235.46.213:80 m.baidu.com tcp
US 1.1.1.1:53 openapi.baidu.com udp
CN 39.156.66.111:443 openapi.baidu.com tcp
US 1.1.1.1:53 im.jpush.cn udp
CN 114.116.243.79:3000 im.jpush.cn tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.187.232:443 ssl.google-analytics.com tcp
CN 223.109.148.130:80 alog.umeng.com tcp
GB 172.217.169.14:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.213.14:443 android.apis.google.com tcp
CN 45.251.101.42:443 secure.tuniu.com tcp
CN 45.251.101.42:443 secure.tuniu.com tcp
CN 223.109.148.178:80 alog.umeng.com tcp
CN 112.50.95.96:443 secure.tuniu.com tcp
CN 112.50.95.96:443 secure.tuniu.com tcp
CN 223.109.148.176:80 alog.umeng.com tcp
US 1.1.1.1:53 m.baidu.com udp
HK 103.235.46.213:80 m.baidu.com tcp
CN 39.156.66.111:443 openapi.baidu.com tcp
CN 223.109.148.141:80 alog.umeng.com tcp
CN 223.109.148.177:80 alog.umeng.com tcp
US 1.1.1.1:53 alog.umeng.co udp
US 1.1.1.1:53 m.baidu.com udp
HK 103.235.46.213:80 m.baidu.com tcp
CN 39.156.66.111:443 openapi.baidu.com tcp
US 1.1.1.1:53 easytomessage.com udp
CN 121.36.193.140:19000 easytomessage.com udp
CN 121.36.193.140:80 easytomessage.com udp
CN 114.116.243.79:3000 im.jpush.cn tcp

Files

/data/data/com.tuniu.app.ui/databases/alarms.db-journal

/data/data/com.tuniu.app.ui/databases/alarms.db

/data/data/com.tuniu.app.ui/databases/alarms.db-shm

/data/data/com.tuniu.app.ui/databases/alarms.db-wal

/data/data/com.tuniu.app.ui/files/.TwitterSdk/v/com.crashlytics.sdk.android/session_analytics.tap.tmp

/data/data/com.tuniu.app.ui/files/.TwitterSdk/v/com.crashlytics.sdk.android/664862260382-0001-10AF-652610921534BeginSession.cls_temp

/data/data/com.tuniu.app.ui/files/.TwitterSdk/v/com.crashlytics.sdk.android/session_analytics.tap

/data/data/com.tuniu.app.ui/files/.TwitterSdk/v/com.crashlytics.sdk.android/session_analytics_to_send/sa_a48a0e0e-362e-49a3-a0b0-1d6987033b57_1716019750954.tap

/data/data/com.tuniu.app.ui/files/.TwitterSdk/v/com.crashlytics.sdk.android/664862260382-0001-10AF-652610921534SessionApp.cls_temp

/data/data/com.tuniu.app.ui/files/.TwitterSdk/v/com.crashlytics.sdk.android/664862260382-0001-10AF-652610921534SessionOS.cls_temp

/data/data/com.tuniu.app.ui/files/.TwitterSdk/v/com.crashlytics.sdk.android/664862260382-0001-10AF-652610921534SessionDevice.cls_temp

/data/data/com.tuniu.app.ui/databases/rep.db-journal

/data/data/com.tuniu.app.ui/databases/rep.db-wal

/data/data/com.tuniu.app.ui/files/.TwitterSdk/v/com.crashlytics.sdk.android/session_analytics.tap

/data/data/com.tuniu.app.ui/files/gaClientId

/data/data/com.tuniu.app.ui/files/umeng_it.cache

/data/data/com.tuniu.app.ui/files/jpush_stat_cache_history.json

/data/data/com.tuniu.app.ui/databases/moplus_server_config.db-journal

/data/data/com.tuniu.app.ui/databases/moplus_server_config.db-wal

/storage/emulated/0/baidu/.cuid

/data/data/com.tuniu.app.ui/databases/groupchat.db-journal

/data/data/com.tuniu.app.ui/databases/groupchat.db

/data/data/com.tuniu.app.ui/databases/groupchat.db-wal

/data/data/com.tuniu.app.ui/files/mobclick_agent_sealed_com.tuniu.app.ui
