Malware Analysis Report

2025-08-05 19:09

Sample ID 240518-t1zgmscd81
Target 55b429e4b5ed0d273ecefc0b386d30a1_JaffaCakes118
SHA256 8252d6d25ce25cb6464ef1f6a4730c6dc2ab8547bbb1f69f7095610630ce21e5
Tags: collection discovery evasion impact persistence
Score: 8/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Mobile Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 8/10

SHA256: 8252d6d25ce25cb6464ef1f6a4730c6dc2ab8547bbb1f69f7095610630ce21e5

Threat Level: Likely malicious

The file 55b429e4b5ed0d273ecefc0b386d30a1_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

collection discovery evasion impact persistence

Checks if the Android device is rooted.

Requests cell location

Checks CPU information

Checks memory information

Queries information about running processes on the device

Queries information about the current Wi-Fi connection

Registers a broadcast receiver at runtime (usually for listening for system events)

Reads information about phone network operator.

Requests dangerous framework permissions

Checks if the internet connection is available

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK

Mobile Matrix V15: the interactive technique matrix is not reproduced in this text version of the report. The tactic tags applied to this sample are collection, discovery, evasion, impact and persistence.

Analysis: static1

Detonation Overview

Reported

2024-05-18 16:32

Signatures

Requests dangerous framework permissions

Indicator: Description (Process and Target are N/A for every row; permissions the report lists more than once are shown once with the number of times they appear)

android.permission.CALL_PHONE: Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call.
android.permission.READ_CONTACTS: Allows an application to read the user's contacts data.
android.permission.REQUEST_INSTALL_PACKAGES: Allows an application to request installing packages.
android.permission.WRITE_EXTERNAL_STORAGE (listed 3 times): Allows an application to write to external storage.
android.permission.READ_PHONE_STATE (listed 3 times): Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device.
android.permission.ACCESS_COARSE_LOCATION (listed 3 times): Allows an app to access approximate location.
android.permission.ACCESS_FINE_LOCATION (listed 2 times): Allows an app to access precise location.
android.permission.RECORD_AUDIO (listed 2 times): Allows an application to record audio.
android.permission.SYSTEM_ALERT_WINDOW (listed 2 times): Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps.
android.permission.CAMERA (listed 2 times): Required to be able to access the camera device.
android.permission.READ_EXTERNAL_STORAGE: Allows an application to read from external storage.
android.permission.WRITE_SETTINGS: Allows an application to read or write the system settings.
android.permission.PROCESS_OUTGOING_CALLS: Allows an application to see the number being dialed during an outgoing call with the option to redirect the call to a different number or abort the call altogether.
android.permission.READ_CALL_LOG: Allows an application to read the user's call log.
android.permission.WRITE_CONTACTS: Allows an application to write the user's contacts data.
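Turning a permission list like the one above into a triage verdict is normally scripted rather than read by hand. The following is an added example, not code from the sandbox or from the analysed app. It parses a constructed manifest fragment that declares permissions from this report (including a duplicate declaration, as the report shows), counts duplicates, and separates runtime-prompted "dangerous" permissions from the special app-op permissions (SYSTEM_ALERT_WINDOW, WRITE_SETTINGS, REQUEST_INSTALL_PACKAGES), which Android grants through a Settings screen rather than a runtime dialog and which the signature above groups under the same heading. The manifest text, the permission sets and the overlay-plus-install heuristic are choices of the example.

```python
"""Static permission check in the spirit of the "Requests dangerous
framework permissions" signature. Added example; the manifest below is a
constructed fragment, not the sample's real AndroidManifest.xml."""
import xml.etree.ElementTree as ET
from collections import Counter

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"

# Runtime ("dangerous") permissions: the user is prompted at first use.
RUNTIME_DANGEROUS = {
    "android.permission.CALL_PHONE",
    "android.permission.READ_CONTACTS",
    "android.permission.WRITE_CONTACTS",
    "android.permission.READ_CALL_LOG",
    "android.permission.PROCESS_OUTGOING_CALLS",
    "android.permission.READ_PHONE_STATE",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
}
# Special app-op permissions: no runtime dialog, granted only through a
# Settings screen (e.g. ACTION_MANAGE_OVERLAY_PERMISSION). Flagged separately
# because overlay + install-packages is a combination worth a closer look.
SPECIAL_APPOP = {
    "android.permission.SYSTEM_ALERT_WINDOW",
    "android.permission.WRITE_SETTINGS",
    "android.permission.REQUEST_INSTALL_PACKAGES",
}

# Constructed manifest fragment (assumption of this example).
CONSTRUCTED_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.wondersgroup.hs.healthcloud.patient">
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.WRITE_SETTINGS"/>
  <uses-permission android:name="android.permission.PROCESS_OUTGOING_CALLS"/>
</manifest>
"""


def declared_permissions(manifest_xml: str) -> Counter:
    """Every <uses-permission> name with its declaration count."""
    root = ET.fromstring(manifest_xml)
    return Counter(
        el.get(NAME_ATTR) for el in root.iter("uses-permission") if el.get(NAME_ATTR)
    )


def classify(manifest_xml: str) -> dict:
    """Bucket the declared permissions and surface the points a triager checks."""
    counts = declared_permissions(manifest_xml)
    names = set(counts)
    return {
        "runtime_dangerous": sorted(names & RUNTIME_DANGEROUS),
        "special_appop": sorted(names & SPECIAL_APPOP),
        "normal_or_unknown": sorted(names - RUNTIME_DANGEROUS - SPECIAL_APPOP),
        # Duplicate declarations usually come from merged SDK manifests.
        "duplicates": {n: c for n, c in counts.items() if c > 1},
        # Heuristic: overlay plus the ability to request package installs.
        "overlay_and_install": {
            "android.permission.SYSTEM_ALERT_WINDOW",
            "android.permission.REQUEST_INSTALL_PACKAGES",
        } <= names,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(classify(CONSTRUCTED_MANIFEST), indent=2))
```

Run against a real APK, the manifest would come from apkanalyzer or a decoder of the binary XML; the bucketing itself does not change.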

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-18 16:32

Reported

2024-05-18 16:35

Platform

android-x86-arm-20240514-en

Max time kernel

179s

Max time network

189s

Command Line

com.wondersgroup.hs.healthcloud.patient

Signatures

Checks if the Android device is rooted.

evasion
Description Indicator Process Target
N/A /system/bin/su N/A N/A
N/A /system/xbin/su N/A N/A

Requests cell location

collection discovery evasion
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getCellLocation N/A N/A

Checks CPU information

evasion discovery
Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

evasion discovery
Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Checks if the internet connection is available

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Reads information about phone network operator.

discovery

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.wondersgroup.hs.healthcloud.patient

com.wondersgroup.hs.healthcloud.patient:pushservice

Network

Country Destination Domain Proto
GB 142.250.200.42:443 N/A tcp
N/A 224.0.0.251:5353 N/A udp
US 1.1.1.1:53 www.google.com udp
GB 172.217.169.68:443 www.google.com tcp
GB 142.250.200.42:443 N/A tcp
GB 142.250.200.42:443 N/A tcp
US 1.1.1.1:53 hxqd.openspeech.cn udp
CN 114.118.64.119:80 hxqd.openspeech.cn tcp
US 1.1.1.1:53 data.openspeech.cn udp
CN 117.48.148.47:80 data.openspeech.cn tcp
US 1.1.1.1:53 api.map.baidu.com udp
HK 103.235.46.245:443 api.map.baidu.com tcp
US 1.1.1.1:53 api.wdjky.com udp
US 1.1.1.1:53 api.exc.mob.com udp
CN 180.188.25.46:80 api.exc.mob.com tcp
CN 114.141.131.252:443 api.wdjky.com tcp
CN 114.141.131.252:443 api.wdjky.com tcp
CN 114.141.131.252:443 api.wdjky.com tcp
US 1.1.1.1:53 sdk.open.talk.igexin.com udp
US 1.1.1.1:53 sdk.open.talk.gepush.com udp
US 1.1.1.1:53 sdk.open.talk.getui.net udp
CN 183.134.98.112:5224 sdk.open.talk.getui.net tcp
CN 183.134.98.76:5224 sdk.open.talk.getui.net tcp
CN 183.134.98.76:5224 sdk.open.talk.getui.net tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
GB 142.250.187.206:443 N/A tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.238:443 android.apis.google.com tcp
CN 183.134.98.76:5224 sdk.open.talk.getui.net tcp
CN 183.134.98.112:5224 sdk.open.talk.getui.net tcp
CN 183.134.98.76:5224 sdk.open.talk.getui.net tcp
CN 183.134.98.76:5224 sdk.open.talk.getui.net tcp
CN 183.134.98.112:5224 sdk.open.talk.getui.net tcp
CN 183.134.98.76:5224 sdk.open.talk.getui.net tcp
GB 142.250.200.42:443 semanticlocation-pa.googleapis.com tcp
CN 183.134.98.76:5224 sdk.open.talk.getui.net tcp
CN 183.134.98.112:5224 sdk.open.talk.getui.net tcp
CN 183.134.98.76:5224 sdk.open.talk.getui.net tcp
CN 183.134.98.76:5224 sdk.open.talk.getui.net tcp
CN 183.134.98.112:5224 sdk.open.talk.getui.net tcp
CN 183.134.98.76:5224 sdk.open.talk.getui.net tcp
CN 183.134.98.76:5224 sdk.open.talk.getui.net tcp
CN 183.134.98.112:5224 sdk.open.talk.getui.net tcp
CN 183.134.98.76:5224 sdk.open.talk.getui.net tcp
US 1.1.1.1:53 sdk.open.phone.igexin.com udp
CN 115.227.15.239:80 sdk.open.phone.igexin.com tcp
GB 172.217.169.66:443 N/A tcp
GB 142.250.179.238:443 N/A tcp
CN 183.134.98.112:5224 sdk.open.talk.getui.net tcp
US 1.1.1.1:53 sdk.open.talk.gepush.com udp
CN 183.134.98.112:5224 sdk.open.talk.gepush.com tcp
CN 183.134.98.76:5224 sdk.open.talk.gepush.com tcp
CN 115.227.15.235:80 sdk.open.phone.igexin.com tcp
CN 183.134.98.112:5224 sdk.open.talk.gepush.com tcp
CN 183.134.98.112:5224 sdk.open.talk.gepush.com tcp
CN 183.134.98.76:5224 sdk.open.talk.gepush.com tcp
CN 115.227.15.6:80 sdk.open.phone.igexin.com tcp
CN 115.227.15.7:80 sdk.open.phone.igexin.com tcp
CN 183.134.98.112:5224 sdk.open.talk.gepush.com tcp
CN 183.134.98.112:5224 sdk.open.talk.gepush.com tcp
CN 183.134.98.76:5224 sdk.open.talk.gepush.com tcp
CN 115.227.15.225:80 sdk.open.phone.igexin.com tcp
CN 115.227.15.227:80 sdk.open.phone.igexin.com tcp
CN 183.134.98.112:5224 sdk.open.talk.gepush.com tcp
CN 183.134.98.112:5224 sdk.open.talk.gepush.com tcp
US 1.1.1.1:53 sdk.open.talk.getui.net udp
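The table mixes resolver queries (udp/53 to 1.1.1.1), local mDNS noise (224.0.0.251:5353) and the actual connections, and repeats the same destination many times. The script below is an added example, not the sandbox's code: it parses a verbatim subset of the rows, groups connections by host, flags ports other than DNS/HTTP/HTTPS (the repeated 5224 sessions to the getui.net and gepush.com push hosts), and lists TLS connections the capture could not tie to a domain. The row subset, the port allow-list and the Google exclusion in iocs() are choices of the example.

```python
"""Triage of a sandbox network table: separate lookups from connections,
group by host, flag odd ports and unattributed destinations.
Added example; ROWS is a subset of the report's Network table."""
import re
from collections import defaultdict

# Rows copied from the table above (subset). Rows without a domain are the
# direct TLS connections the sandbox could not associate with a lookup.
ROWS = """\
GB 142.250.200.42:443 tcp
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 www.google.com udp
GB 172.217.169.68:443 www.google.com tcp
US 1.1.1.1:53 hxqd.openspeech.cn udp
CN 114.118.64.119:80 hxqd.openspeech.cn tcp
HK 103.235.46.245:443 api.map.baidu.com tcp
CN 114.141.131.252:443 api.wdjky.com tcp
CN 114.141.131.252:443 api.wdjky.com tcp
CN 183.134.98.112:5224 sdk.open.talk.getui.net tcp
CN 183.134.98.76:5224 sdk.open.talk.getui.net tcp
CN 183.134.98.76:5224 sdk.open.talk.getui.net tcp
CN 115.227.15.239:80 sdk.open.phone.igexin.com tcp
CN 183.134.98.112:5224 sdk.open.talk.gepush.com tcp
GB 142.250.187.206:443 tcp
"""

# Country, ip:port, optional domain, protocol. The domain column is optional
# because the flattened table simply omits it when nothing resolved.
ROW_RE = re.compile(
    r"^(?P<cc>\S+)\s+(?P<ip>[\d.]+):(?P<port>\d+)\s+(?:(?P<domain>\S+)\s+)?(?P<proto>tcp|udp)$"
)
EXPECTED_PORTS = {53, 80, 443}  # anything else is worth a look (assumption)


def parse_rows(text: str) -> list:
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparsed row: {line!r}")
        d = m.groupdict()
        d["port"] = int(d["port"])
        rows.append(d)
    return rows


def summarize(rows: list) -> dict:
    by_host = defaultdict(lambda: {"endpoints": set(), "count": 0, "countries": set()})
    unattributed, odd_ports, lookups = [], set(), set()
    for r in rows:
        if r["proto"] == "udp" and r["port"] == 53:
            lookups.add(r["domain"])      # resolver query, not host contact
            continue
        if r["ip"] == "224.0.0.251" and r["port"] == 5353:
            continue                      # mDNS multicast: local noise
        key = r["domain"] or r["ip"]
        h = by_host[key]
        h["endpoints"].add(f'{r["ip"]}:{r["port"]}')
        h["count"] += 1
        h["countries"].add(r["cc"])
        if r["domain"] is None:
            unattributed.append(f'{r["ip"]}:{r["port"]}')
        if r["port"] not in EXPECTED_PORTS:
            odd_ports.add((key, r["port"]))
    return {
        "hosts": {
            k: {"endpoints": sorted(v["endpoints"]), "count": v["count"],
                "countries": sorted(v["countries"])}
            for k, v in by_host.items()
        },
        "unattributed": unattributed,
        "odd_ports": sorted(odd_ports),
        "lookups": sorted(lookups),
    }


def iocs(summary: dict) -> list:
    """Host IOCs worth exporting; Google infrastructure is dropped (assumption).
    Unattributed IPs stay in, since no lookup vouches for them."""
    return sorted(k for k in summary["hosts"]
                  if not k.endswith(("google.com", "googleapis.com")))


if __name__ == "__main__":
    s = summarize(parse_rows(ROWS))
    print("odd ports:", s["odd_ports"])
    print("unattributed:", s["unattributed"])
    print("iocs:", iocs(s))
```

Hosts that turn out to be third-party SDK endpoints (push, maps, analytics) can then be reviewed once rather than once per connection, which is what the count per host is for.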

Files

/data/data/com.wondersgroup.hs.healthcloud.patient/app_SGLib/app_1716049944/main/main_312768000.pkgInfo.tmp

MD5 76417144b13dd1566b83c2c574ce6dd2
SHA1 49fadc6bd1ad61ab241d91f16d46e224473cc7fb
SHA256 5d7a3b905b5b71c01ce40710a81df37d08605cf05cddfc232c8837d3fc2884d0
SHA512 6e088f764f7e846b04b609db7bc482219b86a42b3922b475c14c30acded9e923a222c0a07dbaab3af424a23ac9835cd4786ee00e6dc13b8d013ddc35e69e7eb3

/data/data/com.wondersgroup.hs.healthcloud.patient/app_SGLib/app_1716049944/main/libsgmainso-5.4.9901.so.tmp.4311

MD5 4ed88628a38d1079255b4c2bcaf6e81d
SHA1 afaaaf2ef14f8db896c3cc0f4f37c95854472d80
SHA256 336e61d1ec5c8097424fee02234bc00041e14ffd636f7ff2d0fa990ad73230fd
SHA512 1a282256d6aee51086432a8594c66ccd1bfeaddc2f3d74caa9de18361b1c478e479c762fdb08dd4b9964a3a10b266e4a3047d444637f5e3d638ca5f055f4d479

/data/data/com.wondersgroup.hs.healthcloud.patient/files/Q0VSVC5SU0EK.txt10d7

MD5 2769b6ce78ef4d03d99290a0ca8de080
SHA1 328cf6025588e52a932a4d8acb1daa89fbff4f24
SHA256 369b7df839484bd8f08b25a6eb95db6ff987930ae93621711d4447379629f2e2
SHA512 6901491541581d85f7c664b94a1d365437b7e9981c2e75648459f1790591e556aaea89700a215caabb1dd175a8dfa6a1129035b5ea4652806f2363d0930b53d7

/data/data/com.wondersgroup.hs.healthcloud.patient/files/SGMANAGER_DATA2.tmp

MD5 498eb3da9510807bef2674c02ddefa72
SHA1 2da9a404be53830763ce4f8e1003b64ea1d97cfa
SHA256 b5df5dd5dbc205b69bc1ad793e31aea3e811b7b3501ebee34094a65b39671295
SHA512 1bb42bec71f4504f736214d2f37b40f2f70f2b1970640677085bedbe18e4bcf305bf75b4f62ea85047d54753a75ee8f33b3d269c73e3540853d8da34d5e7a4dd

/data/data/com.wondersgroup.hs.healthcloud.patient/files/SGMANAGER_DATA2.tmp

MD5 9655d8f95da8d7b81462b6e3e38c1c27
SHA1 b56776a38fc2c9948b66f8a080022c0d0f61866e
SHA256 d0d3b3d1f5150e10afb51cd910892a036dae1952d016c3a09993078e5f77b06c
SHA512 907e9178f99d69827e4cd0816810f82a745f2d5cd2a12fd3b1168a0e4eae538f5295e3d4e2a34c0bce43baaf4d52303606cc667ddbb4ddb15c3dc68fedbc659e

/storage/emulated/0/backups/.SystemConfig/.cuid2

MD5 0815ad202092b08764532ee94a6b164e
SHA1 92bf5d1e242b39c9845b032513bd12f9b008374f
SHA256 4928bd35d1056ffe5c683e6b10a7a5ae5d9df44970bfc47b53435f7e099bd3c5
SHA512 abccd5e58fe0c18a2a6482a96f9e82c99bea38d60dbe5bbdb62a67f125dcb1652accebc1a8b5c0ec79d5435ff9a106dce3d3c7acd9e7bdd647b901a76a9186d4

/data/data/com.wondersgroup.hs.healthcloud.patient/databases/healthCloud-journal

MD5 65872f73d2e5b177ab65cf540c6162f9
SHA1 d122abde2a9b4f30538382737107d75afd91150c
SHA256 154074c5652303bb6ee540309e5d18fc01742e5c739be56240e8fa3d301ad67d
SHA512 884c5043348168030e410095544a24d97e9a90d59284ed5d89b3d5dbdda949023afa7f668f5b73c15b9e924fb1a388d03272147c738ed0072e0784615f7ce029

/data/data/com.wondersgroup.hs.healthcloud.patient/databases/healthCloud

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.wondersgroup.hs.healthcloud.patient/databases/healthCloud-shm

MD5 cf845a781c107ec1346e849c9dd1b7e8
SHA1 b44ccc7f7d519352422e59ee8b0bdbac881768a7
SHA256 18619b678a5c207a971a0aa931604f48162e307c57ecdec450d5f095fe9f32c7
SHA512 4802861ea06dc7fb85229a3c8f04e707a084f1ba516510c6f269821b33c8ee4ebf495258fe5bee4850668a5aac1a45f0edf51580da13b7ee160a29d067c67612

/data/data/com.wondersgroup.hs.healthcloud.patient/databases/healthCloud-wal

MD5 152d93ae988386d9dfeaeeff4e1b8bbf
SHA1 5d0e40c4987fd64663a22bff86a5c57199425be9
SHA256 314d28a9e8fcf52e71da0f7503e2d7996fff69371703725719f39247860b2348
SHA512 a955a300646916efaa9334f3cda2441d004fd75990b6c3e218858913cf0d9a3742681739a183c4d1fd3fcb0243311aefff56331059942122870913d924380d9f

/data/data/com.wondersgroup.hs.healthcloud.patient/databases/local_data_patient3.db

MD5 fd1d92a83e08f04b08b49f130c05e7ef
SHA1 b475d3589d57e7e93aff5b80b6ff71a0934679bc
SHA256 1f14bb7f0b9a082d6293256330ba4e7fd8b11bcf30e1b671a75bfd999aa0b9c7
SHA512 4262b60bd23957d8b4463c4f98e34dd6cd0449813f8a6802d8fc2bf88f89eac5ab1cc864cc157ffc1d0de76db34b3e88e3225b8495c7f30ed03261ca06b99e6f

/data/data/com.wondersgroup.hs.healthcloud.patient/files/init_c1.pid

MD5 58d5c4192472e68a9b6a9275c4336498
SHA1 3f00a0f0696f8dd10d8f193057be707bacc360c8
SHA256 1b9e966f08f3a9b97c3602274458d11089fb5c482fecaabb90779bf755035aa4
SHA512 b31a558d020d1a7a519d34573ac58d710f6c27b93cea13aace6c6310eca10d4d745c7fae8eb145054fbbc48e6b27367faa41111fc3d30ff7d690db6d4cf5e072

/data/data/com.wondersgroup.hs.healthcloud.patient/app_SGLib/SG_INNER_DATA

MD5 cc5a0a10604619ffc9f5c2fbbcdcb750
SHA1 795d0c001a99e35835c60751b2a8f6e809322dbe
SHA256 f3e8e03ff468757132bb8308495841ae6cd11d256b1b68db5ca321de3afb2c85
SHA512 b764d3fa0c2c218ac580363888f3ce790e9595a93a4108ee0ee330c724fa23a8527240ef4cf869931467dba8ad384953f71cea92319218f2d5a62255ccbaeb6f

/data/data/com.wondersgroup.hs.healthcloud.patient/files/SGMANAGER_DATA2.tmp

MD5 b4a6806bcf99901d36f3b58cf640495d
SHA1 f2495f402377d72a233598d8960cd5058533e8b6
SHA256 88bf74e40295e668e3c13db8ac6267e0b7227cf0e50d0c0d6dd9747393187013
SHA512 10bfe99e072998a73711341ad487e1ef2891ada2f45cd8ec33bccaf22bb6bcea3b5b89a6a40c8cb9e235f722c1195774ec8abbf94e4dac0fa66dd79cd5142cc3

/data/data/com.wondersgroup.hs.healthcloud.patient/databases/pushsdk.db-journal

MD5 34eef8d138a8d62fb928759302676e6b
SHA1 f510b0a78f576e305d6df6e71a1a6c6064359943
SHA256 1aa72b21d1ae51ac185cec352ddaa4a3195f1e92a5012dab81c80d4555dc3991
SHA512 82fefa61660bd6f8a126bd27785057f2281b2aee632aa8cda9563b95170e32395f90a1e69abaccfc16d62ba321920f52893600c2cd5a4bc428aae585f0a50674

/data/data/com.wondersgroup.hs.healthcloud.patient/databases/tencent_analysis.db_com.wondersgroup.hs.healthcloud.patient-journal

MD5 27486047480f0d5fbf48046f9e449fb5
SHA1 411660551aca5d0342fcdfba6858a70dcb5ade01
SHA256 8f15f60e99a659fff88dc8431f869ee00a57df2135a7708ce91d601b210d6737
SHA512 6374fcf084b53fc0dae49d425329c3d7a32d8168dc620b1c27faad42c37fa991bdf90605c187a0eb6c4fb00aeb2de9285e3692ce46005023a4dabe69fbb63fa4

/storage/emulated/0/Mob/comm/.di

MD5 70a42cba408700f9a6c01c7941a8829e
SHA1 eab01cc2c0671538795fb0b1146017dc099d0984
SHA256 499576707ce2623293166979e59c832be5b8636c64ad39aa63ebcf961910c35f
SHA512 8900d4dc8eed0430babbacb72942401bd22ef7fe5430cad90d3ce0c2c53010220d666aa0e2eb1026f3ec81d574c7fa12585b49222a5f15b01637f6ba134fe70c

/data/data/com.wondersgroup.hs.healthcloud.patient/databases/tencent_analysis.db_com.wondersgroup.hs.healthcloud.patient-wal

MD5 c8ceda7252f243344f8f2a4765afa807
SHA1 20aa1d3637bd17db528d1252b9165896a15f9030
SHA256 e7abb71b99614e328393f193f3ff78661fb403c9e3bc8da159b8b6ec031014b3
SHA512 763c750defc9d93b80ef2c0943446310937f65afe2dff3c42564892f03d1633c3acfe7005ba3492dc05ed943250d8e3a5d41e7180bce739208256326715e60f3

/storage/emulated/0/Android/data/.mn_410185822

MD5 e8be01a3d651b9f955cbb28d7fe2f623
SHA1 04010f8b539c2e98c8d7b7752e9879547aa9dc0f
SHA256 97f36bba6fac1a853fc47a62ed426b46325a58a209d20a7c232641ffba4e44f4
SHA512 19eb61bf037bcc667e6a19773beee13011faffc9a5f8efffebddeb5e27e017bc47f26e143de5e9f471668bdd9eb445fb85afda410b065f0d3ae323169ba4b34f

/data/data/com.wondersgroup.hs.healthcloud.patient/databases/pri_tencent_analysis.db_com.wondersgroup.hs.healthcloud.patient-journal

MD5 ad925fa26de7568d78ab5ec742bb9dda
SHA1 f0b81f716923ce3edc46d9ac4d2d3d7ef49d3c57
SHA256 7d7c4d3b80ff7983ddab47abe2c3be239da8c16954fdb864b162b8f29178e21f
SHA512 be88a6de21cfcdf27fda99d33acaa145fa5e5fe4327caa600cce07049d714bd81746061bffdc9eb2e2a567bfe3bf31a1131ddf661b48c4ea13c769b917baaa46

/data/data/com.wondersgroup.hs.healthcloud.patient/databases/pri_tencent_analysis.db_com.wondersgroup.hs.healthcloud.patient-wal

MD5 cba7f63129e5760f9cbb800bfe80106b
SHA1 2226538a6f9a988bb264d1862fab612bb75bb5b0
SHA256 bc71bd2464741282d439922614562822f927400791996707010aa9a0a4eb1430
SHA512 b32ed502dbf52a7b331855df4e6a01e9d6ebbb0351809a9cb33a1353416ce288ab4427ccdf9c26f78d91889e4cf68edef218f1621f75285afa20905253d62f45
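Three things in the file list above deserve a second look before the hashes are exported as indicators: hidden dot-files written to shared external storage outside the app sandbox (/backups/.SystemConfig/.cuid2, /Mob/comm/.di, /Android/data/.mn_410185822), which survive uninstall and are commonly used by SDKs to persist a device identifier; the same path SGMANAGER_DATA2.tmp reported three times with three different hashes, which a naive hash list would treat as three unrelated files; and the staged native library libsgmainso-5.4.9901.so.tmp.4311. The script below is an added example, not the sandbox's code, run over a verbatim subset of the entries (path and SHA256 only). The reading of the dot-files as identifiers and the filter that drops app-private SQLite files from the IOC list are assumptions of the example.

```python
"""Triage of sandbox file-write entries: sandbox vs shared storage, hidden
files, rewritten paths, native drops. Added example; FILE_ENTRIES is a
subset of the report's Files table (path, SHA256)."""
from collections import defaultdict
import posixpath

PACKAGE = "com.wondersgroup.hs.healthcloud.patient"
FILE_ENTRIES = [
    (f"/data/data/{PACKAGE}/app_SGLib/app_1716049944/main/libsgmainso-5.4.9901.so.tmp.4311",
     "336e61d1ec5c8097424fee02234bc00041e14ffd636f7ff2d0fa990ad73230fd"),
    (f"/data/data/{PACKAGE}/files/SGMANAGER_DATA2.tmp",
     "b5df5dd5dbc205b69bc1ad793e31aea3e811b7b3501ebee34094a65b39671295"),
    (f"/data/data/{PACKAGE}/files/SGMANAGER_DATA2.tmp",
     "d0d3b3d1f5150e10afb51cd910892a036dae1952d016c3a09993078e5f77b06c"),
    (f"/data/data/{PACKAGE}/files/SGMANAGER_DATA2.tmp",
     "88bf74e40295e668e3c13db8ac6267e0b7227cf0e50d0c0d6dd9747393187013"),
    ("/storage/emulated/0/backups/.SystemConfig/.cuid2",
     "4928bd35d1056ffe5c683e6b10a7a5ae5d9df44970bfc47b53435f7e099bd3c5"),
    ("/storage/emulated/0/Mob/comm/.di",
     "499576707ce2623293166979e59c832be5b8636c64ad39aa63ebcf961910c35f"),
    ("/storage/emulated/0/Android/data/.mn_410185822",
     "97f36bba6fac1a853fc47a62ed426b46325a58a209d20a7c232641ffba4e44f4"),
    (f"/data/data/{PACKAGE}/databases/healthCloud",
     "0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514"),
]


def classify_path(path: str, package: str = PACKAGE) -> str:
    if path.startswith(f"/data/data/{package}/"):
        return "app_private"
    if path.startswith(f"/storage/emulated/0/Android/data/{package}/"):
        return "app_external"       # per-app external dir, removed on uninstall
    if path.startswith("/storage/emulated/0/"):
        return "shared_external"    # needs WRITE_EXTERNAL_STORAGE, survives uninstall
    return "other"


def is_hidden(path: str) -> bool:
    """Any dot-prefixed component, e.g. /backups/.SystemConfig/.cuid2."""
    return any(part.startswith(".") for part in path.split("/") if part)


def native_code(path: str) -> bool:
    """Covers libfoo.so and staging names such as libfoo.so.tmp.1234."""
    return ".so" in posixpath.basename(path)


def triage(entries: list, package: str = PACKAGE) -> dict:
    hashes_by_path = defaultdict(set)
    report = {"shared_external_hidden": [], "rewritten": [], "native_drops": [], "iocs": set()}
    for path, sha256 in entries:
        hashes_by_path[path].add(sha256)
        kind = classify_path(path, package)
        if kind == "shared_external" and is_hidden(path):
            # Hidden file outside the sandbox: typical persistent-identifier
            # location for SDKs (interpretation, not stated by the report).
            report["shared_external_hidden"].append(path)
        if native_code(path):
            report["native_drops"].append(path)
        # App-private SQLite state is not a useful IOC (assumption).
        if not (kind == "app_private" and "/databases/" in path):
            report["iocs"].add(sha256)
    # One path, several hashes: the file was rewritten during the run.
    report["rewritten"] = sorted(p for p, h in hashes_by_path.items() if len(h) > 1)
    report["iocs"] = sorted(report["iocs"])
    return report


if __name__ == "__main__":
    for k, v in triage(FILE_ENTRIES).items():
        print(k, v)
```

A rewritten path such as SGMANAGER_DATA2.tmp is better tracked by path than by hash; the three hashes the report gives are snapshots of one file.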