Analysis Overview
SHA256
d582d7ddc86593e5410fff46bc799ee32089fd52727b84585cc8fdfb8b987356
Threat Level: Likely malicious
The file 559548207cd91eb06040d5b391ef8c48_JaffaCakes118 was found to be: Likely malicious.
Malicious Activity Summary
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
Requests cell location
Registers a broadcast receiver at runtime (usually for listening for system events)
Queries the phone number (MSISDN for GSM devices)
Loads dropped Dex/Jar
Reads the content of the SMS messages.
Reads the content of SMS inbox messages.
Checks CPU information
Queries information about the current Wi-Fi connection
Requests dangerous framework permissions
Checks if the internet connection is available
Reads information about phone network operator.
Uses Crypto APIs (Might try to encrypt user data)
MITRE ATT&CK
Mobile Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-18 16:01
Signatures
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
| Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A |
| Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A |
| Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A |
| Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A |
| Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A |
| Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A |
| Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A |
| Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A |
| Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A |
| Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A |
| Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A |
| Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows an application to monitor incoming MMS messages. | android.permission.RECEIVE_MMS | N/A | N/A |
| Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A |
| Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A |
| Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A |
| Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A |
| Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A |
| Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-18 16:01
Reported
2024-05-18 16:04
Platform
android-x86-arm-20240514-en
Max time kernel
8s
Max time network
130s
Command Line
Signatures
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
Requests cell location
| Description | Indicator | Process | Target |
| Framework service call | com.android.internal.telephony.ITelephony.getCellLocation | N/A | N/A |
Checks CPU information
| Description | Indicator | Process | Target |
| File opened for read | /proc/cpuinfo | N/A | N/A |
Loads dropped Dex/Jar
| Description | Indicator | Process | Target |
| N/A | /data/user/0/com.ygi.hmwjqf/files/rui/fKHUOiL.jar | N/A | N/A |
| N/A | /data/user/0/com.ygi.hmwjqf/files/rui/fKHUOiL.jar | N/A | N/A |
| N/A | /data/user/0/com.ygi.hmwjqf/files/Plugin2.apk | N/A | N/A |
| N/A | /data/user/0/com.ygi.hmwjqf/files/Plugin2.apk | N/A | N/A |
Queries information about the current Wi-Fi connection
| Description | Indicator | Process | Target |
| Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A |
Queries the phone number (MSISDN for GSM devices)
Reads the content of SMS inbox messages.
| Description | Indicator | Process | Target |
| URI accessed for read | content://sms/inbox | N/A | N/A |
Reads the content of the SMS messages.
| Description | Indicator | Process | Target |
| URI accessed for read | content://sms/ | N/A | N/A |
Registers a broadcast receiver at runtime (usually for listening for system events)
| Description | Indicator | Process | Target |
| Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A |
Checks if the internet connection is available
| Description | Indicator | Process | Target |
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |
Reads information about phone network operator.
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A |
| Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A |
| Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A |
| Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A |
| Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A |
| Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A |
| Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A |
Uses Crypto APIs (Might try to encrypt user data)
| Description | Indicator | Process | Target |
| Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A |
Processes
com.ygi.hmwjqf
/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.ygi.hmwjqf/files/rui/fKHUOiL.jar --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/com.ygi.hmwjqf/files/rui/oat/x86/fKHUOiL.odex --compiler-filter=quicken --class-loader-context=&
/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.ygi.hmwjqf/files/Plugin2.apk --output-vdex-fd=72 --oat-fd=74 --oat-location=/data/user/0/com.ygi.hmwjqf/files/oat/x86/Plugin2.odex --compiler-filter=quicken --class-loader-context=&
getprop ro.product.cpu.abi
getprop ro.product.cpu.abi2
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
| US | 1.1.1.1:53 | app.jtmtht.com | udp |
| GB | 216.58.212.227:443 | | tcp |
| CN | 120.55.89.238:8977 | | tcp |
| US | 1.1.1.1:53 | sdk.qipagame.cn | udp |
| US | 1.1.1.1:53 | jx.hamofo.com | udp |
| US | 1.1.1.1:53 | xiafa.hamofo.com | udp |
| CN | 118.31.135.201:80 | jx.hamofo.com | tcp |
| CN | 120.27.184.190:80 | xiafa.hamofo.com | tcp |
| GB | 142.250.180.14:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.187.206:443 | android.apis.google.com | tcp |
Files
/data/data/com.ygi.hmwjqf/files/rui/fKHUOiL.jar
| MD5 | 71a447564ddfedec2d7ccc09404b50de |
| SHA1 | 537ca7b2ce9aaf513e217db5560c30add7912494 |
| SHA256 | 15c29239d04d24790b11e9c6f73b9707013ac1f4473ba2d805268479f0495c2c |
| SHA512 | 7e9a1d1b5a8f7529586fb989247b07e2fdb830808740737353d0abcac9a4b5b10f654d634be228ef01cdb6828857017095f11ee2808f0ef46615e46af7b626f8 |
/data/user/0/com.ygi.hmwjqf/files/rui/fKHUOiL.jar
| MD5 | ea26cf686a381a188cbbd7e1d6ba25b2 |
| SHA1 | c04fbf5cc016306f6395a81984667e51246ae7be |
| SHA256 | eff87c3a9fb2fa80d7b6444f2bbbf60ec418ef043186e362f6256ca6fd166527 |
| SHA512 | 775d33d0a1a3012b4025c6c3e8457fc6fe92a172270db78b177db3cfd21657d545953f5a2f9ca80dcc3882553c77faac392bd4922f0cdf89fb8eac44580e3d99 |
/data/user/0/com.ygi.hmwjqf/files/rui/fKHUOiL.jar
| MD5 | 338c4c9ce3fc4648f14fad9b5d23f31c |
| SHA1 | 11a05600a57ea58d3711e049ed35a461335f4ee6 |
| SHA256 | 564b42bf05c402c73dc42edfc75133c2b20ab7178895c2e68c562260fd5ec0bf |
| SHA512 | 66cefa3d5effbcd64f9c95b957ff2580a2b7858fb08e0193349becaf657c08e01ab27851fc819ebd9a47929bee8ecc52a7ceafb49ad13b63bee52d947e18fbd9 |
/data/data/com.ygi.hmwjqf/files/umeng_it.cache
| MD5 | 162913de87cf5e65a0188fd94a97c1e5 |
| SHA1 | cb49d9ad5092ef0a9305ac744d1098ed22c303f7 |
| SHA256 | 03c9bbdc79ae2ca74c2af969b88ffc71f1c1c3b433a04ef9525ea6f628cdea58 |
| SHA512 | 5fe1ef582e91fa4f5fe2605a2736234e9d0c6264074d0be7288cc0a773d0a41be37705693cfe0c02626c2fec623836282920b208ed0f276b6a0dbe20ee98bc81 |
/data/data/com.ygi.hmwjqf/files/Plugin2.apk
| MD5 | 3d216f8fddb9705a6720a285475837f1 |
| SHA1 | f053d23b284bfe2faf6e76d353ff052471e2de2c |
| SHA256 | de7bf40574754a5144fa5cf3bc5e97f7adc7f5abebb18c41e8f0631917db4c0c |
| SHA512 | 38be39da8f96abc87109cfd57b2d63ddfa72971f023024a5b4ce1f97cd905a96a94e19eea19ae9b745f28d02c6689a4473627ce57ec85dce2018a77e699620cb |
/data/user/0/com.ygi.hmwjqf/files/Plugin2.apk
| MD5 | 2a425e0fae74f20a2c475da937a619a2 |
| SHA1 | 4d701c7e6d828aa96ba8a493720e7282c49ec741 |
| SHA256 | 2c61a25f1ad5783bf82eea9faa2536cac4788ed3147bc1864d9ef17ea01be6a7 |
| SHA512 | 44c8d2a837b606de99055badbd4b5e708424ca9809b1583d13aefadc4d4af974658dc3a3f179fc3047eef7167151c638ff66dd6c8d38121b6ecdfb464d2a5a60 |
/data/user/0/com.ygi.hmwjqf/files/Plugin2.apk
| MD5 | ef019d14367b7346b1ae2419e9d445c8 |
| SHA1 | 23d81fcf81f3a9f2a991ba4d0d135fe2a28aa188 |
| SHA256 | 1d83642ede6b16a071676e895f547d056543b5b4622bbc9b9b4ab45e47bf9ba0 |
| SHA512 | ea582f21c6054c37c679c798e93116c9c18c9544c0feb78fb949bed7b2cd3122c8d7bb8ecef329829c2531764abeb6200f0af49ede97c3b0b7448bdb65a34a60 |
/data/data/com.ygi.hmwjqf/databases/wochi_v4.db-journal
| MD5 | 17b7fe4b0ed89744361706a313cedfe2 |
| SHA1 | 0e3155c487ce4f8e311e922b2cba207b581445b5 |
| SHA256 | f3a41e88dc6f755785bf453434d356c5aa16d15feaa2215eede75380d2b5a9aa |
| SHA512 | 1ff99854913d5384c659e5e7a3d59343d1ee48e8588dd82d6201e1a2470dbd6b35dfddc9b4f7d87553a2782eee90ff3eca89adbfc3b21b2cd5222021ff9c9a8f |
/data/data/com.ygi.hmwjqf/databases/wochi_v4.db
| MD5 | f2b4b0190b9f384ca885f0c8c9b14700 |
| SHA1 | 934ff2646757b5b6e7f20f6a0aa76c7f995d9361 |
| SHA256 | 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514 |
| SHA512 | ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1 |
/data/data/com.ygi.hmwjqf/databases/wochi_v4.db-shm
| MD5 | cf845a781c107ec1346e849c9dd1b7e8 |
| SHA1 | b44ccc7f7d519352422e59ee8b0bdbac881768a7 |
| SHA256 | 18619b678a5c207a971a0aa931604f48162e307c57ecdec450d5f095fe9f32c7 |
| SHA512 | 4802861ea06dc7fb85229a3c8f04e707a084f1ba516510c6f269821b33c8ee4ebf495258fe5bee4850668a5aac1a45f0edf51580da13b7ee160a29d067c67612 |
/data/data/com.ygi.hmwjqf/databases/wochi_v4.db-wal
| MD5 | d72f0ffbe332ee8e6e81b6347406ba53 |
| SHA1 | 6483f01d48b1586b4837175f4184bd736b3bb009 |
| SHA256 | c96d2f0c130548a44c5b1432eb8a12f7dbc2f65647209e5c25325c0d873c3d5b |
| SHA512 | bb19a9cac79a8a83cde63d10e1fc8e027ecacc5987b50c7cae8f78d408bcbfa6e13652c80b9d2ba0ee823fbeccd34ebaa89f3c17f9330885f885062c7b2703dc |
/data/data/com.ygi.hmwjqf/files/log.dat
| MD5 | ff9229f8e7c92d44d48e25206d43b021 |
| SHA1 | be3d75050c16c5b7484652ba292fdd6510f205d3 |
| SHA256 | 77fc3599be409f7e73e643de843c0ebcfa20662964c498fc59e245c7f5e003a2 |
| SHA512 | be7b3aa8d670a2873c6b7bfd4ca93121fd2450723cbbc36d9d06d152fafa3ce90451f0a60ab56bc96bccb81cf5aae0167b404073db14dc17b9513ac73d455c58 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-18 16:01
Reported
2024-05-18 16:01
Platform
android-x86-arm-20240514-en
Max time network
5s
Command Line
Signatures
Processes
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-05-18 16:01
Reported
2024-05-18 16:01
Platform
android-x64-20240514-en
Max time network
6s
Command Line
Signatures
Processes
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-05-18 16:01
Reported
2024-05-18 16:01
Platform
android-x64-arm64-20240514-en
Max time network
7s
Command Line
Signatures
Processes
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |