Malware Analysis Report

2025-08-05 19:10

Sample ID 240518-tk427abg95
Target 559c94a2bb96582e732017e0ca1731e2_JaffaCakes118
SHA256 9e42e5df2512a52da5176fc9c34652ed6e1e7d52f8ddd7a9fe47ad56422b36e0
Tags: collection discovery evasion impact persistence
Score: 8/10

Analysis Overview

Threat Level: Likely malicious

The file 559c94a2bb96582e732017e0ca1731e2_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

collection discovery evasion impact persistence

Requests cell location

Checks if the Android device is rooted.

Checks CPU information

Queries information about running processes on the device

Queries information about the current Wi-Fi connection

Checks memory information

Queries information about the current nearby Wi-Fi networks

Registers a broadcast receiver at runtime (usually for listening for system events)

Requests dangerous framework permissions

Checks if the internet connection is available

Reads information about phone network operator.

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-05-18 16:08

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A
Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A
Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Allows an application to see the number being dialed during an outgoing call with the option to redirect the call to a different number or abort the call altogether. | android.permission.PROCESS_OUTGOING_CALLS | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-18 16:07
Reported: 2024-05-18 16:11
Platform: android-x86-arm-20240514-en
Max time kernel: 175s
Max time network: 186s

Command Line

com.wondersgroup.hs.healthcloud.patient

Signatures

Checks if the Android device is rooted.

evasion
Description | Indicator | Process | Target
N/A | /system/bin/su | N/A | N/A
N/A | /system/xbin/su | N/A | N/A

Requests cell location

collection discovery evasion
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getCellLocation | N/A | N/A

Checks CPU information

evasion discovery
Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

evasion discovery
Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Queries information about the current nearby Wi-Fi networks

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getScanResults | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Checks if the internet connection is available

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Reads information about phone network operator.

discovery

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.wondersgroup.hs.healthcloud.patient

com.wondersgroup.hs.healthcloud.patient:pushservice

/system/bin/cat /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq

/system/bin/cat /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_min_freq

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | hxqd.openspeech.cn | udp
US | 1.1.1.1:53 | data.openspeech.cn | udp
CN | 114.118.64.119:80 | hxqd.openspeech.cn | tcp
CN | 117.48.148.47:80 | data.openspeech.cn | tcp
US | 1.1.1.1:53 | api.map.baidu.com | udp
HK | 103.235.46.245:443 | api.map.baidu.com | tcp
US | 1.1.1.1:53 | www.wdjky.com | udp
GB | 142.250.200.3:443 | | tcp
US | 1.1.1.1:53 | api.exc.mob.com | udp
CN | 180.188.25.46:80 | api.exc.mob.com | tcp
CN | 114.141.131.254:443 | www.wdjky.com | tcp
CN | 114.141.131.254:443 | www.wdjky.com | tcp
CN | 114.141.131.254:443 | www.wdjky.com | tcp
US | 1.1.1.1:53 | sdk.open.talk.gepush.com | udp
US | 1.1.1.1:53 | sdk.open.talk.getui.net | udp
US | 1.1.1.1:53 | sdk.open.talk.igexin.com | udp
CN | 183.134.98.102:5224 | sdk.open.talk.igexin.com | tcp
CN | 183.134.98.76:5224 | sdk.open.talk.igexin.com | tcp
CN | 183.134.98.112:5224 | sdk.open.talk.igexin.com | tcp
US | 1.1.1.1:53 | pingma.qq.com | udp
CN | 119.45.78.184:80 | pingma.qq.com | tcp
GB | 142.250.180.14:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.180.14:443 | android.apis.google.com | tcp
CN | 183.134.98.112:5224 | sdk.open.talk.igexin.com | tcp
CN | 183.134.98.102:5224 | sdk.open.talk.igexin.com | tcp
CN | 183.134.98.76:5224 | sdk.open.talk.igexin.com | tcp
CN | 183.134.98.112:5224 | sdk.open.talk.igexin.com | tcp
CN | 183.134.98.76:5224 | sdk.open.talk.igexin.com | tcp
CN | 183.134.98.102:5224 | sdk.open.talk.igexin.com | tcp
GB | 142.250.187.206:443 | | tcp
US | 1.1.1.1:53 | www.wdjky.com | udp
CN | 114.141.131.254:443 | www.wdjky.com | tcp
CN | 183.134.98.112:5224 | sdk.open.talk.igexin.com | tcp
CN | 183.134.98.102:5224 | sdk.open.talk.igexin.com | tcp
CN | 183.134.98.76:5224 | sdk.open.talk.igexin.com | tcp
CN | 183.134.98.112:5224 | sdk.open.talk.igexin.com | tcp
CN | 183.134.98.76:5224 | sdk.open.talk.igexin.com | tcp
CN | 183.134.98.102:5224 | sdk.open.talk.igexin.com | tcp
CN | 183.134.98.112:5224 | sdk.open.talk.igexin.com | tcp
US | 1.1.1.1:53 | www.wdjky.com | udp
CN | 114.141.131.254:443 | www.wdjky.com | tcp
CN | 183.134.98.76:5224 | sdk.open.talk.igexin.com | tcp
CN | 183.134.98.102:5224 | sdk.open.talk.igexin.com | tcp
CN | 183.134.98.112:5224 | sdk.open.talk.igexin.com | tcp
CN | 183.134.98.102:5224 | sdk.open.talk.igexin.com | tcp
CN | 183.134.98.76:5224 | sdk.open.talk.igexin.com | tcp
US | 1.1.1.1:53 | www.wdjky.com | udp
CN | 114.141.131.254:443 | www.wdjky.com | tcp
CN | 183.134.98.112:5224 | sdk.open.talk.igexin.com | tcp
CN | 183.134.98.102:5224 | sdk.open.talk.igexin.com | tcp
CN | 183.134.98.76:5224 | sdk.open.talk.igexin.com | tcp
US | 1.1.1.1:53 | www.wdjky.com | udp
CN | 114.141.131.254:443 | www.wdjky.com | tcp
CN | 183.134.98.112:5224 | sdk.open.talk.igexin.com | tcp
US | 1.1.1.1:53 | www.wdjky.com | udp
CN | 114.141.131.254:443 | www.wdjky.com | tcp
CN | 183.134.98.102:5224 | sdk.open.talk.igexin.com | tcp
CN | 183.134.98.76:5224 | sdk.open.talk.igexin.com | tcp
CN | 183.134.98.112:5224 | sdk.open.talk.igexin.com | tcp

Files

/storage/emulated/0/backups/.SystemConfig/.cuid2

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.wondersgroup.hs.healthcloud.patient/databases/healthCloud-journal

MD5 c559e1cf8cac0bfa141278dc987a1976
SHA1 00cd7915fa32d3eec2796571e19ee9b9271aeab3
SHA256 2114aad2f15544212c07cd04a36d817a8eae772a0aa0a3acd7230cddf81ebf0a
SHA512 31526f5588f30778266b1743a7840d62575f39cf783810194f141469847ac61962e17ff3ba63354128fda99cc480a47328b18680b480589ecb44180674dc575d

/data/data/com.wondersgroup.hs.healthcloud.patient/databases/healthCloud

MD5 e6242131a071ccf7ebb2cca364a57485
SHA1 4741ce47e4768d95b07a31678db4a66169b71562
SHA256 09f5a184e4f4c53a23b7fa39fc0f907eaf487ef47880722b68f9d7bca82e4b50
SHA512 ca0aae789e78b9bd39e8c017644c618f803a1c8d02b7f74338806f3c23635737f7c823ed4d8f03f106a564f7993dae6cf564fc580a0f55bf899600f49690531e

/data/data/com.wondersgroup.hs.healthcloud.patient/databases/healthCloud-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.wondersgroup.hs.healthcloud.patient/databases/healthCloud-wal

MD5 a9d6eb85654189c69aa1aa6d7b4e9032
SHA1 160bed5adf0fae6195c99dcca9c58371cd4b6be1
SHA256 e32f997675a72734b7e61bb64cadcecf17359534b600ec19c10ff5d4abbc0365
SHA512 0abce3ffc33ab2cb69ab2cd6cac8dcac7112c19f92e9839af36f75b963e821b9b9be0d91e6a53c47470344b3e3f040b382fd5fdb0efacd4e98f3dcd59fea442f

/data/data/com.wondersgroup.hs.healthcloud.patient/databases/local_data_patient2.db

MD5 50a46d64496658abc64d837699413be5
SHA1 645d83b47c8fefc2a069262bad40f630b2d0d814
SHA256 57dc792fe40527ca5237887d06e3a855c4a6ef681ccb68977d759e8c8c0967a8
SHA512 3ad2c3c5f0a7adba773138194f1125f2142e46a807fd578b75b308ef9555fd5265240759c6acc1473e0b5e9a4bc6fe7404446898c499c90d18c754c3e88012fe

/data/data/com.wondersgroup.hs.healthcloud.patient/databases/local_data_patient2.db-journal

MD5 dc807f4fc9b349cf6af302e7931117f6
SHA1 8a778c4fa0a91af206003f6b04d2b3dc71e25754
SHA256 1bd265d938b0e2de1f0509e3d591426d1489def87f435be630803ce8342f1074
SHA512 8968dff21934334c7c329a8681e9ac1a4bd0755ef742cca38a7dc3c3686cd60d9bce1c9a6899f00d46840d162788dd5689475a8eefb9257e2117709450acefbe

/data/data/com.wondersgroup.hs.healthcloud.patient/databases/local_data_patient2.db

MD5 fb94489ed872af1c23994e6303b6bce3
SHA1 8ec28e9f34b4e2a93ba0cc60dca4f37ce0202228
SHA256 6047554b242782e084deb42d7693ce5b3b0a9e56fd69292c20050b17add5151c
SHA512 19c3aafd93992f8866821c1449cef4bacf95f5ee1c5764e53d06b6bcd64f70da3237617f14a7b7e0f56772c7d80a3a240c4806df7fb83834a290e95ecf634eb4

/data/data/com.wondersgroup.hs.healthcloud.patient/databases/local_data_patient2.db-wal

MD5 e32a7f84eeef820cd6c216b3d7b7c11d
SHA1 76162dc140e725df40ec936d84ca09ce14d21d0b
SHA256 d9e857d4f6a0f2a243568cff5e57b2037be66bd5811b4a2d534f5ed9e69a855e
SHA512 40ed0eb88266dabf9d3e45fd60679f5f019686fcc7e85addbc6d079883a29e40d9a032b4f3cef934882a1e9de128ac3f21b2465e6060e873f220400edf23cf3b

/storage/emulated/0/com.wondersgroup.hs.healthcloud.common/cache/journal.tmp

MD5 27e11278f1ad5ea170159841bef85eb9
SHA1 c9eef99d176b102d5e614c7dfde3eec770eb29eb
SHA256 f2467b897f7539b0050def69eb667969a28a40a9d86848bfe321c3e220f0fd88
SHA512 3cbc94ccc003813c16a8150d555e2bac8bfe58d42ea985da414f0a2283b86667ad75e9ba52cac0e61d4397f77d60b5731851c125eb9b90fb8174f6cbf80256b9

/storage/emulated/0/Mob/comm/.di

MD5 70a42cba408700f9a6c01c7941a8829e
SHA1 eab01cc2c0671538795fb0b1146017dc099d0984
SHA256 499576707ce2623293166979e59c832be5b8636c64ad39aa63ebcf961910c35f
SHA512 8900d4dc8eed0430babbacb72942401bd22ef7fe5430cad90d3ce0c2c53010220d666aa0e2eb1026f3ec81d574c7fa12585b49222a5f15b01637f6ba134fe70c

/storage/emulated/0/Android/data/.mn_410185822

MD5 e8be01a3d651b9f955cbb28d7fe2f623
SHA1 04010f8b539c2e98c8d7b7752e9879547aa9dc0f
SHA256 97f36bba6fac1a853fc47a62ed426b46325a58a209d20a7c232641ffba4e44f4
SHA512 19eb61bf037bcc667e6a19773beee13011faffc9a5f8efffebddeb5e27e017bc47f26e143de5e9f471668bdd9eb445fb85afda410b065f0d3ae323169ba4b34f

/data/data/com.wondersgroup.hs.healthcloud.patient/databases/tencent_analysis.db_com.wondersgroup.hs.healthcloud.patient-journal

MD5 30fe769c1da03ed0bce9b833ed215927
SHA1 caa72aba1a19e3f5876315c5540e12d6712c47b6
SHA256 0de797de75cfd2dd2c140d2e19b72d70e547d696fb25cf594759405af47cef30
SHA512 65c8ccd762aed43d2a6d8828cd6b36f3dee85957bf724649ec37dcda0f5d5c70cb2ef351368825cf31de12c5c5046137040466ee762d7c930967e069aa382ac1

/data/data/com.wondersgroup.hs.healthcloud.patient/databases/tencent_analysis.db_com.wondersgroup.hs.healthcloud.patient-wal

MD5 420496b639b16db67cd33177743cdac0
SHA1 efac6ea7dcdb9ec14f4ad52aaf64b380d5ad16b8
SHA256 099a61c476086b4c2213ae3c5fa782d03e2fa99b46e0cabecbcf4c100808f33d
SHA512 b3deeb15048f7ece61a9d5c8014285593f5c4b8a79d5db86905240f7aed176deee6e1813f1a953101a2edabd05db882ef3b21ffe4f960c70487cc26b602abc7f

/data/data/com.wondersgroup.hs.healthcloud.patient/databases/pri_tencent_analysis.db_com.wondersgroup.hs.healthcloud.patient-journal

MD5 8d7652e1280fbe5ed02a6e838dfe4342
SHA1 95b09ddfc920fef1204d727beb7e20c7326a8274
SHA256 ebfdc765466f940a001ffe917dbf3f0f8ac6184b8894ad83e29cd396ffa0e85f
SHA512 4675b2a22387c1f22ebaedfbd6ce8ccfc12ddbd67ef38dd6d7449790e9e2771da0cb64ba970b208e1a9326446d1126e403c4f538de9269c36e7f64d0a5c1821d

/data/data/com.wondersgroup.hs.healthcloud.patient/databases/pri_tencent_analysis.db_com.wondersgroup.hs.healthcloud.patient-wal

MD5 54c7f313ceb58bf2f88923ef4d326ee1
SHA1 6739451e00d4ffe93f8dc0bfa2138635135ceac0
SHA256 1ce88eadbd60f2af859fa3b9240098472e6c943213bf4e8ee62eaf84da2994e0
SHA512 3d1f31ec0440c9e682850689b9ab3447006fcebd1783c6d6e2f66270ef8e84fc02cd0dd2a1aa97851bda6c5458a460cf2728a43da582e863d0511c2cdd6e13d7

/data/data/com.wondersgroup.hs.healthcloud.patient/files/init_c.pid

MD5 e0f7d76d07ade18d9d0c9be1d87422c6
SHA1 2abfcf6c92ee63c4dee91646c9d6e3d49c6024fb
SHA256 8aecd796607ec1c3d8598f7ef2c5848a1b08d1dacb1a4d792e812c0f3a20eebc
SHA512 39e76def78057e9a50651523db3d2b3e2c148b5c63bc46b86fecfc9e4a5c68ef31553551f8533ddc7e0e64355cc1a658d5d79f76e368c3c3766ddcb1ee3727c2

/data/data/com.wondersgroup.hs.healthcloud.patient/databases/ThrowalbeLog.db-journal

MD5 211811ccac2019019c4e19415dfd9cc0
SHA1 738f428b4ffad2b331cedcb93c50d8063ceee7ea
SHA256 7d53cbb2b15f9043a00b87d78439ea245ad90bd8c7457fa74ba5ce4e8e8579ad
SHA512 68abe21d7699476a432ea1d47b55d057eb6c6b0dfcb2b00649400b82f3266b14b37143e126ebc7196a1d0ef188e543a4102f3ce7af581d9e454b5067a2700d2f

/data/data/com.wondersgroup.hs.healthcloud.patient/databases/ThrowalbeLog.db-wal

MD5 47e34d7f22f672cd24b93fcf146dd5f5
SHA1 fb7c0ea1d01ab4888c6031f1bef9e7df555f7acf
SHA256 f2fec17fa8713fc73ca98474ec8dee6642b3ab25ab7c75ed67241cedccc4e0a6
SHA512 8faee598dabe9f7e40b285657b43f0f77c1abddf9a9e785a705a7c78313883d58501e44056ea72544fb9d565ad3263d33c9e84e7d63976be28a030aa1b18b858