Malware Analysis Report

2025-08-05 19:09

Sample ID 240518-wnhdpsga5s
Target 561509cf6f827af8f7858757bf006cd3_JaffaCakes118
SHA256 68dffad1a3079432c6d8f191eaaebdd2e219d8a1d91e8cd95588978e4ea564bf
Tags
collection discovery evasion impact persistence
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

68dffad1a3079432c6d8f191eaaebdd2e219d8a1d91e8cd95588978e4ea564bf

Threat Level: Likely malicious

The file 561509cf6f827af8f7858757bf006cd3_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

collection discovery evasion impact persistence

Requests cell location

Queries information about running processes on the device

Queries information about the current Wi-Fi connection

Registers a broadcast receiver at runtime (usually for listening for system events)

Queries information about the current nearby Wi-Fi networks

Reads the contacts stored on the device.

Declares services with permission to bind to the system

Requests dangerous framework permissions

Checks if the internet connection is available

Reads information about phone network operator.

Listens for changes in the sensor environment (might be used to detect emulation)

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-18 18:03

Signatures

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A
Allows an application to write the user's contacts data. | android.permission.WRITE_CONTACTS | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-18 18:03

Reported

2024-05-18 18:07

Platform

android-x86-arm-20240514-en

Max time kernel

174s

Max time network

186s

Command Line

com.travelrely.wifibox

Signatures

Requests cell location

collection discovery evasion
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getCellLocation | N/A | N/A
Framework service call | com.android.internal.telephony.ITelephony.getAllCellInfo | N/A | N/A

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Queries information about the current nearby Wi-Fi networks

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getScanResults | N/A | N/A
Framework service call | android.net.wifi.IWifiManager.getScanResults | N/A | N/A

Reads the contacts stored on the device.

collection
Description | Indicator | Process | Target
URI accessed for read | content://com.android.contacts/contacts | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Checks if the internet connection is available

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Reads information about phone network operator.

discovery

Listens for changes in the sensor environment (might be used to detect emulation)

evasion
Description | Indicator | Process | Target
Framework API call | android.hardware.SensorManager.registerListener | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.travelrely.wifibox

com.travelrely.wifibox:pushservice

com.travelrely.wifibox:remote

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | api.map.baidu.com | udp
HK | 103.235.46.245:443 | api.map.baidu.com | tcp
US | 1.1.1.1:53 | sdk.open.talk.gepush.com | udp
US | 1.1.1.1:53 | sdk.open.talk.getui.net | udp
US | 1.1.1.1:53 | sdk.open.talk.igexin.com | udp
CN | 183.134.98.112:5224 | sdk.open.talk.igexin.com | tcp
CN | 183.134.98.102:5224 | sdk.open.talk.igexin.com | tcp
CN | 183.134.98.102:5224 | sdk.open.talk.igexin.com | tcp
US | 1.1.1.1:53 | ofloc.map.baidu.com | udp
CN | 111.63.96.122:443 | ofloc.map.baidu.com | tcp
US | 1.1.1.1:53 | loc.map.baidu.com | udp
HK | 103.235.46.246:443 | loc.map.baidu.com | tcp
HK | 103.235.46.246:443 | loc.map.baidu.com | tcp
GB | 142.250.200.46:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.201.110:443 | android.apis.google.com | tcp
CN | 183.134.98.102:5224 | sdk.open.talk.igexin.com | tcp
CN | 183.134.98.102:5224 | sdk.open.talk.igexin.com | tcp
CN | 183.134.98.112:5224 | sdk.open.talk.igexin.com | tcp
CN | 183.134.98.102:5224 | sdk.open.talk.igexin.com | tcp
CN | 183.134.98.112:5224 | sdk.open.talk.igexin.com | tcp
CN | 183.134.98.102:5224 | sdk.open.talk.igexin.com | tcp
GB | 172.217.169.14:443 | | tcp
CN | 183.134.98.102:5224 | sdk.open.talk.igexin.com | tcp
CN | 183.134.98.112:5224 | sdk.open.talk.igexin.com | tcp
CN | 183.134.98.102:5224 | sdk.open.talk.igexin.com | tcp
US | 1.1.1.1:53 | www.google.com | udp
GB | 142.250.200.4:443 | www.google.com | tcp
CN | 183.134.98.112:5224 | sdk.open.talk.igexin.com | tcp
CN | 183.134.98.102:5224 | sdk.open.talk.igexin.com | tcp
CN | 183.134.98.102:5224 | sdk.open.talk.igexin.com | tcp
CN | 183.134.98.112:5224 | sdk.open.talk.igexin.com | tcp
CN | 183.134.98.102:5224 | sdk.open.talk.igexin.com | tcp
CN | 183.134.98.102:5224 | sdk.open.talk.igexin.com | tcp
CN | 183.134.98.112:5224 | sdk.open.talk.igexin.com | tcp
CN | 183.134.98.102:5224 | sdk.open.talk.igexin.com | tcp
CN | 183.134.98.102:5224 | sdk.open.talk.igexin.com | tcp
CN | 183.134.98.112:5224 | sdk.open.talk.igexin.com | tcp
CN | 183.134.98.102:5224 | sdk.open.talk.igexin.com | tcp
CN | 183.134.98.102:5224 | sdk.open.talk.igexin.com | tcp
CN | 183.134.98.112:5224 | sdk.open.talk.igexin.com | tcp
CN | 183.134.98.102:5224 | sdk.open.talk.igexin.com | tcp
CN | 183.134.98.102:5224 | sdk.open.talk.igexin.com | tcp
CN | 183.134.98.112:5224 | sdk.open.talk.igexin.com | tcp

Files

/storage/emulated/0/com_travelrely_wifibox/log/log_2024-05-18.txt

MD5 e3369bd33af126310449c799bb0f9fdb
SHA1 8c78e338aadd5fc0ed5af0d102627564fdb26cf4
SHA256 6810d840e07c90fa00fbf80dab8b57f93045bc92da8966713710506efffdca36
SHA512 01d9cedca7317648498fdd896e8ef31076e450581b392c1a0baee554a3702fb4235824c44867dc2c84013ce148beeee9cf029157b5d96e81ab5f68be88ac88ce

/data/data/com.travelrely.wifibox/databases/ble_app.db-journal

MD5 af757be229945be283974841139afbae
SHA1 7effab66dfda5890e9c65b2538fb073a71502670
SHA256 9e63d4d76760ce8968ff4cd4ea3450981d377876b31a1c651b26cf4ab7282100
SHA512 e164c3f219121ec48481653693fff175db6ccdb5e9d66b63d4ddbb21d42069579837375ebf1c0525e697a7183bcb9a0b46a86707467269cbe5a55c7b7266bee2

/data/data/com.travelrely.wifibox/databases/ble_app.db

MD5 03454374d2dfc1686ee01151b9b2add8
SHA1 e7edd7523f006243708e8de11b91b8a8285f999f
SHA256 224e1ac4c1f36cdadee06a9d023a591abb62ab6f063d01b31588c457b239371c
SHA512 65539ac64e34215f142d38482b792abcb993532615ee2b31d4d07d8f766e719c99b71a438af6c874a8c54a7487ed0a45a0cf066187f0ef68e21773d064e4dd29

/data/data/com.travelrely.wifibox/databases/ble_app.db-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.travelrely.wifibox/databases/ble_app.db-wal

MD5 16c23011cc29872300b9c02690321ab7
SHA1 1b35420bba9d3740f72a4606a7b4fbc147f0c80e
SHA256 bb0f27ebc947a28e5150dfc31636e1db2777fb86a1587b97e4485759b3443010
SHA512 c017448c770d8b622efe0bc889077c6a70c0d9d0bffd1e4150e7f366e1cf96f83b30bb1aeeaab84f29bf6b5e8c54afd35401b475aa93742831b65c7768b0c4e2

/storage/emulated/0/com_travelrely_wifibox/log/log_2024-05-18.txt

MD5 9b49eff87b82ca065c06733dc6c697da
SHA1 b592a4fe27515d36a2141dffd2573de4ef9ea44b
SHA256 117a1b92890120ac226a761cfc6b34d41a6ab2ad38892377ddc5e034b50c7b3a
SHA512 5b3e09403f62e75c966b37fbe6c05ed5cb6646ce1a3787a740b4af5e508b8289a573f8883e4c9b1d752120a0f7e4bd7c0d5fffe4a52d52915049154bf0ba5cb1

/storage/emulated/0/com_travelrely_wifibox/log/log_2024-05-18.txt

MD5 f91c60adaef0e74adc2e7b9c5a46694d
SHA1 c2c5c9601e1b8272c87c2c7427dadd4b748edf6d
SHA256 a100058316e365566f9dd39170c2c679faa6f5e3f0f338ecb57c5e016e8bd002
SHA512 f973d4615ea4fa926cdf3e8d3a4c99415d789b1e3518a527397ab1a12d6ee5dc5c1c75e6b7fc8e8e9214c61d472ea3c028faf8bfaab58b724c03e6ef17dee3ee

/data/data/com.travelrely.wifibox/files/libcuid.so

MD5 0d3e99204c6401ea499fe9e6d9855497
SHA1 09829f00ca458eab7374d5079393a2cd69a2348a
SHA256 63ad014cb50908591939d6a1536f85eece807425af4f4e8a1f9b9eeab13cc5ca
SHA512 8d9a50aa9abd17e508ed3ac35a3033e8f9e550d1088baa951f53e6c4697c5ac026d22b90e36e27341d64baa3f0202bd89ca97583e99feb25f8c26b5776c59c68

/storage/emulated/0/com_travelrely_wifibox/log/log_2024-05-18.txt

MD5 4d91cfd68b57807353ad7a86978ed2d2
SHA1 c127313cb5fb818525661069e414024d2ddfc5e0
SHA256 8455dae14367dda3c33fa9018094153cf13333ee5cf68ad103fe1f4e4c4e3186
SHA512 640ff1f725e2e0edbfa5eff903c765072916247a9c8db171e75c6a47558e7909cb0e38d347b349a88f8320a82edddcc8fdf5afb788ef27d86ed185dca7f94708

/storage/emulated/0/backups/.SystemConfig/.cuid2

MD5 c0e971ccf95b2fe4032fdff77ac1a3a3
SHA1 3b27702cdef7ada6570d6802c900e3fbc1b62c71
SHA256 e85f73eb30a27ebb6d10bd393abe08c8d89aa3a67908837fda5f1a70d1eb3802
SHA512 875a981cf9ef245e7b11202819569371eae9369a123c8117f5f7cd09fa56af9c2d475d61bcfb52b20246d9f2f8f5663269a1fe64422ab1a9867e4054c8f1dac4

/data/data/com.travelrely.wifibox/files/lldt/gal.db-journal

MD5 5627c475733169c127b86418e79d16bc
SHA1 de811152a977131358f600125fc95a35154a4243
SHA256 3c208968cf032418db5764d611fd31342275ceb1b6cbb5f2ae186a1acc4f65a2
SHA512 d6ec4932b3ed6d93b2ad93d0da213a57c90a9dfe9702a4cb016f88aa338db0e926f88b7853362fe140eeaec344a34b10f8d85eec72accec02ca5740ebac8fb3e

/data/data/com.travelrely.wifibox/files/lldt/gal.db

MD5 0106bcfbec03d55439badfcae6525fb1
SHA1 fb210c7400a9dd18b5c8b0979d544ef47fd5c5ea
SHA256 d7190c32e0f1eef5a7d18f6905b74057f1e28080bc9c8c1de5c5e21b3cd3dc6f
SHA512 18aa18463553a66b86f483cb31d6ef4f89852247f98700c88651cb8e1921092797f5a4651a4ed894f0e73913d5419705b9fe7208e8f5c48603a16962f88f00f6

/data/data/com.travelrely.wifibox/files/lldt/gal.db-wal

MD5 19ccc44895a1db5574c5ed289b03745a
SHA1 8feff9784f9ee52fde301dbabf06297daf2adce7
SHA256 05ee15ae2124797f248115290fea475de6108160bb74f724e002867048a5497b
SHA512 99f6d69d25314ee440e633bb5518b7ac50a106072f10e456ad143f0ff5b32fc9944b9618e4d9e0b61c4f5a264c388a9f2ba15c5fba6ab2289ad79133ea09663a

/data/data/com.travelrely.wifibox/files/ofld/ofl_location.db-journal

MD5 9da9288369a3ff4bf2c265d23d71a5b6
SHA1 57f5288729be9e2703a5a89a51b243ab112423af
SHA256 4601be4393e7e5496b7e2bf3b4d5ad841e17ef354f598367e71c074314e4630c
SHA512 5eacd5034a99d73a24fbed603f6fc1c8067bb6f980edb0052b7b905282cfa52c947dec349277b1c0863dcb96c0990b81bb21adee8e040d1d863ed35a77a1f1e8

/data/data/com.travelrely.wifibox/files/ofld/ofl_location.db

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.travelrely.wifibox/files/ofld/ofl_location.db-wal

MD5 6be035c088d53486979f3886786a7aa3
SHA1 a940e9b5863f84fd5443f9c50534b4074f388f33
SHA256 53ce9b6085c8ceefbd1a036013f5826a45213cf6dffa32fb9f9be4ba238577de
SHA512 017d168ea98a9d11d88e5de7543efb7edc9970772ddd14f277c351a64928a671430ce637fc8c96d3a04aa86c89ee955b50b756a34c799afbf1a43cdfb4069b85

/storage/emulated/0/com_travelrely_wifibox/log/log_2024-05-18.txt

MD5 71e1ec843910b379c770b4a51c98941a
SHA1 43324cefb3004856031da4bf66e0ac02a3d7d5f5
SHA256 cbe62b877ec6a2f4eaa1b6f001433f67878b21371334d7a638951f1cd8c696cc
SHA512 7f3fa47067b97c7cd3605bcd35637cdbbc2e0111b94098b3788f8cb7b536708895f91568dcd7a405dd0acbb2c0dda4d6b2e6b04387cf8e1add56270410f09b43

/data/data/com.travelrely.wifibox/files/ofld/ofl_statistics.db-journal

MD5 ca25375421470be938e8324de6d8a34c
SHA1 2a04eedc6dfd15d6c7f8fa57c3a6883208274ed4
SHA256 8f3b4da2a70ee7609f20cb5eb2a4001adc025ea6b4094baf0b3cbe65dd0b562e
SHA512 ae199ac53b64434c4e19c2327226b86e86ee17701ddb37d255b3281f8c37de423971606e36f499593f63ed8947b0ab151b0585346d46035edff11a62f8458ec3

/data/data/com.travelrely.wifibox/files/ofld/ofl_statistics.db-wal

MD5 b2e2472bb06410ac0d3f5c336ab195f5
SHA1 cad8fd76db1380ff0d11e850ac420276400f8a0c
SHA256 d1f47b82b1ff9d686d27aaa36f5c6649c68dc9ee5326d3286302b425de541710
SHA512 a602d33f44e42669fd3ccdfb82f200ac8858a8050ea15f403d2fa27b1c645b64b4d770a3bd77b8a0219556588ebc82d9eade28e88fe64af184028fb6e8822264

/data/data/com.travelrely.wifibox/files/lldt/firll.dat

MD5 89fba1f31a1da5c04b1396703155bdaf
SHA1 3647e0d8106330b79d16b9643538573027c15571
SHA256 86bd963e3ee1c8765f8bb511801556fc6123ed4c7286af64c297e775f96970f7
SHA512 95a232470b2c77305ebbf118dc2906d638dea2a84733f13a94b68081a884c19f944f2ab8c571e915f8c35981ff49658670496d2e98509ff87809482267316ab6

/storage/emulated/0/baidu/tempdata/lcvif.dat

MD5 3d714dfb5cd13c47cbb2ede079cb8853
SHA1 028a00236865cb2d4fe3c32652482c3c518f7910
SHA256 6bdd1bc7e74d32017273d6c3b7d46de12170c172948cee6f5e4a5dd618131eb6
SHA512 9417c59cf2e9b8e56d32f2f684fbae0503c0a82bdff198636aae263ae136328aa3b610ff9cd8c90e36fce7c192f2a0d6dad37a5c84d9509427a6ea438595bd97

/storage/emulated/0/baidu/tempdata/conlts.dat

MD5 8d80bc8ea90e9cac010d3ddf97bda5f5
SHA1 f063bc0d356e6ba9ab1eb9a851131ffbefd8fa07
SHA256 f52db31332534833414abd5e870f78c810b8ebbe5b134bbf599506beecfd1b93
SHA512 9ea732dd572a9a4ba91b70891972230a09576687ca1bc19e62d5a98b5b84e0f2ae11985108008bc9fbccf357219b8bd3dbf146bb70752f618f70dc5d0c46a7c7

/storage/emulated/0/baidu/tempdata/conlts.dat

MD5 1a656e941e7b3e39723f0b0505881237
SHA1 58b9915a4742729220d8bb9e8c84eb707d6cba54
SHA256 8f4ad351365044a6a9374123a0956cb349c75328c39d4b22a37a97b5137cd75c
SHA512 53b6e5f060e51358aadf8a04333e7eb859d81dfc4df552e67667d99fdb87e1b56d67d63a94598ffd6913040741bf0303198182dc9eec27a328ff8912fd6f31e9

/storage/emulated/0/baidu/tempdata/lcvif.dat

MD5 7ad4f478509303434a355269f2be3da1
SHA1 73babc07b6fc16b959584b6b35562ec61962036a
SHA256 6736aff61471a472a0ef7593957322f0f4864ee7d33263582c7ccab489425e2d
SHA512 2f023cc76afcb0f7ced638d3ddee65961b147eb428d3d7bfc95d125a48f03d5fa20504c4364bca39b7ced2882bb098efdf05c97accc3e77b83215942fc5f547c

/storage/emulated/0/baidu/tempdata/yoh.dat

MD5 a936690571e9104e1922dda4a0ba5bd1
SHA1 65f49c57edde2f96be2a1dbdfc3f7351f1e66554
SHA256 f0f5049c51879dd7da0ce4a43349b5b34ce053d072a0ca704f62cf22ba4a8412
SHA512 3be1c3693963aebdfc04e86b1c820ee0ec3cf0b200e6a4788ef1141f39fd6c2f77f4227247ae4affa66c0a6c027df8466cc0dcec1e67ebfb953e36bee97de394

/storage/emulated/0/baidu/tempdata/yoh.dat

MD5 1681ffc6e046c7af98c9e6c232a3fe0a
SHA1 d3399b7262fb56cb9ed053d68db9291c410839c4
SHA256 9d908ecfb6b256def8b49a7c504e6c889c4b0e41fe6ce3e01863dd7b61a20aa0
SHA512 11bb994b5d2eab48b18667c7d8943e82c9011cb1d974304b8f2b6247a7e6b7f55ca2f7c62893644c3728d17dafd74ae3ba46271cf6287bb9e751c779a26fefc5