Malware Analysis Report

2025-08-05 19:14

Sample ID 240519-eyz8tsac77
Target 58849c5a9eb5285b444a1f0ea8827d0d_JaffaCakes118
SHA256 f4192402915d000ca1389cc24c6cb7b7245372a10d1735b3a2b7c3a2479eff18
Tags
discovery evasion impact persistence
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

f4192402915d000ca1389cc24c6cb7b7245372a10d1735b3a2b7c3a2479eff18

Threat Level: Likely malicious

The file 58849c5a9eb5285b444a1f0ea8827d0d_JaffaCakes118 was found to be: Likely malicious.

Read the verdict against the rest of the report: the behavioral signatures below (root-binary checks, /proc/cpuinfo and /proc/meminfo reads, Wi-Fi and connectivity queries, runtime receiver registration, javax.crypto use) are also routine device-fingerprinting and telemetry behavior of bundled analytics and crash-reporting SDKs, and this detonation wrote Fabric/Crashlytics session files and Umeng caches (see Files) while talking to oc.umeng.com and alog.umeng.com (see Network). The traffic that is specific to the application itself is the plain-HTTP exchange with sylvanas.itianpin.com, so the 8/10 score is a heuristic rating rather than a confirmed malicious verdict.

Malicious Activity Summary

discovery evasion impact persistence

Checks if the Android device is rooted.

Checks CPU information

Queries information about the current Wi-Fi connection

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks memory information

Checks if the internet connection is available

Requests dangerous framework permissions

Checks the presence of a debugger

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-19 04:21

Signatures

Requests dangerous framework permissions

Indicator                                  Process  Target  Description
android.permission.READ_PHONE_STATE        N/A      N/A     Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device.
android.permission.WRITE_EXTERNAL_STORAGE  N/A      N/A     Allows an application to write to external storage.
android.permission.READ_EXTERNAL_STORAGE   N/A      N/A     Allows an application to read from external storage.
android.permission.WRITE_SETTINGS          N/A      N/A     Allows an application to read or write the system settings.
android.permission.ACCESS_FINE_LOCATION    N/A      N/A     Allows an app to access precise location.
android.permission.ACCESS_COARSE_LOCATION  N/A      N/A     Allows an app to access approximate location.

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-19 04:21

Reported

2024-05-19 04:24

Platform

android-x86-arm-20240514-en

Max time kernel

63s

Max time network

130s

Command Line

com.itianpin.sylvanas

Signatures

Checks if the Android device is rooted.

evasion
Description             Indicator                                              Process  Target
N/A                     /system/app/Superuser.apk                              N/A      N/A
N/A                     /system/xbin/su                                        N/A      N/A

Checks CPU information

evasion discovery
Description             Indicator                                              Process  Target
File opened for read    /proc/cpuinfo                                          N/A      N/A

Checks memory information

evasion discovery
Description             Indicator                                              Process  Target
File opened for read    /proc/meminfo                                          N/A      N/A

Queries information about the current Wi-Fi connection

discovery
Description             Indicator                                              Process  Target
Framework service call  android.net.wifi.IWifiManager.getConnectionInfo        N/A      N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description             Indicator                                              Process  Target
Framework service call  android.app.IActivityManager.registerReceiver          N/A      N/A

Checks if the internet connection is available

discovery
Description             Indicator                                              Process  Target
Framework service call  android.net.IConnectivityManager.getActiveNetworkInfo  N/A      N/A

Checks the presence of a debugger

evasion

Uses Crypto APIs (Might try to encrypt user data)

impact
Description             Indicator                                              Process  Target
Framework API call      javax.crypto.Cipher.doFinal                            N/A      N/A
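The script below is an added example, not part of the sandbox report and not the sandbox's own rule engine. It replays the behavioral signatures above as anchored regex rules over a constructed event log built from the indicators the report lists, collapses repeated events the way the report prints /proc/cpuinfo once, aggregates the tag line, and applies a simple "SDK noise" check: if every fired rule is one a bundled analytics or crash SDK commonly triggers, the verdict needs corroboration from elsewhere (for this sample, the app-specific network traffic). The rule table, the tags, the sdk_noise flag and the "Sends SMS" rule are assumptions of this example; the SMS rule is hypothetical and was not observed in this sample.

```python
"""Replay Triage-style behavioral signatures over raw detonation events.

Added example, not part of the sandbox report and not the sandbox's own rule
engine: SAMPLE_EVENTS is constructed from the indicators the report lists,
and the rule table, its tags and the sdk_noise flag are this example's
assumptions (the sandbox's real rule set and scoring are not on the page).
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    kind: str        # "file_open", "service_call" or "api_call"
    indicator: str   # path, or fully qualified framework method
    process: str


@dataclass(frozen=True)
class Rule:
    name: str
    tags: tuple
    kind: str
    pattern: str     # regex, fullmatch'ed against the indicator
    sdk_noise: bool  # assumption: routinely fired by analytics/crash SDKs


RULES = (
    Rule("Checks if the Android device is rooted", ("evasion",), "file_open",
         r"/system/(app/Superuser\.apk|x?bin/su)", True),
    Rule("Checks CPU information", ("evasion", "discovery"), "file_open",
         r"/proc/cpuinfo", True),
    Rule("Checks memory information", ("evasion", "discovery"), "file_open",
         r"/proc/meminfo", True),
    Rule("Queries information about the current Wi-Fi connection", ("discovery",),
         "service_call", r"android\.net\.wifi\.IWifiManager\.getConnectionInfo", True),
    Rule("Registers a broadcast receiver at runtime", ("persistence",),
         "service_call", r"android\.app\.IActivityManager\.registerReceiver", True),
    Rule("Checks if the internet connection is available", ("discovery",),
         "service_call", r"android\.net\.IConnectivityManager\.getActiveNetworkInfo", True),
    Rule("Uses Crypto APIs", ("impact",), "api_call",
         r"javax\.crypto\.Cipher\.(doFinal|update)", True),
    # Hypothetical rule, NOT observed in this report: included only so the
    # sdk_noise heuristic has a signature it would not excuse.
    Rule("Sends SMS", ("impact",), "service_call",
         r"com\.android\.internal\.telephony\.ISms\.send\w+", False),
)


def match_signatures(events):
    """Return {rule name: sorted distinct indicators} for every rule hit.

    Repeated events collapse to one indicator, the way the report lists
    /proc/cpuinfo once however many times it was read."""
    hits = {}
    for ev in events:
        for rule in RULES:
            if rule.kind == ev.kind and re.fullmatch(rule.pattern, ev.indicator):
                hits.setdefault(rule.name, set()).add(ev.indicator)
    return {name: sorted(inds) for name, inds in hits.items()}


def tags_for(hits):
    """Aggregate the tag line the report prints under the score."""
    return sorted({t for r in RULES if r.name in hits for t in r.tags})


def sdk_noise_only(hits):
    """True when every fired rule is one a bundled SDK commonly fires;
    such a verdict needs corroboration (e.g. app-specific network traffic)."""
    return all(r.sdk_noise for r in RULES if r.name in hits)


PROC = "com.itianpin.sylvanas"
# Constructed from the report's behavioral indicators; one duplicate read and
# one unmatched file open are included to show collapsing and non-matches.
SAMPLE_EVENTS = [
    Event("file_open", "/system/app/Superuser.apk", PROC),
    Event("file_open", "/system/xbin/su", PROC),
    Event("file_open", "/proc/cpuinfo", PROC),
    Event("file_open", "/proc/cpuinfo", PROC),
    Event("file_open", "/proc/meminfo", PROC),
    Event("file_open", "/data/data/com.itianpin.sylvanas/files/umeng_it.cache", PROC),
    Event("service_call", "android.net.wifi.IWifiManager.getConnectionInfo", PROC),
    Event("service_call", "android.app.IActivityManager.registerReceiver", PROC),
    Event("service_call", "android.net.IConnectivityManager.getActiveNetworkInfo", PROC),
    Event("api_call", "javax.crypto.Cipher.doFinal", PROC),
]

if __name__ == "__main__":
    hits = match_signatures(SAMPLE_EVENTS)
    for name, inds in hits.items():
        print(f"{name}: {', '.join(inds)}")
    print("tags:", " ".join(tags_for(hits)))
    print("SDK-noise only:", sdk_noise_only(hits))
```

Run against the constructed log it reproduces the report's seven behavioral signatures and the tag line discovery evasion impact persistence, and sdk_noise_only() returns True; adding a single SMS-send event flips it to False, which is the kind of signature that would justify the score on its own.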

Processes

com.itianpin.sylvanas

Network

Country  Destination          Domain                   Proto
N/A      224.0.0.251:5353     (none)                   udp
GB       172.217.169.14:443   (none)                   tcp
US       1.1.1.1:53           www.google.com           udp
GB       142.250.187.228:443  www.google.com           tcp
US       1.1.1.1:53           oc.umeng.com             udp
US       1.1.1.1:53           sylvanas.itianpin.com    udp
CN       59.82.23.79:80       oc.umeng.com             tcp
US       1.1.1.1:53           alog.umeng.com           udp
CN       223.109.148.177:80   alog.umeng.com           tcp
JP       106.186.19.75:80     sylvanas.itianpin.com    tcp
US       1.1.1.1:53           oc.umeng.co              udp
CN       223.109.148.130:80   alog.umeng.com           tcp
GB       142.250.200.46:443   (none)                   tcp
US       1.1.1.1:53           android.apis.google.com  udp
GB       216.58.204.78:443    android.apis.google.com  tcp
CN       223.109.148.178:80   alog.umeng.com           tcp
CN       223.109.148.176:80   alog.umeng.com           tcp
CN       223.109.148.141:80   alog.umeng.com           tcp
CN       223.109.148.179:80   alog.umeng.com           tcp
US       1.1.1.1:53           alog.umeng.co            udp
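The following script is an added example, not part of the sandbox report. It pivots the Network table above into the per-host facts an analyst acts on: which names were resolved but never connected to (here the two queries that look like truncated copies of real names, oc.umeng.co and alog.umeng.co), which hosts were reached over plain HTTP, which connections the sandbox tied to no name at all, how many distinct IPs each name fanned out to, and which contacted domains fall outside a list of SDK and platform infrastructure the analyst has already decided not to pivot on. NETWORK_ROWS is the table retyped as constructed input with "-" where the report shows no domain; KNOWN_SUFFIXES, the naive registrable-domain split and the heuristics are this example's assumptions.

```python
"""Pivot a sandbox Network table into per-host indicators worth acting on.

Added example, not part of the sandbox report. NETWORK_ROWS is the report's
Network table retyped as constructed input ("-" where the sandbox showed no
domain); KNOWN_SUFFIXES and the heuristics below are this example's
assumptions, not the sandbox's classification.
"""
import ipaddress
from collections import defaultdict

NETWORK_ROWS = """\
N/A 224.0.0.251:5353 - udp
GB 172.217.169.14:443 - tcp
US 1.1.1.1:53 www.google.com udp
GB 142.250.187.228:443 www.google.com tcp
US 1.1.1.1:53 oc.umeng.com udp
US 1.1.1.1:53 sylvanas.itianpin.com udp
CN 59.82.23.79:80 oc.umeng.com tcp
US 1.1.1.1:53 alog.umeng.com udp
CN 223.109.148.177:80 alog.umeng.com tcp
JP 106.186.19.75:80 sylvanas.itianpin.com tcp
US 1.1.1.1:53 oc.umeng.co udp
CN 223.109.148.130:80 alog.umeng.com tcp
GB 142.250.200.46:443 - tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.204.78:443 android.apis.google.com tcp
CN 223.109.148.178:80 alog.umeng.com tcp
CN 223.109.148.176:80 alog.umeng.com tcp
CN 223.109.148.141:80 alog.umeng.com tcp
CN 223.109.148.179:80 alog.umeng.com tcp
US 1.1.1.1:53 alog.umeng.co udp
"""

# Assumption: registrable domains of SDK/platform infrastructure the analyst
# has already decided not to pivot on.
KNOWN_SUFFIXES = frozenset({"umeng.com", "google.com"})


def parse_rows(text):
    """Parse 'Country Destination Domain Proto' rows; '-' means no domain."""
    rows = []
    for line in text.splitlines():
        country, dest, domain, proto = line.split()
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": None if domain == "-" else domain,
                     "proto": proto})
    return rows


def registrable(domain):
    # Naive eTLD+1 (last two labels); assumption: no multi-label public
    # suffixes such as co.uk among the hosts here.
    return ".".join(domain.split(".")[-2:])


def triage(rows, known_suffixes=KNOWN_SUFFIXES):
    dns_queries = set()
    contacts = defaultdict(set)   # domain -> {(ip, port, proto)}
    direct_ip = set()             # connections the sandbox tied to no name
    for r in rows:
        if r["proto"] == "udp" and r["port"] == 53:
            if r["domain"]:
                dns_queries.add(r["domain"])
            continue
        if ipaddress.ip_address(r["ip"]).is_multicast:
            continue              # mDNS and friends: local discovery, not C2
        if r["domain"] is None:
            direct_ip.add(f'{r["ip"]}:{r["port"]}')
            continue
        contacts[r["domain"]].add((r["ip"], r["port"], r["proto"]))

    contacted = set(contacts)
    return {
        "dns_queries": sorted(dns_queries),
        # resolved but never connected to
        "queried_only": sorted(dns_queries - contacted),
        # a query that is a strict prefix of another query looks truncated
        "prefix_lookalikes": sorted(
            q for q in dns_queries
            if any(o != q and o.startswith(q) for o in dns_queries)),
        "plaintext_http": sorted(
            d for d, conns in contacts.items()
            if any(port == 80 and proto == "tcp" for _, port, proto in conns)),
        "app_specific": sorted(
            d for d in contacted if registrable(d) not in known_suffixes),
        "direct_ip": sorted(direct_ip),
        "ip_count": {d: len({ip for ip, _, _ in conns})
                     for d, conns in contacts.items()},
    }


if __name__ == "__main__":
    for key, value in triage(parse_rows(NETWORK_ROWS)).items():
        print(f"{key}: {value}")
```

For this table the only contacted domain outside the SDK/platform list is sylvanas.itianpin.com, reached over port 80, which is the host to block or watch; alog.umeng.com fanning out to six IPs is ordinary CDN behavior for an analytics endpoint, and the two direct 443 connections to Google ranges with no name attached are the kind of row worth checking against the TLS SNI in the pcap rather than treating as an indicator.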

Files

/data/data/com.itianpin.sylvanas/files/.Fabric/com.crashlytics.sdk.android:crashlytics/66497E5D03D4-0001-10D1-621B277DFD3BBeginSession.cls_temp

MD5 5145201e6865ab6253b8db71ffc82011
SHA1 5cf8f24004bf14b5f4355db6c258812f4e1e2564
SHA256 7b886eab8d23c3acc0a36fc6f41ac32a4ff88ae65013c719836c77c9d0b6d372
SHA512 a0fcaf67ae4bc8b4279851b8c75f672a39f85b0f54ee731ae96e5a0574859092d6d5b4bebed257d101364bc3b08795f5f74c7ea0945a7f6d64d7dd44bb549088

/data/data/com.itianpin.sylvanas/files/.Fabric/com.crashlytics.sdk.android:crashlytics/66497E5D03D4-0001-10D1-621B277DFD3BSessionApp.cls_temp

MD5 9cc4a34328692609d114e93c51c7d664
SHA1 2ef094fe03ce8079048e111c615cce1fbaae5a7b
SHA256 9223b44e3ec0e644f49a9b77ad35b723e56863503cdd743284268f93698193f9
SHA512 bc5ddefc9065606f48d901d26316554ce38d94e054049db5a6db0ae1bdaa51b37de5c2f4b86a4012dfc7ad5859644b17c4eb963a694e18a203c493eb31d1e0de

/data/data/com.itianpin.sylvanas/files/.Fabric/com.crashlytics.sdk.android:crashlytics/66497E5D03D4-0001-10D1-621B277DFD3BSessionOS.cls_temp

MD5 9b3d4522944ce6396563812bfdb92fa9
SHA1 6d2a6133c8f01938a48ccc77ef86ad8ca335c020
SHA256 d32805d685a3f50caa7f1c0bd7c8804c4d937a866513289f60e3184f7a591ed9
SHA512 091d87643712530bf9006135db42a5a50742bb5ca3026bcc5f2c1c17bf4fd984a8938d29263b0abde3d15cac196d2230902534e200b0b79485e3a1bd97d95727

/data/data/com.itianpin.sylvanas/files/.Fabric/com.crashlytics.sdk.android:crashlytics/66497E5D03D4-0001-10D1-621B277DFD3BSessionDevice.cls_temp

MD5 f4ea833cc067c7693866b3df990ae52c
SHA1 82ed754091ba11743d4131fb5547c79d13f95a22
SHA256 437d847ae985dac0cc8e96312de1ed323b7907b9222ef717b2e75eb455df9d51
SHA512 8cf3f98b4a4724d0b93aa7e76152f6645969edfb121b9bca17c7a21645729520b27ca15a41f9009f574ed7ce667fb4b15e087fc4bd0b5ba536fbd217afba88eb

/data/data/com.itianpin.sylvanas/files/umeng_it.cache

MD5 3844640752d11d2c6ce839b09f67bcb7
SHA1 7ec69f537543caddda2160b1c1919ba90cbac91c
SHA256 c0dba26fdb9ce42c830db4a1ca4173186c5d130244c817f2f04aa66f27f68cc9
SHA512 c05b2f43172fcc48d00b6e37a600104a10ef28f3881d6bca8e776bef67254df5faffb5d4d81d63dc5e62c47ecf9838d2d01cbeb8588a56caf5785f7c0f6fd3e2

/data/data/com.itianpin.sylvanas/files/.Fabric/com.crashlytics.sdk.android:answers/session_analytics.tap.tmp

MD5 c33583fae4e0b61cde1c5b9227963237
SHA1 fe2ebe4d27469af1460f7e852031a04208ef629b
SHA256 35c6d6e5b93657e4a741a1cec71c21813fe05aab219909ebbb0f62fb0ae648dc
SHA512 fa09047004bec791b23f0dade0b64f8ab9bbd67555505e0d0818f6e89dfe56f474df80db0786d081d36adf23a5bacea40275ba043444a3a85d3d9612575bdd1e

/data/data/com.itianpin.sylvanas/files/.Fabric/com.crashlytics.sdk.android:answers/session_analytics.tap

MD5 d34e086e3e3fe30c99159cfd4be481db
SHA1 a41ce678165a0436dd2313b4274cfeb2b4dabdbd
SHA256 e968ec7e8099b437562b5359620a4cdcced9a088fe78550526dc349107138a2f
SHA512 c529865a5017e861f40aa46669026ac17be26873f86a3784d09acf65dbf44d39deeb0b0bbcd0344e33d803050e28f01f0ae20fa75a9caad1e6102a294d48b0c6

/data/data/com.itianpin.sylvanas/files/.Fabric/com.crashlytics.sdk.android:answers/session_analytics_to_send/sa_37447cb3-46f6-4f88-860b-e9193592b6ec_1716092510705.tap

MD5 493aad8cecdb03774b1b28057843ef48
SHA1 416679aa7f266e7a08175412492d6832269b768d
SHA256 9289a4a9dda5341f2a334fad42f9d404fd30592de9ea704ca4c7e17fc2a7cefa
SHA512 48024bdc44459bb75e7dae8d9ffba0b2159b8d1669f7ef1a7f50f92c6b7b1b3fc2b70da8ef7c4b57147481a4bce5b7588f9568d11c87b7f3d8630fcb665fdf9b

/data/data/com.itianpin.sylvanas/files/.Fabric/com.crashlytics.sdk.android:answers/session_analytics.tap

MD5 cef792f2ee9f44ac7a9c65a4cd30954e
SHA1 0da47ee1144b6e178e2946df8efa03095d800316
SHA256 250a744c075eadad1a3e5ada45263d6622a9d84288cc1ce5cc3d4ae3a6d47fe5
SHA512 c4eb91d22dce64edb17a3cfe6ff6111189da58d4150c02f96eb8d104f256691665b13754de3f3e5327ce5a09a2d40bbb73a5d3fbb8de7496cb7da832c12351be

/data/data/com.itianpin.sylvanas/files/.um/um_cache_1716092571186.env

MD5 966b4456a50b44933ff0e8b8c3faac7c
SHA1 7b253d477237e13dfa138e150c25b700262bb243
SHA256 f5e408e2cf4826bc3e28a10e50a73d1164c43fa86504d823596c4d1f49dc4cd5
SHA512 b40df35fdf1b39d9e2f2ecf7db622850b3cad302343c57ee5a1b053adaba7d0bbed2272e613f4895660399edda498a127eeb06956ef2c853a19a508b4fb3d334