Malware Analysis Report

2025-08-05 19:13

Sample ID 240519-fmjx5sbf29
Target 58a8aba359ac7a49a0dd18797e72120a_JaffaCakes118
SHA256 d0f76739fda55a1fd46c625ff7107c24ee8640cb87c62f4355b9e4d2b36d091a
Tags: discovery, evasion, impact, persistence

Score: 7/10

Analysis Overview

Score: 7/10

SHA256

d0f76739fda55a1fd46c625ff7107c24ee8640cb87c62f4355b9e4d2b36d091a

Threat Level: Shows suspicious behavior

The file 58a8aba359ac7a49a0dd18797e72120a_JaffaCakes118 was found to be: Shows suspicious behavior.

Malicious Activity Summary

Tags: discovery, evasion, impact, persistence

Loads dropped Dex/Jar

Queries information about running processes on the device

Queries information about the current Wi-Fi connection

Checks CPU information

Registers a broadcast receiver at runtime (usually for listening for system events)

Queries the unique device ID (IMEI, MEID, IMSI)

Requests dangerous framework permissions

Checks if the internet connection is available

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-19 04:59

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows an application to see the number being dialed during an outgoing call with the option to redirect the call to a different number or abort the call altogether. | android.permission.PROCESS_OUTGOING_CALLS | N/A | N/A
Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-19 04:59

Reported

2024-05-19 05:02

Platform

android-x86-arm-20240514-en

Max time kernel

8s

Max time network

131s

Command Line

com.epark

Signatures

Checks CPU information

Tags: evasion, discovery
Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Loads dropped Dex/Jar

Tags: evasion
Description | Indicator | Process | Target
N/A | /data/data/com.epark/mix.dex | N/A | N/A
N/A | /data/data/com.epark/mix.dex | N/A | N/A
N/A | /data/data/com.epark/mix.dex | N/A | N/A
N/A | /data/data/com.epark/mix.dex | N/A | N/A
N/A | /data/data/com.epark/mix.dex | N/A | N/A

Queries information about running processes on the device

Tags: discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Queries information about the current Wi-Fi connection

Tags: discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

Tags: persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Checks if the internet connection is available

Tags: discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

Tags: impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.epark

sh -c getprop ro.yunos.version

getprop ro.yunos.version

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/data/com.epark/mix.dex --output-vdex-fd=54 --oat-fd=55 --oat-location=/data/data/com.epark/oat/x86/mix.odex --compiler-filter=quicken --class-loader-context=&

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.200.3:443 | | tcp
CN | 203.107.1.97:443 | | tcp
US | 1.1.1.1:53 | adash.man.aliyuncs.com | udp
GB | 142.250.180.14:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.178.14:443 | android.apis.google.com | tcp
GB | 142.250.187.206:443 | | tcp

Files

/data/data/com.epark/databases/bugly_db_legu-journal

MD5 553232dd0615c52a567793158f7f9077
SHA1 01a721d08f5d72574a8cae2c8fb32f30cc9a5f86
SHA256 b87efe6d0b7e0826ecbf88c472c76f70ebe3979ba48ec50210ba4e595a172761
SHA512 e9a12ad3b29f3138eb8bc0464e55fb6985fb2e7a51e2b147a1c08032b451d6e39aa91039b50e6621dacc2edbb808d59efaca891099f499676f959f42ef269fe7

/data/data/com.epark/databases/bugly_db_legu

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.epark/databases/bugly_db_legu-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.epark/databases/bugly_db_legu-wal

MD5 e7672f47a113e6ed840344a6297ba0b0
SHA1 6462a7f1c04665a904650a9c90e8d0e23796512b
SHA256 355ab59a883b5da23022f79bba4115bd463131286088a1a57bacec76e69baac3
SHA512 1040361662b33dc762b9d3733eed145ea2ca377417970fb43b1f1cb9f56ada1f57bfb40a2d6600a3d695f7de1393bad0aa4aa39a54edc86cf381ac8f1714bf62

/data/data/com.epark/mix.dex

MD5 63f77f99bd2c2b772a479923bde11974
SHA1 c7632e7d301e4463fafce85f84e9c3d7da3fdbbe
SHA256 4c76a3af64cdd2f8713ffe2733dea50dbe714d0ca41c17d1847ee5b62a7ca615
SHA512 3aae4a89d1ed51fdd911cb367eb10afe3c2264e4222085891b18a60d5412f85d10bf5c8f3c6642db70abb9aa42732bac5c42c42ee32d587100f53c21b5beb16c

/data/data/com.epark/databases/MessageStore.db-journal

MD5 bc7337ab07ca8fc440fbebcaa70f23bf
SHA1 5ee4ef176af3e408bae6b70b56741e92af56bf5d
SHA256 5b06929579e8ccc170f1a784b48823e0ea0a67beeae7bbb49f32b7007bc586f2
SHA512 950267db7d358f179bb72742b395fc3830a2e63edbafac16ef70aaa0c6e4c7e374a0b76ff6f724c42abaa689c50e921054f29f515fc3a9247392b7afe7f04b3b

/data/data/com.epark/databases/MessageStore.db-shm

MD5 cf845a781c107ec1346e849c9dd1b7e8
SHA1 b44ccc7f7d519352422e59ee8b0bdbac881768a7
SHA256 18619b678a5c207a971a0aa931604f48162e307c57ecdec450d5f095fe9f32c7
SHA512 4802861ea06dc7fb85229a3c8f04e707a084f1ba516510c6f269821b33c8ee4ebf495258fe5bee4850668a5aac1a45f0edf51580da13b7ee160a29d067c67612

/data/data/com.epark/databases/MessageStore.db-wal

MD5 ce962671c0c654340deeab21468743d8
SHA1 0dcc2ab67354bd01f3e9b1253ef65be6a58622f5
SHA256 d1c7b85ea6ee688ba8db05e0d57d2932dbc2d4025687ddbd41256afecc85609c
SHA512 19d0b32c9e6284436824cbacece0fc9f6aa5a6fdda04b032e1a8be7a4a0aa6940e4d85bda2b5f777ff9930db864a99227a2c5693bbf1d445bf97c81c5842a4bc

/data/data/com.epark/databases/MsgLogStore.db-journal

MD5 3c85946dd44626c99a2731ff18941734
SHA1 824d84acd32c842a8ddec12d056227ea77cc4e55
SHA256 89bfd83122becc8b55b0f331086f543addb0fa9eb1118aef3c07656f27aeae2a
SHA512 55fccb13434cc5f6d76abc7a76b60e4cdb2f96518815f30b024cb52745bd639cd55d279120d0521eb0eea47473d1728bb11e39fa5b7b11c8baa9e188c555a7e0

/data/data/com.epark/databases/MsgLogStore.db-wal

MD5 7e54ac9e6f53f37e276e38fcd692dcf1
SHA1 0841356b9dcaff354a7b9595d5ff7c420520f02d
SHA256 89d34810ae1267247f15a2f2454b369093fa916557837c4af599447d87399d8e
SHA512 c3c3ef691dc82b3c7d20479e727356eea007bf96e43894927467690715d155163b934841fa8938c12224cc80145c01bfe7b67decafa43fa81e0b24531248b529

/data/data/com.epark/databases/epark.db-journal

MD5 4b606a8f19f03e2c6452e625f6f8db0f
SHA1 6ab5aa708e2af536051e59d6cfec7225abbeb893
SHA256 172996407e7b1e688444a8764089bb8b4df82897f5acf66017a2021bac2ffab3
SHA512 5e4b9708d064e67f91aebbd8fdc664579b3cb16a424dc55c83ca0f0c25f6983635ff085b42fa54e9c3ddf6ae46f6cc827143ebf30a437fa8cb0f583afebcb920

/data/data/com.epark/databases/epark.db-wal

MD5 4e97dfa0075ac14dd9e840f37fe9d632
SHA1 daf1ed6cba0826c480b62da3c85cbfa03e448eee
SHA256 6655ca881b9981256c0b63d2421844ecf8babc730a2abcac8fb7559958dc1f89
SHA512 a27bd8c1cac8e457f374f3052104bcb34fb77178e947801add5a4fc1c0ccd07c4a3a8fcd0edff3f3f2a2e0aa5f7fc031666fc3fdbc32d12862fbcec8784d1f3f

/storage/emulated/0/.UTSystemConfig/Global/Alvin2.xml

MD5 9781ca003f10f8d0c9c1945b63fdca7f
SHA1 4156cf5dc8d71dbab734d25e5e1598b37a5456f4
SHA256 3325d2a819fdd8062c2cdc48a09b995c9b012915bcdf88b1cf9742a7f057c793
SHA512 25a9877e274e0e9df29811825bd4f680fa0bf0ae6219527e4f1dcd17d0995d28b2926192d961a06ee5bef2eed73b3f38ec4ffdd0a1cda7ff2a10dc5711ffdf03

/storage/emulated/0/.UTSystemConfig/Global/Alvin2.xml

MD5 e7115ced63b507fcba26ab17af4e5da7
SHA1 3aad5efdb594d91bcf2d63b3ff5ea1c54e0f2c29
SHA256 bd0412e3a46445af1c2d0d5998a7cf5ea9fd7d1b0787d0afc9f19cac6b4b6bc3
SHA512 aec67c075994bb6551e7f896723c6ec73794681e1294286978ff06ae88f942de3d6141c68373b57b5ba757b894d1a7cff04708a4032684a4b3aac66f1bec5c08

/storage/emulated/0/.DataStorage/ContextData.xml

MD5 13e23a78089c20db2b3ea42dabaf1af2
SHA1 85b2ffdab792113b69e3752fb78e34e5922aa895
SHA256 46327e99eb21a7d9592580ddef3ff89da2d33506f27cdf4795c62403f51a0700
SHA512 faf4df9c56bc85e15e82af758d67b09a0d08c5caf3a90be7a5aa395c0d9b7b5b4e4092b94f8c7d1668afa6b115c748c8eb55a5078e0d3a9ea086a13e785a6634

/data/data/com.epark/files/libs/libBaiduMapSDK_base_v5_0_0.so

MD5 873b2a28bc498203051de1cb168d798d
SHA1 c6b9f2b527a582ec2abdf18ede117243b0abc137
SHA256 71231d32e62565b6aa24c8f40feee0a1e35b0191af63bcf20347df54104f65ef
SHA512 8f76b6cde1cbaefeee1ce55e033a88d5412b9440fe0268351b0e1db536f7214854bed0d723b15ddbd07d23a7bf3a4f4c570fb4dc906bb0d0b4198a5a464190f0

/storage/emulated/0/.UTSystemConfig/Global/Alvin2.xml

MD5 66e4639c0d75be6a04e65f72aaef9b40
SHA1 ce10f41b96f5c4ad4191175ad093f4edf707db78
SHA256 c3075475ebe6e36ff48a1e8b1e12ae158ecb4845e3c777ecfac7cffe3529a613
SHA512 1b4963520d420dd794e49afe5716e2a27b56f69ab6237e75c02d0b6324f079d38402f61df11f560cbe427afe7687abcc111cb63e620db39997f5c124779e605b

/data/data/com.epark/databases/accs.db-journal

MD5 1f507c35291b109c7c0682d5b994a555
SHA1 fe821c8490afd6d7bc05586d78650f12b43869e2
SHA256 eb424c014be7703a468657b2418bed21e14e39c4a47d29791b2f50e0203222da
SHA512 003f46f92e50491a029ad60665b71d5180c63e18b6f3c957c5425f4a2af635f5fc4bb6f3826c775bfaed88adc12d03470c0159de3cda6da94702b69830e2f5d9

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-19 04:59

Reported

2024-05-19 05:02

Platform

android-x64-20240514-en

Max time kernel

4s

Max time network

131s

Command Line

com.epark

Signatures

Registers a broadcast receiver at runtime (usually for listening for system events)

Tags: persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Queries the unique device ID (IMEI, MEID, IMSI)

Tags: discovery

Processes

com.epark

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.200.10:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.200.14:443 | android.apis.google.com | tcp
GB | 142.250.200.46:443 | | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 172.217.16.232:443 | ssl.google-analytics.com | tcp
GB | 172.217.169.14:443 | | tcp
GB | 172.217.16.226:443 | | tcp
GB | 216.58.201.100:443 | | tcp
GB | 216.58.201.100:443 | | tcp

Files

/data/data/com.epark/databases/bugly_db_legu-journal

MD5 b790fe2b9842da41a6283aa307a7a5ac
SHA1 43daf19b342b56b1440e6eed4185e076d507d919
SHA256 40d2c784812bfee5ec3f118860dad6d8776995b01c65f6b8a68c5a3038899bde
SHA512 b0c27cbda4ec42514a2e1ecdd65e2fb2546a62f897b62dace0b36966180084262986433a244d804d24380c7fe0d18d1a0424c2bf1f3316ac1286b8f773189242

/data/data/com.epark/databases/bugly_db_legu

MD5 557ed9b8134fe2afde18a566665646a9
SHA1 89488796bdbdfa6ae3888310aff870cc90064be4
SHA256 ff1d7f41b18cb5faddd1ee7aeea00cc5b8c33390a68f580db2ede6cc0ee078cd
SHA512 60905598de7400355ff3c42e8d649bfbed42ff1b87cc4d154738096b14acc078ee4dc3b6c03feb09f2cc15d06b3844a188fcd81ea77ee796c59b2f7f2b01e65a

/data/data/com.epark/databases/bugly_db_legu-journal

MD5 1233afe7f8ab443a5fe01f9e3723cc87
SHA1 aad5f0b25bc531eeec27028581d7dc7248d325c3
SHA256 a670d9012b488b2b609d16cabdcd923f96d9ba6cbf4228a8c65311391393fe16
SHA512 0fbe9584a912eb935014f386b6b92e550707f083d981a089284ae5b1c9aeabbd3ee0f97c95623b8fe628a22e0059eed60af0e89ad0a1ca41e32610a3394d383e

/data/data/com.epark/databases/bugly_db_legu-journal

MD5 877071cdd7156385c1ea4cb4cbc4826c
SHA1 e0f5035e918d366e6c26e4e0b55eb2416c591015
SHA256 18db5ec635588a94a87b518b4bed278b788c98ad5e3a6f75e2f98a25bf8ef37f
SHA512 53fe396e75792b7a93e88f3de8ef912ae636f1ad9a57cb8c1b4b8b1137351c54dd3b87b47cee72608caab340182c272b135c939ea87e2d7276a62338541ed39e

/data/data/com.epark/databases/bugly_db_legu-journal

MD5 e74f919dcd53d680a9e71f282e75108a
SHA1 b97d7432885ecb7c2ea0d00a4affb870f6873e18
SHA256 60bd2a49f771f72d51a082c5cec79d34d6fe209a535d8460b54561c308202e4e
SHA512 fbce78af4fe110df817c4a328706d061f5e712381f44b642013a18e26085253ccfcb601a5a15f156947a484a0ffdee404992c97bdd7f00d30d7a6c551a3dfda0

/data/data/com.epark/databases/bugly_db_legu-journal

MD5 3480615f5ff1ccd0f4b029ed6d62de0d
SHA1 bec9677dfd973617cd130c0696611518bde6d0a2
SHA256 1e63e74e262870734778bafe8ee61efffa55fe7c7bd7bfc9c938638528d18508
SHA512 6bcfeb9f43b68dee4e1b0bb0fd6568162bc26b48f5c26c1d036444364c16224dd2f57847f0365cb33bb99646491de99bef86fb21acbc7e4acf981240b200a08b

/data/data/com.epark/databases/bugly_db_legu-journal

MD5 c2e149dd98276944f58378eec99f9acf
SHA1 af6a3e35eac434f4a2c8d8f2588ad801bf56b89b
SHA256 43d137a9ae69980080bf233945b27c6c67190d24cd97d35024ce73bd9739e5ec
SHA512 5d997e96f216ba5714de550c762430207c6ed4a2e1d48b025a3b7114b55c1897cb235e026fd9d80fc7c0c225bd8b9509bb7e9ffc66851136c368e0238ba0ec0b

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-19 04:59

Reported

2024-05-19 04:59

Platform

android-x86-arm-20240514-en

Max time network

6s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 172.217.169.42:443 | | tcp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-05-19 04:59

Reported

2024-05-19 04:59

Platform

android-x64-20240514-en

Max time network

6s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-05-19 04:59

Reported

2024-05-19 04:59

Platform

android-x64-arm64-20240514-en

Max time network

7s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp

Files

N/A