Malware Analysis Report

2025-01-06 09:16

Sample ID 240601-ghbawace64
Target 8985e529f9e151f91e0f372a76d66cb3_JaffaCakes118
SHA256 5cedbc7d2cdd098c611faa8818d980ec0054076e9eff1e6c21a69a076c8d28b9
Tags: collection discovery evasion impact persistence

Score: 8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 8/10

SHA256

5cedbc7d2cdd098c611faa8818d980ec0054076e9eff1e6c21a69a076c8d28b9

Threat Level: Likely malicious

The file 8985e529f9e151f91e0f372a76d66cb3_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

Tags: collection discovery evasion impact persistence

Requests cell location

Queries information about the current Wi-Fi connection

Queries information about the current nearby Wi-Fi networks

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks if the internet connection is available

Reads information about phone network operator.

Requests dangerous framework permissions

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-01 05:47

Signatures

Requests dangerous framework permissions

Process and Target are N/A for every row.

Indicator                                  Description
android.permission.WRITE_EXTERNAL_STORAGE  Allows an application to write to external storage.
android.permission.READ_PHONE_STATE        Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device.
android.permission.WRITE_SETTINGS          Allows an application to read or write the system settings.
android.permission.WRITE_EXTERNAL_STORAGE  Allows an application to write to external storage.
android.permission.ACCESS_FINE_LOCATION    Allows an app to access precise location.
android.permission.ACCESS_COARSE_LOCATION  Allows an app to access approximate location.
android.permission.WRITE_EXTERNAL_STORAGE  Allows an application to write to external storage.
android.permission.WRITE_SETTINGS          Allows an application to read or write the system settings.
android.permission.ACCESS_FINE_LOCATION    Allows an app to access precise location.
android.permission.ACCESS_COARSE_LOCATION  Allows an app to access approximate location.
android.permission.CALL_PHONE              Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call.

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-01 05:47

Reported

2024-06-01 05:51

Platform

android-x86-arm-20240514-en

Max time kernel

7s

Max time network

164s

Command Line

com.greenline.palm.wuhanxiehehospital

Signatures

Requests cell location

Tags: collection discovery evasion

Framework service call: com.android.internal.telephony.ITelephony.getCellLocation (Process: N/A, Target: N/A)

Queries information about the current Wi-Fi connection

Tags: discovery

Framework service call: android.net.wifi.IWifiManager.getConnectionInfo (Process: N/A, Target: N/A)

Queries information about the current nearby Wi-Fi networks

Tags: discovery

Framework service call: android.net.wifi.IWifiManager.getScanResults (Process: N/A, Target: N/A)

Registers a broadcast receiver at runtime (usually for listening for system events)

Tags: persistence

Framework service call: android.app.IActivityManager.registerReceiver (Process: N/A, Target: N/A)

Checks if the internet connection is available

Tags: discovery

Framework service call: android.net.IConnectivityManager.getActiveNetworkInfo (Process: N/A, Target: N/A)

Reads information about phone network operator.

Tags: discovery

Uses Crypto APIs (Might try to encrypt user data)

Tags: impact

Framework API call: javax.crypto.Cipher.doFinal (Process: N/A, Target: N/A)

Processes

com.greenline.palm.wuhanxiehehospital

Network

Country  Destination          Domain                   Proto
GB       142.250.187.195:443                           tcp
N/A      224.0.0.251:5353                              udp
US       1.1.1.1:53           sapi.map.baidu.com       udp
HK       103.235.46.245:443   sapi.map.baidu.com       tcp
US       1.1.1.1:53           hmma.baidu.com           udp
HK       103.235.47.161:80    hmma.baidu.com           tcp
US       1.1.1.1:53           hservice.guahao.cn       udp
CN       42.177.83.87:80      hservice.guahao.cn       tcp
GB       216.58.204.78:443                             tcp
US       1.1.1.1:53           android.apis.google.com  udp
GB       142.250.187.238:443  android.apis.google.com  tcp
CN       36.249.65.247:80     hservice.guahao.cn       tcp
GB       216.58.204.78:443                             tcp
GB       216.58.201.98:443                             tcp
CN       116.153.68.115:80    hservice.guahao.cn       tcp

Files

/data/data/com.greenline.palm.wuhanxiehehospital/files/imei.dat

MD5 748d9beeaa1899252a7365b780b95fb0
SHA1 2158cbe9044f2b138df0094615afe6616e526c9d
SHA256 59290d2d5a77605f8140feb82e44e8438115fb2f93dc56ed4c225b88c21baaa8
SHA512 cdeb0c4cebf1cc96ebda6940763a940df76120ee991bc7f003480caf055a970f16e4a19ef2ba2c56fa056d539b981e16542ec7239a7b91dd3828585bc2d1e440

/data/data/com.greenline.palm.wuhanxiehehospital/files/imei.dat

MD5 e6698d96e4ef34bb8d40a30fcc643095
SHA1 da6307ae48ada70eaf21c4de479f91fa9ec5c35a
SHA256 abd9e83f9d20f1368946bbd0b7455bcf2e4912637a0fc6e9d76ae774428d7cbe
SHA512 47251138780a2922c74fa34047aecf636559f4250b19f606c623865466d2c99f3369ced8d1031ab53cbff0b1dcd328dea49aa2e8d57e2250983aa3fcbd175b5f

/data/data/com.greenline.palm.wuhanxiehehospital/files/channel

MD5 bfe279945c6109d067bcd295b5189d86
SHA1 9969230fa9c65716f6f82a97c9ba7c7007609014
SHA256 a89151ba4b5ac0f22e96b71b963db927791d3808f5175f06ae4a60de5891bf0f
SHA512 c843adbb98d263d02ce3f9d3d9c684b9cfd8e61e8b155d8349317f122fa9089119e8eeced1a0f0f134db68a0b88ce095273acb863c86c1be6f9b8e4682eb00e9

/data/data/com.greenline.palm.wuhanxiehehospital/files/ver.dat

MD5 76fabae8a08fe8991ef3b5f87490cf25
SHA1 e948d7ac877bf74a400a10511ad0da7b2f30b086
SHA256 7a4bdaa71c635e520749e1fef25711aaee6965f9efc30d5acdf39618705acd9b
SHA512 c9e9f8ff1dc2bf7ddfcde30b27c6bf63a64f22b580cf304671b1c2378f25223a77a45e3730f57133a3c7e3e774216cdbca23f304c148d747afb21f9aff16595b

/data/data/com.greenline.palm.wuhanxiehehospital/files/CMRequire.dat

MD5 25e57636aee83606d202f04f26c2913b
SHA1 1ef0ade456ba38aa31584d0fbce647d0ba74b399
SHA256 89c56da41f0046c9e733fed330d2636d623510c217f72c2d025df3343dc66783
SHA512 3a8d294b8be98abe4d18116cbf7c16d44a541d1d20dd4dfbbbf3bbd8cb7997abcbaf51790bbc1978135d888c4e89868a9a2575d9cfed65a331969de77ba07326

/data/data/com.greenline.palm.wuhanxiehehospital/files/VerDatset.dat

MD5 caaa975d7bf4952bd5dd695ade33f1da
SHA1 119373fbb2db036712df72ec9b26c0c2840dfbb1
SHA256 d0f94264a6b5c355dbf5c0516202c732bcae471a2401542b2ca43307727a0d02
SHA512 db2acdecd236eab67cb67151032f53e51c9c04e754f3c21d74e05cacb1ea5edecbbccbd66ee760624b9cac97b8dd77f568324e8abc2b9c16aa73131db81c8b06

/data/data/com.greenline.palm.wuhanxiehehospital/files/cfg/h/ResPack.rs

MD5 fc611808bd9b0edd8348d92490481ef1
SHA1 602fece48f0aac9835443bbe83c19ffc91fccdcb
SHA256 92dd9ef7734a6b9b68cbaac963d52dba9bb1a12ead615f860177577d89a40130
SHA512 309a1b878cf62e232e8d15bdd6ed0e7cc0f3122e6f70851a8b93016a31b4d40e99413afcd07aa6301b85c44689b88f33302f3ecc7ba7d4efddbad0b3c4a7c8ba

/data/data/com.greenline.palm.wuhanxiehehospital/files/cfg/l/ResPack.rs

MD5 8d183d412478e62d2ec90152beeb3a0b
SHA1 55fbb0b0808fa25deafc3de9fd26dcad5f5ec278
SHA256 9d26787a9fcc52d18ef6fb98b6bc4853107258ad235351116ec8ae7ee908185e
SHA512 9e71ebb78bd03da1a11d97ff98a3c64c1d1ddc4e1009b1ad847168f31c44eb9b4dfa1dc62cf2b020db8a10b6f1037560671ad3c07e218b0a910b98648078e074

/data/data/com.greenline.palm.wuhanxiehehospital/files/cfg/h/DVHotcity.cfg

MD5 64f064a4742aa3a40f537edde8d6b3d9
SHA1 f84045d96e72582238d8b35e6d508ea9129ae348
SHA256 905d87c66b14980402afdc2736b80d8fe108246e44f76e573291a852bd105a63
SHA512 5f0df60c3bece73b319b4e7c057ee8a218b0b7a9f710bf9725845fa621a4f8a53bda2d55c962e940f01ae6a81cd76af55116be55c7f196ac2dc09e86ae5e73dc

/data/data/com.greenline.palm.wuhanxiehehospital/files/cfg/l/DVHotcity.cfg

MD5 f389dd3b20a99988cafb81fa9833d51d
SHA1 601208ba2cf437be2490ce14ed3cf4cc3943a7c8
SHA256 dabd641f5931761bc3f202daf16e560c023b86314123fbda7bfe9428debc8db4
SHA512 0fc49984da0a3a681ce08a91ef1e849c122ba9f34dff29b1c3f952eb82ca90f3b6c6f4d0f47e537cd17c00b5c2f89eea411f7a2f3f9b2d674e205b95cd438292

/data/data/com.greenline.palm.wuhanxiehehospital/files/cfg/l/mapstyle.sty

MD5 affb6ab297e0a28c70e290bc7b0f79fe
SHA1 994cfa22aeebba487dd7fa4ff81fcec17d011801
SHA256 6e0e16c5ee516f49c30e9db4d470d57c964dfc38516f3b7ae459ceb4411a076f
SHA512 b94d1c81b7419dc75a158f0ba67f129885fd60438f8b31f97d5ae2a20d8069f5d60a3e5de9090493e503b41c78a981b38433b8d7c99ffdbe0a0313a79b4be2a2

/data/data/com.greenline.palm.wuhanxiehehospital/files/cfg/l/satellitestyle.sty

MD5 9f7410e1680f5b7cc5ee5b306e1679f8
SHA1 28a8c4bf92e9347b536eee59b314dd4bdf27644e
SHA256 110694528641874bc9b9dae26d83e701b36e18996fb91b4d249a08931942e73f
SHA512 297ceefc94b84092dc7c039c2cba110dc97fadbaac5fa6f2d73cc5ee1ab557813b5cea43574a84478d443097890df3ed85ead0e90851d24cd47c81b2aa022fa1

/data/data/com.greenline.palm.wuhanxiehehospital/files/cfg/l/trafficstyle.sty

MD5 ea1255472c3feae81239f87996544ac9
SHA1 9527474aeb5833e4e268aa55cb233f8193624bb7
SHA256 030529b5a75b50d5b4cbffb5c170f6ec5a9a00695dcdcc8c9918909eb5ee4671
SHA512 e8658bb8b37931b349dfc9e911fc6f483dd08d659ac917526ed05cc70271b97c13def353ad841436696c71a2f8794cac5d8035b0064d99d590c9b4f2db2b6c67

/data/data/com.greenline.palm.wuhanxiehehospital/files/cfg/l/DVDirectory.cfg

MD5 200b74c3ebb374f1e2ca0c2d77418cba
SHA1 23e52a22fcbb020f4613811bde49f145657657fa
SHA256 8c0ad1afee4e26ed64ef30d34e612edf1e9a3ac0e78e426dab3ffbb803bf7f1b
SHA512 d30e07942404993b6fce92e411208e6c971712bb2efde6c0817c6e4f46dfd53bcfe2de7ffd374bba7350ee83d0a4ebacca0f1ce27480c2ba6649ef9d66f8874e

/data/data/com.greenline.palm.wuhanxiehehospital/files/cfg/l/DVVersion.cfg

MD5 901e9e58cb056bc895fee4f19173ae4e
SHA1 d5ca46f40f8b5e833a8491d8d2fdebcd91e33d4d
SHA256 cc73778e36a6677cd6de7ccfb5c605dfe532acebd039843d82ef3be295b73567
SHA512 5891cdaff2de481f98b0247748c036447bf73b0f1b1186e6cf2b05d27f39826da496d87cac93feef142f3c47bd6f37753116b18194f49064b3fc9dd6fd3ecab4

/data/data/com.greenline.palm.wuhanxiehehospital/files/cfg/h/mapstyle.sty

MD5 042f8bb92192b33fe881cf680db79d5f
SHA1 17b1ab10e0ffa30f3534d3f0a0240a631222ba54
SHA256 6f4205cb972c0c49c9480951e4d2decde58df5c7555be18b274507dbb25dfc1b
SHA512 4cc20908f12ec0b41fd1ea1b6e0f0ffb3fa003ab6f574a6b40f3a6ae2a7db07313ab57a9714d9891f3b798046a47e6bdc0da9ce1f4f91b7a966ed96e9b7d885f

/data/data/com.greenline.palm.wuhanxiehehospital/files/cfg/h/satellitestyle.sty

MD5 24b50fe4886b6d6f4011464e9a6238fd
SHA1 68b5c9b9345870b4f4d1b6a09258840ecc82382b
SHA256 c7eba9052ab1dc3c1d70541270688d63a7cfdd6cca9b0b5d62f5872413974dd5
SHA512 96217a781d8d23c298372ff7d005bad7e4d9528ea607bb28148f7b249be028ed0b5f0c1456aca0d78ce06335ba252790ada81135810bd5861bb74e25499aabb8

/data/data/com.greenline.palm.wuhanxiehehospital/files/cfg/h/trafficstyle.sty

MD5 1e4b535871c4feb2010b614713def5c7
SHA1 4c5dc67838d12b795b6882c6dbbcc6767e42184f
SHA256 efa3ec85127a21a8c8a74640acc5fe1d992952964d4f257682f832f63c2ad3fc
SHA512 0c5443dbfdafab2e6cb7740587f48ca9a2c971b93afafcebccd17691edaa7c7fb75dfd1b6c939dd591a5aa65977f55e64b6c3690ab0a660432269fc43bf3133c

/data/data/com.greenline.palm.wuhanxiehehospital/files/cfg/h/DVDirectory.cfg

MD5 4387420494429045bbddc8dbc8036a57
SHA1 d00c920c88acbd73b1b09c4e36f947fb1cbc43b0
SHA256 c0def80bdd08026af800c61c476cabc9f1cda4d754e5e7a30d8dcd6ff0ac44ad
SHA512 200d360e00ae1d6f95f6fb57b217da7618a0c60abb8e17e5d2d2a5bd19434ce7ab001dd195f57bfb7c9f63a1802fb1e4e9c20f94773a772474c63485086b7ab9

/data/data/com.greenline.palm.wuhanxiehehospital/files/cfg/h/DVVersion.cfg

MD5 fb6694479700218b7eeb8e595dec6b83
SHA1 5ea06f1b529de035fcd8e4180c58f84c9d4eb49f
SHA256 ee862c09ac9d43be689d03a6bd29005dda386de845690f7cd369ab8ceb723514
SHA512 630c010a78772a3449ba0667121c743e1994f09be3b75a668e50d7340423414efb11528072efa1d630e2581ee45c49f03ddbea5d2af6ae68dfc1ee95b3ded652

/storage/emulated/0/baidu/.cuid

MD5 819b386d200561b12299d2195f9b2e73
SHA1 2146c7c565e2372fc7c2feb7552e77f8dfdbb6be
SHA256 2f0abd4b7ae99f6dec4dcdc49aa1f38136f19e13a67aa18b0b385fa310b7537b
SHA512 18c0f9430f826ccdef5fbba1214f0a1dd59dc6fe10c2c0014ca1f8b0354188759315d6de5e33c0b46a4c936fcc23b8bb486d4b937f281ed19be60b34f6ae802a

/data/data/com.greenline.palm.wuhanxiehehospital/files/userData

MD5 76dc8f957c6989ea13a9f0fd458f4caf
SHA1 075e05fadbb2f06f5980f8a9e20ef2948e342cd6
SHA256 76b6aab8d063854dea5ca765d241901c9954942aa337452a0fe30e81d4543f7a
SHA512 388ddb2e61d9c496975edb73197a2fb0baa4550e844012413b3245d9935075486e257fdf3d1d08dff5267f85cd3555220d76a09c2d905219c5c03c6cbd4c373e

/data/data/com.greenline.palm.wuhanxiehehospital/files/__local_stat_cache.json

MD5 2d805b13f2f28dc3ca9bbcc000f49bb5
SHA1 9eac165b4d81258fd3967cde5cc53b53b1dabcb1
SHA256 c8a6624f390568f0ddcb9841336aec6a564460fdaf6624e562b32935b8956f19
SHA512 5db8c57bab36bcf9db698c1dce70318cbffc156dd1d1c1e09e5b7ba60aff07b598ebbf26c4bd8a2b03bd6e59ef2dde2d944a22a8d8a19ecc8378e83afb7c83b0