Analysis Overview
SHA256
f6034e75b17cce56db6148cb478f6dd86c834fec34c4fd034c24c73074e84ec7
Threat Level: Shows suspicious behavior
The file 98905c07a5fd12c9fadb1d06d5f68f0d_JaffaCakes118 was found to be: Shows suspicious behavior.
Malicious Activity Summary
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
Queries information about the current nearby Wi-Fi networks
Requests cell location
Queries information about running processes on the device
Queries information about active data network
Queries information about the current Wi-Fi connection
Requests dangerous framework permissions
Domain associated with commercial stalkerware software, includes indicators from echap.eu.org
Reads information about phone network operator
Registers a broadcast receiver at runtime (usually for listening for system events)
Uses Crypto APIs (Might try to encrypt user data)
Checks CPU information
MITRE ATT&CK
Mobile Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-05 16:02
Signatures
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Allows an application to write the user's contacts data. | android.permission.WRITE_CONTACTS | N/A | N/A |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A |
| Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A |
| Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A |
| Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A |
| Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A |
| Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A |
| Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A |
Analysis: behavioral4
Detonation Overview
Submitted
2024-06-05 16:02
Reported
2024-06-05 16:05
Platform
android-x64-arm64-20240603-en
Max time kernel
7s
Max time network
132s
Command Line
Signatures
Processes
com.alipay.android.app
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| N/A | 224.0.0.251:5353 | | udp |
| GB | 172.217.16.238:443 | | tcp |
| GB | 172.217.16.238:443 | | tcp |
| GB | 216.58.201.106:443 | | tcp |
| GB | 216.58.201.106:443 | | tcp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 142.250.200.40:443 | ssl.google-analytics.com | tcp |
| GB | 172.217.169.68:443 | | tcp |
| GB | 172.217.169.68:443 | | tcp |
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-06-05 16:02
Reported
2024-06-05 16:03
Platform
android-x86-arm-20240603-en
Max time network
4s
Command Line
Signatures
Processes
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| N/A | 224.0.0.251:5353 | | udp |
Files
Analysis: behavioral6
Detonation Overview
Submitted
2024-06-05 16:02
Reported
2024-06-05 16:02
Platform
android-x64-20240603-en
Max time network
5s
Command Line
Signatures
Processes
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| N/A | 224.0.0.251:5353 | | udp |
Files
Analysis: behavioral7
Detonation Overview
Submitted
2024-06-05 16:02
Reported
2024-06-05 16:02
Platform
android-x64-arm64-20240603-en
Max time network
6s
Command Line
Signatures
Processes
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| N/A | 224.0.0.251:5353 | | udp |
| GB | 142.250.179.238:443 | | tcp |
| GB | 142.250.179.238:443 | | tcp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-05 16:02
Reported
2024-06-05 16:06
Platform
android-x86-arm-20240603-en
Max time kernel
157s
Max time network
169s
Command Line
Signatures
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
Queries information about running processes on the device
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A |
| Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A |
Queries information about the current nearby Wi-Fi networks
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Framework service call | android.net.wifi.IWifiManager.getScanResults | N/A | N/A |
Requests cell location
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Framework service call | com.android.internal.telephony.ITelephony.getCellLocation | N/A | N/A |
Domain associated with commercial stalkerware software, includes indicators from echap.eu.org
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | alog.umeng.com | N/A | N/A |
Queries information about active data network
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |
Queries information about the current Wi-Fi connection
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A |
Reads information about phone network operator
Registers a broadcast receiver at runtime (usually for listening for system events)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A |
| Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A |
Uses Crypto APIs (Might try to encrypt user data)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A |
| Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A |
Checks CPU information
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for read | /proc/cpuinfo | N/A | N/A |
Processes
com.wandafilm.app
com.wandafilm.app:pushservice
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| N/A | 224.0.0.251:5353 | | udp |
| US | 1.1.1.1:53 | wdapi.wandafilm.com | udp |
| GB | 216.58.204.78:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.200.46:443 | android.apis.google.com | tcp |
| US | 1.1.1.1:53 | register.xmpush.xiaomi.com | udp |
| US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp |
| NL | 20.47.97.231:443 | register.xmpush.xiaomi.com | tcp |
| US | 1.1.1.1:53 | alog.umeng.com | udp |
| CN | 223.109.148.177:80 | alog.umeng.com | tcp |
| US | 1.1.1.1:53 | apilocate.amap.com | udp |
| CN | 203.209.230.23:80 | apilocate.amap.com | tcp |
| CN | 223.109.148.141:80 | alog.umeng.com | tcp |
| CN | 223.109.148.178:80 | alog.umeng.com | tcp |
| CN | 223.109.148.179:80 | alog.umeng.com | tcp |
| US | 1.1.1.1:53 | apiinit.amap.com | udp |
| CN | 59.82.132.217:80 | apiinit.amap.com | tcp |
| GB | 216.58.212.202:443 | semanticlocation-pa.googleapis.com | tcp |
| CN | 223.109.148.176:80 | alog.umeng.com | tcp |
| CN | 223.109.148.130:80 | alog.umeng.com | tcp |
| US | 1.1.1.1:53 | alog.umeng.co | udp |
Files
/data/data/com.wandafilm.app/databases/wandafilm.db-journal
| MD5 | 18c8a14e46cdc2266c5248ba418c515d |
| SHA1 | 56ec5a7e0fec54af90f87cbfc9399bc0b5bb3bba |
| SHA256 | ab381a241567737ee5fdf005b7b926b90aa98e8e7e11811b7a3ce20d80069491 |
| SHA512 | e2bc83ec304b0de77dd532a18a0f9c8372349db8aa6a92ce0ba18e710f1f25190953a13b2224bdab9ffd53085752172b8997a3b0a624bd4a00d0e229b872db59 |
/data/data/com.wandafilm.app/databases/wandafilm.db
| MD5 | f2b4b0190b9f384ca885f0c8c9b14700 |
| SHA1 | 934ff2646757b5b6e7f20f6a0aa76c7f995d9361 |
| SHA256 | 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514 |
| SHA512 | ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1 |
/data/data/com.wandafilm.app/databases/wandafilm.db-shm
| MD5 | bb7df04e1b0a2570657527a7e108ae23 |
| SHA1 | 5188431849b4613152fd7bdba6a3ff0a4fd6424b |
| SHA256 | c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479 |
| SHA512 | 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012 |
/data/data/com.wandafilm.app/databases/wandafilm.db-wal
| MD5 | 52669401dfe24247aab2507c38ccfaf4 |
| SHA1 | 25f15634e828c68e7cd0a122031a349336c72734 |
| SHA256 | 48533770efa0363f9c52f35d715ce1715ff4d930d594017a6c272797695ac03d |
| SHA512 | 6f13e7318d97200cbc787621cdae1a453fc1f277a10066caf3ee22baa79814263a8359f4b8d38440c642e122292584dda80103fd1c2acbfd5a62119e68f1e25e |
/data/data/com.wandafilm.app/databases/cc/cc.db-journal
| MD5 | ac1b607d125de783531e9df18501b2c9 |
| SHA1 | 63a398b05886b1e2429eb08a952cd470d631ca8a |
| SHA256 | 72349061f332b3b2ab53fa6b4b7756e7f3b9e5a322413f2245bd3c85a7704150 |
| SHA512 | 93dde96b04a3c23143252bae89f12c6a8cb956b0456e7e3fcb45d3bc008484d0a255fbff2a9f5153d0f3a6e0a00a68b5668105998ca7c6060caebda578d03fd4 |
/data/data/com.wandafilm.app/databases/cc/cc.db
| MD5 | 5d7ea1a23af19b4340cc8d90f28297d5 |
| SHA1 | 4cfe95b23a9e98378d69c4290af81b51fbe76aea |
| SHA256 | 474c4a54534ed96beacad7cc9a805a3f53ec9c0522fc7bcc59771cf500a6a0da |
| SHA512 | 33071f4c92da0a3df01c4a61dd165df7c7e0f4f37753cafe02d19fc876a5e7fcbb01c069c804e140ab8bfa0644a55f50fd1373646d1c439f817baa5ffbd47f7b |
/data/data/com.wandafilm.app/databases/cc/cc.db-wal
| MD5 | 10c0c4d4e0aa0e9367bc98163dcafd13 |
| SHA1 | 9a42a84bd1429295b5e81d1f48c17f0a60d79082 |
| SHA256 | 434dac5766d75e95066b19364564c4783a64f8353e3e08e7f341247ef47a0321 |
| SHA512 | 4130b7c7151a860b1c04b2a7a3be13b05c6fc10140d95998ef8b91ddc7566e40186b431a0fa49f135cfdb97c64acdc905676dc437219caad461b4a8e14402ab2 |
/storage/emulated/0/Android/data/com.wandafilm.app/cache/locationCache/journal.tmp
| MD5 | 8c92de9ce46d41a22f3b20f77404cc1d |
| SHA1 | 8671a6dca00edb72be47363a7071be65cf270373 |
| SHA256 | 68bb33ddeed9200be85a71f70b377985f9ee68e91578afbde8321463396f1274 |
| SHA512 | 30f45fe9954215d6adafcc8f0a060a7ff41963a64f9b849a37f0d18fe045038d429ec13bf15226769c4ba78dad3c52f3d9e0dbbb4fcdea4828a1efe956e48f56 |
/storage/emulated/0/.UTSystemConfig/Global/Alvin2.xml
| MD5 | 9781ca003f10f8d0c9c1945b63fdca7f |
| SHA1 | 4156cf5dc8d71dbab734d25e5e1598b37a5456f4 |
| SHA256 | 3325d2a819fdd8062c2cdc48a09b995c9b012915bcdf88b1cf9742a7f057c793 |
| SHA512 | 25a9877e274e0e9df29811825bd4f680fa0bf0ae6219527e4f1dcd17d0995d28b2926192d961a06ee5bef2eed73b3f38ec4ffdd0a1cda7ff2a10dc5711ffdf03 |
/storage/emulated/0/.UTSystemConfig/Global/Alvin2.xml
| MD5 | 43043bc5228acfe030e62f699c86adf7 |
| SHA1 | 9f68ccb4c5497113437237eec08dcfdd674df372 |
| SHA256 | 76c172e91efdac6b16f12ab253c0a7623aff4c5e7a19fa53fd57a2e4db4c972b |
| SHA512 | 0d12485e31386150c513d3bb7d3d5aef9bdf2dbe21cd664a64b7af9eb5d0efabb57cb45bcb0ce2a3de47a0a136a7bec0b4ff4cb8078282b248b39782fc724355 |
/storage/emulated/0/.DataStorage/ContextData.xml
| MD5 | 92e1c69dc41b3db5dce4b441a8050782 |
| SHA1 | ac5fc9bdb724961be080780fe48e7bf0c0234495 |
| SHA256 | 74f5123aa64670eaadc085bf5185ceee4704e5d8e0689f7427c8dce5f4b47a16 |
| SHA512 | e2fe25346af26359792742ba375aef1db3355eb1882f8afd8b9818144304bdab44767af67255425e5ee9f5cb23919cc889107f2d552c75966c546e61e0d801fe |
/storage/emulated/0/.UTSystemConfig/Global/Alvin2.xml
| MD5 | fa0f1903c38b830f4334a7526f09a3c6 |
| SHA1 | d901c53bad2bc605b49c4f4b88fcb890acee770e |
| SHA256 | 2ebb50ba7e0d04f56eb7ea29c685efb6366cc537c83cfe3ba2ca7385dd776e74 |
| SHA512 | 671bf522046c70e9873dbc6bca690f4fe98f646843b447ebb33ae8956c118dfe5288baaa3da85ebe84232b39be0d059c6430cffab8b3e2260918bd58b7d79c75 |
/data/data/com.wandafilm.app/files/umeng_it.cache
| MD5 | d30390fe272837af3cf83ff270ef71d7 |
| SHA1 | bfa9751e8839b75c0e102e1fcdb2b128ae026f54 |
| SHA256 | 50b6e2f9008d0da8330a800c2334f60e15f7a9bd0e26450b0c89be2f01780fa7 |
| SHA512 | b44b302f5e8f294fdde9a3612364a3fe8bc6fa92b068ec61d0ee3a774bd4a30e4803fb77c1b26e363a25f3435c0d1a41c15684f232911b69082917df0cbcdaa9 |
/data/data/com.wandafilm.app/files/.umeng/exchangeIdentity.json
| MD5 | c2bc4dcd8be0c470e33954e47dd5d6c9 |
| SHA1 | 32ca2d27f747ffe404c65876620c334e01e2dbd4 |
| SHA256 | 8592832411680d3ae1ebd80d25f7a9254406b95ea4248d8a3072c1380be6b81d |
| SHA512 | 098bf552f6a8f014d7cef77a3db16bee44bed0c8292669319f02a69e204f10833837a9be1495c8e249aca60cd2a441f167629e701ee0f4c0bb3a911f1ac08a89 |
/data/data/com.wandafilm.app/databases/cc/cc.db-wal
| MD5 | af61fc478b6b84869c36059ebb8a2688 |
| SHA1 | a054bae68dcd61582c67717fb47b5c991f1b3bee |
| SHA256 | eb5a9cd7a81e8b5ff48f5080b73dfb4301ed9ce2a6e8ed0b9e567cd608e9edf3 |
| SHA512 | c1632a7293a6216f0fa2a48c9e12b4546c0e0760a9ab86da4912e0116c6e471dc52f15a91273f718fb8bf9370bcafa5dea96d625b9f18645c48a5800d241caf2 |
/data/data/com.wandafilm.app/databases/cc/cc.db
| MD5 | ce6135aa1b1fe4f2c2db2a546d2a5558 |
| SHA1 | 79b59582154017aadab783dc266fcb158c252940 |
| SHA256 | 7b45f576c08c7f78220168cca4a0e33198b13e9bdc8b1da406ddb6887412000c |
| SHA512 | 2839075fe374c8567c839ae35ce2d33ec72fdaebf170aa7d224b555e5b0e74d4a43f2f67d17ed806dae841da883e9620d788ea052d06152678afa927307c7ce4 |
/storage/emulated/0/Android/data/com.wandafilm.app/files/MiPushLog/log1.txt
| MD5 | 5654e12c6fa73250840e1d77edbf2a5a |
| SHA1 | fd8df6a6085b99d45ec7e79fd4d52e66bc91098c |
| SHA256 | 3783ebd00144aa5c3ca2799115966af3a6cb4b205599740885e7ba36d6838e7e |
| SHA512 | 28a9861ce550542ef272dcacdb1ea4f86e06c6921defbd02e300760002cf1d4b5ee45029829844af7846d2f4ef93366d7bc02a07cda0510f42c0968fb931548c |
/data/data/com.wandafilm.app/files/.um/um_cache_1717603468852.env
| MD5 | 2585d7a9ca4c0097547c3497a93cb4ca |
| SHA1 | 4154fe51b989f2183d0f9a3f267db4d936b61aa2 |
| SHA256 | a0ad9308ed231c997567f4d383438fdfb69d03aace05ed6d00d47d36d60a8824 |
| SHA512 | 11b67db159e352eec16ab9532ad6f9e58f9ae066f70a51cc3a92c988c2a7c4c6e28db6d2b6bf66d64e9249eee6210f961ae2372af0cd1b1a3cc1568a87cfcf94 |
/data/data/com.wandafilm.app/files/mobclick_agent_cached_com.wandafilm.app4610
| MD5 | a49148786168f0733e36ebd576545fb0 |
| SHA1 | bd5330c78ed1a4d0885d57b6fd9d08749dbef38c |
| SHA256 | d99ef8c4bd6e0996e0d938959b1d4bc9c9ccb508d0498f85b9f5616612b63ec1 |
| SHA512 | b162be1caad4a1174191889d8edd0922e86400a34eb1d39b91033e6b695843c46d869fa77f0d2c7b2e9a479c9a1fced44d1d4017d9d256d7e54bbb07538ee9c0 |
/storage/emulated/0/Android/data/com.wandafilm.app/files/carrierdata/1717603551
| MD5 | 45daf6b688333e571e627d2ecb006bfb |
| SHA1 | ab79b707f6d4ad6fe5879a429999862db9b002f0 |
| SHA256 | d1684e2a34a8ca7dd1c6fdf1ab1569a362df6ba617d8e90c516a7266180368e4 |
| SHA512 | 4767febc931f3817ddfaa135c874de2393cd2eb526a1d8e0002fbd248f3e0793aafa9a1e45c05c329ce3386ef69328473d55aa7cc6dbdde37c338b6c1b84c10e |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-05 16:02
Reported
2024-06-05 16:05
Platform
android-x86-arm-20240603-en
Max time kernel
3s
Max time network
130s
Command Line
Signatures
Processes
com.tenpay.android.service
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| N/A | 224.0.0.251:5353 | | udp |
| GB | 142.250.187.206:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 216.58.212.238:443 | android.apis.google.com | tcp |
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-06-05 16:02
Reported
2024-06-05 16:05
Platform
android-x86-arm-20240603-en
Max time kernel
7s
Max time network
130s
Command Line
Signatures
Processes
com.alipay.android.app
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| N/A | 224.0.0.251:5353 | | udp |
| GB | 142.250.200.46:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 216.58.201.110:443 | android.apis.google.com | tcp |
| GB | 172.217.169.74:443 | | tcp |
| GB | 172.217.169.74:443 | | tcp |