Malware Analysis Report

2025-08-10 13:11

Sample ID 241016-dym3tszfne
Target 4b3558a7df4fd618b3dfb843f49d2a9f_JaffaCakes118
SHA256 f67f6b9ae0caa88fa51171d0acafaeabc98855828a9b6978fe1bbfab53fc6818
Tags
collection discovery evasion impact persistence
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

f67f6b9ae0caa88fa51171d0acafaeabc98855828a9b6978fe1bbfab53fc6818

Threat Level: Shows suspicious behavior

The file 4b3558a7df4fd618b3dfb843f49d2a9f_JaffaCakes118 was classified as showing suspicious behavior (score 7/10). Every signature that fired is a generic behavior signature (collection, discovery, evasion, impact, persistence); no family-specific detection is listed in this report.

Malicious Activity Summary

collection discovery evasion impact persistence

Queries information about running processes on the device

Queries the phone number (MSISDN for GSM devices)

Requests cell location

Queries information about active data network

Declares broadcast receivers with permission to handle system events

Requests dangerous framework permissions

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-16 03:25

Signatures

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A
Allows an application to see the number being dialed during an outgoing call with the option to redirect the call to a different number or abort the call altogether. | android.permission.PROCESS_OUTGOING_CALLS | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A
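The two static1 signatures above come down to two manifest checks: which requested permissions fall in the dangerous (or appop-gated "special") set, and whether any receiver is guarded by a system bind permission such as android.permission.BIND_DEVICE_ADMIN. The script below is an added example, not code from the sandbox vendor or from the sample's author; it runs the same two checks over a constructed manifest that requests exactly the permissions listed in this report and declares one device-admin receiver beside an unguarded one. It assumes the manifest has already been decoded from binary XML to text (for example with apktool); the package name, receiver names and the INTERNET permission in the sample manifest are invented for the demonstration.

```python
"""Static triage of a decoded AndroidManifest.xml: flags the sensitive
permissions and the device-admin receiver that the static1 signatures report."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions the report groups under "Requests dangerous framework permissions".
# Most carry protectionLevel=dangerous; SYSTEM_ALERT_WINDOW and WRITE_SETTINGS
# are appop-gated "special" permissions on current Android releases but are
# just as relevant to triage (overlay abuse, settings tampering).
SENSITIVE_PERMISSIONS = {
    "android.permission.READ_PHONE_STATE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_SETTINGS",
    "android.permission.PROCESS_OUTGOING_CALLS",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.SYSTEM_ALERT_WINDOW",
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.RECORD_AUDIO",
    "android.permission.SEND_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.ACCESS_FINE_LOCATION",
}

# A receiver guarded by one of these permissions binds to a privileged system
# contract; BIND_DEVICE_ADMIN marks a DeviceAdminReceiver.
SYSTEM_BIND_PERMISSIONS = {"android.permission.BIND_DEVICE_ADMIN"}

# Constructed manifest for demonstration (not decoded from the sample): it
# requests the permissions listed in this report plus the normal INTERNET
# permission, and declares one device-admin receiver next to an unguarded one.
SAMPLE_MANIFEST = (
    '<manifest xmlns:android="http://schemas.android.com/apk/res/android"\n'
    '    package="com.example.sample">\n'
    + "".join(f'    <uses-permission android:name="{p}"/>\n'
              for p in sorted(SENSITIVE_PERMISSIONS))
    + '    <uses-permission android:name="android.permission.INTERNET"/>\n'
    '    <application android:label="sample">\n'
    '        <receiver android:name=".AdminReceiver"\n'
    '            android:permission="android.permission.BIND_DEVICE_ADMIN">\n'
    '            <intent-filter>\n'
    '                <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>\n'
    '            </intent-filter>\n'
    '        </receiver>\n'
    '        <receiver android:name=".PlayerReceiver">\n'
    '            <intent-filter>\n'
    '                <action android:name="com.example.sample.PLAY"/>\n'
    '            </intent-filter>\n'
    '        </receiver>\n'
    '    </application>\n'
    '</manifest>\n'
)


def _attr(elem, name, default=None):
    """Read an android:-namespaced attribute from a manifest element."""
    return elem.get(f"{{{ANDROID_NS}}}{name}", default)


def triage_manifest(xml_text):
    """Return the requested permissions, the sensitive subset, receivers guarded
    by a system bind permission, and the signature names that would fire."""
    root = ET.fromstring(xml_text)
    requested = [_attr(e, "name", "") for e in root.iter("uses-permission")]
    sensitive = sorted(p for p in requested if p in SENSITIVE_PERMISSIONS)
    guarded = [
        (_attr(r, "name", ""), _attr(r, "permission", ""))
        for r in root.iter("receiver")
        if _attr(r, "permission") in SYSTEM_BIND_PERMISSIONS
    ]
    signatures = []
    if guarded:
        signatures.append("Declares broadcast receivers with permission to handle system events")
    if sensitive:
        signatures.append("Requests dangerous framework permissions")
    return {
        "package": root.get("package"),
        "requested": requested,
        "sensitive": sensitive,
        "guarded_receivers": guarded,
        "signatures": signatures,
    }


if __name__ == "__main__":
    result = triage_manifest(SAMPLE_MANIFEST)
    for sig in result["signatures"]:
        print("[+]", sig)
    for name, perm in result["guarded_receivers"]:
        print("    receiver", name, "guarded by", perm)
    for perm in result["sensitive"]:
        print("    requests", perm)
```

Run it on a real decoded manifest by passing the file contents to triage_manifest(); the unguarded .PlayerReceiver and the INTERNET permission are there to show that ordinary components and normal permissions are not flagged.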

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-16 03:25

Reported

2024-10-16 03:27

Platform

android-x86-arm-20240624-en

Max time kernel

149s

Max time network

156s

Command Line

com.duomi.android

Signatures

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Requests cell location

collection discovery evasion
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getCellLocation | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.duomi.android

cat /sys/class/net/wlan0/address

Network

Country | Destination | Domain | Proto
US | 1.1.1.1:53 | serviceinfo.sdk.duomi.com | udp
US | 1.1.1.1:53 | chan.game.duomi.com | udp
US | 1.1.1.1:53 | service.ad.duomi.com | udp
CN | 43.241.76.190:80 | serviceinfo.sdk.duomi.com | tcp
CN | 59.151.12.92:80 | - | tcp
CN | 59.151.12.93:80 | service.ad.duomi.com | tcp
US | 1.1.1.1:53 | api.exc.mob.com | udp
US | 1.1.1.1:53 | api.share.mob.com | udp
CN | 180.188.25.46:80 | api.exc.mob.com | tcp
CN | 180.188.25.42:80 | api.share.mob.com | tcp
CN | 59.151.12.92:80 | - | tcp
GB | 216.58.201.110:443 | - | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 172.217.16.238:443 | android.apis.google.com | tcp
CN | 59.151.12.92:80 | - | tcp
CN | 43.241.76.190:80 | serviceinfo.sdk.duomi.com | tcp
CN | 59.151.12.92:80 | - | tcp
CN | 59.151.12.93:80 | service.ad.duomi.com | tcp
US | 1.1.1.1:53 | m.data.mob.com | udp
CN | 180.188.25.47:80 | m.data.mob.com | tcp
CN | 59.151.12.92:80 | - | tcp
US | 1.1.1.1:53 | devs.data.mob.com | udp
CN | 180.188.25.17:80 | devs.data.mob.com | tcp
US | 1.1.1.1:53 | m.data.mob.com | udp
CN | 180.188.25.47:80 | m.data.mob.com | tcp
CN | 59.151.12.92:80 | - | tcp
US | 1.1.1.1:53 | iframe.ip138.com | udp
CN | 59.57.13.182:80 | iframe.ip138.com | tcp
CN | 59.151.12.91:80 | - | tcp
CN | 59.151.12.91:80 | - | tcp
US | 1.1.1.1:53 | m.data.mob.com | udp
CN | 180.188.25.47:80 | m.data.mob.com | tcp
CN | 59.151.12.91:80 | - | tcp
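The network table above is a raw connection log with repeats, so the useful triage output is the reduced form: distinct names resolved, distinct endpoints contacted (with hit counts), endpoints on cleartext port 80, endpoints the sandbox could not tie to a name, and names that were resolved but never connected to. The script below is an added example, not part of the sandbox's own reporting; it embeds the rows of this report's behavioral1 table as its input and assumes that 1.1.1.1 on udp/53 is the sandbox's resolver rather than a contact the sample chose. It does not guess a name for the unnamed 59.151.12.9x and 216.58.201.110 endpoints.

```python
"""Reduce the behavioral1 network table to IOCs and highlight what a triager
should look at: cleartext endpoints, endpoints with no resolved name, and names
resolved but never contacted."""
from collections import Counter

SANDBOX_RESOLVER = "1.1.1.1"  # assumption: the sandbox DNS forwarder (udp/53 rows)

# Rows copied from this report's behavioral1 network table (header omitted).
NETWORK_ROWS = """\
US 1.1.1.1:53 serviceinfo.sdk.duomi.com udp
US 1.1.1.1:53 chan.game.duomi.com udp
US 1.1.1.1:53 service.ad.duomi.com udp
CN 43.241.76.190:80 serviceinfo.sdk.duomi.com tcp
CN 59.151.12.92:80 tcp
CN 59.151.12.93:80 service.ad.duomi.com tcp
US 1.1.1.1:53 api.exc.mob.com udp
US 1.1.1.1:53 api.share.mob.com udp
CN 180.188.25.46:80 api.exc.mob.com tcp
CN 180.188.25.42:80 api.share.mob.com tcp
CN 59.151.12.92:80 tcp
GB 216.58.201.110:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 172.217.16.238:443 android.apis.google.com tcp
CN 59.151.12.92:80 tcp
CN 43.241.76.190:80 serviceinfo.sdk.duomi.com tcp
CN 59.151.12.92:80 tcp
CN 59.151.12.93:80 service.ad.duomi.com tcp
US 1.1.1.1:53 m.data.mob.com udp
CN 180.188.25.47:80 m.data.mob.com tcp
CN 59.151.12.92:80 tcp
US 1.1.1.1:53 devs.data.mob.com udp
CN 180.188.25.17:80 devs.data.mob.com tcp
US 1.1.1.1:53 m.data.mob.com udp
CN 180.188.25.47:80 m.data.mob.com tcp
CN 59.151.12.92:80 tcp
US 1.1.1.1:53 iframe.ip138.com udp
CN 59.57.13.182:80 iframe.ip138.com tcp
CN 59.151.12.91:80 tcp
CN 59.151.12.91:80 tcp
US 1.1.1.1:53 m.data.mob.com udp
CN 180.188.25.47:80 m.data.mob.com tcp
CN 59.151.12.91:80 tcp
"""


def parse_rows(text):
    """Parse 'CC ip:port [domain] proto' rows. A pipe-separated layout with '-'
    for an empty domain cell is accepted too; header and junk lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = [p for p in line.replace("|", " ").split() if p != "-"]
        if len(parts) == 3:
            country, dest, proto = parts
            domain = None
        elif len(parts) == 4:
            country, dest, domain, proto = parts
        else:
            continue
        ip, _, port = dest.rpartition(":")
        if not port.isdigit():
            continue  # header row or malformed destination
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto.lower()})
    return rows


def summarise(rows):
    """Split resolver traffic from real contacts and derive the IOC summary."""
    dns_names = set()
    hits = Counter()
    names = {}  # (ip, port) -> domain the sandbox tied to it, or None
    for r in rows:
        key = (r["ip"], r["port"])
        if r["proto"] == "udp" and r["port"] == 53 and r["ip"] == SANDBOX_RESOLVER:
            if r["domain"]:
                dns_names.add(r["domain"])
            continue
        hits[key] += 1
        names[key] = names.get(key) or r["domain"]
    contacted = {d for d in names.values() if d}
    return {
        "dns_names": sorted(dns_names),
        "endpoints": {f"{ip}:{port}": {"domain": names[(ip, port)], "hits": n}
                      for (ip, port), n in hits.items()},
        "cleartext": sorted(f"{ip}:{port}" for (ip, port) in hits if port == 80),
        "unnamed": sorted(f"{ip}:{port}" for (ip, port), d in names.items() if not d),
        "resolved_not_contacted": sorted(dns_names - contacted),
    }


if __name__ == "__main__":
    report = summarise(parse_rows(NETWORK_ROWS))
    print("DNS names:", ", ".join(report["dns_names"]))
    for ep, info in sorted(report["endpoints"].items()):
        print(f"{ep:22} {info['hits']:2}x  {info['domain'] or '(no name)'}")
    print("cleartext (port 80):", len(report["cleartext"]))
    print("unnamed endpoints:", report["unnamed"])
    print("resolved but never contacted:", report["resolved_not_contacted"])
```

On this table the reduction yields 9 resolved names, 11 distinct endpoints of which 9 are cleartext HTTP, 3 endpoints with no associated name (the two 59.151.12.9x hosts and 216.58.201.110:443), and one name, chan.game.duomi.com, that was looked up but never connected to; 59.151.12.92:80 is the most frequently contacted endpoint, so it is the first one to pull a PCAP for.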

Files

/storage/emulated/0/DUOMI/fo/EMF

MD5 30cac26d3a08ff195061078ca8b4ed4b
SHA1 ea43602f8a9e803559c687ee5c14fe13ca0ede0d
SHA256 515868e15d76248088bcd2b4cfd8b79450c304f079bd8592b248b58190c405fb
SHA512 9682f1b1574c4eea9fc531b11c57a4049d26cbd0ee19e3fb43d140ae6995c4d2ccba577ac05edd19a46dcbd795cc266b45ba06cce04fbbbc9456ec6c5316c827

/storage/emulated/0/DUOMI/fo/TS

MD5 dfd31ecd9c4a8b68825c92f3bc6e011b
SHA1 a83edfc464ea038797f1468c7869b90a1d18d71f
SHA256 176ce01db7238b60cc89dc7d7b1bcfc48dfacd6d041c659f144801b3009663a5
SHA512 e8ddb46552bfa8bf5b1166b0ca1d2fbe15a4bd20b50086b3425800f2f59fec751927eff28a0524f45f3c2f0bfcf796f4beee0cae096b0280687e218f09ce1984

/storage/emulated/0/DUOMI/cache/-1468876515

MD5 dab5e7dd9aa3f42e12d33fe90ddc4ea3
SHA1 67e3fab5acd5c296ecb61f3d57f294c8ff63164e
SHA256 263b57467ecb14e1edfe982e39aa1253d88e6763a071568beac717ead1b729b8
SHA512 d0aa3c0162217b9eb5765e38196910aae2581ab152efd222ef59be495d5ec27ab4ed637d30b490d9492c983b62767155ba2e31a8906d4dc5dabd0ba4805412cd

/storage/emulated/0/DUOMI/docpath/playlist/playlist.dat.tmp

MD5 9a52f398ca8583b5217d4bc432264531
SHA1 5ec8370e55b344731b7faea3750099d02206b988
SHA256 f720fcd587b2e60d97534cada8aa3b07bf8344bf6a9a496635c2f8982f887943
SHA512 131103a03ad755407ae28627799e5ace3141708ae2be3c97a5b672a1f66d9bc2881168c15724e2085757b10dae5edc4ceb796b1e79a5f93411d408bb5bdf5618

/storage/emulated/0/DUOMI/docpath/playlist/curr_playlist.dat.tmp

MD5 ca3b3b7a6a624037f3a665d09e3fa3f4
SHA1 6e95464ec529a27f42d713944c0215514427342f
SHA256 1f584ea8bff3b311c742a133b75235945dcfa9a5fca0884d9e826e25e9ca4f89
SHA512 4ac022feb32044f8c7f512fdfd6efb1f1495d3f4317ac7316f17aa95deba75cca5602fd6d9b5151a4cfecbed59e1a0c769dc0f671f963f2eab667c57842f179e

/storage/emulated/0/DUOMI/log/duomi.log

MD5 185033afa4aba4eccf91d7fe5edc7f0b
SHA1 0be56591cdaa489e8079d0820fd4ed14066b2534
SHA256 120e6f1ba6e71c67753a82a3ac82916c4ff0ae84e13c41c220613495ce7cbcfa
SHA512 5df2d900906ccce77fbb974ef990cf43acb4ff9c042334bcccb8e4d33bc124ec673ad49c678901e5aa04b4ad664d72521e10254abbbf3671eb7b4e5042f10550

/data/data/com.duomi.android/databases/ThrowalbeLog.db-journal

MD5 4a5f67889cadcb187800208c08a09585
SHA1 f8c09c6546f25dbf838181a14b29414c13392ace
SHA256 394a598e48efd8fbc58e97a791eca6830651fae9978f10b086b15042cdbf4f96
SHA512 4beb386935640d7a81000b42e8c6838509343be717d63e07f5cd02cff797617454bc9d67104c07f5aed5e3196232d9fb9586e54883d54257677175d7dcc3c2c7

/data/data/com.duomi.android/databases/ThrowalbeLog.db

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.duomi.android/databases/ThrowalbeLog.db-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.duomi.android/databases/ThrowalbeLog.db-wal

MD5 6196a64f32c670fd2b1f843d9ebc49d4
SHA1 29c4b7b3cf843803c86a2befb057df300271d299
SHA256 d01d1b4ff34b29798a81d1e845684d85db2e419fc189f58e835d0af265ccfefd
SHA512 ba494fb52c1e103f0da2a8037cbc5daabeb21e4e464a6d2d0cf0c1eb30de52ee3902d7d56f8474aba60a3304d557835dcc7d4bb8a7b51a97cd8b6949a1f9fa5f

/storage/emulated/0/DUOMI/log/duomi.log

MD5 6aef1101f45adba6f81434298f1ffaea
SHA1 58b549daa05c64d5477419203d7083ab9b09c957
SHA256 4f75e2983979f66e8cf473b8dd5ac2fa40dd6b19f8c806c73de4bd5ca06512d5
SHA512 337919e21b7b0eda6f76d7cb7991b924d4b954938c0e9d1007448d2b52f52411f2836a900b875406e0748f0ba7632b6c0250f04e4572c966c86dd8bc608f6493

/storage/emulated/0/DUOMI/log/duomi.log

MD5 1bd4119880f6422ff03b2625d29a4a27
SHA1 e4c10c59f242880dd1e446874262db396857912f
SHA256 0fa5f023e279e28cab332a042adcc2abe5a1dc3fa9b713e281c30a94f26cc47a
SHA512 ce7b8b3050a27dc121ca89b087afcb8bc5b3c13c727e3937be3c2a42fcace180ccccb1a37c138ac7eb645691d7cbf9d82120faa006c3f5de1a0cd0e13b8fdc69

/storage/emulated/0/DUOMI/log/duomi.log

MD5 c67c7ad39b7a806b23d77e9a256e83e0
SHA1 db466ee33603fdd8cac4a96686013919df796178
SHA256 c80f55ead3f5fb4dffe1c2b2948f7604e00bc2a173fbf49aa9d24565b64a7781
SHA512 a2510c992d6223d25b03acd8dc0828bb5573779cee776184ea5ec258d27cf810bcf81ce39baaf5b33419b6d7653d29706b0e110f11ef43bfeab193f83a268fed

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-16 03:25

Reported

2024-10-16 03:27

Platform

android-x86-arm-20240624-en

Max time kernel

2s

Max time network

131s

Command Line

com.alipay.android.app

Signatures

N/A

Processes

com.alipay.android.app

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | - | udp
GB | 216.58.204.78:443 | - | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.206:443 | android.apis.google.com | tcp

Files

N/A