Malware Analysis Report

2025-08-06 01:23

Sample ID 241018-s4wdqaxaqq
Target 583f100323ed26b0f6eaeddd1f73c41a_JaffaCakes118
SHA256 1d0b79d3c3346c66e464bd08e275b7cafcf91b4cdfc133ddd1617ab40a57f0e1
Tags banker discovery impact persistence
Score 7/10

Analysis Overview

Score 7/10

SHA256 1d0b79d3c3346c66e464bd08e275b7cafcf91b4cdfc133ddd1617ab40a57f0e1

Threat Level: Shows suspicious behavior

The file 583f100323ed26b0f6eaeddd1f73c41a_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

banker discovery impact persistence

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Queries information about running processes on the device

Queries information about the current nearby Wi-Fi networks

Reads information about phone network operator

Requests dangerous framework permissions

Acquires the wake lock

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Queries information about active data network

Queries information about the current Wi-Fi connection

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

Checks CPU information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-10-18 15:41

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows an application to record audio. android.permission.RECORD_AUDIO N/A N/A
Allows access to the list of accounts in the Accounts Service. android.permission.GET_ACCOUNTS N/A N/A
Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-10-18 15:41
Reported 2024-10-18 15:45
Platform android-x86-arm-20240624-en
Max time kernel 113s
Max time network 152s

Command Line

com.android.cheyooh

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Queries information about the current nearby Wi-Fi networks

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getScanResults N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description Indicator Process Target
N/A alog.umeng.com N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Reads information about phone network operator

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Processes

com.android.cheyooh

Network


Files

/storage/emulated/0/ShareSDK/.dk

/storage/emulated/0/Android/data/com.android.cheyooh/cache/newlocationCache/journal.tmp

/data/data/com.android.cheyooh/files/jpush_stat_cache.json

/data/data/com.android.cheyooh/databases/ThrowalbeLog.db-journal

/data/data/com.android.cheyooh/databases/ThrowalbeLog.db

/data/data/com.android.cheyooh/databases/ThrowalbeLog.db-shm

/data/data/com.android.cheyooh/databases/ThrowalbeLog.db-wal

/data/data/com.android.cheyooh/files/mobclick_agent_cached_com.android.cheyooh

/data/data/com.android.cheyooh/databases/sharesdk.db-journal

/data/data/com.android.cheyooh/databases/sharesdk.db-wal

/storage/emulated/0/ShareSDK/.ba
