Analysis Overview
SHA256
2ec94de06334a2e235964298011d6221b3812aec8b9911dc9c2f815b9155f695
Threat Level: Shows suspicious behavior
The file 89926abd46a7ae7058bdb4bc623b343d_JaffaCakes118 was found to show suspicious behavior.
Malicious Activity Summary
Queries information about running processes on the device
Requests cell location
Queries information about active data network
Queries information about the current Wi-Fi connection
Requests dangerous framework permissions
Domain associated with commercial stalkerware software, includes indicators from echap.eu.org
Reads information about the phone network operator
Registers a broadcast receiver at runtime (usually for listening for system events)
Uses Crypto APIs (Might try to encrypt user data)
Checks CPU information
MITRE ATT&CK
Mobile Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-03 04:10
Signatures
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A |
| Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A |
| Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A |
| Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A |
| Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A |
| Allows an application to write the user's contacts data. | android.permission.WRITE_CONTACTS | N/A | N/A |
| Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A |
| Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A |
| Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A |
| Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-03 04:10
Reported
2024-11-03 04:13
Platform
android-x86-arm-20240624-en
Max time kernel
145s
Max time network
154s
Command Line
Signatures
Queries information about running processes on the device
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A |
Requests cell location
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Framework service call | com.android.internal.telephony.ITelephony.getCellLocation | N/A | N/A |
Domain associated with commercial stalkerware software, includes indicators from echap.eu.org
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | alog.umeng.com | N/A | N/A |
Queries information about active data network
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |
Queries information about the current Wi-Fi connection
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A |
Reads information about the phone network operator
Registers a broadcast receiver at runtime (usually for listening for system events)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A |
Uses Crypto APIs (Might try to encrypt user data)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A |
Checks CPU information
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for read | /proc/cpuinfo | N/A | N/A |
Processes
com.threeti.huimapatient
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 1.1.1.1:53 | www.easemob.com | udp |
| US | 1.1.1.1:53 | v.hms21cn.com | udp |
| US | 1.1.1.1:53 | s.jpush.cn | udp |
| CN | 123.60.92.210:19000 | s.jpush.cn | udp |
| US | 1.1.1.1:53 | alog.umeng.com | udp |
| CN | 223.109.148.177:80 | alog.umeng.com | tcp |
| US | 1.1.1.1:53 | api.share.mob.com | udp |
| CN | 121.41.75.169:81 | v.hms21cn.com | tcp |
| US | 1.1.1.1:53 | hmma.baidu.com | udp |
| GB | 163.181.154.244:80 | www.easemob.com | tcp |
| HK | 103.235.46.195:80 | hmma.baidu.com | tcp |
| GB | 163.181.154.244:443 | www.easemob.com | tcp |
| CN | 180.188.25.42:80 | api.share.mob.com | tcp |
| US | 1.1.1.1:53 | a1.easemob.com | udp |
| CN | 101.201.233.110:80 | a1.easemob.com | tcp |
| US | 1.1.1.1:53 | sis.jpush.io | udp |
| CN | 123.60.92.210:19000 | sis.jpush.io | udp |
| CN | 223.109.148.130:80 | alog.umeng.com | tcp |
| GB | 216.58.201.110:443 | N/A | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.200.14:443 | android.apis.google.com | tcp |
| US | 1.1.1.1:53 | easytomessage.com | udp |
| CN | 110.41.53.90:19000 | easytomessage.com | udp |
| US | 113.31.17.108:19000 | N/A | udp |
| CN | 223.109.148.179:80 | alog.umeng.com | tcp |
| US | 113.31.17.106:7000 | N/A | tcp |
| US | 1.1.1.1:53 | im64.jpush.cn | udp |
| CN | 139.9.135.156:3000 | im64.jpush.cn | tcp |
| CN | 223.109.148.178:80 | alog.umeng.com | tcp |
| CN | 47.95.246.247:80 | a1.easemob.com | tcp |
| CN | 123.60.92.210:19000 | easytomessage.com | udp |
| CN | 123.60.92.210:19000 | easytomessage.com | udp |
| CN | 223.109.148.176:80 | alog.umeng.com | tcp |
| CN | 110.41.53.90:19000 | easytomessage.com | udp |
| CN | 223.109.148.141:80 | alog.umeng.com | tcp |
| US | 113.31.17.108:19000 | N/A | udp |
| US | 113.31.17.106:7000 | N/A | tcp |
| US | 1.1.1.1:53 | alog.umeng.co | udp |
| CN | 139.9.135.156:3000 | im64.jpush.cn | tcp |
| CN | 123.60.92.210:19000 | easytomessage.com | udp |
| CN | 123.60.92.210:19000 | easytomessage.com | udp |
| CN | 110.41.53.90:19000 | easytomessage.com | udp |
| US | 113.31.17.108:19000 | N/A | udp |
| US | 113.31.17.106:7000 | N/A | tcp |
| CN | 139.9.135.156:3000 | im64.jpush.cn | tcp |
| CN | 123.60.92.210:19000 | easytomessage.com | udp |
| CN | 123.60.92.210:19000 | easytomessage.com | udp |
| CN | 110.41.53.90:19000 | easytomessage.com | udp |
| US | 1.1.1.1:53 | api.share.mob.com | udp |
| CN | 180.188.25.42:80 | api.share.mob.com | tcp |
| US | 113.31.17.108:19000 | N/A | udp |
| US | 113.31.17.106:7000 | N/A | tcp |
| CN | 139.9.135.156:3000 | im64.jpush.cn | tcp |
Files
/storage/emulated/0/Android/data/com.threeti.huimapatient/hms#dtyprod/log/20241103/000.html
/data/data/com.threeti.huimapatient/files/umeng_it.cache
/storage/emulated/0/baidu/.cuid
/data/data/com.threeti.huimapatient/files/__local_stat_cache.json
/data/data/com.threeti.huimapatient/files/__local_ap_info_cache.json
/data/data/com.threeti.huimapatient/files/mobclick_agent_sealed_com.threeti.huimapatient
/storage/emulated/0/ShareSDK/.dk
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-03 04:10
Reported
2024-11-03 04:13
Platform
android-x64-arm64-20240624-en
Max time kernel
146s
Max time network
158s
Command Line
Signatures
Queries information about running processes on the device
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A |
Requests cell location
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Framework service call | com.android.internal.telephony.ITelephony.getCellLocation | N/A | N/A |
Domain associated with commercial stalkerware software, includes indicators from echap.eu.org
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | alog.umeng.com | N/A | N/A |
Queries information about active data network
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |
Queries information about the current Wi-Fi connection
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A |
Reads information about the phone network operator
Uses Crypto APIs (Might try to encrypt user data)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A |
Checks CPU information
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for read | /proc/cpuinfo | N/A | N/A |
Processes
com.threeti.huimapatient
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| GB | 142.250.187.238:443 | N/A | tcp |
| GB | 142.250.187.238:443 | N/A | tcp |
| GB | 142.250.187.238:443 | N/A | tcp |
| N/A | 224.0.0.251:5353 | N/A | udp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.178.14:443 | android.apis.google.com | tcp |
| GB | 172.217.169.74:443 | N/A | tcp |
| GB | 172.217.169.74:443 | N/A | tcp |
| US | 1.1.1.1:53 | www.easemob.com | udp |
| US | 1.1.1.1:53 | v.hms21cn.com | udp |
| CN | 121.41.75.169:81 | v.hms21cn.com | tcp |
| US | 1.1.1.1:53 | alog.umeng.com | udp |
| CN | 223.109.148.176:80 | alog.umeng.com | tcp |
| GB | 163.181.154.242:80 | www.easemob.com | tcp |
| US | 1.1.1.1:53 | s.jpush.cn | udp |
| CN | 124.70.128.38:19000 | s.jpush.cn | udp |
| GB | 163.181.154.242:443 | www.easemob.com | tcp |
| US | 1.1.1.1:53 | api.share.mob.com | udp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 142.250.179.232:443 | ssl.google-analytics.com | tcp |
| US | 1.1.1.1:53 | hmma.baidu.com | udp |
| CN | 180.188.25.42:80 | api.share.mob.com | tcp |
| US | 1.1.1.1:53 | a1.easemob.com | udp |
| HK | 103.235.46.195:80 | hmma.baidu.com | tcp |
| CN | 101.201.233.110:80 | a1.easemob.com | tcp |
| US | 1.1.1.1:53 | sis.jpush.io | udp |
| CN | 1.92.70.140:19000 | sis.jpush.io | udp |
| CN | 223.109.148.130:80 | alog.umeng.com | tcp |
| US | 1.1.1.1:53 | easytomessage.com | udp |
| CN | 110.41.53.90:19000 | easytomessage.com | udp |
| US | 113.31.17.108:19000 | N/A | udp |
| CN | 223.109.148.177:80 | alog.umeng.com | tcp |
| US | 113.31.17.106:7000 | N/A | tcp |
| US | 1.1.1.1:53 | im64.jpush.cn | udp |
| CN | 139.9.135.156:3000 | im64.jpush.cn | tcp |
| CN | 223.109.148.141:80 | alog.umeng.com | tcp |
| CN | 47.95.246.247:80 | a1.easemob.com | tcp |
| GB | 142.250.200.36:443 | N/A | tcp |
| CN | 124.70.128.38:19000 | easytomessage.com | udp |
| GB | 142.250.200.36:443 | N/A | tcp |
| US | 1.1.1.1:53 | www.google.com | udp |
| GB | 142.250.187.196:443 | www.google.com | tcp |
| CN | 1.92.70.140:19000 | easytomessage.com | udp |
| CN | 223.109.148.179:80 | alog.umeng.com | tcp |
| CN | 110.41.53.90:19000 | easytomessage.com | udp |
| CN | 223.109.148.178:80 | alog.umeng.com | tcp |
| US | 113.31.17.108:19000 | N/A | udp |
| US | 113.31.17.106:7000 | N/A | tcp |
| US | 1.1.1.1:53 | alog.umeng.co | udp |
| CN | 139.9.135.156:3000 | im64.jpush.cn | tcp |
| CN | 124.70.128.38:19000 | easytomessage.com | udp |
| CN | 1.92.70.140:19000 | easytomessage.com | udp |
| CN | 110.41.53.90:19000 | easytomessage.com | udp |
| US | 113.31.17.108:19000 | N/A | udp |
| US | 113.31.17.106:7000 | N/A | tcp |
| CN | 139.9.135.156:3000 | im64.jpush.cn | tcp |
| CN | 124.70.128.38:19000 | easytomessage.com | udp |
| US | 1.1.1.1:53 | sis.jpush.io | udp |
| CN | 116.205.165.66:19000 | sis.jpush.io | udp |
| CN | 110.41.53.90:19000 | easytomessage.com | udp |
| US | 113.31.17.108:19000 | N/A | udp |
| US | 1.1.1.1:53 | api.share.mob.com | udp |
| CN | 180.188.25.42:80 | api.share.mob.com | tcp |
| US | 113.31.17.106:7000 | N/A | tcp |
| US | 1.1.1.1:53 | im64.jpush.cn | udp |
| CN | 119.3.188.193:3000 | im64.jpush.cn | tcp |
Files
/data/user/0/com.threeti.huimapatient/files/umeng_it.cache
/data/user/0/com.threeti.huimapatient/files/__local_stat_cache.json
/data/user/0/com.threeti.huimapatient/files/__local_ap_info_cache.json
/data/user/0/com.threeti.huimapatient/files/mobclick_agent_sealed_com.threeti.huimapatient
/storage/emulated/0/ShareSDK/.dk
Analysis: behavioral3
Detonation Overview
Submitted
2024-11-03 04:10
Reported
2024-11-03 04:13
Platform
android-x86-arm-20240624-en
Max time kernel
7s
Max time network
137s
Command Line
Signatures
Processes
com.unionpay.uppay
mount
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| N/A | 224.0.0.251:5353 | N/A | udp |
| GB | 142.250.200.46:443 | N/A | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 216.58.212.238:443 | android.apis.google.com | tcp |
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-11-03 04:10
Reported
2024-11-03 04:13
Platform
android-x64-20240910-en
Max time kernel
5s
Max time network
154s
Command Line
Signatures
Processes
com.unionpay.uppay
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| N/A | 224.0.0.251:5353 | N/A | udp |
| GB | 216.58.204.74:443 | N/A | tcp |
| GB | 142.250.200.46:443 | N/A | tcp |
| GB | 142.250.200.46:443 | N/A | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 142.250.200.8:443 | ssl.google-analytics.com | tcp |
| GB | 142.250.178.14:443 | android.apis.google.com | tcp |
| GB | 142.250.187.195:443 | N/A | tcp |