Malware Analysis Report

2025-05-28 18:46

Sample ID 241103-erl3maxndj
Target 89926abd46a7ae7058bdb4bc623b343d_JaffaCakes118
SHA256 2ec94de06334a2e235964298011d6221b3812aec8b9911dc9c2f815b9155f695
Tags
collection discovery evasion impact persistence
score
7/10


Analysis Overview

score
7/10

SHA256

2ec94de06334a2e235964298011d6221b3812aec8b9911dc9c2f815b9155f695

Threat Level: Shows suspicious behavior

The file 89926abd46a7ae7058bdb4bc623b343d_JaffaCakes118 was found to be: Shows suspicious behavior.

Malicious Activity Summary

collection discovery evasion impact persistence

Queries information about running processes on the device

Requests cell location

Queries information about active data network

Queries information about the current Wi-Fi connection

Requests dangerous framework permissions

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Reads information about phone network operator

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

Checks CPU information

Analysis: static1

Detonation Overview

Reported

2024-11-03 04:10

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows an application to record audio. android.permission.RECORD_AUDIO N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A
Allows an application to write the user's contacts data. android.permission.WRITE_CONTACTS N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS N/A N/A
Allows access to the list of accounts in the Accounts Service. android.permission.GET_ACCOUNTS N/A N/A
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-03 04:10

Reported

2024-11-03 04:13

Platform

android-x86-arm-20240624-en

Max time kernel

145s

Max time network

154s

Command Line

com.threeti.huimapatient

Signatures

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Requests cell location

collection discovery evasion
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getCellLocation N/A N/A

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description Indicator Process Target
N/A alog.umeng.com N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Reads information about phone network operator

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Processes

com.threeti.huimapatient

Network


Files

/storage/emulated/0/Android/data/com.threeti.huimapatient/hms#dtyprod/log/20241103/000.html


/data/data/com.threeti.huimapatient/files/umeng_it.cache


/storage/emulated/0/baidu/.cuid


/data/data/com.threeti.huimapatient/files/__local_stat_cache.json


/data/data/com.threeti.huimapatient/files/__local_ap_info_cache.json


/data/data/com.threeti.huimapatient/files/mobclick_agent_sealed_com.threeti.huimapatient


/storage/emulated/0/ShareSDK/.dk


Analysis: behavioral2

Detonation Overview

Submitted

2024-11-03 04:10

Reported

2024-11-03 04:13

Platform

android-x64-arm64-20240624-en

Max time kernel

146s

Max time network

158s

Command Line

com.threeti.huimapatient

Signatures

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Requests cell location

collection discovery evasion
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getCellLocation N/A N/A

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description Indicator Process Target
N/A alog.umeng.com N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Reads information about phone network operator

discovery

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Processes

com.threeti.huimapatient

Network


Files

/data/user/0/com.threeti.huimapatient/files/umeng_it.cache


/data/user/0/com.threeti.huimapatient/files/__local_stat_cache.json


/data/user/0/com.threeti.huimapatient/files/__local_ap_info_cache.json


/data/user/0/com.threeti.huimapatient/files/mobclick_agent_sealed_com.threeti.huimapatient


/storage/emulated/0/ShareSDK/.dk


Analysis: behavioral3

Detonation Overview

Submitted

2024-11-03 04:10

Reported

2024-11-03 04:13

Platform

android-x86-arm-20240624-en

Max time kernel

7s

Max time network

137s

Command Line

com.unionpay.uppay

Signatures

N/A

Processes

com.unionpay.uppay

mount

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 142.250.200.46:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.212.238:443 android.apis.google.com tcp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-11-03 04:10

Reported

2024-11-03 04:13

Platform

android-x64-20240910-en

Max time kernel

5s

Max time network

154s

Command Line

com.unionpay.uppay

Signatures

N/A

Processes

com.unionpay.uppay

Network


Files

N/A