4b81db8603eb8fe5fdd8fea1de4dc3f47a173bdd83430138d841c927f379e4c7

General

Target

4b81db8603eb8fe5fdd8fea1de4dc3f47a173bdd83430138d841c927f379e4c7.apk
Size

8.4MB
MD5

3ad2ff46c4d7b246f26b10020f02d88a
SHA1

c9a8ccd051876c270ace7d5cadd64dcd296465a8
SHA256

4b81db8603eb8fe5fdd8fea1de4dc3f47a173bdd83430138d841c927f379e4c7
SHA512

69a86a3725217184ec1223e5cb87b2d32b5ddd7a4cabddc140122c5faf1a4811c632537a4eae86f491b93eedbc2d73fe3e651a31153e047fd25cba0d97350993
SSDEEP

98304:e/jcu3Ng3s1FCd621y5JLOrqBjB4FYH6p4EWMUpx9aOstsW5zYNNFGn38urBpF8z:gjUsDa1yHX14FFGXaOVVjOsSp86p+gM

Score

7^/10

Malware Config

Signatures

Checks Android system properties for emulator presence. 7 IoCs

description	ioc	Process
Accessed system property	key: ro.bootloader	com.wzty.ly
Accessed system property	key: ro.bootmode	com.wzty.ly
Accessed system property	key: ro.hardware	com.wzty.ly
Accessed system property	key: ro.product.device	com.wzty.ly
Accessed system property	key: ro.product.model	com.wzty.ly
Accessed system property	key: ro.product.name	com.wzty.ly
Accessed system property	key: ro.serialno	com.wzty.ly

Checks Qemu related system properties. 7 IoCs

Checks for Android system properties related to Qemu for Emulator detection.

description	ioc	Process
Accessed system property	key: init.svc.qemu-props	com.wzty.ly
Accessed system property	key: qemu.hw.mainkeys	com.wzty.ly
Accessed system property	key: qemu.sf.fake_camera	com.wzty.ly
Accessed system property	key: ro.kernel.android.qemud	com.wzty.ly
Accessed system property	key: ro.kernel.qemu.gles	com.wzty.ly
Accessed system property	key: ro.kernel.qemu	com.wzty.ly
Accessed system property	key: init.svc.qemud	com.wzty.ly

Loads dropped Dex/Jar 9 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/data/com.wzty.ly/.jiagu/classes.dex	4242	com.wzty.ly
/data/data/com.wzty.ly/.jiagu/classes.dex!classes2.dex	4242	com.wzty.ly
/data/data/com.wzty.ly/.jiagu/tmp.dex	4242	com.wzty.ly
/data/data/com.wzty.ly/.jiagu/tmp.dex	4291	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/data/com.wzty.ly/.jiagu/tmp.dex --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/data/com.wzty.ly/.jiagu/oat/x86/tmp.odex --compiler-filter=quicken --class-loader-context=&
/data/data/com.wzty.ly/.jiagu/tmp.dex	4242	com.wzty.ly
/data/data/com.wzty.ly/.jiagu/classes.dex	4327	com.wzty.ly:pushcore
/data/data/com.wzty.ly/.jiagu/classes.dex!classes2.dex	4327	com.wzty.ly:pushcore
/data/data/com.wzty.ly/.jiagu/tmp.dex	4327	com.wzty.ly:pushcore
/data/data/com.wzty.ly/.jiagu/tmp.dex	4327	com.wzty.ly:pushcore

Reads information about phone network operator.

Uses Crypto APIs (Might try to encrypt user data) 1 IoCs

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.wzty.ly

com.wzty.ly
1⤵
- Checks Android system properties for emulator presence.
- Checks Qemu related system properties.
- Loads dropped Dex/Jar
- Uses Crypto APIs (Might try to encrypt user data)
PID:4242
- chmod 755 /data/data/com.wzty.ly/.jiagu/libjiagu.so
  2⤵
  PID:4267
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/data/com.wzty.ly/.jiagu/tmp.dex --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/data/com.wzty.ly/.jiagu/oat/x86/tmp.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4291
- sh -c ps
  2⤵
  PID:4483
- ps
  2⤵
  PID:4483
- ps daemonsu
  2⤵
  PID:4507
- ps | grep su
  2⤵
  PID:4526

com.wzty.ly:pushcore
1⤵
- Loads dropped Dex/Jar
PID:4327

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.wzty.ly/.jiagu/classes.dex

Filesize
4.0MB

MD5
299cd92f6f74d4c61f2f24c6d44fc859

SHA1
d52af4a0829728fb66232c9287f515aa4bed4fa5

SHA256
3812a1d7fadfba5818f4bd10855a8d52d59037373b797fe39a1cd481451da752

SHA512
5ff683172a94247f0ebd7def7d5a4d33584bf2b0353ffbbfc4e16d225a3c7cda51cf410054d30f1a30e1c97b2a1042bd7df8a31cb2ebc03ce74a43f981565eb0

Download Submit
/data/data/com.wzty.ly/.jiagu/classes.dex

Filesize
6.5MB

MD5
4621389751f5182084ff94c6095786fd

SHA1
629e19a6e3f54a13703661eedbed1e82d35ef48a

SHA256
9b69728ac5120361a074863caa9f6fecb1c6803b29155b93e86382e5133e8667

SHA512
70d9ac04542c1b8cecfbc562a689b97a393758ad5bd169f95e2405bcec415645ad5272921e904936ea488b454a46d5423df35e860aa84fbc5c186a51ff4183cc

Download Submit
/data/data/com.wzty.ly/.jiagu/classes.dex!classes2.dex

Filesize
799KB

MD5
31f3b3d4d218c20e5b298febe660d367

SHA1
9b104c4c89b0a8a44c4e10bd5a1114fd39d29dd5

SHA256
ff59d2a6626df4597326211e6bf79e11a69f6cfec21b08448d9922f3199efab8

SHA512
329db946c0cef0171c78bb84f2b0ded37824a2b17e270c8ff326af3f8f4a6edba95ad3af3aaa87c380a76c30577f3bf3f9a747fa05dbe707cb8b86f91361dd3a

Download Submit
/data/data/com.wzty.ly/.jiagu/libjiagu.so

Filesize
455KB

MD5
e5a53000766ebc433b27d6a66ec4f555

SHA1
2c8f53f1c03aec2005bcad67d731f07261dabde0

SHA256
78e4ea857f10c2df6c7b94f0584524b52ecc099ed29478fe3964037b8a86ed2e

SHA512
370a1cb93b14556ad861724f4e9995c9a4c6d37cf2d570f888d1c6000c66d27ac63496b0703361e9fc9bc7f309b7aa4407c5f339d186b0a5b72520d23d04b68d

Download Submit
/data/data/com.wzty.ly/.jiagu/tmp.dex

Filesize
284B

MD5
f1771b68f5f9b168b79ff59ae2daabe4

SHA1
0df6a835559f5c99670214a12700e7d8c28e5a42

SHA256
9f8898ce35a47aeafced99ea0d17c33e73037bb2307c7688e50819966f4ae939

SHA512
dae27d19727b89bec49398503baa6801640540355688dfabbe689c97545295c2c2d9b0f0dcd7cbc4cfbf701d0c0c3289e647a152f49ff242d1ecc741efe4145d

Download Submit
/data/data/com.wzty.ly/files/.jglogs/.jg.ac

Filesize
40B

MD5
d32c756102721801b1d3070d37d7a46e

SHA1
f5b1ded0b2218eae77329530d70d41f00812c515

SHA256
2339b93c4b4f73b07b23bfb5fa1c3b2465648f88ff3627c69644e10e9c6a3453

SHA512
a041988a025c35864f5cc964fbc2b100291676402eba2c3acc0f397c4590e532d4f1a1c545fc8f8c982e5bfa3524fb93770082decd945597a4642236eabcddd8

Download Submit
/data/data/com.wzty.ly/files/.jglogs/.jg.di

Filesize
340B

MD5
18195e4c06df53a01b4412ec13993911

SHA1
2f41e4b9bef4f02f787cd2a7342d1bc06209efd0

SHA256
e54401b061e2661004c95f930f4aed814ebc0baa453d3ea210e2bc0c45129c3e

SHA512
c7511ad1ede4089888f19f43c015286ab4a86b41bec9c193f6d1fe6967e92a570438ccd2aa90b48096b9f3f4af74b93dc1eb8d740c9abe90ef2e690a47da55cd

Download Submit
/storage/emulated/0/data/.push_deviceid

Filesize
32B

MD5
6ea1dc8d38125dba8c60b32deb4ac564

SHA1
83cf8c64b7c52ca5124c3c66727fb297235a773c

SHA256
e4402f3a14bb4c7b0a0d6411c08ae511c0052b409c39a67c15bcfb880ab84e68

SHA512
b45aa5285ba9dcd89101780bf7d88bc5c21f544a14ca9f16ce1b495212294e4a22634db42da893db1effdce081c8825f409e0f30fc5a821dd09610a09a7429ed

Download Submit

Analysis

Sharing