Analysis

  • max time kernel
    2626881s
  • max time network
    162s
  • platform
    android_x64
  • resource
    android-x64-20231215-en
  • resource tags

    android, arch:x64, arch:x86, image:android-x64-20231215-en, locale:en-us, os:android-10-x64, system
  • submitted
    23-12-2023 16:09

General

  • Target

    462604d1a1758a31fca11665d4e5570305400bef432e01516c47ced8753c8c9e.apk

  • Size

    28.3MB

  • MD5

    2baae2962e8283316df6c96099bb2595

  • SHA1

    527273e8a9ec58ed4f16e86a0af6ae7c08e3a190

  • SHA256

    462604d1a1758a31fca11665d4e5570305400bef432e01516c47ced8753c8c9e

  • SHA512

    6dc35793ff29e6dda27424966292f01a1aed845de3132d20362a4b15085c795d041a05961b8fa9a5d94aa4cbce3e050efe86cb9cdd42ae3ec2a9066978697752

  • SSDEEP

    786432:+8i3tXCM4BwIzD4usIBDl+PTTUcfIp5TPRSWAwp35Gr:ri3tXCMMw44u9BD0TdfaRRgwp54

Score
8/10

Malware Config

Signatures

  • Requests cell location 1 IoCs

    Uses Android APIs to get the current cell location.

  • Loads dropped Dex/Jar 23 IoCs

    Loads and runs a DEX/JAR file that was dropped onto the device during analysis.

  • Unexpected DNS network traffic destination 2 IoCs

    Traffic on the DNS port to servers other than the configured DNS servers was detected.

  • Reads information about the phone's network operator.
  • Checks the presence of a debugger
  • Listens for changes in the sensor environment (might be used to detect emulation) 1 IoCs
  • Uses Crypto APIs (Might try to encrypt user data) 2 IoCs
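The "Unexpected DNS network traffic destination" signature above is a check you can reproduce on your own capture of the sample. The following is an added example, not part of the sandbox report or its product: it takes flow records (the tuple layout, the sample flows and the configured resolver 10.0.2.3 are all constructed assumptions here) and reports every non-configured server that received port-53 traffic. It goes one step beyond the signature by parsing the DNS question section so you also see which names were asked of the unexpected server.

```python
import ipaddress
import struct
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Tuple

DNS_PORT = 53

# Flow record layout assumed by this example: (proto, src_ip, src_port, dst_ip, dst_port, payload)
Flow = Tuple[str, str, int, str, int, bytes]


def build_query(name: str, txid: int) -> bytes:
    """Build a standard DNS A query; used here only to construct sample traffic."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD set, one question
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in name.split("."))
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_query_name(payload: bytes) -> Optional[str]:
    """Return the QNAME of the first question in a DNS query, or None if it is not a parsable query."""
    if len(payload) < 12:
        return None
    _txid, flags, qdcount = struct.unpack_from(">HHH", payload, 0)
    if flags & 0x8000 or qdcount < 1:      # QR bit set means a response, not a query
        return None
    labels: List[str] = []
    pos = 12
    while True:
        if pos >= len(payload):
            return None
        length = payload[pos]
        if length == 0:
            break
        if length & 0xC0:                  # compression pointer: not valid in a query's question
            return None
        pos += 1
        label = payload[pos:pos + length]
        if len(label) != length:
            return None
        labels.append(label.decode("ascii", errors="replace"))
        pos += length
    return ".".join(labels) if labels else "."


def unexpected_dns_destinations(flows: Iterable[Flow],
                                configured_resolvers: Iterable[str]) -> Dict[str, List[str]]:
    """Map each non-configured server that received DNS-port traffic to the names queried from it."""
    resolvers = {ipaddress.ip_address(r) for r in configured_resolvers}
    hits: Dict[str, set] = defaultdict(set)
    for proto, _src, _sport, dst, dport, payload in flows:
        proto = proto.lower()
        if proto not in ("udp", "tcp") or dport != DNS_PORT:
            continue
        dst_ip = ipaddress.ip_address(dst)
        if dst_ip in resolvers:
            continue
        if proto == "tcp":
            payload = payload[2:]          # DNS over TCP carries a 2-byte length prefix
        name = parse_query_name(payload)
        hits[str(dst_ip)].add(name or "<unparsable>")
    return {dst: sorted(names) for dst, names in sorted(hits.items())}


# Constructed sample data: 10.0.2.3 is assumed to be the sandbox VM's configured resolver,
# the other addresses are documentation (TEST-NET) ranges.
CONFIGURED_RESOLVERS = ["10.0.2.3"]

SAMPLE_FLOWS: List[Flow] = [
    ("udp", "10.0.2.15", 41235, "10.0.2.3", 53, build_query("example.com", 0x1001)),
    ("udp", "10.0.2.15", 41236, "192.0.2.53", 53, build_query("api.example.net", 0x1002)),
    ("udp", "10.0.2.15", 41237, "192.0.2.53", 53, build_query("cdn.example.org", 0x1003)),
    ("tcp", "10.0.2.15", 50000, "203.0.113.7", 443, b"\x16\x03\x01\x00\x00"),
    ("udp", "10.0.2.15", 41238, "198.51.100.53", 53, build_query("example.com", 0x1004)),
]

if __name__ == "__main__":
    for dst, names in unexpected_dns_destinations(SAMPLE_FLOWS, CONFIGURED_RESOLVERS).items():
        print(dst, names)
```

To apply this to a real capture, feed it the UDP/TCP flows extracted from the sandbox pcap and the resolver addresses the analysis VM was actually configured with; a hit for a public resolver typically means a hard-coded DNS server in the app or one of its SDKs, while a hit for an unrelated host on port 53 is worth a closer look at the payload.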

Processes

  • com.example.cifnews (PID 4996)
    • Requests cell location
    • Loads dropped Dex/Jar
    • Listens for changes in the sensor environment (might be used to detect emulation)
    • Uses Crypto APIs (Might try to encrypt user data)
  • com.example.cifnews:ipc (PID 5193)
    • Loads dropped Dex/Jar
  • com.example.cifnews:pushcore (PID 5277)
    • Loads dropped Dex/Jar
  • io.rong.push (PID 5346)
    • Loads dropped Dex/Jar
  • com.example.cifnews:pushcore (PID 5491)
    • Loads dropped Dex/Jar
    • Uses Crypto APIs (Might try to encrypt user data)
  • com.example.cifnews:ipc (PID 5775)
    • Loads dropped Dex/Jar

Network

MITRE ATT&CK Matrix


Downloads

  • /data/data/com.example.cifnews/.jiagu/classes.dex

    Filesize

    6.0MB

    MD5

    b53495dbc3cde4d092774acaf5864efa

    SHA1

    f22bd8fa0a5b7f07f683d69e66d2c08bacdba33f

    SHA256

    149313e1fdb0022a0946d3e3d1d67a8574ef27c37bc22f724775c06d66e50466

    SHA512

    75d8025dfce9cb70feb9df5d54b7116794461ecde230da3bad501cc8356b5a0ed7c6eab6e31b689d1f48201b1416a01bebd8880ac73afe144740fecc86d48395

  • /data/data/com.example.cifnews/.jiagu/classes.dex!classes2.dex

    Filesize

    3.2MB

    MD5

    6c40a5f27f246a3aba2d1f3b9a92cce3

    SHA1

    e5563c09405ca9f20b0f639f1de8da6c49a0e3ea

    SHA256

    64b023d0dabb7cfe85d62e9b324fb86ebe9a96854558c06e3bbd7567d5ff1648

    SHA512

    d0290d0d9656831679a28aacd3659c1a94d259c7a1c33f81a105b5ddfd8d16e6af8ce763318394a4309882e14fbec7d89222370ee31ce8f35f3d769780a57d89

  • /data/data/com.example.cifnews/.jiagu/classes.dex!classes3.dex

    Filesize

    6.4MB

    MD5

    999fedd3f38b4d0a11b38784e0754375

    SHA1

    599dc7500b9b041021eb8b6c85efda7efdf9b303

    SHA256

    3ad425e4632c4776e32d0b9f25f14f8b3f2947c62e071f8ceab7fdecd08a79d9

    SHA512

    c73b4bc56b27cf414bd197404c0d6e3fb6600cd63463c4f1da6aaa4b44b8ea0abf901a0fdd6f280a0f9f5a37b5d578c27622c61727265ff0f2c9ea804de59f0f

  • /data/data/com.example.cifnews/.jiagu/classes.dex!classes4.dex

    Filesize

    3.4MB

    MD5

    1b50fb48fadaced2b17d9d16f068c827

    SHA1

    e469d5dff751986a2207a9af0bc154b7c1ab67a9

    SHA256

    73dd746fb78b169e2b40327719bb63bb58778893bd20108a977933c111fb42aa

    SHA512

    f19cc3e4dfa6340c0a9238c1f60e935dc93d5e1d7de7592ac09cb9f6d3e1beef71d80d8df84fceacf02f072e37d8560576437ec5f90cd7aa2503aac447f35b48

  • /data/data/com.example.cifnews/app_lib/libRongIMLib.so

    Filesize

    719KB

    MD5

    6cae37fa6f54468133caae7193c8040b

    SHA1

    32ed206789906fd3806cf71464e1de71208ef844

    SHA256

    4904c044f2a1f42e5773163c4e32195dcc4372de82a35fa02e734f5dbf2ab8c2

    SHA512

    ab8c1bb77e6f9e2ddfbaef903af2b241e3e70185c6603dd62e450a7cb4b217d4ccf4aa23b1cd15a6b1789813296849bd33e0f1c57e345ef0925964ab891c04f9

  • /data/data/com.example.cifnews/cache/image/journal.tmp

    Filesize

    31B

    MD5

    8c92de9ce46d41a22f3b20f77404cc1d

    SHA1

    8671a6dca00edb72be47363a7071be65cf270373

    SHA256

    68bb33ddeed9200be85a71f70b377985f9ee68e91578afbde8321463396f1274

    SHA512

    30f45fe9954215d6adafcc8f0a060a7ff41963a64f9b849a37f0d18fe045038d429ec13bf15226769c4ba78dad3c52f3d9e0dbbb4fcdea4828a1efe956e48f56

  • /data/data/com.example.cifnews/databases/sensorsdata

    Filesize

    8KB

    MD5

    2d2f4f95643619f050430290f480cc17

    SHA1

    10309263660ca83d91ba9191c373e971b8bf57d0

    SHA256

    c7266a2946dc5d8a515cad4dc1134fd301601d8145d635b0db367466e9702243

    SHA512

    0af5f05990ac5d82b6cf23e6fa28cf20c261f4e0cf08defdd83e88ee84b190507425dab63cf1095642ef9dd93c8649fccadf87b5f2bec3eab2de14690ab62ada

  • /data/data/com.example.cifnews/databases/sensorsdata-journal

    Filesize

    512B

    MD5

    3c7c5b9c5c1d5eecee3038ed852b6b30

    SHA1

    874ffee51065e56230bb5559397940254d795521

    SHA256

    e7f850040158de99c0932e2fd61476fefbf85050b39c21d42c3a2b9f83122fd4

    SHA512

    9020d8c30a71ff03daf251da698f7ef431405ca5b2222b39737978c2c90d3770253d6e4f7e46f9369e3d922d0ec087dc13da7f853a3c9cf139d8a861a23b9f30

  • /data/data/com.example.cifnews/databases/ss_app_log.db

    Filesize

    307B

    MD5

    bb17dbee9bc16a1c98cab1b1d8c6d636

    SHA1

    07f2dd8d644e1edf1b307540648c70be7ae3ea4d

    SHA256

    7feebefd3d6cbe9e1dbf7cb85d6a13dfa846b36f296aad6c6a039dc98438bf7e

    SHA512

    8a88bc835ed0d9f2d821eb0e67ab54644652ff24a3fe1c6dfc48046053a125596cf4783febd736bd2627b395fb655d84da04cf3ad7eb85126d5578fe2fc300f1

  • /data/data/com.example.cifnews/databases/ss_app_log.db-journal

    Filesize

    32B

    MD5

    1108cb8505b46650ff7b7357c99794b0

    SHA1

    f07c16fb7ea638e3ad85f140731a97b3f5a2b046

    SHA256

    573464d6f58e895560d7870f2be3b2ebdd910e8bc7443115a118f4f56c04a29f

    SHA512

    73e910d865b89fe50329ccc36032f46c3eb263ed62bafb3742d9422bdc856c217a2177bd7617f09e601346870fb7c320778da5901d6b7b85167e82ea5adb3278

  • /data/data/com.example.cifnews/databases/ss_app_log.db-journal

    Filesize

    32B

    MD5

    e6f9328b7f7639225a4ff0f6df4639e2

    SHA1

    eb68927fbdb5312e670b16b5eb5dddaed6685699

    SHA256

    fa857695b1c58670534503073aa5a659e5dd50507a2bb210728f8eebd764e49b

    SHA512

    8cb4849a9ec68543d2930879a46a8dfa54ad324d51e370d39960c7163ede8ac382b801effdd875da4d57c5a978b0b6cd1d6f2eb179c4f99c9043935dc71ef0f8

  • /data/data/com.example.cifnews/databases/ss_app_log.db-journal

    Filesize

    4KB

    MD5

    9203af6336c714da3787c0df076bfa48

    SHA1

    da283505873b68262a8deea8bf723cee98f2077b

    SHA256

    c6175a84f713f738e67a7c8cb80cf1c1db8a3e38e6360f4f4b50b23553cae709

    SHA512

    359d8bc65dd607905e97d96c997039b0f40a3777b88d4a98b862de72580cda27e55015bff5cf8737b78c34e75d12e69f2311037405d6936e80b8ab4e4ddaea1c

  • /data/data/com.example.cifnews/databases/ss_app_log.db-journal

    Filesize

    12KB

    MD5

    aceb613d15a509d6a8c493715ab58128

    SHA1

    7dc04c590e44c34d3577b115fba629be28f9d04a

    SHA256

    d30b6353bad39820e6c5867896c78951bdb131e7932904764c027dea1083145f

    SHA512

    b5aae510ef6a4d803adf2f8bc676fed9d0b543e4fc7fb4335a30425e307134b2fbeb36d66e06e4961abde5a14cbfd463bb103c4bf187a16eb18de508806d9431

  • /data/data/com.example.cifnews/databases/ss_app_log.db-journal

    Filesize

    12KB

    MD5

    8b0ad9fe164d4400b91995ebe005f159

    SHA1

    723e5241acd731a2a4beb067e2c0b894828faeb7

    SHA256

    e7ded7338870113f3bea69b2a4776ec01c0b7bad099aa0d15435509db1800f14

    SHA512

    f76beb6042f71c5f9c523875c33034cc8a4782712853dc681933ddc700cd06b99b7da3d915625bd11038c10d92dd9b1fa023e00b957aa3e0c477646b60f3ce1c

  • /data/data/com.example.cifnews/files/.jglogs/.jg.ac

    Filesize

    40B

    MD5

    df9cee7d877df73f9d020da856535364

    SHA1

    4175193e215288144c1048be3e6e28ee0417e7e6

    SHA256

    2cf74d5ce0c228831e3f4fe17446cc77bc43bb15f16e4bcc4df75cadfae91d94

    SHA512

    43e13a74e1d137bf27beeafd9432ed15a7cedf2278a8b4ee6294800f6282a7186f87383141fa04a22307ab248d0099acd3441836ec3afb7a1c0c899a8c9c3a85

  • /data/data/com.example.cifnews/files/jpush_uncaughtexception_file

    Filesize

    8KB

    MD5

    584ab6495fe0874fa33ce451de678e51

    SHA1

    e35d0ccf981c07e2a3c4eb3c070d35fb852180a9

    SHA256

    cc63b5da7bea4d178810bc92022e850dae205c043c03a96f8088b1e9e35c05ca

    SHA512

    a3335c044a33ca44199df94f13da6933e306c0affddce2bc3892f7f8968fd11301c469a2a0be19ede0bcc56df360e69f5ac7c2b971b3b228e9ca17fddea59730

  • /storage/emulated/0/Android/data/com.example.cifnews/files/tbslog/tbslog.txt

    Filesize

    491KB

    MD5

    42f23f69d9fb1028c9f50c09734e2ba7

    SHA1

    4eda99025e0fbcc563d7b4dbb30def9b69f3d12a

    SHA256

    3852e2bd8d2a8f8fe6168792fb7a385d5c4d8281a09c2880a9ebbaf8d5faa7d1

    SHA512

    9101e26a56bcc29f948be41fab1f05d442f3b52b8380a86f275f7a02fe35c1e08d510ec32d29827e5bffc69947aa19ff80fc5dacbdb3966d2004ce83be564642

  • /storage/emulated/0/Android/data/com.example.cifnews/files/tbslog/tbslog.txt

    Filesize

    491KB

    MD5

    e77a4812888a47327579639aef1b742e

    SHA1

    5411f639d7fa941fdebbcd112157e23d1b8a7103

    SHA256

    a8f3fca7fc7d5994d058b87c9c46643d5bac94e8ca567fff3f95d1e4a96c5c5d

    SHA512

    7b30026fd461fb142ef55f7b3f92147415dc8142fe354ab5824bdcc4201fe41f2463da5a3539322aff57a782b79130abaa10745138d9d6b58b0d48bac3f25abc

  • /storage/emulated/0/Android/data/com.example.cifnews/files/tbslog/tbslog.txt

    Filesize

    491KB

    MD5

    1f2a1d09ec2e6faa5dee22d19677f373

    SHA1

    3078bbc4b1f7a1269240b8eed7a3e3e0cc595d84

    SHA256

    06db05639a2fee7d4dbc2dd81caaf3d17b8af8c63d424597f4f6b91e36ee89a5

    SHA512

    9f846722c57711435003627dbff57bf34dfb1d66896b876fe6355d3b16b1536ed362c3d3e4ca246fc9b6d836c39d480c100723e3e7006f18aa278dd15b9e17b0
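The `.jiagu/classes.dex` entries above are the files behind the "Loads dropped Dex/Jar" signature: `.jiagu` is a directory name commonly associated with the 360 Jiagu packer, which writes the unpacked DEX there at runtime. Before trusting a copy pulled from the device (or the hashes of one), check that it is a complete, self-consistent DEX: the header carries an Adler-32 checksum and a SHA-1 signature over the rest of the file, so a truncated or patched dump fails these checks. The following is an added example, not code from the sandbox or the app; `build_minimal_dex` constructs a header-only sample so the check runs offline, and the hash fields it reports are the same MD5/SHA1/SHA256 the report lists per file.

```python
import hashlib
import struct
import zlib
from dataclasses import dataclass
from typing import Dict

DEX_HEADER_SIZE = 0x70                      # fixed header size for every DEX version
DEX_VERSIONS = {b"035", b"037", b"038", b"039"}
ENDIAN_CONSTANT = 0x12345678


@dataclass
class DexCheck:
    version: str
    magic_ok: bool
    endian_ok: bool
    header_size_ok: bool
    file_size_ok: bool
    checksum_ok: bool
    signature_ok: bool
    hashes: Dict[str, str]

    @property
    def valid(self) -> bool:
        return all((self.magic_ok, self.endian_ok, self.header_size_ok,
                    self.file_size_ok, self.checksum_ok, self.signature_ok))


def check_dex(data: bytes) -> DexCheck:
    """Validate the DEX header fields and both integrity values of a dumped file."""
    if len(data) < DEX_HEADER_SIZE:
        raise ValueError(f"file is shorter than a DEX header ({DEX_HEADER_SIZE} bytes)")
    magic = data[0:8]                                        # "dex\n" + 3-digit version + NUL
    (checksum,) = struct.unpack_from("<I", data, 8)
    signature = data[12:32]
    file_size, header_size, endian_tag = struct.unpack_from("<III", data, 32)
    return DexCheck(
        version=magic[4:7].decode("ascii", errors="replace"),
        magic_ok=magic[:4] == b"dex\n" and magic[4:7] in DEX_VERSIONS and magic[7] == 0,
        endian_ok=endian_tag == ENDIAN_CONSTANT,
        header_size_ok=header_size == DEX_HEADER_SIZE,
        file_size_ok=file_size == len(data),                 # catches truncated dumps
        # Adler-32 covers everything after the checksum field itself
        checksum_ok=(zlib.adler32(data[12:]) & 0xFFFFFFFF) == checksum,
        # SHA-1 covers everything after the signature field
        signature_ok=hashlib.sha1(data[32:]).digest() == signature,
        hashes={alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")},
    )


def build_minimal_dex(version: bytes = b"035") -> bytes:
    """Construct a header-only DEX with a correct checksum and signature (sample input for this example)."""
    buf = bytearray(DEX_HEADER_SIZE)
    buf[0:8] = b"dex\n" + version + b"\x00"
    struct.pack_into("<III", buf, 32, DEX_HEADER_SIZE, DEX_HEADER_SIZE, ENDIAN_CONSTANT)
    buf[12:32] = hashlib.sha1(bytes(buf[32:])).digest()      # signature first: checksum covers it
    struct.pack_into("<I", buf, 8, zlib.adler32(bytes(buf[12:])) & 0xFFFFFFFF)
    return bytes(buf)


if __name__ == "__main__":
    import sys
    # Pass the path of a DEX pulled from the device; without an argument the constructed sample is checked.
    target = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_minimal_dex()
    print(check_dex(target))
```

A dump whose `file_size_ok` is false but whose magic is intact was usually cut short when it was read out of memory; one whose checksum and signature both fail while the sizes agree has been modified after the packer produced it (or was never a real DEX), and its hashes should not be compared against the ones in the report as if they were the same artifact.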