d6dac5c1b09ac4bc7205b9eee3d742744c3925ea7cb40856bdc14c3050cae36b

Analysis

max time kernel
3253540s
max time network
152s
platform
android_x86
resource
android-x86-arm-20231215-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20231215-enlocale:en-usos:android-9-x86system
submitted
30/12/2023, 12:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

190efd49ed74eddb7abd5c974f70271b.apk
Size

12.2MB
MD5

190efd49ed74eddb7abd5c974f70271b
SHA1

59b5f2ad2353ae96e9847c82ce86370ac15127a6
SHA256

d6dac5c1b09ac4bc7205b9eee3d742744c3925ea7cb40856bdc14c3050cae36b
SHA512

7e069d3de6c0447bb1629c2a6d11086e5db6a7dbc641ddbc103fa4687643878adbb6d284189a912e9c3fbeb604c6da0081e457ebb77c079f9c56e68e12f89f1e
SSDEEP

196608:ek/wpLy1sndyFl7v3gs9gatKu0Yq9LA+HHA7L3pDOxq+YDnM76IvdHeIw:eEWn8Fl7Ys9zpqXHHwOE3M2Y2

Score

7^/10

Malware Config

Signatures

Checks Android system properties for emulator presence. 7 IoCs

description	ioc	Process
Accessed system property	key: ro.serialno	com.odbpo.fenggou
Accessed system property	key: ro.bootloader	com.odbpo.fenggou
Accessed system property	key: ro.bootmode	com.odbpo.fenggou
Accessed system property	key: ro.hardware	com.odbpo.fenggou
Accessed system property	key: ro.product.device	com.odbpo.fenggou
Accessed system property	key: ro.product.model	com.odbpo.fenggou
Accessed system property	key: ro.product.name	com.odbpo.fenggou

Checks Qemu related system properties. 7 IoCs

Checks for Android system properties related to Qemu for Emulator detection.

description	ioc	Process
Accessed system property	key: qemu.hw.mainkeys	com.odbpo.fenggou
Accessed system property	key: qemu.sf.fake_camera	com.odbpo.fenggou
Accessed system property	key: ro.kernel.android.qemud	com.odbpo.fenggou
Accessed system property	key: ro.kernel.qemu.gles	com.odbpo.fenggou
Accessed system property	key: ro.kernel.qemu	com.odbpo.fenggou
Accessed system property	key: init.svc.qemud	com.odbpo.fenggou
Accessed system property	key: init.svc.qemu-props	com.odbpo.fenggou

Loads dropped Dex/Jar 5 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/data/com.odbpo.fenggou/.jiagu/classes.dex	4252	com.odbpo.fenggou
/data/data/com.odbpo.fenggou/.jiagu/classes.dex!classes2.dex	4252	com.odbpo.fenggou
/data/data/com.odbpo.fenggou/.jiagu/tmp.dex	4252	com.odbpo.fenggou
/data/data/com.odbpo.fenggou/.jiagu/tmp.dex	4303	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/data/com.odbpo.fenggou/.jiagu/tmp.dex --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/data/com.odbpo.fenggou/.jiagu/oat/x86/tmp.odex --compiler-filter=quicken --class-loader-context=&
/data/data/com.odbpo.fenggou/.jiagu/tmp.dex	4252	com.odbpo.fenggou

Uses Crypto APIs (Might try to encrypt user data) 1 IoCs

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.odbpo.fenggou

com.odbpo.fenggou
1⤵
- Checks Android system properties for emulator presence.
- Checks Qemu related system properties.
- Loads dropped Dex/Jar
- Uses Crypto APIs (Might try to encrypt user data)
PID:4252
- chmod 755 /data/data/com.odbpo.fenggou/.jiagu/libjiagu.so
  2⤵
  PID:4279
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/data/com.odbpo.fenggou/.jiagu/tmp.dex --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/data/com.odbpo.fenggou/.jiagu/oat/x86/tmp.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4303
- /system/bin/sh -c getprop
  2⤵
  PID:4359
- getprop
  2⤵
  PID:4359
- /system/bin/sh -c type su
  2⤵
  PID:4385
- sh -c ps
  2⤵
  PID:4438
- ps
  2⤵
  PID:4438
- ps daemonsu
  2⤵
  PID:4464
- ps | grep su
  2⤵
  PID:4483

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.odbpo.fenggou/.jiagu/classes.dex

Filesize
6.5MB

MD5
1812c1b1c359c95280c8ad2601da0a6d

SHA1
67cf34d22978eff9bf8b4530e2b7337c589e9b04

SHA256
c61d5a612f1e25478a848e03003515607bf43508339488fd958d47ac3f115601

SHA512
6d0f277e5222de0dc429fcc339339f5841e69e12bf701eb0443863413ca82fa3d3a9277bc82bf07cf54a77c48005e025ebe7d2e43c1872f3c8aba439d60f8132

Download Submit
/data/data/com.odbpo.fenggou/.jiagu/classes.dex!classes2.dex

Filesize
4.1MB

MD5
3b33522bd24677794f8ec9aeaeda1b71

SHA1
5b2f1485e9adcf8f398e0654de4b71d3836ebf1e

SHA256
6a35ef1b58608cd665f1fb68754070d91e25a89dcbe310b29a041c85e20c9dcb

SHA512
e129e595222fd17096f36957742d04ddbfbefb742d74a101bfe5e9071842090c4952b060f78c54d5e8d69ec9f33c0a1e2dc3dc42d920d4444967891739a59d64

Download Submit
/data/data/com.odbpo.fenggou/.jiagu/tmp.dex

Filesize
284B

MD5
f1771b68f5f9b168b79ff59ae2daabe4

SHA1
0df6a835559f5c99670214a12700e7d8c28e5a42

SHA256
9f8898ce35a47aeafced99ea0d17c33e73037bb2307c7688e50819966f4ae939

SHA512
dae27d19727b89bec49398503baa6801640540355688dfabbe689c97545295c2c2d9b0f0dcd7cbc4cfbf701d0c0c3289e647a152f49ff242d1ecc741efe4145d

Download Submit
/data/data/com.odbpo.fenggou/app_crashrecord/1004

Filesize
58B

MD5
0d210bfb2a0e1f1b4c082a6a0f79de07

SHA1
bb8ed9e364db79d1d9f2fcde3f15091893222faa

SHA256
988722c23d78a46021d0e7ca9deee7aa8bb83288269174ffacb7316f381cca1d

SHA512
536e9867b0df29b15b789f8949be6ab37fcdeccb9d39ded981da7dc2052c9533d0ec0e6f9a5444132977605d372e1463d91bdde41b528ff2ca3f65ab152325c1

Download Submit
/data/data/com.odbpo.fenggou/databases/bugly_db_

Filesize
4KB

MD5
f2b4b0190b9f384ca885f0c8c9b14700

SHA1
934ff2646757b5b6e7f20f6a0aa76c7f995d9361

SHA256
0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

SHA512
ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

Download Submit
/data/data/com.odbpo.fenggou/databases/bugly_db_-journal

Filesize
512B

MD5
1207804d978d3f4506769e87df7daefd

SHA1
9e03b01e412851f01af0267414faab31c1ceaff4

SHA256
79fa2ba00c55248ea6162990eeb44ed8b2a4bab6af2c3d668592746e5f8ffbf5

SHA512
b0485ae8927a3d9e5786802ac5dec045f31891cb8c490dd20dd21f193b529ec70d17a86453b2f67ab4cf6a7d4cd9cb3a9cd825d5d4527c6107479f988d29c49b

Download Submit
/data/data/com.odbpo.fenggou/databases/bugly_db_-wal

Filesize
16KB

MD5
ac69d2fdd7622930a715e9fd8834898c

SHA1
28f968a530f30ee884fc7b89daa03728d9c27fb7

SHA256
7c567eb0ee549d712aadca7892393514aa35b9f52459f31666213c27b1cb0982

SHA512
794efba87492fc79ff29beff6867e53cac5a952bc81ea7a97f33a690ef5a3386fd818a28b0fec0d30f932bcf9177832580132055e197f5654c8f4efe3fff9fb9

Download Submit
/data/data/com.odbpo.fenggou/files/.jglogs/.jg.ac

Filesize
40B

MD5
e3fcea7f87353c73eb5c7ccb182f8f7c

SHA1
37f66623a8fa411a0a435d378d71f2286f4268d8

SHA256
530d090b48bfb7351c75d2f540e1cefe33bfbfbe9046de63099fe93b4041a546

SHA512
5aa9de22065003a849379b875e43f3ce64f3050fea1a107ac8343c4b13bf7642a595d82ae61931086bafa1b8d35bf33ea520c5f0674bceb196c345340eaab6b6

Download Submit
/data/data/com.odbpo.fenggou/files/.jglogs/.jg.di

Filesize
340B

MD5
b507c24f4c34766ff0600a75620854ea

SHA1
75d79b39d174f043d31d523be4a3fd1982a9f1e9

SHA256
1b2dea6ed79a5396f8e0a15a17d5d5dd5222b6d89f905ab56bb36609f9323d3c

SHA512
e264161673a13e40fae4da77206e2ac39a2d09377f614174c575dc27ec0b9d9a530a18da29549026cb163073847f2456cd22825aa4a5479be6aab73f38156132

Download Submit