5d64db95fb49c796352be760033a2b81848843ba91938db4f4314ec6f814d80f

Analysis

max time kernel
3826634s
max time network
152s
platform
android_x86
resource
android-x86-arm-20231215-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20231215-enlocale:en-usos:android-9-x86system
submitted
07/01/2024, 12:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

490ae168025ca96fe9cf19a67eaaf95b.apk
Size

21.8MB
MD5

490ae168025ca96fe9cf19a67eaaf95b
SHA1

eb5290260c241279f980d3882bc1ad36309875f0
SHA256

5d64db95fb49c796352be760033a2b81848843ba91938db4f4314ec6f814d80f
SHA512

c95211a74d19494271bf3e8df37d99c059d37efae679ba79d498eb82586e9de60987218388b3129e4f560668751378508501db9b489315f79683fb54c7aab210
SSDEEP

393216:MijekcF/RKDP/nqecWcyTF+z+SFLrtWm7Kv07AV4QkxFtRS:MijekkZ8P/lcuw9Wae0g41rt4

Score

7^/10

Malware Config

Signatures

Checks Android system properties for emulator presence. 7 IoCs

description	ioc	Process
Accessed system property	key: ro.bootloader	com.kuxiang.shuiliangdong
Accessed system property	key: ro.bootmode	com.kuxiang.shuiliangdong
Accessed system property	key: ro.hardware	com.kuxiang.shuiliangdong
Accessed system property	key: ro.product.device	com.kuxiang.shuiliangdong
Accessed system property	key: ro.product.model	com.kuxiang.shuiliangdong
Accessed system property	key: ro.product.name	com.kuxiang.shuiliangdong
Accessed system property	key: ro.serialno	com.kuxiang.shuiliangdong

Checks Qemu related system properties. 7 IoCs

Checks for Android system properties related to Qemu for Emulator detection.

description	ioc	Process
Accessed system property	key: init.svc.qemud	com.kuxiang.shuiliangdong
Accessed system property	key: init.svc.qemu-props	com.kuxiang.shuiliangdong
Accessed system property	key: qemu.hw.mainkeys	com.kuxiang.shuiliangdong
Accessed system property	key: qemu.sf.fake_camera	com.kuxiang.shuiliangdong
Accessed system property	key: ro.kernel.android.qemud	com.kuxiang.shuiliangdong
Accessed system property	key: ro.kernel.qemu.gles	com.kuxiang.shuiliangdong
Accessed system property	key: ro.kernel.qemu	com.kuxiang.shuiliangdong

Loads dropped Dex/Jar 6 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/data/com.kuxiang.shuiliangdong/.jiagu/classes.dex	4269	com.kuxiang.shuiliangdong
/data/data/com.kuxiang.shuiliangdong/.jiagu/classes.dex!classes2.dex	4269	com.kuxiang.shuiliangdong
/data/data/com.kuxiang.shuiliangdong/.jiagu/classes.dex!classes3.dex	4269	com.kuxiang.shuiliangdong
/data/data/com.kuxiang.shuiliangdong/.jiagu/tmp.dex	4269	com.kuxiang.shuiliangdong
/data/data/com.kuxiang.shuiliangdong/.jiagu/tmp.dex	4326	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/data/com.kuxiang.shuiliangdong/.jiagu/tmp.dex --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/data/com.kuxiang.shuiliangdong/.jiagu/oat/x86/tmp.odex --compiler-filter=quicken --class-loader-context=&
/data/data/com.kuxiang.shuiliangdong/.jiagu/tmp.dex	4269	com.kuxiang.shuiliangdong

Uses Crypto APIs (Might try to encrypt user data) 1 IoCs

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.kuxiang.shuiliangdong

com.kuxiang.shuiliangdong
1⤵
- Checks Android system properties for emulator presence.
- Checks Qemu related system properties.
- Loads dropped Dex/Jar
- Uses Crypto APIs (Might try to encrypt user data)
PID:4269
- chmod 755 /data/data/com.kuxiang.shuiliangdong/.jiagu/libjiagu.so
  2⤵
  PID:4294
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/data/com.kuxiang.shuiliangdong/.jiagu/tmp.dex --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/data/com.kuxiang.shuiliangdong/.jiagu/oat/x86/tmp.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4326
- /system/bin/dex2oat --instruction-set=x86 --dex-file=/data/data/com.kuxiang.shuiliangdong/.jiagu/classes.dex --dex-file=/data/data/com.kuxiang.shuiliangdong/.jiagu/classes.dex!classes2.dex --dex-file=/data/data/com.kuxiang.shuiliangdong/.jiagu/classes.dex!classes3.dex --oat-file=/data/data/com.kuxiang.shuiliangdong/.jiagu/oat/x86/classes.odex --inline-max-code-units=0 --compiler-filter=speed
  2⤵
  PID:4375
- sh -c ps
  2⤵
  PID:4398
- ps
  2⤵
  PID:4398
- ps daemonsu
  2⤵
  PID:4425
- ps | grep su
  2⤵
  PID:4444

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.kuxiang.shuiliangdong/.jiagu/.jgck

Filesize
4B

MD5
17833529d383cac554babbe3c0e69997

SHA1
8ca78baa6fee2fd94dda59289a66fe5ff5a2be47

SHA256
13337a9bd7e7087df133a7e19894dd9541724a0103eb9d847c1727bdb0837bcb

SHA512
125c3b70d356bd144bcbbe5400b6ce28700934f2bf5a17fdbe610c26f2f15f6d104e9db35bf360e800d110f9a411e79f11aed88f6c8de3bef84b7aa0e8c8b44d

Download Submit
/data/data/com.kuxiang.shuiliangdong/.jiagu/classes.dex

Filesize
5.8MB

MD5
bd3bda62814d0fd70fb80bc77a161061

SHA1
7f3e6fa929c31a9e90a1ad09e88f989d1d1eff5b

SHA256
9dd9cb32370081111a1fe2ba904b7d037df55a61cf5cdf9564eba6077581963e

SHA512
77f586f52f306e447ae08c267bd4fe2926adb51e53668edabe8a37b7d7162e29cfb318652cb12d7a28156d4baf24269201afcc5839874a48150dd84ceacf9b5d

Download Submit
/data/data/com.kuxiang.shuiliangdong/.jiagu/classes.dex!classes2.dex

Filesize
6.6MB

MD5
ce819e6e367f7451d3350bea6aad3fe7

SHA1
e268a4781dbe5e8a753abaa9cb4cfbc7af8012b9

SHA256
c51d905041836cf838dd88d67ea19b6e3a5878acc5a6101708a71331d05dd272

SHA512
f8994bf5bda2ec7ed305e8d7d24ec2a01df13d0432529fa7f4712be86cba6169273cee1551782895852a895872175876bb3abdcb0ca541a450e346aa9b6816aa

Download Submit
/data/data/com.kuxiang.shuiliangdong/.jiagu/classes.dex!classes3.dex

Filesize
1.3MB

MD5
c3aca1ed5915a3093e13b6978e7a1689

SHA1
ae2b7a3dc44836087e86ed6622fabf92a7398ec0

SHA256
fd61ea2aad836578a4f129619ff7751bb799dea4eb55b68effba841620a17d79

SHA512
d8bbba5a06c94f9a195239728f2d44c4a3b7403964c6fdec7071f23e4d6e1a6eccce85158aed931ff9b0cfd664e9a0d574ef165ab2c3ebb069d95af1ebad2ecf

Download Submit
/data/data/com.kuxiang.shuiliangdong/.jiagu/libjiagu.so

Filesize
455KB

MD5
e5a53000766ebc433b27d6a66ec4f555

SHA1
2c8f53f1c03aec2005bcad67d731f07261dabde0

SHA256
78e4ea857f10c2df6c7b94f0584524b52ecc099ed29478fe3964037b8a86ed2e

SHA512
370a1cb93b14556ad861724f4e9995c9a4c6d37cf2d570f888d1c6000c66d27ac63496b0703361e9fc9bc7f309b7aa4407c5f339d186b0a5b72520d23d04b68d

Download Submit
/data/data/com.kuxiang.shuiliangdong/.jiagu/tmp.dex

Filesize
284B

MD5
f1771b68f5f9b168b79ff59ae2daabe4

SHA1
0df6a835559f5c99670214a12700e7d8c28e5a42

SHA256
9f8898ce35a47aeafced99ea0d17c33e73037bb2307c7688e50819966f4ae939

SHA512
dae27d19727b89bec49398503baa6801640540355688dfabbe689c97545295c2c2d9b0f0dcd7cbc4cfbf701d0c0c3289e647a152f49ff242d1ecc741efe4145d

Download Submit
/data/data/com.kuxiang.shuiliangdong/files/.jglogs/.jg.ac

Filesize
40B

MD5
da35077e21a9d7fc58d2a8f82e3e1c1b

SHA1
45856094510c11b72099c26717848cc65c536bd9

SHA256
77f6ebb620a870dbd5aa0bdb39f35a8afab4988bc528f81c1ef22e922fdee860

SHA512
3718f9eb1bc0ccabd72b92aab80ce28a5225c06424e67904a1676a503d86af226c776b12a2f05641e22b8f6ecd0904917912f8d6ee29e01ef1a63eab147c93ac

Download Submit
/data/data/com.kuxiang.shuiliangdong/files/.jglogs/.jg.di

Filesize
340B

MD5
b2a9a3262e1f39a860ac2233688edccc

SHA1
4327a6318eece11327048aeb27a8986fd63f61cd

SHA256
b3b63a369bcd633d9f5177b433401163bab69a18adb39d7a62b6bc48440caabc

SHA512
748c54c2c39f0035769e47406a03fbe97b68b7ee3012202488a6dcf7a0ff8b5eae49af93fc5a197544a3d0b6afcb03a2eb35fcdbd12e3f92aabdab172133c12b

Download Submit
/data/data/com.kuxiang.shuiliangdong/files/.jiagu.lock

Filesize
27B

MD5
c6f6dc59213e76a7f61c627675afe96c

SHA1
82f53b447fcc8c14928769e5b9f414ec7f7ca6d1

SHA256
9845e41789916323f7e4b60663035176ffdb3157dd840fd3c392992941c1bee5

SHA512
dd37edf3fd2a662be224da4bfa1db4d9e0b9f8e39b445f265bbac0a41e92dc61d55109735ac7665810ce7868d8dc9e6668baa9494f261a5fb805299dd287ac45

Download Submit