934145fa41c3cce105c994c9fe5129b9976c8d929107a53775b977df6c25d768

Analysis

max time kernel
147s
max time network
155s
platform
android_x86
resource
android-x86-arm-20240221-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20240221-enlocale:en-usos:android-9-x86system
submitted
19-04-2024 14:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fa84ca282f3b047f13106e006ae930ba_JaffaCakes118.apk
Size

25.7MB
MD5

fa84ca282f3b047f13106e006ae930ba
SHA1

9d84c549de34ac38c85b8a793f24faa88fa0aee1
SHA256

934145fa41c3cce105c994c9fe5129b9976c8d929107a53775b977df6c25d768
SHA512

ca490a8b278a939aa09e3f66f56412fcfb8672b86c0a8fde58d2133e797e7bb21dd99aebbb35ba395c07bbce29b63bbe6e91e58d09fdfbec52f357b649bd8bf4
SSDEEP

786432:eme8i7o6+8Qe+Xjwi9D9nyEHgFIQS1d78:6JouQe6wi9D9yEgIQsd78

Score

8^/10

banker discovery evasion

Malware Config

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001

Loads dropped Dex/Jar 1 TTPs 11 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/data/com.crgk.eduol/.jiagu/classes.dex	4269	com.crgk.eduol
/data/data/com.crgk.eduol/.jiagu/classes.dex!classes2.dex	4269	com.crgk.eduol
/data/data/com.crgk.eduol/.jiagu/classes.dex!classes3.dex	4269	com.crgk.eduol
/data/data/com.crgk.eduol/.jiagu/tmp.dex	4269	com.crgk.eduol
/data/data/com.crgk.eduol/.jiagu/tmp.dex	4302	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/data/com.crgk.eduol/.jiagu/tmp.dex --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/data/com.crgk.eduol/.jiagu/oat/x86/tmp.odex --compiler-filter=quicken --class-loader-context=&
/data/data/com.crgk.eduol/.jiagu/tmp.dex	4269	com.crgk.eduol
/data/data/com.crgk.eduol/.jiagu/classes.dex	4341	com.crgk.eduol:pushcore
/data/data/com.crgk.eduol/.jiagu/classes.dex!classes2.dex	4341	com.crgk.eduol:pushcore
/data/data/com.crgk.eduol/.jiagu/classes.dex!classes3.dex	4341	com.crgk.eduol:pushcore
/data/data/com.crgk.eduol/.jiagu/tmp.dex	4341	com.crgk.eduol:pushcore
/data/data/com.crgk.eduol/.jiagu/tmp.dex	4341	com.crgk.eduol:pushcore

Queries information about running processes on the device. 1 TTPs 2 IoCs

Application may abuse the framework's APIs to collect information about running processes on the device.

discovery

Process Discovery

T1424

description	ioc	Process
Framework service call	android.app.IActivityManager.getRunningAppProcesses	com.crgk.eduol
Framework service call	android.app.IActivityManager.getRunningAppProcesses	com.crgk.eduol:pushcore

Queries information about the current Wi-Fi connection. 1 TTPs 1 IoCs

Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

discovery

System Network Connections Discovery

T1421

description	ioc	Process
Framework service call	android.net.wifi.IWifiManager.getConnectionInfo	com.crgk.eduol

Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422

Uses Crypto APIs (Might try to encrypt user data) 1 IoCs

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.crgk.eduol:pushcore

com.crgk.eduol
1⤵
- Loads dropped Dex/Jar
- Queries information about running processes on the device.
- Queries information about the current Wi-Fi connection.
PID:4269
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/data/com.crgk.eduol/.jiagu/tmp.dex --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/data/com.crgk.eduol/.jiagu/oat/x86/tmp.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4302
- getprop ro.product.cpu.abi
  2⤵
  PID:4373

com.crgk.eduol:pushcore
1⤵
- Loads dropped Dex/Jar
- Queries information about running processes on the device.
- Uses Crypto APIs (Might try to encrypt user data)
PID:4341

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Credential Access

Discovery

Process Discovery

T1424

Software Discovery

T1418

Security Software Discovery

T1418.001

System Network Configuration Discovery

T1422

System Network Connections Discovery

T1421

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.crgk.eduol/.jiagu/classes.dex

Filesize
5.9MB

MD5
5aa89c7f5270b9b1d89c09f2b4e11cbd

SHA1
6cc4c0bad966958b1708b6e1ae940fb07d651918

SHA256
a020375ca91d98087a58448ad6ac60ec889fab36a4a343e184cca3a1ded535cc

SHA512
edacc6bf32e441c49487bb32fd89908171f08a4bf4d693bde3bbd391e871e81b8dec50cf312b503f1b4c78a04f40fbe9ffd084d1b65722cea33c8b1bdc2e6595

Download Submit
/data/data/com.crgk.eduol/.jiagu/classes.dex!classes2.dex

Filesize
6.0MB

MD5
fdaf8dda238c700ff707fca71884cc78

SHA1
1fb362a7f9f1a75756073866e366b2ef65b60275

SHA256
b94b873e76d1724a97242815ae0a6c29ad9aac6cda9879db1b83f528b79e1225

SHA512
763d72ad552bb39972e50325bc525c21251317eefd14a8e3825c2852474609f53e8fc141e7b2d4fc9017f05a4734a25da158ff280ff8e4d8bd95f28ec13058b4

Download Submit
/data/data/com.crgk.eduol/.jiagu/classes.dex!classes3.dex

Filesize
1.3MB

MD5
5c5884e375ecd0cd6cdbadfab91ebe5a

SHA1
e2ad95d4bcddb240853c3de906c7093fa8384cce

SHA256
a308eb4b1a4c7bb73ba8fb7f4694f33f89bccad53a383ecc8deae27169c2fb48

SHA512
880c1d602e3f08516a28e4f86aa09f6f97ad8aae491cd23332b24fe456da8b7a04b7f1baf491a049a00cc125adff1e06c66d8ae75187c68109841d582e7f8eff

Download Submit
/data/data/com.crgk.eduol/.jiagu/libjiagu.so

Filesize
480KB

MD5
6e8ea47d2d8500b7fb8855394fdf0526

SHA1
d3c719bda605cd787c4acf30507edb76b7fb6070

SHA256
cc3b55086867ed7136d474a21b1359f49e6afed3b74fbb4ba5f11b36ce1f4d46

SHA512
385241f905c46ead517e4e0bcaf2fe00160ba0f7f40c6926ba288bf41d46e77a8bd63ec0a97d57a5b65cf6fb1f93b5f86f51d9cb24809ae934ebdb2fd49c0b70

Download Submit
/data/data/com.crgk.eduol/.jiagu/tmp.dex

Filesize
284B

MD5
f1771b68f5f9b168b79ff59ae2daabe4

SHA1
0df6a835559f5c99670214a12700e7d8c28e5a42

SHA256
9f8898ce35a47aeafced99ea0d17c33e73037bb2307c7688e50819966f4ae939

SHA512
dae27d19727b89bec49398503baa6801640540355688dfabbe689c97545295c2c2d9b0f0dcd7cbc4cfbf701d0c0c3289e647a152f49ff242d1ecc741efe4145d

Download Submit
/data/data/com.crgk.eduol/databases/tiku_db.db

Filesize
4KB

MD5
f2b4b0190b9f384ca885f0c8c9b14700

SHA1
934ff2646757b5b6e7f20f6a0aa76c7f995d9361

SHA256
0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

SHA512
ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

Download Submit
/data/data/com.crgk.eduol/databases/tiku_db.db-journal

Filesize
512B

MD5
3153ab4987580e8a8aa13fbe836ab1bb

SHA1
2d7f814a344570c197f5e63aeed4a3fd36fbf1a0

SHA256
84d716d2ec589bb232aae23ce8582447cb3cc166550cea8118c0370ed20c450b

SHA512
18cc525ca4d3cb9b100e08c7ef65e69fa4b95355aee2b7702ed1f252e10dc8ac184041762515a54725c8ace2fb80203ca22888938c4dd09770fa5d4fcf69079e

Download Submit
/data/data/com.crgk.eduol/databases/tiku_db.db-shm

Filesize
28KB

MD5
cf845a781c107ec1346e849c9dd1b7e8

SHA1
b44ccc7f7d519352422e59ee8b0bdbac881768a7

SHA256
18619b678a5c207a971a0aa931604f48162e307c57ecdec450d5f095fe9f32c7

SHA512
4802861ea06dc7fb85229a3c8f04e707a084f1ba516510c6f269821b33c8ee4ebf495258fe5bee4850668a5aac1a45f0edf51580da13b7ee160a29d067c67612

Download Submit
/data/data/com.crgk.eduol/databases/tiku_db.db-wal

Filesize
84KB

MD5
be27eb2092cb703b76b8e31991453b81

SHA1
9c24dfa74d5cf847e3cae3e72d74317fa431b18c

SHA256
e3fa74e20c2019771e10590a1815fd41ec31cf64fb134e5eef79ef09345a17b6

SHA512
c815b704a3de283555be12be9721d60b2dff735f462c389c67b00da68c0dc938600077924a0ac1eedff89a44f7a89ae19075a125907ec521f8be80569b7de74f

Download Submit
/data/data/com.crgk.eduol/files/.jglogs/.jg.ac

Filesize
32B

MD5
f262f9749c3768e22313d2666acf6eae

SHA1
be90c167b2d8ce1b2985dbbda8a4d5e848129479

SHA256
088699e484a18d10cba145c010c6a8fb6b5b57b222d1296ac533828f0238fbe2

SHA512
43b2a65b34fa1c18a005434a3bd5bfaaddc38dee598050a2b656538e7723a8108198b8cf0bb0f10af095f43c148e6d96ef608d3359347cfd01bbc070b61c937a

Download Submit
/data/data/com.crgk.eduol/files/.jglogs/.jg.di

Filesize
340B

MD5
d40490546a3b538ed5a8fce0bd2de423

SHA1
fa0643db43b57ba6b95fa1d3f5544d771d8edef3

SHA256
4099337786edd5a987f0b5d0bfdbcc6e2557ad97784c489c59b3452cc164ca36

SHA512
025995484f35071a8634d5c3d3fd8bf27cc571201e13982fbc894f53b324c33beb3f36b6e156f61714d11e6109b47847944d3e99ccce918d25ac5797d256149d

Download Submit
/data/data/com.crgk.eduol/files/.jglogs/.jg.ic

Filesize
32B

MD5
e6563c962818d098573bb7ca8406c070

SHA1
4d08d9114528c9ad691cd47471785679dd52de1e

SHA256
75a42a04129703c07d6fcb1d2359f0d7b27ea9c2c3201a3ac60b4eb62c6b9937

SHA512
5d5962c808c1fee58eb77bb2358cd78aa5e4a4758ba7382295372f4dc1e7fad767f096e5362f04d6292772396f1edcb748c679b4c9ccd3bade8fbe63d1bbeb8e

Download Submit
/data/data/com.crgk.eduol/files/.jglogs/.jg.rd

Filesize
572B

MD5
49044f8aac7c6c51ad029f9bf42f21e4

SHA1
252c853fe0caf637734b9ac026c8dfd5b8fbb3f7

SHA256
565b881c54cf71da8f02423c3ca99fa56e6299c4bacd78acab5a4cea13e6d6f3

SHA512
6af64cd8530e349e92615f4babcc174788a29fef9969d04c0fb297a7279ebfbf23ee520855b116a7029650d0ad3225ff41a794535aa05541ed884979acbf36c8

Download Submit
/data/data/com.crgk.eduol/files/.jglogs/.jg.ri

Filesize
314B

MD5
d4a8aa742c254f78fe7d12f51fd456d1

SHA1
d11f758ab96bef7bc8fef4adfbe828a7e2583c71

SHA256
5ccb255d3358685ae351eb947192d7e56a6bf04c8345deebbe6314a5958e1b88

SHA512
d8263aed97fdec008dbc0ec6f79c4629dd025e83c7048cf477c719ced9e9cd2d3eb89b5da4803eed132467b2dcbd66d5a6b43668fccda0cf300ff69c4cf49741

Download Submit
/data/data/com.crgk.eduol/files/.jglogs/.jg.store

Filesize
32B

MD5
448e391c59eef34ee1defbe4dee4c41f

SHA1
df1f890987371d7d8e6963c68b787856e42bc146

SHA256
55612e17689f4bb05f27e18b4f6d06ffef92a6a8893a5cfdd3d5b99a6028b549

SHA512
ce336ce895ba861dda7da27e8869dea065eb3c3403cac55cdf1935409e5ebc95b495370f87ed7416af20af533b15615472e333ae9f2fd2713040f526835399b7

Download Submit
/data/data/com.crgk.eduol/files/.jiagu.lock

Filesize
572B

MD5
cc783806f1c84d5132e794c698a55c92

SHA1
b9565cdd0324a2b603a0a86c266240b71eccaf4d

SHA256
7ef57206dc06cf79cbd72466ee33986f63b563756d015a4c81a7ea7f4a69ca0d

SHA512
14bf50b8ac2eab0f4c5e7cf950a7dfa878c29b1a2ccd321144308e709abbf7dbef0abe395f78e7a330ba09ff0ed54953d924073dace518eae210df322ccbc19b

Download Submit
/storage/emulated/0/360/.deviceId

Filesize
48B

MD5
1d8d16c4e3b19ebf18988530d9b9a757

SHA1
bc94c1cce05cd848a53271ecb9c5311e27ffebf5

SHA256
abd87140da8de3d0aa39a24a8d52bfe7b2eb28f7a3d505f205471c7e8f4964d7

SHA512
4562d1eedbc5c2dd7f25cd1c70343053fd451026403585182b142a64f17016c1bd0bf6ad51667b439b220e425640e55fbbda08517e7106376cdc220a4555da82

Download Submit
/storage/emulated/0/360/.iddata

Filesize
32B

MD5
5c60f56af28964ef3affd05f0181d657

SHA1
1fe7062b1e67c0907148dcebe228decb95de573c

SHA256
d4e7071b0c3d6c35ea2dedf216f5cd0f0b3ced940621dc814cedf67fc2ff6cb0

SHA512
8f92dbfe49e8279700cc99af6f57be30c3864771fbe7aca38525dce196b34d43c90d2d7f2ef6dc5bf68bc3bc38c98458284efb3b0c3d027f433e4666a3c8c4a5

Download Submit
/storage/emulated/0/Android/data/com.crgk.eduol/files/tbslog/tbslog.txt

Filesize
2KB

MD5
c655cbee320cd23d1037325113c8651a

SHA1
b393f21dbcf65e21e27e7167e9b33c3a2e792f07

SHA256
9de807222d3126a17720697f198e8c7b33fe6f7c63fb45c460dd2bce6190bc1d

SHA512
e116ced7630b75975987d8a334bda9ee31197d403f81a90b4b072b177aacdf39f4cf5e17cf9fd318fb478989f9426da56dbcb82d067199837a806e3471140ff9

Download Submit