46523ecfa60ce68efbb7f443bdd9e0ff2dcc3436392b5af289b7339452099a36

Analysis

max time kernel
150s
max time network
156s
platform
android_x86
resource
android-x86-arm-20240506-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20240506-enlocale:en-usos:android-9-x86system
submitted
09-05-2024 20:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2b787b542ef71301a03a5ebcbc1310bb_JaffaCakes118.apk
Size

5.1MB
MD5

2b787b542ef71301a03a5ebcbc1310bb
SHA1

c6bd48c918b3d8c25c44acebaf2a8e36ef84f8b8
SHA256

46523ecfa60ce68efbb7f443bdd9e0ff2dcc3436392b5af289b7339452099a36
SHA512

1752a6cf729b1cfb0a53bf6a8042ab0469d2e672dab3d3649278efa20e60a1ba6808ad3f8ecae6663a7d994db842d726b06c5f738a36f75aa7f943fbee645062
SSDEEP

98304:niV+JvptJbc8qciDFE3ny6DuyZ0RjDr2QtNexvbXwg7:nxvpXH0HRyORXr2AwbXwK

Score

8^/10

collection discovery evasion impact persistence

Malware Config

Signatures

Requests cell location 2 TTPs 1 IoCs

Uses Android APIs to to get current cell location.

collection discovery evasion

Location Tracking

T1430

Geofencing

T1627.001

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getCellLocation	com.shenwokeji.activity

Checks CPU information 2 TTPs 1 IoCs

Checks CPU information which indicate if the system is an emulator.

evasion discovery

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	com.shenwokeji.activity

Checks memory information 2 TTPs 1 IoCs

Checks memory information which indicate if the system is an emulator.

evasion discovery

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	com.shenwokeji.activity

Loads dropped Dex/Jar 1 TTPs 6 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/data/com.shenwokeji.activity/.jiagu/classes.dex	4159	com.shenwokeji.activity
/data/data/com.shenwokeji.activity/.jiagu/tmp.dex	4159	com.shenwokeji.activity
/data/data/com.shenwokeji.activity/.jiagu/tmp.dex	4159	com.shenwokeji.activity
/data/data/com.shenwokeji.activity/.jiagu/classes.dex	4230	com.shenwokeji.activity:mult
/data/data/com.shenwokeji.activity/.jiagu/tmp.dex	4230	com.shenwokeji.activity:mult
/data/data/com.shenwokeji.activity/.jiagu/tmp.dex	4230	com.shenwokeji.activity:mult

Queries information about running processes on the device 1 TTPs 2 IoCs

Application may abuse the framework's APIs to collect information about running processes on the device.

discovery

Process Discovery

T1424

description	ioc	Process
Framework service call	android.app.IActivityManager.getRunningAppProcesses	com.shenwokeji.activity
Framework service call	android.app.IActivityManager.getRunningAppProcesses	com.shenwokeji.activity:mult

Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs

Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

discovery

System Network Connections Discovery

T1421

description	ioc	Process
Framework service call	android.net.wifi.IWifiManager.getConnectionInfo	com.shenwokeji.activity

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 2 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	com.shenwokeji.activity
Framework service call	android.app.IActivityManager.registerReceiver	com.shenwokeji.activity:mult

Checks if the internet connection is available 1 TTPs 2 IoCs

discovery

System Network Connections Discovery

T1421

description	ioc	Process
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.shenwokeji.activity
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.shenwokeji.activity:mult

Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 2 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.shenwokeji.activity:mult
Framework API call	javax.crypto.Cipher.doFinal	com.shenwokeji.activity

com.shenwokeji.activity
1⤵
- Requests cell location
- Checks CPU information
- Checks memory information
- Loads dropped Dex/Jar
- Queries information about running processes on the device
- Queries information about the current Wi-Fi connection
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Checks if the internet connection is available
- Uses Crypto APIs (Might try to encrypt user data)
PID:4159
- sh -c ps
  2⤵
  PID:4345
- ps
  2⤵
  PID:4345
- ps
  2⤵
  PID:4386

com.shenwokeji.activity:mult
1⤵
- Loads dropped Dex/Jar
- Queries information about running processes on the device
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Checks if the internet connection is available
- Uses Crypto APIs (Might try to encrypt user data)
PID:4230

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Execution Guardrails

T1627

Geofencing

T1627.001

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Discovery

Location Tracking

T1430

Process Discovery

T1424

System Information Discovery

T1426

System Network Configuration Discovery

T1422

System Network Connections Discovery

T1421

Lateral Movement

Collection

Location Tracking

T1430

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.shenwokeji.activity/.jiagu/classes.dex

Filesize
1.6MB

MD5
dd08f4b2d16104bdbf2f919b183ec3ed

SHA1
ef6b788782dfa18715566075bda25a3c9ce04228

SHA256
f2b64dfe076ca1c25f145645e984882685fcfe52ccf9c421217047bac8e0ad80

SHA512
77c6917acf8b5f0c85a46ddec9a50812a3da54726da53f50789397ae58e9194c867213fc4ad4f5862670273a53fa6e4d7072c6e97d2d192e89054ff60a6d8fc0

Download Submit
/data/data/com.shenwokeji.activity/.jiagu/libjiagu.so

Filesize
496KB

MD5
f07656a2f51ecb23edc102003c32b764

SHA1
3ef18f74b609313887b9e825c56a54b5a9eef20e

SHA256
f6847402ab69102f8495aac58b9beddde9a71dc52470c5de17e382eec2a6b913

SHA512
34b337d2cf98ec3009f80ff299e43984a1c911e5f9eb5942a915915cb7b5b591ffc9f1b79a7989534c2583a703a3f0857e74be68cdd71388f68d5bef354f7238

Download Submit
/data/data/com.shenwokeji.activity/.jiagu/tmp.dex

Filesize
284B

MD5
f1771b68f5f9b168b79ff59ae2daabe4

SHA1
0df6a835559f5c99670214a12700e7d8c28e5a42

SHA256
9f8898ce35a47aeafced99ea0d17c33e73037bb2307c7688e50819966f4ae939

SHA512
dae27d19727b89bec49398503baa6801640540355688dfabbe689c97545295c2c2d9b0f0dcd7cbc4cfbf701d0c0c3289e647a152f49ff242d1ecc741efe4145d

Download Submit
/data/data/com.shenwokeji.activity/files/.jglogs/.jg.ac

Filesize
40B

MD5
e2def70b4f1d3f128fc56f48e56a0ba7

SHA1
6fc2bba267fdaa72d128ca9e390c24cb56147495

SHA256
849ecafd887da6169e947192ef0bc9232aced9d1d039a9741d1ef6e834acf0da

SHA512
2e385b92d094b1c8927be13efc685c4261af5fe84631d9723eb9dba7b40c8d4c4ac63e99712ef19b0129207ae98b1444ef4231b99d9a591d4c97ec591e0d82f2

Download Submit
/data/data/com.shenwokeji.activity/files/.jglogs/.jg.ac

Filesize
40B

MD5
4b5f378b5f98882ce53d9b202382b5df

SHA1
a8bae082127e10ec42b6bc3fa97001c265fb2865

SHA256
30ee5e3a522cca4b76fabd7e9004b336ef3eebdf8bb2868fb5785c5b62f5cbdb

SHA512
ca285348a86ea4955143625f13a4fec3c2a5ba12356cdefa3cd78117a6d8108549fbf41b2122db201ea2ff82519c849545c3ba004e6900f2a4fb8c5d522a8d07

Download Submit
/data/data/com.shenwokeji.activity/files/.jglogs/.jg.di

Filesize
340B

MD5
9b4f09141612dba19fc90ce7f8ced548

SHA1
6f3bed2ee1e4d774c3ac5601a2271236e2a2adc8

SHA256
8c3c729de9961d13931bbb211fb4acb7bfc8466dd3fe93bcbf63b0a60eb100db

SHA512
367091a718a7e02cfe4f064371e0f7a6171570be60995ff2325f50cc03bb2959862f9aef0f4b22fe84bde38d5b0e6e53e189a3600a90f2da0e7e7bed5487b2ab

Download Submit
/data/data/com.shenwokeji.activity/files/.jglogs/.jg.di

Filesize
340B

MD5
05f867927b66a4f48ce9dead6e192d82

SHA1
73c60e56acae6a153cdca2cb8fbe0c2bbf04f501

SHA256
7501dac6bc55ba674fd0e0e164da9ff70ef8cb675264c6fec7d0fe14f50946b7

SHA512
4e987d5e105ce4135d3a2f12ba607cc56357ad80c052dfee5a7959ce343ef150e57dd49c26093fe755b5fb2878f39ea6993638e561b59e9f12137f8ff10b86b9

Download Submit
/data/data/com.shenwokeji.activity/files/.jglogs/.jg.ic

Filesize
40B

MD5
046671473e7b8bc1e2b551e286539b5d

SHA1
9126ebbdc0bc64e4b334c5535552023031b987f9

SHA256
7b76b38be737d736801895748e8489a30f6ba3cc087c5a16cdc4bfd607a81b02

SHA512
17a22240e49e16871c3cace1d8c33c2840633b789e3223fa1dec446b2588e00f15df785177f0623047ef86997a4bcf2f4f3b27b91712b3f8edf51d3e198b709a

Download Submit
/data/data/com.shenwokeji.activity/files/.jglogs/.jg.rd

Filesize
73B

MD5
e74056f9bb4e789aefa52c9df59f8d1e

SHA1
e3a3040918150ae132b894d0d616fdff61214d89

SHA256
3b9c9a94ed61248628cfb20433698a0c93ddb6a5af7780ef2789f2a180341fc9

SHA512
e9729042c79f69f751c7f0e16c1644d75b850b2491eb32f7b500ea3d73f0c03f977a72458f0ca4d3cabff73532e61c0915cb3ebaa4a8eb124a54a48e77b296a5

Download Submit
/data/data/com.shenwokeji.activity/files/.jglogs/.jg.ri

Filesize
314B

MD5
3d7f9631c2d4e851bd2e4162733eae4e

SHA1
1d13b9c488c98a4f0771e6ac9c7459c32c017a0f

SHA256
b5376b0ea33235cde05035b24e0c5bcdbea83d6e944103fbd859529d6153ddda

SHA512
cb682342b1d036e18e350a3c424e0a6fce3889de00a9170fe3c1ffaf4045c6d325aeac19cf63456ea4cb021b5fc9f30c59d880484ae7ebdb4f84053368de2c39

Download Submit
/data/data/com.shenwokeji.activity/files/.jiagu.lock

Filesize
202B

MD5
14c425a80960e881dc618915c4be1b0b

SHA1
365d9dbd0ec695151b18f8a37690d582685833ff

SHA256
5a76cbfb576b51018045dc99c16631444ed492a4f73ba9daad5f71190deab461

SHA512
8ab34ba86d06d92a857a9994a77f7015278ac7b4e5155bd35ba56ca1db0976d111492a6add82ca8b1e443bbf0a40167f97d0e9d79dc80b18b08a86980a76a8bb

Download Submit
/data/data/com.shenwokeji.activity/files/jpush_stat_cache.json

Filesize
119B

MD5
e1ef22ad145f8e12d109678fa4ad6cea

SHA1
4e4ae708faacb878776be4de7cd2419614d429ce

SHA256
3bc935a880c63a6329e10e6cbe89e68ea27bc0968e8b754f3662f2dfbe7afbf2

SHA512
c415f11d4ebbcdbdd58d9a143b509230348abe1e28777a9280e2ba791139ccb4815240b8a2254e3f9becd561c656350353bb319a880ddf263ab0c50bca06dcff

Download Submit
/data/data/com.shenwokeji.activity/files/jpush_stat_history/normal/nowrap/ef752e12-ea69-49d3-bf16-9f91d38169aa

Filesize
159B

MD5
2433bdfa4f76615806caa6392c3a3dd1

SHA1
d72804c485902d51328d4ee63ef68f96da928626

SHA256
e43451a5e2aad541803c493b2aa9ed17d638dbe9108608d2860faa1193d34fd9

SHA512
14fc8c11d74ce53f7d6d078e6c42480cfc35e34c9a9970778ee288750496dccba5d0bfb91990a163c2eea5183b483507fa58f38aa500708bb0ec41197ed096a2

Download Submit
/storage/emulated/0/360/.deviceId

Filesize
48B

MD5
1d8d16c4e3b19ebf18988530d9b9a757

SHA1
bc94c1cce05cd848a53271ecb9c5311e27ffebf5

SHA256
abd87140da8de3d0aa39a24a8d52bfe7b2eb28f7a3d505f205471c7e8f4964d7

SHA512
4562d1eedbc5c2dd7f25cd1c70343053fd451026403585182b142a64f17016c1bd0bf6ad51667b439b220e425640e55fbbda08517e7106376cdc220a4555da82

Download Submit
/storage/emulated/0/360/.iddata

Filesize
32B

MD5
2a982fff00994f5cfdb8329404227ab7

SHA1
d6437c8e158a9fb49a2018dfa0ce0308a65a651b

SHA256
f239be63edb89ce31a83015f6c077210b3a6bfdaa456c264b18def4716dca71a

SHA512
c45d54a8a9d1cf7752db35d1385bf7c5b633bcb51f719b9d29001cf5ef5dbd3bb55126a3826b888f4a506b479b37ab81c3cea0b9a58ac8cda8a6c69bb716c410

Download Submit
/storage/emulated/0/data/.push_deviceid

Filesize
32B

MD5
0b333f60dc623cf19bc9329bf5bd96cf

SHA1
9e62cf38cdf02ab9ac5fd90079a809426af158a1

SHA256
45af7a8a2e3b0688596334ac2eca84927180e44c52e33d0e818f0a8c8eced4cd

SHA512
354aabf9861dc8ef502b70f15f1be74e4fea7e2d0b8c4b68c7178ed2daee6f28d422e79c1c28d01f909b4ef995c09961c8f0e6bccb02e652545fa0d9369d6b78

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads