a6bb0a1880093c14aac97821dc1149f98bf61400060f1ad282d4a0da306db109

Analysis

max time kernel
147s
max time network
152s
platform
android_x86
resource
android-x86-arm-20240506-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20240506-enlocale:en-usos:android-9-x86system
submitted
11/05/2024, 07:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

336f89c323d8ca4edaa636a59a5662cc_JaffaCakes118.apk
Size

18.0MB
MD5

336f89c323d8ca4edaa636a59a5662cc
SHA1

6e90d965a40a320536130bd026153e6c6585d7b3
SHA256

a6bb0a1880093c14aac97821dc1149f98bf61400060f1ad282d4a0da306db109
SHA512

9992275c4ceacf3cda7f01d00d85ed977d8d8b9b23450fa776da19aa462186cef919a8e6fca1cf18a8ff39751cfe7e678e663578b70c70409569499ebaad3af1
SSDEEP

393216:+NKMf1mAplwBcHUcd+r2tF9Ya3g7gf/dgSRYe3uu:+NKMf0ApyqHLF9Twc2SWeX

Score

7^/10

discovery evasion impact persistence

Malware Config

Signatures

Loads dropped Dex/Jar 1 TTPs 11 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/data/com.xgbuy.xg/.jiagu/classes.dex	4261	com.xgbuy.xg
/data/data/com.xgbuy.xg/.jiagu/classes.dex!classes2.dex	4261	com.xgbuy.xg
/data/data/com.xgbuy.xg/.jiagu/classes.dex!classes3.dex	4261	com.xgbuy.xg
/data/data/com.xgbuy.xg/.jiagu/tmp.dex	4261	com.xgbuy.xg
/data/data/com.xgbuy.xg/.jiagu/tmp.dex	4299	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/data/com.xgbuy.xg/.jiagu/tmp.dex --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/data/com.xgbuy.xg/.jiagu/oat/x86/tmp.odex --compiler-filter=quicken --class-loader-context=&
/data/data/com.xgbuy.xg/.jiagu/tmp.dex	4261	com.xgbuy.xg
/data/data/com.xgbuy.xg/.jiagu/classes.dex	4339	com.xgbuy.xg:pushcore
/data/data/com.xgbuy.xg/.jiagu/classes.dex!classes2.dex	4339	com.xgbuy.xg:pushcore
/data/data/com.xgbuy.xg/.jiagu/classes.dex!classes3.dex	4339	com.xgbuy.xg:pushcore
/data/data/com.xgbuy.xg/.jiagu/tmp.dex	4339	com.xgbuy.xg:pushcore
/data/data/com.xgbuy.xg/.jiagu/tmp.dex	4339	com.xgbuy.xg:pushcore

Queries information about running processes on the device 1 TTPs 2 IoCs

Application may abuse the framework's APIs to collect information about running processes on the device.

discovery

Process Discovery

T1424

description	ioc	Process
Framework service call	android.app.IActivityManager.getRunningAppProcesses	com.xgbuy.xg
Framework service call	android.app.IActivityManager.getRunningAppProcesses	com.xgbuy.xg:pushcore

Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs

Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

discovery

System Network Connections Discovery

T1421

description	ioc	Process
Framework service call	android.net.wifi.IWifiManager.getConnectionInfo	com.xgbuy.xg

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 2 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	com.xgbuy.xg
Framework service call	android.app.IActivityManager.registerReceiver	com.xgbuy.xg:pushcore

Checks if the internet connection is available 1 TTPs 2 IoCs

discovery

System Network Connections Discovery

T1421

description	ioc	Process
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.xgbuy.xg
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.xgbuy.xg:pushcore

Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422

Listens for changes in the sensor environment (might be used to detect emulation) 1 TTPs 1 IoCs

evasion

User Evasion

T1628.002

description	ioc	Process
Framework API call	android.hardware.SensorManager.registerListener	com.xgbuy.xg

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 2 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.xgbuy.xg
Framework API call	javax.crypto.Cipher.doFinal	com.xgbuy.xg:pushcore

com.xgbuy.xg
1⤵
- Loads dropped Dex/Jar
- Queries information about running processes on the device
- Queries information about the current Wi-Fi connection
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Checks if the internet connection is available
- Listens for changes in the sensor environment (might be used to detect emulation)
- Uses Crypto APIs (Might try to encrypt user data)
PID:4261
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/data/com.xgbuy.xg/.jiagu/tmp.dex --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/data/com.xgbuy.xg/.jiagu/oat/x86/tmp.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4299

com.xgbuy.xg:pushcore
1⤵
- Loads dropped Dex/Jar
- Queries information about running processes on the device
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Checks if the internet connection is available
- Uses Crypto APIs (Might try to encrypt user data)
PID:4339
- cat /sys/class/net/wlan0/address
  2⤵
  PID:4467

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Hide Artifacts

T1628

User Evasion

T1628.002

Credential Access

Discovery

Process Discovery

T1424

System Network Configuration Discovery

T1422

System Network Connections Discovery

T1421

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.xgbuy.xg/.jiagu/classes.dex

Filesize
6.6MB

MD5
af40ddebf367d3418c410ba2bbdb34a6

SHA1
9a5c0f557da523fb37d3ea9f1dad84e45b78b8ab

SHA256
fd4c1d3b24b0138f6f355235f35815ff43de7e73e5029854ac0581f6d5b4cb45

SHA512
6ca004321a8ef7f6a08b5be12833971bf017ff58c753ebe73d682abcf5633f084b9b1f5c3453432894f8ce8c9b306963b345cc0d6503450667d9ef66d3ac0ae7

Download Submit
/data/data/com.xgbuy.xg/.jiagu/classes.dex!classes2.dex

Filesize
6.5MB

MD5
56a56032a56816197231ccd2c1447841

SHA1
42b24c7723619c5bbfff5625ee1f4ff7a9afb34a

SHA256
920b1975141f98268ddde30a18db00a3c92776c8472763640b06009b90ccf039

SHA512
f47a2ee1f15a58887d5158bf141277a7d6488fcd31a9c85ca0d6706a4252433b812e8a49e956fba313393ac55333bee777394d300e136d489a484f5e883e3165

Download Submit
/data/data/com.xgbuy.xg/.jiagu/classes.dex!classes3.dex

Filesize
2.1MB

MD5
63eb01b23dce33b6abd34b5693031ca8

SHA1
870abc96ae069aa034b1b647244af5465a881ddf

SHA256
3798ad86a5974af83d89bc71f1737c1747ca4561beb07f74a214675efab02629

SHA512
eac344e6167fc50acfca60a177bccf404cd0eb595b0b3e948f88af21ac3d7c14a49d0d7162bc5ef529b9107132c8ac3d0242186ac1b0ac231acc31e8f969311a

Download Submit
/data/data/com.xgbuy.xg/.jiagu/libjiagu.so

Filesize
486KB

MD5
50750315eef281575611bc425174b939

SHA1
acaff02526d7b4c257e00002ed09af364f66a401

SHA256
c8d37512f73bef5a1c1b060676cdc6d508a8d8dd36f2438f5d6353c9b8524bef

SHA512
60584a993992a68e8d0a53be705e3a9d52fc126df26b9bdcf80d14e659f1d70bceb926e0a99a69fdf40f1c09fd61aa52c2d2c008ee5c3ef59af5922a75161ea9

Download Submit
/data/data/com.xgbuy.xg/.jiagu/tmp.dex

Filesize
284B

MD5
f1771b68f5f9b168b79ff59ae2daabe4

SHA1
0df6a835559f5c99670214a12700e7d8c28e5a42

SHA256
9f8898ce35a47aeafced99ea0d17c33e73037bb2307c7688e50819966f4ae939

SHA512
dae27d19727b89bec49398503baa6801640540355688dfabbe689c97545295c2c2d9b0f0dcd7cbc4cfbf701d0c0c3289e647a152f49ff242d1ecc741efe4145d

Download Submit
/data/data/com.xgbuy.xg/databases/xinggou

Filesize
4KB

MD5
b0b254e10c81a34773a77b440fb3d1e4

SHA1
c68f72390b63e4834341e647833cf15ed20b1079

SHA256
bb16e927536ab45b8bb45bb7c6466dfceba8975d5f0bef721b2492425706d557

SHA512
264bc29d4cb8477e08be75e417bc15982efa54440cd13638455592d0ea5c7e16844e650b80e51f82af382af90f7b04c86d2c02f357a05be08a4f6be603d28a73

Download Submit
/data/data/com.xgbuy.xg/databases/xinggou-journal

Filesize
512B

MD5
868320db90f38057f768b0185dd5d7d3

SHA1
ff6320840c951f19b50094b487b832c31b39bd62

SHA256
72ec6f036935cdbca04013bf9f65619b5fdc0fa1367cde4dcb6ea73fe78b1032

SHA512
6766f42f28dcc57268f5a9764621fba966052624c7a447dd4b2eceb2d2a90ebdb0ab9dca88c2e7950713f967fa9e5c4d1559f2c86c3cc65d7c61fce2bb958845

Download Submit
/data/data/com.xgbuy.xg/databases/xinggou-wal

Filesize
16KB

MD5
187b112504ce1af0f92825d2e8125e73

SHA1
4b9811db1badf7cef9e550eb4e7ef46eda22afda

SHA256
f800a96c5381657b75f149276ce1136ee56518e595b50704c104eefaa4695c0d

SHA512
cfcaf0a43dbc8a3ad778672bb2b4d4e47ace5b81ff2e56406fcc6639c1563f9b545ad34539f01598338da2629d2fea18d8618d00957023a5fff7f325add98072

Download Submit
/data/data/com.xgbuy.xg/files/.jglogs/.jg.ac

Filesize
32B

MD5
1264f30db5bc978090c891fc9ba97820

SHA1
22a1664ca5bac8af36bdaf8e4098c02c7fc9c1fc

SHA256
6383110e70c2cf20a67539bbf759d99229ac2dcd214cae6a3c5de840497bab2c

SHA512
f3ec53223344ea4763479b39ae62a3dde4b83e0db05d4707c9e2c914725943063706c6c53e6fc043ee13640ac98242775c901b84ec76eb3edf11615bd0084488

Download Submit
/data/data/com.xgbuy.xg/files/.jglogs/.jg.di

Filesize
340B

MD5
97cfd1d2a4398f6d2b1d81ff7fdf0179

SHA1
0f50c10b9952e52fbdcbde31e8b270e0761eafbb

SHA256
636c1d8a58b867d59b11aeca838de9a3c6e78d4a664617546e0543f68312ebfe

SHA512
14aec41d87614202ea8b5a6aef3a997472a8d156f4e22db071260aa58ffd2644959d0c125b92e2a986f50963f324282dcc5851228f5b72b22a2b7d75ab73209b

Download Submit
/data/data/com.xgbuy.xg/files/.jglogs/.jg.ic

Filesize
32B

MD5
9afbf0dc0b4a4fd0a874cfec2c55461a

SHA1
a42766499eef11be1120ff87588b7f715c1b2a7f

SHA256
75c6a927b6cffe50b1a48e8aff766f5d543dec5aec8010b835ab4c4d8dd3da37

SHA512
863cdc25dd26bc2db5a80480a5d5bd16965ce02afc94f732f31c24bdcd3daaae24d41504f0eefead9a8ecc402aa2e798ce100e8a225b13b38b05aa433456185d

Download Submit
/data/data/com.xgbuy.xg/files/.jglogs/.jg.li

Filesize
100B

MD5
2b6ce527a216ca3e3e182595ebd2e5c3

SHA1
a03c4e811e961f6438fa4a69a8cec259dcfc1742

SHA256
7ab7ab08bc66058c8764984b08d5e51739cb243a8ac289430900dafa29ceb051

SHA512
0b9b79b3e19b9b904b5f8e571b69149a83c71b7a81eca4cf96c5ced76ffdb7886e0507aa95a29966603fb58e11a8840ae8f845c03207bf428e756c136e0d8b0b

Download Submit
/data/data/com.xgbuy.xg/files/.jglogs/.jg.rd

Filesize
73B

MD5
7cef4bf7b995564773e94229541dfd48

SHA1
4270195392562f55dabae96238b59d535f5d35f5

SHA256
b599c40c0ae5855d3ebfb7b876a0390274d0432e41e5d58b4f347e941f2bbb1f

SHA512
74c9fdcf8183f798bfc0eaff0bf1b0950a72bce6689e2c00ecba8e98d975a4e0e872f8ea406f400de8f6941fcd56bf75820e044585ddb52df1d9b851cdedceb3

Download Submit
/data/data/com.xgbuy.xg/files/.jglogs/.jg.ri

Filesize
314B

MD5
a67126626fe0393a3dcac9a281718aca

SHA1
5da23e81bf7b56b192e9e999441656960f3ef997

SHA256
b63d6a1cef28625c77f3be778469797bc614cee884e399d5ea26b2eb2ffa063a

SHA512
c23fa139b5919e0d6187267f235d1de9ccee552547797f35af06343f8e7ea507e42e82648b95668e15885ff5aece043aefccffe182b10299b8e6568b2859b6b5

Download Submit
/data/data/com.xgbuy.xg/files/.jiagu.lock

Filesize
27B

MD5
e88eb673c8f14330fc7d624f3aaa52e1

SHA1
454c21f0190959a215171b9baf3ab80c9faab975

SHA256
5e4490e27b2fe24a68f1b17c9d8dc893f6425fe397358bc3f9d97687440fe0f3

SHA512
beebd5cbfb908f67edaf894db68995ab0691bdeba26c5f269de94f7c17130db840d1e0fc9b262124bba9cbe114401e83cd8115deb6c99704c78a81b1528b3997

Download Submit
/data/data/com.xgbuy.xg/files/Mob/mob_commons_1

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
/data/data/com.xgbuy.xg/files/jpush_stat_history_pushcore/normal/nowrap/e7d9c480-5f5e-47a3-89ef-7ec01636c21d

Filesize
202B

MD5
90edbd6396584fa8f659363e8b9a64d0

SHA1
fa7d8b24b6d5c9029208454d5d6501bfbaca4fa9

SHA256
7e532dfc63fd82509b4fbbecb7c2ba80c85ae9a7b629730bd237d9c1fc187518

SHA512
a9cfc5cbabce07ca6ae98bf8ae0395c03f974f169a2c275027d1528ac94b15556e9555050314d109c6cf426d9c3a86c1deb7c3e1f07ab1df7286380f44a8c5f5

Download Submit
/storage/emulated/0/360/.deviceId

Filesize
48B

MD5
1d8d16c4e3b19ebf18988530d9b9a757

SHA1
bc94c1cce05cd848a53271ecb9c5311e27ffebf5

SHA256
abd87140da8de3d0aa39a24a8d52bfe7b2eb28f7a3d505f205471c7e8f4964d7

SHA512
4562d1eedbc5c2dd7f25cd1c70343053fd451026403585182b142a64f17016c1bd0bf6ad51667b439b220e425640e55fbbda08517e7106376cdc220a4555da82

Download Submit
/storage/emulated/0/360/.iddata

Filesize
32B

MD5
283364c2988155f588aea963bd9124ad

SHA1
19155a7efc00da656ccec010e4387aa676ae81bf

SHA256
09fe81fd4c96fc3b2baacfbf882fba50cb53a90a874233c7c8333bb18aff5cd6

SHA512
0ce74fcc4ff624741153f75ca1680cdc3e293a60ae5594b457e9b5e5e78852fae0764c289b4b7db658c8a9c8f8115ad68fbe0224d46c7b482a8e7d8b1d4fafad

Download Submit
/storage/emulated/0/Mob/.slw

Filesize
66B

MD5
19402718bfb1c685a726b4e1d846ad98

SHA1
02a7e30044a67085f2f1da24e16e4ecfede65b72

SHA256
079f790e6a1934a94542559f53a89a824aafd3173d956b6019291955aeeb33d0

SHA512
25254318c22cfd301c8bcd479f45797d502b6ab5f14265dadfa3d87b4dd1942a629d3cbc2f0b600cf73b4fe910e3773432f56a0a7b4343e280e20c5a6af0320b

Download Submit
/storage/emulated/0/Mob/.slw

Filesize
66B

MD5
5376297da698294a17e3200d3d0d3b7d

SHA1
675745b8d8992ddd3e476b330891cb4a5cad8b53

SHA256
b9bb70904e233150e2037f5f682d676721526f651be7072329c44bce14f30261

SHA512
cb2f974a65173fdcd523d7d15017ad6f56eee431e4c3d3581fac31a1f7a9bdbd04272c163c1035bbd8c6e2338f6227a9f4b7edf17487d86e8ed98e2ebc2526b9

Download Submit
/storage/emulated/0/Mob/comm/.di

Filesize
92KB

MD5
adebce9e846baf4b02f54b9f182c44a8

SHA1
00e52b77d3b8ecf46952cbc22cb1db31b6fb6f10

SHA256
202feddf5c8c659ca37b8ac3ce0be70f69f4eb2f56395d5936e8f1400ab714fd

SHA512
463be4f6b37bf81ec86159a608a5d9775623bd3889815eb09e08fbf15b9af8344fec786a00fb406e38e7d30e9fdab7a6580ace0ad7f216b68d02c8978c4eb8f5

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads