Analysis

  • max time kernel
    8s
  • max time network
    131s
  • platform
    android_x86
  • resource
    android-x86-arm-20240506-en
  • resource tags

    android, arch:arm, arch:x86, image:android-x86-arm-20240506-en, locale:en-us, os:android-9-x86, system
  • submitted
    13/05/2024, 06:58

General

  • Target

    3e41a3189f5816e580e7a5e653c771a4_JaffaCakes118.apk

  • Size

    14.8MB

  • MD5

    3e41a3189f5816e580e7a5e653c771a4

  • SHA1

    ee83fb61fdac08cb55a24ca584ee7c9ebb611f55

  • SHA256

    6c083c3489fd114b31f6ee890e38803e5ecb5c63b57d81016942929053e1f533

  • SHA512

    fdca84a0b6df78c83d2735782ac85f217772bb69318441cb6c1c459675787ac78bcf2aba060c8ab807cc597bf9573a93e02b69aee7a9e8e384224e1347393e38

  • SSDEEP

    196608:G643nJBOAmDjd9BaXJ3N0DzjsTIurChbKDbYBVveNyDbc8rCsfRnK0d6zdtfBjNt:h43n7nmF94cDz4rnQdDA8rpRnAfhNPU6

Malware Config

Signatures

  • Loads dropped Dex/Jar (1 TTP, 5 IoCs)

    Runs executable file dropped to the device during analysis.

  • Queries information about running processes on the device (1 TTP, 1 IoC)

    Application may abuse the framework's APIs to collect information about running processes on the device.

  • Queries information about the current Wi-Fi connection (1 TTP, 1 IoC)

    Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

  • Queries the phone number (MSISDN for GSM devices) (1 TTP)
  • Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTP, 1 IoC)
  • Checks if the internet connection is available (1 TTP, 1 IoC)

Processes

  • com.dada.syn
    1⤵
    • Loads dropped Dex/Jar
    • Queries information about running processes on the device
    • Queries information about the current Wi-Fi connection
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Checks if the internet connection is available
    PID:4461
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/data/com.dada.syn/.jiagu/tmp.dex --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/data/com.dada.syn/.jiagu/oat/x86/tmp.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4523

Network

        MITRE ATT&CK Mobile v15

        Downloads

        • /data/data/com.dada.syn/.jiagu/classes.dex

          Filesize

          5.6MB

          MD5

          8aa4ebf070d44b83919fbc31a9714dd6

          SHA1

          3580a4071c27f476f720cea1d5ebc8f139700929

          SHA256

          71599b1a14c7d9904416b515867ec6abe17c563ed038e34d2693991471780d6d

          SHA512

          cc7b56437220762921b2707820a8b89c542355e0a924786541dc296a1f80f7a4368326c81dc8f0782f16f07cffcc6b186aae7c4e3dd7e0c49ea305c0394a58b3

        • /data/data/com.dada.syn/.jiagu/classes.dex!classes2.dex

          Filesize

          3.4MB

          MD5

          cb43eafa46bc4a4ec3f5f829b2e003d3

          SHA1

          8026adf7ae582182c36c723deda5d736c48ac666

          SHA256

          dafa5b33ecbba11bc44bc1f9cbdaa22ca13a295b84be7fe3f47e4c33671f6ecc

          SHA512

          8386eda944b8edbe7dd0a3a6f07c29aebccfad5ca448d7a9c270075c606d3580104fd80af11b96b0c1c51536e43e19ad70bd7b9d1d4f0d9451572ee235997b8c

        • /data/data/com.dada.syn/.jiagu/libjiagu.so

          Filesize

          475KB

          MD5

          5aea02f4e4c77fbf2e7a27f7ca9cc06b

          SHA1

          522db1748608e9173547b29b7aa82ddc3542c534

          SHA256

          5a1c513b347e2a929769e2be67552c1d591704f08f7b5590282b66cc2c7d7bd2

          SHA512

          5c979a11f5e896829db906f533756efc1cf3c5a7e35ecc9e376a0aae818f2dada013441649feac2e188bd51affbbf35156e32fdc6552e185bddbc547f3850316

        • /data/data/com.dada.syn/.jiagu/tmp.dex

          Filesize

          284B

          MD5

          f1771b68f5f9b168b79ff59ae2daabe4

          SHA1

          0df6a835559f5c99670214a12700e7d8c28e5a42

          SHA256

          9f8898ce35a47aeafced99ea0d17c33e73037bb2307c7688e50819966f4ae939

          SHA512

          dae27d19727b89bec49398503baa6801640540355688dfabbe689c97545295c2c2d9b0f0dcd7cbc4cfbf701d0c0c3289e647a152f49ff242d1ecc741efe4145d

        • /data/data/com.dada.syn/databases/MessageStore.db

          Filesize

          4KB

          MD5

          f2b4b0190b9f384ca885f0c8c9b14700

          SHA1

          934ff2646757b5b6e7f20f6a0aa76c7f995d9361

          SHA256

          0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

          SHA512

          ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

        • /data/data/com.dada.syn/databases/MessageStore.db-journal

          Filesize

          512B

          MD5

          692857f27ce9d2fc3a174ec0f344bc66

          SHA1

          a710c7f086a97b6868aff606a60bc37912a911c7

          SHA256

          8c0ef0e268b9c9ab2a62c5dbd37aac14f631b6c3817f413f2defe08bedbf56ac

          SHA512

          9a181495ff3bf8bb37e9b771e3441d35c36628e353c58b704c23f347dfd3a322c00df880e975c3be976b25bab76880b9b7f7addb69cfa272c8589fc8c3f542f5

        • /data/data/com.dada.syn/databases/MessageStore.db-shm

          Filesize

          28KB

          MD5

          cf845a781c107ec1346e849c9dd1b7e8

          SHA1

          b44ccc7f7d519352422e59ee8b0bdbac881768a7

          SHA256

          18619b678a5c207a971a0aa931604f48162e307c57ecdec450d5f095fe9f32c7

          SHA512

          4802861ea06dc7fb85229a3c8f04e707a084f1ba516510c6f269821b33c8ee4ebf495258fe5bee4850668a5aac1a45f0edf51580da13b7ee160a29d067c67612

        • /data/data/com.dada.syn/databases/MessageStore.db-wal

          Filesize

          48KB

          MD5

          718ca63db4b6a00b19e02107177610b4

          SHA1

          ae91b454734dd388158dff3df1d020fb872962aa

          SHA256

          f8108a2c04d9925ba11e622b8e40a76252e6c2d9754c5a502fac771bf2505a0c

          SHA512

          339139a8f7c81479dc84b34bd519eac9e0f9bd76b717584aa1df35cd554f2f7a28eeca68aaac969dee48081d83116b0bbe3cbcffe888897cc1ed23287a12c92e

        • /data/data/com.dada.syn/databases/MsgLogStore.db-journal

          Filesize

          512B

          MD5

          9bb2fd0fc8715b0dbab187516954f82a

          SHA1

          1251582775a47c93e5e1e3ddb198b77f1acbbf7e

          SHA256

          77da1b66789578df8ee534c65f422e9a3fb46228eca4fac4b419f3668162327f

          SHA512

          290f4991dd4cf0eba2af8955d4521a77fd11dd5b76a9f0e5f60dfdd010dee2ef1fdf974db92315424d281c548c5e3547975d7f3f3359a84c6aaf527be2de0fae

        • /data/data/com.dada.syn/databases/MsgLogStore.db-wal

          Filesize

          68KB

          MD5

          3e88559492011bdc84db401ac78414f0

          SHA1

          625e958b0021f539f857b4f23c69cbb948847943

          SHA256

          5767784d99cbab15a8ffc9f2ba2792a1216f66a0efce6fe771e25d2db2a6cc3c

          SHA512

          9b4d3d3aba0fc625012088083ebc2dbdfa1340cde1b79a3cffec698accd2dbedabdce99b7fc125576c40fa48fe8f69ac280624451a25af72483450be7394d2ae

        • /data/data/com.dada.syn/files/.jglogs/.jg.ac

          Filesize

          32B

          MD5

          8ecca02eca0f8032a08aaf6736ac7595

          SHA1

          227abcc8f86104bb4bdf004de6180382837a6c5f

          SHA256

          c5c18797bc6aff2f83278e067a3a37c05dfe681e82961b949eb2e88bcb61df34

          SHA512

          7c7d75a684c86471a270d51f54d4b50155da6dc74e815394bae6601816dba0563457ea69932d03209b8a75ddb50cbb879c4f6738251a71a0edaaf820cfa517b9

        • /data/data/com.dada.syn/files/.jglogs/.jg.ic

          Filesize

          32B

          MD5

          11e95665c13c5dd65af52e4eeeca28aa

          SHA1

          a9f9f3775d35a77b1f9a73c7c4068166f48279ef

          SHA256

          0af0e02aacac44b0b0afa7f34df74bc1752b06e98acc4fb149bbd8a21d99c04c

          SHA512

          665159275cd39b104e77b54cc4b6be4a782fa91ab693bf9086fb619e446fb46d4269f8afe5104a97d90aa16be1eecab4055d51d84b1b93419333fed574078e6e

        • /data/data/com.dada.syn/files/.jglogs/.jg.rd

          Filesize

          73B

          MD5

          a6d25161c4c7fa07c5776d3f78afecc8

          SHA1

          bc7be30764295be3c5973fa4a48fd1934ea14e05

          SHA256

          ed7bae0ab6d9168d492f06f65d4ed6f4921cb7c835d0ac5861373b79fd549b15

          SHA512

          a601f780547417ed0dffe612458d35114af6ef2597a986aa61b230627d1accb7f16dd2c791e77f4be102bb6df1090fbda672072b1321776751c6b613be5519f9

        • /data/data/com.dada.syn/files/.jglogs/.jg.ri

          Filesize

          307B

          MD5

          44f0b226a79c5d7944cc0909d4dda035

          SHA1

          3da2c09bf6ca248a5c157c422dc73fb7e8bf1df7

          SHA256

          a5f568321c343635bae0725640ad4b3f59244f37958e6d8f37a286ec0c68fd8b

          SHA512

          c0be6c91ab663ff99f3405968b7e941931faaa5c6f9a1c65d016690ee1e40c541bcabc1b1bda2b5143f03c08946a16b64bee19088f2115f6c9601d73a6f2cd85

        • /data/data/com.dada.syn/files/.jglogs/.jg.ri

          Filesize

          307B

          MD5

          6c3a367f978c65496af315340d15cb05

          SHA1

          0b0d25adfacd34ac3b4d44cf07b2a556b431d526

          SHA256

          ba214d7de6191ebb136e61434bb5e7fdcc9009e362745b7a58129c2588e370f5

          SHA512

          830eb7402936e013292ddf12dcb34dd080f328b17fa85844cb30303dd2ae075f71e4ee87cb746c08254cc70c4edbe8980445769732f20a23ae84e2416ac2efcc

        • /data/data/com.dada.syn/files/.jglogs/.jg.store.report_pid

          Filesize

          32B

          MD5

          51982a65863cc095368f242f7c75043d

          SHA1

          5e29109513c55faf5fa1a64f2331642048c4b380

          SHA256

          4c73877910e868879f5d52d1f7a49c3568241e0d3472ebe7ef874ea2d069f41b

          SHA512

          dc6424d4bad5b706d55170ba819ddacc2d7f9a03eff7e3b3a0fadc5bbe27613acd1ddca1f00085bbc74b2d1ba36474d937f4887a4e65f1a00c5fe9289e0c06d9

        • /data/data/com.dada.syn/files/.jiagu.lock

          Filesize

          27B

          MD5

          6e882efb9933ce4e049ef04929c839a7

          SHA1

          791a6a3b0f1433a912a120384374ba0749d38377

          SHA256

          68ee430927c60d5818f1dd52e615e16c3dfcec7edddc738773f95ace3b98a9c8

          SHA512

          beebc790b543b5170c3dc1812acedacd83feea9bc5137945e76884283d659247b3280f9adbb2d1224174e559050f75c72361218e1c8b6905f8739140bd45d470