25553e71cb02639488b4ab709b6ce50601c5f64042c44c3218369d3d197f09ad

Analysis

max time kernel
177s
max time network
184s
platform
android_x86
resource
android-x86-arm-20240514-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20240514-enlocale:en-usos:android-9-x86system
submitted
15-05-2024 22:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4870b47ea45399e6f0cf43b90cb6c476_JaffaCakes118.apk
Size

18.0MB
MD5

4870b47ea45399e6f0cf43b90cb6c476
SHA1

979b8485dee91e1c1bddb82d39b324099490625d
SHA256

25553e71cb02639488b4ab709b6ce50601c5f64042c44c3218369d3d197f09ad
SHA512

444b195a8f749bfe8f58eb1f93d0755ee6496a1ed7eb48a3de6de8a21df7a069a59011d82b9e2cdf15a725f424f996d0bfd647f2a6923a3fd1f153664fc58792
SSDEEP

393216:+NKMf1mAplwBcHUcd+r2tF9Ya3g7gf/dgSRYe3uf:+NKMf0ApyqHLF9Twc2SWeK

Score

7^/10

discovery evasion impact persistence

Malware Config

Signatures

Loads dropped Dex/Jar 1 TTPs 11 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/data/com.xgbuy.xg/.jiagu/classes.dex	4326	com.xgbuy.xg
/data/data/com.xgbuy.xg/.jiagu/classes.dex!classes2.dex	4326	com.xgbuy.xg
/data/data/com.xgbuy.xg/.jiagu/classes.dex!classes3.dex	4326	com.xgbuy.xg
/data/data/com.xgbuy.xg/.jiagu/tmp.dex	4326	com.xgbuy.xg
/data/data/com.xgbuy.xg/.jiagu/tmp.dex	4357	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/data/com.xgbuy.xg/.jiagu/tmp.dex --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/data/com.xgbuy.xg/.jiagu/oat/x86/tmp.odex --compiler-filter=quicken --class-loader-context=&
/data/data/com.xgbuy.xg/.jiagu/tmp.dex	4326	com.xgbuy.xg
/data/data/com.xgbuy.xg/.jiagu/classes.dex	4443	com.xgbuy.xg:pushcore
/data/data/com.xgbuy.xg/.jiagu/classes.dex!classes2.dex	4443	com.xgbuy.xg:pushcore
/data/data/com.xgbuy.xg/.jiagu/classes.dex!classes3.dex	4443	com.xgbuy.xg:pushcore
/data/data/com.xgbuy.xg/.jiagu/tmp.dex	4443	com.xgbuy.xg:pushcore
/data/data/com.xgbuy.xg/.jiagu/tmp.dex	4443	com.xgbuy.xg:pushcore

Queries information about running processes on the device 1 TTPs 2 IoCs

Application may abuse the framework's APIs to collect information about running processes on the device.

discovery

Process Discovery

T1424

description	ioc	Process
Framework service call	android.app.IActivityManager.getRunningAppProcesses	com.xgbuy.xg
Framework service call	android.app.IActivityManager.getRunningAppProcesses	com.xgbuy.xg:pushcore

Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs

Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

discovery

System Network Connections Discovery

T1421

description	ioc	Process
Framework service call	android.net.wifi.IWifiManager.getConnectionInfo	com.xgbuy.xg

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 2 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	com.xgbuy.xg
Framework service call	android.app.IActivityManager.registerReceiver	com.xgbuy.xg:pushcore

Checks if the internet connection is available 1 TTPs 2 IoCs

discovery

System Network Connections Discovery

T1421

description	ioc	Process
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.xgbuy.xg
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.xgbuy.xg:pushcore

Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 2 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.xgbuy.xg
Framework API call	javax.crypto.Cipher.doFinal	com.xgbuy.xg:pushcore

com.xgbuy.xg
1⤵
- Loads dropped Dex/Jar
- Queries information about running processes on the device
- Queries information about the current Wi-Fi connection
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Checks if the internet connection is available
- Uses Crypto APIs (Might try to encrypt user data)
PID:4326
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/data/com.xgbuy.xg/.jiagu/tmp.dex --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/data/com.xgbuy.xg/.jiagu/oat/x86/tmp.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4357
- cat /sys/class/net/wlan0/address
  2⤵
  PID:4467

com.xgbuy.xg:pushcore
1⤵
- Loads dropped Dex/Jar
- Queries information about running processes on the device
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Checks if the internet connection is available
- Uses Crypto APIs (Might try to encrypt user data)
PID:4443
- cat /sys/class/net/wlan0/address
  2⤵
  PID:4538

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Credential Access

Discovery

Process Discovery

T1424

System Network Configuration Discovery

T1422

System Network Connections Discovery

T1421

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.xgbuy.xg/.jiagu/classes.dex

Filesize
6.6MB

MD5
af40ddebf367d3418c410ba2bbdb34a6

SHA1
9a5c0f557da523fb37d3ea9f1dad84e45b78b8ab

SHA256
fd4c1d3b24b0138f6f355235f35815ff43de7e73e5029854ac0581f6d5b4cb45

SHA512
6ca004321a8ef7f6a08b5be12833971bf017ff58c753ebe73d682abcf5633f084b9b1f5c3453432894f8ce8c9b306963b345cc0d6503450667d9ef66d3ac0ae7

Download Submit
/data/data/com.xgbuy.xg/.jiagu/classes.dex!classes2.dex

Filesize
6.5MB

MD5
56a56032a56816197231ccd2c1447841

SHA1
42b24c7723619c5bbfff5625ee1f4ff7a9afb34a

SHA256
920b1975141f98268ddde30a18db00a3c92776c8472763640b06009b90ccf039

SHA512
f47a2ee1f15a58887d5158bf141277a7d6488fcd31a9c85ca0d6706a4252433b812e8a49e956fba313393ac55333bee777394d300e136d489a484f5e883e3165

Download Submit
/data/data/com.xgbuy.xg/.jiagu/classes.dex!classes3.dex

Filesize
2.1MB

MD5
63eb01b23dce33b6abd34b5693031ca8

SHA1
870abc96ae069aa034b1b647244af5465a881ddf

SHA256
3798ad86a5974af83d89bc71f1737c1747ca4561beb07f74a214675efab02629

SHA512
eac344e6167fc50acfca60a177bccf404cd0eb595b0b3e948f88af21ac3d7c14a49d0d7162bc5ef529b9107132c8ac3d0242186ac1b0ac231acc31e8f969311a

Download Submit
/data/data/com.xgbuy.xg/.jiagu/libjiagu.so

Filesize
486KB

MD5
50750315eef281575611bc425174b939

SHA1
acaff02526d7b4c257e00002ed09af364f66a401

SHA256
c8d37512f73bef5a1c1b060676cdc6d508a8d8dd36f2438f5d6353c9b8524bef

SHA512
60584a993992a68e8d0a53be705e3a9d52fc126df26b9bdcf80d14e659f1d70bceb926e0a99a69fdf40f1c09fd61aa52c2d2c008ee5c3ef59af5922a75161ea9

Download Submit
/data/data/com.xgbuy.xg/.jiagu/tmp.dex

Filesize
284B

MD5
f1771b68f5f9b168b79ff59ae2daabe4

SHA1
0df6a835559f5c99670214a12700e7d8c28e5a42

SHA256
9f8898ce35a47aeafced99ea0d17c33e73037bb2307c7688e50819966f4ae939

SHA512
dae27d19727b89bec49398503baa6801640540355688dfabbe689c97545295c2c2d9b0f0dcd7cbc4cfbf701d0c0c3289e647a152f49ff242d1ecc741efe4145d

Download Submit
/data/data/com.xgbuy.xg/files/.jglogs/.jg.ac

Filesize
32B

MD5
1264f30db5bc978090c891fc9ba97820

SHA1
22a1664ca5bac8af36bdaf8e4098c02c7fc9c1fc

SHA256
6383110e70c2cf20a67539bbf759d99229ac2dcd214cae6a3c5de840497bab2c

SHA512
f3ec53223344ea4763479b39ae62a3dde4b83e0db05d4707c9e2c914725943063706c6c53e6fc043ee13640ac98242775c901b84ec76eb3edf11615bd0084488

Download Submit
/data/data/com.xgbuy.xg/files/.jglogs/.jg.di

Filesize
340B

MD5
fe1e1398b76be3340b17e3888b464c80

SHA1
d596e556d8a0c43a507bc3ab63c077c09640e2aa

SHA256
e1beb8d3045fb639022ab602727763b70561561e34a0fc85731328b64223c8db

SHA512
87a1790c194de3ea04acd2cc6c5535e8047ce2234acb5879a499ce53f845fa401acab54fb0491754c06d445637d217532a8009843a51effeebf9610204ab2335

Download Submit
/data/data/com.xgbuy.xg/files/.jglogs/.jg.ic

Filesize
32B

MD5
9afbf0dc0b4a4fd0a874cfec2c55461a

SHA1
a42766499eef11be1120ff87588b7f715c1b2a7f

SHA256
75c6a927b6cffe50b1a48e8aff766f5d543dec5aec8010b835ab4c4d8dd3da37

SHA512
863cdc25dd26bc2db5a80480a5d5bd16965ce02afc94f732f31c24bdcd3daaae24d41504f0eefead9a8ecc402aa2e798ce100e8a225b13b38b05aa433456185d

Download Submit
/data/data/com.xgbuy.xg/files/.jglogs/.jg.li

Filesize
100B

MD5
db54980a32f30cbde802fc34e698a349

SHA1
71b83d6f958796a119851aed6a117d0d4da5927c

SHA256
4b8e92a5df285c239bac88a55afb5dfd711985a5adfa855714cb24271a651ae2

SHA512
1e7b222c3f962dea37d21a39f9a8c1a535fc198675fb1a9725b5eb60f2246db95545b808c2016e0d77c170d3be1607b81f543ef1b0899bd4b3fcf6ca03568fa3

Download Submit
/data/data/com.xgbuy.xg/files/.jglogs/.jg.rd

Filesize
73B

MD5
7cef4bf7b995564773e94229541dfd48

SHA1
4270195392562f55dabae96238b59d535f5d35f5

SHA256
b599c40c0ae5855d3ebfb7b876a0390274d0432e41e5d58b4f347e941f2bbb1f

SHA512
74c9fdcf8183f798bfc0eaff0bf1b0950a72bce6689e2c00ecba8e98d975a4e0e872f8ea406f400de8f6941fcd56bf75820e044585ddb52df1d9b851cdedceb3

Download Submit
/data/data/com.xgbuy.xg/files/.jglogs/.jg.ri

Filesize
314B

MD5
7faa405c17b077a874b7ac18a1b67dc6

SHA1
2306e8f44b3cdb9bb25996015da113bb8d83fe79

SHA256
77cee37f8566bc5a11504be17ae6ad688d6f6b964d30c28fe11fe00e1cc808b4

SHA512
0081c34ab42d62096054a741d7b813ef42024945286069c58f8a2818057006243bf0ab607fd4962f8b80eff81bc003d0c68202311e0174df0663aa5cb06e1c9d

Download Submit
/data/data/com.xgbuy.xg/files/.jiagu.lock

Filesize
27B

MD5
e2933cef4012bac575c0f6459ca485da

SHA1
4c4eb455abfa822b4de2de776624ed9610f7d944

SHA256
b9a48c1b4f5b930c6149ce43cf939c69e8cdde2bab8ea721df91d63d56748804

SHA512
4fbfe27b6a563921ef0bbc58a03f825ba1396b7d4cf4d45a88983354c47883f9c3bf947a0850fa460c7ea3438128f0c132611a92f98bf9a6610b3ab19479cbde

Download Submit
/data/data/com.xgbuy.xg/files/Mob/mob_commons_1

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
/data/data/com.xgbuy.xg/files/jpush_stat_history_pushcore/normal/nowrap/cef7828b-8661-4869-8b7d-c7a27a910f97

Filesize
202B

MD5
6567a15e8608776831d645436edbc95f

SHA1
924c2d801f100849959580841158a9b14138ce6d

SHA256
3813c0365d1f93c73e71e561e1dd19135ddb54a230d273800ff1283bfeda6c9c

SHA512
bcb72de84aa4e20b11312718e4e41a543baa06a9b09d2df94d3150f727dc46b46e821c6364c7f8b9e11100ea9256b9d865037b5b8b1aebb933c1a2546389306b

Download Submit
/storage/emulated/0/360/.deviceId

Filesize
48B

MD5
1d8d16c4e3b19ebf18988530d9b9a757

SHA1
bc94c1cce05cd848a53271ecb9c5311e27ffebf5

SHA256
abd87140da8de3d0aa39a24a8d52bfe7b2eb28f7a3d505f205471c7e8f4964d7

SHA512
4562d1eedbc5c2dd7f25cd1c70343053fd451026403585182b142a64f17016c1bd0bf6ad51667b439b220e425640e55fbbda08517e7106376cdc220a4555da82

Download Submit
/storage/emulated/0/360/.iddata

Filesize
32B

MD5
7b801701b5b2b649a5a51f947e566fc3

SHA1
2042b7f728ed4a7ff8e909d51d76ff8daa087c43

SHA256
311ac443ec73c464fb640a740eca79f5c1d2f936ed8235fec42f1df9ef88c1b8

SHA512
8e3f09b021f502f268428bedf6af43b2aec0c06c675af9d9403c35ae22c5514dd5c7904d959e8c15df38ae20cb9dda6687c6ccbb01aed0565392d9579624221d

Download Submit
/storage/emulated/0/Mob/.slw

Filesize
66B

MD5
19402718bfb1c685a726b4e1d846ad98

SHA1
02a7e30044a67085f2f1da24e16e4ecfede65b72

SHA256
079f790e6a1934a94542559f53a89a824aafd3173d956b6019291955aeeb33d0

SHA512
25254318c22cfd301c8bcd479f45797d502b6ab5f14265dadfa3d87b4dd1942a629d3cbc2f0b600cf73b4fe910e3773432f56a0a7b4343e280e20c5a6af0320b

Download Submit
/storage/emulated/0/Mob/.slw

Filesize
66B

MD5
5376297da698294a17e3200d3d0d3b7d

SHA1
675745b8d8992ddd3e476b330891cb4a5cad8b53

SHA256
b9bb70904e233150e2037f5f682d676721526f651be7072329c44bce14f30261

SHA512
cb2f974a65173fdcd523d7d15017ad6f56eee431e4c3d3581fac31a1f7a9bdbd04272c163c1035bbd8c6e2338f6227a9f4b7edf17487d86e8ed98e2ebc2526b9

Download Submit
/storage/emulated/0/Mob/comm/.di

Filesize
112KB

MD5
bb5d704e375d1686d6c1961e5cb500b1

SHA1
72486236640e8ca2b2cd09541c47c4572e9abaf8

SHA256
7bfce7b17bcba8a0a7e6ab82c5d44dbf76a116e5b20996021e007fca8f7721a2

SHA512
c68c9850400035a94327ccafd355828d85c091bd489d13243eaf7531bad204d9762871ba68674101141f08d1406d2c9dab7887bf97e70e2ff77c94c99272a63d

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads