Analysis

  • max time kernel
    167s
  • max time network
    182s
  • platform
    android_x86
  • resource
    android-x86-arm-20240514-en
  • resource tags
    android, arch:arm, arch:x86, image:android-x86-arm-20240514-en, locale:en-us, os:android-9-x86, system
  • submitted
    17/05/2024, 15:43

General

  • Target

    503cebbbec920e1e7c2b6b9629963fe8_JaffaCakes118.apk

  • Size

    19.7MB

  • MD5

    503cebbbec920e1e7c2b6b9629963fe8

  • SHA1

    4cf2990698331351c1fdf52878fea7ca7128d663

  • SHA256

    52f42759b12eadd13a2c13e3b3746a1faed3c8a5eb1cd5079e3bc4fc37dfd7e4

  • SHA512

    fefac369e49a3c15d305b78b14fed2a02a113aebffc8e71113cbf164b478d7750d79fb2cc3810036d8988189e88f87dc9c1b34f87550aad44745f26698362f35

  • SSDEEP

    393216:VnWRr+NQRdQJiNvwvw8F5LWZhMvwvwDyCzQaG7gxCKVSWxhpxn0JkgaOi7Q:VorSM+iNvwvw8F5LchMvwvw2CzQaPFD6

Malware Config

Signatures

  • Checks if the Android device is rooted. 1 TTPs 4 IoCs
  • Requests cell location 2 TTPs 2 IoCs

    Uses Android APIs to get the current cell location.

  • Checks CPU information 2 TTPs 1 IoCs

    Checks CPU information which indicates whether the system is an emulator.

  • Checks memory information 2 TTPs 1 IoCs

    Checks memory information which indicates whether the system is an emulator.

  • Loads dropped Dex/Jar 1 TTPs 5 IoCs

    Runs executable file dropped to the device during analysis.

  • Queries information about running processes on the device 1 TTPs 2 IoCs

    Application may abuse the framework's APIs to collect information about running processes on the device.

  • Queries information about the current Wi-Fi connection 1 TTPs 2 IoCs

    Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

  • Queries information about the current nearby Wi-Fi networks 1 TTPs 2 IoCs

    Application may abuse the framework's APIs to collect information about the current nearby Wi-Fi networks.

  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 2 IoCs
  • Checks if the internet connection is available 1 TTPs 2 IoCs
  • Reads information about phone network operator. 1 TTPs
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

Processes

  • com.jingdong.pdj:guard
    1⤵
    • Requests cell location
    • Loads dropped Dex/Jar
    • Queries information about running processes on the device
    • Queries information about the current Wi-Fi connection
    • Queries information about the current nearby Wi-Fi networks
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Checks if the internet connection is available
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4323
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.jingdong.pdj/files/hotfix/rocoo_0.dex --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/com.jingdong.pdj/files/hotfix/oat/x86/rocoo_0.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4351
  • com.jingdong.pdj
    1⤵
    • Checks if the Android device is rooted.
    • Requests cell location
    • Checks CPU information
    • Checks memory information
    • Loads dropped Dex/Jar
    • Queries information about running processes on the device
    • Queries information about the current Wi-Fi connection
    • Queries information about the current nearby Wi-Fi networks
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Checks if the internet connection is available
    PID:4474
    • /system/bin/sh -c getprop ro.board.platform
      2⤵
      PID:4505
    • getprop ro.board.platform
      2⤵
      PID:4505
    • rm -rf /storage/emulated/0/log/
      2⤵
      PID:4535
    • /system/bin/sh -c type su
      2⤵
      • Checks if the Android device is rooted.
      PID:4564
    • /system/bin/sh -c getprop ro.miui.ui.version.name
      2⤵
      PID:4593
    • getprop ro.miui.ui.version.name
      2⤵
      PID:4593
    • /system/bin/cat /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq
      2⤵
      PID:4631
    • /system/bin/cat /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_min_freq
      2⤵
      PID:4650

Network

MITRE ATT&CK Mobile v15

Downloads

  • /data/data/com.jingdong.pdj/app_crashrecord/1004
    Filesize: 233B
    MD5: d2dbef03d0e9a5a327fadc520ba9ce97
    SHA1: dc63c610d544e769f074e0d5f3920c938763f712
    SHA256: 512777f2df858c4a56ca9b888e6741b46b0e11ef5c529686c3339f6dabf4c627
    SHA512: dca52dc718126315d96b01db7e4bc7a42b0a18a39916f47d4513fc039127ed0d9aa4e582d3f8f766849880c82d11b0c94a10dc95a8189e9bb47722e6381a6c9c

  • /data/data/com.jingdong.pdj/app_crashrecord/1004
    Filesize: 512B
    MD5: bf6144889bdb44c97395633a85f7c008
    SHA1: 0d697d00feac57d4721c3dc8d6661f108e1698c0
    SHA256: 676737178fd6ffb3c956a3611283a074920382f927706bb86bc0ef3bf4f162c3
    SHA512: cf8abf87401b580bdd8ad9710ed0f738ccfc90d19aacef1b3ea16a69278a1a628d0c1b3e5d6d46ee4e8d77f00d329bace71597d5d19c0bc3b11e958e80afb68d

  • /data/data/com.jingdong.pdj/databases/access.db
    Filesize: 4KB
    MD5: f2b4b0190b9f384ca885f0c8c9b14700
    SHA1: 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
    SHA256: 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
    SHA512: ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

  • /data/data/com.jingdong.pdj/databases/access.db-journal
    Filesize: 512B
    MD5: 2c412bab344ef622116c2742c6a61ee2
    SHA1: 03d0d0684ee1f8b43f1dc65e4e4cdd5f27c15ebe
    SHA256: e0131e3b536e044cd4f2fea92b2f09a6f6abe4170cdbb42fda4e66546d3a8112
    SHA512: 7fac2d7f9efb471f562a28837f7b345027fba240992b64ec6a1ec5f5c4baf099af70ea65afaedab5fb8d266791909031e091c9b4a2ee9d7c29532af21423ab1b

  • /data/data/com.jingdong.pdj/databases/access.db-wal
    Filesize: 76KB
    MD5: 83e3e0e0c83eb88c571eee3606248e7c
    SHA1: 7911eb54608d786cfe8e16da17631d0fac5f84bf
    SHA256: 8517b5841d259cf599a0b5804e69be4930687f870d024f5f45edc9f74d28a221
    SHA512: b1d7c1006d920bcacffcb8f334748c6349e75f76d0c40cd58d46cc4cf145c0668c6e11b289d28a6b990591c94bd07bd2c4fb4a4cfb34482e0fc1677745ed3036

  • /data/data/com.jingdong.pdj/databases/bugly_db_
    Filesize: 4KB
    MD5: aa99281ce0cd69a9302f8b64b918ad75
    SHA1: ccafc0e5fb16198e466b209a888301f4100fafe8
    SHA256: a3cde8388c50e78c7b3c8dab1d0c46c64c375248031adbb6a5802e3da65bb431
    SHA512: a8b80f09a555652d3e4b9775b6aa58341dad7fb120509e128df417533ba361353b19530306e8691f1ce5fc0c69f1a89d29bd2eb176291a5e85b945d14c9eb085

  • /data/data/com.jingdong.pdj/databases/bugly_db_-journal
    Filesize: 512B
    MD5: c8a2b36335e25a88a066b86f84529c07
    SHA1: 7cff924c4f92f7d4c908bf94ad312f0161a5d300
    SHA256: 8f215d93d96cdec8dd4a9fdda0a55a2ceed64e4b4906c2c43dd0d1e9eb57ed55
    SHA512: bf5fcc919997f82c00b1c81b6fcb66f9ec00d0faee3ec55ac94e23028d1170f5786e772e56f36c077989cf7e592dbbc6b42508c5fcf3f27970de1b20b2297963

  • /data/data/com.jingdong.pdj/databases/bugly_db_-shm
    Filesize: 32KB
    MD5: bb7df04e1b0a2570657527a7e108ae23
    SHA1: 5188431849b4613152fd7bdba6a3ff0a4fd6424b
    SHA256: c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
    SHA512: 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

  • /data/data/com.jingdong.pdj/databases/bugly_db_-wal
    Filesize: 100KB
    MD5: 3a80469fce1ed46531e697f1f12dcb99
    SHA1: 939f17b5ac15c223d775423f85d47ee560491430
    SHA256: 534a270f860702e0d6c4f4e4e4e391e1c3904ff6ecd84c4bc98bea652e305cc0
    SHA512: 7df7fe889f5921dfea27f5614a4f4dadf1ee608bafe52ab1b4b8844771443d73a8c707a7e46a04c4eb31dc6c286ae2cd15d66339fc58f46ba251f93b18ccfb09

  • /data/data/com.jingdong.pdj/databases/bugly_db_-wal
    Filesize: 84KB
    MD5: bdbc265c689eb95c51ca0b48ed9d2ae2
    SHA1: 2bad6f2769413bc0d718025b7d964e4bfcba1acd
    SHA256: 06407a9fea14a8aecfcc0cd6c645da7f5015300da271698c7f3a8669c35475a2
    SHA512: 365950a28b43ab8d5dc29dfbfc0fded500bc0cb3d04735be4527e5e206a53b0179e39d591e8e432de8501ea09b1807ec24ec6df7d2a0aaa37a3d7fdfe20bf768

  • /data/data/com.jingdong.pdj/databases/pri_tencent_analysis.db_com.jingdong.pdj-wal
    Filesize: 52KB
    MD5: 7f444ec25764c1dd552906beb7ba94c0
    SHA1: 04e9343165f267de58e355b4394e602f197ba4bd
    SHA256: 7ecaf449ea28a20ed8770e4c660afccf04e792628cea6d7079bdbf36df04a9f4
    SHA512: d9a4e6c37ec956595be832e9b59a2a255bc0fc0ec517b75519533938564db2179107b4b3ed03f4cd1dc4b85509574590ef8d268a574d565f0dd5ec63c567aa0c

  • /data/data/com.jingdong.pdj/files/hotfix/rocoo_0.dex
    Filesize: 456B
    MD5: 46744a1aca14068de6e9b1e472d2c05a
    SHA1: d874561ebfe19828cf1b46d52fc350cefd0e6f4e
    SHA256: ddef743e2ccf1f205ae953e1899b2587f2676e8ddbe18d10064b91bbc9d46e3e
    SHA512: 59c7e824f117745ec1a51981532bcc92a439dba52cd786ffeba65bdb7682c46bc688282d2219c968f28d9949eb8c0de47fcbe4843ca2ab062ba6954b21c4d9ac

  • /data/data/com.jingdong.pdj/files/versionName.txt
    Filesize: 32KB
    MD5: 5cd7df6f0da1041317520d2a213f2425
    SHA1: c616adc821d873c7967afa9792b4710ae258dd39
    SHA256: 4477667df23eb82d488f2fe19a6be089539ba770eba91cdadd7f497de5093c60
    SHA512: 89c9f1c419875b08f496372b11e73d6d5ca61d81f6b1d2585f9ab2ea579385d0b07535f05948b25b57ae98fb28625afe1dcf923557664363a2d53b739cd0049e

  • /data/data/com.jingdong.pdj/files:PatchVersionCodes
    Filesize: 16B
    MD5: d86352ca9ec4e4199aeeb584f96de13c
    SHA1: d6f9d1c2112729dacd06898b5d372c5ee6491530
    SHA256: ee4706172c9bfd2e5cab7ad96af4e270a07346a6c6db6bbc3b0d3b2b1e525271
    SHA512: 38c4c969e12f738be5d8d9e0edf88a135ed382a5f54490a55a895e141925e102f4ccb417efd21e8b7646d89ee53d49f23dc0e4cf4325ab878cba762dd805682e

  • /data/data/com.jingdong.pdj/files:channelId_2_1
    Filesize: 25B
    MD5: b6d6e45731e85d04945994d952e0ab18
    SHA1: 46055a17ce2e302a3330a2412730ac00e50069b5
    SHA256: 9425f5ec8c3f41caea0a46c9eb9b568ace5f707b6b0539b725ed87fd7576240a
    SHA512: bed70a68c8d6d001dac2d325ec6dd1703fa5a8bc9dedb058f928aefea0c46df2c64083baafb935a4ea63596c830b767f4a6bd2a07d683b0b4f3de04d51d948c8

  • /data/user/0/com.jingdong.pdj/files/hotfix/rocoo_0.dex
    Filesize: 456B
    MD5: 8ae8a68f62b0a97af7a3ebceb544091c
    SHA1: 98fa1f16b1ceb1764c284f5c36c5216360c17691
    SHA256: 3452be53d4ab744d9134a75942a29e09b3001fbbb9d19bf027563823a14593cb
    SHA512: 0090f6be8dd347ad3f8f5ddaa963b2d49f5f60685a485fab0d4dfe87c4b8793a73b2c1b91f903b95571e604f3231b7023c99fb868c3a7a1656ceb910f596e5a9