Analysis
Max time kernel: 179s
Max time network: 189s
Platform: android_x86
Resource: android-x86-arm-20240514-en
Resource tags: android, arch:arm, arch:x86, image:android-x86-arm-20240514-en, locale:en-us, os:android-9-x86, system
Submitted: 17/05/2024, 16:59

Static task: static1
Behavioral task: behavioral1
  Sample: 50869954220676386f8c1c4c3f3cbab3_JaffaCakes118.apk
  Resource: android-x86-arm-20240514-en
Behavioral task: behavioral2
  Sample: 50869954220676386f8c1c4c3f3cbab3_JaffaCakes118.apk
  Resource: android-x64-20240514-en
General
Target: 50869954220676386f8c1c4c3f3cbab3_JaffaCakes118.apk
Size: 29.2MB
MD5: 50869954220676386f8c1c4c3f3cbab3
SHA1: 3e528e33f4b4c5b9bc7a402ffb2d0f9644f0d822
SHA256: 226a2cf7eeb8a18f679611cd3163e27429b1dbafc8592bbbb83af06760f361e8
SHA512: 5eb51e1f4133904d9e772cff3a3203bec725d27707c6e5a8120cdf399aebbbcf1eff74455e164abcf0dcb59825b6c9a10d09d0e9f247a7e25bb62a586c8218d9
SSDEEP: 786432:QBY1V7jQYXA55/SsegDwtpKYRw34ElTS7gfKGdmy:H1V7jNXEo1ppwxJS7GKG4y
Malware Config
Signatures

Checks if the Android device is rooted. (1 TTP, 2 IoCs)
  IoC | Process
  /sbin/su | edu.com.gaiwen.firstchoice
  /system/app/Superuser.apk | edu.com.gaiwen.firstchoice

Requests cell location (2 TTPs, 1 IoC)
  Uses Android APIs to get the current cell location.
  Description | IoC | Process
  Framework service call | com.android.internal.telephony.ITelephony.getCellLocation | edu.com.gaiwen.firstchoice

Checks CPU information (2 TTPs, 1 IoC)
  Checks CPU information that indicates whether the system is an emulator.
  Description | IoC | Process
  File opened for read | /proc/cpuinfo | edu.com.gaiwen.firstchoice

Checks known Qemu files. (1 TTP, 3 IoCs)
  Checks for known Qemu files that exist on Android virtual device images.
  IoC | Process
  /system/lib/libc_malloc_debug_qemu.so | edu.com.gaiwen.firstchoice
  /sys/qemu_trace | edu.com.gaiwen.firstchoice
  /system/bin/qemu-props | edu.com.gaiwen.firstchoice

Checks known Qemu pipes. (1 TTP, 2 IoCs)
  Checks for known pipes used by the Android emulator to communicate with the host.
  IoC | Process
  /dev/socket/qemud | edu.com.gaiwen.firstchoice
  /dev/qemu_pipe | edu.com.gaiwen.firstchoice

Queries information about running processes on the device (1 TTP, 2 IoCs)
  Application may abuse the framework's APIs to collect information about running processes on the device.
  Description | IoC | Process
  Framework service call | android.app.IActivityManager.getRunningAppProcesses | edu.com.gaiwen.firstchoice
  Framework service call | android.app.IActivityManager.getRunningAppProcesses | edu.com.gaiwen.firstchoice:mult

Queries information about the current Wi-Fi connection (1 TTP, 1 IoC)
  Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
  Description | IoC | Process
  Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | edu.com.gaiwen.firstchoice

Queries information about the current nearby Wi-Fi networks (1 TTP, 1 IoC)
  Application may abuse the framework's APIs to collect information about the current nearby Wi-Fi networks.
  Description | IoC | Process
  Framework service call | android.net.wifi.IWifiManager.getScanResults | edu.com.gaiwen.firstchoice

Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTP, 2 IoCs)
  Description | IoC | Process
  Framework service call | android.app.IActivityManager.registerReceiver | edu.com.gaiwen.firstchoice
  Framework service call | android.app.IActivityManager.registerReceiver | edu.com.gaiwen.firstchoice:mult

Checks if the internet connection is available (1 TTP, 2 IoCs)
  Description | IoC | Process
  Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | edu.com.gaiwen.firstchoice
  Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | edu.com.gaiwen.firstchoice:mult

Queries the unique device ID (IMEI, MEID, IMSI) (1 TTP)
  (no IoCs listed)

Listens for changes in the sensor environment (might be used to detect emulation) (1 TTP, 1 IoC)
  Description | IoC | Process
  Framework API call | android.hardware.SensorManager.registerListener | edu.com.gaiwen.firstchoice

Uses Crypto APIs (might try to encrypt user data) (1 TTP, 2 IoCs)
  Description | IoC | Process
  Framework API call | javax.crypto.Cipher.doFinal | edu.com.gaiwen.firstchoice:mult
  Framework API call | javax.crypto.Cipher.doFinal | edu.com.gaiwen.firstchoice
Processes

edu.com.gaiwen.firstchoice (PID 4257)
  - Checks if the Android device is rooted.
  - Requests cell location
  - Checks CPU information
  - Checks known Qemu files.
  - Checks known Qemu pipes.
  - Queries information about running processes on the device
  - Queries information about the current Wi-Fi connection
  - Queries information about the current nearby Wi-Fi networks
  - Registers a broadcast receiver at runtime (usually for listening for system events)
  - Checks if the internet connection is available
  - Listens for changes in the sensor environment (might be used to detect emulation)
  - Uses Crypto APIs (might try to encrypt user data)
  Child process:
    /system/bin/cat /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_min_freq (PID 4432)

edu.com.gaiwen.firstchoice:mult (PID 4336)
  - Queries information about running processes on the device
  - Registers a broadcast receiver at runtime (usually for listening for system events)
  - Checks if the internet connection is available
  - Uses Crypto APIs (might try to encrypt user data)
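The signatures and process tree above are the raw material of an emulator/root-awareness triage: the sample probes the su binary and Superuser.apk, the Qemu device nodes and libraries, /proc/cpuinfo, and (via a spawned cat) the cpufreq sysfs entry, and registers a sensor listener. The script below is an added example, not part of the sandbox or of the analysed APK: it takes a list of (kind, value, process) events in the shape of the IoC rows above, classifies them into environment-check categories, and returns a verdict. The category names, the regexes, the two-category threshold and the one benign app-data path in the sample are this example's own assumptions.

```python
"""Classify sandbox IoCs (file opens, shell-outs, Binder calls) into the
environment-check categories an Android app uses to spot emulators and
rooted devices.  Added example; category names and thresholds are this
script's own, not the sandbox's."""
import re
from collections import defaultdict

# Artifacts that distinguish a rooted phone or an emulator from a stock device.
# Order matters: the first matching category wins, so the pipe patterns sit
# before the generic "qemu" file pattern that would otherwise swallow them.
FILE_CHECKS = [
    ("qemu_pipe", re.compile(r"^/dev/(qemu_pipe|socket/qemud)$")),
    ("qemu_file", re.compile(r"qemu", re.IGNORECASE)),
    ("cpu_info", re.compile(r"^/(proc/cpuinfo|sys/devices/system/cpu/)")),
    ("root", re.compile(r"^/(sbin|system/bin|system/xbin|vendor/bin)/su$")),
    ("root", re.compile(r"^/system/app/Superuser\.apk$")),
]

# Framework calls from the report that fingerprint the environment.
API_CHECKS = {
    "android.hardware.SensorManager.registerListener": "sensor_probe",
    "com.android.internal.telephony.ITelephony.getCellLocation": "location_probe",
    "android.net.wifi.IWifiManager.getConnectionInfo": "network_fingerprint",
    "android.net.wifi.IWifiManager.getScanResults": "network_fingerprint",
    "android.app.IActivityManager.getRunningAppProcesses": "process_enum",
}

# Categories that only make sense as emulator detection; two or more distinct
# ones is this script's (assumed) threshold for calling a sample sandbox-aware.
EMULATOR_CATEGORIES = {"qemu_pipe", "qemu_file", "cpu_info", "sensor_probe"}


def classify_path(path):
    """Return the check category for one file path, or None if it is benign."""
    for category, pattern in FILE_CHECKS:
        if pattern.search(path):
            return category
    return None


def classify_events(events):
    """events: iterable of (kind, value, process) with kind in {file, exec, api}.
    Returns {category: sorted list of (value, process)}."""
    hits = defaultdict(set)
    for kind, value, process in events:
        if kind == "api":
            category = API_CHECKS.get(value)
        elif kind == "exec":
            # A shell-out such as "cat /sys/.../cpuinfo_min_freq" reads the
            # same artifact as a direct open, so classify its argument paths.
            category = next(
                (c for c in map(classify_path, value.split()[1:]) if c), None)
        else:
            category = classify_path(value)
        if category:
            hits[category].add((value, process))
    return {c: sorted(v) for c, v in hits.items()}


def verdict(hits):
    """Summarise which emulator checks fired and whether a root check ran."""
    emulator_checks = sorted(c for c in hits if c in EMULATOR_CATEGORIES)
    return {
        "emulator_checks": emulator_checks,
        "root_check": "root" in hits,
        "sandbox_aware": len(emulator_checks) >= 2,
    }


# Constructed from the IoC rows of the report above, plus one made-up benign
# app-data path to show that ordinary file access is not flagged.
SAMPLE_EVENTS = [
    ("file", "/sbin/su", "edu.com.gaiwen.firstchoice"),
    ("file", "/system/app/Superuser.apk", "edu.com.gaiwen.firstchoice"),
    ("file", "/proc/cpuinfo", "edu.com.gaiwen.firstchoice"),
    ("file", "/system/lib/libc_malloc_debug_qemu.so", "edu.com.gaiwen.firstchoice"),
    ("file", "/sys/qemu_trace", "edu.com.gaiwen.firstchoice"),
    ("file", "/system/bin/qemu-props", "edu.com.gaiwen.firstchoice"),
    ("file", "/dev/socket/qemud", "edu.com.gaiwen.firstchoice"),
    ("file", "/dev/qemu_pipe", "edu.com.gaiwen.firstchoice"),
    ("exec", "/system/bin/cat /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_min_freq",
     "edu.com.gaiwen.firstchoice"),
    ("api", "android.hardware.SensorManager.registerListener", "edu.com.gaiwen.firstchoice"),
    ("api", "com.android.internal.telephony.ITelephony.getCellLocation", "edu.com.gaiwen.firstchoice"),
    ("api", "android.app.IActivityManager.getRunningAppProcesses", "edu.com.gaiwen.firstchoice:mult"),
    ("file", "/data/data/edu.com.gaiwen.firstchoice/files/example_cache", "edu.com.gaiwen.firstchoice"),
]

if __name__ == "__main__":
    hits = classify_events(SAMPLE_EVENTS)
    for category, rows in sorted(hits.items()):
        print(category)
        for value, process in rows:
            print(f"  {value}  [{process}]")
    print(verdict(hits))
```

Feed it the file/exec/api events from any run (strace, a Frida hook on java.io.File.exists, or the sandbox's own IoC export) to get the same per-category breakdown; a sample that hits several emulator categories before doing anything else is a candidate for re-detonation on a physical device or with the Qemu artifacts hidden.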
Network
MITRE ATT&CK Mobile v15
Defense Evasion
  Execution Guardrails (1)
    Geofencing (1)
  Hide Artifacts (1)
    User Evasion (1)
  Virtualization/Sandbox Evasion (3)
    System Checks (3)
Downloads

- Filesize: 239B
  MD5: de5c4f775b1afbd032afcfb052b66055
  SHA1: 14f36fe3d2bb891aa7af5acce20b8e3e65e079a7
  SHA256: ddb9dd13d928638e9ffda21335471201d637e2a327fbc43f2745c5db3442b2b4
  SHA512: ae7766818af60b41aa2c6126413c6baa936844f55c98b43e87325212867f211f5f2e3c64a74d70e6582b13c286b02358382ef8fd4b6cc968dd241229d5a39ed7

- Filesize: 234B
  MD5: d21ec1a6182985c06b508576f645b1f2
  SHA1: e054566e56e32cb2c97bf9514d407f1fa1e30729
  SHA256: c15ff4344adf9eb984b78fd388d6ca655b76ab5ae656a5a8e6b9e180a8186633
  SHA512: 21b70576613d99eda0201d70ab1e49cc114a61cd8320f2e1e7360345b9c40e277572e4d4d4ef621d5ec1a5db2f534c414fe38bff8c1e1f2a7974f8b48cd2d483

- Filesize: 239B
  MD5: 352edda888b3fd1ff5fe530ca9d508b6
  SHA1: 92b197dbbb93ee5a8301c8286ab292e0cce62ed0
  SHA256: bc3c494b0a2059324e33acf992f2f33db44f875e30a253b20a9a6828889f2458
  SHA512: 5cda4a06a659a6898c8ddbf6067e4bc7c33c5490c92209f7e91e8670529f15f511df22e37fdf6bc0f6705fec3eb7b9a62d3286365f6b66dd115edab34726a7ad

- Filesize: 58B
  MD5: 0d210bfb2a0e1f1b4c082a6a0f79de07
  SHA1: bb8ed9e364db79d1d9f2fcde3f15091893222faa
  SHA256: 988722c23d78a46021d0e7ca9deee7aa8bb83288269174ffacb7316f381cca1d
  SHA512: 536e9867b0df29b15b789f8949be6ab37fcdeccb9d39ded981da7dc2052c9533d0ec0e6f9a5444132977605d372e1463d91bdde41b528ff2ca3f65ab152325c1

- Filesize: 4KB
  MD5: f2b4b0190b9f384ca885f0c8c9b14700
  SHA1: 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
  SHA256: 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
  SHA512: ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

- Filesize: 512B
  MD5: 444c76902147c45ce364bf2ff641dc7b
  SHA1: 26d9df1e54950a6b70d12ddbc47af82973fa0f5b
  SHA256: 15607f938e41f97c76e349685010b4a071baed305a02a2574dd2a4f505f054f9
  SHA512: 0bf6c3204ad5b200c299ab0b6d603490c459bba187208a03421d87f5d5956cc059ba115ef54356e75f25b9344e314a4b24261769e5ee478ade2fa154b8b3610a

- Filesize: 32KB
  MD5: bb7df04e1b0a2570657527a7e108ae23
  SHA1: 5188431849b4613152fd7bdba6a3ff0a4fd6424b
  SHA256: c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
  SHA512: 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

- Filesize: 76KB
  MD5: feb226723d3ce4477362a57a05bb85a3
  SHA1: 6123618a8adc4208afd3768ffbf0cb96927e725d
  SHA256: 8b4449715f2888822c83007db0836ebaa072d071799a7e40f30334c5ee998eed
  SHA512: ed81f145b93eafef839ab7b99afa056aa2bf31bff32c41c38899856681f5d7b9d0e51d57d875bf44ee6863cec472a830b189381c5a35d2f67e8aab288f6757d0

- Filesize: 80KB
  MD5: b68b3f7d22f2ea76ec21a4d6f050435f
  SHA1: d5d155b9097abfd31bd6e05ea34a7c5457dc5629
  SHA256: 7d0e50cbe64397eec9c3e1ea8b766517b081a543f7af0c623b7c11ef8e576b68
  SHA512: 07a976c1253679d331b7f8baf6f4e88eab3fd59c45dbe98bf6ead99e429afb845703eb8c0354cf676d436f72e3c1673b6f40f82d40ef3c5d5c2d8922a726d536

- Filesize: 36KB
  MD5: 0adda9c85a5e4808f5b1b74c0a8591a5
  SHA1: 5048107883ab1e345af9cf2e6849ce46e0e612bf
  SHA256: 1e17860bba2bb4e3e92df3890aa6dddc973d6602c71519a15556d37bb69de2a1
  SHA512: 646061d3d5849772511bd94e36ca2d775a9a672851629d1812942ec0f0f925714eb7d4ebac44889911320cb6710a2f586014f6b1e126739cab653c4f8deef2d1

- Filesize: 24KB
  MD5: f21d81348d6ed054e3ab973694cb1e2d
  SHA1: 2757d52b19b609afa257427b13e231ea879aa7fb
  SHA256: 6f80c2c624c6a7ef87b1b428d4a1ddd02e1f7f3bfdc894829a71ea098b6f27f3
  SHA512: 1ac8132695f4fcf203fd11b5bf8264e09b2bb5b891897e72aafd43fe19d6a39c0de5a1475dd6519020679aebd25bb76ecb51835bf649205d69c1741b3f33fdf2

- Filesize: 512B
  MD5: 38aa85db32c901d20752147ca88f3906
  SHA1: e67638cb21e56d98f957a951600d400bb91835a3
  SHA256: cedb8b4b4f45facf5adaef00b37783727bb914bfa54c9a1c04023cfa47509e2d
  SHA512: 7c7be79ad31d5b833a523a4c6618f922108c56299447cf62ccfaffb9bfe0ffe8b85a1b790a90891447b304448532db33fe71735c07236001dd6c87bbd11c0ee9

- Filesize: 48KB
  MD5: ffb58e06802a793d913580ad163ff546
  SHA1: ceb1def550ced986d422dfeed7388df3998ae70c
  SHA256: 2f3c93c5e082981dc8708d9f3a3020dd5d2dc311a71c3c69edbf47a452776b91
  SHA512: c32f059d0ada065e1d3640009568abe5630398d30a333c1d05bf924c329494bad26ad4bd818581624a5d3b764da0d018339012af9080ce87075cdb012f70d205

- Filesize: 12KB
  MD5: 332306b1abf8d15cb30311acbfd9fa7e
  SHA1: 338963babffebf5a8af88d6fc179fb503b354162
  SHA256: 5279e8abdfc05ab4da15e45aa5280216fdfc8147cf082057a1353c2ba09e9d57
  SHA512: d5ca3651e77f5fa3f6ce01a3ba296bf1cf77ad7f24e86b36342fc744f6303e61229ce0ba87c83a5c61003abab2aa95f3fc7c00dffb8a4887e617e4cbaf602d65

- Filesize: 1KB
  MD5: a369533bcac3f500c4c0bd5919abb7e5
  SHA1: 0e23583797548d37e02ba6850943201a47dbff9e
  SHA256: 686b0dddde4308fa032010ea6bb0f5ec3ec9cc99efffdb5e8befd576abedda84
  SHA512: 75eb01ce6a2568a74c791a3a6b127bb7299a9897126fc8651d45aaf204dff66caf83e64572016476aa2c0897b5cf64feed0e79a1ddc70c337bd282ee99236281

- Filesize: 2KB
  MD5: 3cfc0e23a904184fe380574011560108
  SHA1: d1ff8b4519d246a8ae7f0d808588ff061239e555
  SHA256: 7c1e49ff30bc5f120037f994053c441367730e3f960b673b026e70591e5e8d85
  SHA512: fd0acd738d36adfa0be25a0ee16dc1f7d20dff5dd991dd948f02d0f3aebaa743e77826bd98c3536d60612fb258caa1e18186a92e1c5b7a48266348e25022d16f

- Filesize: 162B
  MD5: 64e8cf1e8e26bee21a1dbede1c930503
  SHA1: e82751c63af705c2093075a86d56d0a2a73afeb6
  SHA256: 2061a8bc90d3088750631838fba6d33e0a07da883fde4376a7eea7b8a9ea6a44
  SHA512: c57a8c5dc49e0f0acdc457256b99884643909c3b4059c6f80634964be3d3a59e5084b3f2ab1a15cdb0c73304ed49a57055e8acf5631b40eee2679d88dd21bc3a

- Filesize: 61B
  MD5: 39c0d6badd84caf21a91d0f58ec7158c
  SHA1: af0233f6cd7ceece3a12cbf618fa11e35b7b4c1f
  SHA256: ac7c3770a289c34a0fa9a788f62f860a3fcafa92492a1b7a795cf275cd32bab7
  SHA512: 4d193c58d0ec7dc7afef10cbe7be72795e86145617da31b7889300640ea711ed38d8c7afd5b35d1a920d0fe719f61dea6352357141a5dd5f8ccec3a169dcc986

- /data/data/edu.com.gaiwen.firstchoice/files/jpush_stat_history/normal/nowrap/e8c944ce-6908-4994-b0b5-09e46995585e
  Filesize: 159B
  MD5: 8c383fce5875b2d4208939c0474a06ab
  SHA1: a100810a90177ec4189e81b1ec86c48b5562f75b
  SHA256: f181a1756d64df8f66a14c2f515836079e60208941bcd507c82d5fc8639a7335
  SHA512: 46404e082b80d6d3817095f432a52e5eb520f7c0be50bae836a38d44e7228726e66d8d8f6ada95fdaef30828456768c2aad48b0ba6ac281a9154b74c0f992fa8

- /data/data/edu.com.gaiwen.firstchoice/files/stateless/dW1weF9pbnRlcm5hbA==/dW1weF9pbnRlcm5hbF8xNzE1OTY1MjEwOTYx
  Filesize: 1KB
  MD5: 6ef805ad86b90b8303e8d29bca339e6d
  SHA1: c2d6c98e230e5e28e53015f436fe8d29dd559f13
  SHA256: 37db3606f4758039fc0855c1334459df1768141887418aec59538080d38bec27
  SHA512: 1b984359edc5e77c2c2e8bef5457421c50c13652ff2817fc748bab3de32f57f196be09e9c0f4b38e431e935b44170299be0800e5e7c9308655351a43f65402bb

- /data/data/edu.com.gaiwen.firstchoice/files/stateless/dW1weF9pbnRlcm5hbA==/dW1weF9pbnRlcm5hbF8xNzE1OTY1MjQxMjI2
  Filesize: 1KB
  MD5: b2121bd726930968cb171152053e1919
  SHA1: ae7ab059333b937ff8fb4b82c8804e48adf842a7
  SHA256: f502abdef5b7612969a870f0d59aac4745c8b6be736d640eaf0f393206625030
  SHA512: 1735139414c55d5a810faaf064f955ce38a065c5caaadde3436bf8ac617844186895589752b6dee419a5bfb844ad8065555eb3ae4561f15a1c92e7e1b21b09e6

- Filesize: 498B
  MD5: e990759363d4717d9bb72dc67106a62a
  SHA1: e64f59ffe35614f59e669b2538028713b09593ea
  SHA256: bedb51b2129adca6cea11cebd5e184e1f1c78b01ac11024b3af2fb88e6f5c273
  SHA512: 6e43d3f7c4d67b4c643e0eb69f286958f963398a9a7b359a33bf9ed19f1e13935a59c4a7e9b60060f33e477ab25a8dc26cc01be3f2b9fb63c2a5d168346ad2b7

- Filesize: 111B
  MD5: f5f2740f5a20d45cc46d9abbd1d3f867
  SHA1: 02eb0161b0557c1b5eea7458f3ade1adf4467733
  SHA256: b70fb4cb3953b0cddd01d81eb6030189f2c6ea534ad8706f2d090b79f3269efd
  SHA512: 2dc02951290281ce44696b4845fee404b2e62387162c5b9f68d36e9976236b30bf1551dfa91f446cc8493bcd12a21d444db7548c68d4f68acb744c05dee78cf7

- Filesize: 213B
  MD5: 045f337477751b0280d1abcb25a5c918
  SHA1: 5c82db2ec805ab33827a13d1225a739188651243
  SHA256: 9df032fd71ac65ff689a8604abb19bfbf8f000f3b59a77bf218dbeae7329c167
  SHA512: 1ca8e05849ff855dd800ddec84a0278a060c8bbf64e2aabd5ef873927b21312f8925ca8f098db3604e33e12abef9c16bc727462dcccf43f9f20558b0e8df2856

- Filesize: 65B
  MD5: 9781ca003f10f8d0c9c1945b63fdca7f
  SHA1: 4156cf5dc8d71dbab734d25e5e1598b37a5456f4
  SHA256: 3325d2a819fdd8062c2cdc48a09b995c9b012915bcdf88b1cf9742a7f057c793
  SHA512: 25a9877e274e0e9df29811825bd4f680fa0bf0ae6219527e4f1dcd17d0995d28b2926192d961a06ee5bef2eed73b3f38ec4ffdd0a1cda7ff2a10dc5711ffdf03

- Filesize: 202B
  MD5: cd3416d50a26eb526d6ea7853ca1ab82
  SHA1: 7f9fc603c3b9842bfdc33e108baef9a756c12388
  SHA256: 1f9fd588b2c195bf99b49574f2c8e1a277b9f522f6e99968b4bf47e17c2412ad
  SHA512: fea43a7ee46cc9e6d88ca5827bf07057fb60609e98bbaf8a31acc72e653d0114c771ba4ea0da10247f9ffadbf3831c12dab66b4459b9f722ce0cd18bd1a507a0

- Filesize: 167B
  MD5: 6c6b732e7a9c0f8d681b3719b6820f1c
  SHA1: 035a601c58ad2b81d5e28a1aaffa0018797c5048
  SHA256: 8a72994f068b2ece1b89b12fe203a8189aa864cf69e3e7c7cb07a6a528417f6b
  SHA512: 8ddd3135ad33955f358a19554f8fc8a66ce2f02dcb426fd1cd4c9ec51f20b1a01740f130ea9bad7a930f33b322b74c7cbf1018ef7e895477329eb6aefb63e108

- Filesize: 32B
  MD5: 86dabf46d7989e243b92a3a3f215389c
  SHA1: fa61c31799e5f2d33fe17e6bcf8004976ac02b94
  SHA256: 7f01ba347441f9e35b60d303f7f3f47c8ed76cfcba7307972e913eabb91a3449
  SHA512: 154bcff2db5ec4ba77fcd5fa2df651706ab6cddb46af498db3f2aa7f8dcb315f0844e61c3165b3f7e3ff20eca6830c26ce808957253949e99e071f6f7f27a727