Analysis

  • max time kernel: 177s
  • max time network: 191s
  • platform: android_x64
  • resource: android-x64-20240514-en
  • resource tags: android, arch:x64, arch:x86, image:android-x64-20240514-en, locale:en-us, os:android-10-x64, system
  • submitted: 17/05/2024, 16:59

General

  • Target: 50869954220676386f8c1c4c3f3cbab3_JaffaCakes118.apk
  • Size: 29.2MB
  • MD5: 50869954220676386f8c1c4c3f3cbab3
  • SHA1: 3e528e33f4b4c5b9bc7a402ffb2d0f9644f0d822
  • SHA256: 226a2cf7eeb8a18f679611cd3163e27429b1dbafc8592bbbb83af06760f361e8
  • SHA512: 5eb51e1f4133904d9e772cff3a3203bec725d27707c6e5a8120cdf399aebbbcf1eff74455e164abcf0dcb59825b6c9a10d09d0e9f247a7e25bb62a586c8218d9
  • SSDEEP: 786432:QBY1V7jQYXA55/SsegDwtpKYRw34ElTS7gfKGdmy:H1V7jNXEo1ppwxJS7GKG4y

Malware Config

Signatures

  • Checks if the Android device is rooted. 1 TTPs 1 IoCs
  • Checks known Qemu files. 1 TTPs 3 IoCs

    Checks for known Qemu files that exist on Android virtual device images.

  • Checks known Qemu pipes. 1 TTPs 2 IoCs

    Checks for known pipes used by the Android emulator to communicate with the host.

  • Checks memory information 2 TTPs 1 IoCs

    Checks memory information that indicates whether the system is an emulator.

  • Queries information about running processes on the device 1 TTPs 2 IoCs

    Application may abuse the framework's APIs to collect information about running processes on the device.

  • Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 2 IoCs
  • Checks if the internet connection is available 1 TTPs 1 IoCs
  • Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
  • Reads information about phone network operator. 1 TTPs
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 2 IoCs

Processes

  • edu.com.gaiwen.firstchoice, PID 5133
    • Queries information about running processes on the device
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Uses Crypto APIs (Might try to encrypt user data)
  • edu.com.gaiwen.firstchoice:mult, PID 5213
    • Checks if the Android device is rooted.
    • Checks known Qemu files.
    • Checks known Qemu pipes.
    • Checks memory information
    • Queries information about running processes on the device
    • Queries information about the current Wi-Fi connection
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Checks if the internet connection is available
    • Uses Crypto APIs (Might try to encrypt user data)

Network

        MITRE ATT&CK Mobile v15

        Downloads

        • /data/data/edu.com.gaiwen.firstchoice/app_crashrecord/1002
          Filesize: 234B
          MD5: 4a80d418272573b119ba68010685b4df
          SHA1: 03f67236a7e7fd5600b402aa235c6de7a8a38e9a
          SHA256: d9c2d35c803218fbd0a5fd2a5a4e754ae6365688f8d3ed294363d442e6dd9472
          SHA512: 90a554a3f138961507b4a9e5b5ac2027b9468420cb147d0b0ca1b792b5d2f66c98c33767d62798fc69a0fb9291be3d4545738f08cd21439d81304e820ba2a82b

        • /data/data/edu.com.gaiwen.firstchoice/app_crashrecord/1004
          Filesize: 20KB
          MD5: 5278bb3b13c8a29662d828e99f13f7d9
          SHA1: 0be9fb4022f40eb10a9ebf962fee9b7c918062e1
          SHA256: b5c09770433d1555842cb0566afd25d77b475aa141198142f3ae3f01ef78b696
          SHA512: 08436578578dd9b5068451d9edb71cf6506e50fafebf3ca3fb4b4d479bf5cb5808d043295ace22a6a9e8ae6c53a88020acbc9683536ee78af9b81a483af7fbd7

        • /data/data/edu.com.gaiwen.firstchoice/app_crashrecord/1004
          Filesize: 58B
          MD5: 0d210bfb2a0e1f1b4c082a6a0f79de07
          SHA1: bb8ed9e364db79d1d9f2fcde3f15091893222faa
          SHA256: 988722c23d78a46021d0e7ca9deee7aa8bb83288269174ffacb7316f381cca1d
          SHA512: 536e9867b0df29b15b789f8949be6ab37fcdeccb9d39ded981da7dc2052c9533d0ec0e6f9a5444132977605d372e1463d91bdde41b528ff2ca3f65ab152325c1

        • /data/data/edu.com.gaiwen.firstchoice/databases/bugly_db_
          Filesize: 52KB
          MD5: b12752a898772dc098ebdcfaac0c2a99
          SHA1: ba2257291dd88ba5a9085e9171830d5393495eea
          SHA256: 2d2ba91156e4cdd6539fca592500417a3ca0fa8910b054a6f6da68259e04eeb8
          SHA512: 306b0f58260636f57ccf3f7179208b39cf5cbd33d4442cb56a16e924aaf79f346b3c8790e5d43200d9747ab207000f65b35e7de6f8fce0f824cb87804de3acc5

        • /data/data/edu.com.gaiwen.firstchoice/databases/bugly_db_-journal
          Filesize: 8KB
          MD5: b10dd56dfddc2b6ea1c9c9bf259b8067
          SHA1: 33cd65af10859b781109c5b32491d6a85e02b465
          SHA256: 883599b00ff00db94f885b15aec12d47293cdaa4b1ca94400cc7f4f5c3788b21
          SHA512: 7c6973a6feeb77c79ae266895f94e35fe2550a8e545221abb456e304b246a885d2917bd255049d679bd756a9b676e670f4d3dd9a22e6ea821f9cdac4579924ae

        • /data/data/edu.com.gaiwen.firstchoice/databases/bugly_db_-journal
          Filesize: 8KB
          MD5: 528244902c29f7e0fee2f5a202007b16
          SHA1: 543578ac04567b6b01bce4188982c5f06fa65b4a
          SHA256: 0d356c5f9bd65cbdd032eb1edd7f4daa85ca5e84ed6f9f6efe79501aaaa281d7
          SHA512: bb3e4edec16f8bc437f86b55bbdfeb421ba31cde689ff70c6249837ef845e38cda44716fcae6e3f7a0b35a3d2c8703113e53add0a6e95f5fba66ba7b3fc60f95

        • /data/data/edu.com.gaiwen.firstchoice/databases/bugly_db_-journal
          Filesize: 8KB
          MD5: 5aed7f16e1f10e3d928abf2f207dfe2c
          SHA1: 59069027c4b435aeb0d50da67e7341194fe0afb8
          SHA256: ae2ed1883ad8ee30db707747eb1a13075678d2429096c4f201916cb29ac72baf
          SHA512: 4e88c675098ca2230a3a6b28445c029cdaa146c34000106203b9277a0c61ceacaecfcddac7bfbb7c51e01bd7a6daf4d18ed9a1237109abba10532c46560e0a7f

        • /data/data/edu.com.gaiwen.firstchoice/databases/bugly_db_-journal
          Filesize: 8KB
          MD5: 6ec685440c207359cdcff7cbaf42d4c1
          SHA1: 41333d3973069c6f2de529793b86c325ec120f39
          SHA256: 1947bca65a0f176ea87be66747cd63254ac0309f828204e967e4b59c11d38ea6
          SHA512: 6353f851f5da2f4a90781969164e9a35973a16daf91aff738d4d9102f99d29e198e7fadea3a4940f86239aafcd13a0c8be4ca45c199982b0264d16de55a8571b

        • /data/data/edu.com.gaiwen.firstchoice/databases/bugly_db_-journal
          Filesize: 512B
          MD5: 8db03981a5b490f4a9c9cd3dcbe26b40
          SHA1: 59fc1cdca943e83841b5ba9c87972f59a2c5c78b
          SHA256: 2140fc8e15266baa5dc1868cd41b1fc62d7c6244b41622621fc9ead57bdbbeed
          SHA512: e634c5d604824ada98a41b98ea03971b8865f4980e726729b94a20cae431c12b5329881cf0d7ddc286833a19f5f28e749da16ce5141b8ec269a72902da4875a9

        • /data/data/edu.com.gaiwen.firstchoice/databases/bugly_db_-journal
          Filesize: 8KB
          MD5: b0ad97d4a68eaa35e89cef8eddcd2c6c
          SHA1: 27bc0cd3167d9be26ffe9845877d470282e86fab
          SHA256: 3440e12c18a8946d784c4d398c648b3827ea7b8c5234dff4f203b1fc6b7e2944
          SHA512: d6beef1812aad57517d530a29541e019ec36a5268c0e8b92131b49e8df95caf8dcb045258c2872171eabc99f89074e01fac931db52493feefd5d02ca183ee338

        • /data/data/edu.com.gaiwen.firstchoice/databases/bugly_db_-journal
          Filesize: 8KB
          MD5: 942faac141460ff6db531ffce12b94f9
          SHA1: e0bdf46a0b15c8d60e09e28a82145ac9cd93cc32
          SHA256: e7443b6e814231e291c4080cf90d36817789a9cd3b4604e9b5d2ce5babbb0ea7
          SHA512: 0c0b81348c41d822b7f5b78ae8d9c3d838fe8a126e4221e36531da701d8a20b87e34324cf9f57101799dd2d005f2c45235c880a3e4c550d2bafad1b7ace01006

        • /data/data/edu.com.gaiwen.firstchoice/files/jpush_stat_history_mult/normal/nowrap/81be14d1-d332-49f8-8e4a-694c87e3d45d
          Filesize: 187B
          MD5: baa3563ce43d8e17c63787ee0e0bfa29
          SHA1: b2ea4fb8b755a8127830e75d43eafcacf2b09488
          SHA256: 1602157b474304c098421c0c7275bbe4a003d1e1ce33a6fcc4ef29fce74d3951
          SHA512: 633c486074b7092427f50a8171048b905f2f075af6d6556641af8ff351d72e4bf777b4465c93949f9a4cf90317ded59587088ba79da7156dd9e1b8da587863ac

        • /storage/emulated/0/data/.push_deviceid
          Filesize: 32B
          MD5: 2d3ca64d64b829d081d56a47cbf5a68f
          SHA1: 5c6b0b0756dc8b9b43177bc125277721df366eab
          SHA256: 8162aa54f9ff43f35638be4dfe59cf4e788049f4e03d4f0999adf3e0429a5fcb
          SHA512: d578b4d1142be82ca6ae055824232c07185395b4b6702b0c2f470cf68d036f470db208c4370ce1f668a38f0caa1bb93fd396b77401b0f77e3c1e8d71c7d2c04f

        • /storage/emulated/0/data/.push_deviceid
          Filesize: 32B
          MD5: 9a9dd03a1a1755515b84749ff3d356ff
          SHA1: 0f3a7a681729a4f06abbae37285afac4dc5da57b
          SHA256: 2d5519facec1d0d013e6319b97150919137e01d53f6983e84479344bf5b2b91f
          SHA512: a583d2d89f51886d2d40f39fd533850cd72818d1ad776fea3de4f4fc59e6f0d02b1bea61a101d3e9e9a48495ce884550b3a5f5841ccd10d0797e29ad046abe7b