Analysis

  • max time kernel
    177s
  • max time network
    163s
  • platform
    android_x86
  • resource
    android-x86-arm-20240514-en
  • resource tags
    android, arch:arm, arch:x86, image:android-x86-arm-20240514-en, locale:en-us, os:android-9-x86, system
  • submitted
    18/05/2024, 07:16

General

  • Target

    538a7dd8b999182f2e3a216ba7986d53_JaffaCakes118.apk

  • Size

    21.2MB

  • MD5

    538a7dd8b999182f2e3a216ba7986d53

  • SHA1

    2ff5ad5744cfb9c23576abc405440a11e49f60ba

  • SHA256

    d67e3a7439656841d1720af95f3faf360553c3d0938cf7390280e6a3d47e3d63

  • SHA512

    5f885ab3c0387353341f8ea31113a70af159acc42e5bc7f57121a5afafbc1717be631bc2676b6ce22d2a1dde5005ec759e36f7eaf7f5756372b60ab9abbba25c

  • SSDEEP

    393216:Hce5m6AbuViFLRLamoq1V/8sQ7wXvDdsKkrq3X2Md6dYlAXFcxo9XOfVVHSeTWG/:ybDRLamoqbmOD6g3X/duQAGxok/HSeSw

Malware Config

Signatures

  • Checks CPU information (2 TTPs, 1 IoC)

    Checks CPU information that indicates whether the system is an emulator.

  • Checks memory information (2 TTPs, 1 IoC)

    Checks memory information that indicates whether the system is an emulator.

  • Loads dropped Dex/Jar (1 TTP, 6 IoCs)

    Runs an executable file dropped on the device during analysis.

  • Queries information about running processes on the device (1 TTP, 1 IoC)

    The application may abuse the framework's APIs to collect information about processes running on the device.

  • Queries information about the current Wi-Fi connection (1 TTP, 1 IoC)

    The application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

  • Queries the phone number (MSISDN for GSM devices) (1 TTP)
  • Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTP, 1 IoC)
  • Checks if the internet connection is available (1 TTP, 1 IoC)
  • Listens for changes in the sensor environment (might be used to detect emulation) (1 TTP, 1 IoC)
  • Uses Crypto APIs (might try to encrypt user data) (1 TTP, 1 IoC)

Processes

  • com.pombingsoft.clumsyman.gtx
    1⤵
    • Checks CPU information
    • Checks memory information
    • Loads dropped Dex/Jar
    • Queries information about running processes on the device
    • Queries information about the current Wi-Fi connection
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Checks if the internet connection is available
    • Listens for changes in the sensor environment (might be used to detect emulation)
    • Uses Crypto APIs (might try to encrypt user data)
    PID:4266
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/data/com.pombingsoft.clumsyman.gtx/.jiagu/tmp.dex --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/data/com.pombingsoft.clumsyman.gtx/.jiagu/oat/x86/tmp.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4304
    • cat /sys/class/net/wlan0/address
      2⤵
      PID:4422
    • sh -c ps -ef
      2⤵
      PID:4444
    • ps -ef
      2⤵
      PID:4444

Network

MITRE ATT&CK Mobile v15

Downloads

              • /data/data/com.pombingsoft.clumsyman.gtx/.jiagu/classes.dex

                Filesize

                5.8MB

                MD5

                1e38cae7edb80121ae6aa34afd61ed81

                SHA1

                f0252d2aa050345c2a238d5d633203fbc438375f

                SHA256

                a480a7d7e626b00fc85ebdada35b85f3a79fac9f66bc98bc13ddc52b19ae901a

                SHA512

                b44dfd3c38cdefbbb899358ea706979edf15725b753891b2cbac3ccca59bb11a1cf7dd875daee09f06079420fbd063d21bd06648f1e54ad4e321ce34f808942f

              • /data/data/com.pombingsoft.clumsyman.gtx/.jiagu/classes.dex!classes2.dex

                Filesize

                4.0MB

                MD5

                19f1dbbdd8c2a9e81a0dad975b2f4190

                SHA1

                01dbbf6faef8e9aeaed60c315d04516089bb58b2

                SHA256

                18da70de72e35e3bcc7af8f42f3939429d1e24b9178692a6c998a22feecd6386

                SHA512

                8ba77c29424314d53673dd39657648e388131bf4e8228cabcafd69fb00d1f1863b6b7f152660e8d04a4f4ae876f351d607999e2ae3a4f8737fcb8271a2e6f0ca

              • /data/data/com.pombingsoft.clumsyman.gtx/.jiagu/libjiagu.so

                Filesize

                475KB

                MD5

                5aea02f4e4c77fbf2e7a27f7ca9cc06b

                SHA1

                522db1748608e9173547b29b7aa82ddc3542c534

                SHA256

                5a1c513b347e2a929769e2be67552c1d591704f08f7b5590282b66cc2c7d7bd2

                SHA512

                5c979a11f5e896829db906f533756efc1cf3c5a7e35ecc9e376a0aae818f2dada013441649feac2e188bd51affbbf35156e32fdc6552e185bddbc547f3850316

              • /data/data/com.pombingsoft.clumsyman.gtx/.jiagu/tmp.dex

                Filesize

                284B

                MD5

                f1771b68f5f9b168b79ff59ae2daabe4

                SHA1

                0df6a835559f5c99670214a12700e7d8c28e5a42

                SHA256

                9f8898ce35a47aeafced99ea0d17c33e73037bb2307c7688e50819966f4ae939

                SHA512

                dae27d19727b89bec49398503baa6801640540355688dfabbe689c97545295c2c2d9b0f0dcd7cbc4cfbf701d0c0c3289e647a152f49ff242d1ecc741efe4145d

              • /data/data/com.pombingsoft.clumsyman.gtx/app_ebody/res/xmtok/37673/uuloi

                Filesize

                2.6MB

                MD5

                a4be05e15ad132090b309f396e91ff58

                SHA1

                8c8b8354188d80d9abf60f4f63883d2b92a553f2

                SHA256

                e2c35ba3e0b82ced9693b57da9c9c57a1e9914d272a8f94f9f39b40ec3451016

                SHA512

                1db29d80bdec4939d19566a9714cb400fcf7baf17b306b6b65ec92f573aa1910262cd4b51d9791af38b5951ef39bbb499a9003b9e0c528c31a2a21e45f09f341

              • /data/data/com.pombingsoft.clumsyman.gtx/databases/cc/cc.db

                Filesize

                36KB

                MD5

                5d7ea1a23af19b4340cc8d90f28297d5

                SHA1

                4cfe95b23a9e98378d69c4290af81b51fbe76aea

                SHA256

                474c4a54534ed96beacad7cc9a805a3f53ec9c0522fc7bcc59771cf500a6a0da

                SHA512

                33071f4c92da0a3df01c4a61dd165df7c7e0f4f37753cafe02d19fc876a5e7fcbb01c069c804e140ab8bfa0644a55f50fd1373646d1c439f817baa5ffbd47f7b

              • /data/data/com.pombingsoft.clumsyman.gtx/databases/cc/cc.db-journal

                Filesize

                512B

                MD5

                838312cee4983d1385bf837fc45d9d7b

                SHA1

                4e05e1bfe0be54109d5dd1d004b6edbbf03695c9

                SHA256

                adc693660c4c54f03748c73c63fbef0c3520ecfd1bf6ca5b847ea549e562f3dd

                SHA512

                818d71ce38a04426c60662ac338992372e63dd8c92f00956c371aa1a05ed688998d5bc5f1cf8a97d2354beda8602f892c37dc98c4e9522c705069a6d0299dcc6

              • /data/data/com.pombingsoft.clumsyman.gtx/databases/cc/cc.db-shm

                Filesize

                32KB

                MD5

                bb7df04e1b0a2570657527a7e108ae23

                SHA1

                5188431849b4613152fd7bdba6a3ff0a4fd6424b

                SHA256

                c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

                SHA512

                768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

              • /data/data/com.pombingsoft.clumsyman.gtx/databases/cc/cc.db-wal

                Filesize

                48KB

                MD5

                d06c547df7f0ab95b0b80b41152dc850

                SHA1

                d8579ae6e5bd03dd936df4e32e4780bb5965f46d

                SHA256

                7218c17b7a2af7779d7a4b39590435f4de5f97b1799edbc6970bfeb8debbd66a

                SHA512

                969d8506677d7456a244966052f5ac2b043cd7ed6cada326edd0fa231e134378608120b05e26e3d0ed399f4f291fd02b0fc1010ecf1d140fce41087da30f2a8c

              • /data/data/com.pombingsoft.clumsyman.gtx/files/.jglogs/.jg.ac

                Filesize

                32B

                MD5

                598c39ec5628009a581772339fc90b31

                SHA1

                9bd77127cda6a8380aef45df5293a1331a52c5a2

                SHA256

                e1960be5d6233f422aae668f890ba71b87d711781c274ca8f26e51d3d3dbff98

                SHA512

                7e0c121c26eb56137c511cd17ea8b462945a0cfecfce8231344514dad782b8df57698fc119d80eff6fbd1d9f461bf6bdec49a8a89bbe9787c687eda9926ad6f1

              • /data/data/com.pombingsoft.clumsyman.gtx/files/.jglogs/.jg.ac

                Filesize

                40B

                MD5

                1e251ba80230daa026f82280c1f9e67d

                SHA1

                216e535e7768bc945bcca4a8422583a82b463abe

                SHA256

                e727f351ef9d6e4a8049f360be3f9dacbc2c4b69f28c7ffb6e6db6a9c66342ce

                SHA512

                2e4d1212c1264f434bd207ca6bc12421b7cc7a4a4033ec9d12aed6f7e08ea69418744865857f37c3bb362c06ea34ab82166d9dda0f8e58ca6af43787750ee8be

              • /data/data/com.pombingsoft.clumsyman.gtx/files/.jglogs/.jg.ic

                Filesize

                32B

                MD5

                d681e68c04eeef10693b497b64266a68

                SHA1

                1e12fe8463fb6555f342e6d634cef27c3e287103

                SHA256

                cc8e7fe6e436fe3f015f53b601cc9dae24ada526689dc5c3f8be353edc139f98

                SHA512

                88e35222451b375a3b16505b8356425480ce82f3da86c52aa021902b02c4bddc043ca31a624093381e607104e402acaa885a8ff2f07d10f72b414d35d065841a

              • /data/data/com.pombingsoft.clumsyman.gtx/files/.jglogs/.jg.rd

                Filesize

                73B

                MD5

                d733713b9451e67ab5b42696e37cb00a

                SHA1

                4211f6293fcdb26659fd27797e236081af42ba28

                SHA256

                f53e9ccb2826358dddd7f843ddb4b0b1da7a1f442aaca273b831a58cefdc07e6

                SHA512

                d0669c5b2cd12c6ffca899d7d74956826fdef497f84fcc21c8349c95700648d24222d85ef378801a7f54e30b9cca14545cab48fdcbceeb4ac53dc13abf771227

              • /data/data/com.pombingsoft.clumsyman.gtx/files/.jglogs/.jg.ri

                Filesize

                307B

                MD5

                05a11301911ce68ff072c3fd18c04ce8

                SHA1

                74f32c54c335863493651240dd8c03ba100236ab

                SHA256

                dfbb5c079ca6e867ca362803efea9dd73c0a0146a7876c5fe588ffdba0168b21

                SHA512

                55b417fdc37cc765224ea695390d7e9e8e5bbacbea4e4a338386841f2784c49db9fc54937bb53bd703d78fc8eb5cab5aacb9678cdaba04666943930687401bbf

              • /data/data/com.pombingsoft.clumsyman.gtx/files/.jglogs/.jg.ri

                Filesize

                314B

                MD5

                536b6910b5b281e79b05d281a4e77359

                SHA1

                b10abb84b2a38a2f3d0633563599013dd776906e

                SHA256

                1cf5b3f88ead49517f6042839278e75bf3833e0dcd460708fb9c5201882a4401

                SHA512

                7cc1a36e481b55538211ecec6b29761bfd2cb98e7e23c50e94411b47a584d7e7d8d93411f63027862a440688098406dd29694d4508237537b633341f3b6d6753

              • /data/data/com.pombingsoft.clumsyman.gtx/files/.jglogs/.jg.store.report_pid

                Filesize

                32B

                MD5

                d6255e6c286e6468695858280af749d4

                SHA1

                a77e7874cc2134ef52f9a4d079c0b31c0e3a0b35

                SHA256

                d8d869c579f909277f599903e50d9e9cc9fee16741339419b88ea2bf53675eba

                SHA512

                055ed7141604fea9c75a62b47a508fb68c18b4188a4139587cf9459dfaceff10525b83eefdb2f3955d0fd5c2e1d1988ae075251cfcfd90bdb57d0bc93ff9eb85

              • /data/data/com.pombingsoft.clumsyman.gtx/files/.jiagu.lock

                Filesize

                27B

                MD5

                0e60ae281f9b40166957b93180150e4f

                SHA1

                0457fc9d57c9e4e4800acd302fd50ffc97ff0c17

                SHA256

                268bbeee0421e4caebea1dea2ee30dc4b631ed20dfe54bc73b2585fc32318831

                SHA512

                63f32ea3fd22a6db6ab62061a0e1b303a7bedf8fd76c953a3a26bfc07472f28414e7a9680985553146613516bf00b93b3797bd49a7019740245ba44879b188a4

              • /data/data/com.pombingsoft.clumsyman.gtx/files/ebody/as/cheuu

                Filesize

                8B

                MD5

                959b6b1736444a0c8199f4962878212b

                SHA1

                fc8ecc1e5fb7243fa5d4856ce19ea037408fc384

                SHA256

                6bebbf0e7366e29cc6d3dd90528ae9ee091f311c6da3602ed5248c3a2b7ab745

                SHA512

                ed3c9a782d7c9db5ae2a2acb24ffa93dc8d68023610077cf0df72689576c412e98fa7a00e49c2940b0d9432c00f98bf968526da70705da84f0ecf0685707a5dc

              • /data/data/com.pombingsoft.clumsyman.gtx/files/ebody/res/37673/vva

                Filesize

                2.6MB

                MD5

                c7464d7ac75c59a56ff2f6a0f9374094

                SHA1

                e18fb726a5a36039aa18c383b265e79a343479e4

                SHA256

                c22c33159bbba233c5747086b13a5ee067c44bc7726267e4d02b8993fde1f344

                SHA512

                93fd8ca48d0febfc386b9cfb4eb01e5aaf72ff0f9e1abd4720884fa0c93d422728f61da7edebabc1267a8aa2c4f6aa831c8d5a596d08f6b64ef696e19188a9f9

              • /data/data/com.pombingsoft.clumsyman.gtx/files/ebody/res/37673/vva.jar

                Filesize

                342KB

                MD5

                c575a286b11bbafcf8e4905d27f30977

                SHA1

                92f75a7425564f8e5ced10e4ef098c378a0748bd

                SHA256

                185c4ce6748aecf146255ae05828bb01d88b523d7c930e058c851ea5d329beba

                SHA512

                f71571ee69dbb5fea7ac72572b1e50bfac1c7b0a577a5163631410d9f002ce38ebc1e3da4b43000a3575b68b30c70609269c48d165e1cd326474d3e46e19087e

              • /data/data/com.pombingsoft.clumsyman.gtx/files/ebody/seey/tmd

                Filesize

                32B

                MD5

                f22d1c9d8805a03089a14cb8f0a077f0

                SHA1

                fbf44eea9680293a31ffaefdf4a51fe76b661b96

                SHA256

                c799bb41ae4a0e972aa7f51fa42bddcb39740813d1549c792a1bfd1cb159be49

                SHA512

                9c14964bf702554b46136efa6238920b25cdba7f228d72eb66de2efeed0e7f6a785770fc97bbd53819538c23add5ec41ed99933809c30ff8a95311728b044ae3

              • /data/data/com.pombingsoft.clumsyman.gtx/files/ebody/seey/tv

                Filesize

                5B

                MD5

                1c4ec9002d8f6c1ddae5c151e48cf718

                SHA1

                2425cc273831d722bee4906c14c03fe497b99c08

                SHA256

                f6c857ed9fb74036aad1662f0450a84601f9eaf5f9eb0e6943136fa6ffab21b0

                SHA512

                6371c3db3d1dd610f1d22a8a5c5ba3efb8e4d0fd8df158f0dcc001238072717bb1d385152e4b8f67d7283eaf41d0582f6381e859f83f673e8b4ec48ce59d76ac

              • /data/user/0/com.pombingsoft.clumsyman.gtx/files/ebody/res/37673/vva.jar

                Filesize

                1.0MB

                MD5

                7eb039aa7728169a015707a82e1b41a4

                SHA1

                adeae37340af1ce383c908cdc4d375b270b30a60

                SHA256

                9e4e34e3db9a85d0e2f937c85255f2c924df7465284c9f8d91f9ab4ed8f2c49c

                SHA512

                c60f5c867ff34eed8186741ed2947e21ea7f3264114347ff64c90d9e04381238f0a3fbae18ef4ddc3c4b390935a21ebcfa311815384615574e9c9f90a825f7ca