Analysis

  • max time kernel: 169s
  • max time network: 175s
  • platform: android_x64
  • resource: android-x64-20240514-en
  • resource tags: android, arch:x64, arch:x86, image:android-x64-20240514-en, locale:en-us, os:android-10-x64, system
  • submitted: 18/05/2024, 07:16

General

  • Target: 538a7dd8b999182f2e3a216ba7986d53_JaffaCakes118.apk
  • Size: 21.2MB
  • MD5: 538a7dd8b999182f2e3a216ba7986d53
  • SHA1: 2ff5ad5744cfb9c23576abc405440a11e49f60ba
  • SHA256: d67e3a7439656841d1720af95f3faf360553c3d0938cf7390280e6a3d47e3d63
  • SHA512: 5f885ab3c0387353341f8ea31113a70af159acc42e5bc7f57121a5afafbc1717be631bc2676b6ce22d2a1dde5005ec759e36f7eaf7f5756372b60ab9abbba25c
  • SSDEEP: 393216:Hce5m6AbuViFLRLamoq1V/8sQ7wXvDdsKkrq3X2Md6dYlAXFcxo9XOfVVHSeTWG/:ybDRLamoqbmOD6g3X/duQAGxok/HSeSw

Malware Config

Signatures

  • Checks CPU information 2 TTPs 1 IoCs

    Checks CPU information that indicates whether the system is an emulator.

  • Checks memory information 2 TTPs 1 IoCs

    Checks memory information that indicates whether the system is an emulator.

  • Loads dropped Dex/Jar 1 TTPs 3 IoCs

    Runs an executable file dropped onto the device during analysis.

  • Queries information about running processes on the device 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about running processes on the device.

  • Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
  • Checks if the internet connection is available 1 TTPs 1 IoCs
  • Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
  • Listens for changes in the sensor environment (might be used to detect emulation) 1 TTPs 1 IoCs
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

Processes

  • com.pombingsoft.clumsyman.gtx
    1⤵
    • Checks CPU information
    • Checks memory information
    • Loads dropped Dex/Jar
    • Queries information about running processes on the device
    • Queries information about the current Wi-Fi connection
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Checks if the internet connection is available
    • Listens for changes in the sensor environment (might be used to detect emulation)
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:5165

Network

        MITRE ATT&CK Mobile v15


        Downloads

        • /data/data/com.pombingsoft.clumsyman.gtx/.jiagu/classes.dex
          Filesize: 5.8MB
          MD5: 1e38cae7edb80121ae6aa34afd61ed81
          SHA1: f0252d2aa050345c2a238d5d633203fbc438375f
          SHA256: a480a7d7e626b00fc85ebdada35b85f3a79fac9f66bc98bc13ddc52b19ae901a
          SHA512: b44dfd3c38cdefbbb899358ea706979edf15725b753891b2cbac3ccca59bb11a1cf7dd875daee09f06079420fbd063d21bd06648f1e54ad4e321ce34f808942f

        • /data/data/com.pombingsoft.clumsyman.gtx/.jiagu/classes.dex!classes2.dex
          Filesize: 4.0MB
          MD5: 19f1dbbdd8c2a9e81a0dad975b2f4190
          SHA1: 01dbbf6faef8e9aeaed60c315d04516089bb58b2
          SHA256: 18da70de72e35e3bcc7af8f42f3939429d1e24b9178692a6c998a22feecd6386
          SHA512: 8ba77c29424314d53673dd39657648e388131bf4e8228cabcafd69fb00d1f1863b6b7f152660e8d04a4f4ae876f351d607999e2ae3a4f8737fcb8271a2e6f0ca

        • /data/data/com.pombingsoft.clumsyman.gtx/.jiagu/libjiagu.so
          Filesize: 475KB
          MD5: 5aea02f4e4c77fbf2e7a27f7ca9cc06b
          SHA1: 522db1748608e9173547b29b7aa82ddc3542c534
          SHA256: 5a1c513b347e2a929769e2be67552c1d591704f08f7b5590282b66cc2c7d7bd2
          SHA512: 5c979a11f5e896829db906f533756efc1cf3c5a7e35ecc9e376a0aae818f2dada013441649feac2e188bd51affbbf35156e32fdc6552e185bddbc547f3850316

        • /data/data/com.pombingsoft.clumsyman.gtx/app_ebody/res/xmtok/37673/uuloi
          Filesize: 2.6MB
          MD5: a4be05e15ad132090b309f396e91ff58
          SHA1: 8c8b8354188d80d9abf60f4f63883d2b92a553f2
          SHA256: e2c35ba3e0b82ced9693b57da9c9c57a1e9914d272a8f94f9f39b40ec3451016
          SHA512: 1db29d80bdec4939d19566a9714cb400fcf7baf17b306b6b65ec92f573aa1910262cd4b51d9791af38b5951ef39bbb499a9003b9e0c528c31a2a21e45f09f341

        • /data/data/com.pombingsoft.clumsyman.gtx/databases/cc/cc.db
          Filesize: 36KB
          MD5: 0908e924aa236931dc7166fef6e00862
          SHA1: 7782648d6d8f6e835bd47058d4852932c096a467
          SHA256: 38f8548795ca7470b449dd1de9598c07a247ba59883c0764c9c96ff0b7d31d7f
          SHA512: 3c16fbc5172aed04cd206e776c46d26e911732c6e3631536410a71f1d217449475727ac9b3175e827c5ce645a1da9e05900258ee6ca27c936a9060f241361dee

        • /data/data/com.pombingsoft.clumsyman.gtx/databases/cc/cc.db-journal
          Filesize: 512B
          MD5: 58a4b2caf6f6f80ee677a1f2e01a5ec5
          SHA1: 476c25c4ce101cf022c1127a6bb6af1e64c25f2c
          SHA256: 0fa6d206abb4b6588d083d611c5ca39dddcdd536f17d527670ca0a8a2c40fa36
          SHA512: 767796feefbd9bf8ecfe8685c1f753420f8fdf10f4f56472e6dd9c60d6360c827a806afca14d46194599e5cdbc8e9f8c1865e3ed3d8f1e8aac2ffafa98fd787a

        • /data/data/com.pombingsoft.clumsyman.gtx/databases/cc/cc.db-journal
          Filesize: 8KB
          MD5: f7f30856356fbbe46f5fc8c3a88d8982
          SHA1: af69b5c3873b46bdd4700151d175f1522a333ff7
          SHA256: fb081408deb523a69c63810989aa533f9fe32173e4d86784107b6b65fd26f1f9
          SHA512: 054b0999f8db5f4ae7ef520c8ae6f4f782422ea8b535349358638b1a7d29139cd02f8c17d8f3ff0f5707bf256b4e0c306f92f2b601dc813d4b2f0e2b8dd0ec6a

        • /data/data/com.pombingsoft.clumsyman.gtx/databases/cc/cc.db-journal
          Filesize: 8KB
          MD5: 583cc87956c69ec6113a799ede790e0b
          SHA1: 34353b55430b0edca6251a5a133984d4765ccf4d
          SHA256: 05348ada292bb1e564d7473219c74335d41addcaff69c17f922e89ff3a48b38c
          SHA512: 647b3e135bf204000161695a9af25fd619fd825da6e471317193082fb265b43015e53cac5bc11eb6752c26e59141def68caabc2a8d950ff551fcfbf0be460b3f

        • /data/data/com.pombingsoft.clumsyman.gtx/files/.jglogs/.jg.ac
          Filesize: 40B
          MD5: 1e251ba80230daa026f82280c1f9e67d
          SHA1: 216e535e7768bc945bcca4a8422583a82b463abe
          SHA256: e727f351ef9d6e4a8049f360be3f9dacbc2c4b69f28c7ffb6e6db6a9c66342ce
          SHA512: 2e4d1212c1264f434bd207ca6bc12421b7cc7a4a4033ec9d12aed6f7e08ea69418744865857f37c3bb362c06ea34ab82166d9dda0f8e58ca6af43787750ee8be

        • /data/data/com.pombingsoft.clumsyman.gtx/files/.jglogs/.jg.ac
          Filesize: 32B
          MD5: 598c39ec5628009a581772339fc90b31
          SHA1: 9bd77127cda6a8380aef45df5293a1331a52c5a2
          SHA256: e1960be5d6233f422aae668f890ba71b87d711781c274ca8f26e51d3d3dbff98
          SHA512: 7e0c121c26eb56137c511cd17ea8b462945a0cfecfce8231344514dad782b8df57698fc119d80eff6fbd1d9f461bf6bdec49a8a89bbe9787c687eda9926ad6f1

        • /data/data/com.pombingsoft.clumsyman.gtx/files/.jglogs/.jg.ic
          Filesize: 32B
          MD5: d681e68c04eeef10693b497b64266a68
          SHA1: 1e12fe8463fb6555f342e6d634cef27c3e287103
          SHA256: cc8e7fe6e436fe3f015f53b601cc9dae24ada526689dc5c3f8be353edc139f98
          SHA512: 88e35222451b375a3b16505b8356425480ce82f3da86c52aa021902b02c4bddc043ca31a624093381e607104e402acaa885a8ff2f07d10f72b414d35d065841a

        • /data/data/com.pombingsoft.clumsyman.gtx/files/.jglogs/.jg.rd
          Filesize: 32B
          MD5: 0d11f02b7620c6d4a07eb477f70e1050
          SHA1: d8f16684b1f45eb734579786234d4eca89b60837
          SHA256: b1f9a0e6d2151b627b4abd8f074d9922bee8602bd0876f3452c04fd2d6241e0f
          SHA512: 62452c7dc7ab6837210cbfb04243df875db0f2695597e24f0f87dd100220c81e176b3a40fc25a35710ee0db9190ef7a4202a1e4e8452467f48b3e1b715678ebb

        • /data/data/com.pombingsoft.clumsyman.gtx/files/.jglogs/.jg.ri
          Filesize: 307B
          MD5: 02ff90310af799f662f21b0c4d4c2a03
          SHA1: ae69175e8a5d5c774b017a49876f932a59d2a9cb
          SHA256: 495c096d44240a3cc04b33c3b058cbfa3936871f0f3eadbd8009d41d60ad4f90
          SHA512: 00550becd07e9d877d951736d669b9e53e995a499e4140ac4487aaf0310df6ace0094e6fbd02b2e11a341c0ee9ef0c7a4042a344e9b9e1e8d2cd24400a2aa63a

        • /data/data/com.pombingsoft.clumsyman.gtx/files/.jglogs/.jg.ri
          Filesize: 314B
          MD5: ce66dc8e8cc2b9366c6a7732e2f743f8
          SHA1: 7063589097a48959c36f5ea5d96e0d3a30ff77c4
          SHA256: bfef4b514f3a58b8349405776fef64cc73808dc1c95692543068862f309955eb
          SHA512: 4a6dc363ca705a3fb2d2cd71a1a2c590d8ccf63cee3a44f9d7db2742091cef5b6128d900d47e48c13009eb43bd93fc906ca0ca3820c9f718e5028ba6ba7210ea

        • /data/data/com.pombingsoft.clumsyman.gtx/files/.jglogs/.jg.store.report_pid
          Filesize: 32B
          MD5: d6255e6c286e6468695858280af749d4
          SHA1: a77e7874cc2134ef52f9a4d079c0b31c0e3a0b35
          SHA256: d8d869c579f909277f599903e50d9e9cc9fee16741339419b88ea2bf53675eba
          SHA512: 055ed7141604fea9c75a62b47a508fb68c18b4188a4139587cf9459dfaceff10525b83eefdb2f3955d0fd5c2e1d1988ae075251cfcfd90bdb57d0bc93ff9eb85

        • /data/data/com.pombingsoft.clumsyman.gtx/files/.jiagu.lock
          Filesize: 27B
          MD5: 4a3459ad107c8be108d241f83a4bd788
          SHA1: 9830000cc11b532256d95b602bd69c1c6456a31a
          SHA256: ec0e407b4f13c5e876ba5b4058ec06fd85812cdb6803b5decf03ab08ac38d653
          SHA512: 7b3e6f3e5b20ba9d356258725f8f186af3e7cee6bce71f012c4e2f4b0e8e8b14bf3579c76aafc21628c7a4051196bc938b28348c05a01015168cc6c8d39130ab

        • /data/data/com.pombingsoft.clumsyman.gtx/files/ebody/as/cheuu
          Filesize: 8B
          MD5: 341a8c5186aeefa5a49c6559a8263487
          SHA1: 9cd1e3d2bc3d96f8274b79b055746762f42c09da
          SHA256: 78e75bf613817d9f1ef88c33e2d341c3185acbd8c2c7d60c11b6e41af0d140dd
          SHA512: 4cd706e283f90698961e2f8fba314d9afdc728e58037fedf167eea8e6274ab66c26cb4af7c7da0b6765f2324f59351c100f3c8f62d5a74fd8ff5d8fafba9cc46

        • /data/data/com.pombingsoft.clumsyman.gtx/files/ebody/res/37673/vva
          Filesize: 2.6MB
          MD5: c7464d7ac75c59a56ff2f6a0f9374094
          SHA1: e18fb726a5a36039aa18c383b265e79a343479e4
          SHA256: c22c33159bbba233c5747086b13a5ee067c44bc7726267e4d02b8993fde1f344
          SHA512: 93fd8ca48d0febfc386b9cfb4eb01e5aaf72ff0f9e1abd4720884fa0c93d422728f61da7edebabc1267a8aa2c4f6aa831c8d5a596d08f6b64ef696e19188a9f9

        • /data/data/com.pombingsoft.clumsyman.gtx/files/ebody/res/37673/vva.jar
          Filesize: 342KB
          MD5: c575a286b11bbafcf8e4905d27f30977
          SHA1: 92f75a7425564f8e5ced10e4ef098c378a0748bd
          SHA256: 185c4ce6748aecf146255ae05828bb01d88b523d7c930e058c851ea5d329beba
          SHA512: f71571ee69dbb5fea7ac72572b1e50bfac1c7b0a577a5163631410d9f002ce38ebc1e3da4b43000a3575b68b30c70609269c48d165e1cd326474d3e46e19087e

        • /data/data/com.pombingsoft.clumsyman.gtx/files/ebody/seey/tmd
          Filesize: 32B
          MD5: f22d1c9d8805a03089a14cb8f0a077f0
          SHA1: fbf44eea9680293a31ffaefdf4a51fe76b661b96
          SHA256: c799bb41ae4a0e972aa7f51fa42bddcb39740813d1549c792a1bfd1cb159be49
          SHA512: 9c14964bf702554b46136efa6238920b25cdba7f228d72eb66de2efeed0e7f6a785770fc97bbd53819538c23add5ec41ed99933809c30ff8a95311728b044ae3

        • /data/data/com.pombingsoft.clumsyman.gtx/files/ebody/seey/tv
          Filesize: 5B
          MD5: 1c4ec9002d8f6c1ddae5c151e48cf718
          SHA1: 2425cc273831d722bee4906c14c03fe497b99c08
          SHA256: f6c857ed9fb74036aad1662f0450a84601f9eaf5f9eb0e6943136fa6ffab21b0
          SHA512: 6371c3db3d1dd610f1d22a8a5c5ba3efb8e4d0fd8df158f0dcc001238072717bb1d385152e4b8f67d7283eaf41d0582f6381e859f83f673e8b4ec48ce59d76ac

        • /data/user/0/com.pombingsoft.clumsyman.gtx/files/ebody/res/37673/vva.jar
          Filesize: 1.0MB
          MD5: 7eb039aa7728169a015707a82e1b41a4
          SHA1: adeae37340af1ce383c908cdc4d375b270b30a60
          SHA256: 9e4e34e3db9a85d0e2f937c85255f2c924df7465284c9f8d91f9ab4ed8f2c49c
          SHA512: c60f5c867ff34eed8186741ed2947e21ea7f3264114347ff64c90d9e04381238f0a3fbae18ef4ddc3c4b390935a21ebcfa311815384615574e9c9f90a825f7ca