Analysis

  • max time kernel
    8s
  • max time network
    131s
  • platform
    android_x86
  • resource
    android-x86-arm-20240514-en
  • resource tags
    android, arch:arm, arch:x86, image:android-x86-arm-20240514-en, locale:en-us, os:android-9-x86, system
  • submitted
    19/05/2024, 04:59

General

  • Target

    58a8aba359ac7a49a0dd18797e72120a_JaffaCakes118.apk

  • Size

    29.9MB

  • MD5

    58a8aba359ac7a49a0dd18797e72120a

  • SHA1

    66748cf4c03aafd5a1c82ec21b546864e2044824

  • SHA256

    d0f76739fda55a1fd46c625ff7107c24ee8640cb87c62f4355b9e4d2b36d091a

  • SHA512

    737e846adf22245a1d83e524ad8a8c3f7f23416d8423ef316a587808bd4de1834aa839028f6302cfa11b0667074728b139bee2310abf01324dab3b3b2411b292

  • SSDEEP

    786432:4tVHrOlIwr3HElqEk8rYQhFALkUCBYQwW2JljAs88B9+59sAaaLfKvL:O8xMjk8rYQf+khC1JpAs88Bw59sAaaL6

Malware Config

Signatures

  • Checks CPU information 2 TTPs 1 IoCs

    Checks CPU information which indicate if the system is an emulator.

  • Loads dropped Dex/Jar 1 TTPs 5 IoCs

    Runs executable file dropped to the device during analysis.

  • Queries information about running processes on the device 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about running processes on the device.

  • Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
  • Checks if the internet connection is available 1 TTPs 1 IoCs
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

Processes

  • com.epark (PID 4301)
    • Checks CPU information
    • Loads dropped Dex/Jar
    • Queries information about running processes on the device
    • Queries information about the current Wi-Fi connection
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Checks if the internet connection is available
    • Uses Crypto APIs (Might try to encrypt user data)
    • sh -c getprop ro.yunos.version (PID 4346)
    • getprop ro.yunos.version (PID 4346)
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/data/com.epark/mix.dex --output-vdex-fd=54 --oat-fd=55 --oat-location=/data/data/com.epark/oat/x86/mix.odex --compiler-filter=quicken --class-loader-context=& (PID 4371)
      • Loads dropped Dex/Jar

      Network

            MITRE ATT&CK Mobile v15

            Downloads

            • /data/data/com.epark/databases/MessageStore.db-journal

              Filesize

              512B

              MD5

              bc7337ab07ca8fc440fbebcaa70f23bf

              SHA1

              5ee4ef176af3e408bae6b70b56741e92af56bf5d

              SHA256

              5b06929579e8ccc170f1a784b48823e0ea0a67beeae7bbb49f32b7007bc586f2

              SHA512

              950267db7d358f179bb72742b395fc3830a2e63edbafac16ef70aaa0c6e4c7e374a0b76ff6f724c42abaa689c50e921054f29f515fc3a9247392b7afe7f04b3b

            • /data/data/com.epark/databases/MessageStore.db-shm

              Filesize

              28KB

              MD5

              cf845a781c107ec1346e849c9dd1b7e8

              SHA1

              b44ccc7f7d519352422e59ee8b0bdbac881768a7

              SHA256

              18619b678a5c207a971a0aa931604f48162e307c57ecdec450d5f095fe9f32c7

              SHA512

              4802861ea06dc7fb85229a3c8f04e707a084f1ba516510c6f269821b33c8ee4ebf495258fe5bee4850668a5aac1a45f0edf51580da13b7ee160a29d067c67612

            • /data/data/com.epark/databases/MessageStore.db-wal

              Filesize

              56KB

              MD5

              ce962671c0c654340deeab21468743d8

              SHA1

              0dcc2ab67354bd01f3e9b1253ef65be6a58622f5

              SHA256

              d1c7b85ea6ee688ba8db05e0d57d2932dbc2d4025687ddbd41256afecc85609c

              SHA512

              19d0b32c9e6284436824cbacece0fc9f6aa5a6fdda04b032e1a8be7a4a0aa6940e4d85bda2b5f777ff9930db864a99227a2c5693bbf1d445bf97c81c5842a4bc

            • /data/data/com.epark/databases/MsgLogStore.db-journal

              Filesize

              512B

              MD5

              3c85946dd44626c99a2731ff18941734

              SHA1

              824d84acd32c842a8ddec12d056227ea77cc4e55

              SHA256

              89bfd83122becc8b55b0f331086f543addb0fa9eb1118aef3c07656f27aeae2a

              SHA512

              55fccb13434cc5f6d76abc7a76b60e4cdb2f96518815f30b024cb52745bd639cd55d279120d0521eb0eea47473d1728bb11e39fa5b7b11c8baa9e188c555a7e0

            • /data/data/com.epark/databases/MsgLogStore.db-wal

              Filesize

              68KB

              MD5

              7e54ac9e6f53f37e276e38fcd692dcf1

              SHA1

              0841356b9dcaff354a7b9595d5ff7c420520f02d

              SHA256

              89d34810ae1267247f15a2f2454b369093fa916557837c4af599447d87399d8e

              SHA512

              c3c3ef691dc82b3c7d20479e727356eea007bf96e43894927467690715d155163b934841fa8938c12224cc80145c01bfe7b67decafa43fa81e0b24531248b529

            • /data/data/com.epark/databases/accs.db-journal

              Filesize

              512B

              MD5

              1f507c35291b109c7c0682d5b994a555

              SHA1

              fe821c8490afd6d7bc05586d78650f12b43869e2

              SHA256

              eb424c014be7703a468657b2418bed21e14e39c4a47d29791b2f50e0203222da

              SHA512

              003f46f92e50491a029ad60665b71d5180c63e18b6f3c957c5425f4a2af635f5fc4bb6f3826c775bfaed88adc12d03470c0159de3cda6da94702b69830e2f5d9

            • /data/data/com.epark/databases/bugly_db_legu

              Filesize

              4KB

              MD5

              f2b4b0190b9f384ca885f0c8c9b14700

              SHA1

              934ff2646757b5b6e7f20f6a0aa76c7f995d9361

              SHA256

              0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

              SHA512

              ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

            • /data/data/com.epark/databases/bugly_db_legu-journal

              Filesize

              512B

              MD5

              553232dd0615c52a567793158f7f9077

              SHA1

              01a721d08f5d72574a8cae2c8fb32f30cc9a5f86

              SHA256

              b87efe6d0b7e0826ecbf88c472c76f70ebe3979ba48ec50210ba4e595a172761

              SHA512

              e9a12ad3b29f3138eb8bc0464e55fb6985fb2e7a51e2b147a1c08032b451d6e39aa91039b50e6621dacc2edbb808d59efaca891099f499676f959f42ef269fe7

            • /data/data/com.epark/databases/bugly_db_legu-shm

              Filesize

              32KB

              MD5

              bb7df04e1b0a2570657527a7e108ae23

              SHA1

              5188431849b4613152fd7bdba6a3ff0a4fd6424b

              SHA256

              c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

              SHA512

              768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

            • /data/data/com.epark/databases/bugly_db_legu-wal

              Filesize

              92KB

              MD5

              e7672f47a113e6ed840344a6297ba0b0

              SHA1

              6462a7f1c04665a904650a9c90e8d0e23796512b

              SHA256

              355ab59a883b5da23022f79bba4115bd463131286088a1a57bacec76e69baac3

              SHA512

              1040361662b33dc762b9d3733eed145ea2ca377417970fb43b1f1cb9f56ada1f57bfb40a2d6600a3d695f7de1393bad0aa4aa39a54edc86cf381ac8f1714bf62

            • /data/data/com.epark/databases/epark.db-journal

              Filesize

              512B

              MD5

              4b606a8f19f03e2c6452e625f6f8db0f

              SHA1

              6ab5aa708e2af536051e59d6cfec7225abbeb893

              SHA256

              172996407e7b1e688444a8764089bb8b4df82897f5acf66017a2021bac2ffab3

              SHA512

              5e4b9708d064e67f91aebbd8fdc664579b3cb16a424dc55c83ca0f0c25f6983635ff085b42fa54e9c3ddf6ae46f6cc827143ebf30a437fa8cb0f583afebcb920

            • /data/data/com.epark/databases/epark.db-wal

              Filesize

              68KB

              MD5

              4e97dfa0075ac14dd9e840f37fe9d632

              SHA1

              daf1ed6cba0826c480b62da3c85cbfa03e448eee

              SHA256

              6655ca881b9981256c0b63d2421844ecf8babc730a2abcac8fb7559958dc1f89

              SHA512

              a27bd8c1cac8e457f374f3052104bcb34fb77178e947801add5a4fc1c0ccd07c4a3a8fcd0edff3f3f2a2e0aa5f7fc031666fc3fdbc32d12862fbcec8784d1f3f

            • /data/data/com.epark/files/libs/libBaiduMapSDK_base_v5_0_0.so

              Filesize

              333KB

              MD5

              873b2a28bc498203051de1cb168d798d

              SHA1

              c6b9f2b527a582ec2abdf18ede117243b0abc137

              SHA256

              71231d32e62565b6aa24c8f40feee0a1e35b0191af63bcf20347df54104f65ef

              SHA512

              8f76b6cde1cbaefeee1ce55e033a88d5412b9440fe0268351b0e1db536f7214854bed0d723b15ddbd07d23a7bf3a4f4c570fb4dc906bb0d0b4198a5a464190f0

            • /data/data/com.epark/mix.dex

              Filesize

              292B

              MD5

              63f77f99bd2c2b772a479923bde11974

              SHA1

              c7632e7d301e4463fafce85f84e9c3d7da3fdbbe

              SHA256

              4c76a3af64cdd2f8713ffe2733dea50dbe714d0ca41c17d1847ee5b62a7ca615

              SHA512

              3aae4a89d1ed51fdd911cb367eb10afe3c2264e4222085891b18a60d5412f85d10bf5c8f3c6642db70abb9aa42732bac5c42c42ee32d587100f53c21b5beb16c

            • /storage/emulated/0/.DataStorage/ContextData.xml

              Filesize

              111B

              MD5

              13e23a78089c20db2b3ea42dabaf1af2

              SHA1

              85b2ffdab792113b69e3752fb78e34e5922aa895

              SHA256

              46327e99eb21a7d9592580ddef3ff89da2d33506f27cdf4795c62403f51a0700

              SHA512

              faf4df9c56bc85e15e82af758d67b09a0d08c5caf3a90be7a5aa395c0d9b7b5b4e4092b94f8c7d1668afa6b115c748c8eb55a5078e0d3a9ea086a13e785a6634

            • /storage/emulated/0/.UTSystemConfig/Global/Alvin2.xml

              Filesize

              65B

              MD5

              9781ca003f10f8d0c9c1945b63fdca7f

              SHA1

              4156cf5dc8d71dbab734d25e5e1598b37a5456f4

              SHA256

              3325d2a819fdd8062c2cdc48a09b995c9b012915bcdf88b1cf9742a7f057c793

              SHA512

              25a9877e274e0e9df29811825bd4f680fa0bf0ae6219527e4f1dcd17d0995d28b2926192d961a06ee5bef2eed73b3f38ec4ffdd0a1cda7ff2a10dc5711ffdf03

            • /storage/emulated/0/.UTSystemConfig/Global/Alvin2.xml

              Filesize

              111B

              MD5

              e7115ced63b507fcba26ab17af4e5da7

              SHA1

              3aad5efdb594d91bcf2d63b3ff5ea1c54e0f2c29

              SHA256

              bd0412e3a46445af1c2d0d5998a7cf5ea9fd7d1b0787d0afc9f19cac6b4b6bc3

              SHA512

              aec67c075994bb6551e7f896723c6ec73794681e1294286978ff06ae88f942de3d6141c68373b57b5ba757b894d1a7cff04708a4032684a4b3aac66f1bec5c08

            • /storage/emulated/0/.UTSystemConfig/Global/Alvin2.xml

              Filesize

              167B

              MD5

              66e4639c0d75be6a04e65f72aaef9b40

              SHA1

              ce10f41b96f5c4ad4191175ad093f4edf707db78

              SHA256

              c3075475ebe6e36ff48a1e8b1e12ae158ecb4845e3c777ecfac7cffe3529a613

              SHA512

              1b4963520d420dd794e49afe5716e2a27b56f69ab6237e75c02d0b6324f079d38402f61df11f560cbe427afe7687abcc111cb63e620db39997f5c124779e605b