ff8a8cc17acf2ec9b58bb4ba89d1b1a3fadca81e42fe48efc573e093ae7421cc

Analysis

max time kernel
178s
max time network
185s
platform
android_x86
resource
android-x86-arm-20240514-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20240514-enlocale:en-usos:android-9-x86system
submitted
21-05-2024 16:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

63efd24b07605ad9d3ce9d35e38657fa_JaffaCakes118.apk
Size

16.6MB
MD5

63efd24b07605ad9d3ce9d35e38657fa
SHA1

ac7fa3eef0d71e15f2c81035bcd7dcbb20d4edad
SHA256

ff8a8cc17acf2ec9b58bb4ba89d1b1a3fadca81e42fe48efc573e093ae7421cc
SHA512

86a9648fa292b5b34296865b99797ea2210707bafd0138f5da1f86a444f25debbe9edf3b816dc9447d6f52d332bfc49079db94358db484ee4bc1595c20e45814
SSDEEP

393216:uwzOYmYzhBaWTHUXJsEC8eSdIkamSc1S8WEc2kkV5Q:3yYrDDjoQSuFci3kV5Q

Score

8^/10

discovery evasion impact persistence

Malware Config

Signatures

Checks if the Android device is rooted. 1 TTPs 6 IoCs

evasion

System Information Discovery

T1426

Processes:

com.yrtz.qiankundaicom.yrtz.qiankundai:pushservice

ioc	process
/data/local/xbin/su	com.yrtz.qiankundai
/sbin/su	com.yrtz.qiankundai
/system/app/Superuser.apk	com.yrtz.qiankundai
/system/app/Superuser.apk	com.yrtz.qiankundai:pushservice
/data/local/su	com.yrtz.qiankundai
/data/local/bin/su	com.yrtz.qiankundai

Checks CPU information 2 TTPs 1 IoCs
Checks CPU information which indicate if the system is an emulator.
evasion discovery

System Checks
T1633.001

System Information Discovery
T1426

Processes:

com.yrtz.qiankundai

description ioc process

File opened for read /proc/cpuinfo com.yrtz.qiankundai
Checks memory information 2 TTPs 2 IoCs
Checks memory information which indicate if the system is an emulator.
evasion discovery

System Checks
T1633.001

System Information Discovery
T1426

Processes:

com.yrtz.qiankundaicom.yrtz.qiankundai:pushservice

description ioc process

File opened for read /proc/meminfo com.yrtz.qiankundai
File opened for read /proc/meminfo com.yrtz.qiankundai:pushservice

description	ioc	process
File opened for read	/proc/cpuinfo	com.yrtz.qiankundai

description	ioc	process
File opened for read	/proc/meminfo	com.yrtz.qiankundai
File opened for read	/proc/meminfo	com.yrtz.qiankundai:pushservice

Loads dropped Dex/Jar 1 TTPs 9 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

Processes:

com.yrtz.qiankundai/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/data/com.yrtz.qiankundai/.jiagu/tmp.dex --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/data/com.yrtz.qiankundai/.jiagu/oat/x86/tmp.odex --compiler-filter=quicken --class-loader-context=&com.yrtz.qiankundai:pushservice

ioc	pid	process
/data/data/com.yrtz.qiankundai/.jiagu/classes.dex	4311	com.yrtz.qiankundai
/data/data/com.yrtz.qiankundai/.jiagu/classes.dex!classes2.dex	4311	com.yrtz.qiankundai
/data/data/com.yrtz.qiankundai/.jiagu/tmp.dex	4311	com.yrtz.qiankundai
/data/data/com.yrtz.qiankundai/.jiagu/tmp.dex	4344	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/data/com.yrtz.qiankundai/.jiagu/tmp.dex --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/data/com.yrtz.qiankundai/.jiagu/oat/x86/tmp.odex --compiler-filter=quicken --class-loader-context=&
/data/data/com.yrtz.qiankundai/.jiagu/tmp.dex	4311	com.yrtz.qiankundai
/data/data/com.yrtz.qiankundai/.jiagu/classes.dex	4382	com.yrtz.qiankundai:pushservice
/data/data/com.yrtz.qiankundai/.jiagu/classes.dex!classes2.dex	4382	com.yrtz.qiankundai:pushservice
/data/data/com.yrtz.qiankundai/.jiagu/tmp.dex	4382	com.yrtz.qiankundai:pushservice
/data/data/com.yrtz.qiankundai/.jiagu/tmp.dex	4382	com.yrtz.qiankundai:pushservice

Queries information about running processes on the device 1 TTPs 2 IoCs

Application may abuse the framework's APIs to collect information about running processes on the device.

discovery

Process Discovery

T1424

Processes:

com.yrtz.qiankundai:pushservicecom.yrtz.qiankundai

description	ioc	process
Framework service call	android.app.IActivityManager.getRunningAppProcesses	com.yrtz.qiankundai:pushservice
Framework service call	android.app.IActivityManager.getRunningAppProcesses	com.yrtz.qiankundai

Queries information about the current Wi-Fi connection 1 TTPs 2 IoCs

Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

discovery

System Network Connections Discovery

T1421

Processes:

com.yrtz.qiankundaicom.yrtz.qiankundai:pushservice

description	ioc	process
Framework service call	android.net.wifi.IWifiManager.getConnectionInfo	com.yrtz.qiankundai
Framework service call	android.net.wifi.IWifiManager.getConnectionInfo	com.yrtz.qiankundai:pushservice

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 2 IoCs

persistence

Broadcast Receivers

T1624.001

Processes:

com.yrtz.qiankundaicom.yrtz.qiankundai:pushservice

description	ioc	process
Framework service call	android.app.IActivityManager.registerReceiver	com.yrtz.qiankundai
Framework service call	android.app.IActivityManager.registerReceiver	com.yrtz.qiankundai:pushservice

Checks if the internet connection is available 1 TTPs 2 IoCs

discovery

System Network Connections Discovery

T1421

Processes:

com.yrtz.qiankundaicom.yrtz.qiankundai:pushservice

description	ioc	process
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.yrtz.qiankundai
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.yrtz.qiankundai:pushservice

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 2 IoCs

impact

Data Encrypted for Impact

T1471

Processes:

com.yrtz.qiankundaicom.yrtz.qiankundai:pushservice

description	ioc	process
Framework API call	javax.crypto.Cipher.doFinal	com.yrtz.qiankundai
Framework API call	javax.crypto.Cipher.doFinal	com.yrtz.qiankundai:pushservice

com.yrtz.qiankundai
1⤵
- Checks if the Android device is rooted.
- Checks CPU information
- Checks memory information
- Loads dropped Dex/Jar
- Queries information about running processes on the device
- Queries information about the current Wi-Fi connection
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Checks if the internet connection is available
- Uses Crypto APIs (Might try to encrypt user data)
PID:4311

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/data/com.yrtz.qiankundai/.jiagu/tmp.dex --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/data/com.yrtz.qiankundai/.jiagu/oat/x86/tmp.odex --compiler-filter=quicken --class-loader-context=&
2⤵
- Loads dropped Dex/Jar
PID:4344

/system/bin/sh -c getprop
2⤵
PID:4415

getprop
2⤵
PID:4415

sh -c ps
2⤵
PID:4581

ps
2⤵
PID:4581

com.yrtz.qiankundai:pushservice
1⤵
- Checks if the Android device is rooted.
- Checks memory information
- Loads dropped Dex/Jar
- Queries information about running processes on the device
- Queries information about the current Wi-Fi connection
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Checks if the internet connection is available
- Uses Crypto APIs (Might try to encrypt user data)
PID:4382

/system/bin/sh -c getprop
2⤵
PID:4508

getprop
2⤵
PID:4508

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Discovery

Process Discovery

T1424

System Information Discovery

T1426

System Network Connections Discovery

T1421

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.yrtz.qiankundai/.jiagu/classes.dex

Filesize
5.9MB

MD5
5eb6e13df038d7beec3e9ea299fb8894

SHA1
38bf91712cccd3cf2b63205092889bbf1b034d25

SHA256
c52d01411e1477dd5f7cc914614b68096270ccf6225baed91817ddf6393797d5

SHA512
8898c253deb1771f2dca245db3b7b1fc606dc8f7bfef6aea38c8c4060160cd95bca80eea139eea5cbb68ea07b1e94dee5fc3f1edd23bf4a0018f84de8c41609c

Download Submit
/data/data/com.yrtz.qiankundai/.jiagu/classes.dex!classes2.dex

Filesize
3.4MB

MD5
66f3efcf8f337695e490bcc74a69d128

SHA1
62260cdfba2eb46737d4f90b804b71b29c12b825

SHA256
b98f573d640edd0ea4843f5fcc9def8a82cd53f88b11926dacd06f0c56c40a3f

SHA512
01dab38853c69e9649c8ad4142ee156789a7df7dbd83137f4692ea6dcff032b715cb3d1c44d898995b29bb18eefd9522962c607ca800db9632b0744f6d83fad2

Download Submit
/data/data/com.yrtz.qiankundai/.jiagu/libjiagu.so

Filesize
496KB

MD5
f07656a2f51ecb23edc102003c32b764

SHA1
3ef18f74b609313887b9e825c56a54b5a9eef20e

SHA256
f6847402ab69102f8495aac58b9beddde9a71dc52470c5de17e382eec2a6b913

SHA512
34b337d2cf98ec3009f80ff299e43984a1c911e5f9eb5942a915915cb7b5b591ffc9f1b79a7989534c2583a703a3f0857e74be68cdd71388f68d5bef354f7238

Download Submit
/data/data/com.yrtz.qiankundai/.jiagu/tmp.dex

Filesize
284B

MD5
f1771b68f5f9b168b79ff59ae2daabe4

SHA1
0df6a835559f5c99670214a12700e7d8c28e5a42

SHA256
9f8898ce35a47aeafced99ea0d17c33e73037bb2307c7688e50819966f4ae939

SHA512
dae27d19727b89bec49398503baa6801640540355688dfabbe689c97545295c2c2d9b0f0dcd7cbc4cfbf701d0c0c3289e647a152f49ff242d1ecc741efe4145d

Download Submit
/data/data/com.yrtz.qiankundai/app_crashrecord/1004

Filesize
32KB

MD5
9fd42946665608eec81b2f3f96048484

SHA1
4ca171409745a92eb75c5d231eed255219323e2e

SHA256
82fd3c3ab08f8b7574f89f95eb2eaa1a2f4eb2f86ccc400cc42b690b2cae938d

SHA512
9e5770a06af96ce9071b8ad11e557696e74f17cc9104d71af3ad4f72bc3b80eb40318b73739ad0f84c35e24b5bba85a6bd61d9fdd4d5dec00c83abfe9ffa8677

Download Submit
/data/data/com.yrtz.qiankundai/databases/bugly_db_

Filesize
197KB

MD5
e665b04231baca8bf1bd4f98bf3b900f

SHA1
8c8c5cfb5f09774c370fc32271067ebb21a1def7

SHA256
a26368f36f2c42b9c5dc0f704b3ae644ab97de273a5e97591bbb25f441fc8044

SHA512
ee2da3363304d16399ac07ea83e30bb7a42d374885670bff4b6a31d77e8a899da2f06977695511fb56603a7daed98d6259c5c3d6d811d006603fcae1d60f966e

Download Submit
/data/data/com.yrtz.qiankundai/databases/bugly_db_-journal

Filesize
512B

MD5
7f0503aa2f94fad705ea1f39f8912d7f

SHA1
7bcc242450cd62a85289ef98fdbd49b9a55cd867

SHA256
66dd34bcb71ba9394615dee6852eae4158d677fe7e052f199232b7e0e496a6ef

SHA512
525bbc57ae3204867ae44c78318c5edc272f37ae56b487faafee5a4cb7e6d6096861628d82a7e61dc3aa24ab66d29a06f700278262678000782addc33eb03b8c

Download Submit
/data/data/com.yrtz.qiankundai/databases/bugly_db_-shm

Filesize
32KB

MD5
96893dc888c23cd125e6e50861112b88

SHA1
e7ad2c47c3b0cedf7aee43dfa60fa4704eb1ea29

SHA256
de88403d80638d4ef79662003e5c99f7d0c0c95aead189ac928b0832ecd58b05

SHA512
58b878f3721b4e76a523863d42691d0c4898eb1b16312b837d2e485330f8ffdd3b9117340bc79890a6dc9d682cd36f2abcd416c3401e5ccfbbb6130dbad8d96b

Download Submit
/data/data/com.yrtz.qiankundai/databases/bugly_db_-wal

Filesize
76KB

MD5
ebbcf645f8ccd522f30b811d9dea2970

SHA1
390cd573100bab5e12d92d48dfa58769464d23f6

SHA256
8ab1f859919196b3e6787d58d4bf6e2b5f5830eeba0c9a967324d64f4e8fe1b6

SHA512
db3ba332fec065ca66ead659cdef57da1ce25ab2665fb4ad84038a2fe7ff950900b5f286b117c1103709aec4ad886bab3fa0f3867460b99c6fc09f65942285c2

Download Submit
/data/data/com.yrtz.qiankundai/databases/bugly_db_-wal

Filesize
88KB

MD5
358ab43cc3de9957d9c97ef4a5eba226

SHA1
3f403e66eff3cf147bad8867d0a82b6809747a31

SHA256
8914bc1bbbf2f12cd8500a3879e1031dd250b95ab4fe443d0048b75ae20d6ce3

SHA512
bffb35d809e1d9007c452f059d2d9af263c1b0ac6e478cbfcac5a456dc1f5a1229486a21e12c224b8681b71a0e9381a534fe3d3eb037f56d6e3360286efa243a

Download Submit
/data/data/com.yrtz.qiankundai/files/.jglogs/.jg.ac

Filesize
40B

MD5
aa84a538ec24ea8c4a0497c659f0b830

SHA1
c44e09cdcb954477ffc99f13bfe716cfe6660ebc

SHA256
1a1f43a8fc918f8884b71b7af18dd1380f2e385d1d15961b67f29ef63fa6ea84

SHA512
5ed9862fe8a377de5331b559f83335af00bb59c06c75da1caf7c40819507f1249a0294a5e0a6b98d7ac6e54a39d6cd620878f3a31fc4ddbd05a667030d5ad610

Download Submit
/data/data/com.yrtz.qiankundai/files/.jglogs/.jg.ac

Filesize
40B

MD5
609f396fb526b9b9a18cf9064b42c471

SHA1
d63d99da422772b4fe581548c888e9a2a14c294d

SHA256
eee68d2f3519b92349f76d43bb6fc8032e4f446b013de93398d26375df79289b

SHA512
cabe01a76a7596be3ae94a093ced02d499adecb8e0f7f36e4a24c41d251c97f934beec046264842ce73f8e977ca37d91bfe978fe6375d086a5ef5bdb52d6fb7c

Download Submit
/data/data/com.yrtz.qiankundai/files/.jglogs/.jg.di

Filesize
340B

MD5
262b741227b0eb68cfbc27eb31c95ddb

SHA1
b418df78858005fb02f25b02a65564b2b7fc5975

SHA256
fceb4aa267cbaeeda87dabcf3dcf1dc31f6beb1ecc862898e614e0f4d48c9e19

SHA512
ab127e60bda18234c5b42003d3074458f72dc7b25ec4dfa5579aff5466da702e1d34ee2694ea4ff9584a7a71374d9c014a3d94b0795d6bbc810008cc1a92aacb

Download Submit
/data/data/com.yrtz.qiankundai/files/.jglogs/.jg.di

Filesize
340B

MD5
9d54ceb8318cb1b5125eead2aa4d4926

SHA1
5ed1997026de567a3a3e139236758166aed0c255

SHA256
13405b7ddcd3ac8e5c3f1b408472db029d7505e024d52a58c02210efcf2784f5

SHA512
e590137fccc587c588e2009781ea8f74c684372f649dfb9fc618a713842cd2c0aa42aed8957257de288ab7562df42d28af88a250334eea082f9775e469e5bc6a

Download Submit
/data/data/com.yrtz.qiankundai/files/.jglogs/.jg.ic

Filesize
4KB

MD5
ae96463c362bbb936a1c7bcc1f570a62

SHA1
799dbeca1915990011ab247f7e12e45e5fa20dc2

SHA256
1c7184213571180ba6babc9025a95dd5244501a69d46d1dd7b39491b9eea2be6

SHA512
68254ac6737f794b36441a290ee78838865957cfad51ca3026a0f02cc9fcb65df432be6f3b88ceed347b9d6d63cc7966d95210a3d41d50aa4c45ca5bc62fa70c

Download Submit
/data/data/com.yrtz.qiankundai/files/.jglogs/.jg.rd

Filesize
73B

MD5
c3d21f67141d05d665fe6dbde2f0d0f0

SHA1
24fcd33c047ac8af6c3eb917f6ec8747a045cf67

SHA256
e7be219f6e378b26b0e2082d6c8aabb6a555691ca06da7ee57bf5e671ffb9b3d

SHA512
2f0307b872b2cb4e4b5ed8e34fa1e9d7b973a0bfd34ae8451d9fb09091c566cc2d46e9543056de35790f4e8a06eba7c5865650a8b1b9b76b3ef4bf854a4b479c

Download Submit
/data/data/com.yrtz.qiankundai/files/.jglogs/.jg.ri

Filesize
314B

MD5
c0b362dfb03541507d866408c1a16489

SHA1
6dc4ffa78291ef7275b4d49c55946e80ef20e77c

SHA256
1c69478de97b484df10c274d430a3a665b67164aff2b4ec154fb8a129265c604

SHA512
ef7764908f692c9f2acdcde0d84a21f17c8e2a79747b9c32311b8583c435a2164bac899914037e9bde08190320d0ac8af4f1750ec34804dabe5edf333441e2c5

Download Submit
/data/data/com.yrtz.qiankundai/files/.jiagu.lock

Filesize
58B

MD5
0d210bfb2a0e1f1b4c082a6a0f79de07

SHA1
bb8ed9e364db79d1d9f2fcde3f15091893222faa

SHA256
988722c23d78a46021d0e7ca9deee7aa8bb83288269174ffacb7316f381cca1d

SHA512
536e9867b0df29b15b789f8949be6ab37fcdeccb9d39ded981da7dc2052c9533d0ec0e6f9a5444132977605d372e1463d91bdde41b528ff2ca3f65ab152325c1

Download Submit
/storage/emulated/0/360/.deviceId

Filesize
48B

MD5
7dd22dc97a93b75d43ac2ef36e18ac54

SHA1
2096e1cafd08a443eea8f12cfabd09758a876b42

SHA256
c2bad394c2274cff3a6d7202b8affea6fe473d1dd97f93c48f9297776b8fbc83

SHA512
7680e1f3c79bc3c148d3abebc68d11296913ef1cb4a4d5db175763766c29957369760766d9324fec5d23176d46e82e982140f905c35e09602346bad531f15c9a

Download Submit
/storage/emulated/0/360/.iddata

Filesize
512B

MD5
2efb34c4ab21ba9d61c758ce49e94188

SHA1
d086c7109ed607890ba1650063a463a8789c2f0b

SHA256
84e4d73335a720d192388d2eac4201e8cee39fdd13bfc5253d855fda43d58931

SHA512
5eaaa701ee0873a75265745ef72e3457e9e9188618f44d1feae5fc84bc5ba43d0f1dbec29f6f66326a29c0615f64f680a92d34001d573c3500336217bbf8794e

Download Submit
/storage/emulated/0/Android/data/com.yrtz.qiankundai/cache/uil-images/journal.tmp

Filesize
72B

MD5
f66400240c6970c08c982fb817266d91

SHA1
9d1d4f138b37e7340ee45be90d71a94c50368b43

SHA256
54a9a5d3f9a85cd524c1503452b9d7d4a3073808547ce69865c94aea7c94c52e

SHA512
8fb9227e3a98dc7abee12993719d97b7da2b930feadbf07cdf6ad624783ac2d9c26fd3965ffff44181efe8168a44f9ed852f30c4b6b7a3ff2b024104ab1b158f

Download Submit
/storage/emulated/0/libs/com.yrtz.qiankundai.bin

Filesize
72B

MD5
f7d5989e4c121f56c5662925088b6a1c

SHA1
7073c642e6416170ac4f1300372f9998f9e73828

SHA256
2152c405da9deddbcff07496d6092a7fdc4ab8226c2288f80b8900c6828c95f4

SHA512
05fab0d0d90d316ad912fc60ac647496e3fb2fc6c063fdc95612551c4b7cc03be9745bf0fe6b56c20fd17821bda40a4d19872fbcb604ea8369877348fb248ffd

Download Submit