88ca809e49b36ffcaeee78ffaf89ef7ef066b6ec4ac554099969f3cd1430d33e

Analysis

max time kernel
174s
max time network
186s
platform
android_x86
resource
android-x86-arm-20240514-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20240514-enlocale:en-usos:android-9-x86system
submitted
22-05-2024 22:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

68de169e5c3a055d0302aa540816ac1c_JaffaCakes118.apk
Size

18.0MB
MD5

68de169e5c3a055d0302aa540816ac1c
SHA1

2925e071b97102b9c75654cb09076356bee085dd
SHA256

88ca809e49b36ffcaeee78ffaf89ef7ef066b6ec4ac554099969f3cd1430d33e
SHA512

d345af583bf3453b637b56e16589d41db87e5f77dc0e291934106b904b2c785cbe21d6fc160a5cfd101c4ddec6b9d8ecbe6eecf17510bfdccd647c9dd099c687
SSDEEP

393216:+NKMf1mAplwBcHUcd+r2tF9Ya3g7gf/dgSRYe3u8:+NKMf0ApyqHLF9Twc2SWe5

Score

8^/10

collection discovery evasion impact persistence

Malware Config

Signatures

Checks if the Android device is rooted. 1 TTPs 1 IoCs
evasion

T1426

Processes:

com.xgbuy.xg

ioc process

/system/app/Superuser.apk com.xgbuy.xg
Requests cell location 2 TTPs 1 IoCs
Uses Android APIs to to get current cell location.
collection discovery evasion

T1430

T1627.001

Processes:

com.xgbuy.xg

description ioc process

Framework service call com.android.internal.telephony.ITelephony.getCellLocation com.xgbuy.xg
Checks CPU information 2 TTPs 1 IoCs
Checks CPU information which indicate if the system is an emulator.
evasion discovery

T1633.001

T1426

Processes:

com.xgbuy.xg

description ioc process

File opened for read /proc/cpuinfo com.xgbuy.xg

ioc	process
/system/app/Superuser.apk	com.xgbuy.xg

description	ioc	process
Framework service call	com.android.internal.telephony.ITelephony.getCellLocation	com.xgbuy.xg

description	ioc	process
File opened for read	/proc/cpuinfo	com.xgbuy.xg

Loads dropped Dex/Jar 1 TTPs 10 IoCs

Runs executable file dropped to the device during analysis.

evasion

T1407

Processes:

com.xgbuy.xgcom.xgbuy.xg:pushcore

ioc	pid	process
/data/data/com.xgbuy.xg/.jiagu/classes.dex	4216	com.xgbuy.xg
/data/data/com.xgbuy.xg/.jiagu/classes.dex!classes2.dex	4216	com.xgbuy.xg
/data/data/com.xgbuy.xg/.jiagu/classes.dex!classes3.dex	4216	com.xgbuy.xg
/data/data/com.xgbuy.xg/.jiagu/tmp.dex	4216	com.xgbuy.xg
/data/data/com.xgbuy.xg/.jiagu/tmp.dex	4216	com.xgbuy.xg
/data/data/com.xgbuy.xg/.jiagu/classes.dex	4318	com.xgbuy.xg:pushcore
/data/data/com.xgbuy.xg/.jiagu/classes.dex!classes2.dex	4318	com.xgbuy.xg:pushcore
/data/data/com.xgbuy.xg/.jiagu/classes.dex!classes3.dex	4318	com.xgbuy.xg:pushcore
/data/data/com.xgbuy.xg/.jiagu/tmp.dex	4318	com.xgbuy.xg:pushcore
/data/data/com.xgbuy.xg/.jiagu/tmp.dex	4318	com.xgbuy.xg:pushcore

Queries information about running processes on the device 1 TTPs 2 IoCs

Application may abuse the framework's APIs to collect information about running processes on the device.

discovery

T1424

Processes:

com.xgbuy.xgcom.xgbuy.xg:pushcore

description	ioc	process
Framework service call	android.app.IActivityManager.getRunningAppProcesses	com.xgbuy.xg
Framework service call	android.app.IActivityManager.getRunningAppProcesses	com.xgbuy.xg:pushcore

Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
discovery

T1421

Processes:

com.xgbuy.xg

description ioc process

Framework service call android.net.wifi.IWifiManager.getConnectionInfo com.xgbuy.xg

description	ioc	process
Framework service call	android.net.wifi.IWifiManager.getConnectionInfo	com.xgbuy.xg

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 2 IoCs

persistence

T1624.001

Processes:

com.xgbuy.xgcom.xgbuy.xg:pushcore

description	ioc	process
Framework service call	android.app.IActivityManager.registerReceiver	com.xgbuy.xg
Framework service call	android.app.IActivityManager.registerReceiver	com.xgbuy.xg:pushcore

Checks if the internet connection is available 1 TTPs 2 IoCs

discovery

T1421

Processes:

com.xgbuy.xgcom.xgbuy.xg:pushcore

description	ioc	process
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.xgbuy.xg
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.xgbuy.xg:pushcore

Reads information about phone network operator. 1 TTPs
discovery

T1422
Listens for changes in the sensor environment (might be used to detect emulation) 1 TTPs 1 IoCs
evasion

T1628.002

Processes:

com.xgbuy.xg

description ioc process

Framework API call android.hardware.SensorManager.registerListener com.xgbuy.xg
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 2 IoCs
impact

T1471

Processes:

com.xgbuy.xgcom.xgbuy.xg:pushcore

description ioc process

Framework API call javax.crypto.Cipher.doFinal com.xgbuy.xg
Framework API call javax.crypto.Cipher.doFinal com.xgbuy.xg:pushcore

description	ioc	process
Framework API call	android.hardware.SensorManager.registerListener	com.xgbuy.xg

description	ioc	process
Framework API call	javax.crypto.Cipher.doFinal	com.xgbuy.xg
Framework API call	javax.crypto.Cipher.doFinal	com.xgbuy.xg:pushcore

com.xgbuy.xg
1⤵
- Checks if the Android device is rooted.
- Requests cell location
- Checks CPU information
- Loads dropped Dex/Jar
- Queries information about running processes on the device
- Queries information about the current Wi-Fi connection
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Checks if the internet connection is available
- Listens for changes in the sensor environment (might be used to detect emulation)
- Uses Crypto APIs (Might try to encrypt user data)
PID:4216

ls /sys/class/thermal
2⤵
PID:4503

com.xgbuy.xg:pushcore
1⤵
- Loads dropped Dex/Jar
- Queries information about running processes on the device
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Checks if the internet connection is available
- Uses Crypto APIs (Might try to encrypt user data)
PID:4318

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.xgbuy.xg/.jiagu/classes.dex
Filesize
6.6MB

MD5
af40ddebf367d3418c410ba2bbdb34a6

SHA1
9a5c0f557da523fb37d3ea9f1dad84e45b78b8ab

SHA256
fd4c1d3b24b0138f6f355235f35815ff43de7e73e5029854ac0581f6d5b4cb45

SHA512
6ca004321a8ef7f6a08b5be12833971bf017ff58c753ebe73d682abcf5633f084b9b1f5c3453432894f8ce8c9b306963b345cc0d6503450667d9ef66d3ac0ae7

Download Submit
/data/data/com.xgbuy.xg/.jiagu/classes.dex!classes2.dex
Filesize
6.5MB

MD5
56a56032a56816197231ccd2c1447841

SHA1
42b24c7723619c5bbfff5625ee1f4ff7a9afb34a

SHA256
920b1975141f98268ddde30a18db00a3c92776c8472763640b06009b90ccf039

SHA512
f47a2ee1f15a58887d5158bf141277a7d6488fcd31a9c85ca0d6706a4252433b812e8a49e956fba313393ac55333bee777394d300e136d489a484f5e883e3165

Download Submit
/data/data/com.xgbuy.xg/.jiagu/classes.dex!classes3.dex
Filesize
2.1MB

MD5
63eb01b23dce33b6abd34b5693031ca8

SHA1
870abc96ae069aa034b1b647244af5465a881ddf

SHA256
3798ad86a5974af83d89bc71f1737c1747ca4561beb07f74a214675efab02629

SHA512
eac344e6167fc50acfca60a177bccf404cd0eb595b0b3e948f88af21ac3d7c14a49d0d7162bc5ef529b9107132c8ac3d0242186ac1b0ac231acc31e8f969311a

Download Submit
/data/data/com.xgbuy.xg/.jiagu/libjiagu.so
Filesize
486KB

MD5
50750315eef281575611bc425174b939

SHA1
acaff02526d7b4c257e00002ed09af364f66a401

SHA256
c8d37512f73bef5a1c1b060676cdc6d508a8d8dd36f2438f5d6353c9b8524bef

SHA512
60584a993992a68e8d0a53be705e3a9d52fc126df26b9bdcf80d14e659f1d70bceb926e0a99a69fdf40f1c09fd61aa52c2d2c008ee5c3ef59af5922a75161ea9

Download Submit
/data/data/com.xgbuy.xg/.jiagu/tmp.dex
Filesize
284B

MD5
f1771b68f5f9b168b79ff59ae2daabe4

SHA1
0df6a835559f5c99670214a12700e7d8c28e5a42

SHA256
9f8898ce35a47aeafced99ea0d17c33e73037bb2307c7688e50819966f4ae939

SHA512
dae27d19727b89bec49398503baa6801640540355688dfabbe689c97545295c2c2d9b0f0dcd7cbc4cfbf701d0c0c3289e647a152f49ff242d1ecc741efe4145d

Download Submit
/data/data/com.xgbuy.xg/databases/ThrowalbeLog.db
Filesize
4KB

MD5
f2b4b0190b9f384ca885f0c8c9b14700

SHA1
934ff2646757b5b6e7f20f6a0aa76c7f995d9361

SHA256
0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

SHA512
ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

Download Submit
/data/data/com.xgbuy.xg/databases/ThrowalbeLog.db-journal
Filesize
512B

MD5
b429033956b4ac0c17c4ddc042be0935

SHA1
9745002d042a2519aadfb32efa6e8640a9acbfc6

SHA256
e9164dc555a69b818e88e40c11e6d60da65e12d741908856c18647a4c6c519dd

SHA512
292e85d1619c53282af60ad4f36af68c82fb3ac15464a8f7257f7686facd210bd4014edc669996521b6fdb6cbe25b691cc6fa21b2e9c049ae940eadee107f5ee

Download Submit
/data/data/com.xgbuy.xg/databases/ThrowalbeLog.db-shm
Filesize
32KB

MD5
bb7df04e1b0a2570657527a7e108ae23

SHA1
5188431849b4613152fd7bdba6a3ff0a4fd6424b

SHA256
c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

SHA512
768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Download Submit
/data/data/com.xgbuy.xg/databases/ThrowalbeLog.db-wal
Filesize
32KB

MD5
35d165ed5419551f08f73d57863f59f9

SHA1
e0dc3e4e7277c73c51a4af4c0b28e7cead5e7550

SHA256
d536ae4c0d20f97ed8e58dd0c85efadc206e06eb315b27c154ba220033019e02

SHA512
21ec052aad7e6a905c98f09aa951b35646e1634273a4ae7e88819e8b11c77405407eacb53391650f5a3b681a301f45b77b490f489249ada42a7ed79cc67a5249

Download Submit
/data/data/com.xgbuy.xg/databases/xinggou
Filesize
4KB

MD5
b0b254e10c81a34773a77b440fb3d1e4

SHA1
c68f72390b63e4834341e647833cf15ed20b1079

SHA256
bb16e927536ab45b8bb45bb7c6466dfceba8975d5f0bef721b2492425706d557

SHA512
264bc29d4cb8477e08be75e417bc15982efa54440cd13638455592d0ea5c7e16844e650b80e51f82af382af90f7b04c86d2c02f357a05be08a4f6be603d28a73

Download Submit
/data/data/com.xgbuy.xg/databases/xinggou-journal
Filesize
512B

MD5
443a06d7ee53023a548c73c9a1574b8d

SHA1
53e53faefe03cf408529cf795b1e37cc46c66892

SHA256
4f248a4870e3a029b526ff524088759d1f8154b4002b99e78cf3e97f018faba0

SHA512
f18ec155ce7f716658626cb2f327651ca2021c079f0f7eedd1fd15006adb40253065331990386c8708c0db46ae85d140464ea484321a57a6c3802f5d5af3833c

Download Submit
/data/data/com.xgbuy.xg/databases/xinggou-shm
Filesize
28KB

MD5
cf845a781c107ec1346e849c9dd1b7e8

SHA1
b44ccc7f7d519352422e59ee8b0bdbac881768a7

SHA256
18619b678a5c207a971a0aa931604f48162e307c57ecdec450d5f095fe9f32c7

SHA512
4802861ea06dc7fb85229a3c8f04e707a084f1ba516510c6f269821b33c8ee4ebf495258fe5bee4850668a5aac1a45f0edf51580da13b7ee160a29d067c67612

Download Submit
/data/data/com.xgbuy.xg/databases/xinggou-wal
Filesize
88KB

MD5
06aede0047540f223dbdd6b303fcf6b0

SHA1
75006963702d03b3040d7fdfbf8a2c52831d2058

SHA256
5d84798a827575aa4b4a482bc71454ae44c93ae98769ec877e28e91d9844ba0f

SHA512
a86d42ad1f38bf33dc198768ff419478778d3202012ebf57b7aa7fba312a6135f84604268c6d0697bbd3a3dba6ffd04dee1f50556ad7c9ac3587ce63cbf7953c

Download Submit
/data/data/com.xgbuy.xg/files/.jglogs/.jg.ac
Filesize
32B

MD5
1264f30db5bc978090c891fc9ba97820

SHA1
22a1664ca5bac8af36bdaf8e4098c02c7fc9c1fc

SHA256
6383110e70c2cf20a67539bbf759d99229ac2dcd214cae6a3c5de840497bab2c

SHA512
f3ec53223344ea4763479b39ae62a3dde4b83e0db05d4707c9e2c914725943063706c6c53e6fc043ee13640ac98242775c901b84ec76eb3edf11615bd0084488

Download Submit
/data/data/com.xgbuy.xg/files/.jglogs/.jg.di
Filesize
340B

MD5
9c1ac02d3827780e016dd4676783453c

SHA1
3907733be7fc8fa77679a7619586ba7e8bb8f40a

SHA256
a4f792a2acc4de1c302dbde9a0ed460bc3ad91609a37c5034305a2f9052cb7ad

SHA512
cf8601cbe8e5e3f01fc48d051807bbce132a45e22ab0d9ed2fbe85aadc75129b7e2424e169442e41f6b21809f0e78259673576d57c17e2b223dbc38921d4ccb3

Download Submit
/data/data/com.xgbuy.xg/files/.jglogs/.jg.ic
Filesize
57B

MD5
70a42cba408700f9a6c01c7941a8829e

SHA1
eab01cc2c0671538795fb0b1146017dc099d0984

SHA256
499576707ce2623293166979e59c832be5b8636c64ad39aa63ebcf961910c35f

SHA512
8900d4dc8eed0430babbacb72942401bd22ef7fe5430cad90d3ce0c2c53010220d666aa0e2eb1026f3ec81d574c7fa12585b49222a5f15b01637f6ba134fe70c

Download Submit
/data/data/com.xgbuy.xg/files/.jglogs/.jg.li
Filesize
100B

MD5
5f3c32c03e02c01922d676310e701815

SHA1
cc580997db4515550f119a61e096313b3e593ec5

SHA256
072174fd67dccb1557267e412d3b18aca7576dbfebda2dd2b892baec10e7cfcf

SHA512
083c3bfe5b647c0bde2f7baa351f3354a46f98aa590fbd14351682fdb85bf543ae4d8ccebcb7570d5cd23bcbd3b92731de693c6be2089f11d0faa09c1060d572

Download Submit
/data/data/com.xgbuy.xg/files/.jglogs/.jg.rd
Filesize
73B

MD5
1a5d276d1e61ef6ab8262f83cc23eeb4

SHA1
d0979b7b2304f4a8540b132a87ce728637359431

SHA256
54b74f17e1010d576783577bcc52009aeaae6f9c58f3b29f6becd0bbd248091d

SHA512
dc3ab8cdd7c8b549601253ecc5612c6efbd8bddd0fc26f7a463e94eadbea5c8c42e531996a3826bfa6760fd9676f5ece376d8020dda0896f024cd5427fa62f05

Download Submit
/data/data/com.xgbuy.xg/files/.jglogs/.jg.ri
Filesize
314B

MD5
7fe8694c7d5bac1f11da6effbf104071

SHA1
da54c2be15ae07d9221415cedd7e0f4f7d4c9f72

SHA256
edc3ce27570b96d80f5edcee66ab02ecd10fbc166b6a3b082211cd5ecbeffe50

SHA512
65334625c514d0e11a62e9da441f3aeea88cbd6b49eb1bf6a72d86ece1c0a7362eeef05887a5d5be342401d443a9f6f353659d27c8725a166e0e3dcda0851941

Download Submit
/data/data/com.xgbuy.xg/files/.jiagu.lock
Filesize
27B

MD5
0bda0f0db5c71a4520e02192277ce0ed

SHA1
81d58306d85d1cad99d8e55372c79abcc415f93c

SHA256
43c840a533874b3cedd77c17c185dbc158659c8f569e163f3cc232ba321dbdd5

SHA512
685f09ff380c5ca8738022649fe441493696f41520219e97cbf9c2f4180f981a8a9fa8638691a200209eb688074c35ca36b4c288d75252dd655e892e2bd1508e

Download Submit
/data/data/com.xgbuy.xg/files/Mob/mob_commons_1
Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
/data/data/com.xgbuy.xg/files/jpush_stat_history_pushcore/normal/nowrap/604bbe41-4ba5-45b9-8b64-1acaf5970360
Filesize
202B

MD5
04cc7f7d6aecdedd5fa27b9b126bbede

SHA1
1528933ff32ab33a2adee4d0919f280ea7be8668

SHA256
658e739b66bebfd6f0c07cc78da95acb662e72f105d49db6f8730ec4e8e32811

SHA512
59a48273a0ff021a632fdb7ed97ff75f2e8e0c9c0bab03cff8e7605fb5e160d61ac07bf7c945975d4a39bc333ee7a6386150d8738d5077b2cb0a7118213372ef

Download Submit
/storage/emulated/0/360/.deviceId
Filesize
48B

MD5
1d8d16c4e3b19ebf18988530d9b9a757

SHA1
bc94c1cce05cd848a53271ecb9c5311e27ffebf5

SHA256
abd87140da8de3d0aa39a24a8d52bfe7b2eb28f7a3d505f205471c7e8f4964d7

SHA512
4562d1eedbc5c2dd7f25cd1c70343053fd451026403585182b142a64f17016c1bd0bf6ad51667b439b220e425640e55fbbda08517e7106376cdc220a4555da82

Download Submit
/storage/emulated/0/360/.iddata
Filesize
66B

MD5
19402718bfb1c685a726b4e1d846ad98

SHA1
02a7e30044a67085f2f1da24e16e4ecfede65b72

SHA256
079f790e6a1934a94542559f53a89a824aafd3173d956b6019291955aeeb33d0

SHA512
25254318c22cfd301c8bcd479f45797d502b6ab5f14265dadfa3d87b4dd1942a629d3cbc2f0b600cf73b4fe910e3773432f56a0a7b4343e280e20c5a6af0320b

Download Submit
/storage/emulated/0/Mob/.slw
Filesize
66B

MD5
5376297da698294a17e3200d3d0d3b7d

SHA1
675745b8d8992ddd3e476b330891cb4a5cad8b53

SHA256
b9bb70904e233150e2037f5f682d676721526f651be7072329c44bce14f30261

SHA512
cb2f974a65173fdcd523d7d15017ad6f56eee431e4c3d3581fac31a1f7a9bdbd04272c163c1035bbd8c6e2338f6227a9f4b7edf17487d86e8ed98e2ebc2526b9

Download Submit
/storage/emulated/0/Mob/comm/.di
Filesize
181KB

MD5
94871c4f686c8c8585e309322ca6da61

SHA1
07dc51f9cb6fe229c94a1588a6cb1af511aae509

SHA256
bd859f193ec506b66a3c10b891dfee507f3975430505a9dec5113be02d7096f3

SHA512
9b9f4c866a048c006d736e9344b0471398e65c56a04a7655df196a75ab7552bb233a0c54cfb9be6e82195b2b66d1cff6f04facd9b649048931e8579cdbb62328

Download Submit
/storage/emulated/0/data/.push_deviceid
Filesize
32B

MD5
349738c46e6d6431d5ba251bc2303f83

SHA1
b53f07c30cbca411967c843b96cfe068151538f5

SHA256
d63f8515248624b43febe384ca424871432abc0b337ef2888692823da05a7322

SHA512
132dc60c258186c2f5e32cad470bcbe5ee0c7c7dcdad7c6f1160b87d5f58b61d416d9d8be661ab395e153793035b200ed8fd5b2e9aec69a1c4a169e01d56bf8e

Download Submit