88ca809e49b36ffcaeee78ffaf89ef7ef066b6ec4ac554099969f3cd1430d33e

Analysis

max time kernel
174s
max time network
186s
platform
android_x86
resource
android-x86-arm-20240514-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20240514-enlocale:en-usos:android-9-x86system
submitted
22-05-2024 22:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

68de169e5c3a055d0302aa540816ac1c_JaffaCakes118.apk
Size

18.0MB
MD5

68de169e5c3a055d0302aa540816ac1c
SHA1

2925e071b97102b9c75654cb09076356bee085dd
SHA256

88ca809e49b36ffcaeee78ffaf89ef7ef066b6ec4ac554099969f3cd1430d33e
SHA512

d345af583bf3453b637b56e16589d41db87e5f77dc0e291934106b904b2c785cbe21d6fc160a5cfd101c4ddec6b9d8ecbe6eecf17510bfdccd647c9dd099c687
SSDEEP

393216:+NKMf1mAplwBcHUcd+r2tF9Ya3g7gf/dgSRYe3u8:+NKMf0ApyqHLF9Twc2SWe5

Score

8^/10

collection discovery evasion impact persistence

Malware Config

Signatures

Checks if the Android device is rooted. 1 TTPs 1 IoCs
evasion

System Information Discovery
T1426

Processes:

com.xgbuy.xg

ioc process

/system/app/Superuser.apk com.xgbuy.xg
Requests cell location 2 TTPs 1 IoCs
Uses Android APIs to to get current cell location.
collection discovery evasion

Location Tracking
T1430

Geofencing
T1627.001

Processes:

com.xgbuy.xg

description ioc process

Framework service call com.android.internal.telephony.ITelephony.getCellLocation com.xgbuy.xg
Checks CPU information 2 TTPs 1 IoCs
Checks CPU information which indicate if the system is an emulator.
evasion discovery

System Checks
T1633.001

System Information Discovery
T1426

Processes:

com.xgbuy.xg

description ioc process

File opened for read /proc/cpuinfo com.xgbuy.xg

ioc	process
/system/app/Superuser.apk	com.xgbuy.xg

description	ioc	process
Framework service call	com.android.internal.telephony.ITelephony.getCellLocation	com.xgbuy.xg

description	ioc	process
File opened for read	/proc/cpuinfo	com.xgbuy.xg

Loads dropped Dex/Jar 1 TTPs 10 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

Processes:

com.xgbuy.xgcom.xgbuy.xg:pushcore

ioc	pid	process
/data/data/com.xgbuy.xg/.jiagu/classes.dex	4216	com.xgbuy.xg
/data/data/com.xgbuy.xg/.jiagu/classes.dex!classes2.dex	4216	com.xgbuy.xg
/data/data/com.xgbuy.xg/.jiagu/classes.dex!classes3.dex	4216	com.xgbuy.xg
/data/data/com.xgbuy.xg/.jiagu/tmp.dex	4216	com.xgbuy.xg
/data/data/com.xgbuy.xg/.jiagu/tmp.dex	4216	com.xgbuy.xg
/data/data/com.xgbuy.xg/.jiagu/classes.dex	4318	com.xgbuy.xg:pushcore
/data/data/com.xgbuy.xg/.jiagu/classes.dex!classes2.dex	4318	com.xgbuy.xg:pushcore
/data/data/com.xgbuy.xg/.jiagu/classes.dex!classes3.dex	4318	com.xgbuy.xg:pushcore
/data/data/com.xgbuy.xg/.jiagu/tmp.dex	4318	com.xgbuy.xg:pushcore
/data/data/com.xgbuy.xg/.jiagu/tmp.dex	4318	com.xgbuy.xg:pushcore

Queries information about running processes on the device 1 TTPs 2 IoCs

Application may abuse the framework's APIs to collect information about running processes on the device.

discovery

Process Discovery

T1424

Processes:

com.xgbuy.xgcom.xgbuy.xg:pushcore

description	ioc	process
Framework service call	android.app.IActivityManager.getRunningAppProcesses	com.xgbuy.xg
Framework service call	android.app.IActivityManager.getRunningAppProcesses	com.xgbuy.xg:pushcore

Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
discovery

System Network Connections Discovery
T1421

Processes:

com.xgbuy.xg

description ioc process

Framework service call android.net.wifi.IWifiManager.getConnectionInfo com.xgbuy.xg

description	ioc	process
Framework service call	android.net.wifi.IWifiManager.getConnectionInfo	com.xgbuy.xg

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 2 IoCs

persistence

Broadcast Receivers

T1624.001

Processes:

com.xgbuy.xgcom.xgbuy.xg:pushcore

description	ioc	process
Framework service call	android.app.IActivityManager.registerReceiver	com.xgbuy.xg
Framework service call	android.app.IActivityManager.registerReceiver	com.xgbuy.xg:pushcore

Checks if the internet connection is available 1 TTPs 2 IoCs

discovery

System Network Connections Discovery

T1421

Processes:

com.xgbuy.xgcom.xgbuy.xg:pushcore

description	ioc	process
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.xgbuy.xg
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.xgbuy.xg:pushcore

Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422
Listens for changes in the sensor environment (might be used to detect emulation) 1 TTPs 1 IoCs
evasion

User Evasion
T1628.002

Processes:

com.xgbuy.xg

description ioc process

Framework API call android.hardware.SensorManager.registerListener com.xgbuy.xg
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 2 IoCs
impact

Data Encrypted for Impact
T1471

Processes:

com.xgbuy.xgcom.xgbuy.xg:pushcore

description ioc process

Framework API call javax.crypto.Cipher.doFinal com.xgbuy.xg
Framework API call javax.crypto.Cipher.doFinal com.xgbuy.xg:pushcore

description	ioc	process
Framework API call	android.hardware.SensorManager.registerListener	com.xgbuy.xg

description	ioc	process
Framework API call	javax.crypto.Cipher.doFinal	com.xgbuy.xg
Framework API call	javax.crypto.Cipher.doFinal	com.xgbuy.xg:pushcore

com.xgbuy.xg
1⤵
- Checks if the Android device is rooted.
- Requests cell location
- Checks CPU information
- Loads dropped Dex/Jar
- Queries information about running processes on the device
- Queries information about the current Wi-Fi connection
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Checks if the internet connection is available
- Listens for changes in the sensor environment (might be used to detect emulation)
- Uses Crypto APIs (Might try to encrypt user data)
PID:4216
- ls /sys/class/thermal
  2⤵
  PID:4503

com.xgbuy.xg:pushcore
1⤵
- Loads dropped Dex/Jar
- Queries information about running processes on the device
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Checks if the internet connection is available
- Uses Crypto APIs (Might try to encrypt user data)
PID:4318

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Execution Guardrails

T1627

Geofencing

T1627.001

Hide Artifacts

T1628

User Evasion

T1628.002

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Discovery

Location Tracking

T1430

Process Discovery

T1424

System Information Discovery

T1426

System Network Configuration Discovery

T1422

System Network Connections Discovery

T1421

Lateral Movement

Collection

Location Tracking

T1430

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.xgbuy.xg/.jiagu/classes.dex

Filesize
6.6MB

MD5
af40ddebf367d3418c410ba2bbdb34a6

SHA1
9a5c0f557da523fb37d3ea9f1dad84e45b78b8ab

SHA256
fd4c1d3b24b0138f6f355235f35815ff43de7e73e5029854ac0581f6d5b4cb45

SHA512
6ca004321a8ef7f6a08b5be12833971bf017ff58c753ebe73d682abcf5633f084b9b1f5c3453432894f8ce8c9b306963b345cc0d6503450667d9ef66d3ac0ae7

Download Submit
/data/data/com.xgbuy.xg/.jiagu/classes.dex!classes2.dex

Filesize
6.5MB

MD5
56a56032a56816197231ccd2c1447841

SHA1
42b24c7723619c5bbfff5625ee1f4ff7a9afb34a

SHA256
920b1975141f98268ddde30a18db00a3c92776c8472763640b06009b90ccf039

SHA512
f47a2ee1f15a58887d5158bf141277a7d6488fcd31a9c85ca0d6706a4252433b812e8a49e956fba313393ac55333bee777394d300e136d489a484f5e883e3165

Download Submit
/data/data/com.xgbuy.xg/.jiagu/classes.dex!classes3.dex

Filesize
2.1MB

MD5
63eb01b23dce33b6abd34b5693031ca8

SHA1
870abc96ae069aa034b1b647244af5465a881ddf

SHA256
3798ad86a5974af83d89bc71f1737c1747ca4561beb07f74a214675efab02629

SHA512
eac344e6167fc50acfca60a177bccf404cd0eb595b0b3e948f88af21ac3d7c14a49d0d7162bc5ef529b9107132c8ac3d0242186ac1b0ac231acc31e8f969311a

Download Submit
/data/data/com.xgbuy.xg/.jiagu/libjiagu.so

Filesize
486KB

MD5
50750315eef281575611bc425174b939

SHA1
acaff02526d7b4c257e00002ed09af364f66a401

SHA256
c8d37512f73bef5a1c1b060676cdc6d508a8d8dd36f2438f5d6353c9b8524bef

SHA512
60584a993992a68e8d0a53be705e3a9d52fc126df26b9bdcf80d14e659f1d70bceb926e0a99a69fdf40f1c09fd61aa52c2d2c008ee5c3ef59af5922a75161ea9

Download Submit
/data/data/com.xgbuy.xg/.jiagu/tmp.dex

Filesize
284B

MD5
f1771b68f5f9b168b79ff59ae2daabe4

SHA1
0df6a835559f5c99670214a12700e7d8c28e5a42

SHA256
9f8898ce35a47aeafced99ea0d17c33e73037bb2307c7688e50819966f4ae939

SHA512
dae27d19727b89bec49398503baa6801640540355688dfabbe689c97545295c2c2d9b0f0dcd7cbc4cfbf701d0c0c3289e647a152f49ff242d1ecc741efe4145d

Download Submit
/data/data/com.xgbuy.xg/databases/ThrowalbeLog.db

Filesize
4KB

MD5
f2b4b0190b9f384ca885f0c8c9b14700

SHA1
934ff2646757b5b6e7f20f6a0aa76c7f995d9361

SHA256
0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

SHA512
ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

Download Submit
/data/data/com.xgbuy.xg/databases/ThrowalbeLog.db-journal

Filesize
512B

MD5
b429033956b4ac0c17c4ddc042be0935

SHA1
9745002d042a2519aadfb32efa6e8640a9acbfc6

SHA256
e9164dc555a69b818e88e40c11e6d60da65e12d741908856c18647a4c6c519dd

SHA512
292e85d1619c53282af60ad4f36af68c82fb3ac15464a8f7257f7686facd210bd4014edc669996521b6fdb6cbe25b691cc6fa21b2e9c049ae940eadee107f5ee

Download Submit
/data/data/com.xgbuy.xg/databases/ThrowalbeLog.db-shm

Filesize
32KB

MD5
bb7df04e1b0a2570657527a7e108ae23

SHA1
5188431849b4613152fd7bdba6a3ff0a4fd6424b

SHA256
c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

SHA512
768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Download Submit
/data/data/com.xgbuy.xg/databases/ThrowalbeLog.db-wal

Filesize
32KB

MD5
35d165ed5419551f08f73d57863f59f9

SHA1
e0dc3e4e7277c73c51a4af4c0b28e7cead5e7550

SHA256
d536ae4c0d20f97ed8e58dd0c85efadc206e06eb315b27c154ba220033019e02

SHA512
21ec052aad7e6a905c98f09aa951b35646e1634273a4ae7e88819e8b11c77405407eacb53391650f5a3b681a301f45b77b490f489249ada42a7ed79cc67a5249

Download Submit
/data/data/com.xgbuy.xg/databases/xinggou

Filesize
4KB

MD5
b0b254e10c81a34773a77b440fb3d1e4

SHA1
c68f72390b63e4834341e647833cf15ed20b1079

SHA256
bb16e927536ab45b8bb45bb7c6466dfceba8975d5f0bef721b2492425706d557

SHA512
264bc29d4cb8477e08be75e417bc15982efa54440cd13638455592d0ea5c7e16844e650b80e51f82af382af90f7b04c86d2c02f357a05be08a4f6be603d28a73

Download Submit
/data/data/com.xgbuy.xg/databases/xinggou-journal

Filesize
512B

MD5
443a06d7ee53023a548c73c9a1574b8d

SHA1
53e53faefe03cf408529cf795b1e37cc46c66892

SHA256
4f248a4870e3a029b526ff524088759d1f8154b4002b99e78cf3e97f018faba0

SHA512
f18ec155ce7f716658626cb2f327651ca2021c079f0f7eedd1fd15006adb40253065331990386c8708c0db46ae85d140464ea484321a57a6c3802f5d5af3833c

Download Submit
/data/data/com.xgbuy.xg/databases/xinggou-shm

Filesize
28KB

MD5
cf845a781c107ec1346e849c9dd1b7e8

SHA1
b44ccc7f7d519352422e59ee8b0bdbac881768a7

SHA256
18619b678a5c207a971a0aa931604f48162e307c57ecdec450d5f095fe9f32c7

SHA512
4802861ea06dc7fb85229a3c8f04e707a084f1ba516510c6f269821b33c8ee4ebf495258fe5bee4850668a5aac1a45f0edf51580da13b7ee160a29d067c67612

Download Submit
/data/data/com.xgbuy.xg/databases/xinggou-wal

Filesize
88KB

MD5
06aede0047540f223dbdd6b303fcf6b0

SHA1
75006963702d03b3040d7fdfbf8a2c52831d2058

SHA256
5d84798a827575aa4b4a482bc71454ae44c93ae98769ec877e28e91d9844ba0f

SHA512
a86d42ad1f38bf33dc198768ff419478778d3202012ebf57b7aa7fba312a6135f84604268c6d0697bbd3a3dba6ffd04dee1f50556ad7c9ac3587ce63cbf7953c

Download Submit
/data/data/com.xgbuy.xg/files/.jglogs/.jg.ac

Filesize
32B

MD5
1264f30db5bc978090c891fc9ba97820

SHA1
22a1664ca5bac8af36bdaf8e4098c02c7fc9c1fc

SHA256
6383110e70c2cf20a67539bbf759d99229ac2dcd214cae6a3c5de840497bab2c

SHA512
f3ec53223344ea4763479b39ae62a3dde4b83e0db05d4707c9e2c914725943063706c6c53e6fc043ee13640ac98242775c901b84ec76eb3edf11615bd0084488

Download Submit
/data/data/com.xgbuy.xg/files/.jglogs/.jg.di

Filesize
340B

MD5
9c1ac02d3827780e016dd4676783453c

SHA1
3907733be7fc8fa77679a7619586ba7e8bb8f40a

SHA256
a4f792a2acc4de1c302dbde9a0ed460bc3ad91609a37c5034305a2f9052cb7ad

SHA512
cf8601cbe8e5e3f01fc48d051807bbce132a45e22ab0d9ed2fbe85aadc75129b7e2424e169442e41f6b21809f0e78259673576d57c17e2b223dbc38921d4ccb3

Download Submit
/data/data/com.xgbuy.xg/files/.jglogs/.jg.ic

Filesize
57B

MD5
70a42cba408700f9a6c01c7941a8829e

SHA1
eab01cc2c0671538795fb0b1146017dc099d0984

SHA256
499576707ce2623293166979e59c832be5b8636c64ad39aa63ebcf961910c35f

SHA512
8900d4dc8eed0430babbacb72942401bd22ef7fe5430cad90d3ce0c2c53010220d666aa0e2eb1026f3ec81d574c7fa12585b49222a5f15b01637f6ba134fe70c

Download Submit
/data/data/com.xgbuy.xg/files/.jglogs/.jg.li

Filesize
100B

MD5
5f3c32c03e02c01922d676310e701815

SHA1
cc580997db4515550f119a61e096313b3e593ec5

SHA256
072174fd67dccb1557267e412d3b18aca7576dbfebda2dd2b892baec10e7cfcf

SHA512
083c3bfe5b647c0bde2f7baa351f3354a46f98aa590fbd14351682fdb85bf543ae4d8ccebcb7570d5cd23bcbd3b92731de693c6be2089f11d0faa09c1060d572

Download Submit
/data/data/com.xgbuy.xg/files/.jglogs/.jg.rd

Filesize
73B

MD5
1a5d276d1e61ef6ab8262f83cc23eeb4

SHA1
d0979b7b2304f4a8540b132a87ce728637359431

SHA256
54b74f17e1010d576783577bcc52009aeaae6f9c58f3b29f6becd0bbd248091d

SHA512
dc3ab8cdd7c8b549601253ecc5612c6efbd8bddd0fc26f7a463e94eadbea5c8c42e531996a3826bfa6760fd9676f5ece376d8020dda0896f024cd5427fa62f05

Download Submit
/data/data/com.xgbuy.xg/files/.jglogs/.jg.ri

Filesize
314B

MD5
7fe8694c7d5bac1f11da6effbf104071

SHA1
da54c2be15ae07d9221415cedd7e0f4f7d4c9f72

SHA256
edc3ce27570b96d80f5edcee66ab02ecd10fbc166b6a3b082211cd5ecbeffe50

SHA512
65334625c514d0e11a62e9da441f3aeea88cbd6b49eb1bf6a72d86ece1c0a7362eeef05887a5d5be342401d443a9f6f353659d27c8725a166e0e3dcda0851941

Download Submit
/data/data/com.xgbuy.xg/files/.jiagu.lock

Filesize
27B

MD5
0bda0f0db5c71a4520e02192277ce0ed

SHA1
81d58306d85d1cad99d8e55372c79abcc415f93c

SHA256
43c840a533874b3cedd77c17c185dbc158659c8f569e163f3cc232ba321dbdd5

SHA512
685f09ff380c5ca8738022649fe441493696f41520219e97cbf9c2f4180f981a8a9fa8638691a200209eb688074c35ca36b4c288d75252dd655e892e2bd1508e

Download Submit
/data/data/com.xgbuy.xg/files/Mob/mob_commons_1

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
/data/data/com.xgbuy.xg/files/jpush_stat_history_pushcore/normal/nowrap/604bbe41-4ba5-45b9-8b64-1acaf5970360

Filesize
202B

MD5
04cc7f7d6aecdedd5fa27b9b126bbede

SHA1
1528933ff32ab33a2adee4d0919f280ea7be8668

SHA256
658e739b66bebfd6f0c07cc78da95acb662e72f105d49db6f8730ec4e8e32811

SHA512
59a48273a0ff021a632fdb7ed97ff75f2e8e0c9c0bab03cff8e7605fb5e160d61ac07bf7c945975d4a39bc333ee7a6386150d8738d5077b2cb0a7118213372ef

Download Submit
/storage/emulated/0/360/.deviceId

Filesize
48B

MD5
1d8d16c4e3b19ebf18988530d9b9a757

SHA1
bc94c1cce05cd848a53271ecb9c5311e27ffebf5

SHA256
abd87140da8de3d0aa39a24a8d52bfe7b2eb28f7a3d505f205471c7e8f4964d7

SHA512
4562d1eedbc5c2dd7f25cd1c70343053fd451026403585182b142a64f17016c1bd0bf6ad51667b439b220e425640e55fbbda08517e7106376cdc220a4555da82

Download Submit
/storage/emulated/0/360/.iddata

Filesize
66B

MD5
19402718bfb1c685a726b4e1d846ad98

SHA1
02a7e30044a67085f2f1da24e16e4ecfede65b72

SHA256
079f790e6a1934a94542559f53a89a824aafd3173d956b6019291955aeeb33d0

SHA512
25254318c22cfd301c8bcd479f45797d502b6ab5f14265dadfa3d87b4dd1942a629d3cbc2f0b600cf73b4fe910e3773432f56a0a7b4343e280e20c5a6af0320b

Download Submit
/storage/emulated/0/Mob/.slw

Filesize
66B

MD5
5376297da698294a17e3200d3d0d3b7d

SHA1
675745b8d8992ddd3e476b330891cb4a5cad8b53

SHA256
b9bb70904e233150e2037f5f682d676721526f651be7072329c44bce14f30261

SHA512
cb2f974a65173fdcd523d7d15017ad6f56eee431e4c3d3581fac31a1f7a9bdbd04272c163c1035bbd8c6e2338f6227a9f4b7edf17487d86e8ed98e2ebc2526b9

Download Submit
/storage/emulated/0/Mob/comm/.di

Filesize
181KB

MD5
94871c4f686c8c8585e309322ca6da61

SHA1
07dc51f9cb6fe229c94a1588a6cb1af511aae509

SHA256
bd859f193ec506b66a3c10b891dfee507f3975430505a9dec5113be02d7096f3

SHA512
9b9f4c866a048c006d736e9344b0471398e65c56a04a7655df196a75ab7552bb233a0c54cfb9be6e82195b2b66d1cff6f04facd9b649048931e8579cdbb62328

Download Submit
/storage/emulated/0/data/.push_deviceid

Filesize
32B

MD5
349738c46e6d6431d5ba251bc2303f83

SHA1
b53f07c30cbca411967c843b96cfe068151538f5

SHA256
d63f8515248624b43febe384ca424871432abc0b337ef2888692823da05a7322

SHA512
132dc60c258186c2f5e32cad470bcbe5ee0c7c7dcdad7c6f1160b87d5f58b61d416d9d8be661ab395e153793035b200ed8fd5b2e9aec69a1c4a169e01d56bf8e

Download Submit