313ac76b1563b1ccc7a7f0d99a2ab2a6e9e227e18c3c10861997c8594589aa92

Analysis

max time kernel
63s
max time network
173s
platform
android_x64
resource
android-x64-20240514-en
resource tags

androidarch:x64arch:x86image:android-x64-20240514-enlocale:en-usos:android-10-x64system
submitted
22-05-2024 06:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

664b7798e7f6aa71d4a481a45262f540_JaffaCakes118.apk
Size

24.3MB
MD5

664b7798e7f6aa71d4a481a45262f540
SHA1

5bbdb2d4023e6629c8760c34ff1518fb6aebaeae
SHA256

313ac76b1563b1ccc7a7f0d99a2ab2a6e9e227e18c3c10861997c8594589aa92
SHA512

9b345f8365f39e51996405eaf9fd0fe70df6b4522d984ef9e5ea133b3b79c67c061bb4a9b2d37cc58a37f40ccbc554a5a17a05da4908d77fbaa8dcb550a79eb0
SSDEEP

786432:x7jcfRuyJsEd3m9sTzFteu1za5qsC8h0qsC8hM:x7ofhJj/te6u5pPh0pPhM

Score

8^/10

banker discovery evasion impact persistence

Malware Config

Signatures

Checks if the Android device is rooted. 1 TTPs 4 IoCs
evasion

System Information Discovery
T1426

Processes:

com.todo.wenyiquan

ioc process

/data/local/su com.todo.wenyiquan
/data/local/bin/su com.todo.wenyiquan
/data/local/xbin/su com.todo.wenyiquan
/sbin/su com.todo.wenyiquan
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Checks CPU information 2 TTPs 1 IoCs
Checks CPU information which indicate if the system is an emulator.
evasion discovery

System Checks
T1633.001

System Information Discovery
T1426

Processes:

com.todo.wenyiquan

description ioc process

File opened for read /proc/cpuinfo com.todo.wenyiquan
Checks memory information 2 TTPs 1 IoCs
Checks memory information which indicate if the system is an emulator.
evasion discovery

System Checks
T1633.001

System Information Discovery
T1426

Processes:

com.todo.wenyiquan

description ioc process

File opened for read /proc/meminfo com.todo.wenyiquan

ioc	process
/data/local/su	com.todo.wenyiquan
/data/local/bin/su	com.todo.wenyiquan
/data/local/xbin/su	com.todo.wenyiquan
/sbin/su	com.todo.wenyiquan

description	ioc	process
File opened for read	/proc/cpuinfo	com.todo.wenyiquan

description	ioc	process
File opened for read	/proc/meminfo	com.todo.wenyiquan

Loads dropped Dex/Jar 1 TTPs 2 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

Processes:

com.todo.wenyiquan

ioc	pid	process
/data/user/0/com.todo.wenyiquan/[email protected]	5204	com.todo.wenyiquan
/data/user/0/com.todo.wenyiquan/[email protected]!classes2.dex	5204	com.todo.wenyiquan

Queries information about running processes on the device 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about running processes on the device.
discovery

Process Discovery
T1424

Processes:

com.todo.wenyiquan

description ioc process

Framework service call android.app.IActivityManager.getRunningAppProcesses com.todo.wenyiquan
Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
discovery

System Network Connections Discovery
T1421

Processes:

com.todo.wenyiquan

description ioc process

Framework service call android.net.wifi.IWifiManager.getConnectionInfo com.todo.wenyiquan
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
persistence

Broadcast Receivers
T1624.001

Processes:

com.todo.wenyiquan

description ioc process

Framework service call android.app.IActivityManager.registerReceiver com.todo.wenyiquan
Checks if the internet connection is available 1 TTPs 1 IoCs
discovery

System Network Connections Discovery
T1421

Processes:

com.todo.wenyiquan

description ioc process

Framework service call android.net.IConnectivityManager.getActiveNetworkInfo com.todo.wenyiquan
Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
discovery

System Network Configuration Discovery
T1422
Listens for changes in the sensor environment (might be used to detect emulation) 1 TTPs 1 IoCs
evasion

User Evasion
T1628.002

Processes:

com.todo.wenyiquan

description ioc process

Framework API call android.hardware.SensorManager.registerListener com.todo.wenyiquan
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
impact

Data Encrypted for Impact
T1471

Processes:

com.todo.wenyiquan

description ioc process

Framework API call javax.crypto.Cipher.doFinal com.todo.wenyiquan

description	ioc	process
Framework service call	android.app.IActivityManager.getRunningAppProcesses	com.todo.wenyiquan

description	ioc	process
Framework service call	android.net.wifi.IWifiManager.getConnectionInfo	com.todo.wenyiquan

description	ioc	process
Framework service call	android.app.IActivityManager.registerReceiver	com.todo.wenyiquan

description	ioc	process
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.todo.wenyiquan

description	ioc	process
Framework API call	android.hardware.SensorManager.registerListener	com.todo.wenyiquan

description	ioc	process
Framework API call	javax.crypto.Cipher.doFinal	com.todo.wenyiquan

com.todo.wenyiquan
1⤵
- Checks if the Android device is rooted.
- Checks CPU information
- Checks memory information
- Loads dropped Dex/Jar
- Queries information about running processes on the device
- Queries information about the current Wi-Fi connection
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Checks if the internet connection is available
- Listens for changes in the sensor environment (might be used to detect emulation)
- Uses Crypto APIs (Might try to encrypt user data)
PID:5204

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Hide Artifacts

T1628

User Evasion

T1628.002

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Discovery

Process Discovery

T1424

Software Discovery

T1418

Security Software Discovery

T1418.001

System Information Discovery

T1426

System Network Configuration Discovery

T1422

System Network Connections Discovery

T1421

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.todo.wenyiquan/.jiagu/libjiagu.so
Filesize
486KB

MD5
50750315eef281575611bc425174b939

SHA1
acaff02526d7b4c257e00002ed09af364f66a401

SHA256
c8d37512f73bef5a1c1b060676cdc6d508a8d8dd36f2438f5d6353c9b8524bef

SHA512
60584a993992a68e8d0a53be705e3a9d52fc126df26b9bdcf80d14e659f1d70bceb926e0a99a69fdf40f1c09fd61aa52c2d2c008ee5c3ef59af5922a75161ea9

Download Submit
/data/data/com.todo.wenyiquan/databases/RKStorage
Filesize
20KB

MD5
0e72eb7af758379933df475981fa447e

SHA1
ddd6e54084b247d26d9e07bc060af902893765ed

SHA256
783b181ad5e6d50d16ea508a65aaa863be5eca89b6950a8ec2d8d9250d172427

SHA512
ad1e4a4a2e302e9aadf7c51a3f6d64aae514440ebc4409cc2bc4b117ee16c0ac838edec7bd407d347dce46d0cd1b7c2a835aea6f90636ac9983ef7c6518d1730

Download Submit
/data/data/com.todo.wenyiquan/databases/RKStorage-journal
Filesize
512B

MD5
74190296762b6458e6036957bf06cf59

SHA1
b08b591112b6bda9c2af34c8555113ea4ec8bf9f

SHA256
fe4c2cb48c59d7e45b13277d3203004b23372705932700e0f867c3e24e8e1859

SHA512
3d0a246896a0d5f6626606ec831f1b161e839a3fb6fcc7a07f385b15dd14bfd7c81f1600819df9f64fab9dbec3c382c5461d72c2764aaf29c525f291e4b11f49

Download Submit
/data/data/com.todo.wenyiquan/databases/RKStorage-journal
Filesize
8KB

MD5
dbe9b2f32eb5eb3739639dc961b32803

SHA1
e9f2eb252802bcbb0066e76b28d82eace38e12de

SHA256
10583e6eb38526a44bf61098a5ad64f44bd3ea120ac86f292477dc15f2f58b62

SHA512
9f0d3137d80c7c61e78f88558c0b31f1a83770e1f9457de0b68f14fd2ac81c7edf35025047fe7dc1872902863233b539a9c8ae25e591d70d47e8705b0a87fbbb

Download Submit
/data/data/com.todo.wenyiquan/databases/RKStorage-journal
Filesize
8KB

MD5
9985c6cc31bd320fdfa07b6dd977f752

SHA1
2a8437e920e4f2370f8eb9fce118c582e807f169

SHA256
c937b791227a8b35d3d1c40864ae7b34ee35e9c22716d60ddbb094c9d77ea2f1

SHA512
d0e6ec94c28dc9aef3eae80da13b3e61e3f9b487cb80b2f81b4552324ce81d6c941553d51e00be805448307301ea9357cb3abecc1cfcd5555da80c4fe058a2cb

Download Submit
/data/data/com.todo.wenyiquan/databases/RKStorage-journal
Filesize
12KB

MD5
ceb3ff221afa04242e42061c07703f98

SHA1
95624c66d98ba0653e07442d06bada8c75e92ac9

SHA256
f0204c8c94e3643874325ee5d5c80bc123e2569e94e067fbb1d631bf13e1521e

SHA512
6665ebacaf48e2d907e96bd40989f9aa675fc75380b600d0898c1285934e5cafbb5418f54bdd8aa392fb5fddb46c068f3809c4f3b6e4d38cc611796796c33317

Download Submit
/data/data/com.todo.wenyiquan/files/.jglogs/.jg.ac
Filesize
40B

MD5
91effd48287d4a3b1db4ff7ebb6095c4

SHA1
a71ec91825adf98fee8a31551cfd3fec33f3061d

SHA256
11ec49d3ef682d71a5cd3dd14d645497c25fad884476c430c35ed7a8bf291cd4

SHA512
6becd45ae3b7adc38d56753c2f4ca5f3b2d9acf0caf4d2554a416f7820be0c7ca2aa52c211889f8bc8c2b8352e518f66df0314d93e0d1f46daa7bc6c0409632b

Download Submit
/data/data/com.todo.wenyiquan/files/.jglogs/.jg.ac
Filesize
40B

MD5
f17f87219a4895a0899de4c15f0640f4

SHA1
f9082090561bca1af3fd0be83d1fd7ea586272de

SHA256
73cb575a3b1d38b554828e8a48af8accfd844387c7e2cfce057489fbbaf70aff

SHA512
cafcd17036c78a539405aa17a65d5319bbe558e9b6da22703b23e2e9da95353fe19aab70317c40447951d0735a2e326c02dd6aa901da08f145971faaeb00326c

Download Submit
/data/data/com.todo.wenyiquan/files/.jglogs/.jg.di
Filesize
340B

MD5
bf4dd1935c202441af1460ad3d9a3a40

SHA1
436025be3701bb4988005053b8962f3a88099511

SHA256
0301ee85c801185f0972ce443d390cdbe7d37d70fd8dd043d891a45e959d5fa2

SHA512
aaa696b71447602fb3c8d6d6bdfe09d4ada9d627fb5aa38fd6c74d9f0f3779aefda1a6e6d732fdf72a565dadb5197f40aa37602deddf08d410b1f5711077b114

Download Submit
/data/data/com.todo.wenyiquan/files/.jglogs/.jg.di
Filesize
340B

MD5
0576f4f28bc116d1dd9125c6459f3f47

SHA1
e931ccfc4b97d0ba0d3bd524b270c44f0033f0fe

SHA256
273bb74fa1d9be66c04f57afc6e617597c8a1189b6e16b1db9df44a34f6659d1

SHA512
c803f2e10691ff5fbe2219a874fc999a22567b38e4495e7fd88dbf6c855ad232f81ed515974254975ef0213e8cfde0f406d1da787b11fdfbfb08b126fab2fddb

Download Submit
/data/data/com.todo.wenyiquan/files/.jglogs/.jg.ic
Filesize
40B

MD5
ec6af4313aad6decf5b49587d966f8f6

SHA1
63968032d96496e25efa6349217f7de8888f398f

SHA256
065d7e02b412a38d571b34a196accc88475d5ba6bfd9e6642ed93c20aceb9024

SHA512
74ea7c35783704f1678b0d413bc3959c75930f90a36d9f734634c3399f5ac5952353c466b8472f6e16ce2caf4017e34acc59a163bd1291f87d29eee991bdbbd4

Download Submit
/data/data/com.todo.wenyiquan/files/.jglogs/.jg.rd
Filesize
32B

MD5
4f0eec3305947ea99ecaea2b3247c5b8

SHA1
2e190a540e568cc208124cedafe7787acd7232a6

SHA256
5198fba8785c3ea68fb2666f82a6f3858af75c9120c1bdebec3dc7d5e17a943d

SHA512
2312ff8b8cec58748931919d1d6fe6f2439d0a577521ccbf1302dea616f6561c247c872ba61578024dfc120094421ac35651d08b9d203b6730bf634b9dc86ca6

Download Submit
/data/data/com.todo.wenyiquan/files/.jglogs/.jg.ri
Filesize
314B

MD5
30fb3f9d37578b7ba78225fd5f70ae1b

SHA1
800f6c6d4aaee8c0a43b99110fc9c5e4a0b3549d

SHA256
2f8bc2869025ba54d8c15fa292cf926f98e5fc72ac2e2091d641e0b5e23bb558

SHA512
15bde1a0f2d61b80a0450bd60bcbc65ccb96bba827f0ca12d01c35c3bf9cd24de161e3b65a68ccf004e2936f33990a5b4078b4e6ca795770eeba0dcc33b4a8aa

Download Submit
/data/data/com.todo.wenyiquan/files/.jiagu.lock
Filesize
27B

MD5
a29a98cc8ff55a7edd0f35e0fed7ade9

SHA1
b66c831e6593e82c9cc019720e16413c85905e4c

SHA256
c6396dd9897b436d885d94a3dcb5fe48c96a1c1de84ecb0c9612c28398456ddc

SHA512
1547a18c829819197bf70b6a7910d8b84535c10191dc04329b3080f5ee4a99d37a0cbeb0f1141abab695c23c4ab265a5e8997d937b66f8850b86457943886c5d

Download Submit
/data/data/com.todo.wenyiquan/files/jpush_stat_history/active_user/nowrap/cb395fe8-eeb0-4394-9f09-e9aa6afeff55
Filesize
159B

MD5
21b0ab9296251ee34fbf0ec2fdb035de

SHA1
90062ef488d65e656cc7768241ddd12c6f49f89c

SHA256
2b9717a0a0abc44aeb64b3a5def9315e78e63f84decc52198a7cfbbaf8833c27

SHA512
7713b4d805f85681fa79aa4f948f49a98c3531a676f63be4dafe272e4c811d4ce8e068ac97b413747212cb5b752a8ead5fd114b2e467b6b22070081f72bb0954

Download Submit
/data/data/com.todo.wenyiquan/lib-main/dso_deps
Filesize
288B

MD5
ddf566fa2fcd9b5e8c26c91fe79b7c64

SHA1
5c389edf1d5b2261f9740009a19f4f7e9512018f

SHA256
cfd9d21d00967a5ce1c434abc506c4d8e156bb242528520a7e0606bef1b53b0e

SHA512
62ba402ada962f0afdeb81281fa4a3e7fb9ea8f6b42e30fc57ca00244094fcfd6e1434174b6b808a44e3098adfa7653f61d881168473da0459f6140e99992e76

Download Submit
/data/data/com.todo.wenyiquan/lib-main/dso_manifest
Filesize
5B

MD5
c06857e9ea338f3f3a24bb78f8fbdf6f

SHA1
c5a0a2529d2deb60fec041b4fbd722a2ebe31702

SHA256
957b88b12730e646e0f33d3618b77dfa579e8231e3c59c7104be7165611c8027

SHA512
29f61516876c25379a7bf4faa2b3ca6f6b53eac90e7de47671fec4a818d51441b4025cd7909f7c0a0d113ab6c5ff00cb3700c286bac7319185b77905feec4fb1

Download Submit
/data/data/com.todo.wenyiquan/lib-main/dso_state
Filesize
1B

MD5
93b885adfe0da089cdf634904fd59f71

SHA1
5ba93c9db0cff93f52b521d7420e43f6eda2784f

SHA256
6e340b9cffb37a989ca544e6bb780a2c78901d3fb33738768511a30617afa01d

SHA512
b8244d028981d693af7b456af8efa4cad63d282e19ff14942c246e50d9351d22704a802a71c3580b6370de4ceb293c324a8423342557d4e5c38438f0e36910ee

Download Submit
/data/data/com.todo.wenyiquan/lib-main/dso_state
Filesize
1B

MD5
55a54008ad1ba589aa210d2629c1df41

SHA1
bf8b4530d8d246dd74ac53a13471bba17941dff7

SHA256
4bf5122f344554c53bde2ebb8cd2b7e3d1600ad631c385a5d7cce23c7785459a

SHA512
7b54b66836c1fbdd13d2441d9e1434dc62ca677fb68f5fe66a464baadecdbd00576f8d6b5ac3bcc80844b7d50b1cc6603444bbe7cfcf8fc0aa1ee3c636d9e339

Download Submit
/data/data/com.todo.wenyiquan/no_backup/com.google.InstanceId.properties
Filesize
2KB

MD5
93ceb015640de05d57873d827b73dd76

SHA1
2e9b5db8b8b7c4564164e222616ee5500a244d3a

SHA256
4825fe01d1e42ea59cfcece4809f9ebee8cd89892788d4ebae6d57a83af8d34b

SHA512
8785ba5a1c30b0d024189622376ae7ea89bf8bad1632566d8525cc2fb042f48b728e9177f826e39a2433f487674b2d2f05255c6ac4d13f67283076d66c7b9d14

Download Submit
/data/user/0/com.todo.wenyiquan/[email protected]
Filesize
6.1MB

MD5
a9be0948aa55b12ffd9f74dc9f4fb227

SHA1
d834d5ccc6398b2d9fbae329d7c6a8ac06210608

SHA256
244afcd3831d1cfe95fe610f42cd38f414dbc6e63bdbaa73a7e13954d6b184c2

SHA512
2d202c67bfa15ca6a2549281e12887fc668f68bc36b5488bc8f1b182103a6a5afd2def5297d6e6155153d9faf6e8b3aec8d408f2a367886180706b3373fbd1be

Download Submit
/data/user/0/com.todo.wenyiquan/[email protected]!classes2.dex
Filesize
5.2MB

MD5
647988eb50e4022bd1ee39b2a1b787ec

SHA1
02b6b919f07ce2f7881d3b031a2a5aee2c245887

SHA256
a3608012a01f395aa3c417ab48f31081bcab9f352d574403f0ee455eeeecb79d

SHA512
db05e507625a58cfa625dee85ac078e020fcdc8670a916ae9f47bffd3966b7edb61fd6c777907a0e5a6356732befd7f1ac7e56cd82f71834f58f8271cc95b0eb

Download Submit
/storage/emulated/0/360/.deviceId
Filesize
48B

MD5
4c4c5285293d5141f582aefa4e038669

SHA1
e01852a72e5a8e6f7d63a21426b515118196047b

SHA256
36c5c63f39ddf7a6a9c01946e4f78b95790aa734176802e793e95724a1b5b731

SHA512
097aa673273e307f7bfb7c08861ad389d4b5f7fae55d972a5c1636aa66d0b8d23b5eb9b696cefe0e5b942f23969dabf0147397aeca85fb9a4d75e0473104e399

Download Submit
/storage/emulated/0/360/.iddata
Filesize
32B

MD5
3e7ec44549bf53799b6fc1eec4206878

SHA1
e2c950b6ffa39175ac0d80d347a69410559f4737

SHA256
3afd9d917ee358cbe760749a58335742e1fc37bc677308d1727470c262e93c06

SHA512
8cea1a79bb5e6958b9d94a9daef4a3b28e03e19b80331d5d9384dc606fef3392fe360ab9f1a268c247b977aa9e16286ddab4d8e98a88889ef3e0ca269ec77964

Download Submit
/storage/emulated/0/data/.push_deviceid
Filesize
32B

MD5
987855c8e1af08abf02fd5b734fb3352

SHA1
f9b90d20947d87decddb2d64a147d570036d8d19

SHA256
be951e7ff0cddd3b3893f0756d97f7ed1b373daea5c113507658c2fc0595e393

SHA512
6a958227fb42ed0f44ecb5ae561d85670a339a425e20afca37fb4e8e3b0bba05433887960ab55b0dd8930fea515e3c703b7a6e3024becc429dd322b1f55f0250

Download Submit