Analysis
- max time kernel: 65s
- max time network: 168s
- platform: android_x86
- resource: android-x86-arm-20240514-en
- resource tags: android, arch:arm, arch:x86, image:android-x86-arm-20240514-en, locale:en-us, os:android-9-x86, system
- submitted: 22-05-2024 12:02
Static task
- static1
Behavioral task
- behavioral1
  Sample: shadowsocks4.0.1_android.apk
  Resource: android-x86-arm-20240514-en
Behavioral task
- behavioral2
  Sample: shadowsocks4.0.1_android.apk
  Resource: android-x64-arm64-20240514-en
General
- Target: shadowsocks4.0.1_android.apk
- Size: 8.8MB
- MD5: a7d32c91f0e650e43db3da6d0f8a9be3
- SHA1: 3260b8ba76dc98ef3ea4878488b2779a8bfc0a86
- SHA256: 0ae7293e2437078ce05e55e0bf1bd27c2d4f4d3f3e7d5b41ac77706f792dd59d
- SHA512: 675fde4ff8fd6163f53cc30673d179a861b491c986a7e3edbb8dbcaa04bd13a9ade3926eddf35f1cd85e53c0403c84af5f4c8f2c35fef5b259a9bdb1a6020efc
- SSDEEP: 196608:eDkVaV095oNK+pb9O7cDgeBtmE0UxvaszD5Mat1z9mX3033U2H5Udrkl/Z:eDkP9iNxRI7mg6tmEHJnzD55kk33U7YZ
Malware Config
Signatures
- Checks if the Android device is rooted. (1 TTPs, 1 IoCs)
- Checks Android system properties for emulator presence. (1 TTPs, 1 IoCs)
  Processes: com.github.shadowsocks
  IoC: Accessed system property key ro.product.model (process: com.github.shadowsocks)
- Checks CPU information (2 TTPs, 1 IoCs)
  Checks CPU information which indicates if the system is an emulator.
- Checks memory information (2 TTPs, 1 IoCs)
  Checks memory information which indicates if the system is an emulator.
- Loads dropped Dex/Jar (1 TTPs, 1 IoCs)
  Runs executable file dropped to the device during analysis.
  Processes: com.github.shadowsocks
  IoC: /data/user/0/com.github.shadowsocks/cache/1582435991586.jar (pid: 4307, process: com.github.shadowsocks)
- Queries information about running processes on the device (1 TTPs, 1 IoCs)
  Application may abuse the framework's APIs to collect information about running processes on the device.
  Processes: com.github.shadowsocks
  IoC: Framework service call android.app.IActivityManager.getRunningAppProcesses (process: com.github.shadowsocks)
- Queries the mobile country code (MCC) (1 TTPs, 1 IoCs)
  Processes: com.github.shadowsocks
  IoC: Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone (process: com.github.shadowsocks)
- Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTPs, 1 IoCs)
  Processes: com.github.shadowsocks
  IoC: Framework service call android.app.IActivityManager.registerReceiver (process: com.github.shadowsocks)
- Acquires the wake lock (2 IoCs)
  Processes: com.github.shadowsocks, com.github.shadowsocks:bg
  IoC: Framework service call android.os.IPowerManager.acquireWakeLock (process: com.github.shadowsocks)
  IoC: Framework service call android.os.IPowerManager.acquireWakeLock (process: com.github.shadowsocks:bg)
- Uses Crypto APIs (Might try to encrypt user data) (1 TTPs, 1 IoCs)
  Processes: com.github.shadowsocks
  IoC: Framework API call javax.crypto.Cipher.doFinal (process: com.github.shadowsocks)
Processes
- com.github.shadowsocks
  - Checks if the Android device is rooted.
  - Checks Android system properties for emulator presence.
  - Checks CPU information
  - Checks memory information
  - Loads dropped Dex/Jar
  - Queries information about running processes on the device
  - Queries the mobile country code (MCC)
  - Registers a broadcast receiver at runtime (usually for listening for system events)
  - Acquires the wake lock
  - Uses Crypto APIs (Might try to encrypt user data)
- com.github.shadowsocks:bg
  - Acquires the wake lock
Downloads