0ae7293e2437078ce05e55e0bf1bd27c2d4f4d3f3e7d5b41ac77706f792dd59d

Analysis

max time kernel
65s
max time network
168s
platform
android_x86
resource
android-x86-arm-20240514-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20240514-enlocale:en-usos:android-9-x86system
submitted
22-05-2024 12:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

shadowsocks4.0.1_android.apk
Size

8.8MB
MD5

a7d32c91f0e650e43db3da6d0f8a9be3
SHA1

3260b8ba76dc98ef3ea4878488b2779a8bfc0a86
SHA256

0ae7293e2437078ce05e55e0bf1bd27c2d4f4d3f3e7d5b41ac77706f792dd59d
SHA512

675fde4ff8fd6163f53cc30673d179a861b491c986a7e3edbb8dbcaa04bd13a9ade3926eddf35f1cd85e53c0403c84af5f4c8f2c35fef5b259a9bdb1a6020efc
SSDEEP

196608:eDkVaV095oNK+pb9O7cDgeBtmE0UxvaszD5Mat1z9mX3033U2H5Udrkl/Z:eDkP9iNxRI7mg6tmEHJnzD55kk33U7YZ

Score

8^/10

discovery evasion impact persistence

Malware Config

Signatures

Checks if the Android device is rooted. 1 TTPs 1 IoCs
evasion

T1426

Processes:

com.github.shadowsocks

ioc process

/system/app/Superuser.apk com.github.shadowsocks
Checks Android system properties for emulator presence. 1 TTPs 1 IoCs
evasion

T1633.001

Processes:

com.github.shadowsocks

description ioc process

Accessed system property key: ro.product.model com.github.shadowsocks
Checks CPU information 2 TTPs 1 IoCs
Checks CPU information which indicate if the system is an emulator.
evasion discovery

T1633.001

T1426

Processes:

com.github.shadowsocks

description ioc process

File opened for read /proc/cpuinfo com.github.shadowsocks
Checks memory information 2 TTPs 1 IoCs
Checks memory information which indicate if the system is an emulator.
evasion discovery

T1633.001

T1426

Processes:

com.github.shadowsocks

description ioc process

File opened for read /proc/meminfo com.github.shadowsocks
Loads dropped Dex/Jar 1 TTPs 1 IoCs
Runs executable file dropped to the device during analysis.
evasion

T1407

Processes:

com.github.shadowsocks

ioc pid process

/data/user/0/com.github.shadowsocks/cache/1582435991586.jar 4307 com.github.shadowsocks
Queries information about running processes on the device 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about running processes on the device.
discovery

T1424

Processes:

com.github.shadowsocks

description ioc process

Framework service call android.app.IActivityManager.getRunningAppProcesses com.github.shadowsocks
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
discovery

T1422

Processes:

com.github.shadowsocks

description ioc process

Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone com.github.shadowsocks
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
persistence

T1624.001

Processes:

com.github.shadowsocks

description ioc process

Framework service call android.app.IActivityManager.registerReceiver com.github.shadowsocks

ioc	process
/system/app/Superuser.apk	com.github.shadowsocks

description	ioc	process
Accessed system property	key: ro.product.model	com.github.shadowsocks

description	ioc	process
File opened for read	/proc/cpuinfo	com.github.shadowsocks

description	ioc	process
File opened for read	/proc/meminfo	com.github.shadowsocks

ioc	pid	process
/data/user/0/com.github.shadowsocks/cache/1582435991586.jar	4307	com.github.shadowsocks

description	ioc	process
Framework service call	android.app.IActivityManager.getRunningAppProcesses	com.github.shadowsocks

description	ioc	process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.github.shadowsocks

description	ioc	process
Framework service call	android.app.IActivityManager.registerReceiver	com.github.shadowsocks

Acquires the wake lock 2 IoCs

Processes:

com.github.shadowsockscom.github.shadowsocks:bg

description	ioc	process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.github.shadowsocks
Framework service call	android.os.IPowerManager.acquireWakeLock	com.github.shadowsocks:bg

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
impact

T1471

Processes:

com.github.shadowsocks

description ioc process

Framework API call javax.crypto.Cipher.doFinal com.github.shadowsocks

description	ioc	process
Framework API call	javax.crypto.Cipher.doFinal	com.github.shadowsocks

com.github.shadowsocks
1⤵
- Checks if the Android device is rooted.
- Checks Android system properties for emulator presence.
- Checks CPU information
- Checks memory information
- Loads dropped Dex/Jar
- Queries information about running processes on the device
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Acquires the wake lock
- Uses Crypto APIs (Might try to encrypt user data)
PID:4307

com.github.shadowsocks:bg
1⤵
- Acquires the wake lock
PID:4338

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.github.shadowsocks/cache/oat/1582435991586.jar.cur.prof
Filesize
97B

MD5
52da1a865917e5e9282e4cf8f181f8bd

SHA1
18aea02c73151e404ecfa226c84ae04b51827065

SHA256
41d8bab578685da57f019cd7aa20a984ff6e20ac085544d1940d08af6306c220

SHA512
64a31dbd5da80d4613a1eabcc80afb8e0f95036fa6c15165002f247c6128a1ebe391dadfdee95b5e6b7b73a204314e334a5a9148eafd2e9274893bae9ea7631e

Download Submit
/data/data/com.github.shadowsocks/databases/evernote_jobs.db
Filesize
16KB

MD5
978fdf85b8448e3a7c9015e51477eb49

SHA1
793bb88398dc9457935a4416638d5ed3974baf19

SHA256
8f72919eebbe45ed6d33b7b763d7e45d76a880128aee9aa5c29d28ab79689a92

SHA512
852b2d3e2607c96625e9bcd454c702ccec6a0f07aba3410976d6400ecd2d48ccc92d93c8ce7fcc87a622d04357bd6805a996f11d339ca7fc3eab99c0e991fe38

Download Submit
/data/data/com.github.shadowsocks/databases/evernote_jobs.db-journal
Filesize
512B

MD5
63eba976ac4ef255db2e9998225250da

SHA1
4a2f5c8761b2b75f4cb39257f2f77c91f42bbc28

SHA256
4cc28fc39256394e32ac3c55c5daf5572876a28e9db7c79850631cb321c6fe73

SHA512
5ce85d91624f5d38f068d50282c919bba43594b47560e661e948ce1005e6749bce63d60ef0c1acab651f45fd51a81fc77e660b43377c04409913603f46ac69c0

Download Submit
/data/data/com.github.shadowsocks/databases/profile.db
Filesize
4KB

MD5
4a4b3fd25101da3e36979b5f74d2d55a

SHA1
df96b0d8829dcdb5929febe3b98bee59fb2638c9

SHA256
1d99b25629083a08d37bba81a1972bf4cc1f7d0173c41cff9ffd74d0d9ec3712

SHA512
8fce4f749b0bf2e5ebd89f8578b5b915bb4f61d67370ddf8fc642f7006b8479452e540893933646f60825fcc4c9fa7d76fa51a7fa2db89ff50df46d93b55c456

Download Submit
/data/data/com.github.shadowsocks/databases/profile.db-journal
Filesize
66KB

MD5
2a223c05dde35e3a8dee72ab84f49cb4

SHA1
1267b6de69729685673af3b337d1c74add17175b

SHA256
c698a76dc5dae0cf3ab86e0c44dd83f3e2f2f4642b3d909d515e1f415849bdd1

SHA512
66af1a7983365d115f2ce259f261ad58b6a331e4ccea5cf299d221eebd466b755d67727d225ff14cd88b0655d28b81a20045a1ef08186c2b51770fe6ce4e4b14

Download Submit
/data/data/com.github.shadowsocks/databases/profile.db-shm
Filesize
77KB

MD5
42d684ac41338d805b83fb49bca06f52

SHA1
9edb92a3b1c06ba4ac14aeb3cff8cdf5e57e5d26

SHA256
f76085cf9b73b97e47fea6363218d1334ea3aa4182900c9353d5a26e397c570b

SHA512
b7bc7258714ee5ebea7c02cbd568f9f202396694d91b6731a14f869652448f89d13d7e795131126785271449047fc65bdb9653bb69b040a214034cf9ada5e22f

Download Submit
/data/data/com.github.shadowsocks/databases/profile.db-wal
Filesize
81KB

MD5
7064173cc58b205edd2878f73ca5e6a4

SHA1
8aa422d0d501915810f0a8f98d4c4eeb805a4944

SHA256
4389bda46e05c20a102eb26ff5dcb2a3d767639d19399a2e52b50bc270910530

SHA512
183883d93e68088688b242e743a4d7ba6af2b28a3300f661e6f511755a806979071dd4b09628eb280f54b188f5e3838f678fe3695b7b0475f626c5be0a0d58ce

Download Submit
/data/data/com.github.shadowsocks/files/bypass-china.acl
Filesize
154KB

MD5
2f2b711af66d4bf9031bfdda7cb8c923

SHA1
6102b41241c6870cc155ff22a8987211783529c2

SHA256
74599a337a710bc49e4deba89e384caf7c9425b2e5e6854a2210c22172879b51

SHA512
f3a494894a830310f6ad06d5465a6a377b97456df07386f397e1ea2ed30a28c2c946851f82aefb5e56310d53a86df73b26ba93d64248e298ddce317b864715d9

Download Submit
/data/data/com.github.shadowsocks/files/gfwlist.txt
Filesize
145KB

MD5
414f560f5af241820291bf7bd2a14d60

SHA1
d69a21d0d588f69158635c7fe0cd767c36fbe236

SHA256
7b21b6c653a9dbf2c1031611a90df7c773ad00b781bf76da924209ed83eb8036

SHA512
251ac6a8f57776ca9b79afa1d9252ae52f8cc63b3c9668c42285675b6689bbcc3b8922f0b06d50b5b6d7a78b6ec6c2ce169dc3e9827352328cb5211f08e40bff

Download Submit
/data/data/com.github.shadowsocks/files/hosts
Filesize
9KB

MD5
e8e0527a01aefdb89afd2c508f131da1

SHA1
f1103e6b260c657ceb3d95f1b023af3fda8b133a

SHA256
f809447486f89fcaa74f87e06d126d103d37eb2b3157e88f2c06d989b2c284ce

SHA512
fb53683a83f1068d0f94567b156e6a8910c45b1b5f33db919f7e0b9c55eab28507a235ef76d44d5b549599ea3b54dbc00496a633339d276a80f395da938d6d34

Download Submit
/data/data/com.github.shadowsocks/files/persisted_config
Filesize
226B

MD5
75ea402e36e8018a11c23aa0701d88bb

SHA1
21e085fc9d6ff181ae90ada917a4f91fd8439195

SHA256
ae1b8579b035229c5a7f1d85280e054588cd1966b2a179faebb911c1fc6bc093

SHA512
9ed03a662e1d39ad7ceb585dd50a833a756bb0f9813c4abc9eac85a8f5825a68f2c9d6e0834e6a3d65f362a35cad5f1502e2ac943d5597a1612028b1f1b51bda

Download Submit
/data/data/com.github.shadowsocks/files/persisted_config
Filesize
28KB

MD5
fabb9882c499868be7dbe522e9a076e8

SHA1
57b1e6bb7cc8695c36cbe8f01e9f046b48c6b704

SHA256
1fad2e1853e0add9b66bbffd88cd581d7fcbc5cb94b0b4232a1da4d218846cb1

SHA512
bf00cfa716f0f64ff611670f5dffba2e55d316aa6214a5bec3ae851e3fabe09b09b58456fb559180e1933a66722439945a1a68299df9647e84a3597a4ee2454f

Download Submit
/data/data/com.github.shadowsocks/files/persisted_config
Filesize
32KB

MD5
d8879a5608105d88c0d8d7db1f06a5f3

SHA1
f8d3f35aa6ae2acee99425dcbee5a2777d21a1bb

SHA256
15bbb02bad80327293dc06738458dbec8e0433f6cbd49bafc0b4551e36fea0b6

SHA512
38b0598ad63e76f757230e4b8f4b253302eb3055cb98a401470c7dbe773c6cae25c6cf11bcc5f66c2c9f30d36dede142331bb6532e6bea152f3af2ddf0e5e8ad

Download Submit
/data/data/com.github.shadowsocks/files/persisted_config
Filesize
226B

MD5
24fb996742b07811f1c5eec62105c1f1

SHA1
c9de8c7fe5585f63ec07b62c82dcc135c0bee0e4

SHA256
393357e2a59af2342bcaefed2810f422348af0f20c84dc8c3509e61429ffd0b5

SHA512
b0e3c358f87a3db8a2cd46d6da26a4af77b534ef8202ace07c37c165589b5a5a0146ac89ee02ef6d9404ccb33f8f8e148adeb92ba64866f96521a9c9de1da271

Download Submit
/data/data/com.github.shadowsocks/files/persisted_config
Filesize
155KB

MD5
b1ab05fcf2cca3d0ce51b7248407a724

SHA1
a85c5583fc1b8b2cda9dabd20507b95b633264dc

SHA256
75c96b663f5ae34b15b93257a71dc843fe4b665ce216d3ff31cd056bfefeeb87

SHA512
ac7c60418808d530a5df56b12eafae13ed90c822e29914c7212dd2de631ff3a4e5ee29d2e57f2ddce2ec824638ebee32beef59adf0e458a7a454ff8229835ce6

Download Submit
/data/data/com.github.shadowsocks/files/persisted_config
Filesize
215B

MD5
6202e09b468947cab8df93a5f1a0da4c

SHA1
baa6b771a5a758f4a8a1b63d06bccbf124492ea7

SHA256
2c26965218a7b7fffeefec1c64ee23f14d9c4d834d3112491f1ed7784411db45

SHA512
39f99d0edb83b350b04e6687195709a9c9a7a47ff7aadf2d35cdb08338319c719ebb22fca143351e1cd724e03577f1c6d45257be40671a1872ae2008b29be05b

Download Submit
/data/user/0/com.github.shadowsocks/cache/1582435991586.jar
Filesize
20KB

MD5
fde2ee00cbd121cfab5290b078aa3ceb

SHA1
e2b77d5320e155e413d040a8c20020962065b2f8

SHA256
2897b0812077c654a9b3fbb0b6303d5cde681eeba7ad9981de65716c7810d685

SHA512
a9326aff8e454a2b4ac09984ef2a65fddd4dc146b4c44d839035549bff8c9fdaae490326d0b018f76c1ca2e4fb25426d74f550ca0950982fba632a023af99a56

Download Submit