0ae7293e2437078ce05e55e0bf1bd27c2d4f4d3f3e7d5b41ac77706f792dd59d

Analysis

max time kernel
63s
max time network
132s
platform
android_x64
resource
android-x64-arm64-20240514-en
resource tags

androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240514-enlocale:en-usos:android-11-x64system
submitted
22-05-2024 12:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

shadowsocks4.0.1_android.apk
Size

8.8MB
MD5

a7d32c91f0e650e43db3da6d0f8a9be3
SHA1

3260b8ba76dc98ef3ea4878488b2779a8bfc0a86
SHA256

0ae7293e2437078ce05e55e0bf1bd27c2d4f4d3f3e7d5b41ac77706f792dd59d
SHA512

675fde4ff8fd6163f53cc30673d179a861b491c986a7e3edbb8dbcaa04bd13a9ade3926eddf35f1cd85e53c0403c84af5f4c8f2c35fef5b259a9bdb1a6020efc
SSDEEP

196608:eDkVaV095oNK+pb9O7cDgeBtmE0UxvaszD5Mat1z9mX3033U2H5Udrkl/Z:eDkP9iNxRI7mg6tmEHJnzD55kk33U7YZ

Score

8^/10

collection credential_access discovery evasion impact

Malware Config

Signatures

Checks if the Android device is rooted. 1 TTPs 1 IoCs
evasion

T1426

Processes:

com.github.shadowsocks

ioc process

/system/app/Superuser.apk com.github.shadowsocks
Checks CPU information 2 TTPs 1 IoCs
Checks CPU information which indicate if the system is an emulator.
evasion discovery

T1633.001

T1426

Processes:

com.github.shadowsocks

description ioc process

File opened for read /proc/cpuinfo com.github.shadowsocks
Checks memory information 2 TTPs 1 IoCs
Checks memory information which indicate if the system is an emulator.
evasion discovery

T1633.001

T1426

Processes:

com.github.shadowsocks

description ioc process

File opened for read /proc/meminfo com.github.shadowsocks
Loads dropped Dex/Jar 1 TTPs 1 IoCs
Runs executable file dropped to the device during analysis.
evasion

T1407

Processes:

com.github.shadowsocks

ioc pid process

/data/user/0/com.github.shadowsocks/cache/1582435991586.jar 4559 com.github.shadowsocks
Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs
Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
collection credential_access impact

T1414

T1641.001

Processes:

com.github.shadowsocks

description ioc process

Framework service call android.content.IClipboard.addPrimaryClipChangedListener com.github.shadowsocks
Queries information about running processes on the device 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about running processes on the device.
discovery

T1424

Processes:

com.github.shadowsocks

description ioc process

Framework service call android.app.IActivityManager.getRunningAppProcesses com.github.shadowsocks

ioc	process
/system/app/Superuser.apk	com.github.shadowsocks

description	ioc	process
File opened for read	/proc/cpuinfo	com.github.shadowsocks

description	ioc	process
File opened for read	/proc/meminfo	com.github.shadowsocks

ioc	pid	process
/data/user/0/com.github.shadowsocks/cache/1582435991586.jar	4559	com.github.shadowsocks

description	ioc	process
Framework service call	android.content.IClipboard.addPrimaryClipChangedListener	com.github.shadowsocks

description	ioc	process
Framework service call	android.app.IActivityManager.getRunningAppProcesses	com.github.shadowsocks

Acquires the wake lock 2 IoCs

Processes:

com.github.shadowsockscom.github.shadowsocks:bg

description	ioc	process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.github.shadowsocks
Framework service call	android.os.IPowerManager.acquireWakeLock	com.github.shadowsocks:bg

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
impact

T1471

Processes:

com.github.shadowsocks

description ioc process

Framework API call javax.crypto.Cipher.doFinal com.github.shadowsocks

description	ioc	process
Framework API call	javax.crypto.Cipher.doFinal	com.github.shadowsocks

com.github.shadowsocks
1⤵
- Checks if the Android device is rooted.
- Checks CPU information
- Checks memory information
- Loads dropped Dex/Jar
- Obtains sensitive information copied to the device clipboard
- Queries information about running processes on the device
- Acquires the wake lock
- Uses Crypto APIs (Might try to encrypt user data)
PID:4559

com.github.shadowsocks:bg
1⤵
- Acquires the wake lock
PID:4598

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/com.github.shadowsocks/cache/1582435991586.jar
Filesize
9KB

MD5
39293800b1afb1a860e5bb24c29cd3ba

SHA1
6432dd2a2dddb23fd06e085b958cf4c46ee803b7

SHA256
79c6fe51eefffb659811571338f1aef8def305dbbc0ef2633aec20d3054ca398

SHA512
4e2fa5da25119ed546112b0bce2d33cea40ba55ed67ebc13934c56d9f888093b6cbd8c8505535a6cfbc7b500a1213d1f43b83fd18d5ae430e7cb16b4ff3eafbd

Download Submit
/data/user/0/com.github.shadowsocks/cache/1582435991586.jar
Filesize
20KB

MD5
fde2ee00cbd121cfab5290b078aa3ceb

SHA1
e2b77d5320e155e413d040a8c20020962065b2f8

SHA256
2897b0812077c654a9b3fbb0b6303d5cde681eeba7ad9981de65716c7810d685

SHA512
a9326aff8e454a2b4ac09984ef2a65fddd4dc146b4c44d839035549bff8c9fdaae490326d0b018f76c1ca2e4fb25426d74f550ca0950982fba632a023af99a56

Download Submit
/data/user/0/com.github.shadowsocks/cache/oat/1582435991586.jar.cur.prof
Filesize
153B

MD5
f9431a0cde5766b6a47fe517f0dbe91f

SHA1
41ebffb9e03db4e211961286e6c233726d1c704f

SHA256
48409024aacda3669e2112419ca8742dedca12f5310521730db60c8387710616

SHA512
3102a350b8cdbfe686564eb79892a609f3cccd74d4b420f831156b1c57b736853f1cba0988d4dea7bf728f341e3ed2b997274684726afa2d97d31115e5213382

Download Submit
/data/user/0/com.github.shadowsocks/databases/evernote_jobs.db
Filesize
16KB

MD5
47080e3bfcf2db9b8620f2faf6c5857a

SHA1
6f63c1851255e0fa99567f047382074b086d38bc

SHA256
dc4f8a73f49d2a6b41ff425fd08b85c1eba5280c438a1a1ff9832e91dfa56cbb

SHA512
e757043d82798926a5ddd716457accf6616894ad1ad79ec832293a1f662910b663239f899bf05a5c8d90fed5bcb093c5529e5bc842fe9003c1d5902f9ed84473

Download Submit
/data/user/0/com.github.shadowsocks/databases/profile.db
Filesize
20KB

MD5
dbb362c0d7d0be19b2f96de751d8b15e

SHA1
639b969496c25505e24dbb6777b60c6615b08ddd

SHA256
a05e32ebf5a56884e2a53bb1c9b7f72c8d39b42c0f0c994356d75603ca3ad28b

SHA512
07e58c71f9a4970d5763d1c03dea6466d3d63d305403ab964d809b11313718875ea36f1959529517eca33b2ab7a2e6b52c2da61e76c8671f15c0af72e4f256cb

Download Submit
/data/user/0/com.github.shadowsocks/databases/profile.db-journal
Filesize
66KB

MD5
2a223c05dde35e3a8dee72ab84f49cb4

SHA1
1267b6de69729685673af3b337d1c74add17175b

SHA256
c698a76dc5dae0cf3ab86e0c44dd83f3e2f2f4642b3d909d515e1f415849bdd1

SHA512
66af1a7983365d115f2ce259f261ad58b6a331e4ccea5cf299d221eebd466b755d67727d225ff14cd88b0655d28b81a20045a1ef08186c2b51770fe6ce4e4b14

Download Submit
/data/user/0/com.github.shadowsocks/databases/profile.db-journal
Filesize
81KB

MD5
7064173cc58b205edd2878f73ca5e6a4

SHA1
8aa422d0d501915810f0a8f98d4c4eeb805a4944

SHA256
4389bda46e05c20a102eb26ff5dcb2a3d767639d19399a2e52b50bc270910530

SHA512
183883d93e68088688b242e743a4d7ba6af2b28a3300f661e6f511755a806979071dd4b09628eb280f54b188f5e3838f678fe3695b7b0475f626c5be0a0d58ce

Download Submit
/data/user/0/com.github.shadowsocks/databases/profile.db-journal
Filesize
77KB

MD5
5345eae0922ee55726fa0b415b409162

SHA1
c9debc1802e04849fcd05ebc03c2b5111bdd86d5

SHA256
fa7fd9fa49c1791eb90cbf30858036bb73b33cf06b5da81c7e5f799bcd809f6f

SHA512
acee37789c3ec2466db79bf9b71ee7c4ed4560fb041da21459b3ec7c9acf63e3c0845e8050d2f61cd6974d8c4484f46b75042f26b0d3dd5173cc8cb3d73669a0

Download Submit
/data/user/0/com.github.shadowsocks/databases/profile.db-journal
Filesize
145KB

MD5
3b74dd6d87ebcc8d4150bc96e3caf2eb

SHA1
b69e0560b67abc36019da4cc2ba320db406353e9

SHA256
785002141e20a8c864eef7ab345820c6cf1c5e6b4249f4c737623cd9bfb24093

SHA512
dcc7d54ac6609a1d6932cfaa22896fc8668c83462f33465efaac6b943d5e2f1cf8d288fbca8caee882beabf4c64f5b5e54a3fa4f0355f01111f24d05ab6d7a45

Download Submit
/data/user/0/com.github.shadowsocks/files/bypass-china.acl
Filesize
154KB

MD5
2f2b711af66d4bf9031bfdda7cb8c923

SHA1
6102b41241c6870cc155ff22a8987211783529c2

SHA256
74599a337a710bc49e4deba89e384caf7c9425b2e5e6854a2210c22172879b51

SHA512
f3a494894a830310f6ad06d5465a6a377b97456df07386f397e1ea2ed30a28c2c946851f82aefb5e56310d53a86df73b26ba93d64248e298ddce317b864715d9

Download Submit
/data/user/0/com.github.shadowsocks/files/hosts
Filesize
20B

MD5
0eea71665fb6890c06421fd13aa3f849

SHA1
c7f9a550b77ece79052aa1a630098b911883abde

SHA256
081ef9d5367595d16e30b4b4549d9f43537320508b4ce0788963e10e4f808857

SHA512
86f9dc60075413e02e64c5a002f4d69d37e90e0f77e0f535c72b33f9cd9a1e23816d588f6479eba248a99cad7bcdcfa9813309f99ce1e213eab9b6109b25236d

Download Submit
/data/user/0/com.github.shadowsocks/files/persisted_config
Filesize
512B

MD5
cc07c4d2bb330f16bb3e9498aa6a5832

SHA1
59f0284b31023075ec8575c5d132def367973323

SHA256
2a688b804d52b95063b604881e4a34fed11d5dbb6dbbb2001901d4b9c7a2b8b3

SHA512
30ceefd15138fe3d1c81ccac8e5f641e45eedc88f1ea361bacad3409626243e801046bc8ce3b14c2ae1096d34801028dabfea1443685dc72e9c6388f222a52a5

Download Submit
/data/user/0/com.github.shadowsocks/files/persisted_config
Filesize
8KB

MD5
0d692318812d792a00b951d2252a1e58

SHA1
660f653113fd104de24fe219455249b42f9ad557

SHA256
05f71fb8f94ffba725025d3855fc62197e9f961a10470a66f08e8b82ddb97291

SHA512
037ff1632ff9b818d4041f9c7f91a7ff991dacfe523b48595c10110410444ea3432acc0cfd1c8d34492fe787991931df8048de13a44443953f7adba8c64aa480

Download Submit
/data/user/0/com.github.shadowsocks/files/persisted_config
Filesize
8KB

MD5
89de09d4c3406dae4b640775baf7995c

SHA1
9e488991eb3265520f0eb78c097122a60359a7d1

SHA256
c13aacd5642a90e2df31c46d42b2ffc0afcedb46c2ebbfdf4bd6f8eae319420f

SHA512
a91ca5934204997c720d9ac1ca8e87b8627205331977cd89252d9e77e59ae42c66858b3343556592738d70b77a9b2fd02328dcc55b65676b0b37234ad8700fa7

Download Submit
/data/user/0/com.github.shadowsocks/files/persisted_config
Filesize
155KB

MD5
b1ab05fcf2cca3d0ce51b7248407a724

SHA1
a85c5583fc1b8b2cda9dabd20507b95b633264dc

SHA256
75c96b663f5ae34b15b93257a71dc843fe4b665ce216d3ff31cd056bfefeeb87

SHA512
ac7c60418808d530a5df56b12eafae13ed90c822e29914c7212dd2de631ff3a4e5ee29d2e57f2ddce2ec824638ebee32beef59adf0e458a7a454ff8229835ce6

Download Submit