Analysis
- max time kernel: 161s
- max time network: 156s
- platform: android_x86
- resource: android-x86-arm-20240514-en
- resource tags: android, arch:arm, arch:x86, image:android-x86-arm-20240514-en, locale:en-us, os:android-9-x86, system
- submitted: 22-05-2024 11:40
Static task
static1
Behavioral task
behavioral1
Sample
6722af87b4174e30d71df3e3b43ca919_JaffaCakes118.apk
Resource
android-x86-arm-20240514-en
Behavioral task
behavioral2
Sample
6722af87b4174e30d71df3e3b43ca919_JaffaCakes118.apk
Resource
android-x64-20240514-en
General
- Target: 6722af87b4174e30d71df3e3b43ca919_JaffaCakes118.apk
- Size: 8.8MB
- MD5: 6722af87b4174e30d71df3e3b43ca919
- SHA1: c770dc26eea9bc7fe9fa3e0eab50ca28ba859a6e
- SHA256: 5308b9735f2cb43aae54be98b8d942ddde286cf6c1a9e6d96459ba0326051f82
- SHA512: f267759c3b4f303fae11693dcc9597d18504b048ece6f6992eaf083b624d24a2e3e5a58b925fef816e9f1caf59c48b237674473b4aa3fed53684423e6b9025d8
- SSDEEP: 196608:mfpWQmgh1fWkxfW41CnRYWkS7ukq2PJGjH0Oh/iPsgnQErvlfjkgFT:mZh1fWk9h1yYOPJGL0c/mlnQ8lh
Malware Config
Signatures
- Checks if the Android device is rooted. 1 TTPs 4 IoCs
  Processes: com.pytech.mplus
  ioc                   process
  /data/local/su        com.pytech.mplus
  /data/local/bin/su    com.pytech.mplus
  /data/local/xbin/su   com.pytech.mplus
  /sbin/su              com.pytech.mplus
- Checks CPU information 2 TTPs 1 IoCs
  Reads CPU information that can indicate the system is an emulator.
- Checks memory information 2 TTPs 1 IoCs
  Reads memory information that can indicate the system is an emulator.
- Loads dropped Dex/Jar 1 TTPs 9 IoCs
  Runs executable code that was dropped to the device during analysis.
  Processes: com.pytech.mplus, com.pytech.mplus:pushcore, and the child process
  /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/data/com.pytech.mplus/.jiagu/tmp.dex --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/data/com.pytech.mplus/.jiagu/oat/x86/tmp.odex --compiler-filter=quicken --class-loader-context=&
  ioc                                                          pid   process
  /data/data/com.pytech.mplus/.jiagu/classes.dex               4313  com.pytech.mplus
  /data/data/com.pytech.mplus/.jiagu/classes.dex!classes2.dex  4313  com.pytech.mplus
  /data/data/com.pytech.mplus/.jiagu/tmp.dex                   4313  com.pytech.mplus
  /data/data/com.pytech.mplus/.jiagu/tmp.dex                   4397  /system/bin/dex2oat (command line as listed under Processes)
  /data/data/com.pytech.mplus/.jiagu/tmp.dex                   4313  com.pytech.mplus
  /data/data/com.pytech.mplus/.jiagu/classes.dex               4430  com.pytech.mplus:pushcore
  /data/data/com.pytech.mplus/.jiagu/classes.dex!classes2.dex  4430  com.pytech.mplus:pushcore
  /data/data/com.pytech.mplus/.jiagu/tmp.dex                   4430  com.pytech.mplus:pushcore
  /data/data/com.pytech.mplus/.jiagu/tmp.dex                   4430  com.pytech.mplus:pushcore
- Queries information about running processes on the device 1 TTPs 2 IoCs
  The application may abuse the framework's APIs to collect information about running processes on the device.
  Processes: com.pytech.mplus, com.pytech.mplus:pushcore
  description             ioc                                                    process
  Framework service call  android.app.IActivityManager.getRunningAppProcesses    com.pytech.mplus
  Framework service call  android.app.IActivityManager.getRunningAppProcesses    com.pytech.mplus:pushcore
- Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs
  The application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
  Processes: com.pytech.mplus
  description             ioc                                                    process
  Framework service call  android.net.wifi.IWifiManager.getConnectionInfo        com.pytech.mplus
- Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 2 IoCs
  Processes: com.pytech.mplus, com.pytech.mplus:pushcore
  description             ioc                                                    process
  Framework service call  android.app.IActivityManager.registerReceiver          com.pytech.mplus
  Framework service call  android.app.IActivityManager.registerReceiver          com.pytech.mplus:pushcore
- Checks if the internet connection is available 1 TTPs 2 IoCs
  Processes: com.pytech.mplus, com.pytech.mplus:pushcore
  description             ioc                                                    process
  Framework service call  android.net.IConnectivityManager.getActiveNetworkInfo  com.pytech.mplus
  Framework service call  android.net.IConnectivityManager.getActiveNetworkInfo  com.pytech.mplus:pushcore
- Reads information about phone network operator. 1 TTPs
- Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
  Processes: com.pytech.mplus
  description             ioc                                                    process
  Framework API call      javax.crypto.Cipher.doFinal                            com.pytech.mplus
Processes
- com.pytech.mplus (pid 4313)
  - Checks if the Android device is rooted.
  - Checks CPU information
  - Checks memory information
  - Loads dropped Dex/Jar
  - Queries information about running processes on the device
  - Queries information about the current Wi-Fi connection
  - Registers a broadcast receiver at runtime (usually for listening for system events)
  - Checks if the internet connection is available
  - Uses Crypto APIs (Might try to encrypt user data)
  - child process (pid 4397): /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/data/com.pytech.mplus/.jiagu/tmp.dex --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/data/com.pytech.mplus/.jiagu/oat/x86/tmp.odex --compiler-filter=quicken --class-loader-context=&
    - Loads dropped Dex/Jar
  - child process: sh -c ps
  - child process: ps
- com.pytech.mplus:pushcore (pid 4430)
  - Loads dropped Dex/Jar
  - Queries information about running processes on the device
  - Registers a broadcast receiver at runtime (usually for listening for system events)
  - Checks if the internet connection is available
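The three behaviours that matter most in this report are the runtime compilation of a dex file out of the app's private `.jiagu` directory (code that is not in the installed APK), the stat of four well-known `su` locations, and the `sh -c ps` child process. The script below is an added example, not part of the sandbox report or of the analysed app: it re-derives those three signatures from the raw observations a sandbox records. The dex2oat command line, the four su paths and the two shell commands are copied from the report above; the extra su locations in `SU_PATHS`, the benign file paths and all function names are this example's own assumptions.

```python
"""Re-derive sandbox signatures from raw process and file observations.

Added example, not part of the sandbox report or the analysed app.
"""
import shlex

PACKAGE = "com.pytech.mplus"

# dex2oat invocation copied verbatim from the report's process tree (pid 4397).
DEX2OAT_CMD = (
    "/system/bin/dex2oat --instruction-set=x86 "
    "--instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt "
    "--runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate "
    "--boot-image=/system/framework/boot.art --runtime-arg -Xms64m "
    "--runtime-arg -Xmx512m --instruction-set-variant=x86 "
    "--instruction-set-features=default --inline-max-code-units=0 "
    "--compact-dex-level=none "
    "--dex-file=/data/data/com.pytech.mplus/.jiagu/tmp.dex "
    "--output-vdex-fd=42 --oat-fd=43 "
    "--oat-location=/data/data/com.pytech.mplus/.jiagu/oat/x86/tmp.odex "
    "--compiler-filter=quicken --class-loader-context=&"
)

# The four su paths the report lists, plus other locations root checkers
# commonly probe (the extras are an assumption, not taken from the report).
SU_PATHS = frozenset({
    "/data/local/su", "/data/local/bin/su", "/data/local/xbin/su", "/sbin/su",
    "/system/bin/su", "/system/xbin/su", "/su/bin/su", "/system/sd/xbin/su",
})

# Constructed file-access log: the report's four su probes plus benign noise.
FILE_ACCESSES = [
    "/data/local/su", "/data/local/bin/su", "/data/local/xbin/su", "/sbin/su",
    "/data/data/com.pytech.mplus/files/config.json",
    "/data/data/com.pytech.mplus/.jiagu/libjiagu.so",
]

# Shell commands spawned by the app, as shown in the report's process tree.
SHELL_CMDS = ["sh -c ps", "ps"]


def dex2oat_targets(cmdline: str) -> dict:
    """Extract --dex-file and --oat-location from a dex2oat command line."""
    found = {}
    for tok in shlex.split(cmdline):
        for key in ("dex-file", "oat-location"):
            prefix = f"--{key}="
            if tok.startswith(prefix):
                found[key] = tok[len(prefix):]
    return found


def is_dropped_dex(dex_path: str, package: str) -> bool:
    """True when the dex lives in the app's private data directory rather than
    in its installed APK under /data/app, i.e. code written at runtime."""
    private_dirs = (f"/data/data/{package}/", f"/data/user/0/{package}/")
    return dex_path.startswith(private_dirs)


def root_probes(paths) -> list:
    """su binaries the app touched, sorted for stable output."""
    return sorted(p for p in paths if p in SU_PATHS)


def process_enumeration(cmds) -> list:
    """Shell invocations that run ps, directly or via sh -c."""
    hits = []
    for cmd in cmds:
        argv = shlex.split(cmd)
        if argv and argv[0] == "ps":
            hits.append(cmd)
        elif len(argv) >= 3 and argv[0] == "sh" and argv[1] == "-c":
            inner = shlex.split(argv[2])
            if inner and inner[0] == "ps":
                hits.append(cmd)
    return hits


def signatures(package, cmdlines, file_accesses, shell_cmds) -> dict:
    """Map signature name -> list of IoCs, mirroring the report's layout."""
    sigs = {}
    dropped = []
    for cmd in cmdlines:
        targets = dex2oat_targets(cmd)
        if "dex-file" in targets and is_dropped_dex(targets["dex-file"], package):
            dropped.append(targets["dex-file"])
    if dropped:
        sigs["Loads dropped Dex/Jar"] = dropped
    probes = root_probes(file_accesses)
    if probes:
        sigs["Checks if the Android device is rooted"] = probes
    ps = process_enumeration(shell_cmds)
    if ps:
        sigs["Queries information about running processes on the device"] = ps
    return sigs


if __name__ == "__main__":
    for name, iocs in signatures(PACKAGE, [DEX2OAT_CMD], FILE_ACCESSES, SHELL_CMDS).items():
        print(f"{name} ({len(iocs)} IoCs)")
        for ioc in iocs:
            print("   ", ioc)
```

The `--oat-location` under `.jiagu/oat/x86/` is worth keeping alongside the dex path: the compiled `tmp.odex` is what the runtime actually maps, so it is the artifact to pull from the device if the 284-byte `tmp.dex` listed under Downloads turns out to be a loader stub rather than the real payload.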
Network
MITRE ATT&CK Matrix
Downloads
- /data/data/com.pytech.mplus/.jiagu/classes.dex
  Filesize 5.2MB
  MD5 d1928a8c5903635706cc02094a17bc16
  SHA1 289a49e45d3c2d5186864d27feabe5a8f42d6b93
  SHA256 62e083ed14ee9afac08eb0fc2f5cd69b4bf3c29663665f5a5bb078e19307754f
  SHA512 7d9831f04623aa645f379d473f4c5a32b4cdb126bd971cc2d9f18e9df0d7b0f763cc27adfc6f474f3382d0b425afb7a6be7d9a3dfbced437d5754014dfc58748
- /data/data/com.pytech.mplus/.jiagu/classes.dex!classes2.dex
  Filesize 1.3MB
  MD5 fdfe2f3f84c8555c5be48a5476f23609
  SHA1 8c148a68056f872c2f2cf144053c70dbe9ed893f
  SHA256 9f7921eb39e73230f0ad8fc1da601ea2521961b04b7f338adc10dae7468e0337
  SHA512 ab04d1c8f11958c12600576b3da20ce87d5f65ac1a138cb950ecc4efcb9df91db8aef034d6949415d99ff22da13c8fd2eb1e3f86dec33252eb0017dc7b26b3e1
- /data/data/com.pytech.mplus/.jiagu/libjiagu.so
  Filesize 485KB
  MD5 015df5724b50b4fbc6dd0caf7ccb817c
  SHA1 980780e98c9958aec97ab7a0de8d28a4c5fd9429
  SHA256 183990718a96d742bc6f1bb04c313e04db6dc62d445ecb294a7f15babd3281c6
  SHA512 fda8f5343cac8102aade5f1aeac7c5b028ea5d8c92e3d12de92e1ffce30bab47a446f215c9cff7dd1e1bb88980ee0d27b5241e856719fcc1f6a5c25e062e9d40
- /data/data/com.pytech.mplus/.jiagu/tmp.dex
  Filesize 284B
  MD5 f1771b68f5f9b168b79ff59ae2daabe4
  SHA1 0df6a835559f5c99670214a12700e7d8c28e5a42
  SHA256 9f8898ce35a47aeafced99ea0d17c33e73037bb2307c7688e50819966f4ae939
  SHA512 dae27d19727b89bec49398503baa6801640540355688dfabbe689c97545295c2c2d9b0f0dcd7cbc4cfbf701d0c0c3289e647a152f49ff242d1ecc741efe4145d
- /data/data/com.pytech.mplus/databases/cc/cc.db
  Filesize 36KB
  MD5 5d7ea1a23af19b4340cc8d90f28297d5
  SHA1 4cfe95b23a9e98378d69c4290af81b51fbe76aea
  SHA256 474c4a54534ed96beacad7cc9a805a3f53ec9c0522fc7bcc59771cf500a6a0da
  SHA512 33071f4c92da0a3df01c4a61dd165df7c7e0f4f37753cafe02d19fc876a5e7fcbb01c069c804e140ab8bfa0644a55f50fd1373646d1c439f817baa5ffbd47f7b
- /data/data/com.pytech.mplus/databases/cc/cc.db
  Filesize 36KB
  MD5 ce6135aa1b1fe4f2c2db2a546d2a5558
  SHA1 79b59582154017aadab783dc266fcb158c252940
  SHA256 7b45f576c08c7f78220168cca4a0e33198b13e9bdc8b1da406ddb6887412000c
  SHA512 2839075fe374c8567c839ae35ce2d33ec72fdaebf170aa7d224b555e5b0e74d4a43f2f67d17ed806dae841da883e9620d788ea052d06152678afa927307c7ce4
- /data/data/com.pytech.mplus/databases/cc/cc.db-journal
  Filesize 512B
  MD5 763845f354d54a28c190abe25d921dce
  SHA1 17562bc40af2557540599277f18502f3fc60b55f
  SHA256 d4177e031859b33e1e3feecbeb81d0a9a1737909285fe3128e89264727ef29fc
  SHA512 f63c5ee9f95a446bad66b7595bab575d3b872e2101ae96864d064899fd0af71da32d45da28399e0fff14a0bea8dcd1720fdc7dba3366ac958136c4fe78bbbadd
- /data/data/com.pytech.mplus/databases/cc/cc.db-shm
  Filesize 32KB
  MD5 bb7df04e1b0a2570657527a7e108ae23
  SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
  SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
  SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012
- /data/data/com.pytech.mplus/databases/cc/cc.db-wal
  Filesize 48KB
  MD5 0d7d9525d211e4fbaa05c6a3c886905c
  SHA1 8eba2d622ef79b66a519bba3dc0d2ff07b5413c6
  SHA256 b73621dbc6f94d24dc7ac67bfedf99a3f85a430d532eb2f9b15d2a51e17b93e9
  SHA512 5e7ffef4ff1053418854cae6098d9b0933adabf5217a6f0d715e1643247e0635ce7045366a782047d33125e1f104cd69ed1315e8a5dd096435de45eccefdce1c
- /data/data/com.pytech.mplus/databases/cc/cc.db-wal
  Filesize 16KB
  MD5 0690244d936c66c4da5cd74a1ae1ac58
  SHA1 f285788452b0768a6ad7cfafbe20e9b8a6850296
  SHA256 e2deac92dd45704e1f63cdfb5bbe32488c138ac0130d46d6c03fefba02daba4d
  SHA512 df306b33004b8572eff588d07faacb18358d94a8e8405814e56babd5cfdc7a3319ec8a1b1be53469877d7ad13df2ee85a0b24733a6e278a565b94e6185e0659c
- /data/data/com.pytech.mplus/files/.jglogs/.jg.ac
  Filesize 40B
  MD5 25b72ab583925db87746b3c56e500cfd
  SHA1 23818c13d85b12704e067663f3b96fb523cf0a60
  SHA256 5e77d3dbe0a03f7a836496b17b25221123fa3e0d0f65f1535a5b55829c4ecd38
  SHA512 9ee12a4abafa0bbc15d8f128edb765529fd9a55d0ad684538542345f252f5e2c4b92eaddbc3f3f3b7f3dc164582676e0bcc6c044feae977d48d9056196fe590c
- /data/data/com.pytech.mplus/files/.jglogs/.jg.ac
  Filesize 40B
  MD5 b82010426f08db9ee5ae29bf1659ffc2
  SHA1 62a1c3432c4f7a8f9a0c8c31f0f9917c3279c4cf
  SHA256 ff0b76ac84e778e1aa098d7b43de8e16823f5087dc8a256f4feff0de2c6c938d
  SHA512 619e866d22f34d5b5dec93fff1a5ce93f2cdef969cd96aec0ef6725b3c33c1a5b3a323b1739cc4c3504cbfbce51c85a80ea8c09d9cea7e74532bd3f34e1004db
- /data/data/com.pytech.mplus/files/.jglogs/.jg.di
  Filesize 340B
  MD5 0a9615fe5de269557c5d86bae00d07c0
  SHA1 6156e8a6a329223fb2c0d8222c457870fdd9b73b
  SHA256 092b2b1fdfedcc5bd6f74759266a1a8081a08103d7aa4c26a22fa3848aab36c9
  SHA512 cbc549f2610e41b7009582a0ded0649cd4deb16a987b83ea0e8f7e03c1a0a460ac83911a4734f5e16a9f664e8018c7691b2a91e5a22aafa03756bf1fedefe67d
- /data/data/com.pytech.mplus/files/.jglogs/.jg.di
  Filesize 340B
  MD5 cea080433de7ac490ffa5403f045c959
  SHA1 6263cb21be1b2f5437ef1ee886bcc4385ee455bd
  SHA256 ad62ca7d780893927cdc7a7195fd55a324c0d528280893e11d5785335c5875cd
  SHA512 1cc839d4bca5438e2a68be44db421f2770e68748d592cfe3bc7d4231617bdd40a027452c3dffa4799390da74b78fc36531b355f07f2ab31d09125555e5893771
- /data/data/com.pytech.mplus/files/.jglogs/.jg.ic
  Filesize 40B
  MD5 313c3b752b7a54c5d995b50350e0f867
  SHA1 2bda43e43a39e22e9538c65d323633f4e7d05c77
  SHA256 999e2ae4cca388fcbd7ed1434ebe92c8316c1d173cb65192e7c134f6b7d1e815
  SHA512 ccfbf7b8f53970439bc62a3e88ce72c8e2b3f4d4427b2464edc52d4ce75bc394148ad5564c2037229cd785a5383da375dcf39a42356933ada426a82fbdff42a6
- /data/data/com.pytech.mplus/files/.jglogs/.jg.li
  Filesize 100B
  MD5 d37dd2fc8d37f9a8e65d8cd7e3bbc4df
  SHA1 4dae8063902fb8039ed37eb23bee5d78fce26e59
  SHA256 7d1fde1c2a40867a932f37daa131dcefb1baab2f72cea58bacc050314c298393
  SHA512 313958e6e40f373e8af03e1b6e07c40d3ef2e7686553d99a14f4a23736146d8a585f4529b0006cb989bd3e7c4e06189d30f9c09eb844691a58fa4b8edf69dd64
- /data/data/com.pytech.mplus/files/.jglogs/.jg.rd
  Filesize 73B
  MD5 305c9deace2dac3e9bfd0901aad33755
  SHA1 bf2b19ecfa39d9ea85dad4f78ceddcaada0465a4
  SHA256 58c5884a73dabec3613ad3be47e57291edc82247dc70f2aea61fe6769873453f
  SHA512 146717504fc9d7ccb67cbbfeba72c6e444c433e07c10aa9c0429bd2da11c6ad549cc78d3f0c591ee369f4214cbb636cc2f53a3c5010a28cd4309d5686f9616e8
- /data/data/com.pytech.mplus/files/.jglogs/.jg.ri
  Filesize 314B
  MD5 d03bbcf08b074d639337a2e45955c79e
  SHA1 3684345e26b4591495ffde22dff1ae73578b3d96
  SHA256 fb49398a94dd5d6a322baa76981baaeb2e155cb88a63a2941b381c0432d42d97
  SHA512 c889a24bf982a7db31dbd0b24b20f47064ff142cdff3f5bbf44c1849e95f591e42004aad2210cde763daab2f47496489ca5a7775b2f4aad3f9eacefa30c6f66b
- /data/data/com.pytech.mplus/files/.jiagu.lock
  Filesize 27B
  MD5 4227bea12f702c7093a25cdc4b77a10d
  SHA1 741504046bc94a869b3e59c63e0604b727ed12d9
  SHA256 95b6b5bd7c3b8c1c108973ea3b24bc9e67f77f487d0a79f1efb616f05c30ccab
  SHA512 f029354c4f6e1e05d5513de4f3fba57667a07bd64200d5ac5149133125b0aa4d39a6f9eaf2409f24329c0b4648b378669ce2abebe71e494a45a168874d3b526c
- /data/data/com.pytech.mplus/files/.um/um_cache_1716378122575.env
  Filesize 1KB
  MD5 8a197d82349c7e02d151e2cb485f3dc9
  SHA1 c436b6e562ee942299eea96d36830faa292e99e2
  SHA256 cf54be03f86817681f52088c272bc7a8a1e998e4cb709477e4243c9bc07e7046
  SHA512 cc7b544f995c7ddfef6dca9de88385717db74349f8d61912c38e901f34770b9a584e35352b7de2c0b3c59bc4c9ba0a154623881942c670ffb18480fdc95aa95f
- /data/data/com.pytech.mplus/files/.umeng/exchangeIdentity.json
  Filesize 162B
  MD5 3f2a9454b92e87a5cbaafc5ae5f88326
  SHA1 b47a7ba0638c8cb6aa8345656ac3d3a2afcaf187
  SHA256 af5d8eaa662bf64c0ad524fa77024e44003111b8829a0429fd8fd221e19cd787
  SHA512 164fcbb75ef5fcfc3930da49eef4bf2407943de9a2034b93084a00e2a62a167210a1dcf02154c25ca57d7fa0fc0dd932292326dbab43bcf12f9003f5cad4d059
- /data/data/com.pytech.mplus/files/config.json
  Filesize 34B
  MD5 50a83c0673b7bd66ed816f28c6d33523
  SHA1 45217c19769ebf110369d28ef41a974cca1b24b8
  SHA256 c42458ceab8e3d06378aed84a8190f4e0b8caae12282d128cbf838f8bc816cb6
  SHA512 ea5dda6509b9438763a3c372e78491d507e003ee0e91abf59d2d317e2b1001b01c0064e89fdd1cd6ac0c8fc18bc134e5fe35c107e38f3c20cfd157eb2e00d867
- /data/data/com.pytech.mplus/files/jpush_stat_cache.json
  Filesize 159B
  MD5 6ce300e78b443f47adce7db3da5cbdd0
  SHA1 6fe65af20124cdf6641cd48782a0cf2139f336fc
  SHA256 14a4c1bab1a12783941428d2fc792ebf1003bada5148de5717ca966de2d407cc
  SHA512 285af7d49bfc67c69813bc8e9193accb933305631cb0a38071a948c38de360bdd65b69421f2548f33fb2607716ca4eada29c6218402a67598c9cc9b772ed3b3d
- /data/data/com.pytech.mplus/files/mobclick_agent_cached_com.pytech.mplus63
  Filesize 1KB
  MD5 2384ae70e7551b54b32b82103fdd47b1
  SHA1 786c106acbd8ee7b5cb91315138dfbaca762f84f
  SHA256 466a951e419f6d8c84a6db2d4a908aee3c953cd4643d88f43ad14e6e3df4dfd2
  SHA512 68b7a10cf74521caf9f74af6e73a3c5f300c775bfe90ce842bf92a6c5ccf71f75d9edc2a49a0dcb15355fed407b97dfa6966fb7b9278d0f812d4132fd45eb812
- /data/data/com.pytech.mplus/files/umeng_it.cache
  Filesize 415B
  MD5 2fa5b313b6bb9e7fb6e9f62ea87a6ce1
  SHA1 53b4100cd972691ab51f00b5270155f99518b478
  SHA256 4c8dce2b1bfcb8b84fff7fa9d823ef142f64a00f482badab721bf7a33633f20a
  SHA512 8d0cce3b79c89ea6820d464b39734bb8a56a4666917fa05078dde50d438e046a605b42a07166b77396487e4ab01168a3dca6a83d4a56d34b7c55ea373d8c47b3
- /storage/emulated/0/360/.deviceId
  Filesize 48B
  MD5 1d8d16c4e3b19ebf18988530d9b9a757
  SHA1 bc94c1cce05cd848a53271ecb9c5311e27ffebf5
  SHA256 abd87140da8de3d0aa39a24a8d52bfe7b2eb28f7a3d505f205471c7e8f4964d7
  SHA512 4562d1eedbc5c2dd7f25cd1c70343053fd451026403585182b142a64f17016c1bd0bf6ad51667b439b220e425640e55fbbda08517e7106376cdc220a4555da82
- /storage/emulated/0/360/.iddata
  Filesize 32B
  MD5 a0b61c2557e1991f55d2862c4a210db3
  SHA1 982ad6ee8aef0d4ed6d4180dde717a9c7cf6ac77
  SHA256 10befda5cf806a9e2fae1c924d61383a15d3989da1b685c70260e60393e55c97
  SHA512 421248a353036aed7d07d48593b060fe0617eb7d14dfcba86f8d222e09ad744c57f9f71f12de3ef3d9ffb7b604acb4aa715f03bd3d37e50c1b00a4224a973eb7
- /storage/emulated/0/Android/data/com.pytech.mplus/pytechltd#mplusclerk/core_log/easemob.log
  Filesize 1KB
  MD5 da5b02cdd4054716f77c3819ffb40df5
  SHA1 c24d56aa33f5230297cafc6f4368afc2885de391
  SHA256 8d3655e9d350597bd9140215477f5e11553d84de051788e7f4921c3e3970c6be
  SHA512 522f6d3c426003cda82c3265823d589490690297065cfde66235985b78aef6199d517f88c7744433e5a68f12028b145c13f0287c2c018eaef451212261a4b2ba