84a4ea2b675f079515300f72ff77a34c76ad3eb2378d9e898c2a88207a40b638

Analysis

max time kernel
12s
max time network
135s
platform
android_x86
resource
android-x86-arm-20240514-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20240514-enlocale:en-usos:android-9-x86system
submitted
22-05-2024 13:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

67669d1e8e536512cdf383b6ff01b344_JaffaCakes118.apk
Size

28.7MB
MD5

67669d1e8e536512cdf383b6ff01b344
SHA1

0e329075545c02f5007814abcbf20cfa433b2dc8
SHA256

84a4ea2b675f079515300f72ff77a34c76ad3eb2378d9e898c2a88207a40b638
SHA512

47236411cc6f1a138545574bc6e0fa4a2056ba6b165d44aa9d48234c87be5a6a03a66839eadc32edbe111fb6765c6f8ac3080d65d56ee5b1bef7f6d22a10a060
SSDEEP

393216:E1YQfgFQieqNe7CWQ39FowT6lbeUek7Cxx3lqwVUv5jZ++QwjH+pW7E6r62Sqeh3:WYmqNcCjjN6QfxAT+wSpW7EOqFuMtBh

Score

7^/10

discovery evasion impact persistence

Malware Config

Signatures

Loads dropped Dex/Jar 1 TTPs 6 IoCs

Runs executable file dropped to the device during analysis.

evasion

T1407

Processes:

com.witgo.etc/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/data/com.witgo.etc/.jiagu/tmp.dex --output-vdex-fd=43 --oat-fd=44 --oat-location=/data/data/com.witgo.etc/.jiagu/oat/x86/tmp.odex --compiler-filter=quicken --class-loader-context=&

ioc	pid	process
/data/data/com.witgo.etc/.jiagu/classes.dex	4290	com.witgo.etc
/data/data/com.witgo.etc/.jiagu/classes.dex!classes2.dex	4290	com.witgo.etc
/data/data/com.witgo.etc/.jiagu/classes.dex!classes3.dex	4290	com.witgo.etc
/data/data/com.witgo.etc/.jiagu/tmp.dex	4290	com.witgo.etc
/data/data/com.witgo.etc/.jiagu/tmp.dex	4357	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/data/com.witgo.etc/.jiagu/tmp.dex --output-vdex-fd=43 --oat-fd=44 --oat-location=/data/data/com.witgo.etc/.jiagu/oat/x86/tmp.odex --compiler-filter=quicken --class-loader-context=&
/data/data/com.witgo.etc/.jiagu/tmp.dex	4290	com.witgo.etc

Queries information about running processes on the device 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about running processes on the device.
discovery

T1424

Processes:

com.witgo.etc

description ioc process

Framework service call android.app.IActivityManager.getRunningAppProcesses com.witgo.etc
Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
discovery

T1421

Processes:

com.witgo.etc

description ioc process

Framework service call android.net.wifi.IWifiManager.getConnectionInfo com.witgo.etc
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

T1422
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
persistence

T1624.001

Processes:

com.witgo.etc

description ioc process

Framework service call android.app.IActivityManager.registerReceiver com.witgo.etc
Checks if the internet connection is available 1 TTPs 1 IoCs
discovery

T1421

Processes:

com.witgo.etc

description ioc process

Framework service call android.net.IConnectivityManager.getActiveNetworkInfo com.witgo.etc
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
impact

T1471

Processes:

com.witgo.etc

description ioc process

Framework API call javax.crypto.Cipher.doFinal com.witgo.etc

description	ioc	process
Framework service call	android.app.IActivityManager.getRunningAppProcesses	com.witgo.etc

description	ioc	process
Framework service call	android.net.wifi.IWifiManager.getConnectionInfo	com.witgo.etc

description	ioc	process
Framework service call	android.app.IActivityManager.registerReceiver	com.witgo.etc

description	ioc	process
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.witgo.etc

description	ioc	process
Framework API call	javax.crypto.Cipher.doFinal	com.witgo.etc

com.witgo.etc
1⤵
- Loads dropped Dex/Jar
- Queries information about running processes on the device
- Queries information about the current Wi-Fi connection
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Checks if the internet connection is available
- Uses Crypto APIs (Might try to encrypt user data)
PID:4290

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/data/com.witgo.etc/.jiagu/tmp.dex --output-vdex-fd=43 --oat-fd=44 --oat-location=/data/data/com.witgo.etc/.jiagu/oat/x86/tmp.odex --compiler-filter=quicken --class-loader-context=&
2⤵
- Loads dropped Dex/Jar
PID:4357

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.witgo.etc/.jiagu/classes.dex
Filesize
7.7MB

MD5
7107289ff51865f99d5307c364e0827e

SHA1
d132c3ecb21e078cf7da16dacc9df32d7b3e8a9e

SHA256
8fd176110139ee0bc53068f5ab3d992ebf85f46ade4523033af600cbb89876a4

SHA512
3b03a3d22bd03b77db1f6930d95cf22325f25324f0f0307b997600647d44d2c99b12c14b12a9f4a1089cb80c1b5000a68a50a65eb480641b29067e4027b2f83b

Download Submit
/data/data/com.witgo.etc/.jiagu/classes.dex!classes2.dex
Filesize
7.5MB

MD5
8eb366b7864e225c5cbeac195e65d391

SHA1
a9a2f62d3dfa1b2ab9305b26cbe2f5f184b2d8fb

SHA256
08283384800dc26574886b0737dc7736bc4e8818182832090bff6556366baaf0

SHA512
9be83db779f5c9ef8326553623ddb0331568e06ce304c06193728f79e70f310724892b8c3d24d61f9436802012c9bc3c5b88d9971aea6988812cd822bfafe7ae

Download Submit
/data/data/com.witgo.etc/.jiagu/classes.dex!classes3.dex
Filesize
176KB

MD5
106a02ed60dff35f2dac8c1bac4af592

SHA1
bc8c18ca3d40a3522a6e87741a57eb13e554fd82

SHA256
b1cffb3f8de897db2b355d7c28ac44676d24ef5051baed17cbb14ec411753aa8

SHA512
14a3ebde72b6fc11ff7a2645fb1f132d83b6c848a89bb2ca40ac899092b7f21214a3520d4c6f31f48ae0e71a4b088ea11dbc044f0ff85da22c2f1ea75d831d21

Download Submit
/data/data/com.witgo.etc/.jiagu/libjiagu.so
Filesize
475KB

MD5
5aea02f4e4c77fbf2e7a27f7ca9cc06b

SHA1
522db1748608e9173547b29b7aa82ddc3542c534

SHA256
5a1c513b347e2a929769e2be67552c1d591704f08f7b5590282b66cc2c7d7bd2

SHA512
5c979a11f5e896829db906f533756efc1cf3c5a7e35ecc9e376a0aae818f2dada013441649feac2e188bd51affbbf35156e32fdc6552e185bddbc547f3850316

Download Submit
/data/data/com.witgo.etc/.jiagu/tmp.dex
Filesize
284B

MD5
f1771b68f5f9b168b79ff59ae2daabe4

SHA1
0df6a835559f5c99670214a12700e7d8c28e5a42

SHA256
9f8898ce35a47aeafced99ea0d17c33e73037bb2307c7688e50819966f4ae939

SHA512
dae27d19727b89bec49398503baa6801640540355688dfabbe689c97545295c2c2d9b0f0dcd7cbc4cfbf701d0c0c3289e647a152f49ff242d1ecc741efe4145d

Download Submit
/data/data/com.witgo.etc/databases/ut.db
Filesize
20KB

MD5
38616785cca0600a03205f84fe330b4b

SHA1
6ac41a6bdcae297d56dac5fdde70be5faccf0832

SHA256
b05c698d5827005da5e04b4fbdcac53cfc83405247353f8e9e145969a820a4e8

SHA512
7ff2901c032607f5fa1f24a48056ae85fe8d67b6c5649233fdad7b66950d359b2fb933344bf1e2fe6255a00c593de7bcf959d201fe8b6ad214249bb31f855a08

Download Submit
/data/data/com.witgo.etc/databases/ut.db-journal
Filesize
512B

MD5
0d12d0694f9654fd35242c32c1ed1ced

SHA1
9c260b24c555c141837cc500328b413a1052620b

SHA256
7275636a2812b0585edf10f8fbb2a97d4f0471dbd7943df1772cfd4b2ce9d22d

SHA512
5871a6fbd0cbcc0e33be4d58e7875fadfa7cd5aef90dd63bd3e77ec205975ce1cd445a6a55f1de4523f1c280b5e1e78849493e74e580bd4e026434e0de0bec97

Download Submit
/data/data/com.witgo.etc/databases/ut.db-shm
Filesize
28KB

MD5
cf845a781c107ec1346e849c9dd1b7e8

SHA1
b44ccc7f7d519352422e59ee8b0bdbac881768a7

SHA256
18619b678a5c207a971a0aa931604f48162e307c57ecdec450d5f095fe9f32c7

SHA512
4802861ea06dc7fb85229a3c8f04e707a084f1ba516510c6f269821b33c8ee4ebf495258fe5bee4850668a5aac1a45f0edf51580da13b7ee160a29d067c67612

Download Submit
/data/data/com.witgo.etc/databases/ut.db-wal
Filesize
32KB

MD5
16556c8c359b86a5fb019493f66c1df1

SHA1
1a3c2c4d0c50b48fc0522d46f92b05f0d9001dae

SHA256
8e69d36cacbaeb214b381a66d83351a6ae5bf320695bd12bfb2c814b02c9865d

SHA512
e9c547a7382a8e6fbd94ad95132eb6c8bdb5190ed8b3f887e764b0dd00882a4cb8ddb1e3e12011c8ac43dbd8b17a8fa86a9b0526773b73a432858e6d3baa3c26

Download Submit
/data/data/com.witgo.etc/files/.jglogs/.jg.ac
Filesize
32B

MD5
0ebacfe57ca80d59484972c4fdabce31

SHA1
a82da73f9135e85a2ff7dd2c82480bb6e3f8901c

SHA256
54edb2101bd055fa1688432aa8335efd1b206bbfe9a65eed0341fc2941eb9589

SHA512
bdc27590aab8844ecb3fe71b15b62130860fe780a7f10329310c63206e20ad73beac2e7cd50ac43a4ddc417221e851bf73abf1586df93728ff45c030b0c799ed

Download Submit
/data/data/com.witgo.etc/files/.jglogs/.jg.ic
Filesize
32B

MD5
ec9b1cce61d868ffd2936ff5e815e8f8

SHA1
69772bbb4d48a249f1afd47e59ac8c7985d2b017

SHA256
4232ac800aa33b951f2f2638ac3c9e1667bfe06a814a9145bfa4c55f6b2d354e

SHA512
1a22fe50a07349072c3d600bf1519acd88fbc1b797411c930c041286afd4fecca44a0c6b56e975b859592d89b91e44671b68f45c6e159aecf217c93210826489

Download Submit
/data/data/com.witgo.etc/files/.jglogs/.jg.rd
Filesize
73B

MD5
90c43928ede974ef8d2dd00c58021782

SHA1
c62c389e8800dadcac821bccd41f4f34385b69f7

SHA256
d0e4c3c1ca0ee9a56159b174936845cf853f5144ef40af9f27d77277c1ff53bd

SHA512
b406890d90cc973421c3d5423debc56780335ac9f6a603a704f43ddf8a460797a98dc780e93e3e5e056e041a614447242f61b3be31d222fbc1b43913f997a015

Download Submit
/data/data/com.witgo.etc/files/.jglogs/.jg.ri
Filesize
307B

MD5
c8626f187c19439266027cdbe5432709

SHA1
0f251993049046191194c14381006804aa038eae

SHA256
256b01208e689ee5818b988bc7ef49026f48369a89707e17267a31549c0ba665

SHA512
2ed7a773e71e8a418fde26175f839b8961adf0e49aacd962abbe14d564a20e221fad28d6450143d64c1cd6023500ce806fd2c057e0b2bbde38056526ee188d32

Download Submit
/data/data/com.witgo.etc/files/.jglogs/.jg.ri
Filesize
314B

MD5
32a4437c314616bbb177eb7e2e35c0ae

SHA1
0030c000840a98419deb98272ec2d60e13ac0efc

SHA256
f769aa338d2c51d4eceb746e7853a804cb9dc5525a49ade4954354cea1d3f464

SHA512
c53f64d664006df5c6939ef980725a141ba95c47de0ab914d5e4fc0a6d3f33ba48444446c2b115f36f3e79d3b48d81077fb2c105c5a13eaf4c3d257bcf3d39d8

Download Submit
/data/data/com.witgo.etc/files/.jglogs/.jg.store.report_pid
Filesize
32B

MD5
8ca4b38c391d3da4dd59b08385c1cd45

SHA1
de5dacca30057fb91f16a2bd9dcc5f2978865d93

SHA256
cc6de00374e5d3c7f6831c0d2a3f0c5e5a1771a6f8cb1c8c8a79a01420d3b1e0

SHA512
d2bfa48b2fee787be4eae043ca9c7428f45ff10cb6c728b1105638dee0587a5da7af78442f87df144a989601b753b31a4f7a1994ee50d326f3417f0494d0c9c6

Download Submit
/data/data/com.witgo.etc/files/.jiagu.lock
Filesize
27B

MD5
7d038842096e99b541116591b8babdf3

SHA1
69be1a10ce54f4857c5b8fde51f66c7c8c656801

SHA256
fdab78e0e478d999680db30f4e2db6e815959257b2b74cd11fde2a55c9169afc

SHA512
fc66c4686ee5756befa3dbb23754e212cd671dfdb1534243d65b0b6d37c0b4c14cd6b97c09c1bf6c5c12b228d15a80869b9dc9bbe3e428363288c3a7d329209e

Download Submit
/data/data/com.witgo.etc/files/com_alibaba_aliyun_crash_defend_sdk_info
Filesize
222B

MD5
89f8026df0cc2879b62141ee83b45c20

SHA1
51863e2845d7fe465893aedba6a003e194bd0a35

SHA256
c138015ca8765d260512bc4fd03f1c7c114ae183fe73a706dd215c542b6bc1d7

SHA512
09a53fb5d5509a3a67380977abc6e20a0970a0dc387f6ecf4646e9df837124838dd552a54cef2e016fc05ebb1e3510d229038b17f5b48a632356e2b12d538e36

Download Submit
/data/data/com.witgo.etc/files/libcuid.so
Filesize
129B

MD5
24151bb2fcd111e2d2b0de8b3f32c008

SHA1
727db57edd4eca1221c2d2cb5fcc9c5abafeaf4f

SHA256
194d78f0e79a58b01d3c0c550570f1f6fb641cbab8f65738b199aa9784edf008

SHA512
0152381cb070c9fbd2076b5d9f974bc15eb7a756df450bbaa1744c6c3ac0982fb50c61e7cf1aa8367157ffece12c30b534a6347f97cc8d9eb9fd4f15d64869fc

Download Submit
/storage/emulated/0/.DataStorage/ContextData.xml
Filesize
111B

MD5
69768f877e8e52a0db3c4270f6d11825

SHA1
2d1b336706d752879442ef2f8e436283c98d87c9

SHA256
06d4f3cbe9e39d539382122958eb9a9249cc880408d42582906626cc0f09d129

SHA512
7a3a35aaa7385b80380399bd7864fb15f672541a353b52bb8673dc5a404e3af4daed4c1636bdd3d90e7d2dca7e6ebe8e79a14aa86db4bc09b10d349ea6816a27

Download Submit
/storage/emulated/0/.DataStorage/ContextData.xml
Filesize
213B

MD5
54cc7f5cdc489538471e612eb4c3d83f

SHA1
e3e4748511a1bf5d56cfa400eaa2ceb62b430c56

SHA256
423ede5828cec90d2417f09cad42de293ff1a6fc4a7c388fb5df93299add9cff

SHA512
a77ce026fc0f7e3ff101c0595a12a9ea74d2234c754d04b8f0e9640c4bffb3a9c9d9a8309787ce9ccd45d2a58bfe7b92b02a8da8246a35daafb912573b143192

Download Submit
/storage/emulated/0/.UTSystemConfig/Global/Alvin2.xml
Filesize
65B

MD5
9781ca003f10f8d0c9c1945b63fdca7f

SHA1
4156cf5dc8d71dbab734d25e5e1598b37a5456f4

SHA256
3325d2a819fdd8062c2cdc48a09b995c9b012915bcdf88b1cf9742a7f057c793

SHA512
25a9877e274e0e9df29811825bd4f680fa0bf0ae6219527e4f1dcd17d0995d28b2926192d961a06ee5bef2eed73b3f38ec4ffdd0a1cda7ff2a10dc5711ffdf03

Download Submit
/storage/emulated/0/.UTSystemConfig/Global/Alvin2.xml
Filesize
111B

MD5
1cf0095d00cdc8fe0cf4b4d8b80f1e99

SHA1
f9d219278848525e368053a92c6ed2b1cb8601fa

SHA256
aa473fa1d293929548f311f4d1d8e21fe0cd26ec7dc59a5cad02db63405b9a63

SHA512
b0ee232d98f648ba7c3cc9ef582488d28f1793c1e8c4813ec74fb41690a6a27c062153e12f530b82ede461993277443643a5aed6cda5dca66db654e1b3e45696

Download Submit
/storage/emulated/0/.UTSystemConfig/Global/Alvin2.xml
Filesize
167B

MD5
11625b604b4ff436afbab0c7607b7467

SHA1
60f0009de7e095a1b8d32a1ecf4478e6f58ae411

SHA256
41d5c78f54c8af9d37e738fff39248723a28d660aea3ca7224a115afad4f9701

SHA512
b9e687260236ffcef4a150aaf6926ef59960d4c2dc454621be7aea639f0906be3049c288fee83911121b15526dad7c64ca0c00c6371d2a1d86b81904c655c68e

Download Submit