Analysis
max time kernel: 179s
max time network: 190s
platform: android_x64
resource: android-x64-20240514-en
resource tags: android, arch:x64, arch:x86, image:android-x64-20240514-en, locale:en-us, os:android-10-x64, system
submitted: 22-05-2024 15:14
Static task
static1
Behavioral tasks
behavioral1: sample 67b172e6012f096d10b3da344dfade56_JaffaCakes118.apk, resource android-x86-arm-20240514-en
behavioral2: sample 67b172e6012f096d10b3da344dfade56_JaffaCakes118.apk, resource android-x64-20240514-en
behavioral3: sample QMJFQ.apk, resource android-x86-arm-20240514-en
behavioral4: sample QMJFQ.apk, resource android-x64-20240514-en
behavioral5: sample QMJFQ.apk, resource android-x64-arm64-20240514-en
behavioral6: sample gdtadv2.apk, resource android-x86-arm-20240514-en
behavioral7: sample gdtadv2.apk, resource android-x64-20240514-en
behavioral8: sample gdtadv2.apk, resource android-x64-arm64-20240514-en
General
Target: 67b172e6012f096d10b3da344dfade56_JaffaCakes118.apk
Size: 16.8MB
MD5: 67b172e6012f096d10b3da344dfade56
SHA1: 4e687059cd30da75d655bafbf170051905fa6c77
SHA256: 80a1a9da3fdee9a38fc55b58b19bbf769bd808499742744cb94992ad95139b56
SHA512: 13902afd5153daf6306db2f1c96dba1c26fbf99658d236528e748755648926b9d83a882a4b7ad74c3af4fa2191aa3795434b22e706f9ccedcb8f4a4bf3bbe077
SSDEEP: 393216:BfeClFPcMiYTfb1KSof0R+9nAlm4ZEahkNCNw:BmClFP/iYTD1KZ0RmAfZEN9
Malware Config
Signatures

Checks if the Android device is rooted. (1 TTP, 2 IoCs)
Processes: com.duocai.caomeitoutiao:pushcore
ioc | process
/system/bin/su | com.duocai.caomeitoutiao:pushcore
/system/xbin/su | com.duocai.caomeitoutiao:pushcore

Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps). (1 TTP)

Requests cell location. (2 TTPs, 1 IoC)
Uses Android APIs to get the current cell location.

Checks Android system properties for emulator presence. (1 TTP, 4 IoCs)
Processes: com.duocai.caomeitoutiao:pushcore
description | ioc | process
Accessed system property key | ro.hardware | com.duocai.caomeitoutiao:pushcore
Accessed system property key | ro.product.model | com.duocai.caomeitoutiao:pushcore
Accessed system property key | ro.product.name | com.duocai.caomeitoutiao:pushcore
Accessed system property key | ro.serialno | com.duocai.caomeitoutiao:pushcore

Checks CPU information. (2 TTPs, 1 IoC)
Checks CPU information that may indicate the system is an emulator.

Loads dropped Dex/Jar. (1 TTP, 1 IoC)
Runs an executable file dropped to the device during analysis.
Processes: com.duocai.caomeitoutiao:pushcore
ioc | pid | process
/data/user/0/com.duocai.caomeitoutiao/app_libs/ymdex.jar | 5290 | com.duocai.caomeitoutiao:pushcore

Queries information about running processes on the device. (1 TTP, 2 IoCs)
The application may abuse the framework's APIs to collect information about running processes on the device.
Processes: com.duocai.caomeitoutiao, com.duocai.caomeitoutiao:pushcore
description | ioc | process
Framework service call | android.app.IActivityManager.getRunningAppProcesses | com.duocai.caomeitoutiao
Framework service call | android.app.IActivityManager.getRunningAppProcesses | com.duocai.caomeitoutiao:pushcore

Queries information about the current Wi-Fi connection. (1 TTP, 2 IoCs)
The application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
Processes: com.duocai.caomeitoutiao, com.duocai.caomeitoutiao:pushcore
description | ioc | process
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | com.duocai.caomeitoutiao
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | com.duocai.caomeitoutiao:pushcore

Queries information about the current nearby Wi-Fi networks. (1 TTP, 1 IoC)
The application may abuse the framework's APIs to collect information about nearby Wi-Fi networks.
Processes: com.duocai.caomeitoutiao:pushcore
description | ioc | process
Framework service call | android.net.wifi.IWifiManager.getScanResults | com.duocai.caomeitoutiao:pushcore

Registers a broadcast receiver at runtime (usually for listening for system events). (1 TTP, 2 IoCs)
Processes: com.duocai.caomeitoutiao, com.duocai.caomeitoutiao:pushcore
description | ioc | process
Framework service call | android.app.IActivityManager.registerReceiver | com.duocai.caomeitoutiao
Framework service call | android.app.IActivityManager.registerReceiver | com.duocai.caomeitoutiao:pushcore

Checks if the internet connection is available. (1 TTP, 2 IoCs)
Processes: com.duocai.caomeitoutiao, com.duocai.caomeitoutiao:pushcore
description | ioc | process
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | com.duocai.caomeitoutiao
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | com.duocai.caomeitoutiao:pushcore

Queries the unique device ID (IMEI, MEID, IMSI). (1 TTP)

Reads information about the phone network operator. (1 TTP)

Listens for changes in the sensor environment (might be used to detect emulation). (1 TTP, 1 IoC)
Processes: com.duocai.caomeitoutiao
description | ioc | process
Framework API call | android.hardware.SensorManager.registerListener | com.duocai.caomeitoutiao

Uses Crypto APIs (might try to encrypt user data). (1 TTP, 1 IoC)
Processes: com.duocai.caomeitoutiao:pushcore
description | ioc | process
Framework API call | javax.crypto.Cipher.doFinal | com.duocai.caomeitoutiao:pushcore
Processes

com.duocai.caomeitoutiao
- Requests cell location
- Queries information about running processes on the device
- Queries information about the current Wi-Fi connection
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Checks if the internet connection is available
- Listens for changes in the sensor environment (might be used to detect emulation)

com.duocai.caomeitoutiao:pushcore
- Checks if the Android device is rooted
- Checks Android system properties for emulator presence
- Checks CPU information
- Loads dropped Dex/Jar
- Queries information about running processes on the device
- Queries information about the current Wi-Fi connection
- Queries information about the current nearby Wi-Fi networks
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Checks if the internet connection is available
- Uses Crypto APIs (might try to encrypt user data)
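The per-process lists above are what an analyst tags by hand when reading the IoC tables. The following Python is an added example (editor's code, not part of the sandbox report or of the analysed app): it takes the observations from this report's IoC tables, embedded inline, and applies a small rule table so that each process gets behaviour tags and a score. The indicators taken from the report are verbatim; /sbin/su, ro.kernel.qemu and ro.build.tags are the editor's additions for generality and were not observed in this run, as the comments state.

```python
"""Tag sandbox observations per process.  Editor-added example; OBSERVATIONS
is transcribed from this report's IoC tables, RULES is the editor's own and
is marked where it goes beyond what the report observed."""
import re
from collections import defaultdict

# (process, kind, value) as reported.  kind: "path" = file probed,
# "sysprop" = system property key read, "dexload" = Dex/Jar loaded,
# "api" = framework service/API call.
OBSERVATIONS = [
    ("com.duocai.caomeitoutiao:pushcore", "path", "/system/bin/su"),
    ("com.duocai.caomeitoutiao:pushcore", "path", "/system/xbin/su"),
    ("com.duocai.caomeitoutiao:pushcore", "sysprop", "ro.hardware"),
    ("com.duocai.caomeitoutiao:pushcore", "sysprop", "ro.product.model"),
    ("com.duocai.caomeitoutiao:pushcore", "sysprop", "ro.product.name"),
    ("com.duocai.caomeitoutiao:pushcore", "sysprop", "ro.serialno"),
    ("com.duocai.caomeitoutiao:pushcore", "dexload",
     "/data/user/0/com.duocai.caomeitoutiao/app_libs/ymdex.jar"),
    ("com.duocai.caomeitoutiao:pushcore", "api",
     "android.app.IActivityManager.getRunningAppProcesses"),
    ("com.duocai.caomeitoutiao:pushcore", "api",
     "android.net.wifi.IWifiManager.getScanResults"),
    ("com.duocai.caomeitoutiao:pushcore", "api", "javax.crypto.Cipher.doFinal"),
    ("com.duocai.caomeitoutiao", "api",
     "android.app.IActivityManager.getRunningAppProcesses"),
    ("com.duocai.caomeitoutiao", "api",
     "android.net.wifi.IWifiManager.getConnectionInfo"),
    ("com.duocai.caomeitoutiao", "api",
     "android.hardware.SensorManager.registerListener"),
]

# (kind, regex, tag, weight).  Indicators from the report are verbatim;
# /sbin/su, ro.kernel.qemu and ro.build.tags are editor assumptions
# (commonly probed values that were not observed in this run).
RULES = [
    ("path", r"^/(system/x?bin|sbin)/su$", "root-check", 3),
    ("sysprop",
     r"^ro\.(hardware|product\.(model|name)|serialno|kernel\.qemu|build\.tags)$",
     "emulator-check", 3),
    # Code loaded from an app-writable directory rather than the signed APK.
    ("dexload", r"^/data/(data|user/\d+)/[^/]+/.*\.(jar|dex|apk)$",
     "dynamic-code-load", 4),
    ("api", r"IActivityManager\.getRunningAppProcesses$", "process-enum", 2),
    ("api", r"IWifiManager\.(getScanResults|getConnectionInfo)$",
     "wifi-fingerprint", 2),
    ("api", r"SensorManager\.registerListener$", "sensor-probe", 1),
    ("api", r"^javax\.crypto\.Cipher\.", "crypto-use", 1),
]
COMPILED = [(k, re.compile(rx), tag, w) for k, rx, tag, w in RULES]


def tag_observations(observations):
    """Return {process: {tag: [matching values]}}; unmatched values are dropped."""
    out = defaultdict(lambda: defaultdict(list))
    for proc, kind, value in observations:
        for rkind, rx, tag, _ in COMPILED:
            if kind == rkind and rx.search(value):
                out[proc][tag].append(value)
    return {p: dict(t) for p, t in out.items()}


def rank(tagged):
    """Score each process by the weight of its distinct tags, highest first.
    Each tag counts once, so four property reads do not outrank one dex load."""
    weight = {tag: w for _, _, tag, w in RULES}
    scores = {p: sum(weight[t] for t in tags) for p, tags in tagged.items()}
    return sorted(scores.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    tagged = tag_observations(OBSERVATIONS)
    for proc, score in rank(tagged):
        print(f"{score:2d} {proc}: {', '.join(sorted(tagged[proc]))}")
```

Run on the report's observations, the :pushcore process collects root-check, emulator-check and dynamic-code-load (the su probes, the four ro.* property reads and the ymdex.jar load), while the main process only enumerates processes, reads the Wi-Fi connection and registers a sensor listener; that split is the same one the Processes section shows, and the weights simply make the dropped-code loader come out on top.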
Network
MITRE ATT&CK Matrix
Downloads
/data/data/com.duocai.caomeitoutiao/app_crashrecord/1002
Filesize: 243B
MD5: fd60a593242dc77bb5ba33c3f4f3731e
SHA1: ab41a132b922b05c333a8d2b8623a174eecc4be0
SHA256: 62a6e63c4d82ca25ffe47d3316dc73de05e515a3ebb08e27ae6dbdc39c893bf8
SHA512: 293afeab3ef06e72c7635929b9ade3dc830184bac146ff205988e14a4a2914d3bbe00ce13fa6380e353291211c32eb88d053c3a8d0e01e26a4bf60837c50f4f1

/data/data/com.duocai.caomeitoutiao/app_crashrecord/1002
Filesize: 58B
MD5: 0d210bfb2a0e1f1b4c082a6a0f79de07
SHA1: bb8ed9e364db79d1d9f2fcde3f15091893222faa
SHA256: 988722c23d78a46021d0e7ca9deee7aa8bb83288269174ffacb7316f381cca1d
SHA512: 536e9867b0df29b15b789f8949be6ab37fcdeccb9d39ded981da7dc2052c9533d0ec0e6f9a5444132977605d372e1463d91bdde41b528ff2ca3f65ab152325c1

/data/data/com.duocai.caomeitoutiao/app_crashrecord/1004
Filesize: 234B
MD5: 412b4b9c67b8fda4fb24c5af72e459f5
SHA1: bd6814ab02a9bff4a902f2cd10a100bc632452b7
SHA256: 3e6b11be13a33440b09532c3a78b36d8472a53fb40e615a3893378a667b83441
SHA512: 2ac357863ca812a0603d2dbe6b8996218728565ffd56bec900735c3e379d33a7f9cf078150c6f845f69d522b6592744dc37e4e4c3b8f9f537e89075a2d1dd98c

/data/data/com.duocai.caomeitoutiao/databases/ThrowalbeLog.db
Filesize: 40KB
MD5: f6733880caadd1ce6ed76e66441c3dc0
SHA1: f935c20289c09eb32ce99b24882fbabbbc67db3e
SHA256: 3e8a6da56a773e89bf15dc0c775122ba2da9e9a11551445040743897e9dc7dbc
SHA512: 9efc280a125012c1ef96d6518f0d95f82906c9d3a80389f5fb6d40ac799511391a9d00c38e5afa3aa0a2d46b338adbb442da8e561486d299d4015380a641a01e

/data/data/com.duocai.caomeitoutiao/databases/ThrowalbeLog.db-journal
Filesize: 16KB
MD5: 40f742db7aaaf083df4801bf8ba1418f
SHA1: 4fa4a0af409afaa3eff0a414a236219f6bfde126
SHA256: 493996dee3ec97be027fde0d1675e82ee86aef78b31b88b9edd76d4bbb6a0778
SHA512: 86ee572db9719583555bf3558b88b5dddee408f95205b50711fc3f72090e0a779c986158f3d527c7b233ae5d8cfa104342cc16af4829d0b65b43ca283301ad1f

/data/data/com.duocai.caomeitoutiao/databases/ThrowalbeLog.db-journal
Filesize: 16KB
MD5: 35cc50f13a2192cf28947f9db2259288
SHA1: 1addbe52cd650b5055f66ac724e520fb24a38726
SHA256: b93346e9949f36cab8e1197326139957bc919e32d01ef92c1ef7ed63e04f9f63
SHA512: e90bc5e8bb6b5edeeb5e8f83c9c1ac3d4db08c6a6764cc7ab11e20d08ec9168315ae2843dd06471a5997a2a12660607db635c67685900ae4247255eb7f0218b3

/data/data/com.duocai.caomeitoutiao/databases/ThrowalbeLog.db-journal
Filesize: 16KB
MD5: bdfec677828fc9b0c9142e32e27048fe
SHA1: 7b6766ae36720a2096ed82067df0f450f24413c0
SHA256: 1620e79ed2c44758d165ac0b473aece6f0cbd5543b69bb0bff788fdb7ad09d19
SHA512: 70e1ea0b86336764aacf04e4f7fdfc9c0c77a9bea05dc157d40b67b262538f26dbf56a085317ee5971087ed246a7bf3fcc2556a519ecb2f294ef7aa8d76833c3

/data/data/com.duocai.caomeitoutiao/databases/bugly_db_
Filesize: 28KB
MD5: d5d30887a22bcf8602322a7243b98181
SHA1: 396c82404d582d4f4e3dcd3c51cf7946cdc6bdf6
SHA256: 82c4440de88aa8d65031eb9017bf2607e73a5f970fc84a1b8f553a53102183fc
SHA512: 868ee391884c281215b6aee63d18db70d1c968ef02b33c29be99fbdefab69073feae6f04a9ab4a8b704a3c1ede2a604331f7cf06a64c4fa3ef87fd352e42db3f

/data/data/com.duocai.caomeitoutiao/databases/bugly_db_-journal
Filesize: 512B
MD5: d37527810cdb275f054cbe5393833ccf
SHA1: ed1105b7e53b979d93926d0e55545bd7596ddf9a
SHA256: 8f34e2c942d8451e8bb574003c160f23dc950833e6d6bf606b01c416fdc6c7e2
SHA512: c1b1ec28a55c25718c419f12a6f4a3cc6fd4d9a9afcd4d92e3919e5e648818ff9efbf04e24e0aaa229658ceca29c0b55abd6ce3f561c9190935288750f6b28b5

/data/data/com.duocai.caomeitoutiao/databases/bugly_db_-journal
Filesize: 12KB
MD5: 026d192f0ccafc960a5c60dcac1ac85f
SHA1: 3448015abee119867244c8dd6c4132b38035fffb
SHA256: f4c9a5dbb8d58489e0c8e5d74e5b01033c3d8c868fe81a5fd9e2f9a24febbd87
SHA512: a30d23a54d08bae9f7b3cc72a1558993ab944b633a8aa589fdaea2cfc98a5ced0815236cb3dc6f9e574c6241f23e7294883f85bf3f6952684507394259ddd8be

/data/data/com.duocai.caomeitoutiao/databases/bugly_db_-journal
Filesize: 8KB
MD5: 77375e3a18789386a07a2b663b6477fb
SHA1: 73be467d82721900bdf17ddf103a29b48537bd29
SHA256: a4258e845eff2e75350a6a43892d3b581ee836154c7f44c469cae0ccba57d4ef
SHA512: 0ae7a220eef9f9c388498020f0bc57423c04604090bfa957b1f04517e5be6b7e6664e11547cd7fff8e99f96ac6f5065432dbb5762af57e34473bb0579c00b632

/data/data/com.duocai.caomeitoutiao/databases/bugly_db_-journal
Filesize: 8KB
MD5: f6b3d6735119ab9e721a8b2c4e460f65
SHA1: 8c236700e46b997693065f0657ed4d2814831449
SHA256: d2a399896465a129e1107dc21b2b19329415a2d922fed1ca53d15f1b8f5b9017
SHA512: ad67b5e4448b1ea406b58563f10aff915d44e794d439f6a043ee4b1be8210d0a023f7eb5dc85a398e25e2c642cc93756b062f900e0cfd25ed7a73942689d2d97

/data/data/com.duocai.caomeitoutiao/databases/jqIqJYOT3JpT
Filesize: 20KB
MD5: aa8cf740d7594640c484d58b6121c2fc
SHA1: 797e5f48647676ec07ec3c676e9ba9f7bccd4c1b
SHA256: c2372ad4c8c046bb454778b7bb1d3e8b313ba1d26cb70497fae36f2d26da1255
SHA512: 60b9e0c5b5733f0f222884e280fec08695f99346f5af51cce64eb7ec16fb338a548a2422f47e494ebb45b945f4f6a8846eecad6ff8cbd9f01716e9408573bf6c

/data/data/com.duocai.caomeitoutiao/databases/jqIqJYOT3JpT-journal
Filesize: 12KB
MD5: c93360a7e8bc3f29ec78da2e7c5420f8
SHA1: 2c0999bdb2342e9ca2abecd8055c5674fa0f4603
SHA256: 35f9977aabfc14ca96c85aff057744e161503a98fe14184ae780460b8ceb9709
SHA512: c077ca6162598a309e136ea989d53906267ab88ae11a2a8f172f02a6e57a4470c24fdb82454bbb7619ed301c9dcf76a1edf15737f5995eb25dadca621f352df9

/data/data/com.duocai.caomeitoutiao/files/Mob/mob_commons_1
Filesize: 2B (these are the digests of the two-byte string "{}", an empty JSON object)
MD5: 99914b932bd37a50b983c5e7c90ae93b
SHA1: bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA256: 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA512: 27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

/data/data/com.duocai.caomeitoutiao/files/Mob/share_sdk_1
Filesize: 23B
MD5: 8e24e79baab91c4d0604eaa9006a0cb3
SHA1: e427afc94a4b957a7096f73e395a10ea404c076b
SHA256: 65ee797326cb9d94a4c8b13fb114a7273d80af9ae547496bf56556c479f75e4d
SHA512: 45bde5e1b5da5e54f7f5baf24cf4d9158ccf5813f0babc05677437bfedf1d54c4707090a1c425089e8f9582a85fed80b25c1e1f30ec2051afc6fe68bb8a76bae

/data/data/com.duocai.caomeitoutiao/files/jpush_stat_cache_history.json
Filesize: 166B
MD5: 74986aa3b826211426fa779c00da2c38
SHA1: 62a4bcefd5577b4d791190cc7d894827a58d9bc7
SHA256: 13d16b35f9d171731def3e7f647a56fe6747e2c3b9474fd58c04c7617f8a8dc0
SHA512: 5807369322e17d58b282d440dbb84b98834556eb935f59cf1d950a73c4e9a5ac9a1db25cb41eab21dab5fe0a8172774725cfeec432afccddafebc6505cb44a97

/data/data/com.duocai.caomeitoutiao/files/jpush_stat_cache_history.json
Filesize: 340B
MD5: 30ff90078c1f9c4627ef6b52f7dc25b6
SHA1: 6d5617ae753312f4c0b3cc925b989d6d23a61ac6
SHA256: b85f9e7ba9775c4f9959d69aca67e8400a2e66f4e13bdc576128309897de7507
SHA512: 0982116dce45fc22485e18b128371574528186f0878e1b912e9e720db1c70398db5f0b915b8050a345c0f4208902eee7d9245d276e582ff6d52d6ec296ce3da2

/data/user/0/com.duocai.caomeitoutiao/app_libs/ymdex.jar
Filesize: 742KB
MD5: 9daeada774305a8e182827ec87f39946
SHA1: e310284ce0990602951ae27527daf9466b77f315
SHA256: 591486135eb9c5420007a46c8c77f5e125ca838d0bf665b0d79ceda43b090087
SHA512: 80a10fca88222d0dfc098c5b612ec5309810ce54dd58d7da2a6faf5b8a8ececfc24dc47f9629288f3950c5d58b8836543b431fb03e1c742c96ab286ea49bdc1b

/storage/emulated/0/Mob/.slw
Filesize: 66B
MD5: 19402718bfb1c685a726b4e1d846ad98
SHA1: 02a7e30044a67085f2f1da24e16e4ecfede65b72
SHA256: 079f790e6a1934a94542559f53a89a824aafd3173d956b6019291955aeeb33d0
SHA512: 25254318c22cfd301c8bcd479f45797d502b6ab5f14265dadfa3d87b4dd1942a629d3cbc2f0b600cf73b4fe910e3773432f56a0a7b4343e280e20c5a6af0320b
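The Downloads list is extracted in a flattened form (the path runs straight into "Filesize", and each algorithm name runs straight into its digest), and the same path appears several times because the sandbox records every version written during the run. The following Python is an added example (editor's code, not part of the report or the analysed app): it parses an excerpt of that flattened text, copied from this report, checks each digest has the length its algorithm requires, and then flags the three things an analyst looks for first in a dropped-file list: a path rewritten with different content, a file on shared external storage, and executable code written to app storage. The flag names and the external-storage note are the editor's, not the sandbox's.

```python
"""Parse the flattened Downloads block of this report and triage the dropped
files.  Editor-added example; RAW is an excerpt copied from the report, the
flags and their wording are the editor's."""
import re
from collections import defaultdict

RAW = """\
-
/data/data/com.duocai.caomeitoutiao/app_crashrecord/1002Filesize
243B
MD5fd60a593242dc77bb5ba33c3f4f3731e
SHA1ab41a132b922b05c333a8d2b8623a174eecc4be0
SHA25662a6e63c4d82ca25ffe47d3316dc73de05e515a3ebb08e27ae6dbdc39c893bf8
SHA512293afeab3ef06e72c7635929b9ade3dc830184bac146ff205988e14a4a2914d3bbe00ce13fa6380e353291211c32eb88d053c3a8d0e01e26a4bf60837c50f4f1
-
/data/data/com.duocai.caomeitoutiao/app_crashrecord/1002Filesize
58B
MD50d210bfb2a0e1f1b4c082a6a0f79de07
SHA1bb8ed9e364db79d1d9f2fcde3f15091893222faa
SHA256988722c23d78a46021d0e7ca9deee7aa8bb83288269174ffacb7316f381cca1d
SHA512536e9867b0df29b15b789f8949be6ab37fcdeccb9d39ded981da7dc2052c9533d0ec0e6f9a5444132977605d372e1463d91bdde41b528ff2ca3f65ab152325c1
-
/data/user/0/com.duocai.caomeitoutiao/app_libs/ymdex.jarFilesize
742KB
MD59daeada774305a8e182827ec87f39946
SHA1e310284ce0990602951ae27527daf9466b77f315
SHA256591486135eb9c5420007a46c8c77f5e125ca838d0bf665b0d79ceda43b090087
SHA51280a10fca88222d0dfc098c5b612ec5309810ce54dd58d7da2a6faf5b8a8ececfc24dc47f9629288f3950c5d58b8836543b431fb03e1c742c96ab286ea49bdc1b
-
/storage/emulated/0/Mob/.slwFilesize
66B
MD519402718bfb1c685a726b4e1d846ad98
SHA102a7e30044a67085f2f1da24e16e4ecfede65b72
SHA256079f790e6a1934a94542559f53a89a824aafd3173d956b6019291955aeeb33d0
SHA51225254318c22cfd301c8bcd479f45797d502b6ab5f14265dadfa3d87b4dd1942a629d3cbc2f0b600cf73b4fe910e3773432f56a0a7b4343e280e20c5a6af0320b
"""

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
# Longest algorithm names first so "SHA1" cannot swallow a "SHA256..." line.
HASH_LINE = re.compile(r"^(SHA512|SHA256|SHA1|MD5)([0-9a-f]+)$")
SIZE_LINE = re.compile(r"^(\d+(?:\.\d+)?)(B|KB|MB)$")
UNIT = {"B": 1, "KB": 1024, "MB": 1024 ** 2}
CODE_EXT = (".jar", ".dex", ".apk", ".so")


def parse_downloads(text):
    """Return one dict per dropped file: path, size in bytes and lower-cased
    algorithm -> hex digest.  A digest of the wrong length raises ValueError,
    the usual sign that a hash was truncated or merged with its neighbour."""
    records, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line or line == "-":
            continue
        if line.endswith("Filesize"):
            cur = {"path": line[: -len("Filesize")]}
            records.append(cur)
            continue
        if cur is None:
            raise ValueError(f"data before first path: {line!r}")
        m = SIZE_LINE.match(line)
        if m and "size" not in cur:
            cur["size"] = int(float(m.group(1)) * UNIT[m.group(2)])
            continue
        m = HASH_LINE.match(line)
        if m:
            algo, digest = m.groups()
            if len(digest) != HASH_LEN[algo]:
                raise ValueError(f"{cur['path']}: {algo} has {len(digest)} hex chars")
            cur[algo.lower()] = digest
    return records


def triage(records):
    """Flag paths whose content changed during the run, files on shared
    external storage, and executable code written to app storage."""
    by_path = defaultdict(list)
    for r in records:
        by_path[r["path"]].append(r)
    findings = []
    for path, versions in by_path.items():
        distinct = {r["sha256"] for r in versions}
        if len(distinct) > 1:
            findings.append((path, "rewritten", f"{len(distinct)} distinct contents"))
        if path.startswith("/storage/emulated/"):
            findings.append((path, "external-storage",
                             "shared storage, readable by other apps holding storage permission"))
        if path.endswith(CODE_EXT):
            findings.append((path, "dropped-code", "code that can be loaded outside the signed APK"))
    return findings


if __name__ == "__main__":
    for path, flag, note in triage(parse_downloads(RAW)):
        print(f"{flag:17s} {path}  ({note})")
```

On the full list the same logic flags app_crashrecord/1002, ThrowalbeLog.db-journal, bugly_db_-journal and jpush_stat_cache_history.json as rewritten, ymdex.jar as dropped code (the file the "Loads dropped Dex/Jar" signature reports being loaded by pid 5290), and Mob/.slw as the only artifact left on external storage; the length check is worth keeping because the flattened extraction gives no separator between the algorithm name and the digest, so a digest that lost a character would otherwise be copied into a blocklist unnoticed.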