1b14907b70f5c159ce7927d674ed80700e38befbc9177196b4a065a3aa641a5c

Analysis

max time kernel
179s
max time network
186s
platform
android_x86
resource
android-x86-arm-20240514-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20240514-enlocale:en-usos:android-9-x86system
submitted
22/05/2024, 16:47

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

67ee22e185c0f2296ce5205d33f8419c_JaffaCakes118.apk
Size

10.4MB
MD5

67ee22e185c0f2296ce5205d33f8419c
SHA1

e46597cbf74310d57fb3e4f030765b8c5d768211
SHA256

1b14907b70f5c159ce7927d674ed80700e38befbc9177196b4a065a3aa641a5c
SHA512

f0b15f5b748de58b4ddf219d8ac42f128493e4934f7dcfced7fcea9b7826077f8b0046f5aebc4a95f16879d0f94b1b2387d7ea6504bf96068f0141533d200517
SSDEEP

196608:+VA9uBg1fAjdsDa1iHE9tKftrzfrTfEVmIQD/+ilOx6jow78AzupE3LcSCeKk/9:XuuajdkcGftHrTfEEnD/+6OVAJglNG9

Score

8^/10

banker collection discovery evasion impact persistence

Malware Config

Signatures

Checks if the Android device is rooted. 1 TTPs 4 IoCs

evasion

System Information Discovery

T1426

ioc	Process
/system/xbin/su	net.joydao.shc:remote
/system/bin/su	net.joydao.shc
/system/xbin/su	net.joydao.shc
/system/bin/su	net.joydao.shc:remote

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001

Requests cell location 1 TTPs 3 IoCs

Uses Android APIs to to get current cell information.

collection discovery

Location Tracking

T1430

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getAllCellInfo	net.joydao.shc:remote
Framework service call	com.android.internal.telephony.ITelephony.getCellLocation	net.joydao.shc
Framework service call	com.android.internal.telephony.ITelephony.getCellLocation	net.joydao.shc:remote

Loads dropped Dex/Jar 1 TTPs 12 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/data/net.joydao.shc/.jiagu/classes.dex	4298	net.joydao.shc
/data/data/net.joydao.shc/.jiagu/tmp.dex	4298	net.joydao.shc
/data/data/net.joydao.shc/.jiagu/tmp.dex	4379	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/data/net.joydao.shc/.jiagu/tmp.dex --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/data/net.joydao.shc/.jiagu/oat/x86/tmp.odex --compiler-filter=quicken --class-loader-context=&
/data/data/net.joydao.shc/.jiagu/tmp.dex	4298	net.joydao.shc
/data/data/net.joydao.shc/z_ij_d_p/ij.dex	4298	net.joydao.shc
/data/data/net.joydao.shc/.jiagu/classes.dex	4569	net.joydao.shc:remote
/data/data/net.joydao.shc/.jiagu/tmp.dex	4569	net.joydao.shc:remote
/data/data/net.joydao.shc/.jiagu/tmp.dex	4569	net.joydao.shc:remote
/data/data/net.joydao.shc/z_ij_d_p/ij.dex	4569	net.joydao.shc:remote
/data/data/net.joydao.shc/z_ij_d_p/ij.dex	4569	net.joydao.shc:remote
/data/user/0/net.joydao.shc/app_bwap_1/p.dex	4569	net.joydao.shc:remote
/data/user/0/net.joydao.shc/app_bwap_1/p.dex	4569	net.joydao.shc:remote

Queries information about running processes on the device 1 TTPs 2 IoCs

Application may abuse the framework's APIs to collect information about running processes on the device.

discovery

Process Discovery

T1424

description	ioc	Process
Framework service call	android.app.IActivityManager.getRunningAppProcesses	net.joydao.shc
Framework service call	android.app.IActivityManager.getRunningAppProcesses	net.joydao.shc:remote

Queries information about the current Wi-Fi connection 1 TTPs 2 IoCs

Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

discovery

System Network Connections Discovery

T1421

description	ioc	Process
Framework service call	android.net.wifi.IWifiManager.getConnectionInfo	net.joydao.shc:remote
Framework service call	android.net.wifi.IWifiManager.getConnectionInfo	net.joydao.shc

Queries information about the current nearby Wi-Fi networks 1 TTPs 1 IoCs

Application may abuse the framework's APIs to collect information about the current nearby Wi-Fi networks.

discovery

System Network Connections Discovery

T1421

description	ioc	Process
Framework service call	android.net.wifi.IWifiManager.getScanResults	net.joydao.shc:remote

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 2 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	net.joydao.shc
Framework service call	android.app.IActivityManager.registerReceiver	net.joydao.shc:remote

Checks if the internet connection is available 1 TTPs 2 IoCs

discovery

System Network Connections Discovery

T1421

description	ioc	Process
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	net.joydao.shc
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	net.joydao.shc:remote

Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422

Listens for changes in the sensor environment (might be used to detect emulation) 1 TTPs 1 IoCs

evasion

User Evasion

T1628.002

description	ioc	Process
Framework API call	android.hardware.SensorManager.registerListener	net.joydao.shc:remote

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 2 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	net.joydao.shc
Framework API call	javax.crypto.Cipher.doFinal	net.joydao.shc:remote

net.joydao.shc
1⤵
- Checks if the Android device is rooted.
- Requests cell location
- Loads dropped Dex/Jar
- Queries information about running processes on the device
- Queries information about the current Wi-Fi connection
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Checks if the internet connection is available
- Uses Crypto APIs (Might try to encrypt user data)
PID:4298
- chmod 755 /data/data/net.joydao.shc/.jiagu/libjiagu.so
  2⤵
  PID:4324
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/data/net.joydao.shc/.jiagu/tmp.dex --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/data/net.joydao.shc/.jiagu/oat/x86/tmp.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4379

net.joydao.shc:remote
1⤵
- Checks if the Android device is rooted.
- Requests cell location
- Loads dropped Dex/Jar
- Queries information about running processes on the device
- Queries information about the current Wi-Fi connection
- Queries information about the current nearby Wi-Fi networks
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Checks if the internet connection is available
- Listens for changes in the sensor environment (might be used to detect emulation)
- Uses Crypto APIs (Might try to encrypt user data)
PID:4569

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Hide Artifacts

T1628

User Evasion

T1628.002

Credential Access

Discovery

Location Tracking

T1430

Process Discovery

T1424

Software Discovery

T1418

Security Software Discovery

T1418.001

System Information Discovery

T1426

System Network Configuration Discovery

T1422

System Network Connections Discovery

T1421

Lateral Movement

Collection

Location Tracking

T1430

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/net.joydao.shc/.jiagu/classes.dex

Filesize
3.2MB

MD5
c31516eec839d612a65576f4ed80591e

SHA1
03c3b832e4b895957f181311101d9b8c79a2deb8

SHA256
2e1d21ee59fd8da3054f9d83f3e3ef8a0cf9be20cb856a85ba7528805ff005d2

SHA512
0ec41177689a9eb6ae493e1b5709ae8a667f93dcc9fb9375452cc708f4a16b378eb008a37b40d18631f631da7195847430209cc7fd8068c94cc97fbde13c16f6

Download Submit
/data/data/net.joydao.shc/.jiagu/classes.dex

Filesize
6.0MB

MD5
afafe51606a32183daccb316e4d3bfe5

SHA1
ecafbcec2e58b7eef0eb6345c48fbb3acc5dad0e

SHA256
7a084df17084e834b85b402a7a36dda85362bdb94b73aac2dd17959310d2d9a7

SHA512
7318c7bf5c3ea77ee84d751fbda4cf534753c44d8cc51b1b032c9d8c072f5f2cc7cf27d15e3304c6080afb5f27ac35307423346942d8b7e64401e373cfdd542b

Download Submit
/data/data/net.joydao.shc/.jiagu/libjiagu.so

Filesize
455KB

MD5
e5a53000766ebc433b27d6a66ec4f555

SHA1
2c8f53f1c03aec2005bcad67d731f07261dabde0

SHA256
78e4ea857f10c2df6c7b94f0584524b52ecc099ed29478fe3964037b8a86ed2e

SHA512
370a1cb93b14556ad861724f4e9995c9a4c6d37cf2d570f888d1c6000c66d27ac63496b0703361e9fc9bc7f309b7aa4407c5f339d186b0a5b72520d23d04b68d

Download Submit
/data/data/net.joydao.shc/.jiagu/tmp.dex

Filesize
284B

MD5
3481cbaae8f0b04a4ce59c4db8433fb9

SHA1
1a3d91c93f8e434e01b7b2181b48d2fdb73cf6f7

SHA256
b3230e035beff10aee7cac1e4c275d91cf168bf9c8375b4ed191c424e88b703a

SHA512
4d2fe64fdfd93c0fc100820605e5c6bf2841efcdeaa0d9147941e38c3a07466fabdf8d9ab7d2b119c53fe24a919a92aadda4561df80eb29abca0ac3dd9946a93

Download Submit
/data/data/net.joydao.shc/.jiagu/tmp.dex

Filesize
284B

MD5
f1771b68f5f9b168b79ff59ae2daabe4

SHA1
0df6a835559f5c99670214a12700e7d8c28e5a42

SHA256
9f8898ce35a47aeafced99ea0d17c33e73037bb2307c7688e50819966f4ae939

SHA512
dae27d19727b89bec49398503baa6801640540355688dfabbe689c97545295c2c2d9b0f0dcd7cbc4cfbf701d0c0c3289e647a152f49ff242d1ecc741efe4145d

Download Submit
/data/data/net.joydao.shc/databases/ut.db

Filesize
4KB

MD5
dc6bc5cb0c8ee6a9f907ad84f282d669

SHA1
9d0763ee54f81c7352efedbedf9dcc9e65604b75

SHA256
061265b54488ec29f1dcfda85cdfe4f20ca788b2133b51fcfa172ebfcbe57e2a

SHA512
28a82405634c775b3602bd970eb57f5ce20605ca4b2f10628071a1b2be86924cc86dc9f242f9ab7da5a7d12dd8b4056d507d0e14a3e81bd7d5d4196cc7222f4b

Download Submit
/data/data/net.joydao.shc/databases/ut.db-journal

Filesize
512B

MD5
5dcd090f0c45860c5edfe5280a61d340

SHA1
573f81e847b1c89aa335fc05aa89899459efac24

SHA256
ed19b413711bb0b372b22f5f0c3d982c2abae71ae4b3cd422a965ffb73a7a88c

SHA512
5a02f34ecc095426183b31fa4baee30e73a328f0f59acf59233be8c07068b324c94992e725df4c35b3b304b04dfc2ce60627fed96c6c0f307a2a27d56a7b2b0b

Download Submit
/data/data/net.joydao.shc/databases/ut.db-shm

Filesize
32KB

MD5
bb7df04e1b0a2570657527a7e108ae23

SHA1
5188431849b4613152fd7bdba6a3ff0a4fd6424b

SHA256
c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

SHA512
768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Download Submit
/data/data/net.joydao.shc/databases/ut.db-wal

Filesize
12KB

MD5
6df70bc5150497b4432b7f20dce0a031

SHA1
b68e1ef680dd8f6fe1d33864e0afe028d0ccfaff

SHA256
6e1608366e1c4c08aba7ecec9171839df257b4182eb23b7f24715ecd35740b73

SHA512
ffd6273f6e93e8030792ad10795140e5114ff9f2e69b97ca78fec0e4f1355a196782890adad0240600b21a076eb8da2f9a8cc05c5cffc5e345bed72360a0a305

Download Submit
/data/data/net.joydao.shc/files/.jglogs/.jg.di

Filesize
340B

MD5
f58c988c0694a17961a2343790bdd86b

SHA1
180ce64d0d3040bf53f7e3e174146a880812ad45

SHA256
15a12231d6080e927af90a3ed43a66e5f32e8dca12413f14825837c675b96d5a

SHA512
480afd3045c1a3d1d47413f9d226fb899c170ac6f418c6b38e98ccf07ed7b045060f9e1f12ab537c4d8c056580b071fa6828d9bba3d575bbc95187e5d95187d0

Download Submit
/data/data/net.joydao.shc/files/.jglogs/.jg.ri

Filesize
314B

MD5
c137d335d8b4fd75c296ea05a7dba7c0

SHA1
5d8edb2517331c2a24852558470086f889c2c1d1

SHA256
7394e382d18885ca4e8def16908dc714c196b4bcef9598a32bf92a4fe3b21c8c

SHA512
7cfbb8e0392d51515d3f0a5f8891b1d187e70ba465b02d3240112de734363fc69e1098b0c7e98563b05f4dfa2e010ec16acaa777be0cf7eff2b33222b862e52d

Download Submit
/data/data/net.joydao.shc/files/.jiagu.lock

Filesize
27B

MD5
0c0d342adb466469e6fbf4aa1056bfbe

SHA1
270b5c6261caec6614ee6112057300c273e09f63

SHA256
f4cc0be23d4bccd6407e9e8eae6688448667e5923a18f38469e3b9727880ec35

SHA512
7fa8b821009845f1c267e1b76bab2b70b90f53cec5528fc5d55566a0952a29e043aee94b5457bdf6922bac80671ad61acecbafe5698e3d4c7e3f19fe357adc11

Download Submit
/data/data/net.joydao.shc/z_ij_d_p/ij.dex

Filesize
9KB

MD5
9f3d660a039b3c0a5a85b415ae0743e5

SHA1
71064e72eaf0b3faaf174ce0c5db8b63a9e45d55

SHA256
3e5e0d1b1c2b140fedaa3ba799e5a944c29e6270631739012517cd795af2edc7

SHA512
460c8a4060a2e966f022bdb5b6ef8629c12ac6e82040667729979de5754301c1e804837cd77a4b1d42b25a8319b80f225aca8d35b6d8824706d3d9b4f9a31b1b

Download Submit
/data/data/net.joydao.shc/z_ij_d_p/ij.dex

Filesize
9KB

MD5
b6607728b4168c1e47b4cc47c54db43e

SHA1
f574052b15a41afb21a9cfe07e39bbfedef8c89b

SHA256
5118e52e1f7e81a436714b401a7f659d09c4b3ed80bc85c0466811b3a19058d5

SHA512
83dd9b6e46048fc4ceec1a84cd39160aaa511dcb9fffedaa5b2b8eba300945629a8cb7d260156152cb4b5aad45fa141b545d47670c79283d1557554fcd500199

Download Submit
/data/user/0/net.joydao.shc/app_bwap_1/p.dex

Filesize
98KB

MD5
176589d2ff919fff3f1e1ce68941eb11

SHA1
eb947351d9a8f3926a865f01f1c1d8eb5cba6106

SHA256
6f9da6f2a50d2e89cd978c1d82f450aa0bb6925f3ad58c3e2d23edd52e9d8611

SHA512
82e2b06b2c229b19c75200e1cb07695f49552813ed59e3bf276e2983e4d38ae4b9652c0a687b14d93095c93d35813569375e9c049b638478bd9a3188f840b927

Download Submit
/storage/emulated/0/.DataStorage/ContextData.xml

Filesize
98KB

MD5
befeaf7ca1ad1eb4c6597fd18de4f5ad

SHA1
c02cbf8fad5cb84acb58b826165f2725f2287728

SHA256
c7362e6b8d3a672a4d930bda5722e54494d125b0d380012b2bb0e2c43aca885b

SHA512
21c15923a646742347a500b939e27a872544c5e0585a7d1bce0e8f6d6fdc08f07ab50aaa9419e14f329716ff6e4e17de5a9bcd6afc38ef67fcad984db8557958

Download Submit
/storage/emulated/0/.DataStorage/ContextData.xml

Filesize
111B

MD5
c038d747ae4913bd110cee3f51816bc7

SHA1
44cfc435db951ed9c52668ed6780a091a1302a3e

SHA256
fd8b415c207a9f7f69b1c59b4ffa98e88efd0d22d629c4a79f3ea6f019f5a73c

SHA512
fba3d47a2bf2e02e33e99835c07e2dc8bd45181e66aaadad4a00ae05ae1ec54b7fd598fb73acc2f178a80a07aa715a69295f1b72c5fd7caa66a4e0f8c1c81d16

Download Submit
/storage/emulated/0/.DataStorage/ContextData.xml

Filesize
213B

MD5
f3127368868d8bf9949a5caa2153b584

SHA1
f9626141d4c5987cd0a03f59806e79a2fb3b5fdb

SHA256
dfdef9649b676d4a64d7bc6d7728c96b0d4930ca4c656218e7b12f5058785a96

SHA512
491f3fd086c45714b943fe581992b9c96da13d9249de1b27e44832c513c0f36d880e4065c1afc298a1e61e691d46363ce1c30d0a94b28295d13e2cc7a3072863

Download Submit
/storage/emulated/0/.UTSystemConfig/Global/Alvin2.xml

Filesize
8KB

MD5
3c10187f82f879580cc0b6825e46edd7

SHA1
61d697d5255f1109435812dda095f6365d710969

SHA256
df701777e822fb5669de445a4ad10172a58d403b1d5e8639e4d8c3cddce4720b

SHA512
1fa6ad1308f62d5895df67daa2ee83ebeb63c91795a2d6760bc5ac9ad3bb8d4de24dbd246f81f1c3d34a07ff2e2446707047d4ab1bad9152081bb97186aa908d

Download Submit
/storage/emulated/0/.UTSystemConfig/Global/Alvin2.xml

Filesize
20KB

MD5
2d680d3be5a4f928113823c184f0ac27

SHA1
ecf02580ea74b562355f6dbd58a87a671b8a4dfe

SHA256
0eded1fe7cbe3d75c45f74f6ae5d9f1446195bf6c65dfac5cd3dba3ba9e2a51b

SHA512
64969293cb21d5ac4d2fa20cc700b0ca000a20b6d0d81a2bbe076ce7cc80b6b82c9143f5e3a20bcaa01970ac7bba9a115cedbf4d5c8ce91cc80b91b87be6c764

Download Submit
/storage/emulated/0/.UTSystemConfig/Global/Alvin2.xml

Filesize
167B

MD5
8e514881d62c3e3086a0d8d8c8b7d7b6

SHA1
3b388ad68b3a2ea2640264e5be93e51fbece947f

SHA256
354bf88526ff036ed5a056e5bfab2c4087e59eca847b2af76430e93ca10fc8ef

SHA512
a79d5172f6c1a82cc2d952f5404f86dc05a41170a548328279dc893f2244a2bffc869371984f4b1aa76e545e8e297d57fea12b5f4a89ec73d01941f06db0cf9d

Download Submit
/storage/emulated/0/360/.deviceId

Filesize
96B

MD5
bfddcecb8c7b09e4493a1e5e88ced1e9

SHA1
08b20677a198ef9146bd1e42faf39840e982067a

SHA256
4be7f93d7789f06f254f23bcad035196a70097afec7eee131152b905f955db80

SHA512
38a1b1071fdea1aac6472c2a8f49159b75158b401c20fde32774307924a966d938d5cb80e3dce17a694e4c32548cb0971ab27f5cb5017015f0795e7a12724a80

Download Submit
/storage/emulated/0/360/.iddata

Filesize
32B

MD5
d81fce06f21da6a1fef96ed7ec5ce475

SHA1
34bdaf50149e83e525efc065e57933c5277cc038

SHA256
34d65ab522c7216a41aabbbbb6d5007f9e2dacbc542118402de6406a79443b37

SHA512
cc02149aae4c46733f9c9851b842288b579dce6eb502a49e9b85f387420940d9397aa4ed66044d783056cb6509e162152e6aa139f177dd77fdfed71e87e33591

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads