Analysis
-
max time kernel
140s -
max time network
183s -
platform
android_x86 -
resource
android-x86-arm-20240514-en -
resource tags
-
submitted
22-05-2024 17:45
General
-
Target
6815176d7a3ece3b2c62af5c970c0188_JaffaCakes118.apk
-
Size
7.8MB
-
MD5
6815176d7a3ece3b2c62af5c970c0188
-
SHA1
57486f150dd6fb3fcb4706a12b975e71081b19f4
-
SHA256
6949fe5d05cca09e88ebc10abc5d6fd2bec9cfe40e08ca9495c027c66aeb03f6
-
SHA512
289be5cf1329800d27b64bafa13af90cd83f891e3def443126308d724b9d7e6e4997972b477dd3abf79b78d2aa2cb8178e2177ee78c1745acb4c4c53f75d51b3
-
SSDEEP
196608:dj3sDa1CHYjZnBdbOkSzh4qvlPLUE3yumlB479R:dj3kc/BAJmUFUE3MBW9R
Malware Config
Signatures
-
Checks if the Android device is rooted. 1 TTPs 4 IoCs
-
Checks Android system properties for emulator presence. 1 TTPs 7 IoCs
-
Checks CPU information 2 TTPs 1 IoCs
Checks CPU information which indicate if the system is an emulator.
-
Checks Qemu related system properties. 1 TTPs 7 IoCs
Checks for Android system properties related to Qemu for Emulator detection.
-
Checks known Qemu files. 1 TTPs 3 IoCs
Checks for known Qemu files that exist on Android virtual device images.
-
Checks known Qemu pipes. 1 TTPs 2 IoCs
Checks for known pipes used by the Android emulator to communicate with the host.
-
Checks memory information 2 TTPs 1 IoCs
Checks memory information which indicate if the system is an emulator.
-
Loads dropped Dex/Jar 1 TTPs 5 IoCs
Runs executable file dropped to the device during analysis.
-
Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
-
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
-
Checks if the internet connection is available 1 TTPs 1 IoCs
-
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
Processes
-
com.hanxing1⤵
- Checks if the Android device is rooted.
- Checks Android system properties for emulator presence.
- Checks CPU information
- Checks Qemu related system properties.
- Checks known Qemu files.
- Checks known Qemu pipes.
- Checks memory information
- Loads dropped Dex/Jar
- Queries information about the current Wi-Fi connection
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Checks if the internet connection is available
- Uses Crypto APIs (Might try to encrypt user data)
-
chmod 755 /data/data/com.hanxing/.jiagu/libjiagu.so2⤵
-
/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/data/com.hanxing/.jiagu/tmp.dex --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/data/com.hanxing/.jiagu/oat/x86/tmp.odex --compiler-filter=quicken --class-loader-context=&2⤵
- Loads dropped Dex/Jar
-
/system/bin/dex2oat --instruction-set=x86 --dex-file=/data/data/com.hanxing/.jiagu/classes.dex --dex-file=/data/data/com.hanxing/.jiagu/classes.dex!classes2.dex --oat-file=/data/data/com.hanxing/.jiagu/oat/x86/classes.odex --inline-max-code-units=0 --compiler-filter=speed2⤵
-
sh -c ps2⤵
-
ps2⤵
-
ps daemonsu2⤵
-
ps | grep su2⤵
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
/data/data/com.hanxing/.jiagu/.jgckFilesize
4B
MD5f4f8bb94baf85c357f03f72778575369
SHA1973aba883aba3c1d77499cf970a1781a18b7c3bc
SHA2560e52c31291eabad79cd2ebda9164d3ed91da85f668750572498dbe55cf7b0445
SHA512b29c9d0ac76523a3df77bcf1452e20065586e60219a2e2435bd07dcc9b4ae5705e56dcfd8f76c665495bce10eb8fd7e20a1a7b5b2469bc5aee915fcf5bf79fd5
-
/data/data/com.hanxing/.jiagu/classes.dexFilesize
4.2MB
MD533195bb83f536606f134da691b397754
SHA128351f7e0de3c56aae8b3af2634d8f785c005460
SHA25608957e959ebe72e250f2b43d20c0114c6c71af04866f0700741cfbb8b24a712c
SHA51266dd569655b7b1368d41dc579121b8b2c8b9f6d8f871b507696cc1b2bc9f6d9bc85dcbc61bab0a37909726628ca01e34d8de54d905fb50fc900f1021a9a34e1b
-
/data/data/com.hanxing/.jiagu/classes.dexFilesize
6.7MB
MD5d640f526ac432601e7e16453d4d687e3
SHA1b631e043729b3e3173dc95499a1a3cc5613f48d6
SHA2563161b68ffe1dfe3ef50eb56ecbf5050f14e2d917af780808c73297e83767fe36
SHA512297be995a0def827a7bbf1b24f2920e5bda0332f78aabfd14328efe94fe5d62d25d90c42ec83c643be3212fea4f343b60c762b0e255d5451d85804261fedbbd8
-
/data/data/com.hanxing/.jiagu/classes.dex!classes2.dexFilesize
963KB
MD5d0a272838b8f97d601137049684773e2
SHA18dfffef398bbcf0472fa266b62146c34a2baf90f
SHA256ba178a49fb79e3f6bac4f68d94c9d833194aec40aec0f342ca1b2c04bb40ebea
SHA512223e1bd2f70559daa8cd737ccd238b3108b8e67ed0fc0e049f3b41f972e2af11aaebd6ef26ce8b8cd076998bb5cc74e794a51f739f978881c448b69880b12a43
-
/data/data/com.hanxing/.jiagu/libjiagu.soFilesize
455KB
MD5e5a53000766ebc433b27d6a66ec4f555
SHA12c8f53f1c03aec2005bcad67d731f07261dabde0
SHA25678e4ea857f10c2df6c7b94f0584524b52ecc099ed29478fe3964037b8a86ed2e
SHA512370a1cb93b14556ad861724f4e9995c9a4c6d37cf2d570f888d1c6000c66d27ac63496b0703361e9fc9bc7f309b7aa4407c5f339d186b0a5b72520d23d04b68d
-
/data/data/com.hanxing/.jiagu/tmp.dexFilesize
284B
MD5f1771b68f5f9b168b79ff59ae2daabe4
SHA10df6a835559f5c99670214a12700e7d8c28e5a42
SHA2569f8898ce35a47aeafced99ea0d17c33e73037bb2307c7688e50819966f4ae939
SHA512dae27d19727b89bec49398503baa6801640540355688dfabbe689c97545295c2c2d9b0f0dcd7cbc4cfbf701d0c0c3289e647a152f49ff242d1ecc741efe4145d
-
/data/data/com.hanxing/app_crashrecord/1002Filesize
221B
MD52943e7141cc2cb710423dda191822831
SHA1c8c4de0de7c47efd190f97e9466781ee6dac4fb9
SHA256cd7f6a9fde1d5325846faedf4d098a81a19f7cdc16baadb28c5d275b4b5db08f
SHA512713851aaaf5e43e442f5c89fd3f6a1fcbc1037efb3aaba06a97264d45f830537faeec0d5027e2a6d0576865e2de311841981255720f4a6fbfd71aec715ec9d60
-
/data/data/com.hanxing/app_crashrecord/1004Filesize
221B
MD58bbaccbdb79b795a105bd0d4c2c5e048
SHA11051c5e9f46fef7415e44e1c4b08f4835d33b178
SHA25615864796a41c35f311cb0f40b7212b6304e5b01a7b57ecdc9770f9ce7e0ae550
SHA5124dd89058d0058d6dcec97075c2a62d582d7c3d75d52bc1464e25c3e850f57a097b7ad72085c9da1d177c2cdab9d10bcba9e1ec46c23dd16ed380b3c8d3577a9e
-
/data/data/com.hanxing/app_crashrecord/1004Filesize
58B
MD50d210bfb2a0e1f1b4c082a6a0f79de07
SHA1bb8ed9e364db79d1d9f2fcde3f15091893222faa
SHA256988722c23d78a46021d0e7ca9deee7aa8bb83288269174ffacb7316f381cca1d
SHA512536e9867b0df29b15b789f8949be6ab37fcdeccb9d39ded981da7dc2052c9533d0ec0e6f9a5444132977605d372e1463d91bdde41b528ff2ca3f65ab152325c1
-
/data/data/com.hanxing/databases/Application.dbFilesize
4KB
MD5f2b4b0190b9f384ca885f0c8c9b14700
SHA1934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA2560a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1
-
/data/data/com.hanxing/databases/Application.db-journalFilesize
512B
MD586adb493d2de4adf8cc324a53a54f5ba
SHA14149e24d38ec5f70cb6a2d94f9bd986135b42591
SHA256a361638c828b54cbba139dcba65cd58c5fc51ca16465175ecd820cf7b920caee
SHA5122157e8cb4ccdef8e165cad62c3f45b9e77a9621051007fa8228d788d93e85817c677a68e38b6911425f94ca6011d827baaa8338fd1df60fad43b2e6f266f1be8
-
/data/data/com.hanxing/databases/Application.db-shmFilesize
32KB
MD5bb7df04e1b0a2570657527a7e108ae23
SHA15188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012
-
/data/data/com.hanxing/databases/Application.db-walFilesize
20KB
MD53cf6cf897904fe1667cbc8368256de4b
SHA1722e8229ea2f08f74e05c332d6f8cab5eaad9f17
SHA25692e8e76ed2669c1f6f7b33627377b16dd029560222935104c2214e420a509c93
SHA5129cb18f1d89e7f323045505272b79ed00b61feb983e60310f193597f6e38168e97b9c7e299cfb4999a225936cd46c2ab4322d069e342cfb64c19f5a30333f34f5
-
/data/data/com.hanxing/databases/bugly_db_-journalFilesize
512B
MD50aadb6bb3202e7bde2bab78af9d1ec6a
SHA104eaef0c4b1f7925d7fcad532a7dca61e1b40d03
SHA256fe2a7cd39565b335dcaaa15dd1a2b54c135d4458c660e7789285bc97075f5366
SHA512492b1e3b2506298b33ccc780c61899ae5a50af36cc6a08975215ee3f26742bcb611afb7e497b0b06feda486ab8d2fa32a363862fa26e989093ca0d2b912be355
-
/data/data/com.hanxing/databases/bugly_db_-walFilesize
76KB
MD5e3d63c16dac974c59150cedd545be9dd
SHA1dddfdb191cf62b5baf3e8b38259ac8a5e84d58a9
SHA25692bdca250f6bd689844b849d15961df5b06e09194cb469e2f8d20ecce31f3d87
SHA5120948435fb9e4340a9918191b10bbfffce9c1c71b6634e4285cf4e54ac4ddd299d483c30e112ee7327d70078ddca468e40e9c953c55be6f341c61ffd020ca09aa
-
/data/data/com.hanxing/files/.jglogs/.jg.acFilesize
40B
MD5d710f32e942d58e1560431faa294d64e
SHA1eff1beb62282aae59b61de9197b0ceeb0c92331e
SHA2569c6692bd2cb0ae733e8c77450c87574ac419c92bdb23f92726cd019f6ec713ea
SHA5121866bbffe7dcb8f7d218c351cb18bf5733ed81ba3aaf6491cf56974006a228dd8ac75587e137b7a731c594f23c249cdd8135b7b1eac0259c9bb952ac68210b93
-
/data/data/com.hanxing/files/.jglogs/.jg.acFilesize
40B
MD5b9c3d2eeab2b938978303c16928d58b5
SHA122d098459ac9d3828c8394c241712410a15ffbe9
SHA2560806b04afc3a5d82c6dc311d49a1ba27e25a774b0641c4b67542be546deddb27
SHA512bd0e1898cce3090fe7fe0fdefe94d415dc35d7af278a30ae97fe7772d593c40004408bac83535e29cf292bd15b6b769a86459eac1edd97c6a2f0640657194abe
-
/data/data/com.hanxing/files/.jglogs/.jg.diFilesize
340B
MD5df5a4bfce2c9cdd0b9ec307aaf079cfc
SHA1fdc3fa59c57249792c08bb74f876aa1e099e6074
SHA25662fb048e3f2d72d55b7b7caaea9c698714317b485a1339416b3d6984baecd8eb
SHA5124001c775dabb5760a497f11ea423f92e85bbb7da984f5cd7a3376e2f1eadf6041c1c45ddea8fe6dd3065494c72bbc27c32155333a674ae023482d1d8553ed6ad
-
/data/data/com.hanxing/files/.jglogs/.jg.diFilesize
340B
MD5f15fee74d7b06ad8712c4c2c99c60935
SHA11cc4f4362e2746d404bf151c52d632277e94734d
SHA2566f7ab5a6bcc9fdf5fd6a3eb7a3fb9e0cfdbca9224db7c090f60bc23a3b610622
SHA512729ddbe1bae0660160b66a31ebc364d47728985f16ac7dcc1e8708b394ff5ad6330a9dedfd4e043a8b23b84244d6146a877dfbd1e7d78c2f7cfccd8154512c76
-
/data/data/com.hanxing/files/.jglogs/.jg.icFilesize
40B
MD5e8a832c65d3b9719b6d9b2d46e4d66de
SHA14a950baf6248f1fe9b2cb3b96bb97e6457866fbe
SHA25683566bb1799ee3a770806cf671e8a7de5edfad415f60064413ee32c26492aff3
SHA5128b7d3773196218f46cbfe535e3687e2ebaca4a77f23623f6a88a6dbd217a85e8ace9b5aeee69b744f6d71467db0f826a0635ae7cfb574613a019320d4cdb54c9
-
/data/data/com.hanxing/files/.jglogs/.jg.riFilesize
314B
MD5a2f7e2e416c9989bc4ce5f916d8424cc
SHA1f00bb422b1388e98c65345b10f669f5bc8813b19
SHA256e0d94e310d1897889dde6630422061cbf99a36a62ab22bd4abcd6b3731f62545
SHA512673323b549de640b55583b6232a9348386c96636d152f0ad500b5bdd938a7af4a8a8606b5df1dc5ac65f67b6288f6b53c007986c8c5ca0d412492d9c22977768
-
/data/data/com.hanxing/files/.jiagu.lockFilesize
27B
MD59390c8bdb8bd097d4a5fe28bbc71bf5a
SHA10993cd95d964ca3d797210677013471d61642969
SHA256f5e882f913b9968733b918a290c46728c44d34ff198a76f2a5adbd2ef2772e42
SHA512108ebe22e048beece8f0011bcf9bf9c549007dd12c85d57b68374ade319a60b48e7d97af43994dae073333d8e654a87a153ba87ff2f02109e43a9cfcaf075d3d
-
/storage/emulated/0/360/.deviceIdFilesize
48B
MD51d8d16c4e3b19ebf18988530d9b9a757
SHA1bc94c1cce05cd848a53271ecb9c5311e27ffebf5
SHA256abd87140da8de3d0aa39a24a8d52bfe7b2eb28f7a3d505f205471c7e8f4964d7
SHA5124562d1eedbc5c2dd7f25cd1c70343053fd451026403585182b142a64f17016c1bd0bf6ad51667b439b220e425640e55fbbda08517e7106376cdc220a4555da82
-
/storage/emulated/0/360/.iddataFilesize
32B
MD581ac5f26be4b9adecc439c07931cd61c
SHA16b40be3e9754a4e47d43c676483d4e202b94a846
SHA256d761ae70327694ed1d19039690650c6d1abe88f3b34b8ee49248865ade6e4607
SHA512bd137d696c06221cf71bd612dd4a8812eb384674c2878bbc272ed2b4440a5c415b91d4715d148a37384a8ceb0a93e87213c9e54b55e4a81abd64201229c7fc18
-
/storage/emulated/0/Android/data/com.hanxing/cache/uil-images/journal.tmpFilesize
31B
MD58c92de9ce46d41a22f3b20f77404cc1d
SHA18671a6dca00edb72be47363a7071be65cf270373
SHA25668bb33ddeed9200be85a71f70b377985f9ee68e91578afbde8321463396f1274
SHA51230f45fe9954215d6adafcc8f0a060a7ff41963a64f9b849a37f0d18fe045038d429ec13bf15226769c4ba78dad3c52f3d9e0dbbb4fcdea4828a1efe956e48f56