cb81a06c056a438ccf9ceb4a3db5e8e2d43c96e01d5ad5290c2552d896c3f0bb

Analysis

max time kernel
70s
max time network
138s
platform
android_x86
resource
android-x86-arm-20240514-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20240514-enlocale:en-usos:android-9-x86system
submitted
22-05-2024 19:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6864b12ccf68093159ff1e9d771bc716_JaffaCakes118.apk
Size

6.5MB
MD5

6864b12ccf68093159ff1e9d771bc716
SHA1

be6dc2ef5814df66151245a3004f77d7430a4b9d
SHA256

cb81a06c056a438ccf9ceb4a3db5e8e2d43c96e01d5ad5290c2552d896c3f0bb
SHA512

6203866e5c822d271cf3565ee5fcf68460ca736568d994483ad45b63d6da551ac57d291bee2a9051ab13eddde96416d12f04eafa675750f2183f46b2a25797e3
SSDEEP

196608:s/zcWNvDF+ulf8v0KZQEnyJg6uyHcuw7H2WM:SND+ZygdyI7HJM

Score

8^/10

banker discovery evasion impact persistence

Malware Config

Signatures

Checks if the Android device is rooted. 1 TTPs 6 IoCs

evasion

T1426

Processes:

com.zydm.ebk

ioc	process
/system/xbin/su	com.zydm.ebk
/data/local/su	com.zydm.ebk
/data/local/bin/su	com.zydm.ebk
/data/local/xbin/su	com.zydm.ebk
/sbin/su	com.zydm.ebk
/system/bin/su	com.zydm.ebk

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

T1418.001
Checks CPU information 2 TTPs 1 IoCs
Checks CPU information which indicate if the system is an emulator.
evasion discovery

T1633.001

T1426

Processes:

com.zydm.ebk

description ioc process

File opened for read /proc/cpuinfo com.zydm.ebk
Checks memory information 2 TTPs 1 IoCs
Checks memory information which indicate if the system is an emulator.
evasion discovery

T1633.001

T1426

Processes:

com.zydm.ebk

description ioc process

File opened for read /proc/meminfo com.zydm.ebk

description	ioc	process
File opened for read	/proc/cpuinfo	com.zydm.ebk

description	ioc	process
File opened for read	/proc/meminfo	com.zydm.ebk

Loads dropped Dex/Jar 1 TTPs 5 IoCs

Runs executable file dropped to the device during analysis.

evasion

T1407

Processes:

com.zydm.ebk/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/data/com.zydm.ebk/.jiagu/tmp.dex --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/data/com.zydm.ebk/.jiagu/oat/x86/tmp.odex --compiler-filter=quicken --class-loader-context=&

ioc	pid	process
/data/data/com.zydm.ebk/.jiagu/classes.dex	4275	com.zydm.ebk
/data/data/com.zydm.ebk/.jiagu/classes.dex!classes2.dex	4275	com.zydm.ebk
/data/data/com.zydm.ebk/.jiagu/tmp.dex	4275	com.zydm.ebk
/data/data/com.zydm.ebk/.jiagu/tmp.dex	4306	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/data/com.zydm.ebk/.jiagu/tmp.dex --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/data/com.zydm.ebk/.jiagu/oat/x86/tmp.odex --compiler-filter=quicken --class-loader-context=&
/data/data/com.zydm.ebk/.jiagu/tmp.dex	4275	com.zydm.ebk

Queries information about running processes on the device 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about running processes on the device.
discovery

T1424

Processes:

com.zydm.ebk

description ioc process

Framework service call android.app.IActivityManager.getRunningAppProcesses com.zydm.ebk
Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
discovery

T1421

Processes:

com.zydm.ebk

description ioc process

Framework service call android.net.wifi.IWifiManager.getConnectionInfo com.zydm.ebk
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
persistence

T1624.001

Processes:

com.zydm.ebk

description ioc process

Framework service call android.app.IActivityManager.registerReceiver com.zydm.ebk
Checks if the internet connection is available 1 TTPs 1 IoCs
discovery

T1421

Processes:

com.zydm.ebk

description ioc process

Framework service call android.net.IConnectivityManager.getActiveNetworkInfo com.zydm.ebk
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
impact

T1471

Processes:

com.zydm.ebk

description ioc process

Framework API call javax.crypto.Cipher.doFinal com.zydm.ebk

description	ioc	process
Framework service call	android.app.IActivityManager.getRunningAppProcesses	com.zydm.ebk

description	ioc	process
Framework service call	android.net.wifi.IWifiManager.getConnectionInfo	com.zydm.ebk

description	ioc	process
Framework service call	android.app.IActivityManager.registerReceiver	com.zydm.ebk

description	ioc	process
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.zydm.ebk

description	ioc	process
Framework API call	javax.crypto.Cipher.doFinal	com.zydm.ebk

com.zydm.ebk
1⤵
- Checks if the Android device is rooted.
- Checks CPU information
- Checks memory information
- Loads dropped Dex/Jar
- Queries information about running processes on the device
- Queries information about the current Wi-Fi connection
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Checks if the internet connection is available
- Uses Crypto APIs (Might try to encrypt user data)
PID:4275

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/data/com.zydm.ebk/.jiagu/tmp.dex --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/data/com.zydm.ebk/.jiagu/oat/x86/tmp.odex --compiler-filter=quicken --class-loader-context=&
2⤵
- Loads dropped Dex/Jar
PID:4306

sh -c ps
2⤵
PID:4445

ps
2⤵
PID:4445

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.zydm.ebk/.jiagu/classes.dex
Filesize
4.9MB

MD5
47ce906e675d3957522a9e9d17101bdb

SHA1
696a93423bb1e4633c5e239ef3da3f12d2d11f61

SHA256
1b179e9f44ecd576ee419f1e4579c4410ed5c854c8f398b7e0aee33cac1cbaf9

SHA512
4e3e51ace657ec66505f3230783904020f607b2eea0e4051d7b055767948b1858b546319c45df07d246e894cc2af2f2c63fdd6e6fadfa97a9bfd3ced8aeea108

Download Submit
/data/data/com.zydm.ebk/.jiagu/classes.dex!classes2.dex
Filesize
4.8MB

MD5
f7fd791bf3f89d69633cb102c7954f85

SHA1
d0a0519199c46dd88a2ff701db6daeefb6df8d1f

SHA256
fa3be5e823cf11f0908f91109d753d1335409210850acf373b583f465c0267e7

SHA512
0f8ecd853bdd057fbd6c85dbafab1a1ed6716f4c858191669c447a0c5102e37fe03735f0f08210151f0e75427a46d882cb97443efcc21e6786d71764140aa70f

Download Submit
/data/data/com.zydm.ebk/.jiagu/libjiagu.so
Filesize
497KB

MD5
e102893683a16d223c852ac584155d58

SHA1
5560d79d71fb1951d6ab0a464af87429a4933c2b

SHA256
41c76fbc6aabf843f22a1cf49a457bb99a7579b7260e46b2841c30afd82523c8

SHA512
3129498f917661361bc9a0eaba6b7b6490c2216e19dd7cc802b1f2f22fc16ae43b86a7ca97273cd2e2504a7e7e08a173daac34f5085a21ffd4ac1d84e76cb8ab

Download Submit
/data/data/com.zydm.ebk/.jiagu/tmp.dex
Filesize
284B

MD5
f1771b68f5f9b168b79ff59ae2daabe4

SHA1
0df6a835559f5c99670214a12700e7d8c28e5a42

SHA256
9f8898ce35a47aeafced99ea0d17c33e73037bb2307c7688e50819966f4ae939

SHA512
dae27d19727b89bec49398503baa6801640540355688dfabbe689c97545295c2c2d9b0f0dcd7cbc4cfbf701d0c0c3289e647a152f49ff242d1ecc741efe4145d

Download Submit
/data/data/com.zydm.ebk/databases/download_mgr_info.db
Filesize
16KB

MD5
5def1c711f8eea9f0d390e9d41be624e

SHA1
5cbb2d423fd0da1c4f17a8a461b53393b2df99c7

SHA256
4dd1983edf1973248db223cd6bc6c242847b02c24382c5a04eb7af036fe4db87

SHA512
efd6c1d9bcc36258bd3f303fb8a3bc1f46649facc9e54a79af94c5a88173f0cfa5e805380fccd315e0d9c5e238d1f53363bc6f6b04340981665e7638efabf1a5

Download Submit
/data/data/com.zydm.ebk/databases/download_mgr_info.db-journal
Filesize
512B

MD5
af576d65d2f91b601142e3d6a9e2b9a7

SHA1
db261a4be2c65c061c408333e0a812759aab198d

SHA256
e9e1378cfd9e49942fcfdc5b6097fba767cd9aec23eda8270b19a1c09e076f8d

SHA512
0b18a30774838d2ba778657081cd91a7b39c96738e775f7796635859216e2eb2a8dd73071421154071f71f18e058d628bc31b6fd93c2accbe86e9eae1ca15685

Download Submit
/data/data/com.zydm.ebk/databases/download_mgr_info.db-shm
Filesize
32KB

MD5
bb7df04e1b0a2570657527a7e108ae23

SHA1
5188431849b4613152fd7bdba6a3ff0a4fd6424b

SHA256
c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

SHA512
768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Download Submit
/data/data/com.zydm.ebk/databases/download_mgr_info.db-wal
Filesize
28KB

MD5
fd7f14a4cf33ef10a3f103dc3536356d

SHA1
e4effb3fbcb75f3aeecb24d22fc773f1c7d6a5a4

SHA256
ddce849a5387ff009b6ed1118e635d398d612f188985518525019905f89a2076

SHA512
21b40f46d1eff42e06f38ae1d271f3b4da51775d9e5ea8394ee45d3a64c95637335292472930f887c552df04d258de0c4a685d60b8d119567d278b01fc5a5dbc

Download Submit
/data/data/com.zydm.ebk/databases/downloader.db-journal
Filesize
512B

MD5
0a46058607aae7459fa35a4b0d17b428

SHA1
4178bd9c5c31317a8c01dd4f154a28fd0746fe06

SHA256
752d439dc65b2190b1bb003e1ac90bb3b073531735701b78f2b2f3058e67536b

SHA512
6ba898758891a0c09fc7d11db79ad5bcace286e5f7b25093b73fa61226c4c3faf9b3ec63ac0816d7a32806f46ac46fa3b5a7fe1ccda54f80ab4ce5a9987477e2

Download Submit
/data/data/com.zydm.ebk/databases/downloader.db-wal
Filesize
32KB

MD5
6572cdc6f44d09f6305e422fd110426f

SHA1
7b551c6d3dc9a04904742344faf7430707e3b1c7

SHA256
936a04386488e10be5ff6238c4d37e3aa2f7786a9e52fe8375b291a22379d734

SHA512
b3b919168a05ee965554fe7049e6816eb81d6fb328933bd02e61d7c548a076090845b626cd6fae21a4be8e8901d81101b9fd73e06d226852f3d91ca95345c86d

Download Submit
/data/data/com.zydm.ebk/databases/ttopensdk.db
Filesize
4KB

MD5
f2b4b0190b9f384ca885f0c8c9b14700

SHA1
934ff2646757b5b6e7f20f6a0aa76c7f995d9361

SHA256
0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

SHA512
ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

Download Submit
/data/data/com.zydm.ebk/databases/ttopensdk.db-journal
Filesize
512B

MD5
ed1458d75e5fc37c1755d2bfef6b2da8

SHA1
2bfde9d129547bc09f1c38c8921c1c6bad9d92b3

SHA256
50f8c3a80dc9713f2b3380621d254120fae46d95dc46fa5508d6c29aa18c9557

SHA512
591aa789124485deef38cbc9f758ef26617c19a75d6c0e5b1efcf152edf4fa4eb1825dad12649c13e7be6c32d9f2c5583399207b0062b248fbd06f987ce76394

Download Submit
/data/data/com.zydm.ebk/databases/ttopensdk.db-wal
Filesize
52KB

MD5
40ed7999828365c744f834a1a29eefc3

SHA1
05e3dca953462206e8b756b4e53d0f622bece3b5

SHA256
4072f300a334024cddbe8d203b885614b8890674b282152ea39af0274fc3968f

SHA512
50cf511c605540af2ef4defc17ee8025c1150b04391c59f61af7bf092757039ba030db26b693ac43f386ef1037c7c5f60d1c7eed7962a87fe25b1b675cb17df1

Download Submit
/data/data/com.zydm.ebk/files/.jglogs/.jg.ac
Filesize
40B

MD5
8c4feb070847756913cff4bce47395ed

SHA1
ad07948482cc158e3665ab479ef42b03c69d7448

SHA256
dd6ddb98f2ccbc5d0ecde496bed09bd3cd81e80d04aeb7540615ab46a7459e1b

SHA512
c1cc06b3d5bae106229b36db9b539f4f89862e2d2f40c144af08d6f14a6dc5cbee89399b69a7ba300e850f13a63b4000c748d4532c9bac839bf602acc39fcadb

Download Submit
/data/data/com.zydm.ebk/files/.jglogs/.jg.ac
Filesize
40B

MD5
3a14ca466603d4cdebaf821fcecb794d

SHA1
7250c38c28bb930e8e10bb85cea28a624fa29cce

SHA256
a4daeea38a514653ee6724c0fa372ab484f054f77b2eef9688e9636e4da705ed

SHA512
58795e4fb7cc2134d8d836d94270a6ab0fa811242b49ba465a1fc80aa91411838470219b505c5ce5b334ef8ebd1d5004ccb066546d1ea9edbb85307971ca1aec

Download Submit
/data/data/com.zydm.ebk/files/.jglogs/.jg.di
Filesize
340B

MD5
674d91e7a03d93a49319ddd649fac9e2

SHA1
76b376d47a6edcf74a6352abc573bcb98cf52574

SHA256
5e69d229d7972b31c10ba9cf918c93a0cff77ff8ddc362323fdcd2bddedc8fcd

SHA512
911a46b1fc4c598e676963474a13dea49d15c414549b5d14d909aa997886335df520f6bbc79fe8630eaa9fafb59ffbd0308ba9e4a62d0f3e08ca5df20427c919

Download Submit
/data/data/com.zydm.ebk/files/.jglogs/.jg.di
Filesize
340B

MD5
ce3d1aba0ee56a83c528d0fba36416e8

SHA1
e2a559bfef56a1590d346b9b98f22fa9993435b6

SHA256
666bd6a53078fb78662a2885e8c8c2cb8bebdf2bef4121931f946c7ff538e988

SHA512
84c67477b3575afa106a3be8d3d3c13635487366b54b9fd1e6a1c325d0788dfc8a656e66555ca814355153d803c9c0b58c6d1e1533042a3d047cc2d791211286

Download Submit
/data/data/com.zydm.ebk/files/.jglogs/.jg.ic
Filesize
40B

MD5
f14270993ad5952d69958cfc8450ab5a

SHA1
2f7c6ffb13f2fbe497bde18e505fd9aad007f0f9

SHA256
97522f211667eca88df89485ab3cc8563c7688a6f9945ecbd5e08a5b2edad634

SHA512
27fe6a27eaa24c1e9d5a9b77ce93ab3d1f226845fc031f6720d0871f71c7ef83642319da53ece53a5aadf9d68de151d74c73b3832ad2efec76dbd3e3f2e0e3dd

Download Submit
/data/data/com.zydm.ebk/files/.jglogs/.jg.rd
Filesize
73B

MD5
3dbd8d58e0324b1b61e8c6d4a0dc836e

SHA1
041ce8d9f544aea181015ceb018a742b78f446b4

SHA256
968a1ccca50bd3f87385dd0bc219f1c83dc3831dba42e03d6aa98f689d95b7d5

SHA512
947b56cc9ae05e078d1b5e8e2f02860be56132b4b8828a2731ecdd3b1f878e5b97dffa420658df9b929082735befa3f2ef167626ca2971d69b6be2875fd95d67

Download Submit
/data/data/com.zydm.ebk/files/.jglogs/.jg.ri
Filesize
314B

MD5
6f5fb43a271a6a30ea704ee595d32741

SHA1
7e4916d437a06bd8bbe286c0463034dd9135ae01

SHA256
9f8d015f3a637f2a0d570056822eb912d70484a05bf0dbcb849cca02e06c3673

SHA512
3e2c0f979ccad8106fec075dcd6942c0702ca2e5f4de3b863f37e88e53b2ed7eeb13f989ef1759d41eff91131144daa65f4dc1e2eceb9ffeaf8c0f464d9e0b0f

Download Submit
/data/data/com.zydm.ebk/files/.jiagu.lock
Filesize
27B

MD5
cb80990537637a0ad29cd35017e2ab17

SHA1
227caeaf046669ba1b08a0984ef70a354f330085

SHA256
27ad7ba36ddb830011ca60fcb02a157f051ff8b435c52f9e9f33ed892978c60b

SHA512
af0cf721a5d9de5ca37597a2818ed2a36362826866086f7210c31eaeca8dfe17fe68accc319c2d269d888134ca6d69d6c3597dc52be1386c308af5f5f9d00411

Download Submit
/storage/emulated/0/360/.deviceId
Filesize
48B

MD5
1d8d16c4e3b19ebf18988530d9b9a757

SHA1
bc94c1cce05cd848a53271ecb9c5311e27ffebf5

SHA256
abd87140da8de3d0aa39a24a8d52bfe7b2eb28f7a3d505f205471c7e8f4964d7

SHA512
4562d1eedbc5c2dd7f25cd1c70343053fd451026403585182b142a64f17016c1bd0bf6ad51667b439b220e425640e55fbbda08517e7106376cdc220a4555da82

Download Submit
/storage/emulated/0/360/.iddata
Filesize
32B

MD5
d8be680a5d0c17bcd295387b7ad9bb61

SHA1
46c11f96a825929d4704927d3a22a9bb47aed454

SHA256
99e2455b21cd3a36b12deb4e847b2edc0fdb1555df9ac78e69f4c28feb519931

SHA512
b15ec306b4ed0b83a3beaa349c91a0b4b7c5c5c316876f40a7b01a7a1a65a42536b4f691431f81fbe98afd412155b4f39a54ecd4eb50ffc14b1fed191cd5d15b

Download Submit