e9ff46678676202cc9914f3c9afe72cf74c869a02dc52c248c4d55f785b13ab6

Analysis

max time kernel
179s
max time network
184s
platform
android_x86
resource
android-x86-arm-20240514-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20240514-enlocale:en-usos:android-9-x86system
submitted
23-05-2024 01:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

694f7d0bc6d74343eab1ceffd67090ce_JaffaCakes118.apk
Size

18.0MB
MD5

694f7d0bc6d74343eab1ceffd67090ce
SHA1

c18248daeaae8f59b83b117c14de7bb25b35ae23
SHA256

e9ff46678676202cc9914f3c9afe72cf74c869a02dc52c248c4d55f785b13ab6
SHA512

9c51e4dd3cd86fdfc4f5488521e53790ecd1cd109f933ee0dde1e0b8f5eaec09c1651a3cab002e165e65b7c5529b5b3331bd286d7daa0059247a27d37a7ba1d2
SSDEEP

393216:+NKMf1mAplwBcHUcd+r2tF9Ya3g7gf/dgSRYe3uL:+NKMf0ApyqHLF9Twc2SWeg

Score

7^/10

discovery evasion impact persistence

Malware Config

Signatures

Loads dropped Dex/Jar 1 TTPs 11 IoCs

Runs executable file dropped to the device during analysis.

evasion

T1407

Processes:

com.xgbuy.xg/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/data/com.xgbuy.xg/.jiagu/tmp.dex --output-vdex-fd=43 --oat-fd=44 --oat-location=/data/data/com.xgbuy.xg/.jiagu/oat/x86/tmp.odex --compiler-filter=quicken --class-loader-context=&com.xgbuy.xg:pushcore

ioc	pid	process
/data/data/com.xgbuy.xg/.jiagu/classes.dex	4312	com.xgbuy.xg
/data/data/com.xgbuy.xg/.jiagu/classes.dex!classes2.dex	4312	com.xgbuy.xg
/data/data/com.xgbuy.xg/.jiagu/classes.dex!classes3.dex	4312	com.xgbuy.xg
/data/data/com.xgbuy.xg/.jiagu/tmp.dex	4312	com.xgbuy.xg
/data/data/com.xgbuy.xg/.jiagu/tmp.dex	4383	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/data/com.xgbuy.xg/.jiagu/tmp.dex --output-vdex-fd=43 --oat-fd=44 --oat-location=/data/data/com.xgbuy.xg/.jiagu/oat/x86/tmp.odex --compiler-filter=quicken --class-loader-context=&
/data/data/com.xgbuy.xg/.jiagu/tmp.dex	4312	com.xgbuy.xg
/data/data/com.xgbuy.xg/.jiagu/classes.dex	4422	com.xgbuy.xg:pushcore
/data/data/com.xgbuy.xg/.jiagu/classes.dex!classes2.dex	4422	com.xgbuy.xg:pushcore
/data/data/com.xgbuy.xg/.jiagu/classes.dex!classes3.dex	4422	com.xgbuy.xg:pushcore
/data/data/com.xgbuy.xg/.jiagu/tmp.dex	4422	com.xgbuy.xg:pushcore
/data/data/com.xgbuy.xg/.jiagu/tmp.dex	4422	com.xgbuy.xg:pushcore

Queries information about running processes on the device 1 TTPs 2 IoCs

Application may abuse the framework's APIs to collect information about running processes on the device.

discovery

T1424

Processes:

com.xgbuy.xg:pushcorecom.xgbuy.xg

description	ioc	process
Framework service call	android.app.IActivityManager.getRunningAppProcesses	com.xgbuy.xg:pushcore
Framework service call	android.app.IActivityManager.getRunningAppProcesses	com.xgbuy.xg

Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
discovery

T1421

Processes:

com.xgbuy.xg

description ioc process

Framework service call android.net.wifi.IWifiManager.getConnectionInfo com.xgbuy.xg

description	ioc	process
Framework service call	android.net.wifi.IWifiManager.getConnectionInfo	com.xgbuy.xg

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 2 IoCs

persistence

T1624.001

Processes:

com.xgbuy.xgcom.xgbuy.xg:pushcore

description	ioc	process
Framework service call	android.app.IActivityManager.registerReceiver	com.xgbuy.xg
Framework service call	android.app.IActivityManager.registerReceiver	com.xgbuy.xg:pushcore

Checks if the internet connection is available 1 TTPs 2 IoCs

discovery

T1421

Processes:

com.xgbuy.xgcom.xgbuy.xg:pushcore

description	ioc	process
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.xgbuy.xg
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.xgbuy.xg:pushcore

Reads information about phone network operator. 1 TTPs
discovery

T1422
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 2 IoCs
impact

T1471

Processes:

com.xgbuy.xgcom.xgbuy.xg:pushcore

description ioc process

Framework API call javax.crypto.Cipher.doFinal com.xgbuy.xg
Framework API call javax.crypto.Cipher.doFinal com.xgbuy.xg:pushcore

description	ioc	process
Framework API call	javax.crypto.Cipher.doFinal	com.xgbuy.xg
Framework API call	javax.crypto.Cipher.doFinal	com.xgbuy.xg:pushcore

com.xgbuy.xg
1⤵
- Loads dropped Dex/Jar
- Queries information about running processes on the device
- Queries information about the current Wi-Fi connection
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Checks if the internet connection is available
- Uses Crypto APIs (Might try to encrypt user data)
PID:4312

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/data/com.xgbuy.xg/.jiagu/tmp.dex --output-vdex-fd=43 --oat-fd=44 --oat-location=/data/data/com.xgbuy.xg/.jiagu/oat/x86/tmp.odex --compiler-filter=quicken --class-loader-context=&
2⤵
- Loads dropped Dex/Jar
PID:4383

com.xgbuy.xg:pushcore
1⤵
- Loads dropped Dex/Jar
- Queries information about running processes on the device
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Checks if the internet connection is available
- Uses Crypto APIs (Might try to encrypt user data)
PID:4422

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.xgbuy.xg/.jiagu/classes.dex
Filesize
6.6MB

MD5
af40ddebf367d3418c410ba2bbdb34a6

SHA1
9a5c0f557da523fb37d3ea9f1dad84e45b78b8ab

SHA256
fd4c1d3b24b0138f6f355235f35815ff43de7e73e5029854ac0581f6d5b4cb45

SHA512
6ca004321a8ef7f6a08b5be12833971bf017ff58c753ebe73d682abcf5633f084b9b1f5c3453432894f8ce8c9b306963b345cc0d6503450667d9ef66d3ac0ae7

Download Submit
/data/data/com.xgbuy.xg/.jiagu/classes.dex!classes2.dex
Filesize
6.5MB

MD5
56a56032a56816197231ccd2c1447841

SHA1
42b24c7723619c5bbfff5625ee1f4ff7a9afb34a

SHA256
920b1975141f98268ddde30a18db00a3c92776c8472763640b06009b90ccf039

SHA512
f47a2ee1f15a58887d5158bf141277a7d6488fcd31a9c85ca0d6706a4252433b812e8a49e956fba313393ac55333bee777394d300e136d489a484f5e883e3165

Download Submit
/data/data/com.xgbuy.xg/.jiagu/classes.dex!classes3.dex
Filesize
2.1MB

MD5
63eb01b23dce33b6abd34b5693031ca8

SHA1
870abc96ae069aa034b1b647244af5465a881ddf

SHA256
3798ad86a5974af83d89bc71f1737c1747ca4561beb07f74a214675efab02629

SHA512
eac344e6167fc50acfca60a177bccf404cd0eb595b0b3e948f88af21ac3d7c14a49d0d7162bc5ef529b9107132c8ac3d0242186ac1b0ac231acc31e8f969311a

Download Submit
/data/data/com.xgbuy.xg/.jiagu/libjiagu.so
Filesize
486KB

MD5
50750315eef281575611bc425174b939

SHA1
acaff02526d7b4c257e00002ed09af364f66a401

SHA256
c8d37512f73bef5a1c1b060676cdc6d508a8d8dd36f2438f5d6353c9b8524bef

SHA512
60584a993992a68e8d0a53be705e3a9d52fc126df26b9bdcf80d14e659f1d70bceb926e0a99a69fdf40f1c09fd61aa52c2d2c008ee5c3ef59af5922a75161ea9

Download Submit
/data/data/com.xgbuy.xg/.jiagu/tmp.dex
Filesize
284B

MD5
f1771b68f5f9b168b79ff59ae2daabe4

SHA1
0df6a835559f5c99670214a12700e7d8c28e5a42

SHA256
9f8898ce35a47aeafced99ea0d17c33e73037bb2307c7688e50819966f4ae939

SHA512
dae27d19727b89bec49398503baa6801640540355688dfabbe689c97545295c2c2d9b0f0dcd7cbc4cfbf701d0c0c3289e647a152f49ff242d1ecc741efe4145d

Download Submit
/data/data/com.xgbuy.xg/files/.jglogs/.jg.ac
Filesize
32B

MD5
1264f30db5bc978090c891fc9ba97820

SHA1
22a1664ca5bac8af36bdaf8e4098c02c7fc9c1fc

SHA256
6383110e70c2cf20a67539bbf759d99229ac2dcd214cae6a3c5de840497bab2c

SHA512
f3ec53223344ea4763479b39ae62a3dde4b83e0db05d4707c9e2c914725943063706c6c53e6fc043ee13640ac98242775c901b84ec76eb3edf11615bd0084488

Download Submit
/data/data/com.xgbuy.xg/files/.jglogs/.jg.di
Filesize
340B

MD5
09fe5deac48ae2e407cc223065f44d88

SHA1
912f398199a354c60d662503c5356ba9ee80b874

SHA256
b717cb995f0d8704e5721e14351ff739193c8257307838879525e0f0cf0e064a

SHA512
e7b185ac3775d4fa19231f9fd44e30bb8f1a3e05bcbc77f322127fd73374412c9955ad598855160e579b1ed55f03a936ec56ff6d63b1958029035094c855fd60

Download Submit
/data/data/com.xgbuy.xg/files/.jglogs/.jg.ic
Filesize
32B

MD5
9afbf0dc0b4a4fd0a874cfec2c55461a

SHA1
a42766499eef11be1120ff87588b7f715c1b2a7f

SHA256
75c6a927b6cffe50b1a48e8aff766f5d543dec5aec8010b835ab4c4d8dd3da37

SHA512
863cdc25dd26bc2db5a80480a5d5bd16965ce02afc94f732f31c24bdcd3daaae24d41504f0eefead9a8ecc402aa2e798ce100e8a225b13b38b05aa433456185d

Download Submit
/data/data/com.xgbuy.xg/files/.jglogs/.jg.rd
Filesize
73B

MD5
7cef4bf7b995564773e94229541dfd48

SHA1
4270195392562f55dabae96238b59d535f5d35f5

SHA256
b599c40c0ae5855d3ebfb7b876a0390274d0432e41e5d58b4f347e941f2bbb1f

SHA512
74c9fdcf8183f798bfc0eaff0bf1b0950a72bce6689e2c00ecba8e98d975a4e0e872f8ea406f400de8f6941fcd56bf75820e044585ddb52df1d9b851cdedceb3

Download Submit
/data/data/com.xgbuy.xg/files/.jglogs/.jg.ri
Filesize
314B

MD5
3bec6f9cee7e56a45ba5e2423a3fe9bb

SHA1
80e965a9150a2eb9b43474384f25047bd4c821a4

SHA256
9235a7e79742bc05da3875cfffe29994cd6970f7d34b6a79f422a38a0e1d98be

SHA512
5bc75b6286c63dd14a50cf630e86f52003dbc76f2f6a321af99c52c8317c7a0a4d02d274ac75490e8f7261925fecbf9c1343693baf3253edd5b06a840841f76d

Download Submit
/data/data/com.xgbuy.xg/files/.jiagu.lock
Filesize
27B

MD5
53c408d162994fbbddf0762c0b1d3f7c

SHA1
ea2b9baf73f6bd62be5330c4d01a6ea2c3d1a9fb

SHA256
7e2dbfa5b0278213873eea0d2bdb2b0cc87e5e8fba18f0f6a56b0c4f5bfb2983

SHA512
e66a9e5bd3a3e409f581fb58c1df31b907dae6c281e58f5b4d227069e745ebbcfc5355272161dd83b3b133a8567f2fc2bb0b20b06063c610d834d7232a01af83

Download Submit
/data/data/com.xgbuy.xg/files/Mob/mob_commons_1
Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
/data/data/com.xgbuy.xg/files/jpush_stat_history_pushcore/normal/nowrap/3b1e4cb8-030f-48fe-8156-d3473126a5ad
Filesize
202B

MD5
e9e3e9707ff8a9af099a4df21b5f45ff

SHA1
80bda3e6bb1d5b18426d436b63c26822012e2d20

SHA256
dfde86a70e591c00ecbbe92a0edfa5ca0d8565ff90a0e51a1f82090899aad55d

SHA512
cb15455f88318efb78ddab1cecb90da28e93ae05a02c586ffb889a7e57cc919e9cc627c4a4e05f3c30edbb55167cb8bddace5d69ac37e945fe5806cd4b69a898

Download Submit
/storage/emulated/0/360/.deviceId
Filesize
48B

MD5
1d8d16c4e3b19ebf18988530d9b9a757

SHA1
bc94c1cce05cd848a53271ecb9c5311e27ffebf5

SHA256
abd87140da8de3d0aa39a24a8d52bfe7b2eb28f7a3d505f205471c7e8f4964d7

SHA512
4562d1eedbc5c2dd7f25cd1c70343053fd451026403585182b142a64f17016c1bd0bf6ad51667b439b220e425640e55fbbda08517e7106376cdc220a4555da82

Download Submit
/storage/emulated/0/360/.iddata
Filesize
66B

MD5
19402718bfb1c685a726b4e1d846ad98

SHA1
02a7e30044a67085f2f1da24e16e4ecfede65b72

SHA256
079f790e6a1934a94542559f53a89a824aafd3173d956b6019291955aeeb33d0

SHA512
25254318c22cfd301c8bcd479f45797d502b6ab5f14265dadfa3d87b4dd1942a629d3cbc2f0b600cf73b4fe910e3773432f56a0a7b4343e280e20c5a6af0320b

Download Submit
/storage/emulated/0/Mob/.slw
Filesize
66B

MD5
5376297da698294a17e3200d3d0d3b7d

SHA1
675745b8d8992ddd3e476b330891cb4a5cad8b53

SHA256
b9bb70904e233150e2037f5f682d676721526f651be7072329c44bce14f30261

SHA512
cb2f974a65173fdcd523d7d15017ad6f56eee431e4c3d3581fac31a1f7a9bdbd04272c163c1035bbd8c6e2338f6227a9f4b7edf17487d86e8ed98e2ebc2526b9

Download Submit
/storage/emulated/0/Mob/comm/.di
Filesize
92KB

MD5
a169d90fdd228f891f39b0d26dc1130f

SHA1
394661be0cba256aab56cbc9b009c6998fa61636

SHA256
bb05c0a54621b6d3e853a915d569c02d83e6e58bf1c7d1658eee2f7ee316b943

SHA512
5af8085c2041de3ddb343b0f6361d61536e6c3016746148c16c3c589d770c1a6ae78a167cbf31c583e6112d893c516d9b988b9cec5021403c447278797cea32f

Download Submit
/storage/emulated/0/data/.push_deviceid
Filesize
32B

MD5
a79e348c1f5e47c2f30da04e5349c975

SHA1
6b2966c7e2a7f6823a65ad31c4b590a4e397851b

SHA256
60b14ea39f37dff8bc063a09c35e510e9edd52cb86f2602d741a2f6a3c6671be

SHA512
41930dcedc854673ee7ed5fdab0e604caac8a7407b260e3080662d796f8c4adb8d0146808e0d49b2e9003b5d608705a642086e0279fc004995c21d49c1b7ec1a

Download Submit