d2680b47b900f6a4e34a1fa0e98d28c593381d71e8de4e74621e423f40c17216

Analysis

max time kernel
141s
max time network
154s
platform
android_x86
resource
android-x86-arm-20240514-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20240514-enlocale:en-usos:android-9-x86system
submitted
23-05-2024 10:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6aab46fd819fd4cc6cb5ff70ee8081e0_JaffaCakes118.apk
Size

8.9MB
MD5

6aab46fd819fd4cc6cb5ff70ee8081e0
SHA1

95ec431bf6363bd3d65dda713ad10f9b1de8529b
SHA256

d2680b47b900f6a4e34a1fa0e98d28c593381d71e8de4e74621e423f40c17216
SHA512

1c948f5e49604f99931f5a6a4909d921d3299cca1b89c5fc8c2e70d0e0254e4f70571681ed3b544000cc319d6eb86a367ffb89a6407aeaf7313aac0f68c896db
SSDEEP

196608:5oTYkVL6t6iiarZiesj3OwKzveRtgyh7qUe3m9O0:5oYkVLCea8tjqzGzZm2T

Score

8^/10

banker collection discovery evasion persistence

Malware Config

Signatures

Checks if the Android device is rooted. 1 TTPs 1 IoCs
evasion

System Information Discovery
T1426

Processes:

com.wandoujia.phoenix2

ioc process

/sbin/su com.wandoujia.phoenix2
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Queries account information for other applications stored on the device 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect account information stored on the device.
collection

Stored Application Data
T1409

Processes:

com.wandoujia.phoenix2

description ioc process

Framework service call android.accounts.IAccountManager.getAccountsAsUser com.wandoujia.phoenix2

ioc	process
/sbin/su	com.wandoujia.phoenix2

description	ioc	process
Framework service call	android.accounts.IAccountManager.getAccountsAsUser	com.wandoujia.phoenix2

Queries information about running processes on the device 1 TTPs 2 IoCs

Application may abuse the framework's APIs to collect information about running processes on the device.

discovery

Process Discovery

T1424

Processes:

com.wandoujia.phoenix2com.wandoujia.phoenix2:update_service

description	ioc	process
Framework service call	android.app.IActivityManager.getRunningAppProcesses	com.wandoujia.phoenix2
Framework service call	android.app.IActivityManager.getRunningAppProcesses	com.wandoujia.phoenix2:update_service

Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
discovery

System Network Connections Discovery
T1421

Processes:

com.wandoujia.phoenix2

description ioc process

Framework service call android.net.wifi.IWifiManager.getConnectionInfo com.wandoujia.phoenix2
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
persistence

Broadcast Receivers
T1624.001

Processes:

com.wandoujia.phoenix2

description ioc process

Framework service call android.app.IActivityManager.registerReceiver com.wandoujia.phoenix2
Checks if the internet connection is available 1 TTPs 1 IoCs
discovery

System Network Connections Discovery
T1421

Processes:

com.wandoujia.phoenix2:update_service

description ioc process

Framework service call android.net.IConnectivityManager.getActiveNetworkInfo com.wandoujia.phoenix2:update_service

description	ioc	process
Framework service call	android.net.wifi.IWifiManager.getConnectionInfo	com.wandoujia.phoenix2

description	ioc	process
Framework service call	android.app.IActivityManager.registerReceiver	com.wandoujia.phoenix2

description	ioc	process
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.wandoujia.phoenix2:update_service

com.wandoujia.phoenix2
1⤵
- Checks if the Android device is rooted.
- Queries account information for other applications stored on the device
- Queries information about running processes on the device
- Queries information about the current Wi-Fi connection
- Registers a broadcast receiver at runtime (usually for listening for system events)
PID:4278

chmod 777 /data/local/tmp
2⤵
PID:4307

chmod 777 /data/local/tmp/.wdj_config/
2⤵
PID:4438

com.wandoujia.phoenix2:update_service
1⤵
- Queries information about running processes on the device
- Checks if the internet connection is available
PID:4663

chmod 777 /data/local/tmp
2⤵
PID:4695

chmod 777 /data/local/tmp
2⤵
PID:4710

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1424

Software Discovery

T1418

Security Software Discovery

T1418.001

System Information Discovery

T1426

System Network Connections Discovery

T1421

Lateral Movement

Collection

Stored Application Data

T1409

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.wandoujia.phoenix2/databases/64bd8c52887efcb311f1ea477634d92b_aysnc_downloader.db-journal

Filesize
512B

MD5
4397f3249845eeed11e94dd7257cb224

SHA1
50a91be71afbafed6d367625a1d01ae96c43f84f

SHA256
04fab4fe8b71d0c776420e8a45cae84aa1f49d66320eaab17b629d246cb0513a

SHA512
e547acd066d433fb8a0ebd2a180d3be39a60ec7aca3ede9a55b8e854d12ef2cd495be0b1b22c3249f178c168e742d770028e4e2399b7388f80adeb6dc298774c

Download Submit
/data/data/com.wandoujia.phoenix2/databases/64bd8c52887efcb311f1ea477634d92b_aysnc_downloader.db-wal

Filesize
32KB

MD5
70384ce958bde4315173be36daeb53f5

SHA1
c8dc3834a9522464ef85f3b777bd1fc0425f2f90

SHA256
1b4eefffe15f8b56c5cefe88bd8987116dfda94baccc4dd2262748f407596150

SHA512
0185e98cb48264adb6611f8a6348fb3f9b92462d4d0c2de0b60bc8d57fa953018cd312025dd9cddf75ff9e5e5c8c5e738ffe2be681d71b1a3baadb986df85a18

Download Submit
/data/data/com.wandoujia.phoenix2/databases/downloads.db-journal

Filesize
512B

MD5
342d06acbbc98a0844aea6829d28b69b

SHA1
480899b46e3671ac3acc12fc1866aea9ab124bcf

SHA256
2af7d662565d4d87160bca5ae17f2ca9eeda7be252313c1c667ebf70ab71f11f

SHA512
6b7bf10b8c863e9b7960746f7daac6f5fe73e5afa17e765c824fcf318ca5ae83a40607cf1fa1a4023cd61731567f319be31ee3680279b9853efd1d3749cadb7d

Download Submit
/data/data/com.wandoujia.phoenix2/databases/downloads.db-wal

Filesize
32KB

MD5
aab20174448bf3a1c79b58690bde2e46

SHA1
49cf729a2f02c55c2041efa151ec0edb7ce3ce09

SHA256
b92d302b0a487c2b7558327406d09716a85dc41db4915efe39d52c389d41bf27

SHA512
df77ddfce481e73c55dd1336f7dbad8fb9bca7b384d36932a475d0f551e677038a2afd8b7de1095cd50caa4ce934d822b6fddd3ab57ba47dd6c91189da3ac660

Download Submit
/data/data/com.wandoujia.phoenix2/databases/google_analytics_v4.db

Filesize
4KB

MD5
f2b4b0190b9f384ca885f0c8c9b14700

SHA1
934ff2646757b5b6e7f20f6a0aa76c7f995d9361

SHA256
0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

SHA512
ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

Download Submit
/data/data/com.wandoujia.phoenix2/databases/google_analytics_v4.db-journal

Filesize
512B

MD5
8ca64aa1271f2f04341777331c7690cd

SHA1
422fabdf8b62877e3a96096408fe7a0d63f1f7b0

SHA256
d129519efb216d4818fbd25aa035e3b37f1a6c441d09fb708e839835fe1ffbdb

SHA512
512e0d9f835030330dca6fa324caf8d44cfd2300a2a0c5cb2d2c7385928446fde5c3259e1f5511a75624858b474f4ef94f3b315805fab9106fad39869f9b821d

Download Submit
/data/data/com.wandoujia.phoenix2/databases/google_analytics_v4.db-shm

Filesize
32KB

MD5
bb7df04e1b0a2570657527a7e108ae23

SHA1
5188431849b4613152fd7bdba6a3ff0a4fd6424b

SHA256
c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

SHA512
768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Download Submit
/data/data/com.wandoujia.phoenix2/databases/google_analytics_v4.db-wal

Filesize
52KB

MD5
c0841f8c7813640fa8d736978ebb12b1

SHA1
eb3d29ed667ce14500c44b54e257f61762037f56

SHA256
a51cae06c58304e04a11c48f530f05629b99747b4adffd306368d25b50f91a45

SHA512
81f6f82a23fab336aed7740323c619f22f3d08d68661833a3214b119d4209db04d5b5082b4d57d3cd842c7011edc83e310ad8a0c5040f4a617208134acdd0437

Download Submit
/data/data/com.wandoujia.phoenix2/databases/localapps.db

Filesize
4KB

MD5
0d88e03333baaaeef5182865ad6a5414

SHA1
eb2d0108198f58173ed781926e037aee1f183704

SHA256
5564ae799174d1c3ea5adff5d50f69a2bf3245f602c026e53e21058ee5c735c8

SHA512
8424b1dac5aeac8a90b20dd5e178c0be2dfd6fba333021fa7f5358735f5f0f5f678cc451836091c3ab2d3b160bee42e237f5bbc07df9eff13ed86f5eeedfe329

Download Submit
/data/data/com.wandoujia.phoenix2/databases/localapps.db-journal

Filesize
512B

MD5
a581bba42b7215bc9bc046115cf22cf2

SHA1
a61ec083da2cd38153e332ad9b4b11b624d96e1d

SHA256
03866e7be20c5937b2ede4767f2152f3ece49ccb530b0e21a3356ca356ca4460

SHA512
a6b0ec7b503f1759091b7a9275aca157de5d1b622abf867259b327aeeeb1045f630db78ef8d636d320efc0666a272eb3ce9d02b629e8c3a7b3b4bb1cc5b50e7e

Download Submit
/data/data/com.wandoujia.phoenix2/databases/localapps.db-shm

Filesize
28KB

MD5
cf845a781c107ec1346e849c9dd1b7e8

SHA1
b44ccc7f7d519352422e59ee8b0bdbac881768a7

SHA256
18619b678a5c207a971a0aa931604f48162e307c57ecdec450d5f095fe9f32c7

SHA512
4802861ea06dc7fb85229a3c8f04e707a084f1ba516510c6f269821b33c8ee4ebf495258fe5bee4850668a5aac1a45f0edf51580da13b7ee160a29d067c67612

Download Submit
/data/data/com.wandoujia.phoenix2/databases/localapps.db-wal

Filesize
40KB

MD5
7cf02a6a27cf43d6cae31ade391f2302

SHA1
010c4e1753e2e739410b5c8d4aa17e89abc605ca

SHA256
13d4f1e966dce60ca4d6fcf4cc1b82f1e02d542e1c6eaee3218f2765f25580c4

SHA512
baee56d6ee8039e55a1c58b183f35833abdaeb21c36029838e7328caa2a3b1e3d5f1fae6fb3a0941a14357d4656ace5b7adb835b805eb5041e85d835d8bca582

Download Submit