82d96c00836fbd3a1ddb1e556888b6f82efa4d9751cd58cc1220ebbd5faf6a55

Analysis

max time kernel
173s
max time network
183s
platform
android_x86
resource
android-x86-arm-20240514-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20240514-enlocale:en-usos:android-9-x86system
submitted
23-05-2024 11:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

xihongshi4.apk
Size

9.3MB
MD5

0d1036a2605ad14127890fa666a51cac
SHA1

684c83e65da4dabdf7debe867ce6ef4b3bdc107d
SHA256

82d96c00836fbd3a1ddb1e556888b6f82efa4d9751cd58cc1220ebbd5faf6a55
SHA512

60c987565f7a31cf240955d026c8b0ef18c528c5d104e8c674ad026501220bc62d2e55b75805d3c1945ea76a6b7e72c3ad0fd2fc35ac36c412cfb6460dcb2f9c
SSDEEP

196608:aRO2Q2Yxzo3GAQK8MoZvWTfuxjbpKXyowCYqmzYEZXKZvhfMumx4:aRLrUM3GA78lNefuxpEyoPYqmzTXKZVP

Score

8^/10

discovery evasion persistence

Malware Config

Signatures

Checks if the Android device is rooted. 1 TTPs 1 IoCs
evasion

System Information Discovery
T1426

Processes:

com.helloworld.xhs

ioc process

/sbin/su com.helloworld.xhs
Checks CPU information 2 TTPs 1 IoCs
Checks CPU information which indicate if the system is an emulator.
evasion discovery

System Checks
T1633.001

System Information Discovery
T1426

Processes:

com.helloworld.xhs

description ioc process

File opened for read /proc/cpuinfo com.helloworld.xhs
Checks known Qemu files. 1 TTPs 3 IoCs
Checks for known Qemu files that exist on Android virtual device images.
evasion

System Checks
T1633.001

Processes:

com.helloworld.xhs

ioc process

/sys/qemu_trace com.helloworld.xhs
/system/bin/qemu-props com.helloworld.xhs
/system/lib/libc_malloc_debug_qemu.so com.helloworld.xhs
Checks known Qemu pipes. 1 TTPs 2 IoCs
Checks for known pipes used by the Android emulator to communicate with the host.
evasion

System Checks
T1633.001

Processes:

com.helloworld.xhs

ioc process

/dev/socket/qemud com.helloworld.xhs
/dev/qemu_pipe com.helloworld.xhs
Checks memory information 2 TTPs 1 IoCs
Checks memory information which indicate if the system is an emulator.
evasion discovery

System Checks
T1633.001

System Information Discovery
T1426

Processes:

com.helloworld.xhs

description ioc process

File opened for read /proc/meminfo com.helloworld.xhs

ioc	process
/sbin/su	com.helloworld.xhs

description	ioc	process
File opened for read	/proc/cpuinfo	com.helloworld.xhs

ioc	process
/sys/qemu_trace	com.helloworld.xhs
/system/bin/qemu-props	com.helloworld.xhs
/system/lib/libc_malloc_debug_qemu.so	com.helloworld.xhs

ioc	process
/dev/socket/qemud	com.helloworld.xhs
/dev/qemu_pipe	com.helloworld.xhs

description	ioc	process
File opened for read	/proc/meminfo	com.helloworld.xhs

Loads dropped Dex/Jar 1 TTPs 6 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

Processes:

com.helloworld.xhs/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/data/com.helloworld.xhs/.jiagu/tmp.dex --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/data/com.helloworld.xhs/.jiagu/oat/x86/tmp.odex --compiler-filter=quicken --class-loader-context=&

ioc	pid	process
/data/data/com.helloworld.xhs/.jiagu/classes.dex	4256	com.helloworld.xhs
/data/data/com.helloworld.xhs/.jiagu/classes.dex!classes2.dex	4256	com.helloworld.xhs
/data/data/com.helloworld.xhs/.jiagu/classes.dex!classes3.dex	4256	com.helloworld.xhs
/data/data/com.helloworld.xhs/.jiagu/tmp.dex	4256	com.helloworld.xhs
/data/data/com.helloworld.xhs/.jiagu/tmp.dex	4327	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/data/com.helloworld.xhs/.jiagu/tmp.dex --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/data/com.helloworld.xhs/.jiagu/oat/x86/tmp.odex --compiler-filter=quicken --class-loader-context=&
/data/data/com.helloworld.xhs/.jiagu/tmp.dex	4256	com.helloworld.xhs

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
persistence

Broadcast Receivers
T1624.001

Processes:

com.helloworld.xhs

description ioc process

Framework service call android.app.IActivityManager.registerReceiver com.helloworld.xhs
Checks if the internet connection is available 1 TTPs 1 IoCs
discovery

System Network Connections Discovery
T1421

Processes:

com.helloworld.xhs

description ioc process

Framework service call android.net.IConnectivityManager.getActiveNetworkInfo com.helloworld.xhs

description	ioc	process
Framework service call	android.app.IActivityManager.registerReceiver	com.helloworld.xhs

description	ioc	process
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.helloworld.xhs

com.helloworld.xhs
1⤵
- Checks if the Android device is rooted.
- Checks CPU information
- Checks known Qemu files.
- Checks known Qemu pipes.
- Checks memory information
- Loads dropped Dex/Jar
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Checks if the internet connection is available
PID:4256

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/data/com.helloworld.xhs/.jiagu/tmp.dex --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/data/com.helloworld.xhs/.jiagu/oat/x86/tmp.odex --compiler-filter=quicken --class-loader-context=&
2⤵
- Loads dropped Dex/Jar
PID:4327

/system/bin/sh -c getprop
2⤵
PID:4374

getprop
2⤵
PID:4374

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Discovery

System Information Discovery

T1426

System Network Connections Discovery

T1421

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.helloworld.xhs/.jiagu/classes.dex

Filesize
7.3MB

MD5
9c66a8a208dea8b8a29728bd1e3cdd19

SHA1
58ff9fea7354b79fcf148d128dc308e67aa2bd03

SHA256
865d550168ccf32a966e6150f37c0bf70b744bef2170194ca3c5b2d182e715f2

SHA512
524e2fc459c741884863450fef589c553f44b3352682a09f7623d7d0f1a0a59d67a7f6b35ca24b0e8b4d09661501ae56647479c5a1e55b10cccacb65f855f62c

Download Submit
/data/data/com.helloworld.xhs/.jiagu/classes.dex!classes2.dex

Filesize
5.0MB

MD5
63b769e30c51f5a9a8131f2bd665945b

SHA1
ad009dcbeb54aa2d003e27219c4dca83844edb0a

SHA256
d2fc77096a3f92341fdfa76d7a8911018c6c6bb86dc50e84c954f36543b8ffda

SHA512
fe84672acf87ad2d383a2351df43500cd95c8c9698b97cea630f12249a407f2560a165160e19d92ba1456a96be71cf53e6508a439c757c99cf2cf4150dc0d857

Download Submit
/data/data/com.helloworld.xhs/.jiagu/classes.dex!classes3.dex

Filesize
109KB

MD5
4e3ad1d3c38aaeeec9eab3fcdf0356ed

SHA1
8f3ddc51da08aebd85a3a08b026b1f5510424f03

SHA256
86853d726fc56de1fdbeb3809cab3aa9e2d71dff7d1cc11b12fbe1def08bc988

SHA512
06643480745816dbd79091c0835c6cd4bf4509a1b2ca9cfe617c9cab157956951130810f4091dcf17afa5e7694175f0ca4ffbf6be14635974b42f5c275b17aaa

Download Submit
/data/data/com.helloworld.xhs/.jiagu/libjiagu.so

Filesize
668KB

MD5
e70826f98e5acd0e4577200dc2fe8669

SHA1
f6869fc6873a7172995b72081b1a7c993ceee202

SHA256
287f7833a48546ce6b210cc343036f3a705c66b855df18ca90c91163c37505ff

SHA512
d254c05d93f712bb576368f9778c33665844caab652d2a125c1fca2e61d932ba77c39f056ba3b3286f8317d5ac9ddcaee29cc7d4da09fdd52fbbe2fd7f25a949

Download Submit
/data/data/com.helloworld.xhs/.jiagu/tmp.dex

Filesize
284B

MD5
f1771b68f5f9b168b79ff59ae2daabe4

SHA1
0df6a835559f5c99670214a12700e7d8c28e5a42

SHA256
9f8898ce35a47aeafced99ea0d17c33e73037bb2307c7688e50819966f4ae939

SHA512
dae27d19727b89bec49398503baa6801640540355688dfabbe689c97545295c2c2d9b0f0dcd7cbc4cfbf701d0c0c3289e647a152f49ff242d1ecc741efe4145d

Download Submit
/data/data/com.helloworld.xhs/app_crashrecord/1004

Filesize
58B

MD5
0d210bfb2a0e1f1b4c082a6a0f79de07

SHA1
bb8ed9e364db79d1d9f2fcde3f15091893222faa

SHA256
988722c23d78a46021d0e7ca9deee7aa8bb83288269174ffacb7316f381cca1d

SHA512
536e9867b0df29b15b789f8949be6ab37fcdeccb9d39ded981da7dc2052c9533d0ec0e6f9a5444132977605d372e1463d91bdde41b528ff2ca3f65ab152325c1

Download Submit
/data/data/com.helloworld.xhs/app_crashrecord/1004

Filesize
228B

MD5
817c210cc3620558d9df07bdb7849692

SHA1
1aceb63171ae253fd1eb55bb2cb5eb200dc2f28f

SHA256
0cd5c31712854c70df056dbbb7c7c533b8aee6cb0fb3565d7df80b1a9e17edd1

SHA512
bdf2ba1844cfeec8faaceee450664fb5914adc1216868484d0d36ea9fe9743901022202d16f829f7721269dab4b77dd088a11cf278afc6e125c2f53f9f8fdd05

Download Submit
/data/data/com.helloworld.xhs/databases/bugly_db_

Filesize
4KB

MD5
f2b4b0190b9f384ca885f0c8c9b14700

SHA1
934ff2646757b5b6e7f20f6a0aa76c7f995d9361

SHA256
0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

SHA512
ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

Download Submit
/data/data/com.helloworld.xhs/databases/bugly_db_-journal

Filesize
512B

MD5
b79a807cb090629d95b1fa749e3af9e1

SHA1
291b938b1dfbe72d0c490704b19fa23b5acffc69

SHA256
3d951ed272989c1d151a1ba04d28c12860ded03e75dafce5d86c426ff057aab3

SHA512
6defb112a35bf761b094ed56286f6c8cc326881e0e2a4f40d064ac4a4c62f2aeadf914124cacceeac03a7bc30ada15fecad553ea2f70dc49968cfe22a43eaff5

Download Submit
/data/data/com.helloworld.xhs/databases/bugly_db_-shm

Filesize
32KB

MD5
bb7df04e1b0a2570657527a7e108ae23

SHA1
5188431849b4613152fd7bdba6a3ff0a4fd6424b

SHA256
c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

SHA512
768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Download Submit
/data/data/com.helloworld.xhs/databases/bugly_db_-wal

Filesize
76KB

MD5
aa807c8970170714f265657246078846

SHA1
228c2f9238897ac5f73fd0dbb73d4d376d06feb8

SHA256
922467e0dd9e014a178fadbdb12934bca0b399a6c316373eeb9c96e87dfc1f9d

SHA512
013b0a028ad997d9f58cfaaee1abdecc813593c98091feaded13244217b28326dc60d06a64aca266b3ecc46042742cedf11714e97956a7e890ca22894f874a7d

Download Submit
/data/data/com.helloworld.xhs/databases/moneyRecord.db-journal

Filesize
512B

MD5
5ba05dac922d4a3123926b59b85d612b

SHA1
02d073c8161e6931a5a3b3c47b8b13216655b333

SHA256
69afb210fad4f29ae91064398b2a50407c184bf56afde016e9cc14048b8c7e32

SHA512
ca0cd42c48812091bf952d0b8d5a232c23ac5c2713e744cf25f64acffa74605fde3af7143a5e4fa060a626cf9ecdf0a187a0fcb75829e31dff2cd9e32f50975f

Download Submit
/data/data/com.helloworld.xhs/databases/moneyRecord.db-wal

Filesize
56KB

MD5
f49d4945e67d071a3bfe234c36e13c6d

SHA1
9fc3f43ebd99d4570671ec7cf3fd2cf52e5a6ef8

SHA256
3b7606f9b6a809e07d2378fdfbf114d9a4ba8ced40252c12de0840b00ad7688c

SHA512
4ec13400331fc2eab09051fec94880ea81bcc0e0159110d14017c8799f97253b091b78d4b0bb0bcd0ea761a1a1404b9bc3086f91b5a642d0fed623bfc8b6c8e1

Download Submit
/data/data/com.helloworld.xhs/files/.jglogs/.cl

Filesize
32B

MD5
bdd6a8b2658301fec147feb04cb58b2b

SHA1
52bbe26eb531c3dd895f414f6602877ede4cee3d

SHA256
0e1effd7858fdc9a9043c0a861f390c933f664375ba92b78deadbf9e8efa1108

SHA512
88d7442f0c16a9b96e1dc80d712521df4facc4ae6f54bb3c649edbb9e117f801f24e86c3cbaf5bf0a4c4fb5dd6128b68a6c261f386b8587a61ec9c868bb5b1ad

Download Submit
/data/data/com.helloworld.xhs/files/.jglogs/.jg.ac

Filesize
40B

MD5
f9428c0ecdaf411197a1165db986cbe6

SHA1
23f6a83e6a37a7f0340bc8f398edf5ad93e101d5

SHA256
51d5f04bdcfae0930c8f6d7d83024d847c79a344bc13c1619d01e074a13b8fb3

SHA512
3f2a76b6841b85d8ef87460f542f76f70f7c567fed4b28cebd416ecaf84d1a0263d97ba132b604df27de8c86b222f9a838185320226044e7eaf6f90cb5948791

Download Submit
/data/data/com.helloworld.xhs/files/.jglogs/.jg.ri

Filesize
307B

MD5
60022612d810ef325ddba817c679f2e3

SHA1
8ac1d6944a82a9d54b83e1ea3b4053ada2fe853e

SHA256
b07469b994603bb55f96660ed2103cd5781536b81dc46473e06ea2f52cf0e70b

SHA512
8bd415dd34a650320d70e73e2b5742b211533af1a8becd349db21513a86ece342e839aa7d833c2d590fe973df3754666e0292d23dd229635a229434e9437708b

Download Submit
/data/data/com.helloworld.xhs/files/.jglogs/.jg.store.report_cf

Filesize
32B

MD5
e63945fb89bb5467bcd937439398a09a

SHA1
2cd11bb007c97eea81148ac338657526ae550ec4

SHA256
86e9c0b30c01056ee1a1a6fb712f58b58240ed81c16cabfd6831cc1fa732aebf

SHA512
1dc687bdf99aa0ba4177547b64a5474c7e033da32ccafb6dba3392bb5622a805cce00502ee1253a3bfad4e7ed007d4f558d5462d6e2afe290e3ff6d73998c22c

Download Submit
/data/data/com.helloworld.xhs/files/.jglogs/.jg.store.report_pid

Filesize
32B

MD5
6ee4502e5af409eddc8f615788acc461

SHA1
af60be46095e9ad8f347fe932cef3635adce363d

SHA256
c7e33c4275786af18b48f220c9a9346d6e85fca845d93f30a4efbb615cb7a449

SHA512
612cd40f093eae141974009ef81b50b9277657bbc288da0cde0f3c76351874bed67276ccb07ba141736059fbaf0114ff3e41eab85ab4388c23763d9f1b977c15

Download Submit