82d96c00836fbd3a1ddb1e556888b6f82efa4d9751cd58cc1220ebbd5faf6a55

Analysis

max time kernel
177s
max time network
184s
platform
android_x64
resource
android-x64-20240514-en
resource tags

androidarch:x64arch:x86image:android-x64-20240514-enlocale:en-usos:android-10-x64system
submitted
23-05-2024 11:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

xihongshi4.apk
Size

9.3MB
MD5

0d1036a2605ad14127890fa666a51cac
SHA1

684c83e65da4dabdf7debe867ce6ef4b3bdc107d
SHA256

82d96c00836fbd3a1ddb1e556888b6f82efa4d9751cd58cc1220ebbd5faf6a55
SHA512

60c987565f7a31cf240955d026c8b0ef18c528c5d104e8c674ad026501220bc62d2e55b75805d3c1945ea76a6b7e72c3ad0fd2fc35ac36c412cfb6460dcb2f9c
SSDEEP

196608:aRO2Q2Yxzo3GAQK8MoZvWTfuxjbpKXyowCYqmzYEZXKZvhfMumx4:aRLrUM3GA78lNefuxpEyoPYqmzTXKZVP

Score

8^/10

discovery evasion persistence

Malware Config

Signatures

Checks if the Android device is rooted. 1 TTPs 1 IoCs
evasion

T1426

Processes:

com.helloworld.xhs

ioc process

/sbin/su com.helloworld.xhs
Checks CPU information 2 TTPs 1 IoCs
Checks CPU information which indicate if the system is an emulator.
evasion discovery

T1633.001

T1426

Processes:

com.helloworld.xhs

description ioc process

File opened for read /proc/cpuinfo com.helloworld.xhs
Checks known Qemu files. 1 TTPs 3 IoCs
Checks for known Qemu files that exist on Android virtual device images.
evasion

T1633.001

Processes:

com.helloworld.xhs

ioc process

/system/lib/libc_malloc_debug_qemu.so com.helloworld.xhs
/sys/qemu_trace com.helloworld.xhs
/system/bin/qemu-props com.helloworld.xhs
Checks known Qemu pipes. 1 TTPs 2 IoCs
Checks for known pipes used by the Android emulator to communicate with the host.
evasion

T1633.001

Processes:

com.helloworld.xhs

ioc process

/dev/socket/qemud com.helloworld.xhs
/dev/qemu_pipe com.helloworld.xhs
Checks memory information 2 TTPs 1 IoCs
Checks memory information which indicate if the system is an emulator.
evasion discovery

T1633.001

T1426

Processes:

com.helloworld.xhs

description ioc process

File opened for read /proc/meminfo com.helloworld.xhs

ioc	process
/sbin/su	com.helloworld.xhs

description	ioc	process
File opened for read	/proc/cpuinfo	com.helloworld.xhs

ioc	process
/system/lib/libc_malloc_debug_qemu.so	com.helloworld.xhs
/sys/qemu_trace	com.helloworld.xhs
/system/bin/qemu-props	com.helloworld.xhs

ioc	process
/dev/socket/qemud	com.helloworld.xhs
/dev/qemu_pipe	com.helloworld.xhs

description	ioc	process
File opened for read	/proc/meminfo	com.helloworld.xhs

Loads dropped Dex/Jar 1 TTPs 3 IoCs

Runs executable file dropped to the device during analysis.

evasion

T1407

Processes:

com.helloworld.xhs

ioc	pid	process
/data/data/com.helloworld.xhs/.jiagu/classes.dex	5104	com.helloworld.xhs
/data/data/com.helloworld.xhs/.jiagu/classes.dex!classes2.dex	5104	com.helloworld.xhs
/data/data/com.helloworld.xhs/.jiagu/classes.dex!classes3.dex	5104	com.helloworld.xhs

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
persistence

T1624.001

Processes:

com.helloworld.xhs

description ioc process

Framework service call android.app.IActivityManager.registerReceiver com.helloworld.xhs
Checks if the internet connection is available 1 TTPs 1 IoCs
discovery

T1421

Processes:

com.helloworld.xhs

description ioc process

Framework service call android.net.IConnectivityManager.getActiveNetworkInfo com.helloworld.xhs

description	ioc	process
Framework service call	android.app.IActivityManager.registerReceiver	com.helloworld.xhs

description	ioc	process
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.helloworld.xhs

com.helloworld.xhs
1⤵
- Checks if the Android device is rooted.
- Checks CPU information
- Checks known Qemu files.
- Checks known Qemu pipes.
- Checks memory information
- Loads dropped Dex/Jar
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Checks if the internet connection is available
PID:5104

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.helloworld.xhs/.jiagu/classes.dex
Filesize
7.3MB

MD5
9c66a8a208dea8b8a29728bd1e3cdd19

SHA1
58ff9fea7354b79fcf148d128dc308e67aa2bd03

SHA256
865d550168ccf32a966e6150f37c0bf70b744bef2170194ca3c5b2d182e715f2

SHA512
524e2fc459c741884863450fef589c553f44b3352682a09f7623d7d0f1a0a59d67a7f6b35ca24b0e8b4d09661501ae56647479c5a1e55b10cccacb65f855f62c

Download Submit
/data/data/com.helloworld.xhs/.jiagu/classes.dex!classes2.dex
Filesize
5.0MB

MD5
63b769e30c51f5a9a8131f2bd665945b

SHA1
ad009dcbeb54aa2d003e27219c4dca83844edb0a

SHA256
d2fc77096a3f92341fdfa76d7a8911018c6c6bb86dc50e84c954f36543b8ffda

SHA512
fe84672acf87ad2d383a2351df43500cd95c8c9698b97cea630f12249a407f2560a165160e19d92ba1456a96be71cf53e6508a439c757c99cf2cf4150dc0d857

Download Submit
/data/data/com.helloworld.xhs/.jiagu/classes.dex!classes3.dex
Filesize
109KB

MD5
4e3ad1d3c38aaeeec9eab3fcdf0356ed

SHA1
8f3ddc51da08aebd85a3a08b026b1f5510424f03

SHA256
86853d726fc56de1fdbeb3809cab3aa9e2d71dff7d1cc11b12fbe1def08bc988

SHA512
06643480745816dbd79091c0835c6cd4bf4509a1b2ca9cfe617c9cab157956951130810f4091dcf17afa5e7694175f0ca4ffbf6be14635974b42f5c275b17aaa

Download Submit
/data/data/com.helloworld.xhs/.jiagu/libjiagu.so
Filesize
668KB

MD5
e70826f98e5acd0e4577200dc2fe8669

SHA1
f6869fc6873a7172995b72081b1a7c993ceee202

SHA256
287f7833a48546ce6b210cc343036f3a705c66b855df18ca90c91163c37505ff

SHA512
d254c05d93f712bb576368f9778c33665844caab652d2a125c1fca2e61d932ba77c39f056ba3b3286f8317d5ac9ddcaee29cc7d4da09fdd52fbbe2fd7f25a949

Download Submit
/data/data/com.helloworld.xhs/.jiagu/libjiagu_64.so
Filesize
779KB

MD5
c97cb9e0a35bb1833823a117119db5ad

SHA1
f5760ab6a01f6a5bf3f0f9d50bd3974573f83e46

SHA256
2df4dd2e27c540e29e99e2af58f6f98927736c424a2a4e77a6d8070814044ffc

SHA512
87d94966a55ccdc5edd24c3ecf985d99800361911a563941e31bb6126edb7374be5231ad90cda2ba780836562e570103607d03e6621b14a2cfe34f36de5acfe8

Download Submit
/data/data/com.helloworld.xhs/.oabugaij/.fsgkea
Filesize
1B

MD5
01abfc750a0c942167651c40d088531d

SHA1
d08f88df745fa7950b104e4a707a31cfce7b5841

SHA256
334359b90efed75da5f0ada1d5e6b256f4a6bd0aee7eb39c0f90182a021ffc8b

SHA512
d369286ac86b60fa920f6464d26becacd9f4c8bd885b783407cdcaa74fafd45a8b56b364b63f6256c3ceef26278a1c7799d4243a8149b5ede5ce1d890b5c7236

Download Submit
/data/data/com.helloworld.xhs/app_crashrecord/1004
Filesize
58B

MD5
0d210bfb2a0e1f1b4c082a6a0f79de07

SHA1
bb8ed9e364db79d1d9f2fcde3f15091893222faa

SHA256
988722c23d78a46021d0e7ca9deee7aa8bb83288269174ffacb7316f381cca1d

SHA512
536e9867b0df29b15b789f8949be6ab37fcdeccb9d39ded981da7dc2052c9533d0ec0e6f9a5444132977605d372e1463d91bdde41b528ff2ca3f65ab152325c1

Download Submit
/data/data/com.helloworld.xhs/app_crashrecord/1004
Filesize
228B

MD5
88d346282c1f41751c2a8a5e6275fca5

SHA1
6051ee58f174ba256d710efe2cb3d7dae5e73a34

SHA256
d6827567be25d434bd39b6c1a2763216e43c0b177f8911013d5a7e0aa5bafc2a

SHA512
dacfa66338904ce8baf73adb42b9b4dba3b22e4c239f01d7a242ade7d6db9c925613eea081b7335162e95a98a7debb6125c9b7cb5c7a0854204f6a28c1b4ff72

Download Submit
/data/data/com.helloworld.xhs/databases/bugly_db_
Filesize
52KB

MD5
5e7d8006a4b91024dd331b13b1d6b48e

SHA1
ff9dab8947dea858ee853085008a3759abf5280e

SHA256
95e3eaf6fbdf7fac8b36701bf429ab5b587c7b8d8bde1fae015f8bdcdbcaf46b

SHA512
3c2ef4917fd6ffba83e25b608a2c3e36b5ceaaea2000d565af50c921cc11c78121dd937369774683e097c48ea1fe99e3edf726751a745120ff5b6774eae67a7a

Download Submit
/data/data/com.helloworld.xhs/databases/bugly_db_-journal
Filesize
512B

MD5
eacea218fabe21fe66b0c5d95797c20b

SHA1
2e618b2ed51d27340738a665168fffb3d564064b

SHA256
87816bdcbe34deddb6a109884aa87804a5325a733eccafa4d912b5889407c6cf

SHA512
2d7c879b80485cbc571827b961eb4fc5efdc9e0edab53838f10d933d243f9b1e6189d102bb2a2464804958780cb977e526c7d4d9106023c53f02574d716f0cc4

Download Submit
/data/data/com.helloworld.xhs/databases/bugly_db_-journal
Filesize
8KB

MD5
05fdeb6d0542939ab5dad346542f3a42

SHA1
863bcb360494a65c6192cc6f91f9b5ae7c543b52

SHA256
44efc7cba3caaf5c58492ee578435983a174a324d3019db807680c17f6fb7cae

SHA512
8b533b69e0f7fb86cf7e10b81c9cd736a37f9f008053b04a2324807450e566be5bac0a65cd171c91055d790d7d5b771e02dda41baee538c9ed079a0770bcd57f

Download Submit
/data/data/com.helloworld.xhs/databases/bugly_db_-journal
Filesize
8KB

MD5
623c3c16556136b0984abf3b88284cbe

SHA1
75efe711e9460f6b5e3a60fb6ffe9268e3bbe18f

SHA256
5c223c9f0cf87ea846144b4ac53239597b8c063fb01cea8663c5b816dd987f37

SHA512
63fef6d53f0b48bd7335be6b30ae7e36879820753dc69e8e80561f172edc9b7e726cd588a86611af86b9566a814f83c4aa7c65eeb7a904390b522344950f9907

Download Submit
/data/data/com.helloworld.xhs/databases/bugly_db_-journal
Filesize
8KB

MD5
3fbf0324b6ca43dbada2cf5fbdd98628

SHA1
7b75c6fd60ffa8f4f8886aac8df8e107ed85bc03

SHA256
64d433d9d853b7c31003d195e25034c408badcc03b2a17a441dc7dbf4a14b462

SHA512
d61bfd2c9cd45862d251437957d2a964f2ab73151064a30a8451724b2d374e6e2517e619ce9f939bf6354f50df64a2ffdd115c00091d43d4688f08482f24ec71

Download Submit
/data/data/com.helloworld.xhs/databases/bugly_db_-journal
Filesize
8KB

MD5
6dfbeedb82e83a52d19e426b3d00dfd3

SHA1
fc8f13eebdd20dbcf3547bd85fb146febefa70e9

SHA256
6df952b9cbf37a2c11347abf3cb772e37ead5a6b422ca3693661ef8d7a82f231

SHA512
657aa8f008927b3210d97ae449c515d5dcfd034a3b2e10a2d2f0f7e045aa6ccf548f31a6171bf4ab718b030fd2daeb0e2810e55a9cf563cd05a7b0a37dfcd143

Download Submit
/data/data/com.helloworld.xhs/databases/bugly_db_-journal
Filesize
8KB

MD5
01f626ba5629c4fc2518031713ddfbf4

SHA1
91b57e9141459bd5e1dcb3f99ae8d26638906499

SHA256
284979aaca93b30b000969bc05048ff12ce58308acd8e873e05b1c99e80139c0

SHA512
0436e9ad041d7ea1ce6187e95e7ae97a9976f80afdbb9178e91e16e7671e7dc1eaab695c1c7fd37a44a8be102a92b32568a82850328986b7ef237a501170e6dd

Download Submit
/data/data/com.helloworld.xhs/databases/moneyRecord.db
Filesize
44KB

MD5
ecdddbd8d087c15e8e9881e27552b618

SHA1
34ca842bacc94ccdb029016a998a368aa333331b

SHA256
b45543258538a85201ed6aab9d91887f46d1f01fae7181de3ab83883307e5b97

SHA512
3be899614bc2e3a5fb8ce16d0f117bf3b562c4404ddb3dab04021a614af1f655c791b7b617cc468994883bc533201515c8a39284df36a2f23366cb0fbb8b9df8

Download Submit
/data/data/com.helloworld.xhs/databases/moneyRecord.db-journal
Filesize
512B

MD5
b07a9e490587e0d01804b0303b3d451c

SHA1
7f525fa559603d2d6d2c731e21953a7232349fff

SHA256
8c6c14372aaa6860ab5396978a6cfb9136cce7f0cca7f55f1a6749b9439e4cf0

SHA512
5746cdb66b233477f56628b179d80a855485313dc802dbbf602ff60cf2df0a70f8d5a1e5997d749ae28103e14369498d2186d2dca035a2b502306e8d086e124f

Download Submit
/data/data/com.helloworld.xhs/databases/moneyRecord.db-journal
Filesize
8KB

MD5
4b7ec0aa52da8af778ddbbde58fb306d

SHA1
095a50a5b6bf822aaa5940eb7db667ddb4970ccb

SHA256
5b79f0f9efac67bf5850bbce28f2b9ad992dfe86d025d1a8bf155d442ecbf1ce

SHA512
6966115ed853143f789bbf934dbc6174c05afc17cfbbf01c20c6cb97fd9a76b2a521837b47b129c8bed8b44f44d49c14ff69518802dbf5e5fcf70e600c2d69e8

Download Submit
/data/data/com.helloworld.xhs/databases/moneyRecord.db-journal
Filesize
8KB

MD5
f3a0b74bd9e81728494a1e9e6e0b526d

SHA1
7bb8a4eea1cbc257e9c6a51ed0e1d628cf1b8d0b

SHA256
62005e909a8e46792b7558e3af15ed86cfe7bc3a7511c25bde79c2fb70897523

SHA512
ba36dd013a6b64db81df84f9dc5e8c16bb66766b26ca3122484694ba43e528738682b5a27683b4408a991d9779145a059c4ef4141c588390604493592fd1651d

Download Submit
/data/data/com.helloworld.xhs/files/.jglogs/.cl
Filesize
32B

MD5
bdd6a8b2658301fec147feb04cb58b2b

SHA1
52bbe26eb531c3dd895f414f6602877ede4cee3d

SHA256
0e1effd7858fdc9a9043c0a861f390c933f664375ba92b78deadbf9e8efa1108

SHA512
88d7442f0c16a9b96e1dc80d712521df4facc4ae6f54bb3c649edbb9e117f801f24e86c3cbaf5bf0a4c4fb5dd6128b68a6c261f386b8587a61ec9c868bb5b1ad

Download Submit
/data/data/com.helloworld.xhs/files/.jglogs/.jg.ac
Filesize
40B

MD5
f9428c0ecdaf411197a1165db986cbe6

SHA1
23f6a83e6a37a7f0340bc8f398edf5ad93e101d5

SHA256
51d5f04bdcfae0930c8f6d7d83024d847c79a344bc13c1619d01e074a13b8fb3

SHA512
3f2a76b6841b85d8ef87460f542f76f70f7c567fed4b28cebd416ecaf84d1a0263d97ba132b604df27de8c86b222f9a838185320226044e7eaf6f90cb5948791

Download Submit
/data/data/com.helloworld.xhs/files/.jglogs/.jg.ri
Filesize
307B

MD5
4e067bf4bb47b0467bf0c59819cc24be

SHA1
79241009f22e8e0deacdfebbefd644f96c4fb74f

SHA256
fb9ca02968ff28b4c95277b1920bbf03d8efa443fa28030a0a55a9b77d23c5e6

SHA512
06c25a397f8159a1890abe63c2fd2acbbf615366fe88d4e5e0743a70fea9d130e31bede4e34ae7bb486e664a29f3dda2eb9c511568419d7ff9cfb23cf63ea747

Download Submit
/data/data/com.helloworld.xhs/files/.jglogs/.jg.store.report_cf
Filesize
32B

MD5
e63945fb89bb5467bcd937439398a09a

SHA1
2cd11bb007c97eea81148ac338657526ae550ec4

SHA256
86e9c0b30c01056ee1a1a6fb712f58b58240ed81c16cabfd6831cc1fa732aebf

SHA512
1dc687bdf99aa0ba4177547b64a5474c7e033da32ccafb6dba3392bb5622a805cce00502ee1253a3bfad4e7ed007d4f558d5462d6e2afe290e3ff6d73998c22c

Download Submit
/data/data/com.helloworld.xhs/files/.jglogs/.jg.store.report_pid
Filesize
32B

MD5
6ee4502e5af409eddc8f615788acc461

SHA1
af60be46095e9ad8f347fe932cef3635adce363d

SHA256
c7e33c4275786af18b48f220c9a9346d6e85fca845d93f30a4efbb615cb7a449

SHA512
612cd40f093eae141974009ef81b50b9277657bbc288da0cde0f3c76351874bed67276ccb07ba141736059fbaf0114ff3e41eab85ab4388c23763d9f1b977c15

Download Submit