82d96c00836fbd3a1ddb1e556888b6f82efa4d9751cd58cc1220ebbd5faf6a55

Analysis

max time kernel
176s
max time network
185s
platform
android_x64
resource
android-x64-arm64-20240514-en
resource tags

androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240514-enlocale:en-usos:android-11-x64system
submitted
23-05-2024 11:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

xihongshi4.apk
Size

9.3MB
MD5

0d1036a2605ad14127890fa666a51cac
SHA1

684c83e65da4dabdf7debe867ce6ef4b3bdc107d
SHA256

82d96c00836fbd3a1ddb1e556888b6f82efa4d9751cd58cc1220ebbd5faf6a55
SHA512

60c987565f7a31cf240955d026c8b0ef18c528c5d104e8c674ad026501220bc62d2e55b75805d3c1945ea76a6b7e72c3ad0fd2fc35ac36c412cfb6460dcb2f9c
SSDEEP

196608:aRO2Q2Yxzo3GAQK8MoZvWTfuxjbpKXyowCYqmzYEZXKZvhfMumx4:aRLrUM3GA78lNefuxpEyoPYqmzTXKZVP

Score

8^/10

discovery evasion

Malware Config

Signatures

Checks if the Android device is rooted. 1 TTPs 5 IoCs

evasion

System Information Discovery

T1426

Processes:

com.helloworld.xhs

ioc	process
/sbin/su	com.helloworld.xhs
/data/local/xbin/su	com.helloworld.xhs
/data/local/bin/su	com.helloworld.xhs
/data/local/su	com.helloworld.xhs
/system/xbin/su	com.helloworld.xhs

Checks CPU information 2 TTPs 1 IoCs
Checks CPU information which indicate if the system is an emulator.
evasion discovery

System Checks
T1633.001

System Information Discovery
T1426

Processes:

com.helloworld.xhs

description ioc process

File opened for read /proc/cpuinfo com.helloworld.xhs
Checks known Qemu files. 1 TTPs 3 IoCs
Checks for known Qemu files that exist on Android virtual device images.
evasion

System Checks
T1633.001

Processes:

com.helloworld.xhs

ioc process

/system/lib/libc_malloc_debug_qemu.so com.helloworld.xhs
/sys/qemu_trace com.helloworld.xhs
/system/bin/qemu-props com.helloworld.xhs
Checks known Qemu pipes. 1 TTPs 2 IoCs
Checks for known pipes used by the Android emulator to communicate with the host.
evasion

System Checks
T1633.001

Processes:

com.helloworld.xhs

ioc process

/dev/socket/qemud com.helloworld.xhs
/dev/qemu_pipe com.helloworld.xhs
Checks memory information 2 TTPs 1 IoCs
Checks memory information which indicate if the system is an emulator.
evasion discovery

System Checks
T1633.001

System Information Discovery
T1426

Processes:

com.helloworld.xhs

description ioc process

File opened for read /proc/meminfo com.helloworld.xhs

description	ioc	process
File opened for read	/proc/cpuinfo	com.helloworld.xhs

ioc	process
/system/lib/libc_malloc_debug_qemu.so	com.helloworld.xhs
/sys/qemu_trace	com.helloworld.xhs
/system/bin/qemu-props	com.helloworld.xhs

ioc	process
/dev/socket/qemud	com.helloworld.xhs
/dev/qemu_pipe	com.helloworld.xhs

description	ioc	process
File opened for read	/proc/meminfo	com.helloworld.xhs

Loads dropped Dex/Jar 1 TTPs 3 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

Processes:

com.helloworld.xhs

ioc	pid	process
/data/user/0/com.helloworld.xhs/.jiagu/classes.dex	4502	com.helloworld.xhs
/data/user/0/com.helloworld.xhs/.jiagu/classes.dex!classes2.dex	4502	com.helloworld.xhs
/data/user/0/com.helloworld.xhs/.jiagu/classes.dex!classes3.dex	4502	com.helloworld.xhs

Checks if the internet connection is available 1 TTPs 1 IoCs
discovery

System Network Connections Discovery
T1421

Processes:

com.helloworld.xhs

description ioc process

Framework service call android.net.IConnectivityManager.getActiveNetworkInfo com.helloworld.xhs

description	ioc	process
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.helloworld.xhs

com.helloworld.xhs
1⤵
- Checks if the Android device is rooted.
- Checks CPU information
- Checks known Qemu files.
- Checks known Qemu pipes.
- Checks memory information
- Loads dropped Dex/Jar
- Checks if the internet connection is available
PID:4502

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Discovery

System Information Discovery

T1426

System Network Connections Discovery

T1421

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.helloworld.xhs/.oabugaij/.fsgkea

Filesize
1B

MD5
01abfc750a0c942167651c40d088531d

SHA1
d08f88df745fa7950b104e4a707a31cfce7b5841

SHA256
334359b90efed75da5f0ada1d5e6b256f4a6bd0aee7eb39c0f90182a021ffc8b

SHA512
d369286ac86b60fa920f6464d26becacd9f4c8bd885b783407cdcaa74fafd45a8b56b364b63f6256c3ceef26278a1c7799d4243a8149b5ede5ce1d890b5c7236

Download Submit
/data/user/0/com.helloworld.xhs/.jiagu/classes.dex

Filesize
7.3MB

MD5
9c66a8a208dea8b8a29728bd1e3cdd19

SHA1
58ff9fea7354b79fcf148d128dc308e67aa2bd03

SHA256
865d550168ccf32a966e6150f37c0bf70b744bef2170194ca3c5b2d182e715f2

SHA512
524e2fc459c741884863450fef589c553f44b3352682a09f7623d7d0f1a0a59d67a7f6b35ca24b0e8b4d09661501ae56647479c5a1e55b10cccacb65f855f62c

Download Submit
/data/user/0/com.helloworld.xhs/.jiagu/classes.dex!classes2.dex

Filesize
5.0MB

MD5
63b769e30c51f5a9a8131f2bd665945b

SHA1
ad009dcbeb54aa2d003e27219c4dca83844edb0a

SHA256
d2fc77096a3f92341fdfa76d7a8911018c6c6bb86dc50e84c954f36543b8ffda

SHA512
fe84672acf87ad2d383a2351df43500cd95c8c9698b97cea630f12249a407f2560a165160e19d92ba1456a96be71cf53e6508a439c757c99cf2cf4150dc0d857

Download Submit
/data/user/0/com.helloworld.xhs/.jiagu/classes.dex!classes3.dex

Filesize
109KB

MD5
4e3ad1d3c38aaeeec9eab3fcdf0356ed

SHA1
8f3ddc51da08aebd85a3a08b026b1f5510424f03

SHA256
86853d726fc56de1fdbeb3809cab3aa9e2d71dff7d1cc11b12fbe1def08bc988

SHA512
06643480745816dbd79091c0835c6cd4bf4509a1b2ca9cfe617c9cab157956951130810f4091dcf17afa5e7694175f0ca4ffbf6be14635974b42f5c275b17aaa

Download Submit
/data/user/0/com.helloworld.xhs/.jiagu/libjiagu.so

Filesize
668KB

MD5
e70826f98e5acd0e4577200dc2fe8669

SHA1
f6869fc6873a7172995b72081b1a7c993ceee202

SHA256
287f7833a48546ce6b210cc343036f3a705c66b855df18ca90c91163c37505ff

SHA512
d254c05d93f712bb576368f9778c33665844caab652d2a125c1fca2e61d932ba77c39f056ba3b3286f8317d5ac9ddcaee29cc7d4da09fdd52fbbe2fd7f25a949

Download Submit
/data/user/0/com.helloworld.xhs/.jiagu/libjiagu_64.so

Filesize
779KB

MD5
c97cb9e0a35bb1833823a117119db5ad

SHA1
f5760ab6a01f6a5bf3f0f9d50bd3974573f83e46

SHA256
2df4dd2e27c540e29e99e2af58f6f98927736c424a2a4e77a6d8070814044ffc

SHA512
87d94966a55ccdc5edd24c3ecf985d99800361911a563941e31bb6126edb7374be5231ad90cda2ba780836562e570103607d03e6621b14a2cfe34f36de5acfe8

Download Submit
/data/user/0/com.helloworld.xhs/app_crashrecord/1004

Filesize
228B

MD5
14f572b54c8c37cebd130f21d170389a

SHA1
0134363b6d29c4ae6a57fbf3bd40db7f979c5dc8

SHA256
b1c43acf78c895fa4b3cde70e9d94ac2d64cd0847906ab1addf2481d376ea5e1

SHA512
6c8d37001f77174cd97045975b67d0107b34e8ca735f00d7a4fc2bf077bd6fd645b4bcf3fde4671c8ad77823ce593eac68e404772f9455e91038ac6bb9023adf

Download Submit
/data/user/0/com.helloworld.xhs/app_crashrecord/1004

Filesize
58B

MD5
0d210bfb2a0e1f1b4c082a6a0f79de07

SHA1
bb8ed9e364db79d1d9f2fcde3f15091893222faa

SHA256
988722c23d78a46021d0e7ca9deee7aa8bb83288269174ffacb7316f381cca1d

SHA512
536e9867b0df29b15b789f8949be6ab37fcdeccb9d39ded981da7dc2052c9533d0ec0e6f9a5444132977605d372e1463d91bdde41b528ff2ca3f65ab152325c1

Download Submit
/data/user/0/com.helloworld.xhs/databases/bugly_db_

Filesize
52KB

MD5
e87b42e9816a2bbbdd841c74f683d08a

SHA1
c1399b58f39a7d3debe20f8953c3db209b513f14

SHA256
ea96b7372d72c0fbd785d3a07eee6762854fb7eb03a8d77b9b40c6f78f41fe47

SHA512
586fe32c41d6751f5c0b8dee40c33855022f3e2019efa7d890ace5b2bff63be4e43edc1073d977d3f38432ba14afbe788937f4bf1bd692feb8c3756f44efef11

Download Submit
/data/user/0/com.helloworld.xhs/databases/bugly_db_-journal

Filesize
512B

MD5
7eefd1dfcd70564990e8a67cda8ea52c

SHA1
d03634d0a445e081d9689560600e741c6e945355

SHA256
ff3f1cb9fd72fe5d30051603d0f77e2701232e153ac72ee7d99f18af46e625b8

SHA512
8055daeaba1ad6a73aa5a2978ca14263b207dafda1139aafc57a2bab7ff63249ab9619e3ed6a26fe95f1a356a89aa84ba8f2f4a920152e747a1808056a71e707

Download Submit
/data/user/0/com.helloworld.xhs/databases/bugly_db_-journal

Filesize
8KB

MD5
bd97c94ded6e4c889860b48a47f14672

SHA1
336fc8cbb572cf3b39a87537a02f09f9f648fb29

SHA256
832fddfb98264ed6945f6eb43286d669f94856890a364d6ad2c6458af3fa769e

SHA512
e33ef6c835c5499b137c60ad9b2cc07ade18096c8b0cbd5953e69636585d9b031e02270daa869f3cb27f46e5c769f7232760b0ee547ce98cd0d07567e1f9150c

Download Submit
/data/user/0/com.helloworld.xhs/databases/bugly_db_-journal

Filesize
8KB

MD5
2867d83fa4215ded6a029d3d7c2fea4b

SHA1
a91d76cd56d6ce25d0e94761be091fb58420b88b

SHA256
3729fc3423fa5b57740da4604b885b9e1cbee79af8577ebcc2b52b421a5880ab

SHA512
6342e5516bf88185e71d03f9ba85d573044435eac789c4b52dc98222f9ba6220cb4ed35053288d277d81c67d9229fe887ac093dd9b5e42a1edfcc2adb26f6666

Download Submit
/data/user/0/com.helloworld.xhs/databases/bugly_db_-journal

Filesize
8KB

MD5
e099b5bf878759e6e6aa5865e4a17e84

SHA1
866f51e91a2a3c5222573d62e5fec0ab49466c05

SHA256
18970c1963b9c890ebbf50a906fa0999b7bcbdd22141dac189100393b4f2a5e0

SHA512
c66072bff9f3449ac962fb711de13b97d53bde10534054de79c93c6a9afda0ae3596a25a1240613325a57bfe4f3347ff7a56bd34a805c518fc30ba615944c7a5

Download Submit
/data/user/0/com.helloworld.xhs/databases/bugly_db_-journal

Filesize
8KB

MD5
6900a87babedfb6158ba44ae36d36062

SHA1
408f92aad95ceb62dfa1e6076a712080f493a9a1

SHA256
2ccdf4a22eabbdfd6d43e6a4a9253a9fda713ef222e9094da967772aee0bcd95

SHA512
38a457220a19f41e0b955efe58caa9124590146550df98890e9a7072673df06b092e824d49ce7b172022d0bfae80aa4f8b99c73cdf825d11ba1f2d852fe96c76

Download Submit
/data/user/0/com.helloworld.xhs/databases/bugly_db_-journal

Filesize
8KB

MD5
ac7f4ace7f20443b69421a9e4bbe4ebc

SHA1
a9d035b0f7f852dda28c6e81cf54b2c0fc593e24

SHA256
264f3f3bf7c948f5edf7c1bd49de2e9fada75785c4d5ee13061bcd5c8b2f03c1

SHA512
45ed8d1f0f359700126d22c6b86df69fdd467414ab8547634a04b885a01f6eaacd34e0bbfaaeedf5a7f93e541557947bd4a82770a13e053db5d29c4e567aeaa6

Download Submit
/data/user/0/com.helloworld.xhs/databases/moneyRecord.db

Filesize
44KB

MD5
7932a62b0cefcc61845024c631eeba8e

SHA1
e152dba9a27e732f5ecc2f6fe8c5b6a836cc625d

SHA256
bf73df58a5a7e3a71b68dfd6acbf88054e603d86b9f0b45181a17383366a9864

SHA512
d67022a5cee13eb77d79e9968b75cd071e5fa851278eef91e403a8beab45fa6c06bab0be4454b74e644b06ca69de21b6e964ac1bb32a7b7b0fe0b045f12dab5e

Download Submit
/data/user/0/com.helloworld.xhs/databases/moneyRecord.db-journal

Filesize
512B

MD5
1c02e7d4fbd09c59dd1665b5d7a53688

SHA1
7596559c6fc51e0ebd3fb7c5cb5d044e6d7dde68

SHA256
de1a260718f20dfff0332a192521dcfda876d68d1cf181bbe20f93ce528da398

SHA512
463900e50a3f74250a4f544ef1a56fb05c33e0bac9899f6c9b277befc63f0d06fcd131460fd786a6742d7b913fbd8e001648c6d19d1b05f054f2373d35a2f9f1

Download Submit
/data/user/0/com.helloworld.xhs/databases/moneyRecord.db-journal

Filesize
8KB

MD5
a2a4cf4008b7f536b0fd34a5e82ac2a5

SHA1
a23964ed7054b5c4c1d939586b5d1412f0173376

SHA256
cabbd46030497cb638fe7073cfa842e6aaab9551d5b713be9d77131a91343532

SHA512
ce2b21cf012a6c1a45dddae61cdb0ccd435ccefa0434476b77c9edf844548d2d30a69935310aa650c649527ff6ae6e3f9a3356b1cf4457768536ee09eef1bb2c

Download Submit
/data/user/0/com.helloworld.xhs/databases/moneyRecord.db-journal

Filesize
8KB

MD5
ec6573c7cc213ad31e0d7578843d14d7

SHA1
72114edbf8d58a27a21cf42b47b3cf06d11194e9

SHA256
6b59cfb51239d3bb92efb00496299ed199d941e44db11bbe0788d491859ad99e

SHA512
518e127f7b35ea67a65f2d21e55ccd26c51bed22f5118c42925e448af792e4d10b700a40412451d4adcbea479b35a4e10d39115908320d2b6ab57f920c3ea035

Download Submit
/data/user/0/com.helloworld.xhs/files/.jglogs/.cl

Filesize
32B

MD5
bdd6a8b2658301fec147feb04cb58b2b

SHA1
52bbe26eb531c3dd895f414f6602877ede4cee3d

SHA256
0e1effd7858fdc9a9043c0a861f390c933f664375ba92b78deadbf9e8efa1108

SHA512
88d7442f0c16a9b96e1dc80d712521df4facc4ae6f54bb3c649edbb9e117f801f24e86c3cbaf5bf0a4c4fb5dd6128b68a6c261f386b8587a61ec9c868bb5b1ad

Download Submit
/data/user/0/com.helloworld.xhs/files/.jglogs/.jg.ac

Filesize
40B

MD5
f9428c0ecdaf411197a1165db986cbe6

SHA1
23f6a83e6a37a7f0340bc8f398edf5ad93e101d5

SHA256
51d5f04bdcfae0930c8f6d7d83024d847c79a344bc13c1619d01e074a13b8fb3

SHA512
3f2a76b6841b85d8ef87460f542f76f70f7c567fed4b28cebd416ecaf84d1a0263d97ba132b604df27de8c86b222f9a838185320226044e7eaf6f90cb5948791

Download Submit
/data/user/0/com.helloworld.xhs/files/.jglogs/.jg.ri

Filesize
307B

MD5
ce409374a9de084af55f0703c406233c

SHA1
71471c7fd576210ddf789c70f3c11e02f6873596

SHA256
21bd069be2567d1d9a7877219d46438d124a4e6faba5cf555869a6afe4cb7e7a

SHA512
3ecfaf3f3b855403b34e0cba45e21c9f50a9cb7f088e487fa9bf19c170f614a96d3a4ff1720d0766710ab0bd119654a99ab8aa7ef168f4286395a3f67222db2d

Download Submit
/data/user/0/com.helloworld.xhs/files/.jglogs/.jg.store.report_cf

Filesize
32B

MD5
e63945fb89bb5467bcd937439398a09a

SHA1
2cd11bb007c97eea81148ac338657526ae550ec4

SHA256
86e9c0b30c01056ee1a1a6fb712f58b58240ed81c16cabfd6831cc1fa732aebf

SHA512
1dc687bdf99aa0ba4177547b64a5474c7e033da32ccafb6dba3392bb5622a805cce00502ee1253a3bfad4e7ed007d4f558d5462d6e2afe290e3ff6d73998c22c

Download Submit
/data/user/0/com.helloworld.xhs/files/.jglogs/.jg.store.report_pid

Filesize
32B

MD5
6ee4502e5af409eddc8f615788acc461

SHA1
af60be46095e9ad8f347fe932cef3635adce363d

SHA256
c7e33c4275786af18b48f220c9a9346d6e85fca845d93f30a4efbb615cb7a449

SHA512
612cd40f093eae141974009ef81b50b9277657bbc288da0cde0f3c76351874bed67276ccb07ba141736059fbaf0114ff3e41eab85ab4388c23763d9f1b977c15

Download Submit