Analysis
- max time kernel: 176s
- max time network: 131s
- platform: android_x86
- resource: android-x86-arm-20240514-en
- resource tags: android, arch:arm, arch:x86, image:android-x86-arm-20240514-en, locale:en-us, os:android-9-x86, system
- submitted: 23-05-2024 18:22
Static task: static1
Behavioral task: behavioral1
- Sample: 6bda0ce655979c3e48191675af6cadbd_JaffaCakes118.apk
- Resource: android-x86-arm-20240514-en
Behavioral task: behavioral2
- Sample: 6bda0ce655979c3e48191675af6cadbd_JaffaCakes118.apk
- Resource: android-33-x64-arm64-20240514-en
General
- Target: 6bda0ce655979c3e48191675af6cadbd_JaffaCakes118.apk
- Size: 1.8MB
- MD5: 6bda0ce655979c3e48191675af6cadbd
- SHA1: 7047f48d621184e0619ebc89c5a6174ee1d92b5d
- SHA256: ad6aab977374b179d0af9ba5cbbeca3fc53bf1c19e38fbd22fdddd92d8796fe0
- SHA512: ff7ea0c8efe735f85513f292e37543f0479f6ae45f129fbeb5b259f0116bbdb4a18b1f4a24659e80049444805f7f562f630c6d9730662a9db985c3156d62388b
- SSDEEP: 49152:HHYQX4bBirCAslxTBv2SoRjEv1KY2JKy9VXmzqI0Z:dq0uAsTciv1MjVXgqZ
Malware Config
Signatures
- Checks if the Android device is rooted. (1 TTP, 2 IoCs)
- Checks CPU information (2 TTPs, 1 IoC)
  Checks CPU information which indicates whether the system is an emulator.
- Checks memory information (2 TTPs, 1 IoC)
  Checks memory information which indicates whether the system is an emulator.
- Loads dropped Dex/Jar (1 TTP, 4 IoCs)
  Runs an executable file dropped to the device during analysis.
  Processes:
  - com.ymccv6
  - /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/data/com.ymccv6/.jiagu/tmp.dex --output-vdex-fd=42 --oat-fd=44 --oat-location=/data/data/com.ymccv6/.jiagu/oat/x86/tmp.odex --compiler-filter=quicken --class-loader-context=&
  ioc | pid | process
  /data/user/0/com.ymccv6/.jiagu/classes.dex | 4297 | com.ymccv6
  /data/data/com.ymccv6/.jiagu/tmp.dex | 4297 | com.ymccv6
  /data/data/com.ymccv6/.jiagu/tmp.dex | 4349 | /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/data/com.ymccv6/.jiagu/tmp.dex --output-vdex-fd=42 --oat-fd=44 --oat-location=/data/data/com.ymccv6/.jiagu/oat/x86/tmp.odex --compiler-filter=quicken --class-loader-context=&
  /data/data/com.ymccv6/.jiagu/tmp.dex | 4297 | com.ymccv6
- Queries information about the current Wi-Fi connection (1 TTP, 1 IoC)
  Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
  Processes: com.ymccv6
  description | ioc | process
  Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | com.ymccv6
- Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTP, 1 IoC)
  Processes: com.ymccv6
  description | ioc | process
  Framework service call | android.app.IActivityManager.registerReceiver | com.ymccv6
- Checks if the internet connection is available (1 TTP, 1 IoC)
  Processes: com.ymccv6
  description | ioc | process
  Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | com.ymccv6
- Domain associated with commercial stalkerware software, includes indicators from echap.eu.org (2 IoCs)
  flow | ioc
  22 | s.appjiagu.com
  28 | b.appjiagu.com
- Uses Crypto APIs (Might try to encrypt user data) (1 TTP, 1 IoC)
  Processes: com.ymccv6
  description | ioc | process
  Framework API call | javax.crypto.Cipher.doFinal | com.ymccv6
Processes
- com.ymccv6
  - Checks if the Android device is rooted.
  - Checks CPU information
  - Checks memory information
  - Loads dropped Dex/Jar
  - Queries information about the current Wi-Fi connection
  - Registers a broadcast receiver at runtime (usually for listening for system events)
  - Checks if the internet connection is available
  - Uses Crypto APIs (Might try to encrypt user data)
  - chmod 755 /data/user/0/com.ymccv6/.jiagu/libjiagu.so
  - /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/data/com.ymccv6/.jiagu/tmp.dex --output-vdex-fd=42 --oat-fd=44 --oat-location=/data/data/com.ymccv6/.jiagu/oat/x86/tmp.odex --compiler-filter=quicken --class-loader-context=&
    - Loads dropped Dex/Jar
  - sh -c ps
  - ps
Network
MITRE ATT&CK Matrix
Downloads
- /data/data/com.ymccv6/.jiagu/classes.dex
  Filesize: 583KB
  MD5: 3dabf7d388483e28b346a79ad2b5f685
  SHA1: 8d1f04b68d2221810794c5d3859ea9613b42115b
  SHA256: 1f797ef70242593ab302c5b681853fffbee463974b1d6c2768972df8130c5ef9
  SHA512: 2ad02d7c0586c69c1053685815a459cba668a7d951c2dd656c90b4f1ac952060044439690ba2ffdb93dd824d4294ab1287c5d5f38ba616bb1885c16a74adeb71
- /data/data/com.ymccv6/.jiagu/libjiagu.so
  Filesize: 382KB
  MD5: aa01dd97609092ce310e17bf791069ce
  SHA1: f000840a8f68ea7beb2e29ea466088daf55609db
  SHA256: e432c191f918053ce368e1b1f155b2e1f9e84379611b93aabec0106172b73aa2
  SHA512: 766c120a06215d0950aae32026fcde3eafed8d18ae0de7bc8135a7378a9055c8f0040d61574d9af67fe2b5b90eeae64c62d787343858ae375bb6658df8afe7b4
- /data/data/com.ymccv6/.jiagu/tmp.dex
  Filesize: 284B
  MD5: f1771b68f5f9b168b79ff59ae2daabe4
  SHA1: 0df6a835559f5c99670214a12700e7d8c28e5a42
  SHA256: 9f8898ce35a47aeafced99ea0d17c33e73037bb2307c7688e50819966f4ae939
  SHA512: dae27d19727b89bec49398503baa6801640540355688dfabbe689c97545295c2c2d9b0f0dcd7cbc4cfbf701d0c0c3289e647a152f49ff242d1ecc741efe4145d
- /data/data/com.ymccv6/files/.jglogs/.jg.ac
  Filesize: 40B
  MD5: bedefd803f81d3076f3ec5ef0023dd2e
  SHA1: fbf08e6bc2bca122ae98275f57cd5b9482fab468
  SHA256: 0354a9264e955f6d93653a47ea8595e8748502a6696b93295e2c1529c626b7af
  SHA512: 4352e9d3daf3098485eeb638e8dfef536be15376dbdd5469aa550fbca2f6b4989e89ebe765366486247ef0e16fba6952e0d99cb4554ad5d4a35ca9a0b9af51bc
- /data/data/com.ymccv6/files/.jglogs/.jg.ac
  Filesize: 40B
  MD5: a62a5284785fb28549e35cb81ac9d16e
  SHA1: b8b44e6c3ff33dc25276b93782694601f26f13d2
  SHA256: 29768a14dba4e38e6df700f35cd9bf1ca6f3fdfee8605257ca071ba046c05a9c
  SHA512: 92ee6c6d164dd3092a30b0a869c1d583817e5899a97a0db18f42d11cea4a5885ac8cb5f0d58e40e85a11e536c70095bb618bbc5f2d2c79165ac3e5b61ed2635c
- /data/data/com.ymccv6/files/.jglogs/.jg.di
  Filesize: 340B
  MD5: 6edf8d66fa5d8f714aff215221788319
  SHA1: 10734efe5b81efb7b9baa9461c764d694d8afe6e
  SHA256: 446b4e5aad08d253b36bb4c44a5960713e9082e9e0231ce689a2c70db3f8e2cc
  SHA512: 382b2773f2cd085eee3b07ef0d7bd218026b2871be75aadd9822ce73afdd86fcc62e699d7621a212fecf3f3b11bb73562e117d50aa495674531ac10feac06b4a
- /data/data/com.ymccv6/files/.jglogs/.jg.di
  Filesize: 340B
  MD5: b5f40a08afd77439520f73b340a276ac
  SHA1: 877c51399088dc2f1b941ce470dcebd206b64476
  SHA256: 2623a2a1224f0e9f036b5fad9f9d2d0cdcca714bf4f9411382331f694ca2e23b
  SHA512: 9068e7af8a0171b1e5de93effc547028894131afcc1a150f3235cfd1578c6fbca9a829ff2c17b5f2aecf46e41792c8dd2204e5e9b55bb2abdbbb25b7730de2c0
- /data/data/com.ymccv6/files/.jglogs/.jg.ic
  Filesize: 40B
  MD5: 82be1b3ccc609176f1f9ae6b16b51c0a
  SHA1: 2efcac8a7095d341bf8a7e82487a61ec38ab58e7
  SHA256: 64adf210e762a26936bf86152bc31d7dd3d90713b3d70959e05cd8c4c589697b
  SHA512: 1c81f47f2a2ff157256ab8d52fa1bd86150cef04bc5c8e2cacbec10dd7306c14eb9b598dbb86aa2714ea5f3a0e961c14cf9a18ba093badc1db7a0cb4b80dafb3
- /data/data/com.ymccv6/files/.jglogs/.jg.ri
  Filesize: 314B
  MD5: 2554bbe091d0dc6c8d84179d3795a97d
  SHA1: 49f1e307d42090a5a49aa30c6716a1fd27f5e514
  SHA256: 2bdb4435838a6991cf8b64947b81fa6c67431e7bd51b5e2bd18e95aecd89d123
  SHA512: 562c3ff0e0427deae6ddf0bdd539b3ecd27d911bbb53a472fb32c953508dbf26ddebabbcc46c52b1894a8d65043884e3459418156b40c87134ef79d789bea570
- /data/data/com.ymccv6/files/.jiagu.lock
  Filesize: 27B
  MD5: 942a1c6cb6e81c0ba6eeada34705ff3c
  SHA1: 829d883515767629ff3e09e3875ecd06889be4ad
  SHA256: 3037e8a0ff58b6c0b6a0a7189f51784992e0105e6a07a1ffe0f425f341ddb80f
  SHA512: a2de835ce4d8323fdf863c22fc39a283387211c8f7cb26796a138adb3bd6e98e5f187f9d60a54a97885ffebc8c05437d711ee0a54fb031dd2d655b8fc24e7a49
- /data/data/com.ymccv6/files/com.tencent.open.config.json.100686848
  Filesize: 1KB
  MD5: f526172de1566b34fdcea744710d9559
  SHA1: 000cb54d9a008a807a1c5a3fd2b2e7cb41e7939d
  SHA256: 8572be02b59f4d514000939ec04a9b4e2380c55265256b724a617d8d0f4c6940
  SHA512: dc81f0fe345b18c96b1638c67b9ef4c5e60059dfc4a02f3c30a23645d4847abeef46cf467d044c42597115c48052ce0e8ea24328382114a544c5dfd039a95e7d
- /data/user/0/com.ymccv6/.jiagu/classes.dex
  Filesize: 1.8MB
  MD5: 0ad5b37b490dbcdf9a7cb61f4058fdff
  SHA1: da0aff6000e497e196cb38da5da15bbccb9d2aa4
  SHA256: 1a74a49ada3d8db0c12b5f5e4cbc2cc9b085f2a27a22b70bd827fe9eecfa9d77
  SHA512: 2865e1d37176165fd805e0175c4d869e56cbd6991885e8e88656cf285aa33254fe16598b5108b6979291b8bf46ca61cf5ceca3f85d0ee52e9d0bb2f74ad75819
- /storage/emulated/0/360/.deviceId
  Filesize: 48B
  MD5: 1d8d16c4e3b19ebf18988530d9b9a757
  SHA1: bc94c1cce05cd848a53271ecb9c5311e27ffebf5
  SHA256: abd87140da8de3d0aa39a24a8d52bfe7b2eb28f7a3d505f205471c7e8f4964d7
  SHA512: 4562d1eedbc5c2dd7f25cd1c70343053fd451026403585182b142a64f17016c1bd0bf6ad51667b439b220e425640e55fbbda08517e7106376cdc220a4555da82
- /storage/emulated/0/360/.iddata
  Filesize: 32B
  MD5: b2b9946351bfe74597731839e88fa659
  SHA1: 663aeb654d64b25a53ad4e8694e63332a0d2fb29
  SHA256: 4404293817e46a23ab681fff61b10d8968dfccba01b1f5676855ab48d342a47e
  SHA512: 15b9df73b4049e5156b882a1dc1e8f293c20d1447146374e10f657996294ca28248dce40d027947fb0de190a8a94453cb543003d0501b5ad0f96d3f89e1c4180
- /storage/emulated/0/ymcc/1.zip
  Filesize: 32KB
  MD5: 0884fe2df59675c89b9630ea83defb3c
  SHA1: 00a1d80fad8ab5a7a394e6ce2ab077214b639e76
  SHA256: a787978b012fe72ce2519abaafeb2da9e47cc64c1f9606dca581ae528edafde1
  SHA512: b5b95136691dceacd9b7e50c50c9c4d41897e1c64b32e8911ac6114af5708eafade80e9de30af55bb303819b7b5782e22503a9095593e7525a0bd4f49dabe7e1
- /storage/emulated/0/ymcc/2.zip
  Filesize: 263B
  MD5: 71a47fab57255faa1b341d5567e1a45e
  SHA1: cd8a50920af447ec3655ab1121df4f8a6b9192d3
  SHA256: 32924751095da3f5b638379cb98b9e05964bfaef7ec0913a08e61c892c2768ea
  SHA512: 80da8142087786887b1c74daf28d2274f0298a515b2b02d366c38205da3fb6f0ac472a527342ac217bc57823bb892dc884f612819ea013088c1ee3b47014b1a6