af82f5e051e2b62b80630ff87fe3e5743d19926031b53165baf2dd8de0687471

Analysis

max time kernel
101s
max time network
188s
platform
android_x86
resource
android-x86-arm-20240514-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20240514-enlocale:en-usos:android-9-x86system
submitted
24-05-2024 01:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6cdcf39fbbbf988a848e725b5186223a_JaffaCakes118.apk
Size

10.7MB
MD5

6cdcf39fbbbf988a848e725b5186223a
SHA1

d0f13f2b444dd9c7f8c2fb41d506e8d17fe94ccf
SHA256

af82f5e051e2b62b80630ff87fe3e5743d19926031b53165baf2dd8de0687471
SHA512

8d7b804651e78a1889c233fe63eca8f9a1942e1d2ea778bc4d947affea1a4521e0e1e5c924bb92656f292a9b18803b6fd5f46b7d64bf1bc42c8b1283e3b109f5
SSDEEP

196608:8P4hqfJHA37R5rE+1SeoQnnNoIC3zcaiQq2LmfJo5Lzi09:kfJgrb/SeoQn+IP2L6uJzi09

Score

8^/10

banker collection discovery evasion impact persistence

Malware Config

Signatures

Checks if the Android device is rooted. 1 TTPs 2 IoCs
evasion

System Information Discovery
T1426

Processes:

com.duoduo.vip.taxi

ioc process

/system/app/Superuser.apk com.duoduo.vip.taxi
/system/xbin/su com.duoduo.vip.taxi
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Requests cell location 2 TTPs 1 IoCs
Uses Android APIs to to get current cell location.
collection discovery evasion

Location Tracking
T1430

Geofencing
T1627.001

Processes:

com.duoduo.vip.taxi

description ioc process

Framework service call com.android.internal.telephony.ITelephony.getCellLocation com.duoduo.vip.taxi
Checks CPU information 2 TTPs 1 IoCs
Checks CPU information which indicate if the system is an emulator.
evasion discovery

System Checks
T1633.001

System Information Discovery
T1426

Processes:

com.duoduo.vip.taxi

description ioc process

File opened for read /proc/cpuinfo com.duoduo.vip.taxi
Checks memory information 2 TTPs 1 IoCs
Checks memory information which indicate if the system is an emulator.
evasion discovery

System Checks
T1633.001

System Information Discovery
T1426

Processes:

com.duoduo.vip.taxi

description ioc process

File opened for read /proc/meminfo com.duoduo.vip.taxi
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
evasion persistence

Foreground Persistence
T1541

Processes:

com.duoduo.vip.taxi

description ioc process

Framework service call android.app.IActivityManager.setServiceForeground com.duoduo.vip.taxi
Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
discovery

System Network Connections Discovery
T1421

Processes:

com.duoduo.vip.taxi

description ioc process

Framework service call android.net.wifi.IWifiManager.getConnectionInfo com.duoduo.vip.taxi
Queries information about the current nearby Wi-Fi networks 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about the current nearby Wi-Fi networks.
discovery

System Network Connections Discovery
T1421

Processes:

com.duoduo.vip.taxi

description ioc process

Framework service call android.net.wifi.IWifiManager.getScanResults com.duoduo.vip.taxi
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
persistence

Broadcast Receivers
T1624.001

Processes:

com.duoduo.vip.taxi

description ioc process

Framework service call android.app.IActivityManager.registerReceiver com.duoduo.vip.taxi
Acquires the wake lock 1 IoCs

Processes:

com.duoduo.vip.taxi

description ioc process

Framework service call android.os.IPowerManager.acquireWakeLock com.duoduo.vip.taxi
Checks if the internet connection is available 1 TTPs 1 IoCs
discovery

System Network Connections Discovery
T1421

Processes:

com.duoduo.vip.taxi

description ioc process

Framework service call android.net.IConnectivityManager.getActiveNetworkInfo com.duoduo.vip.taxi
Domain associated with commercial stalkerware software, includes indicators from echap.eu.org 2 IoCs

Processes:

flow ioc

17 alog.umeng.com
62 alog.umeng.com
Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422
Checks the presence of a debugger
evasion
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
impact

Data Encrypted for Impact
T1471

Processes:

com.duoduo.vip.taxi

description ioc process

Framework API call javax.crypto.Cipher.doFinal com.duoduo.vip.taxi

ioc	process
/system/app/Superuser.apk	com.duoduo.vip.taxi
/system/xbin/su	com.duoduo.vip.taxi

description	ioc	process
Framework service call	com.android.internal.telephony.ITelephony.getCellLocation	com.duoduo.vip.taxi

description	ioc	process
File opened for read	/proc/cpuinfo	com.duoduo.vip.taxi

description	ioc	process
File opened for read	/proc/meminfo	com.duoduo.vip.taxi

description	ioc	process
Framework service call	android.app.IActivityManager.setServiceForeground	com.duoduo.vip.taxi

description	ioc	process
Framework service call	android.net.wifi.IWifiManager.getConnectionInfo	com.duoduo.vip.taxi

description	ioc	process
Framework service call	android.net.wifi.IWifiManager.getScanResults	com.duoduo.vip.taxi

description	ioc	process
Framework service call	android.app.IActivityManager.registerReceiver	com.duoduo.vip.taxi

description	ioc	process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.duoduo.vip.taxi

description	ioc	process
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.duoduo.vip.taxi

flow	ioc
17	alog.umeng.com
62	alog.umeng.com

description	ioc	process
Framework API call	javax.crypto.Cipher.doFinal	com.duoduo.vip.taxi

com.duoduo.vip.taxi
1⤵
- Checks if the Android device is rooted.
- Requests cell location
- Checks CPU information
- Checks memory information
- Makes use of the framework's foreground persistence service
- Queries information about the current Wi-Fi connection
- Queries information about the current nearby Wi-Fi networks
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Acquires the wake lock
- Checks if the internet connection is available
- Uses Crypto APIs (Might try to encrypt user data)
PID:4263

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Foreground Persistence

T1541

Privilege Escalation

Defense Evasion

Execution Guardrails

T1627

Geofencing

T1627.001

Foreground Persistence

T1541

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Discovery

Location Tracking

T1430

Software Discovery

T1418

Security Software Discovery

T1418.001

System Information Discovery

T1426

System Network Configuration Discovery

T1422

System Network Connections Discovery

T1421

Lateral Movement

Collection

Location Tracking

T1430

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.duoduo.vip.taxi/databases/message.db

Filesize
4KB

MD5
f2b4b0190b9f384ca885f0c8c9b14700

SHA1
934ff2646757b5b6e7f20f6a0aa76c7f995d9361

SHA256
0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

SHA512
ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

Download Submit
/data/data/com.duoduo.vip.taxi/databases/message.db-journal

Filesize
512B

MD5
5825953b9e4f0c7f7a9c1a8652820c88

SHA1
07997975d636632fef88f775d4003dd46219bae9

SHA256
30a482c53016f241033c1872cb96ac4090800b6b296f233fdfedd4101bb71f46

SHA512
ad8c21df44d1e8b0272d1664cad1e77da12309c10a0c4456cf9ab2c8dd60e78242e3e46a1e8588874cbb7e9554b062e7a143839aa38a8535b64b5f4f4018f627

Download Submit
/data/data/com.duoduo.vip.taxi/databases/message.db-shm

Filesize
32KB

MD5
bb7df04e1b0a2570657527a7e108ae23

SHA1
5188431849b4613152fd7bdba6a3ff0a4fd6424b

SHA256
c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

SHA512
768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Download Submit
/data/data/com.duoduo.vip.taxi/databases/message.db-wal

Filesize
32KB

MD5
df1057de47ff1791acb0c4fda0ca4239

SHA1
556480e8b7b13ba9058a37e463695a5eb6e9d28b

SHA256
e646fb8efd1681bb0d8680b09667ba89dce5bfe871beee755f7846c89b37407d

SHA512
c81a7bbc908bbd41799a69704f214463a9d39a1cd2bafa4b5f3eb3ed36892821433c36b104f76faa526ce0139039aede1bd786736359e8aa4742ed42cc1fde7f

Download Submit
/data/data/com.duoduo.vip.taxi/files/.TwitterSdk/cl/com.crashlytics.sdk.android/664FE76D00E1-0001-10A7-0C1A760FEB73BeginSession.cls_temp

Filesize
78B

MD5
34b862b8ab91c1d9747b4e7c4af37512

SHA1
f11f1a48db0d6077dca76c382ef79f45d09943a9

SHA256
fd2fc14f586f6dfa9ec77427fe9a6ced500853ba68c3f4dafb7ea9d0df54dfc8

SHA512
315506646e863d3d161e8d0fefa3f7404a9eceb1974814b28797f8730e5728e1fd8d64eee460d08a2f316bd80d2d72c0c218a448cef0ffa274c23e1d7cbbaa61

Download Submit
/data/data/com.duoduo.vip.taxi/files/.TwitterSdk/cl/com.crashlytics.sdk.android/664FE76D00E1-0001-10A7-0C1A760FEB73SessionApp.cls_temp

Filesize
115B

MD5
fac5021ee69ba3ba7b47e1cf7b94f45f

SHA1
1b6b77332aacbca3d5efd94da11a1ef379318213

SHA256
c323b3a7b225d5567733ce99febea638755f15fc2ba817fd601c54c0f80f2751

SHA512
7c4cfc1cc3380065f26d38b2e790b1fbb5b5fb4ca3a74f3eba305eaf17424670f7341d67bfe8b2fdfa7e3a9af52e7c3e3567818d6a5420b61b1acf704340c8c4

Download Submit
/data/data/com.duoduo.vip.taxi/files/.TwitterSdk/cl/com.crashlytics.sdk.android/664FE76D00E1-0001-10A7-0C1A760FEB73SessionDevice.cls_temp

Filesize
101B

MD5
4ccad93d16f18a64402b54c8da520167

SHA1
e7047641719c2b5407e76d6015ef710239fe08b2

SHA256
68c7dd32058c3b03aeb37c1a1f3024bfcddba952752f69c8e14a06f4fb7b012b

SHA512
f48dbd7fd47eca92ca17a9b23d9460a63f1ac11c2be1ecc10833e774612fd7904699b549a4538c6291c81cfa1bb6114d09686528c8984a9f018e57a0431006e0

Download Submit
/data/data/com.duoduo.vip.taxi/files/.TwitterSdk/cl/com.crashlytics.sdk.android/664FE76D00E1-0001-10A7-0C1A760FEB73SessionOS.cls_temp

Filesize
14B

MD5
9b3d4522944ce6396563812bfdb92fa9

SHA1
6d2a6133c8f01938a48ccc77ef86ad8ca335c020

SHA256
d32805d685a3f50caa7f1c0bd7c8804c4d937a866513289f60e3184f7a591ed9

SHA512
091d87643712530bf9006135db42a5a50742bb5ca3026bcc5f2c1c17bf4fd984a8938d29263b0abde3d15cac196d2230902534e200b0b79485e3a1bd97d95727

Download Submit
/data/data/com.duoduo.vip.taxi/files/.TwitterSdk/cl/com.crashlytics.sdk.android/session_analytics.tap

Filesize
817B

MD5
805eb1a9ac31b3ddb831c6f594c88a81

SHA1
fcfcfda65634fb42b1571751a03796324fc62373

SHA256
e0250adedd782807ffa75aeb7c262e03122ecc73c3ca2257ef9769cdf93c8a2b

SHA512
3dfd974aac6ca6cb43e6a826e325d69f1217f90e9e89a625773cc4c20a70fa67914f722d5b24a660bd4ed011be7efea474d9d634041f353073805cf52d38a939

Download Submit
/data/data/com.duoduo.vip.taxi/files/.TwitterSdk/cl/com.crashlytics.sdk.android/session_analytics.tap

Filesize
354B

MD5
e2e1194fd498fcbb0a0c5dbb35c00de4

SHA1
92efbf32d3938239b0a96029c25939eab9990a30

SHA256
3c47853bea73c54be4ffc9562cdba88461655694c76c64ba177a0ab841004c06

SHA512
209e4fecdd691e34eb29375c724482034ce6b560a2be264c6ee158b7ca03722b2774846f7f9ae1cc54837df62c5de236892c4cf3d2a9ad75fac65ae6194a0363

Download Submit
/data/data/com.duoduo.vip.taxi/files/.TwitterSdk/cl/com.crashlytics.sdk.android/session_analytics.tap.tmp

Filesize
16B

MD5
c33583fae4e0b61cde1c5b9227963237

SHA1
fe2ebe4d27469af1460f7e852031a04208ef629b

SHA256
35c6d6e5b93657e4a741a1cec71c21813fe05aab219909ebbb0f62fb0ae648dc

SHA512
fa09047004bec791b23f0dade0b64f8ab9bbd67555505e0d0818f6e89dfe56f474df80db0786d081d36adf23a5bacea40275ba043444a3a85d3d9612575bdd1e

Download Submit
/data/data/com.duoduo.vip.taxi/files/.TwitterSdk/cl/com.crashlytics.sdk.android/session_analytics_to_send/sa_14e5ef71-c4b2-4bda-a077-a726dad9165b_1716512621348.tap

Filesize
298B

MD5
84713bfdaff8c9b24ad00d8f993a263f

SHA1
ef303b5ba106f3d3315fd1b72fad791ab4f4f2a5

SHA256
02a5a34c041f0af357cd72c303ae9ca259f4dc3cfd66cf76414bcee3ebe6c78c

SHA512
ed6184d0c5afaa52dfd7b1ba17102869034f256b803e4e8ff69616f83b7c51739441db0797fd9fdf53ec23d98b14a78bf8fcf6cd93e62debff4c49f0986c6eda

Download Submit
/data/data/com.duoduo.vip.taxi/files/.um/um_cache_1716512683880.env

Filesize
604B

MD5
d3114d6abaaecd7e62d65c5ce00363d0

SHA1
384740f3f174f5aec6e3a3358ce4d940fd0bc666

SHA256
d1dead811dd91c470241419e08dbc510c6d1287c5467b629f7ecd31584b8795f

SHA512
45cfa51efdfc94867de1277ae8691fba2c017cff940ea37c50d0f0677bf1b5d849addadfa4c5b9272e41597214efa539d6aaee9f2a9cd65b99ca4e9f04240cfd

Download Submit
/data/data/com.duoduo.vip.taxi/files/.umeng/exchangeIdentity.json

Filesize
162B

MD5
34d64a3534818982c045f7d7918d487f

SHA1
9ff4e9f33ab10f2e815a77613b063191f6fa5639

SHA256
fc3fe9a837121815542b54ef2859c4ff0ff29304162985a2c6401aa097ec66e9

SHA512
bbd5394edcae30c77bc5d4841a6a50b90a7a412d1972dce3eced3546568da07584115ce93cef8f9afcdd27f342311272fd9ff98fa529320bf3d5149e563679ed

Download Submit
/data/data/com.duoduo.vip.taxi/files/HCI_USER_INFO

Filesize
248B

MD5
80720ffcfc506015c46ddd33f9de9eb0

SHA1
c057b9b72daffc2fa908c74217d336c7bd95bd7a

SHA256
bb947196746c0b5ea302b143716d2b8e275595e108886b8cc5863924dffa4750

SHA512
778fb89cdf68af3c471fca06cdb5db6d4c9390fc35a1faf1d2c93d9d19a63b077af57f6e1525b5ca20e91a5fdf75cc5c5c1afff646a27660d5ffd3c5b5b97e0a

Download Submit
/data/data/com.duoduo.vip.taxi/files/umeng_it.cache

Filesize
310B

MD5
c242117fd003fe73790854f0a4e5b328

SHA1
fac904b7b63490a17f000f601d88e89c573208b0

SHA256
6db06ed2d9c41612bb7048c8aaf5115815085152784318a05f12d3f15b6b2ef8

SHA512
e2933732f9197d76489a0c3e4debfb4ba74fc8b02b102c35739d297eab2fe170298aab77903d04a31f816014c359889878ddcad3a8214dd672e353d7d5355073

Download Submit
/storage/emulated/0/Android/data/com.duoduo.vip.taxi/cache/locationCache/journal.tmp

Filesize
31B

MD5
8c92de9ce46d41a22f3b20f77404cc1d

SHA1
8671a6dca00edb72be47363a7071be65cf270373

SHA256
68bb33ddeed9200be85a71f70b377985f9ee68e91578afbde8321463396f1274

SHA512
30f45fe9954215d6adafcc8f0a060a7ff41963a64f9b849a37f0d18fe045038d429ec13bf15226769c4ba78dad3c52f3d9e0dbbb4fcdea4828a1efe956e48f56

Download Submit
/storage/emulated/0/Android/data/com.duoduo.vip.taxi/files/carrierdata/1716512715

Filesize
403B

MD5
10352eebcb8acfaaf2443186aa9408c8

SHA1
606143a844c3397cb620611a347a0b16823ca115

SHA256
02c87d9abaeb363dfbfca6698f63cc72090df5ef5ac54c8982a36fb0ce7a99a7

SHA512
ba902cdf81f554949fa51cbca3afd7688d089049a4198f2271925e7085e2b564bd983a270fc623a172a3d083e679ea45c1f30d4772eaf96bd4ceb502b764121a

Download Submit
/storage/emulated/0/Android/data/com.duoduo.vip.taxi/files/carrierdata/1716512715

Filesize
2KB

MD5
fe289cb8c123cd082431ecb19b91bf1f

SHA1
4fb391abe709c635465f960bc8598101a500be8e

SHA256
92d399f75778fe5aef9e47c52fcb16c4ee742a117dea62c5468d726a285048ec

SHA512
de0befb6c164def919b97f8088cee554845baa2aadf30d982c6a8a73b74432c50d8d89236511261dbb745846fb446fd2a9367f06a87af7439c336eef96810b3d

Download Submit