55035f4bb41653c94b75d256176bde55dcdb543dc73df7b329a436d5ff7500ee

Analysis

max time kernel
179s
max time network
186s
platform
android_x86
resource
android-x86-arm-20240514-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20240514-enlocale:en-usos:android-9-x86system
submitted
24-05-2024 02:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6d12a0ba5958ef60908946d1c9687fe6_JaffaCakes118.apk
Size

30.8MB
MD5

6d12a0ba5958ef60908946d1c9687fe6
SHA1

ea745933444cedc6aab302296e58e8268021f038
SHA256

55035f4bb41653c94b75d256176bde55dcdb543dc73df7b329a436d5ff7500ee
SHA512

ffe3999f80b53769b56c148e8697a030ca3cca167af892c7ba33b0e7191f0a4a440ee86828deab9148cf83eaaff0bf624e6321815e20e2f04e4c4d9baf919dcd
SSDEEP

786432:C+HOYbTV6A7GlFTUb4QU8Tw/sat1+T9+2ZV:pHOYXeFTQU8Sz+p+M

Score

8^/10

collection discovery evasion impact persistence

Malware Config

Signatures

Checks if the Android device is rooted. 1 TTPs 4 IoCs

evasion

System Information Discovery

T1426

Processes:

com.ynxhs.dznews.wenshan.funing:pushservice/system/bin/sh -c type sucom.ynxhs.dznews.wenshan.funing:remote/system/bin/sh -c type su

ioc	process
/system/app/Superuser.apk	com.ynxhs.dznews.wenshan.funing:pushservice
/sbin/su	/system/bin/sh -c type su
/system/app/Superuser.apk	com.ynxhs.dznews.wenshan.funing:remote
/sbin/su	/system/bin/sh -c type su

Requests cell location 2 TTPs 4 IoCs

Uses Android APIs to to get current cell location.

collection discovery evasion

Location Tracking

T1430

Geofencing

T1627.001

Processes:

com.ynxhs.dznews.wenshan.funing:pushservicecom.ynxhs.dznews.wenshan.funingcom.ynxhs.dznews.wenshan.funing:remote

description	ioc	process
Framework service call	com.android.internal.telephony.ITelephony.getCellLocation	com.ynxhs.dznews.wenshan.funing:pushservice
Framework service call	com.android.internal.telephony.ITelephony.getCellLocation	com.ynxhs.dznews.wenshan.funing
Framework service call	com.android.internal.telephony.ITelephony.getCellLocation	com.ynxhs.dznews.wenshan.funing:remote
Framework service call	com.android.internal.telephony.ITelephony.getAllCellInfo	com.ynxhs.dznews.wenshan.funing:remote

Checks memory information 2 TTPs 2 IoCs

Checks memory information which indicate if the system is an emulator.

evasion discovery

System Checks

T1633.001

System Information Discovery

T1426

Processes:

com.ynxhs.dznews.wenshan.funing:pushservicecom.ynxhs.dznews.wenshan.funing:remote

description	ioc	process
File opened for read	/proc/meminfo	com.ynxhs.dznews.wenshan.funing:pushservice
File opened for read	/proc/meminfo	com.ynxhs.dznews.wenshan.funing:remote

Queries information about running processes on the device 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about running processes on the device.
discovery

Process Discovery
T1424

Processes:

com.ynxhs.dznews.wenshan.funing:remote

description ioc process

Framework service call android.app.IActivityManager.getRunningAppProcesses com.ynxhs.dznews.wenshan.funing:remote

description	ioc	process
Framework service call	android.app.IActivityManager.getRunningAppProcesses	com.ynxhs.dznews.wenshan.funing:remote

Queries information about the current Wi-Fi connection 1 TTPs 3 IoCs

Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

discovery

System Network Connections Discovery

T1421

Processes:

com.ynxhs.dznews.wenshan.funing:remotecom.ynxhs.dznews.wenshan.funing:pushservicecom.ynxhs.dznews.wenshan.funing

description	ioc	process
Framework service call	android.net.wifi.IWifiManager.getConnectionInfo	com.ynxhs.dznews.wenshan.funing:remote
Framework service call	android.net.wifi.IWifiManager.getConnectionInfo	com.ynxhs.dznews.wenshan.funing:pushservice
Framework service call	android.net.wifi.IWifiManager.getConnectionInfo	com.ynxhs.dznews.wenshan.funing

Queries information about the current nearby Wi-Fi networks 1 TTPs 3 IoCs

Application may abuse the framework's APIs to collect information about the current nearby Wi-Fi networks.

discovery

System Network Connections Discovery

T1421

Processes:

com.ynxhs.dznews.wenshan.funing:pushservicecom.ynxhs.dznews.wenshan.funingcom.ynxhs.dznews.wenshan.funing:remote

description	ioc	process
Framework service call	android.net.wifi.IWifiManager.getScanResults	com.ynxhs.dznews.wenshan.funing:pushservice
Framework service call	android.net.wifi.IWifiManager.getScanResults	com.ynxhs.dznews.wenshan.funing
Framework service call	android.net.wifi.IWifiManager.getScanResults	com.ynxhs.dznews.wenshan.funing:remote

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 3 IoCs

persistence

Broadcast Receivers

T1624.001

Processes:

com.ynxhs.dznews.wenshan.funingcom.ynxhs.dznews.wenshan.funing:pushservicecom.ynxhs.dznews.wenshan.funing:remote

description	ioc	process
Framework service call	android.app.IActivityManager.registerReceiver	com.ynxhs.dznews.wenshan.funing
Framework service call	android.app.IActivityManager.registerReceiver	com.ynxhs.dznews.wenshan.funing:pushservice
Framework service call	android.app.IActivityManager.registerReceiver	com.ynxhs.dznews.wenshan.funing:remote

Checks if the internet connection is available 1 TTPs 3 IoCs

discovery

System Network Connections Discovery

T1421

Processes:

com.ynxhs.dznews.wenshan.funing:pushservicecom.ynxhs.dznews.wenshan.funingcom.ynxhs.dznews.wenshan.funing:remote

description	ioc	process
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.ynxhs.dznews.wenshan.funing:pushservice
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.ynxhs.dznews.wenshan.funing
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.ynxhs.dznews.wenshan.funing:remote

Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422
Listens for changes in the sensor environment (might be used to detect emulation) 1 TTPs 1 IoCs
evasion

User Evasion
T1628.002

Processes:

com.ynxhs.dznews.wenshan.funing:remote

description ioc process

Framework API call android.hardware.SensorManager.registerListener com.ynxhs.dznews.wenshan.funing:remote

description	ioc	process
Framework API call	android.hardware.SensorManager.registerListener	com.ynxhs.dznews.wenshan.funing:remote

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 3 IoCs

impact

Data Encrypted for Impact

T1471

Processes:

com.ynxhs.dznews.wenshan.funing:pushservicecom.ynxhs.dznews.wenshan.funingcom.ynxhs.dznews.wenshan.funing:remote

description	ioc	process
Framework API call	javax.crypto.Cipher.doFinal	com.ynxhs.dznews.wenshan.funing:pushservice
Framework API call	javax.crypto.Cipher.doFinal	com.ynxhs.dznews.wenshan.funing
Framework API call	javax.crypto.Cipher.doFinal	com.ynxhs.dznews.wenshan.funing:remote

com.ynxhs.dznews.wenshan.funing
1⤵
- Requests cell location
- Queries information about the current Wi-Fi connection
- Queries information about the current nearby Wi-Fi networks
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Checks if the internet connection is available
- Uses Crypto APIs (Might try to encrypt user data)
PID:4331

com.ynxhs.dznews.wenshan.funing:pushservice
1⤵
- Checks if the Android device is rooted.
- Requests cell location
- Checks memory information
- Queries information about the current Wi-Fi connection
- Queries information about the current nearby Wi-Fi networks
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Checks if the internet connection is available
- Uses Crypto APIs (Might try to encrypt user data)
PID:4364

/system/bin/sh -c getprop
2⤵
PID:4402

getprop
2⤵
PID:4402

/system/bin/sh -c type su
2⤵
- Checks if the Android device is rooted.
PID:4479

com.ynxhs.dznews.wenshan.funing:remote
1⤵
- Checks if the Android device is rooted.
- Requests cell location
- Checks memory information
- Queries information about running processes on the device
- Queries information about the current Wi-Fi connection
- Queries information about the current nearby Wi-Fi networks
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Checks if the internet connection is available
- Listens for changes in the sensor environment (might be used to detect emulation)
- Uses Crypto APIs (Might try to encrypt user data)
PID:4434

/system/bin/sh -c getprop
2⤵
PID:4505

getprop
2⤵
PID:4505

/system/bin/sh -c type su
2⤵
- Checks if the Android device is rooted.
PID:4607

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Privilege Escalation

Defense Evasion

Execution Guardrails

T1627

Geofencing

T1627.001

Hide Artifacts

T1628

User Evasion

T1628.002

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Discovery

Location Tracking

T1430

Process Discovery

T1424

System Information Discovery

T1426

System Network Configuration Discovery

T1422

System Network Connections Discovery

T1421

Lateral Movement

Collection

Location Tracking

T1430

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.ynxhs.dznews.wenshan.funing/app_crashrecord/1004
Filesize
240B

MD5
f76a2738d9ee1241e509de05854a6b38

SHA1
094fbb47d66bf47496c5f7df562e321bc7c472d6

SHA256
6dfafc68f317c60df2e3ec5d419d070e608b3042af11c7817796f2ec783a4192

SHA512
4e2bd230df21f8cc383bc8c98a15bee52f6c56b06817c3ffe776cb543a68b1d25e0dd1324ed46f83fda2641553950b96308651196716e3f938ef554a58d97ed4

Download Submit
/data/data/com.ynxhs.dznews.wenshan.funing/app_crashrecord/1004
Filesize
84KB

MD5
93985929eaa6d8b39896c1e580c0b09b

SHA1
9267d8ead42bf302abcf80071fd0cc861959ec6d

SHA256
0ae0346c47a6255ab2b9a2f77470558206125c3c050fddb66e20907b711c861a

SHA512
c0f95be11a40b4dd8456537add370c3afc7d1b5aebb160d9149772c0fcecbbcd5d6fb6533e7464ebcf161b7fc525b4b9ae8ad400478126a0f62ce222ec474b99

Download Submit
/data/data/com.ynxhs.dznews.wenshan.funing/databases/bugly_db_
Filesize
92KB

MD5
2181f7d032381a15d83a281b40967ee9

SHA1
d2ee6382152ae20da1f5cb741cf70399b5e2d269

SHA256
f9a7a042df1b129a2c33cdb7318c3773574067d22cb5a6ea10752ff8381540aa

SHA512
7db210d6c592f722ae12fc18421129819c058ba165d25627ea3c6217a02560f67e4bf4cfc4fcf5a04b905951ad03a2a415107745d70253c37876d5411f385697

Download Submit
/data/data/com.ynxhs.dznews.wenshan.funing/databases/bugly_db_-journal
Filesize
512B

MD5
4ff9feea07afa1dc503b081c2412bc67

SHA1
545d7b874500416cc7e7e705bbdb0881efc4780d

SHA256
62dff12a5d06ae611e66a6c54c046f754916d49a5fbcf8245592486e420a895c

SHA512
ac38fb0fef05f687c0d060de718034c9566cba35b130d62fa910d518f9eff9fc4060b10a93e0719b6ad2e2f0c9c58a5a5a2f4460b4c6db8f5c1e50861fcb32ce

Download Submit
/data/data/com.ynxhs.dznews.wenshan.funing/databases/bugly_db_-shm
Filesize
32KB

MD5
4e8994d4beda752e9d28c1d44f678185

SHA1
c358a00bc95882ef1d86ae8eceb90cc81a69ebae

SHA256
b8930c6adcfbcb867f6b5217c15eaa296c8f685e4273919b87994cc42a016611

SHA512
e19af09d8031e1a224e6da57bac1105a3987c59e06d9c81f8d6a1a18311b083fe525426cb96dc2f87632c8cbe3d18cd46e239bc7d548ada5126aeb0008ea0263

Download Submit
/data/data/com.ynxhs.dznews.wenshan.funing/databases/bugly_db_-wal
Filesize
80KB

MD5
49982e707648d231d45440f5e2f72697

SHA1
763740051ac60bd12711211048abada05d105538

SHA256
819dbaa049bd7f311537bef4716d1ae991161e7d28dfa4efbdb837152a189ff4

SHA512
65344dfdbb9ef977d6d8325fa55fc4fd2c65ea28cc69ae8d91a63adb7c1e275686919d1dc3bcb916f86f5a49203e7558b2ce42368bd9890699344600a532bae6

Download Submit
/data/data/com.ynxhs.dznews.wenshan.funing/databases/dznews2_wenshan_funing.db
Filesize
24KB

MD5
b876092ff49038dfd83e6d77f9d322cd

SHA1
13e920aa7b019a46c0378211770b46c96d008109

SHA256
33b1de0981153cffed59ce474a8a16d51decff027e7ad851f737dbcfe2dc0f52

SHA512
dc431b0d7c8d5f786b632cd305b70f9e8575f22e224ca927385bd2451cf319ac2567add1fee6bf8707259a1ba96b24b5a0c1933e18d2f9dbbb04c90ac61da937

Download Submit
/data/data/com.ynxhs.dznews.wenshan.funing/databases/dznews2_wenshan_funing.db
Filesize
36KB

MD5
82aba2d427f63af05eb3c3c0682a7f8b

SHA1
a9307781219f84687bc4578037ad3b11f12f3132

SHA256
e15dda3058f439a41bbe7ac89b8018d3b40933fa760bc3e6c20ea2294bf4ccba

SHA512
f2f0de4df31446b0a656967c5bda350772532ac4dc318be9b384258763e467798207949a4d8db16d47a0c2297c9a2f650c413dc73fd1aee05e3cda7165a4f850

Download Submit
/data/data/com.ynxhs.dznews.wenshan.funing/databases/dznews2_wenshan_funing.db
Filesize
40KB

MD5
9092f116349504a93bf24ad216956a8c

SHA1
9b8d0b8356d72425ce55eb430bdc9c9d97f67824

SHA256
bb717dd6ae8bc2e722b06efd9a72fcb4c202fc9291febd20fe65558120058487

SHA512
0737e5b359d5181fa666dec030bca71c087f602232be79126d9d405957d43bc40c35ab34882164fea924a9d07909ef226a79b399e155ad06c00cb646220ef351

Download Submit
/data/data/com.ynxhs.dznews.wenshan.funing/databases/dznews2_wenshan_funing.db
Filesize
48KB

MD5
ea04d3f4c66f4f554cb961591826518a

SHA1
5b7ace9ebb17d1f0044e19b1d6d25377c08cbb84

SHA256
b2eddf9d02c61bf9fb4a4741b462f1ba3332c84f16c7e2d10fbb440135fa79a7

SHA512
4e51a02cd46090894ddfbd6efa526c65a0059e752f1a1c5b536ee1eed91d73ee9fc672b1077648cdc96a3bcfc0daacbbb71ab72be341170bcd77bde42c27833f

Download Submit
/data/data/com.ynxhs.dznews.wenshan.funing/databases/dznews2_wenshan_funing.db
Filesize
16KB

MD5
f2f16578d0be8afbc73fc2be66c3b2a5

SHA1
3d16af57dc723d9bf90e7f8b08e1dc9d06a7c845

SHA256
13f65dbc4c5063377165e02a6e4ece5061017e947f07e8279b004c205bb64c4b

SHA512
9c3e1bad5c9ccb0ea5bf5c15d753516ffedbad0254610f21674919b3b1f99b42983c6e6acdd61f628723bb406b26fce81c2d3a67ea8ecd1040f0894a5bb00500

Download Submit
/data/data/com.ynxhs.dznews.wenshan.funing/databases/dznews2_wenshan_funing.db-journal
Filesize
4KB

MD5
f2b4b0190b9f384ca885f0c8c9b14700

SHA1
934ff2646757b5b6e7f20f6a0aa76c7f995d9361

SHA256
0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

SHA512
ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

Download Submit
/data/data/com.ynxhs.dznews.wenshan.funing/databases/dznews2_wenshan_funing.db-shm
Filesize
32KB

MD5
f92165d08c95f1728878cea2a607af2f

SHA1
19b136d6dfabb1bef629d49118c2da8e6836e3f9

SHA256
1913923d2ed5938829525b6b87f84d2ccff537032033df33a405307b8855d290

SHA512
5bfbd8bd2bc49e525e15a1093c4c75558b8ea38c45632b25477888f39c45e78104e48d2fc2cefd514703429aab946835315e12f5d26ebfc019e62a15cc62437b

Download Submit
/data/data/com.ynxhs.dznews.wenshan.funing/databases/dznews2_wenshan_funing.db-wal
Filesize
189KB

MD5
b1237379c37cdb29ca3b446e9d0843e1

SHA1
e4d3ceb4a5681c226fa7906eec082680613babc4

SHA256
3978051233068cc316c2f3b8cf447762d3478334646f698b69e3deae6fc6ab10

SHA512
6832216166d78b04b0923ca901debf5c7616594030c0147bb76c81b9f3b777b98b6af7b524c54722efc5208825114db91c81ad55abd1f51aab3828fc20cc8b27

Download Submit
/data/data/com.ynxhs.dznews.wenshan.funing/databases/dznews2_wenshan_funing.db-wal
Filesize
20KB

MD5
7ed1c2224b9a27b404019ee4658a7fe2

SHA1
a87399aaed26e02e8b704561fdf5dfa234b229b1

SHA256
4ad2caf09e1b53ac1df11e451c78597b925f5210605487886a5873abe1000f4e

SHA512
7064b5dd6fb0649f638cd3ab04636584e15f83c86556f2c8c582d9268c639945c70f2be094aa510886a0b8c56ee3a8ac053f66e3df2a7280b87156dfb3ccafca

Download Submit
/data/data/com.ynxhs.dznews.wenshan.funing/databases/dznews2_wenshan_funing.db-wal
Filesize
20KB

MD5
dfdcb37484c23da90cbe6901e182629f

SHA1
b79da35a9d2121a786cdc474bbe268fbcf0c8ffa

SHA256
7b54cb7c38c0cdd0e19a877d448cbd21cc766c45a32c8ed479378d2d0909a240

SHA512
7b19f9a4afa03c328643c22715d015e230dcf21f3afa4791b606cb43310d7e7b680eeaa9f3a5e119c097c1e55a575d19f93a8e6a76eefdbe5bd1f41d130ff2c1

Download Submit
/data/data/com.ynxhs.dznews.wenshan.funing/databases/dznews2_wenshan_funing.db-wal
Filesize
20KB

MD5
1f6328b43b67c11a32bf741b2c664c56

SHA1
2159e404b486044991061794ec9b09d668593a82

SHA256
949a30410301684e40ce2c319428d98e2677d997cf21b5e9347d2149ad25a496

SHA512
c4341462688ccce4e10638f450c0b4b57fcfacbda3c36bb17318d427ed553ebc7cec4a0fab7028294e4a3671a0c1416b2c059b0ba35a496ffdf2dac13354a1b4

Download Submit
/data/data/com.ynxhs.dznews.wenshan.funing/databases/dznews2_wenshan_funing.db-wal
Filesize
32KB

MD5
aff8828adfc882f1b74170334548b7a5

SHA1
1f2f1256f44a01d1f516d26df85bfda1cbc720de

SHA256
24e4afe50ad8019312e35b32575781dc62c646de2a48f2f030bb57b92d974111

SHA512
f0f3cb9f731e05dede5ee32661c33c1ac8ccdfe4d429a9258cea3118764a8aa8d6232bfda83af598537d10e1f7c42d794135d805ccc71a4b84bca1bdefaa0581

Download Submit
/data/data/com.ynxhs.dznews.wenshan.funing/databases/pushsdk.db-shm
Filesize
32KB

MD5
233b984f25233c8731d7916f9b30bde5

SHA1
87e7619b4a7c4cc5379120f6fa340c78a88be7fb

SHA256
b018ed350b0484d2bb355d162d0610e00ed4fe5f488734fe19a1c00e94437cec

SHA512
d85877255adadc74cc32dc902b666c172d8cfe849084fd2f709c77a28f4f6b61920c5380f52c886f02a2d1387d40909b6055df37127dee9f650f6cdc3d463b2b

Download Submit
/storage/emulated/0/backups/.SystemConfig/.cuid2
Filesize
12KB

MD5
548717770db397bf94b163bf65d16e18

SHA1
7d6cf331330a852bdc234a4a30ded9088640a7c4

SHA256
8acbb12e4ad5a49c9468cbdc07c92a899759d454acdd60f2e0d95adb4c022a7c

SHA512
722f67ac5632054540cbabfa9627a3489d38a4e2a754102f8dc066a1674a040a75f0afea405341f20ed15d6114a5ba0ff229ba23361b3bb4a227807bc120b16c

Download Submit