Analysis
-
max time kernel
21s -
max time network
185s -
platform
android_x86 -
resource
android-x86-arm-20240514-en -
resource tags
-
submitted
24-05-2024 03:14
General
-
Target
6d27839a77864dd07d1b37f58d4d11a1_JaffaCakes118.apk
-
Size
4.6MB
-
MD5
6d27839a77864dd07d1b37f58d4d11a1
-
SHA1
c89e567e48b28cdad9b77d877590a0390987e495
-
SHA256
16364a06833298982c144cb8a54e6ef80f040c80f39291de3db91e1a529a5008
-
SHA512
f264dc267f74d22b52d1586c20668552818ac0d259db2a6ee87d362c978b6337f93174f72c60b2e1880e231d28c73da8079dfd78fbe266dad1e9178d4dc4ca8a
-
SSDEEP
98304:/CHyv70Fk/wpzMMA1AJTmF/MhC3BM6UirQ25fmEY3:gk/wpzW1s/C3BCirQ25fxg
Malware Config
Signatures
-
Checks if the Android device is rooted. 1 TTPs 3 IoCs
-
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Requests cell location 2 TTPs 1 IoCs
Uses Android APIs to to get current cell location.
-
Checks CPU information 2 TTPs 1 IoCs
Checks CPU information which indicate if the system is an emulator.
-
Checks memory information 2 TTPs 2 IoCs
Checks memory information which indicate if the system is an emulator.
-
Loads dropped Dex/Jar 1 TTPs 8 IoCs
Runs executable file dropped to the device during analysis.
-
Queries information about running processes on the device 1 TTPs 2 IoCs
Application may abuse the framework's APIs to collect information about running processes on the device.
-
Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
-
Reads the content of the SMS messages. 1 TTPs 1 IoCs
-
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 2 IoCs
-
Checks if the internet connection is available 1 TTPs 2 IoCs
-
Domain associated with commercial stalkerware software, includes indicators from echap.eu.org 1 IoCs
-
Requests dangerous framework permissions 10 IoCs
-
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 2 IoCs
Processes
-
jng.jhnv.xgdg1⤵
- Checks if the Android device is rooted.
- Requests cell location
- Checks CPU information
- Checks memory information
- Loads dropped Dex/Jar
- Queries information about running processes on the device
- Queries information about the current Wi-Fi connection
- Reads the content of the SMS messages.
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Checks if the internet connection is available
- Uses Crypto APIs (Might try to encrypt user data)
-
chmod 755 /data/data/jng.jhnv.xgdg/.jiagu/libjiagu.so2⤵
-
/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/data/jng.jhnv.xgdg/.jiagu/tmp.dex --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/data/jng.jhnv.xgdg/.jiagu/oat/x86/tmp.odex --compiler-filter=quicken --class-loader-context=&2⤵
- Loads dropped Dex/Jar
-
getprop2⤵
-
jng.jhnv.xgdg:pushservice1⤵
- Checks if the Android device is rooted.
- Checks memory information
- Loads dropped Dex/Jar
- Queries information about running processes on the device
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Checks if the internet connection is available
- Uses Crypto APIs (Might try to encrypt user data)
-
/system/bin/sh -c getprop ro.miui.ui.version.name2⤵
-
getprop ro.miui.ui.version.name2⤵
-
/system/bin/sh -c getprop ro.build.version.emui2⤵
-
getprop ro.build.version.emui2⤵
-
/system/bin/sh -c getprop ro.lenovo.series2⤵
-
getprop ro.lenovo.series2⤵
-
/system/bin/sh -c getprop ro.build.nubia.rom.name2⤵
-
getprop ro.build.nubia.rom.name2⤵
-
/system/bin/sh -c getprop ro.meizu.product.model2⤵
-
getprop ro.meizu.product.model2⤵
-
/system/bin/sh -c getprop ro.build.version.opporom2⤵
-
getprop ro.build.version.opporom2⤵
-
/system/bin/sh -c getprop ro.build.fingerprint2⤵
-
getprop ro.build.fingerprint2⤵
-
/system/bin/sh -c getprop ro.board.platform2⤵
-
getprop ro.board.platform2⤵
-
/system/bin/sh -c type su2⤵
- Checks if the Android device is rooted.
Network
MITRE ATT&CK Mobile v15
Defense Evasion
Download New Code at Runtime
1Execution Guardrails
1Geofencing
1Virtualization/Sandbox Evasion
2System Checks
2Replay Monitor
Loading Replay Monitor...
Downloads
-
/data/data/jng.jhnv.xgdg/.jiagu/classes.dexFilesize
1.3MB
MD596047a5d266f4e1b8dde34ccad9d8ab8
SHA19f3da9c5479af1940039ed713ebd6e7c00d557d6
SHA2569930c5972e9376ec9ecd1ebceeb5456235dccf0cfd3b29396054d04a7b4dd039
SHA512d5a6975a548cbd27a674139973570360942165909eac69c137ee63ec1760ae59bf07533916ecb0997eebc0c668aedfae0af5db89be72d6fe01eaad411b308114
-
/data/data/jng.jhnv.xgdg/.jiagu/classes.dexFilesize
4.1MB
MD51110f9130f556217257ee33d1a5ffb02
SHA12587a3e8edef784c4eb3197bf9ccfb9fee3d69f1
SHA256dfb0b5264791d944b60f0a0ffe6510b80ae6441ae1b3d29754881aed9bf54e74
SHA512c8f4a8c2280116b76c2b2ef50454bc0960698d1b508ae2a07ecad476785272c5a8127f9829c4caa9fe18585fdfb3fa489ba7db8a27d021a38b3084a9f86a0f69
-
/data/data/jng.jhnv.xgdg/.jiagu/libjiagu.soFilesize
456KB
MD57e7125a1193cfa8a696c1b8a6d2a103e
SHA1af193df6127a47f455ebb7d5b792d2e982f4e004
SHA256707cbb7d210699b111f050a382224f04ba2dbf72ecb4ee8f420d5759b6a23681
SHA51291a62f00c2a9dc3c28348ef512ca56ab44d999e11dd806d565109159e79f25833c9141023ad639c7f5132acb8038ca0d7cc049ca2118534570d3ef1b36798b03
-
/data/data/jng.jhnv.xgdg/.jiagu/tmp.dexFilesize
84KB
MD5c13190bc28961498e63ba6f2042c33e9
SHA181b208517cae2793ff67bd748262a9dd988372e9
SHA256dd7a137ae27664f188a4f774aef27abddb254c6a4a5bf3f24ce50a67609c5486
SHA5128098d484cab591c78286cab422c4f1f4e911969d22e992b3284a47da7adc54a125282f1adcd7c7015f89efc0e7dbedfe4f7759f184069320481c15d3fbc5340b
-
/data/data/jng.jhnv.xgdg/.jiagu/tmp.dexFilesize
284B
MD5f1771b68f5f9b168b79ff59ae2daabe4
SHA10df6a835559f5c99670214a12700e7d8c28e5a42
SHA2569f8898ce35a47aeafced99ea0d17c33e73037bb2307c7688e50819966f4ae939
SHA512dae27d19727b89bec49398503baa6801640540355688dfabbe689c97545295c2c2d9b0f0dcd7cbc4cfbf701d0c0c3289e647a152f49ff242d1ecc741efe4145d
-
/data/data/jng.jhnv.xgdg/databases/bugly_db_Filesize
4KB
MD5f2b4b0190b9f384ca885f0c8c9b14700
SHA1934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA2560a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1
-
/data/data/jng.jhnv.xgdg/databases/bugly_db_-journalFilesize
512B
MD52fc42b4aefef07b0bcf738ffe76f6085
SHA106d24b7bc8359387cf23e4f0e94706e7872ed695
SHA25603a6f823ce3350675a1ea70e4822cc632bfbb6157b9c73c7cb466f7d0b8b4a06
SHA51241f994573d3c7dc0e02dff83f2776cb0ec953146414efa5294d7769a581467c455dd57c138bca449f7516702791386dd21dcf1a352f9ebf44f77b7ff6a82e23a
-
/data/data/jng.jhnv.xgdg/databases/bugly_db_-shmFilesize
32KB
MD5bb7df04e1b0a2570657527a7e108ae23
SHA15188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012
-
/data/data/jng.jhnv.xgdg/databases/bugly_db_-walFilesize
60KB
MD5433a2a067761f03fe38fb8b86a3f2715
SHA1936598099655bd34917bf36b5ee2cc79d0ee0864
SHA2562333ca688f9b37a2cd099ad8dd82ba728441d2dab6ebb9993411e82d2b549f9e
SHA512c77292654eecb14db443c23408324b8812ed4cdae1eac40396df29b44fdef2d0684bb09e2356244e565bb90f6f2eaf60923149d269510e50b77834da9a51e2aa
-
/data/data/jng.jhnv.xgdg/files/.jglogs/.jg.acFilesize
32B
MD5bc26c2a8a69991c367b4c5f9e2217cbd
SHA11240f88ec48e069c8b5a8be7630d73f2e1fa2016
SHA256062b7d389ada7907e2ddd88c7b834e06d222ce4f745b78bad3f75db457f9c97e
SHA51276857428d7e7b432b9baf717351805684b94cce2e2e8eabe416b82cb9467e77a6a886a079585f475116987799a740df5b86a39990d8b7def2835fd9f0c474962
-
/data/data/jng.jhnv.xgdg/files/.jglogs/.jg.diFilesize
340B
MD560cbbc40695d5e129f6fd80cfdd9c671
SHA1b25024c49346cacd25c868e964c56228dbc072a4
SHA25649f44b94c5d576ae8ddb7b50f0b6f20b5241c408311fb7f0602d9fc2f5fa849d
SHA5125665f733bfebff8f80f3571bd8e039d46e9b7a097f7e1a4c26bb7fbc72cd2b804a987ac5c8d3cde8fea764c0502a83fa260fd858b4489f35025c3f075f838909
-
/data/data/jng.jhnv.xgdg/files/.jglogs/.jg.icFilesize
32B
MD5f030f5ad2ca3c34e88674c83ff6723fb
SHA1c464ef5978721dc3ebdc5c00b5cda68387f6963c
SHA256619b5987d3b0f6e8fba168d84d930c6487f250178be08c859abba2fceff8101f
SHA5127f915589cf67e11018604027482a73127da95c655cca37a2b41008d59af4201bde9b9b4fc9aa2e29fe551cd7cc6ab749a61e8243666b6cc5bbf4d44c546e69b3
-
/data/data/jng.jhnv.xgdg/files/.jglogs/.jg.riFilesize
314B
MD58895836d379ee56fb7ff66b89de0fe75
SHA138fd783d519639cefa47497b3d5e86fa5a6c3db5
SHA256e037c81b4b8457fa6b501e950e60509410e296bf5eb9bc0c4ed127162863ced0
SHA512a6fa94c239eab5e5e137d037dc4b7dec024ac34764b5f8d762365436eaf585bfd059426b983525fa73b824d6ea632e071705fab9a5e2d52ab43713b32f775379
-
/data/data/jng.jhnv.xgdg/files/.jiagu.lockFilesize
27B
MD54a6ebe6a1278d56c4e22e68685ccbc76
SHA17ea0f6dde589c171da4779c905b392af16e72630
SHA256beef2f9ae840184cd42b9e500e0e0081c0ea1a28312f0ae875aeb21b28a96088
SHA512c5fc92692514e9c5e21f3b972d09c5ace3d4fc9c487bde79bb2456d5f92281319fe4433d6bc809548d9843ab79fbfd352beaa24fcb1d0843820cff2a5bb8f268
-
/data/data/jng.jhnv.xgdg/files/Plugin2.apkFilesize
96KB
MD5cecd3872a89699f8a52c04b36770ac28
SHA10825677ccb088f8eb59390d3d5c54d29b00a5fbb
SHA25661b4ea846f922634ddfbbd46369b23b8560780fae62db1b0ae90aceb4a976831
SHA5127be6809effa982bbab73df9f2ead279821ac7b2f52e52f5272fdd9fcafdc592ab76251e782cd964974a67f54fef6ca6bba191f2af10c811223650d710cd4c95c
-
/data/data/jng.jhnv.xgdg/files/umeng_it.cacheFilesize
310B
MD52452ca20e46ab827844bb5cecce2fb8e
SHA1690696065c35a9ea9cae8234389752a28483ff2c
SHA256d7083b502466e41674a811bac965d1990cc51d3eb8ec6e0ffa59018adfb61250
SHA512fe2de23bcefc0cc4684197daf377a6abdbf6dc90611541b94a217452307a609642e2eae7bd559d1558ed75ea9ddab9da9597af66d3f24e9e76124fdaf0e6974a
-
/data/user/0/jng.jhnv.xgdg/files/Plugin2.apkFilesize
205KB
MD5e5c8a0f8021064ef97edff3a0aa821d3
SHA1c92a2f236bbd2230b7bb5f83037ab16ff2df7a47
SHA25672b339c0bbf45a6a16d9228cbf65d6efcf4cfd203b86d5d02b7e0a3a9a516bf7
SHA512514b502b5ad6bf092c9d7ab7594667e431f1f308509660bcd48440a487c2e26af375791611e9289bcf3c66cc74a7c7ef1fe773cf5b8fe1fc484197e0ad11ec8e
-
/storage/emulated/0/360/.deviceIdFilesize
48B
MD51d8d16c4e3b19ebf18988530d9b9a757
SHA1bc94c1cce05cd848a53271ecb9c5311e27ffebf5
SHA256abd87140da8de3d0aa39a24a8d52bfe7b2eb28f7a3d505f205471c7e8f4964d7
SHA5124562d1eedbc5c2dd7f25cd1c70343053fd451026403585182b142a64f17016c1bd0bf6ad51667b439b220e425640e55fbbda08517e7106376cdc220a4555da82
-
/storage/emulated/0/360/.iddataFilesize
32B
MD549f8db0fcca5f8bd53511890aa906705
SHA1e4ced0f3c0e56127b52a748357b4e637a2bc342a
SHA25699c294328c1a873bee8d1e313854881c40442dee23e1d79d30bd3dc57e53374b
SHA512c28819a86f1cbf344355aa23221c925139a12cb4c74262bb31aeafbabb86d070af3f8ce9396c1efc883d853df96378b20122ef61fe40f87324260b6532059641