0e779b2aff1137aa69764ddbe256fc55d49fa780e44c5aeafb48447ee58c83f7

Analysis

max time kernel
7s
max time network
131s
platform
android_x86
resource
android-x86-arm-20240514-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20240514-enlocale:en-usos:android-9-x86system
submitted
24-05-2024 09:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6e1cc2cb214d8548a5f545d36ad336f2_JaffaCakes118.apk
Size

30.4MB
MD5

6e1cc2cb214d8548a5f545d36ad336f2
SHA1

3d53cb927de9dc067c0e98b1ed0746d9aa8a0842
SHA256

0e779b2aff1137aa69764ddbe256fc55d49fa780e44c5aeafb48447ee58c83f7
SHA512

5afde4f0e9de90eb4f60600ef532442e1d80bbb07a3139aaec583c678064b477450eb107a659e592ec72c533bfa2f064d574c0fa3c2ed176382f40e514b2e343
SSDEEP

786432:RWuHTm7X4Tk7XUQJq7xfKy2jOkLGbN6Q7NiDxB:RWcTmDAk7EfKj6RNH7NiH

Score

7^/10

discovery evasion persistence

Malware Config

Signatures

Loads dropped Dex/Jar 1 TTPs 5 IoCs

Runs executable file dropped to the device during analysis.

evasion

T1407

Processes:

com.ants.avatar/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/data/com.ants.avatar/.jiagu/tmp.dex --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/data/com.ants.avatar/.jiagu/oat/x86/tmp.odex --compiler-filter=quicken --class-loader-context=&

ioc	pid	process
/data/data/com.ants.avatar/.jiagu/classes.dex	4277	com.ants.avatar
/data/data/com.ants.avatar/.jiagu/classes.dex!classes2.dex	4277	com.ants.avatar
/data/data/com.ants.avatar/.jiagu/tmp.dex	4277	com.ants.avatar
/data/data/com.ants.avatar/.jiagu/tmp.dex	4277	com.ants.avatar
/data/data/com.ants.avatar/.jiagu/tmp.dex	4342	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/data/com.ants.avatar/.jiagu/tmp.dex --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/data/com.ants.avatar/.jiagu/oat/x86/tmp.odex --compiler-filter=quicken --class-loader-context=&

Queries information about running processes on the device 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about running processes on the device.
discovery

T1424

Processes:

com.ants.avatar

description ioc process

Framework service call android.app.IActivityManager.getRunningAppProcesses com.ants.avatar
Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
discovery

T1421

Processes:

com.ants.avatar

description ioc process

Framework service call android.net.wifi.IWifiManager.getConnectionInfo com.ants.avatar
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

T1422
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
persistence

T1624.001

Processes:

com.ants.avatar

description ioc process

Framework service call android.app.IActivityManager.registerReceiver com.ants.avatar
Checks if the internet connection is available 1 TTPs 1 IoCs
discovery

T1421

Processes:

com.ants.avatar

description ioc process

Framework service call android.net.IConnectivityManager.getActiveNetworkInfo com.ants.avatar

description	ioc	process
Framework service call	android.app.IActivityManager.getRunningAppProcesses	com.ants.avatar

description	ioc	process
Framework service call	android.net.wifi.IWifiManager.getConnectionInfo	com.ants.avatar

description	ioc	process
Framework service call	android.app.IActivityManager.registerReceiver	com.ants.avatar

description	ioc	process
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.ants.avatar

com.ants.avatar
1⤵
- Loads dropped Dex/Jar
- Queries information about running processes on the device
- Queries information about the current Wi-Fi connection
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Checks if the internet connection is available
PID:4277

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/data/com.ants.avatar/.jiagu/tmp.dex --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/data/com.ants.avatar/.jiagu/oat/x86/tmp.odex --compiler-filter=quicken --class-loader-context=&
2⤵
- Loads dropped Dex/Jar
PID:4342

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.ants.avatar/.jiagu/classes.dex
Filesize
6.1MB

MD5
02de7dfdfdb1558d61c7d83e99955970

SHA1
c211b763bbae2b209dc7232b25ce99f24c7c7a1b

SHA256
640c0588fe36220c6bc61632e485006d45ca3bf93a626bd8e9ee5233460e22c0

SHA512
7c4624744dd52866f3f92350832728b4b8876f4c9c94b91866a860893ec047cf7f680daaa7cbbd7360bc594cb0a14de5f666903a9441032bf48b14dc642132b0

Download Submit
/data/data/com.ants.avatar/.jiagu/classes.dex!classes2.dex
Filesize
5.1MB

MD5
4f8c9e09d5dbae9935bd17bb0d52aeff

SHA1
b76a105b200225600950b3f39668c9c2831c7d79

SHA256
539ccd79e00eabea802691492d54c7a95616ca1d848427ab772466830963170e

SHA512
fdb3e02fca389cc0ed1beaf4535ffe5f2fb400df893c57345bf45e523b47a0fc8a1fe226ca6aff1db2eead08315708bae629863619c3ccbf2236aa23067e2c28

Download Submit
/data/data/com.ants.avatar/.jiagu/libjiagu.so
Filesize
475KB

MD5
5aea02f4e4c77fbf2e7a27f7ca9cc06b

SHA1
522db1748608e9173547b29b7aa82ddc3542c534

SHA256
5a1c513b347e2a929769e2be67552c1d591704f08f7b5590282b66cc2c7d7bd2

SHA512
5c979a11f5e896829db906f533756efc1cf3c5a7e35ecc9e376a0aae818f2dada013441649feac2e188bd51affbbf35156e32fdc6552e185bddbc547f3850316

Download Submit
/data/data/com.ants.avatar/.jiagu/tmp.dex
Filesize
284B

MD5
f1771b68f5f9b168b79ff59ae2daabe4

SHA1
0df6a835559f5c99670214a12700e7d8c28e5a42

SHA256
9f8898ce35a47aeafced99ea0d17c33e73037bb2307c7688e50819966f4ae939

SHA512
dae27d19727b89bec49398503baa6801640540355688dfabbe689c97545295c2c2d9b0f0dcd7cbc4cfbf701d0c0c3289e647a152f49ff242d1ecc741efe4145d

Download Submit
/data/data/com.ants.avatar/files/.jglogs/.jg.ac
Filesize
32B

MD5
0bcadf7843765a7cecdfbf4a47a82a5b

SHA1
0d2553d486a58cf9c673748d3da61207fbd482e8

SHA256
80fc9d0de6bbc75a5586074195b02ca5561398abbca7a890c2ba87ea2050c786

SHA512
e64dcabe2823cdae991d96fede98da578c31fe003b055472425ba80ddc58ac3b1312f400eef6cba670ef1ba84d5a7f6f3d898949afd8990c25798f77dbd30714

Download Submit
/data/data/com.ants.avatar/files/.jglogs/.jg.ic
Filesize
32B

MD5
aa65acd1f38bff4a9add09a7bd770e36

SHA1
b28ee720c401ed76d0d8bbcb7fdf2a1c8081b435

SHA256
3a6248b328bf32eb71b6708feef5394d3ea6bae3131bb35689aa744a08623293

SHA512
3346d0f209c6b245a2161eeb15a0dcaac08ad0fda5022d98faabd8df9370f68ca2653d3ecfe700b6b462c5d84790df52f419d69d3658c1d54de5a6f7143a3e7d

Download Submit
/data/data/com.ants.avatar/files/.jglogs/.jg.rd
Filesize
73B

MD5
db05297fb8202204e36e75858fc0ca9c

SHA1
b77b4461d37b2617f332c111cb69444abca4b1c6

SHA256
e97f9ab3c7227d9a170fb84f015b28898626d87ab1d53ed94831a79d88fad797

SHA512
e655b639fcc6dc53a1725300cbaa1b594bc01587be856d9fc0cbddfaf0ba943f864009eeb462ffd936f39790c8e3f08923a0881204b6f7a7801e296a2f8b31ac

Download Submit
/data/data/com.ants.avatar/files/.jglogs/.jg.ri
Filesize
307B

MD5
2cf008e9562cba75f2d0cee51f65eea0

SHA1
78aa6bf9f1e1d8c875e01b7cedc52fe5319871c8

SHA256
7e64966c95fb0e67aec982117f0c7097be146538880c1e78e6efa4a6a884900e

SHA512
7e11d4c29a85dd356e85d7d1781deb79b7234df61ada6351835859efaf381e3f254c0cf2913558c870c5b5c3502105640212eba3ccc1720c22a98af93ab1d239

Download Submit
/data/data/com.ants.avatar/files/.jglogs/.jg.ri
Filesize
314B

MD5
b4424beb5e84b8061fa103042a6f0605

SHA1
b2a027220f8ca3f7966f7db735b3a6005fe60e00

SHA256
94edc6ff8ed58a58315e6d34506ceb2e6080ad0edf13d545c8412bc4b29d43fd

SHA512
67bd8df6f0f7d489079ac5230b980519a25eafbde9a75324b8eb345b2cb4c7dfcc673ab5eee8e0c27cab79261d4916310e54619e74f96a7fab4c5a6ffa88853e

Download Submit
/data/data/com.ants.avatar/files/.jglogs/.jg.store.report_pid
Filesize
32B

MD5
c7cfcfa9c6701a3eba7a5fac15585e81

SHA1
f6cafe4cea6b6ec6e48a568884df9335839dbecc

SHA256
6fce4676e31747c5e33b9d9882051afb731bcce36a3b438ed510948ce60dcb25

SHA512
e6e7af440f698f8cd4904d6f564fbd4d8cd8f166b03d33fa750800637576fd499b147c05573e04994a5899782b0c2043c4b00679e98fdc005e132e3afc1d53a0

Download Submit
/data/data/com.ants.avatar/files/.jiagu.lock
Filesize
27B

MD5
f191fbccc5f01524a634cc074f37e47b

SHA1
236414ff870a61b2f936170d9ff3e743e5c3cc06

SHA256
2f33b9a72dbff60807f98086d20b9db1aa16aacc6380b15816a3e3ed8d745662

SHA512
dcc2bd5773e88fc644c3409925f21bb63f039932e7c0f29fc91f3f04324728ee2f3f979faf7954700d830e07c19277e9e78a13c653ad0985eded59213c656f2a

Download Submit