0e779b2aff1137aa69764ddbe256fc55d49fa780e44c5aeafb48447ee58c83f7

Analysis

max time kernel
7s
max time network
131s
platform
android_x86
resource
android-x86-arm-20240514-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20240514-enlocale:en-usos:android-9-x86system
submitted
24/05/2024, 09:55

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

6e1cc2cb214d8548a5f545d36ad336f2_JaffaCakes118.apk
Size

30.4MB
MD5

6e1cc2cb214d8548a5f545d36ad336f2
SHA1

3d53cb927de9dc067c0e98b1ed0746d9aa8a0842
SHA256

0e779b2aff1137aa69764ddbe256fc55d49fa780e44c5aeafb48447ee58c83f7
SHA512

5afde4f0e9de90eb4f60600ef532442e1d80bbb07a3139aaec583c678064b477450eb107a659e592ec72c533bfa2f064d574c0fa3c2ed176382f40e514b2e343
SSDEEP

786432:RWuHTm7X4Tk7XUQJq7xfKy2jOkLGbN6Q7NiDxB:RWcTmDAk7EfKj6RNH7NiH

Score

7^/10

discovery evasion persistence

Malware Config

Signatures

Loads dropped Dex/Jar 1 TTPs 5 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/data/com.ants.avatar/.jiagu/classes.dex	4277	com.ants.avatar
/data/data/com.ants.avatar/.jiagu/classes.dex!classes2.dex	4277	com.ants.avatar
/data/data/com.ants.avatar/.jiagu/tmp.dex	4277	com.ants.avatar
/data/data/com.ants.avatar/.jiagu/tmp.dex	4277	com.ants.avatar
/data/data/com.ants.avatar/.jiagu/tmp.dex	4342	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/data/com.ants.avatar/.jiagu/tmp.dex --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/data/com.ants.avatar/.jiagu/oat/x86/tmp.odex --compiler-filter=quicken --class-loader-context=&

Queries information about running processes on the device 1 TTPs 1 IoCs

Application may abuse the framework's APIs to collect information about running processes on the device.

discovery

Process Discovery

T1424

description	ioc	Process
Framework service call	android.app.IActivityManager.getRunningAppProcesses	com.ants.avatar

Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs

Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

discovery

System Network Connections Discovery

T1421

description	ioc	Process
Framework service call	android.net.wifi.IWifiManager.getConnectionInfo	com.ants.avatar

Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	com.ants.avatar

Checks if the internet connection is available 1 TTPs 1 IoCs

discovery

System Network Connections Discovery

T1421

description	ioc	Process
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.ants.avatar

com.ants.avatar
1⤵
- Loads dropped Dex/Jar
- Queries information about running processes on the device
- Queries information about the current Wi-Fi connection
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Checks if the internet connection is available
PID:4277
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/data/com.ants.avatar/.jiagu/tmp.dex --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/data/com.ants.avatar/.jiagu/oat/x86/tmp.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4342

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Credential Access

Discovery

Process Discovery

T1424

System Network Configuration Discovery

T1422

System Network Connections Discovery

T1421

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.ants.avatar/.jiagu/classes.dex

Filesize
6.1MB

MD5
02de7dfdfdb1558d61c7d83e99955970

SHA1
c211b763bbae2b209dc7232b25ce99f24c7c7a1b

SHA256
640c0588fe36220c6bc61632e485006d45ca3bf93a626bd8e9ee5233460e22c0

SHA512
7c4624744dd52866f3f92350832728b4b8876f4c9c94b91866a860893ec047cf7f680daaa7cbbd7360bc594cb0a14de5f666903a9441032bf48b14dc642132b0

Download Submit
/data/data/com.ants.avatar/.jiagu/classes.dex!classes2.dex

Filesize
5.1MB

MD5
4f8c9e09d5dbae9935bd17bb0d52aeff

SHA1
b76a105b200225600950b3f39668c9c2831c7d79

SHA256
539ccd79e00eabea802691492d54c7a95616ca1d848427ab772466830963170e

SHA512
fdb3e02fca389cc0ed1beaf4535ffe5f2fb400df893c57345bf45e523b47a0fc8a1fe226ca6aff1db2eead08315708bae629863619c3ccbf2236aa23067e2c28

Download Submit
/data/data/com.ants.avatar/.jiagu/libjiagu.so

Filesize
475KB

MD5
5aea02f4e4c77fbf2e7a27f7ca9cc06b

SHA1
522db1748608e9173547b29b7aa82ddc3542c534

SHA256
5a1c513b347e2a929769e2be67552c1d591704f08f7b5590282b66cc2c7d7bd2

SHA512
5c979a11f5e896829db906f533756efc1cf3c5a7e35ecc9e376a0aae818f2dada013441649feac2e188bd51affbbf35156e32fdc6552e185bddbc547f3850316

Download Submit
/data/data/com.ants.avatar/.jiagu/tmp.dex

Filesize
284B

MD5
f1771b68f5f9b168b79ff59ae2daabe4

SHA1
0df6a835559f5c99670214a12700e7d8c28e5a42

SHA256
9f8898ce35a47aeafced99ea0d17c33e73037bb2307c7688e50819966f4ae939

SHA512
dae27d19727b89bec49398503baa6801640540355688dfabbe689c97545295c2c2d9b0f0dcd7cbc4cfbf701d0c0c3289e647a152f49ff242d1ecc741efe4145d

Download Submit
/data/data/com.ants.avatar/files/.jglogs/.jg.ac

Filesize
32B

MD5
0bcadf7843765a7cecdfbf4a47a82a5b

SHA1
0d2553d486a58cf9c673748d3da61207fbd482e8

SHA256
80fc9d0de6bbc75a5586074195b02ca5561398abbca7a890c2ba87ea2050c786

SHA512
e64dcabe2823cdae991d96fede98da578c31fe003b055472425ba80ddc58ac3b1312f400eef6cba670ef1ba84d5a7f6f3d898949afd8990c25798f77dbd30714

Download Submit
/data/data/com.ants.avatar/files/.jglogs/.jg.ic

Filesize
32B

MD5
aa65acd1f38bff4a9add09a7bd770e36

SHA1
b28ee720c401ed76d0d8bbcb7fdf2a1c8081b435

SHA256
3a6248b328bf32eb71b6708feef5394d3ea6bae3131bb35689aa744a08623293

SHA512
3346d0f209c6b245a2161eeb15a0dcaac08ad0fda5022d98faabd8df9370f68ca2653d3ecfe700b6b462c5d84790df52f419d69d3658c1d54de5a6f7143a3e7d

Download Submit
/data/data/com.ants.avatar/files/.jglogs/.jg.rd

Filesize
73B

MD5
db05297fb8202204e36e75858fc0ca9c

SHA1
b77b4461d37b2617f332c111cb69444abca4b1c6

SHA256
e97f9ab3c7227d9a170fb84f015b28898626d87ab1d53ed94831a79d88fad797

SHA512
e655b639fcc6dc53a1725300cbaa1b594bc01587be856d9fc0cbddfaf0ba943f864009eeb462ffd936f39790c8e3f08923a0881204b6f7a7801e296a2f8b31ac

Download Submit
/data/data/com.ants.avatar/files/.jglogs/.jg.ri

Filesize
307B

MD5
2cf008e9562cba75f2d0cee51f65eea0

SHA1
78aa6bf9f1e1d8c875e01b7cedc52fe5319871c8

SHA256
7e64966c95fb0e67aec982117f0c7097be146538880c1e78e6efa4a6a884900e

SHA512
7e11d4c29a85dd356e85d7d1781deb79b7234df61ada6351835859efaf381e3f254c0cf2913558c870c5b5c3502105640212eba3ccc1720c22a98af93ab1d239

Download Submit
/data/data/com.ants.avatar/files/.jglogs/.jg.ri

Filesize
314B

MD5
b4424beb5e84b8061fa103042a6f0605

SHA1
b2a027220f8ca3f7966f7db735b3a6005fe60e00

SHA256
94edc6ff8ed58a58315e6d34506ceb2e6080ad0edf13d545c8412bc4b29d43fd

SHA512
67bd8df6f0f7d489079ac5230b980519a25eafbde9a75324b8eb345b2cb4c7dfcc673ab5eee8e0c27cab79261d4916310e54619e74f96a7fab4c5a6ffa88853e

Download Submit
/data/data/com.ants.avatar/files/.jglogs/.jg.store.report_pid

Filesize
32B

MD5
c7cfcfa9c6701a3eba7a5fac15585e81

SHA1
f6cafe4cea6b6ec6e48a568884df9335839dbecc

SHA256
6fce4676e31747c5e33b9d9882051afb731bcce36a3b438ed510948ce60dcb25

SHA512
e6e7af440f698f8cd4904d6f564fbd4d8cd8f166b03d33fa750800637576fd499b147c05573e04994a5899782b0c2043c4b00679e98fdc005e132e3afc1d53a0

Download Submit
/data/data/com.ants.avatar/files/.jiagu.lock

Filesize
27B

MD5
f191fbccc5f01524a634cc074f37e47b

SHA1
236414ff870a61b2f936170d9ff3e743e5c3cc06

SHA256
2f33b9a72dbff60807f98086d20b9db1aa16aacc6380b15816a3e3ed8d745662

SHA512
dcc2bd5773e88fc644c3409925f21bb63f039932e7c0f29fc91f3f04324728ee2f3f979faf7954700d830e07c19277e9e78a13c653ad0985eded59213c656f2a

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads