0e779b2aff1137aa69764ddbe256fc55d49fa780e44c5aeafb48447ee58c83f7

Analysis

max time kernel
8s
max time network
132s
platform
android_x64
resource
android-x64-arm64-20240514-en
resource tags

androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240514-enlocale:en-usos:android-11-x64system
submitted
24-05-2024 09:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6e1cc2cb214d8548a5f545d36ad336f2_JaffaCakes118.apk
Size

30.4MB
MD5

6e1cc2cb214d8548a5f545d36ad336f2
SHA1

3d53cb927de9dc067c0e98b1ed0746d9aa8a0842
SHA256

0e779b2aff1137aa69764ddbe256fc55d49fa780e44c5aeafb48447ee58c83f7
SHA512

5afde4f0e9de90eb4f60600ef532442e1d80bbb07a3139aaec583c678064b477450eb107a659e592ec72c533bfa2f064d574c0fa3c2ed176382f40e514b2e343
SSDEEP

786432:RWuHTm7X4Tk7XUQJq7xfKy2jOkLGbN6Q7NiDxB:RWcTmDAk7EfKj6RNH7NiH

Score

8^/10

collection discovery evasion

Malware Config

Signatures

Checks if the Android device is rooted. 1 TTPs 1 IoCs
evasion

T1426

Processes:

com.ants.avatar

ioc process

/system/app/Superuser.apk com.ants.avatar
Requests cell location 2 TTPs 1 IoCs
Uses Android APIs to to get current cell location.
collection discovery evasion

T1430

T1627.001

Processes:

com.ants.avatar

description ioc process

Framework service call com.android.internal.telephony.ITelephony.getCellLocation com.ants.avatar
Checks CPU information 2 TTPs 1 IoCs
Checks CPU information which indicate if the system is an emulator.
evasion discovery

T1633.001

T1426

Processes:

com.ants.avatar

description ioc process

File opened for read /proc/cpuinfo com.ants.avatar

ioc	process
/system/app/Superuser.apk	com.ants.avatar

description	ioc	process
Framework service call	com.android.internal.telephony.ITelephony.getCellLocation	com.ants.avatar

description	ioc	process
File opened for read	/proc/cpuinfo	com.ants.avatar

Loads dropped Dex/Jar 1 TTPs 2 IoCs

Runs executable file dropped to the device during analysis.

evasion

T1407

Processes:

com.ants.avatar

ioc	pid	process
/data/user/0/com.ants.avatar/.jiagu/classes.dex	4607	com.ants.avatar
/data/user/0/com.ants.avatar/.jiagu/classes.dex!classes2.dex	4607	com.ants.avatar

Queries information about running processes on the device 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about running processes on the device.
discovery

T1424

Processes:

com.ants.avatar

description ioc process

Framework service call android.app.IActivityManager.getRunningAppProcesses com.ants.avatar
Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
discovery

T1421

Processes:

com.ants.avatar

description ioc process

Framework service call android.net.wifi.IWifiManager.getConnectionInfo com.ants.avatar
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

T1422
Checks if the internet connection is available 1 TTPs 1 IoCs
discovery

T1421

Processes:

com.ants.avatar

description ioc process

Framework service call android.net.IConnectivityManager.getActiveNetworkInfo com.ants.avatar
Listens for changes in the sensor environment (might be used to detect emulation) 1 TTPs 1 IoCs
evasion

T1628.002

Processes:

com.ants.avatar

description ioc process

Framework API call android.hardware.SensorManager.registerListener com.ants.avatar

description	ioc	process
Framework service call	android.app.IActivityManager.getRunningAppProcesses	com.ants.avatar

description	ioc	process
Framework service call	android.net.wifi.IWifiManager.getConnectionInfo	com.ants.avatar

description	ioc	process
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.ants.avatar

description	ioc	process
Framework API call	android.hardware.SensorManager.registerListener	com.ants.avatar

com.ants.avatar
1⤵
- Checks if the Android device is rooted.
- Requests cell location
- Checks CPU information
- Loads dropped Dex/Jar
- Queries information about running processes on the device
- Queries information about the current Wi-Fi connection
- Checks if the internet connection is available
- Listens for changes in the sensor environment (might be used to detect emulation)
PID:4607

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.ants.avatar/files/.jglogs/.jg.ac
Filesize
32B

MD5
0bcadf7843765a7cecdfbf4a47a82a5b

SHA1
0d2553d486a58cf9c673748d3da61207fbd482e8

SHA256
80fc9d0de6bbc75a5586074195b02ca5561398abbca7a890c2ba87ea2050c786

SHA512
e64dcabe2823cdae991d96fede98da578c31fe003b055472425ba80ddc58ac3b1312f400eef6cba670ef1ba84d5a7f6f3d898949afd8990c25798f77dbd30714

Download Submit
/data/data/com.ants.avatar/files/.jglogs/.jg.ic
Filesize
32B

MD5
aa65acd1f38bff4a9add09a7bd770e36

SHA1
b28ee720c401ed76d0d8bbcb7fdf2a1c8081b435

SHA256
3a6248b328bf32eb71b6708feef5394d3ea6bae3131bb35689aa744a08623293

SHA512
3346d0f209c6b245a2161eeb15a0dcaac08ad0fda5022d98faabd8df9370f68ca2653d3ecfe700b6b462c5d84790df52f419d69d3658c1d54de5a6f7143a3e7d

Download Submit
/data/data/com.ants.avatar/files/.jglogs/.jg.rd
Filesize
32B

MD5
d192239683a27d461ec72516b689da75

SHA1
c861e7acd87dbb4b88b15a3c3329fe118d33033f

SHA256
152e1ddc29faef74a3d2c2d3cec26376cc228f26b4e698660f72b37a65f220d7

SHA512
11d1881424768bd49a893d0c476107cdf99b5af8a37ce69b61385cc556b328facc78cdbbf4c5eed826b89103396f128d7944af7cf929b49dafa706554d16dbc6

Download Submit
/data/data/com.ants.avatar/files/.jglogs/.jg.ri
Filesize
307B

MD5
45914d4fa9803a22682287078e1508fc

SHA1
ad3b538a51ca1a94d493752a1daca33ab9ad4a8d

SHA256
7bd11dda62ff69778542c817c9b773c0e0381c953df8dfe7cccf8bf4a743032e

SHA512
c4a47ebf419cc9f3e7652b7af6bd7e18c4faff051f10fc53f2bc6fe1ad311c9a51da6597b383fd0ec3d3d631899096e857f7f1fd3167ae139d42a1d6c9efd9ec

Download Submit
/data/data/com.ants.avatar/files/.jglogs/.jg.ri
Filesize
314B

MD5
3a7520e36806820468d54549141eea97

SHA1
d0d1e1ed6d1ce4a2f9c1f04ca5bdd19513fcde62

SHA256
6f9508f3cd9348a6e3d9ca1def48cd6baec6126f22d58a63d32850029c7e8d4d

SHA512
9c84d0e069cb4ab723cfa29c8e0b1b675473a30c41098176077792d62e454d132a42f453e00efa738561234fa59a8ee1f3f093d1e61942dc2dd9b5057488a045

Download Submit
/data/data/com.ants.avatar/files/.jglogs/.jg.store.report_pid
Filesize
32B

MD5
c7cfcfa9c6701a3eba7a5fac15585e81

SHA1
f6cafe4cea6b6ec6e48a568884df9335839dbecc

SHA256
6fce4676e31747c5e33b9d9882051afb731bcce36a3b438ed510948ce60dcb25

SHA512
e6e7af440f698f8cd4904d6f564fbd4d8cd8f166b03d33fa750800637576fd499b147c05573e04994a5899782b0c2043c4b00679e98fdc005e132e3afc1d53a0

Download Submit
/data/data/com.ants.avatar/files/.jiagu.lock
Filesize
27B

MD5
49871b5a78c3d607ffca6bac9a0d7be9

SHA1
9008e39d173c30ab2495ab1ec33b355b46c4aba4

SHA256
5c027bf477225c7bedc2901b9b36916cfb36095bd4dc83bdf638d3eb3597776a

SHA512
8c2e844217ca9e4ef350ec0292b770584f2b6870588dbdb70cedc19500025f284cba8bb66ffc44a1e8aff87eb4a4fdb7a5be4a69c99932cd71a5d2fb8d16083d

Download Submit
/data/user/0/com.ants.avatar/.jiagu/classes.dex
Filesize
6.1MB

MD5
02de7dfdfdb1558d61c7d83e99955970

SHA1
c211b763bbae2b209dc7232b25ce99f24c7c7a1b

SHA256
640c0588fe36220c6bc61632e485006d45ca3bf93a626bd8e9ee5233460e22c0

SHA512
7c4624744dd52866f3f92350832728b4b8876f4c9c94b91866a860893ec047cf7f680daaa7cbbd7360bc594cb0a14de5f666903a9441032bf48b14dc642132b0

Download Submit
/data/user/0/com.ants.avatar/.jiagu/classes.dex!classes2.dex
Filesize
5.1MB

MD5
4f8c9e09d5dbae9935bd17bb0d52aeff

SHA1
b76a105b200225600950b3f39668c9c2831c7d79

SHA256
539ccd79e00eabea802691492d54c7a95616ca1d848427ab772466830963170e

SHA512
fdb3e02fca389cc0ed1beaf4535ffe5f2fb400df893c57345bf45e523b47a0fc8a1fe226ca6aff1db2eead08315708bae629863619c3ccbf2236aa23067e2c28

Download Submit
/data/user/0/com.ants.avatar/.jiagu/libjiagu.so
Filesize
475KB

MD5
5aea02f4e4c77fbf2e7a27f7ca9cc06b

SHA1
522db1748608e9173547b29b7aa82ddc3542c534

SHA256
5a1c513b347e2a929769e2be67552c1d591704f08f7b5590282b66cc2c7d7bd2

SHA512
5c979a11f5e896829db906f533756efc1cf3c5a7e35ecc9e376a0aae818f2dada013441649feac2e188bd51affbbf35156e32fdc6552e185bddbc547f3850316

Download Submit