Analysis
-
max time kernel
84s -
max time network
183s -
platform
android_x86 -
resource
android-x86-arm-20240514-en -
resource tags
-
submitted
24-05-2024 11:29
General
-
Target
6e5bb4340cdcd5140743f1a7c58ca214_JaffaCakes118.apk
-
Size
18.6MB
-
MD5
6e5bb4340cdcd5140743f1a7c58ca214
-
SHA1
5c10b057c83b55fa8e678b8620725d85359b3e15
-
SHA256
cc25c7b03025441ab663cb362c8376662ba5cbeed430ce5e5dc37c8d2cb9f2fd
-
SHA512
a22c171439b4856868151553cc16979f0ea5470ce30b703761bca32fcafdaa5f245b194cc2d37cedf20305a0558f501dbbbc006a1556beb9e510b6209c42c772
-
SSDEEP
393216:XGMTcIFk8lm6EOGrbHUbJSK5WK000SKmulC6OcYx31lP:2ccIFk8sOG/u5WxmWCXzj
Malware Config
Signatures
-
Checks if the Android device is rooted. 1 TTPs 1 IoCs
-
Checks CPU information 2 TTPs 1 IoCs
Checks CPU information which indicate if the system is an emulator.
-
Checks known Qemu files. 1 TTPs 3 IoCs
Checks for known Qemu files that exist on Android virtual device images.
-
Checks known Qemu pipes. 1 TTPs 2 IoCs
Checks for known pipes used by the Android emulator to communicate with the host.
-
Checks memory information 2 TTPs 1 IoCs
Checks memory information which indicate if the system is an emulator.
-
Loads dropped Dex/Jar 1 TTPs 9 IoCs
Runs executable file dropped to the device during analysis.
-
Queries information about running processes on the device 1 TTPs 2 IoCs
Application may abuse the framework's APIs to collect information about running processes on the device.
-
Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
-
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 2 IoCs
-
Checks if the internet connection is available 1 TTPs 2 IoCs
-
Requests cell location 1 TTPs 1 IoCs
Uses Android APIs to to get current cell information.
-
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 2 IoCs
Processes
-
com.iloof.heydo1⤵
- Checks CPU information
- Loads dropped Dex/Jar
- Queries information about running processes on the device
- Queries information about the current Wi-Fi connection
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Checks if the internet connection is available
- Uses Crypto APIs (Might try to encrypt user data)
-
/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/data/com.iloof.heydo/.jiagu/tmp.dex --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/data/com.iloof.heydo/.jiagu/oat/x86/tmp.odex --compiler-filter=quicken --class-loader-context=&2⤵
- Loads dropped Dex/Jar
-
cat /sys/class/net/wlan0/address2⤵
-
cat /sys/class/net/wlan0/address2⤵
-
cat /sys/class/net/wlan0/address2⤵
-
cat /sys/class/net/wlan0/address2⤵
-
cat /sys/class/net/wlan0/address2⤵
-
com.iloof.heydo:remote1⤵
- Checks if the Android device is rooted.
- Checks known Qemu files.
- Checks known Qemu pipes.
- Checks memory information
- Loads dropped Dex/Jar
- Queries information about running processes on the device
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Checks if the internet connection is available
- Requests cell location
- Uses Crypto APIs (Might try to encrypt user data)
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
/data/data/com.iloof.heydo/.jiagu/classes.dexFilesize
6.0MB
MD5828a9f157e5b1f5524cdd8300a8f1e7c
SHA1cab1583fa87eca2ece2c97b412217529e7949917
SHA2568a539799680d0c4a718c46c0f413fb24e591bf6082c7748c0be677ec05044689
SHA51233d37344e341de2af40b4eb0c5f564cb2bdb6f2a828f05abc8ae7b6d949189a7d72071572f1d750855813612784ae29486726fcfce52aeed835f666bae28df72
-
/data/data/com.iloof.heydo/.jiagu/classes.dex!classes2.dexFilesize
3.8MB
MD57bd1d790964ff564a87820d8f5afd37f
SHA1196c1229f5250f18fb630d9b1cbea8e6ed8767ba
SHA2565305cfcf525304bb1afe1af6c8f2b44b03d804c6ba36e926d4caa77bfce02ab1
SHA5124a2ba7ce9cc5a634ad4d4591aba16c57aadd3ffff321ad0227968d1b994fe156fceb0e8439000c42eae0679e78600aa0f4e0e2e670e2d791977fd65b3566c629
-
/data/data/com.iloof.heydo/.jiagu/libjiagu.soFilesize
495KB
MD5de685970891708f6edfd18f03c6557ba
SHA1ac50f88327652a72df73d43e9260faf169283c34
SHA256b3124a6f192e562313f1e2d24b292852d4eb87cbe95dccd1d94b3a0540c0c11e
SHA512cd56aa34265252c1457e28f442872dfaedc897607b816526de7e76c88ea00c24feb3542c21be7dc587b58df8ccbb1e045d3533741981212eac4d704143bfffe0
-
/data/data/com.iloof.heydo/.jiagu/tmp.dexFilesize
284B
MD5efde6fc19d25115e44a1ab89a82a8134
SHA196e424ad879a08ed99ae8cdbd7576c17838c67ad
SHA25648f99c97ce3eb5a766bd4572f7e499780442d35c63c9c1964e6440a5bdd861d6
SHA5128a5b13601d1e7f81692efa601df030c839aebd4e4e87266a6e331db499de91dcfcc23ea924dd0b0342c74201df8d70947351a9d55071ad514e94044895c50293
-
/data/data/com.iloof.heydo/.jiagu/tmp.dexFilesize
284B
MD5f1771b68f5f9b168b79ff59ae2daabe4
SHA10df6a835559f5c99670214a12700e7d8c28e5a42
SHA2569f8898ce35a47aeafced99ea0d17c33e73037bb2307c7688e50819966f4ae939
SHA512dae27d19727b89bec49398503baa6801640540355688dfabbe689c97545295c2c2d9b0f0dcd7cbc4cfbf701d0c0c3289e647a152f49ff242d1ecc741efe4145d
-
/data/data/com.iloof.heydo/app_crashrecord/1004Filesize
240B
MD53ddead4c00e3f82de11832d8db718ec5
SHA1de1817191e78550d0eb1d26fd024cc3e8a2daef4
SHA256b5638cb61314912aca38d3b1ac6ab8144a5db1ea5c95164d799302da8f187eb4
SHA512859ff8ddce6ee8c341cf66d576b14286d68cb0c6306ba229da0b3bac381306a8cbb258757024b20ff5ad493dd0b6b24fc661be2b3f6ee50fdf00525086a96b14
-
/data/data/com.iloof.heydo/databases/MessageStore.dbFilesize
4KB
MD52c350041deb61d8ae78d9d800dfcfcf9
SHA1df06766e7e873aff730718040009051b5722a953
SHA25638775e7c112dbfa89bcf0bdb84fc94df963ee56169ffa33f7bb4224ee7153c07
SHA51213f7819a9f0e3219e73e29b92a96a3f276edf49b2dbc03782e3f4b8c4f84019d606ed2f8fd20f96f6056d2863b2b2934dc9c9c865cbd6dd1b513d26686c661d2
-
/data/data/com.iloof.heydo/databases/MessageStore.db-journalFilesize
4KB
MD5f2b4b0190b9f384ca885f0c8c9b14700
SHA1934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA2560a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1
-
/data/data/com.iloof.heydo/databases/MessageStore.db-shmFilesize
32KB
MD594f55d4db0a4034bd380de17ba165dcd
SHA1b6d98ba76464f001732b344ed49ade1f2bc86591
SHA2566d03f3f651555ef26c78ff231eeb73d150e5ea6861dc7f9f3897ced7f4565b6d
SHA51274d654bdc1f4850a55bb8cafc90c593c0edd167c08e26f47911b7d1a25f83fcc0525bcb62edcf0843e844ed93054d06ad9fd7266114b42e87011cfddb2f16d63
-
/data/data/com.iloof.heydo/databases/MessageStore.db-walFilesize
48KB
MD5561c04975bd3658b364a3d75a60be3a9
SHA182fa07a844c3557b99c7b7dc7217d648956a084b
SHA25660afbab0535e6dae380d2ff54279b1e166144d9ad8a8a9298698216af8b5da30
SHA512cc5ff1a4f65333ddead1ed41851078aa7bb04a41557574fa54adb9d8bc29cf0457536ad2cd26c6fed6f09ded007fb1312957adb31dd3b2b5804ce5dedf02c251
-
/data/data/com.iloof.heydo/databases/MsgLogStore.db-journalFilesize
512B
MD55dbb412cd3d3414a0f2aa540313a165f
SHA1317e6975d9752849f8ae44892ca4b1c56ef59fcc
SHA256238cfc548a7c4ac4327680c08b950333a385c6a7ce364738c6f23522e2cd998b
SHA5122d0c0c793da88bd24832eeec962cddff10c7cd4c281789126632541cf2df4d6612efc31dfc07452a852aec715c38fba004d1d9eb4400484f51d89061bee0b3f7
-
/data/data/com.iloof.heydo/databases/MsgLogStore.db-shmFilesize
32KB
MD5bb7df04e1b0a2570657527a7e108ae23
SHA15188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012
-
/data/data/com.iloof.heydo/databases/MsgLogStore.db-walFilesize
60KB
MD572d762fbfcac3070a660f1f05de8a8a1
SHA1c9db3eadf94b10f7241de8eb3ad6a0f80d747894
SHA2560d56b0519168ea0be1f1a3cc1136eef09b20d4744b256200d8fdb3fcadf7a351
SHA5125525aa647f8503009981f7dea11052aea39b282633ab4356004026dde6b82a4aa75158ea48cbb2fd7c6c99dd05461b8e0bb0c07bd8ecc1d5f5dc5a18001a8b46
-
/data/data/com.iloof.heydo/files/.jglogs/.jg.acFilesize
32B
MD5b9870685398500d23cbc6ea04317151c
SHA1b18b02e75551d9e4a4b30b6b0e9e732a08b2d483
SHA25628885cda2c6ce93176a69b3e01f9f119f4353992217e2fff65353283d66210b3
SHA512deaa9c026a7625e3204d2acd95ef94a27cd00591f50d84519467e460e833f3d4f4464a1c6ff845a13e87eaf3f831f7e52a26e14c74ae9dd270279f73c404292d
-
/data/data/com.iloof.heydo/files/.jglogs/.jg.icFilesize
32B
MD5720de8b6b51ae92d1a9ec85a16769b7f
SHA1f3f8d9e599894d3c78ff1a3dc1d6f53f8b40deb2
SHA25613148d5c64badb8ade6f805bac6ce69ff2f64265599f30d9c23d369a2536620a
SHA5121b23b765662ed904157a399dac4f49bb04c323a84668743e6b870f86303fb1f1d8dff65fe6ff9043fcb8b9e9bc5ad467ab5f9de94d2c8f2ffb63b95528714a50
-
/data/data/com.iloof.heydo/files/.jglogs/.jg.pkFilesize
32KB
MD5c45bcc6396d587314cff4c355d350d0f
SHA10472b1d2afb76e57ed5537309618aad55e18f5c9
SHA25684c8c5dfc08be59bcb85c2d3a2e7e6d687e62bb35ec1f631b6920d7cd95b066d
SHA512c393b18cd4ea8d344f2bb7098cbe0dfd83569d6bdaef8df1d52cb754cedafbfea0ce1b484669ff4e02743d84b8b968d336382d8413fa0b086d63eac533930395
-
/data/data/com.iloof.heydo/files/.jglogs/.jg.pk.hFilesize
36KB
MD583f37661da59ea4abb6382d6d44f9928
SHA120e24f5b76ee9804aac4f22ad80172521c5debf3
SHA2560437077d9176bf3ef3061cd5581945f214291bb82457458dbd9644b3e6337ae9
SHA512703deee0a58d29980dc70878f6b107f0c5bcc8bd136e9a37922f26a13fd74287ca015a6f563c3d416a512de145cf017c514dee95efbea82cfd444f95f5b3e59c
-
/data/data/com.iloof.heydo/files/.jglogs/.jg.rdFilesize
32KB
MD579b64841abd3c82b9fb59867e5bd239c
SHA14e13a7e1faaf9b6498af7d6939959beb71d92a9a
SHA2563cd4ec96d06235c038b7daf9bd85723dff8e694ff52b70334d54d4fcb8c503c6
SHA512a232e83d9921143f115b9ca3fca861d57333927bacef99e94ea83775f3530c4a33fe89ec797e68f3565e3b30cd31301972a020ea46a5e9fad17106ae6c692a48
-
/data/data/com.iloof.heydo/files/.jglogs/.jg.riFilesize
314B
MD51e763ad1780f9057f7fd9eb382079794
SHA10662344d261d0175d737decc17c23b9e9938b4fe
SHA2560d7570a5d4d4cba0a7a87210daccd20fbaa4ee63a9ec65f4ea076b091b504fcf
SHA5128f4be715d5729b9ff3962caff42c1b0bbec977d35b4405ea741552bd4abca16ebda8a110fbebd79e9b96c03859cc69582724bac6d7d91be99fb81945144e6410
-
/data/data/com.iloof.heydo/files/.jglogs/.jg.riFilesize
307B
MD52c4bbba43cf20d8788add6bae853bf55
SHA126c4a16c27b38258c90ad6f4c25cf36959967b11
SHA2562b1f821cca95fde9b2ea2a5f25e42936f6f9e00250920e9e052c1004205e6a36
SHA512bf74221fcdc8eb81963be724a111b0ae529c1e4c9fccf692f9480f27913f63d42110dd1c1d19b60206c9806805ee3774441b8b988448b7e3a3a4d16f50ab284a
-
/data/data/com.iloof.heydo/files/.jglogs/.jg.riFilesize
307B
MD5657de8404498815f407c808cd11233b3
SHA1143283330a57a8d03f4ce60558b93b648ca82838
SHA256942b6f3d26c71dce07c6ec4fb80024f4b0ba30571fa22267c0bf678cc2f0874f
SHA51254a0b50e65625563b551487016579ee268e318239971b0d592d4dbe660e3e9933b3a57049cd1516bf97c2644dda6d930f858a6b7b3f5397c723d873b253d31d9
-
/data/data/com.iloof.heydo/files/.jglogs/.jg.store.report_cfFilesize
58B
MD50d210bfb2a0e1f1b4c082a6a0f79de07
SHA1bb8ed9e364db79d1d9f2fcde3f15091893222faa
SHA256988722c23d78a46021d0e7ca9deee7aa8bb83288269174ffacb7316f381cca1d
SHA512536e9867b0df29b15b789f8949be6ab37fcdeccb9d39ded981da7dc2052c9533d0ec0e6f9a5444132977605d372e1463d91bdde41b528ff2ca3f65ab152325c1
-
/data/data/com.iloof.heydo/files/.jglogs/.jg.store.report_pidFilesize
240B
MD5f2cbc284dcb4693989a38f77a068b817
SHA1707a0a6c8d9d4500bc5106b9cc48a4943d0d08d7
SHA2566b605fb2448f2c52af7ac29118fe8fa7f65451e2cd0af8a054fc7c5e493743c9
SHA5121d4503e40f2800a16ef91ad656325e297a96144de48a662a956f77731c6f2b19af128e41bec48df55420da6e617e1598b4958d97be1c8d904b690ebfe9b62827
-
/data/data/com.iloof.heydo/files/.jiagu.lockFilesize
112KB
MD5147afb28e17610d046c0515eea973566
SHA148535e21d93a2979c8828031650bdc78baaa6ffd
SHA256fd42766f80630bab07af51c186af5bb25e1922bbe41d09d99412f1067f7425b1
SHA5128127838209eb184a3a472e8a18feee7badfd41e5244f5962db9aaf46e750464631660b1e902a94dde9adea80793bbbe84353b3a7ce9171bb15d3a10aa4cefa68