517f40c8b272a3f90a6a692dd35d8d541492579d5a3bf0300e0d73b12b3100f9

Analysis

max time kernel
177s
max time network
184s
platform
android_x86
resource
android-x86-arm-20240514-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20240514-enlocale:en-usos:android-9-x86system
submitted
24-05-2024 17:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6f3e20b3fd75c752c9a872481203bf4a_JaffaCakes118.apk
Size

23.0MB
MD5

6f3e20b3fd75c752c9a872481203bf4a
SHA1

427820d1e3af3bbfe00e538eadfb17aa9adc2c8a
SHA256

517f40c8b272a3f90a6a692dd35d8d541492579d5a3bf0300e0d73b12b3100f9
SHA512

ae04896711a5ce56c1717152e27e21fdb3c1c9cb2e8d04e39e1f0035227e016c6ccd41bdc8679384b5e2a0c8c3a2ffdc32acfceec8b47cc30bdcbec6cbffd19c
SSDEEP

393216:z4W34qmm67G8/ui88dUqytF+Ffh4H+8RXX3W8w9w9Peh+K3W8w9w9PDLoYRsezWS:N/m/7GSdUxtF+FfK19XGxw9mh+KGxw9b

Score

8^/10

collection discovery evasion impact persistence

Malware Config

Signatures

Checks if the Android device is rooted. 1 TTPs 1 IoCs
evasion

System Information Discovery
T1426

Processes:

com.zhangkongapp.joke.bamenshenqi

ioc process

/sbin/su com.zhangkongapp.joke.bamenshenqi

ioc	process
/sbin/su	com.zhangkongapp.joke.bamenshenqi

Requests cell location 2 TTPs 2 IoCs

Uses Android APIs to to get current cell location.

collection discovery evasion

Location Tracking

T1430

Geofencing

T1627.001

Processes:

com.zhangkongapp.joke.bamenshenqi

description	ioc	process
Framework service call	com.android.internal.telephony.ITelephony.getCellLocation	com.zhangkongapp.joke.bamenshenqi
Framework service call	com.android.internal.telephony.ITelephony.getAllCellInfo	com.zhangkongapp.joke.bamenshenqi

Checks CPU information 2 TTPs 1 IoCs
Checks CPU information which indicate if the system is an emulator.
evasion discovery

System Checks
T1633.001

System Information Discovery
T1426

Processes:

com.zhangkongapp.joke.bamenshenqi

description ioc process

File opened for read /proc/cpuinfo com.zhangkongapp.joke.bamenshenqi

description	ioc	process
File opened for read	/proc/cpuinfo	com.zhangkongapp.joke.bamenshenqi

Checks known Qemu files. 1 TTPs 3 IoCs

Checks for known Qemu files that exist on Android virtual device images.

evasion

System Checks

T1633.001

Processes:

com.zhangkongapp.joke.bamenshenqi

ioc	process
/system/lib/libc_malloc_debug_qemu.so	com.zhangkongapp.joke.bamenshenqi
/sys/qemu_trace	com.zhangkongapp.joke.bamenshenqi
/system/bin/qemu-props	com.zhangkongapp.joke.bamenshenqi

Checks known Qemu pipes. 1 TTPs 2 IoCs
Checks for known pipes used by the Android emulator to communicate with the host.
evasion

System Checks
T1633.001

Processes:

com.zhangkongapp.joke.bamenshenqi

ioc process

/dev/socket/qemud com.zhangkongapp.joke.bamenshenqi
/dev/qemu_pipe com.zhangkongapp.joke.bamenshenqi
Checks memory information 2 TTPs 1 IoCs
Checks memory information which indicate if the system is an emulator.
evasion discovery

System Checks
T1633.001

System Information Discovery
T1426

Processes:

com.zhangkongapp.joke.bamenshenqi

description ioc process

File opened for read /proc/meminfo com.zhangkongapp.joke.bamenshenqi
Queries information about running processes on the device 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about running processes on the device.
discovery

Process Discovery
T1424

Processes:

com.zhangkongapp.joke.bamenshenqi

description ioc process

Framework service call android.app.IActivityManager.getRunningAppProcesses com.zhangkongapp.joke.bamenshenqi
Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
discovery

System Network Connections Discovery
T1421

Processes:

com.zhangkongapp.joke.bamenshenqi

description ioc process

Framework service call android.net.wifi.IWifiManager.getConnectionInfo com.zhangkongapp.joke.bamenshenqi
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
discovery

System Network Configuration Discovery
T1422

Processes:

com.zhangkongapp.joke.bamenshenqi

description ioc process

Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone com.zhangkongapp.joke.bamenshenqi
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
persistence

Broadcast Receivers
T1624.001

Processes:

com.zhangkongapp.joke.bamenshenqi

description ioc process

Framework service call android.app.IActivityManager.registerReceiver com.zhangkongapp.joke.bamenshenqi
Checks if the internet connection is available 1 TTPs 1 IoCs
discovery

System Network Connections Discovery
T1421

Processes:

com.zhangkongapp.joke.bamenshenqi

description ioc process

Framework service call android.net.IConnectivityManager.getActiveNetworkInfo com.zhangkongapp.joke.bamenshenqi
Domain associated with commercial stalkerware software, includes indicators from echap.eu.org 1 IoCs

Processes:

flow ioc

23 alog.umeng.com
Listens for changes in the sensor environment (might be used to detect emulation) 1 TTPs 1 IoCs
evasion

User Evasion
T1628.002

Processes:

com.zhangkongapp.joke.bamenshenqi

description ioc process

Framework API call android.hardware.SensorManager.registerListener com.zhangkongapp.joke.bamenshenqi
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
impact

Data Encrypted for Impact
T1471

Processes:

com.zhangkongapp.joke.bamenshenqi

description ioc process

Framework API call javax.crypto.Cipher.doFinal com.zhangkongapp.joke.bamenshenqi

ioc	process
/dev/socket/qemud	com.zhangkongapp.joke.bamenshenqi
/dev/qemu_pipe	com.zhangkongapp.joke.bamenshenqi

description	ioc	process
File opened for read	/proc/meminfo	com.zhangkongapp.joke.bamenshenqi

description	ioc	process
Framework service call	android.app.IActivityManager.getRunningAppProcesses	com.zhangkongapp.joke.bamenshenqi

description	ioc	process
Framework service call	android.net.wifi.IWifiManager.getConnectionInfo	com.zhangkongapp.joke.bamenshenqi

description	ioc	process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.zhangkongapp.joke.bamenshenqi

description	ioc	process
Framework service call	android.app.IActivityManager.registerReceiver	com.zhangkongapp.joke.bamenshenqi

description	ioc	process
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.zhangkongapp.joke.bamenshenqi

flow	ioc
23	alog.umeng.com

description	ioc	process
Framework API call	android.hardware.SensorManager.registerListener	com.zhangkongapp.joke.bamenshenqi

description	ioc	process
Framework API call	javax.crypto.Cipher.doFinal	com.zhangkongapp.joke.bamenshenqi

com.zhangkongapp.joke.bamenshenqi
1⤵
- Checks if the Android device is rooted.
- Requests cell location
- Checks CPU information
- Checks known Qemu files.
- Checks known Qemu pipes.
- Checks memory information
- Queries information about running processes on the device
- Queries information about the current Wi-Fi connection
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Checks if the internet connection is available
- Listens for changes in the sensor environment (might be used to detect emulation)
- Uses Crypto APIs (Might try to encrypt user data)
PID:4329

getprop
2⤵
PID:4514

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Privilege Escalation

Defense Evasion

Execution Guardrails

T1627

Geofencing

T1627.001

Hide Artifacts

T1628

User Evasion

T1628.002

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Discovery

Location Tracking

T1430

Process Discovery

T1424

System Information Discovery

T1426

System Network Configuration Discovery

T1422

System Network Connections Discovery

T1421

Lateral Movement

Collection

Location Tracking

T1430

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.zhangkongapp.joke.bamenshenqi/app_crashrecord/1002

Filesize
243B

MD5
f47fbc660b49047f998606d10312664b

SHA1
826621d2e5ac37cc2ea064d10315cb9636b261e7

SHA256
6dc93944f74338130f237bd2256513b8660da208bb820a118e6f305ad8b2848e

SHA512
10c11e2bcde8a1ef5c73731f7c6bea56439cb8f62f8848e286b3c58ee1695e25e6cf54e8cad08a35acbdee90c561f4ba6255155b1914973bef51f04dc4bfccc5

Download Submit
/data/data/com.zhangkongapp.joke.bamenshenqi/app_crashrecord/1004

Filesize
58B

MD5
0d210bfb2a0e1f1b4c082a6a0f79de07

SHA1
bb8ed9e364db79d1d9f2fcde3f15091893222faa

SHA256
988722c23d78a46021d0e7ca9deee7aa8bb83288269174ffacb7316f381cca1d

SHA512
536e9867b0df29b15b789f8949be6ab37fcdeccb9d39ded981da7dc2052c9533d0ec0e6f9a5444132977605d372e1463d91bdde41b528ff2ca3f65ab152325c1

Download Submit
/data/data/com.zhangkongapp.joke.bamenshenqi/app_crashrecord/1004

Filesize
243B

MD5
858009ef4f712ec67fe30853d6395e4e

SHA1
9cf5f7d541be773a30d52b579cb025ab0bbdc716

SHA256
fd1bb274a75bef7b206df6f345245296409bfb8c7de3e1763682dc9f2f28f1b0

SHA512
a38a5458f7fcacbc9211855300a0ffced261327c60d2f4db29916838ecd17082a3f7dce00bb1321ab1ac8cc0438894ed8fdb2841218fda74497b6cfa9e0c9628

Download Submit
/data/data/com.zhangkongapp.joke.bamenshenqi/databases/bamen_user.db

Filesize
4KB

MD5
f2b4b0190b9f384ca885f0c8c9b14700

SHA1
934ff2646757b5b6e7f20f6a0aa76c7f995d9361

SHA256
0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

SHA512
ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

Download Submit
/data/data/com.zhangkongapp.joke.bamenshenqi/databases/bamen_user.db-journal

Filesize
512B

MD5
3e05f73094fbc174bd0dc48fbc46528a

SHA1
b9108e45f1aa20cf9b0c4453fd1fc32255f22455

SHA256
fbecf3b179aa34276dc36246812545e9987a485cd8ada5836db3186b7b4f4c5e

SHA512
e644f1f36fd2f84f2cbebd3d692c394bc7f6f647a60429ae0bc7e7a3a68ec425df85c70f6a2ec3db787be0b36f7c7a9a813977fe363ec9bbc11621f1c8b8633e

Download Submit
/data/data/com.zhangkongapp.joke.bamenshenqi/databases/bamen_user.db-shm

Filesize
32KB

MD5
bb7df04e1b0a2570657527a7e108ae23

SHA1
5188431849b4613152fd7bdba6a3ff0a4fd6424b

SHA256
c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

SHA512
768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Download Submit
/data/data/com.zhangkongapp.joke.bamenshenqi/databases/bamen_user.db-wal

Filesize
100KB

MD5
a0f473a239a3394af2fd1416b1e95ef2

SHA1
849669f7d8e077a6c1a54e84fb244fe4d705b99c

SHA256
fd0bc07bfff1cb24000a11f26bcd422bcb094e1574d7ae90c454974417d1dcca

SHA512
6d6ad00ae6b48453bc913f4ce31b317adccab65d0164632348e41a037d275be6cfbac349fa9ae0e6b7e2cfeab94ba970909ef605cedf81dac78aa12d81822b9b

Download Submit
/data/data/com.zhangkongapp.joke.bamenshenqi/databases/bugly_db_-journal

Filesize
512B

MD5
07c9679084677bb14ee2a419bbcad20f

SHA1
b378be4148a7415b34a29eef4d77f6216f9ee0c6

SHA256
d438d879cae86f2ce5471ef2cc99f9ca6dd55faa02a6645829346bf9b340702b

SHA512
3233bb14baa4342184c2df34e4a2f9297891f4b00bc2054facd0349decca2bff62b9130e4d7ee534cb750c48fa6b49cd3f18ce22306ba053576e2e152f9da9d2

Download Submit
/data/data/com.zhangkongapp.joke.bamenshenqi/databases/bugly_db_-wal

Filesize
76KB

MD5
840aa1d27ebff2dfa6558bfc67060f4a

SHA1
d86193a6daa254149804abfa0ba246cd160bcd8f

SHA256
a679cfe6ebf64b5f9bc398f750e2c304e4e2417c8d34f4d89e21cad4e87c42f8

SHA512
b49b4f154ccd9c3a19e1359eff89898b07c24331766067533d07c2d89bc480cb5fb6928878bf27a77ea40e87785ee2aa5e2c0896325f830eefd9bf2a977a1fc9

Download Submit
/data/data/com.zhangkongapp.joke.bamenshenqi/files/.um/um_cache_1716570933377.env

Filesize
728B

MD5
7d911e525a8d8796fa32bb2f772e9519

SHA1
c411b9ffde7d06a52c67690e806add98ce0972d3

SHA256
32eeade5bbf3b19eb93497b2e42dfee9bfa80d7531c0648b3ae50a5e22cb59e7

SHA512
61d4e4242b17d413e73137384b2c6cde030f5723424811dc71f3767519e08db688de8d2515a707e65c15044a77a4d4e33c4918ca71c086c370954a6e57979498

Download Submit
/data/data/com.zhangkongapp.joke.bamenshenqi/files/.umeng/exchangeIdentity.json

Filesize
162B

MD5
310a92ecf9166443fa0f5468f823e898

SHA1
0595f216e897261a4c097e2b1df2174ddbb8d83c

SHA256
81a917a5ca82689453e3df1c735d2d0a21a32076f7f70dcc5484ffe587658b12

SHA512
d921ee0e30f359ebd5bcb0d4fa0c9540738365c14e364781ed63467b96479097626b60b6f0180d84a9d98b851fb27fd680e3dc30d74c9ef4207e4e4453765beb

Download Submit
/data/data/com.zhangkongapp.joke.bamenshenqi/files/AntiCheatingLock

Filesize
1B

MD5
55a54008ad1ba589aa210d2629c1df41

SHA1
bf8b4530d8d246dd74ac53a13471bba17941dff7

SHA256
4bf5122f344554c53bde2ebb8cd2b7e3d1600ad631c385a5d7cce23c7785459a

SHA512
7b54b66836c1fbdd13d2441d9e1434dc62ca677fb68f5fe66a464baadecdbd00576f8d6b5ac3bcc80844b7d50b1cc6603444bbe7cfcf8fc0aa1ee3c636d9e339

Download Submit
/data/data/com.zhangkongapp.joke.bamenshenqi/files/td_database0TalkingData/1716570873082_4329

Filesize
2KB

MD5
d8c9679fb0606a6ae3b6ff8dbcd419d8

SHA1
8bb048b4c34c2a2684a9153c9031fe95f8731f2f

SHA256
86f311af75112bdc32223669b20b689dcfda7cfdb66e2b624208c03c7d17d5be

SHA512
0d15fc112a35197f3cb85ec5b9b5fe339ff8d145a07fb1b30968101b2eae98c04fbc54e5a308d114068b7199c027c7370eecc78cfb5397da39b5887d301e667a

Download Submit
/data/data/com.zhangkongapp.joke.bamenshenqi/files/td_database0TalkingData/1716570875133_4329

Filesize
2KB

MD5
17a4f8fc36dcf4766e2008d947dfe32a

SHA1
4ee82394af49b213b15eb523f11c1e7a39851069

SHA256
a39bc608c0a20cb944e9be69dfdac71653aca29899f6e395f6b6fcb446950a01

SHA512
c7697e103be45de5d3f0f1ca2bc14db194acee831f4d9425604dd850f054fefa6806161fd044250ea82dad0f7479a7332cc8656b0ffc9c271c8daf3643b12b30

Download Submit
/data/data/com.zhangkongapp.joke.bamenshenqi/files/td_database2TalkingData/1716570872636_4329

Filesize
2KB

MD5
a932294708178d5b4ca7afd6feca4eb5

SHA1
fa573f204c3e867170288a16c7cf35db46b72de0

SHA256
f12a47a87163c8a2adc3dddeff1ac7cac0c5ff9860b7e6e450cdb4f55385bf67

SHA512
9eadce20e38d7f65c51281fa8be95c8df2aa4519367b0209386d33d4645dc6256f00f5a6e3b7385b6f22e813888e9886269ef5dc9b6d6cd7b8ecf2444a0ea0d2

Download Submit
/data/data/com.zhangkongapp.joke.bamenshenqi/files/td_database2TalkingData/1716570874704_4329

Filesize
11KB

MD5
a4a9101b821b7e7991699a51aab72a05

SHA1
bf55d2b3390ab750e47bd89deeb1d39d615f7196

SHA256
76269549e75972c90b1aebfc7cb9e80ff1561585b0268e8fd9fe5ed1d6529808

SHA512
4854bb335ec025899a98b6f8ba4720b63ecd2dedf6e772182662c68792abd89f75d12f5914de331444466f3de775dded4ad27bcd655300c998ad4e826d619d4c

Download Submit
/data/data/com.zhangkongapp.joke.bamenshenqi/files/umeng_it.cache

Filesize
415B

MD5
b0cc6ac86aeb2604672fab443113cbcd

SHA1
d19f865d2425fbdfd42be8ab8db3bdd54a5f870b

SHA256
76765cd043e61249de425bd577db88bdf654d4a4fe0658694675308e27a8ef3c

SHA512
c290036ebe4acd467f8128d0a01a815018dab5cfc4bc1852cfcc5da573140685a291552ea0784d67472bda7f245e636a9bde3abaeab216b5091bacfac1ee0ce4

Download Submit
/storage/emulated/0/.tcookieid

Filesize
33B

MD5
0a2291a4463099a37d77d408f526e4d3

SHA1
a699c1dbf0fab656396371f91312ff7c6bb79b0e

SHA256
cfff92f7bdb14f5f911a939e9abed5224bc4e7257279c85dc201cf1780cdc0b7

SHA512
9c5697a58825e609ef561930bdf4368541514f68105ef968a855ced74b8afa71445fa9acf7ab572c6a4bfc48be07d1611b2b7973be42d60f5795dbe7923b6bc6

Download Submit
/storage/emulated/0/Android/data/com.zhangkongapp.joke.bamenshenqi/cache/uil-images/journal.tmp

Filesize
31B

MD5
8c92de9ce46d41a22f3b20f77404cc1d

SHA1
8671a6dca00edb72be47363a7071be65cf270373

SHA256
68bb33ddeed9200be85a71f70b377985f9ee68e91578afbde8321463396f1274

SHA512
30f45fe9954215d6adafcc8f0a060a7ff41963a64f9b849a37f0d18fe045038d429ec13bf15226769c4ba78dad3c52f3d9e0dbbb4fcdea4828a1efe956e48f56

Download Submit
/storage/emulated/0/bmsq/accountSave/TDpref_shorttime0.xml

Filesize
127B

MD5
2bbf7192fe2fcbfd738a900ac82a2ae2

SHA1
157b07b43342228ed4244008d12679de041c132a

SHA256
da197b478cef0c7b727a35890f243f99b3e15caab47594882e696cc646802337

SHA512
1c54bce26f2255a9d6bff23e6382cb7af38374ca41d50a4c9e50f507bce0a41c096e623c17c69bacceee746bd6cf87d9ba6451cc7407fc3990a59717ea262d16

Download Submit
/storage/emulated/0/bmsq/accountSave/bmuser_share.db-journal

Filesize
512B

MD5
a846a7f2fb824821714a22c467edf8cc

SHA1
063b7c2c28747c2deeac99aafa578622431ce284

SHA256
5f45af79237afb896e19700611770886b315acbcbb62d3512cd24e3861da3bc1

SHA512
c0f1fbde5524ab0b00c43c48fb013796cc6ea6d5c003d942fa2f9875c51591c87e6355173409fed0504fd9335f6f8e34be4d1610044dd76eccf00c1a4c029205

Download Submit
/storage/emulated/0/bmsq/accountSave/bmuser_share.db-wal

Filesize
32KB

MD5
b45012b85cd01c4bd51e8f192d5b627d

SHA1
53a53a1521a93401520fb6bd79e35285d17df2eb

SHA256
c741c99dc334680851fe88b1d391668d729d9881a3cd78dcdb6aa2630ae37e92

SHA512
9f76dee7b5acddfd13ebd0c3a8587ae68a8fbf5500d6fe3afc45433c33f22556b4299d5698c72d2a42226c6737a5f1c3a6d8a95c33ab4f4ff98ffcbcdb62a527

Download Submit