Analysis
max time kernel: 165s
max time network: 186s
platform: android_x86
resource: android-x86-arm-20240514-en
resource tags: android, arch:arm, arch:x86, image:android-x86-arm-20240514-en, locale:en-us, os:android-9-x86, system
submitted: 24-05-2024 17:19
Static task: static1
Behavioral task: behavioral1
Sample: 6f41ed0a6bcac98f036fba178457a0c3_JaffaCakes118.apk
Resource: android-x86-arm-20240514-en
Behavioral task: behavioral2
Sample: 6f41ed0a6bcac98f036fba178457a0c3_JaffaCakes118.apk
Resource: android-x64-arm64-20240514-en
General
Target: 6f41ed0a6bcac98f036fba178457a0c3_JaffaCakes118.apk
Size: 4.7MB
MD5: 6f41ed0a6bcac98f036fba178457a0c3
SHA1: 4028b8e76b021d87725eb3b2636f0eae58972a7d
SHA256: 5d4f5e65b571e1a4b19a829f3d7b4eb4a19ef8b0d7f6a90d33c960a39dcb2726
SHA512: 50cbe56cee0f506ef0acb5b5b0bc618ccfe5c1bd3dfdb8f9e71d6a99d04c61273cc6281bef86354d51281ba62a239060e5a42ba8c3cef75de132cadf3d31b39f
SSDEEP: 98304:p0jXJ6R7OTuQ44BMqr7AsJt1kRuqXWb4EaVkyw/xrzvVp:W16lkRBMq7BrkkqvE1b/FL
Malware Config
Signatures
-
Checks if the Android device is rooted. (1 TTP, 2 IoCs)
Processes: wntgq.dcloud.DUSFWHVI:pushcore, wntgq.dcloud.DUSFWHVI:multiprocess
  /sbin/su  (process: wntgq.dcloud.DUSFWHVI:pushcore)
  /sbin/su  (process: wntgq.dcloud.DUSFWHVI:multiprocess)
-
Checks CPU information (2 TTPs, 3 IoCs)
Checks CPU information which indicates whether the system is an emulator.
Processes: wntgq.dcloud.DUSFWHVI, wntgq.dcloud.DUSFWHVI:pushcore, wntgq.dcloud.DUSFWHVI:multiprocess
  File opened for read: /proc/cpuinfo  (process: wntgq.dcloud.DUSFWHVI)
  File opened for read: /proc/cpuinfo  (process: wntgq.dcloud.DUSFWHVI:pushcore)
  File opened for read: /proc/cpuinfo  (process: wntgq.dcloud.DUSFWHVI:multiprocess)
-
Checks known Qemu files. (1 TTP, 6 IoCs)
Checks for known Qemu files that exist on Android virtual device images.
Processes: wntgq.dcloud.DUSFWHVI:pushcore, wntgq.dcloud.DUSFWHVI:multiprocess
  /system/bin/qemu-props  (process: wntgq.dcloud.DUSFWHVI:pushcore)
  /system/lib/libc_malloc_debug_qemu.so  (process: wntgq.dcloud.DUSFWHVI:multiprocess)
  /sys/qemu_trace  (process: wntgq.dcloud.DUSFWHVI:multiprocess)
  /system/bin/qemu-props  (process: wntgq.dcloud.DUSFWHVI:multiprocess)
  /system/lib/libc_malloc_debug_qemu.so  (process: wntgq.dcloud.DUSFWHVI:pushcore)
  /sys/qemu_trace  (process: wntgq.dcloud.DUSFWHVI:pushcore)
-
Checks known Qemu pipes. (1 TTP, 4 IoCs)
Checks for known pipes used by the Android emulator to communicate with the host.
Processes: wntgq.dcloud.DUSFWHVI:pushcore, wntgq.dcloud.DUSFWHVI:multiprocess
  /dev/socket/qemud  (process: wntgq.dcloud.DUSFWHVI:pushcore)
  /dev/qemu_pipe  (process: wntgq.dcloud.DUSFWHVI:pushcore)
  /dev/socket/qemud  (process: wntgq.dcloud.DUSFWHVI:multiprocess)
  /dev/qemu_pipe  (process: wntgq.dcloud.DUSFWHVI:multiprocess)
-
Checks memory information (2 TTPs, 3 IoCs)
Checks memory information which indicates whether the system is an emulator.
Processes: wntgq.dcloud.DUSFWHVI:multiprocess, wntgq.dcloud.DUSFWHVI, wntgq.dcloud.DUSFWHVI:pushcore
  File opened for read: /proc/meminfo  (process: wntgq.dcloud.DUSFWHVI:multiprocess)
  File opened for read: /proc/meminfo  (process: wntgq.dcloud.DUSFWHVI)
  File opened for read: /proc/meminfo  (process: wntgq.dcloud.DUSFWHVI:pushcore)
-
Queries information about running processes on the device (1 TTP, 3 IoCs)
Application may abuse the framework's APIs to collect information about running processes on the device.
Processes: wntgq.dcloud.DUSFWHVI, wntgq.dcloud.DUSFWHVI:pushcore, wntgq.dcloud.DUSFWHVI:multiprocess
  Framework service call: android.app.IActivityManager.getRunningAppProcesses  (process: wntgq.dcloud.DUSFWHVI)
  Framework service call: android.app.IActivityManager.getRunningAppProcesses  (process: wntgq.dcloud.DUSFWHVI:pushcore)
  Framework service call: android.app.IActivityManager.getRunningAppProcesses  (process: wntgq.dcloud.DUSFWHVI:multiprocess)
-
Queries the mobile country code (MCC) (1 TTP, 3 IoCs)
Processes: wntgq.dcloud.DUSFWHVI, wntgq.dcloud.DUSFWHVI:pushcore, wntgq.dcloud.DUSFWHVI:multiprocess
  Framework service call: com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone  (process: wntgq.dcloud.DUSFWHVI)
  Framework service call: com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone  (process: wntgq.dcloud.DUSFWHVI:pushcore)
  Framework service call: com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone  (process: wntgq.dcloud.DUSFWHVI:multiprocess)
-
Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTP, 3 IoCs)
Processes: wntgq.dcloud.DUSFWHVI, wntgq.dcloud.DUSFWHVI:pushcore, wntgq.dcloud.DUSFWHVI:multiprocess
  Framework service call: android.app.IActivityManager.registerReceiver  (process: wntgq.dcloud.DUSFWHVI)
  Framework service call: android.app.IActivityManager.registerReceiver  (process: wntgq.dcloud.DUSFWHVI:pushcore)
  Framework service call: android.app.IActivityManager.registerReceiver  (process: wntgq.dcloud.DUSFWHVI:multiprocess)
-
Checks if the internet connection is available (1 TTP, 3 IoCs)
Processes: wntgq.dcloud.DUSFWHVI:multiprocess, wntgq.dcloud.DUSFWHVI, wntgq.dcloud.DUSFWHVI:pushcore
  Framework service call: android.net.IConnectivityManager.getActiveNetworkInfo  (process: wntgq.dcloud.DUSFWHVI:multiprocess)
  Framework service call: android.net.IConnectivityManager.getActiveNetworkInfo  (process: wntgq.dcloud.DUSFWHVI)
  Framework service call: android.net.IConnectivityManager.getActiveNetworkInfo  (process: wntgq.dcloud.DUSFWHVI:pushcore)
-
Queries the unique device ID (IMEI, MEID, IMSI) (1 TTP)
-
Uses Crypto APIs (Might try to encrypt user data) (1 TTP, 3 IoCs)
Processes: wntgq.dcloud.DUSFWHVI, wntgq.dcloud.DUSFWHVI:pushcore, wntgq.dcloud.DUSFWHVI:multiprocess
  Framework API call: javax.crypto.Cipher.doFinal  (process: wntgq.dcloud.DUSFWHVI)
  Framework API call: javax.crypto.Cipher.doFinal  (process: wntgq.dcloud.DUSFWHVI:pushcore)
  Framework API call: javax.crypto.Cipher.doFinal  (process: wntgq.dcloud.DUSFWHVI:multiprocess)
Processes
-
Process tree (child processes are indented under the process that spawned them):

wntgq.dcloud.DUSFWHVI
  - Checks CPU information
  - Checks memory information
  - Queries information about running processes on the device
  - Queries the mobile country code (MCC)
  - Registers a broadcast receiver at runtime (usually for listening for system events)
  - Checks if the internet connection is available
  - Uses Crypto APIs (Might try to encrypt user data)
  Child process:
    getprop ro.product.cpu.abi

wntgq.dcloud.DUSFWHVI:pushcore
  - Checks if the Android device is rooted.
  - Checks CPU information
  - Checks known Qemu files.
  - Checks known Qemu pipes.
  - Checks memory information
  - Queries information about running processes on the device
  - Queries the mobile country code (MCC)
  - Registers a broadcast receiver at runtime (usually for listening for system events)
  - Checks if the internet connection is available
  - Uses Crypto APIs (Might try to encrypt user data)
  Child processes:
    /system/bin/sh -c getprop
    getprop

wntgq.dcloud.DUSFWHVI:multiprocess
  - Checks if the Android device is rooted.
  - Checks CPU information
  - Checks known Qemu files.
  - Checks known Qemu pipes.
  - Checks memory information
  - Queries information about running processes on the device
  - Queries the mobile country code (MCC)
  - Registers a broadcast receiver at runtime (usually for listening for system events)
  - Checks if the internet connection is available
  - Uses Crypto APIs (Might try to encrypt user data)
  Child processes:
    /system/bin/sh -c getprop
    getprop
Network
MITRE ATT&CK Matrix
Downloads
-
/data/data/wntgq.dcloud.DUSFWHVI/app_crashrecord/1004
Filesize: 243B
MD5: adadabebbcfce107bc52717e2a67e52a
SHA1: 51df82824fedd43aa9a115d3ce1366f773b109c4
SHA256: 62783d28ad75fbf33188c1c432bd538c68043a4f657bdf30d4e057009d3170b4
SHA512: 63543de41070d942f1157424467a300b8932600c6eb8d0523bafe4825470afd5b106664911f8b4196c33f8f5b144299e92585d8f120f7bf5f2deab0d3508c83a
-
/data/data/wntgq.dcloud.DUSFWHVI/app_tbs/core_private/download_upload
Filesize: 84B
MD5: f9772d71140d80632ea89c0c4dd1d90b
SHA1: a915af66e726369fd00101bfede9b29bd13940a2
SHA256: 8cc469d6d53ec6d7fe8c91625de406f8b242329ce4e60f50d55e42f2582a7b7f
SHA512: a2397496fb641d75a930f8285522aeebba95043556c021e5e60d1a5b3ff60513caf88195f827d10d45c614c0a028fea13a2941551ddebf93a2920157c3d32869
-
/data/data/wntgq.dcloud.DUSFWHVI/app_tbs/core_private/download_upload
Filesize: 14KB
MD5: 93af883be300a05591cd6fe3e24c9b23
SHA1: 633388ec1d571b107491a23c795c1c142c6f1ec6
SHA256: 4dd670d0b32d3d4eec5805379a41d4c1494e1be07e7817b06b8a0137d0b6192d
SHA512: 47d3ad2eff960bdf12451657e352c0f1bdef79c64448fd5eda6b8c5ee3265dc376e46d8b51b1e1ffa42784027f157c86b8c9097b5ac3df547ca3eabe7bf17f5b
-
/data/data/wntgq.dcloud.DUSFWHVI/app_tbs/core_private/download_upload
Filesize: 84B
MD5: 134e76738364108400fcb4acdae0e9dc
SHA1: 6268e0f79f376d29a4fd250ab994a7abc09c4fa5
SHA256: 2b13a339925e71fb1513fbba8332c51a5f786fd1b44a5f5d65dc2e75da855de7
SHA512: 65e403c1649d0f26fe156502c4f1ca0a2c94900fce72ad36e6b00a3d69fb25e0613bbc959954fab6845e964542d39e7e9577deb93606290516186b0871ccb519
-
/data/data/wntgq.dcloud.DUSFWHVI/app_tbs/core_private/download_upload
Filesize: 84B
MD5: 79b328853e976c89addd27240589a52c
SHA1: 083a5f9c9e9fed08222ff799c1433c7dfac07090
SHA256: 7c2414e88b7f01c04416ecf27e2e8597da4da66a013fa7c2317e98efba6a2790
SHA512: b1736a07594b432cbfe33f4ce97a2cc517658b205ed697bb9ff484eb64c05be8369c1d52a38db490d8c57a924f2d114d50c775781b24985c936448bad365ce7d
-
/data/data/wntgq.dcloud.DUSFWHVI/app_tbs/core_private/download_upload
Filesize: 58B
MD5: 0d210bfb2a0e1f1b4c082a6a0f79de07
SHA1: bb8ed9e364db79d1d9f2fcde3f15091893222faa
SHA256: 988722c23d78a46021d0e7ca9deee7aa8bb83288269174ffacb7316f381cca1d
SHA512: 536e9867b0df29b15b789f8949be6ab37fcdeccb9d39ded981da7dc2052c9533d0ec0e6f9a5444132977605d372e1463d91bdde41b528ff2ca3f65ab152325c1
-
/data/data/wntgq.dcloud.DUSFWHVI/app_tbs/core_private/download_upload
Filesize: 80KB
MD5: 64986864e3810289b4d3bd6a8ef2e4e9
SHA1: 14e8e25f258b30411d6bb9c94b82b6f7a55f358b
SHA256: 7388e41513131d60743cfd7e00b44eb2c146e4bb4bb53d174301a9aea0417040
SHA512: d94e9d9f2d96f9e44506dfe60f18080d394af850db87d035f23a4cd82152b06574d7b7c5fbf4eb75e790c635a82e1c96b1ff89a2ec15106139794c0370dc6e47
-
/data/data/wntgq.dcloud.DUSFWHVI/databases/bugly_db_
Filesize: 4KB
MD5: 3c8cf031b02f47249a4119bc4fd9ed88
SHA1: d41c9fe2b92fa8d1a02064a7b927f4a84298d16a
SHA256: 5dec3afee1082f0733d78ea717ecdcd5166289b61fc12c3454802281d56ed45a
SHA512: 694184a8e87d5e5aa3dcb0097706dde6c3b7d4865578caad1625979d9cc111326c3cb5db2a52566f1c47a5fe07bcc8c9b6e9651b4336fcffa9751f3a7d5434b4
-
/data/data/wntgq.dcloud.DUSFWHVI/databases/bugly_db_-journal
Filesize: 512B
MD5: 996dfca4ce0fadc7a86aa8c111f3b451
SHA1: f3efe23d3a0d72aae5c07c46369b0c0a9d4c54bf
SHA256: 9f7d9982539ecaca73c90adf093bbdbbccbe1f147bb6ce29f567f0f3a8d1cfbb
SHA512: 07b1fe652c5aedff4449a5052646e0703191fee5725d8a7b7527e2911452e9f0e3d6ac563de60e3554304d2cf075975aefbdcc1f7bd0caaf7137c622c279c831
-
/data/data/wntgq.dcloud.DUSFWHVI/databases/bugly_db_-shm
Filesize: 32KB
MD5: 4e8994d4beda752e9d28c1d44f678185
SHA1: c358a00bc95882ef1d86ae8eceb90cc81a69ebae
SHA256: b8930c6adcfbcb867f6b5217c15eaa296c8f685e4273919b87994cc42a016611
SHA512: e19af09d8031e1a224e6da57bac1105a3987c59e06d9c81f8d6a1a18311b083fe525426cb96dc2f87632c8cbe3d18cd46e239bc7d548ada5126aeb0008ea0263
-
/data/data/wntgq.dcloud.DUSFWHVI/databases/bugly_db_-wal
Filesize: 68KB
MD5: d0cbdd4aae20fb01af77d1e317dc40fa
SHA1: 51decf179954462f3ee9572f028046efb85f94e4
SHA256: 6183a3cc08202c022df7983d7c94224e41f60cfc376ebca887e95bc61ce442de
SHA512: 5fcc48f29135d5a7ab1e41a73a15aed52a12ecd57f2ec4d791afbc493ce330833187dab8fa0177de070846734484d66770dcf4c265cb12a07da5aeb41ee077e1
-
/data/data/wntgq.dcloud.DUSFWHVI/databases/bugly_db_-wal
Filesize: 88KB
MD5: e33e5b59b82c8248fee242c52a0febec
SHA1: fd02835c44add941cef3ebb5576487f85f7be6d5
SHA256: ef04c29db1cb7a2194dffd613614ff84d76bfc9374fc15f2d0c9b22424ae5af6
SHA512: e46900539f1a6792bbc6a333d2448e67a6f4fab8d268e898990f6998bb8e21697eefdb1ef4fb9ec44f58f77d80a78837c1dab2860000e48bb4aa372882649042
-
/data/data/wntgq.dcloud.DUSFWHVI/databases/ua.db
Filesize: 36KB
MD5: 0adda9c85a5e4808f5b1b74c0a8591a5
SHA1: 5048107883ab1e345af9cf2e6849ce46e0e612bf
SHA256: 1e17860bba2bb4e3e92df3890aa6dddc973d6602c71519a15556d37bb69de2a1
SHA512: 646061d3d5849772511bd94e36ca2d775a9a672851629d1812942ec0f0f925714eb7d4ebac44889911320cb6710a2f586014f6b1e126739cab653c4f8deef2d1
-
/data/data/wntgq.dcloud.DUSFWHVI/databases/ua.db
Filesize: 24KB
MD5: dbf85737548c7bb5a124a299384ea796
SHA1: e8f3edcc9aad58091d29fc0955299f604fb488b5
SHA256: 8445b2263342117bcca09a4cc453c68c56fb732163a87602e7ade69bd0a84589
SHA512: d174e7794d4fc1fd2e9390cde0cdc9b6a8469ae088800f94a3c5634add0cbe540f8701418e3a375e9b229a6b8a41c8f928514db05688af57a619a8d82e743b78
-
/data/data/wntgq.dcloud.DUSFWHVI/databases/ua.db-journal
Filesize: 512B
MD5: 3940799c8da887176c55d9642496bdc0
SHA1: c18a3d6bce7e1b2c803870e87851e8afd52efdcd
SHA256: 0477e3166509be9185a7715b86b84bed3705d9768a11e77513cf07d15c343b54
SHA512: fb305c4c97ff29ec3dff3397f756edd2a98a517b966d2e84c513994976d7659a2c70822ad6181d012daff7272de4e59a081e96913d6f7130efa7669a8bb48808
-
/data/data/wntgq.dcloud.DUSFWHVI/databases/ua.db-shm
Filesize: 32KB
MD5: bb7df04e1b0a2570657527a7e108ae23
SHA1: 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256: c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512: 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012
-
/data/data/wntgq.dcloud.DUSFWHVI/databases/ua.db-wal
Filesize: 48KB
MD5: 3b18a4adc718add29372fd6c32c7255d
SHA1: 24d58595a9b9256ec117a33974e620ce99d715ea
SHA256: 074e7dfd8e6816399996f02126e78bfa1b797a96b4e47d4f08c8d6c4e20cb906
SHA512: 1ce3d477bc00ea293d13109d627991d57a3cc31b41663249cc62994fa75c159e8803f307a7438683185e4f0bc074349122db2f1a836b3696147e4eadfa960ec9
-
/data/data/wntgq.dcloud.DUSFWHVI/databases/ua.db-wal
Filesize: 12KB
MD5: 7665a8cd3eab76b9b82eced3feba108a
SHA1: fe0b43914ecc17a25682424f4b4dcad7722c616b
SHA256: b7dbdf3400b2f3c904c4c3d2c4e65c1ce76fbe667a292a3e4b15e45a5561abc2
SHA512: eef194d82ef4c403f54c92e59a1d31cd186ebdf4b393e643674cf47f7f8d0272a080b4ddcb2b701e844d6a399433ce1f20af7486d945aa120a2d158786556e7d
-
/data/data/wntgq.dcloud.DUSFWHVI/files/.envelope/a==7.5.0&&1.0.0_1716571196725_envelope.log
Filesize: 1KB
MD5: 768cb1edeaea4eeb83a929351ad47a7c
SHA1: ec182250aec065ba49f6c2646f23ee48ad0055b7
SHA256: 74063e559f6ae2605272eeca42d8b86d4fa0a93892f40636b5bece874668b5e7
SHA512: ad9ce4be7ef09ed65ecc17622bcfafe4aa9aa50d2fac6756d5c0e7499cf4d5e565d5305866f21073686234164cf6ecd85f477d9a68a22b495021f05e2e0162d6
-
/data/data/wntgq.dcloud.DUSFWHVI/files/.umeng/exchangeIdentity.json
Filesize: 162B
MD5: 9e85d3183880cf05dbc0569734ca8828
SHA1: ef33d104b0e207f8129996aa746e01fd32bf2cb7
SHA256: 049233f7355d2c0981c184f7dfd609b1038ec8fd15477100db297c67adc7b3b9
SHA512: 871e123111d17a6c6f2d667157af3261ea6cfe03e72748d3a00974c7a427f2fac9901c1f1fc15adbca5d98dbf6c97174159499f34f993d1a46f273931dbb8472
-
/data/data/wntgq.dcloud.DUSFWHVI/files/exid.dat
Filesize: 57B
MD5: ae47104e6e03648bc92645bcf269a220
SHA1: cdbeb4b59e70e762778ba29ceaec82b1a2bce3c4
SHA256: 83aab6b1cbb932f64a4510241f1115201398eeb460112cbe612002b1b31f9a43
SHA512: 3892d5555b697250664b0b6ebb80a60a11d7f9bfdb8c9d768076da1cc2cda4f14e68bdc0ddc78744c446a6250c49ee2390b7fe8de8fa5354dbd3b519b0cc40af
-
/data/data/wntgq.dcloud.DUSFWHVI/files/jpush_stat_history/active_user/nowrap/a33be6e6-5899-43b8-b1bb-098dccfb66a0
Filesize: 159B
MD5: d9242f5f3091edb80862c2c697d72ec7
SHA1: cfa3ae2920cd4731fe0095215dcac0490b77fa6b
SHA256: ce0d7ba1027279af65de28b81a1a3b47dc66252f6451c95f88b0275d2efdbf9d
SHA512: 3f45d16926062b9ff1643101c9a9fb0f2c756717f370986d8ff6f6fd8647703748a779c0608ae15859eb2d1845d1f8ad21e85cd231964f414e226b9bfbaeca01
-
/data/data/wntgq.dcloud.DUSFWHVI/files/umeng_it.cache
Filesize: 415B
MD5: 0d29323cb64727d566acd85c5c7dcbbf
SHA1: 6e23b5a9fd6a13ec4499bedb1ed6c7085b866a57
SHA256: a926fcb642a1ef9b3c414e48347a58b483cc1075de6a518ec10b09ddcd4dda29
SHA512: cff57c17e5095a00f411006accc9491a70ab6ecfebd3fa690b197efcd120be41739ee0a46027710d568ea797031fea4a631c6f58357f9efcb5d92745cecefce5
-
/storage/emulated/0/Android/data/wntgq.dcloud.DUSFWHVI/files/tbslog/tbslog.txt
Filesize: 11KB
MD5: 8bc48885dd10b3d50a9365a6c058c2ce
SHA1: ff947483f84147dfe690d4aabebe556299a956e8
SHA256: 6a4f39b3177f3b7587ec82d0644eaa31b25a04ecc83cbd88a8f5ab79c58cae97
SHA512: 132e15e235254d3ee72db6f0d58af28a16db6f9a64b2d984aae8c663d8d8982a14e883371c875808072dcdeff284492c2fa99d2c4e716abccd1d54c9eb36d732
-
/storage/emulated/0/data/.push_deviceid
Filesize: 32B
MD5: b55f706d2bd3efa5a04a22e408cd7fa0
SHA1: 088ecf8c25ba708462c2217fac92ff7f0894b39e
SHA256: 9dfe5ea3d5ea27a286e7060b871a9471cee7fb6e2ef6a23a8eb44ad67d323636
SHA512: 8182b13b6e5103a3e7f108fee2a3573011010badf0b4ee6ed8f6b72e8b419ea02275a5798f1b99f0e44cca97979f7c04a0c8e6a3aea6e361c940fddc8b692395