5d4f5e65b571e1a4b19a829f3d7b4eb4a19ef8b0d7f6a90d33c960a39dcb2726

Analysis

max time kernel
165s
max time network
186s
platform
android_x86
resource
android-x86-arm-20240514-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20240514-enlocale:en-usos:android-9-x86system
submitted
24-05-2024 17:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6f41ed0a6bcac98f036fba178457a0c3_JaffaCakes118.apk
Size

4.7MB
MD5

6f41ed0a6bcac98f036fba178457a0c3
SHA1

4028b8e76b021d87725eb3b2636f0eae58972a7d
SHA256

5d4f5e65b571e1a4b19a829f3d7b4eb4a19ef8b0d7f6a90d33c960a39dcb2726
SHA512

50cbe56cee0f506ef0acb5b5b0bc618ccfe5c1bd3dfdb8f9e71d6a99d04c61273cc6281bef86354d51281ba62a239060e5a42ba8c3cef75de132cadf3d31b39f
SSDEEP

98304:p0jXJ6R7OTuQ44BMqr7AsJt1kRuqXWb4EaVkyw/xrzvVp:W16lkRBMq7BrkkqvE1b/FL

Score

8^/10

discovery evasion impact persistence

Malware Config

Signatures

Checks if the Android device is rooted. 1 TTPs 2 IoCs
evasion

T1426

Processes:

wntgq.dcloud.DUSFWHVI:pushcorewntgq.dcloud.DUSFWHVI:multiprocess

ioc process

/sbin/su wntgq.dcloud.DUSFWHVI:pushcore
/sbin/su wntgq.dcloud.DUSFWHVI:multiprocess

ioc	process
/sbin/su	wntgq.dcloud.DUSFWHVI:pushcore
/sbin/su	wntgq.dcloud.DUSFWHVI:multiprocess

Checks CPU information 2 TTPs 3 IoCs

Checks CPU information which indicate if the system is an emulator.

evasion discovery

T1633.001

T1426

Processes:

wntgq.dcloud.DUSFWHVIwntgq.dcloud.DUSFWHVI:pushcorewntgq.dcloud.DUSFWHVI:multiprocess

description	ioc	process
File opened for read	/proc/cpuinfo	wntgq.dcloud.DUSFWHVI
File opened for read	/proc/cpuinfo	wntgq.dcloud.DUSFWHVI:pushcore
File opened for read	/proc/cpuinfo	wntgq.dcloud.DUSFWHVI:multiprocess

Checks known Qemu files. 1 TTPs 6 IoCs

Checks for known Qemu files that exist on Android virtual device images.

evasion

T1633.001

Processes:

wntgq.dcloud.DUSFWHVI:pushcorewntgq.dcloud.DUSFWHVI:multiprocess

ioc	process
/system/bin/qemu-props	wntgq.dcloud.DUSFWHVI:pushcore
/system/lib/libc_malloc_debug_qemu.so	wntgq.dcloud.DUSFWHVI:multiprocess
/sys/qemu_trace	wntgq.dcloud.DUSFWHVI:multiprocess
/system/bin/qemu-props	wntgq.dcloud.DUSFWHVI:multiprocess
/system/lib/libc_malloc_debug_qemu.so	wntgq.dcloud.DUSFWHVI:pushcore
/sys/qemu_trace	wntgq.dcloud.DUSFWHVI:pushcore

Checks known Qemu pipes. 1 TTPs 4 IoCs

Checks for known pipes used by the Android emulator to communicate with the host.

evasion

T1633.001

Processes:

wntgq.dcloud.DUSFWHVI:pushcorewntgq.dcloud.DUSFWHVI:multiprocess

ioc	process
/dev/socket/qemud	wntgq.dcloud.DUSFWHVI:pushcore
/dev/qemu_pipe	wntgq.dcloud.DUSFWHVI:pushcore
/dev/socket/qemud	wntgq.dcloud.DUSFWHVI:multiprocess
/dev/qemu_pipe	wntgq.dcloud.DUSFWHVI:multiprocess

Checks memory information 2 TTPs 3 IoCs

Checks memory information which indicate if the system is an emulator.

evasion discovery

T1633.001

T1426

Processes:

wntgq.dcloud.DUSFWHVI:multiprocesswntgq.dcloud.DUSFWHVIwntgq.dcloud.DUSFWHVI:pushcore

description	ioc	process
File opened for read	/proc/meminfo	wntgq.dcloud.DUSFWHVI:multiprocess
File opened for read	/proc/meminfo	wntgq.dcloud.DUSFWHVI
File opened for read	/proc/meminfo	wntgq.dcloud.DUSFWHVI:pushcore

Queries information about running processes on the device 1 TTPs 3 IoCs

Application may abuse the framework's APIs to collect information about running processes on the device.

discovery

T1424

Processes:

wntgq.dcloud.DUSFWHVIwntgq.dcloud.DUSFWHVI:pushcorewntgq.dcloud.DUSFWHVI:multiprocess

description	ioc	process
Framework service call	android.app.IActivityManager.getRunningAppProcesses	wntgq.dcloud.DUSFWHVI
Framework service call	android.app.IActivityManager.getRunningAppProcesses	wntgq.dcloud.DUSFWHVI:pushcore
Framework service call	android.app.IActivityManager.getRunningAppProcesses	wntgq.dcloud.DUSFWHVI:multiprocess

Queries the mobile country code (MCC) 1 TTPs 3 IoCs

discovery

T1422

Processes:

wntgq.dcloud.DUSFWHVIwntgq.dcloud.DUSFWHVI:pushcorewntgq.dcloud.DUSFWHVI:multiprocess

description	ioc	process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	wntgq.dcloud.DUSFWHVI
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	wntgq.dcloud.DUSFWHVI:pushcore
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	wntgq.dcloud.DUSFWHVI:multiprocess

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 3 IoCs

persistence

T1624.001

Processes:

wntgq.dcloud.DUSFWHVIwntgq.dcloud.DUSFWHVI:pushcorewntgq.dcloud.DUSFWHVI:multiprocess

description	ioc	process
Framework service call	android.app.IActivityManager.registerReceiver	wntgq.dcloud.DUSFWHVI
Framework service call	android.app.IActivityManager.registerReceiver	wntgq.dcloud.DUSFWHVI:pushcore
Framework service call	android.app.IActivityManager.registerReceiver	wntgq.dcloud.DUSFWHVI:multiprocess

Checks if the internet connection is available 1 TTPs 3 IoCs

discovery

T1421

Processes:

wntgq.dcloud.DUSFWHVI:multiprocesswntgq.dcloud.DUSFWHVIwntgq.dcloud.DUSFWHVI:pushcore

description	ioc	process
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	wntgq.dcloud.DUSFWHVI:multiprocess
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	wntgq.dcloud.DUSFWHVI
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	wntgq.dcloud.DUSFWHVI:pushcore

Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
discovery

T1422

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 3 IoCs

impact

T1471

Processes:

wntgq.dcloud.DUSFWHVIwntgq.dcloud.DUSFWHVI:pushcorewntgq.dcloud.DUSFWHVI:multiprocess

description	ioc	process
Framework API call	javax.crypto.Cipher.doFinal	wntgq.dcloud.DUSFWHVI
Framework API call	javax.crypto.Cipher.doFinal	wntgq.dcloud.DUSFWHVI:pushcore
Framework API call	javax.crypto.Cipher.doFinal	wntgq.dcloud.DUSFWHVI:multiprocess

wntgq.dcloud.DUSFWHVI
1⤵
- Checks CPU information
- Checks memory information
- Queries information about running processes on the device
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Checks if the internet connection is available
- Uses Crypto APIs (Might try to encrypt user data)
PID:4241

getprop ro.product.cpu.abi
2⤵
PID:4400

wntgq.dcloud.DUSFWHVI:pushcore
1⤵
- Checks if the Android device is rooted.
- Checks CPU information
- Checks known Qemu files.
- Checks known Qemu pipes.
- Checks memory information
- Queries information about running processes on the device
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Checks if the internet connection is available
- Uses Crypto APIs (Might try to encrypt user data)
PID:4483

/system/bin/sh -c getprop
2⤵
PID:4668

getprop
2⤵
PID:4668

wntgq.dcloud.DUSFWHVI:multiprocess
1⤵
- Checks if the Android device is rooted.
- Checks CPU information
- Checks known Qemu files.
- Checks known Qemu pipes.
- Checks memory information
- Queries information about running processes on the device
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Checks if the internet connection is available
- Uses Crypto APIs (Might try to encrypt user data)
PID:4552

/system/bin/sh -c getprop
2⤵
PID:4766

getprop
2⤵
PID:4766

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/wntgq.dcloud.DUSFWHVI/app_crashrecord/1004
Filesize
243B

MD5
adadabebbcfce107bc52717e2a67e52a

SHA1
51df82824fedd43aa9a115d3ce1366f773b109c4

SHA256
62783d28ad75fbf33188c1c432bd538c68043a4f657bdf30d4e057009d3170b4

SHA512
63543de41070d942f1157424467a300b8932600c6eb8d0523bafe4825470afd5b106664911f8b4196c33f8f5b144299e92585d8f120f7bf5f2deab0d3508c83a

Download Submit
/data/data/wntgq.dcloud.DUSFWHVI/app_tbs/core_private/download_upload
Filesize
84B

MD5
f9772d71140d80632ea89c0c4dd1d90b

SHA1
a915af66e726369fd00101bfede9b29bd13940a2

SHA256
8cc469d6d53ec6d7fe8c91625de406f8b242329ce4e60f50d55e42f2582a7b7f

SHA512
a2397496fb641d75a930f8285522aeebba95043556c021e5e60d1a5b3ff60513caf88195f827d10d45c614c0a028fea13a2941551ddebf93a2920157c3d32869

Download Submit
/data/data/wntgq.dcloud.DUSFWHVI/app_tbs/core_private/download_upload
Filesize
14KB

MD5
93af883be300a05591cd6fe3e24c9b23

SHA1
633388ec1d571b107491a23c795c1c142c6f1ec6

SHA256
4dd670d0b32d3d4eec5805379a41d4c1494e1be07e7817b06b8a0137d0b6192d

SHA512
47d3ad2eff960bdf12451657e352c0f1bdef79c64448fd5eda6b8c5ee3265dc376e46d8b51b1e1ffa42784027f157c86b8c9097b5ac3df547ca3eabe7bf17f5b

Download Submit
/data/data/wntgq.dcloud.DUSFWHVI/app_tbs/core_private/download_upload
Filesize
84B

MD5
134e76738364108400fcb4acdae0e9dc

SHA1
6268e0f79f376d29a4fd250ab994a7abc09c4fa5

SHA256
2b13a339925e71fb1513fbba8332c51a5f786fd1b44a5f5d65dc2e75da855de7

SHA512
65e403c1649d0f26fe156502c4f1ca0a2c94900fce72ad36e6b00a3d69fb25e0613bbc959954fab6845e964542d39e7e9577deb93606290516186b0871ccb519

Download Submit
/data/data/wntgq.dcloud.DUSFWHVI/app_tbs/core_private/download_upload
Filesize
84B

MD5
79b328853e976c89addd27240589a52c

SHA1
083a5f9c9e9fed08222ff799c1433c7dfac07090

SHA256
7c2414e88b7f01c04416ecf27e2e8597da4da66a013fa7c2317e98efba6a2790

SHA512
b1736a07594b432cbfe33f4ce97a2cc517658b205ed697bb9ff484eb64c05be8369c1d52a38db490d8c57a924f2d114d50c775781b24985c936448bad365ce7d

Download Submit
/data/data/wntgq.dcloud.DUSFWHVI/app_tbs/core_private/download_upload
Filesize
58B

MD5
0d210bfb2a0e1f1b4c082a6a0f79de07

SHA1
bb8ed9e364db79d1d9f2fcde3f15091893222faa

SHA256
988722c23d78a46021d0e7ca9deee7aa8bb83288269174ffacb7316f381cca1d

SHA512
536e9867b0df29b15b789f8949be6ab37fcdeccb9d39ded981da7dc2052c9533d0ec0e6f9a5444132977605d372e1463d91bdde41b528ff2ca3f65ab152325c1

Download Submit
/data/data/wntgq.dcloud.DUSFWHVI/app_tbs/core_private/download_upload
Filesize
80KB

MD5
64986864e3810289b4d3bd6a8ef2e4e9

SHA1
14e8e25f258b30411d6bb9c94b82b6f7a55f358b

SHA256
7388e41513131d60743cfd7e00b44eb2c146e4bb4bb53d174301a9aea0417040

SHA512
d94e9d9f2d96f9e44506dfe60f18080d394af850db87d035f23a4cd82152b06574d7b7c5fbf4eb75e790c635a82e1c96b1ff89a2ec15106139794c0370dc6e47

Download Submit
/data/data/wntgq.dcloud.DUSFWHVI/databases/bugly_db_
Filesize
4KB

MD5
3c8cf031b02f47249a4119bc4fd9ed88

SHA1
d41c9fe2b92fa8d1a02064a7b927f4a84298d16a

SHA256
5dec3afee1082f0733d78ea717ecdcd5166289b61fc12c3454802281d56ed45a

SHA512
694184a8e87d5e5aa3dcb0097706dde6c3b7d4865578caad1625979d9cc111326c3cb5db2a52566f1c47a5fe07bcc8c9b6e9651b4336fcffa9751f3a7d5434b4

Download Submit
/data/data/wntgq.dcloud.DUSFWHVI/databases/bugly_db_-journal
Filesize
512B

MD5
996dfca4ce0fadc7a86aa8c111f3b451

SHA1
f3efe23d3a0d72aae5c07c46369b0c0a9d4c54bf

SHA256
9f7d9982539ecaca73c90adf093bbdbbccbe1f147bb6ce29f567f0f3a8d1cfbb

SHA512
07b1fe652c5aedff4449a5052646e0703191fee5725d8a7b7527e2911452e9f0e3d6ac563de60e3554304d2cf075975aefbdcc1f7bd0caaf7137c622c279c831

Download Submit
/data/data/wntgq.dcloud.DUSFWHVI/databases/bugly_db_-shm
Filesize
32KB

MD5
4e8994d4beda752e9d28c1d44f678185

SHA1
c358a00bc95882ef1d86ae8eceb90cc81a69ebae

SHA256
b8930c6adcfbcb867f6b5217c15eaa296c8f685e4273919b87994cc42a016611

SHA512
e19af09d8031e1a224e6da57bac1105a3987c59e06d9c81f8d6a1a18311b083fe525426cb96dc2f87632c8cbe3d18cd46e239bc7d548ada5126aeb0008ea0263

Download Submit
/data/data/wntgq.dcloud.DUSFWHVI/databases/bugly_db_-wal
Filesize
68KB

MD5
d0cbdd4aae20fb01af77d1e317dc40fa

SHA1
51decf179954462f3ee9572f028046efb85f94e4

SHA256
6183a3cc08202c022df7983d7c94224e41f60cfc376ebca887e95bc61ce442de

SHA512
5fcc48f29135d5a7ab1e41a73a15aed52a12ecd57f2ec4d791afbc493ce330833187dab8fa0177de070846734484d66770dcf4c265cb12a07da5aeb41ee077e1

Download Submit
/data/data/wntgq.dcloud.DUSFWHVI/databases/bugly_db_-wal
Filesize
88KB

MD5
e33e5b59b82c8248fee242c52a0febec

SHA1
fd02835c44add941cef3ebb5576487f85f7be6d5

SHA256
ef04c29db1cb7a2194dffd613614ff84d76bfc9374fc15f2d0c9b22424ae5af6

SHA512
e46900539f1a6792bbc6a333d2448e67a6f4fab8d268e898990f6998bb8e21697eefdb1ef4fb9ec44f58f77d80a78837c1dab2860000e48bb4aa372882649042

Download Submit
/data/data/wntgq.dcloud.DUSFWHVI/databases/ua.db
Filesize
36KB

MD5
0adda9c85a5e4808f5b1b74c0a8591a5

SHA1
5048107883ab1e345af9cf2e6849ce46e0e612bf

SHA256
1e17860bba2bb4e3e92df3890aa6dddc973d6602c71519a15556d37bb69de2a1

SHA512
646061d3d5849772511bd94e36ca2d775a9a672851629d1812942ec0f0f925714eb7d4ebac44889911320cb6710a2f586014f6b1e126739cab653c4f8deef2d1

Download Submit
/data/data/wntgq.dcloud.DUSFWHVI/databases/ua.db
Filesize
24KB

MD5
dbf85737548c7bb5a124a299384ea796

SHA1
e8f3edcc9aad58091d29fc0955299f604fb488b5

SHA256
8445b2263342117bcca09a4cc453c68c56fb732163a87602e7ade69bd0a84589

SHA512
d174e7794d4fc1fd2e9390cde0cdc9b6a8469ae088800f94a3c5634add0cbe540f8701418e3a375e9b229a6b8a41c8f928514db05688af57a619a8d82e743b78

Download Submit
/data/data/wntgq.dcloud.DUSFWHVI/databases/ua.db-journal
Filesize
512B

MD5
3940799c8da887176c55d9642496bdc0

SHA1
c18a3d6bce7e1b2c803870e87851e8afd52efdcd

SHA256
0477e3166509be9185a7715b86b84bed3705d9768a11e77513cf07d15c343b54

SHA512
fb305c4c97ff29ec3dff3397f756edd2a98a517b966d2e84c513994976d7659a2c70822ad6181d012daff7272de4e59a081e96913d6f7130efa7669a8bb48808

Download Submit
/data/data/wntgq.dcloud.DUSFWHVI/databases/ua.db-shm
Filesize
32KB

MD5
bb7df04e1b0a2570657527a7e108ae23

SHA1
5188431849b4613152fd7bdba6a3ff0a4fd6424b

SHA256
c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

SHA512
768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Download Submit
/data/data/wntgq.dcloud.DUSFWHVI/databases/ua.db-wal
Filesize
48KB

MD5
3b18a4adc718add29372fd6c32c7255d

SHA1
24d58595a9b9256ec117a33974e620ce99d715ea

SHA256
074e7dfd8e6816399996f02126e78bfa1b797a96b4e47d4f08c8d6c4e20cb906

SHA512
1ce3d477bc00ea293d13109d627991d57a3cc31b41663249cc62994fa75c159e8803f307a7438683185e4f0bc074349122db2f1a836b3696147e4eadfa960ec9

Download Submit
/data/data/wntgq.dcloud.DUSFWHVI/databases/ua.db-wal
Filesize
12KB

MD5
7665a8cd3eab76b9b82eced3feba108a

SHA1
fe0b43914ecc17a25682424f4b4dcad7722c616b

SHA256
b7dbdf3400b2f3c904c4c3d2c4e65c1ce76fbe667a292a3e4b15e45a5561abc2

SHA512
eef194d82ef4c403f54c92e59a1d31cd186ebdf4b393e643674cf47f7f8d0272a080b4ddcb2b701e844d6a399433ce1f20af7486d945aa120a2d158786556e7d

Download Submit
/data/data/wntgq.dcloud.DUSFWHVI/files/.envelope/a==7.5.0&&1.0.0_1716571196725_envelope.log
Filesize
1KB

MD5
768cb1edeaea4eeb83a929351ad47a7c

SHA1
ec182250aec065ba49f6c2646f23ee48ad0055b7

SHA256
74063e559f6ae2605272eeca42d8b86d4fa0a93892f40636b5bece874668b5e7

SHA512
ad9ce4be7ef09ed65ecc17622bcfafe4aa9aa50d2fac6756d5c0e7499cf4d5e565d5305866f21073686234164cf6ecd85f477d9a68a22b495021f05e2e0162d6

Download Submit
/data/data/wntgq.dcloud.DUSFWHVI/files/.umeng/exchangeIdentity.json
Filesize
162B

MD5
9e85d3183880cf05dbc0569734ca8828

SHA1
ef33d104b0e207f8129996aa746e01fd32bf2cb7

SHA256
049233f7355d2c0981c184f7dfd609b1038ec8fd15477100db297c67adc7b3b9

SHA512
871e123111d17a6c6f2d667157af3261ea6cfe03e72748d3a00974c7a427f2fac9901c1f1fc15adbca5d98dbf6c97174159499f34f993d1a46f273931dbb8472

Download Submit
/data/data/wntgq.dcloud.DUSFWHVI/files/exid.dat
Filesize
57B

MD5
ae47104e6e03648bc92645bcf269a220

SHA1
cdbeb4b59e70e762778ba29ceaec82b1a2bce3c4

SHA256
83aab6b1cbb932f64a4510241f1115201398eeb460112cbe612002b1b31f9a43

SHA512
3892d5555b697250664b0b6ebb80a60a11d7f9bfdb8c9d768076da1cc2cda4f14e68bdc0ddc78744c446a6250c49ee2390b7fe8de8fa5354dbd3b519b0cc40af

Download Submit
/data/data/wntgq.dcloud.DUSFWHVI/files/jpush_stat_history/active_user/nowrap/a33be6e6-5899-43b8-b1bb-098dccfb66a0
Filesize
159B

MD5
d9242f5f3091edb80862c2c697d72ec7

SHA1
cfa3ae2920cd4731fe0095215dcac0490b77fa6b

SHA256
ce0d7ba1027279af65de28b81a1a3b47dc66252f6451c95f88b0275d2efdbf9d

SHA512
3f45d16926062b9ff1643101c9a9fb0f2c756717f370986d8ff6f6fd8647703748a779c0608ae15859eb2d1845d1f8ad21e85cd231964f414e226b9bfbaeca01

Download Submit
/data/data/wntgq.dcloud.DUSFWHVI/files/umeng_it.cache
Filesize
415B

MD5
0d29323cb64727d566acd85c5c7dcbbf

SHA1
6e23b5a9fd6a13ec4499bedb1ed6c7085b866a57

SHA256
a926fcb642a1ef9b3c414e48347a58b483cc1075de6a518ec10b09ddcd4dda29

SHA512
cff57c17e5095a00f411006accc9491a70ab6ecfebd3fa690b197efcd120be41739ee0a46027710d568ea797031fea4a631c6f58357f9efcb5d92745cecefce5

Download Submit
/storage/emulated/0/Android/data/wntgq.dcloud.DUSFWHVI/files/tbslog/tbslog.txt
Filesize
11KB

MD5
8bc48885dd10b3d50a9365a6c058c2ce

SHA1
ff947483f84147dfe690d4aabebe556299a956e8

SHA256
6a4f39b3177f3b7587ec82d0644eaa31b25a04ecc83cbd88a8f5ab79c58cae97

SHA512
132e15e235254d3ee72db6f0d58af28a16db6f9a64b2d984aae8c663d8d8982a14e883371c875808072dcdeff284492c2fa99d2c4e716abccd1d54c9eb36d732

Download Submit
/storage/emulated/0/data/.push_deviceid
Filesize
32B

MD5
b55f706d2bd3efa5a04a22e408cd7fa0

SHA1
088ecf8c25ba708462c2217fac92ff7f0894b39e

SHA256
9dfe5ea3d5ea27a286e7060b871a9471cee7fb6e2ef6a23a8eb44ad67d323636

SHA512
8182b13b6e5103a3e7f108fee2a3573011010badf0b4ee6ed8f6b72e8b419ea02275a5798f1b99f0e44cca97979f7c04a0c8e6a3aea6e361c940fddc8b692395

Download Submit