c5afb68c2b11d77c103208e2b63b84cbe9727cb0c039925ef1136824bdb05659

Analysis

max time kernel
161s
max time network
181s
platform
android_x86
resource
android-x86-arm-20240514-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20240514-enlocale:en-usos:android-9-x86system
submitted
24-05-2024 19:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6f8d4b4eb4b96e21146dc24a754181f0_JaffaCakes118.apk
Size

6.0MB
MD5

6f8d4b4eb4b96e21146dc24a754181f0
SHA1

c62141542da9ddcced17704bd465b2e5791dfea3
SHA256

c5afb68c2b11d77c103208e2b63b84cbe9727cb0c039925ef1136824bdb05659
SHA512

f3baa905ddfa4673a52685829492c8f9d58dfd53a440ba7e8ecd55aca1cc95e80c21d1ea3fbbf2c9a14356c5935e95bd21e57d56a2381a17484f40587ae036fd
SSDEEP

98304:SmZcJlkTp9dUNgBQp4hxZYTLKaQJdD8PFDT6nZoT7h9FZPrGyu7NVlwwpy:dmvknagBLhxZY3Ka5KZefZP6yuJVeT

Score

8^/10

discovery evasion impact persistence

Malware Config

Signatures

Checks if the Android device is rooted. 1 TTPs 3 IoCs
evasion

System Information Discovery
T1426

Processes:

com.dcloud.LMYPEDGTQ:pushcorecom.dcloud.LMYPEDGTQ:multiprocesscom.dcloud.LMYPEDGTQ

ioc process

/sbin/su com.dcloud.LMYPEDGTQ:pushcore
/sbin/su com.dcloud.LMYPEDGTQ:multiprocess
/sbin/su com.dcloud.LMYPEDGTQ
Checks CPU information 2 TTPs 1 IoCs
Checks CPU information which indicate if the system is an emulator.
evasion discovery

System Checks
T1633.001

System Information Discovery
T1426

Processes:

com.dcloud.LMYPEDGTQ

description ioc process

File opened for read /proc/cpuinfo com.dcloud.LMYPEDGTQ

ioc	process
/sbin/su	com.dcloud.LMYPEDGTQ:pushcore
/sbin/su	com.dcloud.LMYPEDGTQ:multiprocess
/sbin/su	com.dcloud.LMYPEDGTQ

description	ioc	process
File opened for read	/proc/cpuinfo	com.dcloud.LMYPEDGTQ

Checks known Qemu files. 1 TTPs 9 IoCs

Checks for known Qemu files that exist on Android virtual device images.

evasion

System Checks

T1633.001

Processes:

com.dcloud.LMYPEDGTQ:pushcorecom.dcloud.LMYPEDGTQ:multiprocesscom.dcloud.LMYPEDGTQ

ioc	process
/system/bin/qemu-props	com.dcloud.LMYPEDGTQ:pushcore
/sys/qemu_trace	com.dcloud.LMYPEDGTQ:multiprocess
/system/bin/qemu-props	com.dcloud.LMYPEDGTQ:multiprocess
/system/lib/libc_malloc_debug_qemu.so	com.dcloud.LMYPEDGTQ
/sys/qemu_trace	com.dcloud.LMYPEDGTQ
/system/lib/libc_malloc_debug_qemu.so	com.dcloud.LMYPEDGTQ:pushcore
/sys/qemu_trace	com.dcloud.LMYPEDGTQ:pushcore
/system/bin/qemu-props	com.dcloud.LMYPEDGTQ
/system/lib/libc_malloc_debug_qemu.so	com.dcloud.LMYPEDGTQ:multiprocess

Checks known Qemu pipes. 1 TTPs 6 IoCs

Checks for known pipes used by the Android emulator to communicate with the host.

evasion

System Checks

T1633.001

Processes:

com.dcloud.LMYPEDGTQcom.dcloud.LMYPEDGTQ:pushcorecom.dcloud.LMYPEDGTQ:multiprocess

ioc	process
/dev/socket/qemud	com.dcloud.LMYPEDGTQ
/dev/qemu_pipe	com.dcloud.LMYPEDGTQ
/dev/socket/qemud	com.dcloud.LMYPEDGTQ:pushcore
/dev/qemu_pipe	com.dcloud.LMYPEDGTQ:pushcore
/dev/socket/qemud	com.dcloud.LMYPEDGTQ:multiprocess
/dev/qemu_pipe	com.dcloud.LMYPEDGTQ:multiprocess

Checks memory information 2 TTPs 3 IoCs

Checks memory information which indicate if the system is an emulator.

evasion discovery

System Checks

T1633.001

System Information Discovery

T1426

Processes:

com.dcloud.LMYPEDGTQcom.dcloud.LMYPEDGTQ:pushcorecom.dcloud.LMYPEDGTQ:multiprocess

description	ioc	process
File opened for read	/proc/meminfo	com.dcloud.LMYPEDGTQ
File opened for read	/proc/meminfo	com.dcloud.LMYPEDGTQ:pushcore
File opened for read	/proc/meminfo	com.dcloud.LMYPEDGTQ:multiprocess

Queries information about running processes on the device 1 TTPs 3 IoCs

Application may abuse the framework's APIs to collect information about running processes on the device.

discovery

Process Discovery

T1424

Processes:

com.dcloud.LMYPEDGTQcom.dcloud.LMYPEDGTQ:pushcorecom.dcloud.LMYPEDGTQ:multiprocess

description	ioc	process
Framework service call	android.app.IActivityManager.getRunningAppProcesses	com.dcloud.LMYPEDGTQ
Framework service call	android.app.IActivityManager.getRunningAppProcesses	com.dcloud.LMYPEDGTQ:pushcore
Framework service call	android.app.IActivityManager.getRunningAppProcesses	com.dcloud.LMYPEDGTQ:multiprocess

Queries the mobile country code (MCC) 1 TTPs 3 IoCs

discovery

System Network Configuration Discovery

T1422

Processes:

com.dcloud.LMYPEDGTQ:multiprocesscom.dcloud.LMYPEDGTQcom.dcloud.LMYPEDGTQ:pushcore

description	ioc	process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.dcloud.LMYPEDGTQ:multiprocess
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.dcloud.LMYPEDGTQ
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.dcloud.LMYPEDGTQ:pushcore

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 3 IoCs

persistence

Broadcast Receivers

T1624.001

Processes:

com.dcloud.LMYPEDGTQ:multiprocesscom.dcloud.LMYPEDGTQcom.dcloud.LMYPEDGTQ:pushcore

description	ioc	process
Framework service call	android.app.IActivityManager.registerReceiver	com.dcloud.LMYPEDGTQ:multiprocess
Framework service call	android.app.IActivityManager.registerReceiver	com.dcloud.LMYPEDGTQ
Framework service call	android.app.IActivityManager.registerReceiver	com.dcloud.LMYPEDGTQ:pushcore

Checks if the internet connection is available 1 TTPs 3 IoCs

discovery

System Network Connections Discovery

T1421

Processes:

com.dcloud.LMYPEDGTQcom.dcloud.LMYPEDGTQ:pushcorecom.dcloud.LMYPEDGTQ:multiprocess

description	ioc	process
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.dcloud.LMYPEDGTQ
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.dcloud.LMYPEDGTQ:pushcore
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.dcloud.LMYPEDGTQ:multiprocess

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 3 IoCs

impact

Data Encrypted for Impact

T1471

Processes:

com.dcloud.LMYPEDGTQ:multiprocesscom.dcloud.LMYPEDGTQcom.dcloud.LMYPEDGTQ:pushcore

description	ioc	process
Framework API call	javax.crypto.Cipher.doFinal	com.dcloud.LMYPEDGTQ:multiprocess
Framework API call	javax.crypto.Cipher.doFinal	com.dcloud.LMYPEDGTQ
Framework API call	javax.crypto.Cipher.doFinal	com.dcloud.LMYPEDGTQ:pushcore

com.dcloud.LMYPEDGTQ
1⤵
- Checks if the Android device is rooted.
- Checks CPU information
- Checks known Qemu files.
- Checks known Qemu pipes.
- Checks memory information
- Queries information about running processes on the device
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Checks if the internet connection is available
- Uses Crypto APIs (Might try to encrypt user data)
PID:4349

getprop ro.product.cpu.abi
2⤵
PID:4460

/system/bin/sh -c getprop
2⤵
PID:4491

getprop
2⤵
PID:4491

com.dcloud.LMYPEDGTQ:pushcore
1⤵
- Checks if the Android device is rooted.
- Checks known Qemu files.
- Checks known Qemu pipes.
- Checks memory information
- Queries information about running processes on the device
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Checks if the internet connection is available
- Uses Crypto APIs (Might try to encrypt user data)
PID:4578

/system/bin/sh -c getprop
2⤵
PID:4741

getprop
2⤵
PID:4741

com.dcloud.LMYPEDGTQ:multiprocess
1⤵
- Checks if the Android device is rooted.
- Checks known Qemu files.
- Checks known Qemu pipes.
- Checks memory information
- Queries information about running processes on the device
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Checks if the internet connection is available
- Uses Crypto APIs (Might try to encrypt user data)
PID:4644

/system/bin/sh -c getprop
2⤵
PID:4817

getprop
2⤵
PID:4817

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Discovery

Process Discovery

T1424

System Information Discovery

T1426

System Network Configuration Discovery

T1422

System Network Connections Discovery

T1421

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.dcloud.LMYPEDGTQ/app_crashrecord/1004

Filesize
229B

MD5
e7615f7375b43a8be1323d6e0120752f

SHA1
027f348efbcbf84cd9fa84318873b81f249644d0

SHA256
feb97342a29f0831b0c8867f6e8c075fe529f64fa70d2236d26816d9ed8fcb21

SHA512
c7648ce90bad51ab7f83b9c02356a9fb94cdfb13ad23bfcef529b24892a912e9995c4b8d172d50c9af35cf95e13e196eba67a5d2b6b652064a532d401c6e0dad

Download Submit
/data/data/com.dcloud.LMYPEDGTQ/app_tbs/core_private/download_upload

Filesize
84B

MD5
523d32f851e9a2d5131b3cb5e23f597b

SHA1
30e37be2e1634e18a94739d3d1620580fc18f14a

SHA256
3ef4c4e2e58ea3ca09f4fd46290a81d13db7408df75b9bd43b364c13373a3e23

SHA512
9c3306d0ff3bc4fa8ce11d69ee7870c5d36b2383fea6ae6ca73b61573f62cfa89736717b09ac14a85f0bc5f5ea8e3c35811e8fce81700e375979d09bece23a5b

Download Submit
/data/data/com.dcloud.LMYPEDGTQ/app_tbs/core_private/download_upload

Filesize
84B

MD5
1528c016f04f3fd2f6cebbbc70722a5b

SHA1
b596ab05345f6a0d198413aa605730b3b52d8646

SHA256
dbcd4093b0c9e8da0049cce6d13d1424406770f7f94518cf2f7174ace4b0814b

SHA512
8b611588b2cf2925a35ccf185f9621d7bcd6b946bdff4f94d2f1a65b1f824ede63f98f97f174d082915a43b7eb24f578068c9b615c9cffb82a77b1af1e5835a1

Download Submit
/data/data/com.dcloud.LMYPEDGTQ/app_tbs/core_private/download_upload

Filesize
15KB

MD5
aa5199c950186868e6850a3731f42564

SHA1
281f74e8799572f5316e9501689f4a09744ab37f

SHA256
a24d0380f09049a162f805f52db283f94121c58b7e8c1241cf9d2ad8496b4c33

SHA512
e2c9ad568d4957518d62d90b98235605f9af801e6ea2a80f666a18c77c0fb6cdbf4dfbdbf28a73465f94a0beb3d957ac651e675958a3b8741c1a56f4bd506b71

Download Submit
/data/data/com.dcloud.LMYPEDGTQ/app_tbs/core_private/download_upload

Filesize
84B

MD5
1cac593faad5cba2497f210e1ac4c140

SHA1
3a3a945968bbf94c6aacb6e9c2cd67977b94c849

SHA256
5da06029a86ffa319f295a1df611400e50b916c754aaf923012617320449bd8a

SHA512
c271981ad8db700e7b4860ccd2e36659db07c7b67f350fd31854d6673166abb297e00240a1a27f639f92b7486c71db7e7bd56c721a2c40610293d6e705221b11

Download Submit
/data/data/com.dcloud.LMYPEDGTQ/app_tbs/core_private/download_upload

Filesize
58B

MD5
0d210bfb2a0e1f1b4c082a6a0f79de07

SHA1
bb8ed9e364db79d1d9f2fcde3f15091893222faa

SHA256
988722c23d78a46021d0e7ca9deee7aa8bb83288269174ffacb7316f381cca1d

SHA512
536e9867b0df29b15b789f8949be6ab37fcdeccb9d39ded981da7dc2052c9533d0ec0e6f9a5444132977605d372e1463d91bdde41b528ff2ca3f65ab152325c1

Download Submit
/data/data/com.dcloud.LMYPEDGTQ/app_tbs/core_private/download_upload

Filesize
242B

MD5
00ca30138f60304c48fab9968d9664b7

SHA1
2906dc2995a34e0c07660086f91e1d68b172979b

SHA256
85b34027d9c314940c1dcff2e4e9ee4a331ee209109933b48840bd3631a9fd2d

SHA512
b777fefb42aeae3e9dbe1b043e0f12261939b8496cb3fa2bcb8743dc5d935ba6572799e192e7ae5682f9f5e2f531de2e84e94bb9ac7c4f160853f4400087337b

Download Submit
/data/data/com.dcloud.LMYPEDGTQ/databases/bugly_db_

Filesize
96KB

MD5
0c17593a3a8a5ed81eff44c432b6b663

SHA1
557ef8e7278eaafec8f35b5afe2eeb5beb04487e

SHA256
c93efb06aa73de2144fed38746a97ee3b88be4eb49fdbcfb5ba5173f4b275d17

SHA512
558e25b89a7ef6f622b020ec18a6d9f175d809ef56014852b9a75a9d437b203e5c7be02340182cbe7fe54fd1ab056dd45922d328befd2c5a27dd5d792fcb7441

Download Submit
/data/data/com.dcloud.LMYPEDGTQ/databases/bugly_db_-journal

Filesize
512B

MD5
b9dcce5100c77169ed7d8727e8514e14

SHA1
7fa0691922a6d7eafe244f42d57cfdf3a3882ed5

SHA256
5c9b301906833ce6430eb640f5765e6ab644a1a140913b09d2ba88d96dee987d

SHA512
6ecba95a949dee0d71ac40f89a28b9a87929544c253aa11c957b2c81bd3ed9a5bc8347a7bb0509df2e4d762e699c4f9ea9ebe21119773d9cc361980daa48b2f9

Download Submit
/data/data/com.dcloud.LMYPEDGTQ/databases/bugly_db_-shm

Filesize
32KB

MD5
4e8994d4beda752e9d28c1d44f678185

SHA1
c358a00bc95882ef1d86ae8eceb90cc81a69ebae

SHA256
b8930c6adcfbcb867f6b5217c15eaa296c8f685e4273919b87994cc42a016611

SHA512
e19af09d8031e1a224e6da57bac1105a3987c59e06d9c81f8d6a1a18311b083fe525426cb96dc2f87632c8cbe3d18cd46e239bc7d548ada5126aeb0008ea0263

Download Submit
/data/data/com.dcloud.LMYPEDGTQ/databases/bugly_db_-wal

Filesize
72KB

MD5
4550aaa0d56b180ebc0879c6d5d80a9d

SHA1
a661afef74f3ab854b99b6afd07c5725650183f6

SHA256
e18bb9d44eb9221a14eb1c6ce8440e2e4f611a8bbadaed7f76ba25b8740f9613

SHA512
75c4a61764024e80d35a7b082a5d14cd5843c9d8c16d47676c8b0c24ea581d08350138369f17bead017be1e9aafea29eb47098d7007f294b441e306eb27011aa

Download Submit
/data/data/com.dcloud.LMYPEDGTQ/databases/ua.db

Filesize
36KB

MD5
0adda9c85a5e4808f5b1b74c0a8591a5

SHA1
5048107883ab1e345af9cf2e6849ce46e0e612bf

SHA256
1e17860bba2bb4e3e92df3890aa6dddc973d6602c71519a15556d37bb69de2a1

SHA512
646061d3d5849772511bd94e36ca2d775a9a672851629d1812942ec0f0f925714eb7d4ebac44889911320cb6710a2f586014f6b1e126739cab653c4f8deef2d1

Download Submit
/data/data/com.dcloud.LMYPEDGTQ/databases/ua.db-journal

Filesize
512B

MD5
ff950331de718dd35795a30cc5b34401

SHA1
7cf782221f6489f7d434d38dafd7eeec590f5b68

SHA256
8b838a7239e0a37eb33f72d9ca0668e43e358b092b2b7f09ecd7e64c8bb21332

SHA512
2784f15fdbce112edf156183fcd9da0c83a9bd05fce5532001b4f816fb4d4290394ee35ab0342f6d3f9760a420acba850bb7f80838a7ea6a31938dc6bf14f9f1

Download Submit
/data/data/com.dcloud.LMYPEDGTQ/databases/ua.db-shm

Filesize
32KB

MD5
bb7df04e1b0a2570657527a7e108ae23

SHA1
5188431849b4613152fd7bdba6a3ff0a4fd6424b

SHA256
c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

SHA512
768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Download Submit
/data/data/com.dcloud.LMYPEDGTQ/databases/ua.db-wal

Filesize
48KB

MD5
23efa07cfbc5731d0183985a7aa44523

SHA1
e723ee9ab7acf85c88f849bd1b51797e961ef782

SHA256
775fda2dd1c0098dfcf3e57938b33d085f8153624a01d9a42095356c412f7f9c

SHA512
7bff7fb0d350e271757be78ccbdef41d67c38f98e0695e3bda9caf201121621f22101334f059cffcb7bf4bd4d525d7ad2d5646e2ee79a5a26561bca7b0f506c9

Download Submit
/data/data/com.dcloud.LMYPEDGTQ/files/jpush_stat_history/active_user/nowrap/27d8014e-81ea-4ece-8095-6f9282f7fd55

Filesize
159B

MD5
1692d57f968145aea014af356c101ce7

SHA1
dd5f4ddc74d59067f9c1f736829643f9bcb328bc

SHA256
e2cbd8d64f41504225448a87ee6ad611f2079dfaf836a194f7fce500992ab169

SHA512
f5ef113ea538c8508c5c1b493351a4d3e0369ca4931ee0f6b164acbbb900c1f5e35f68299f81f375cdb49da04b9660cb801b2edb61091fedc473ebb66640f964

Download Submit
/storage/emulated/0/Android/data/com.dcloud.LMYPEDGTQ/files/tbslog/tbslog.txt

Filesize
12KB

MD5
3a03ec6094399297832195b4d4e19d62

SHA1
07414a5664537b99049c4154c94134e3e3eabdcb

SHA256
ee448b5fd0d4982207350395fff8d9b1c570da0cf375e59e17c9a6cf348ca589

SHA512
210563b4e4d6f01c0b4c97ad36391f848ef1da47b6b7764b4c28e64767ab7c477530cfe91b2a8dccb56bd816f8868812634f4a6f41aba7c6cf96e02f01e93a25

Download Submit
/storage/emulated/0/data/.push_deviceid

Filesize
32B

MD5
959dcab62ba9543be831c9a88c57a494

SHA1
8b8f53ea31143a2228d1ca06cb0b253e7e6a8648

SHA256
df97f18bcc963bd00742a0093d8dd60e67ae1ff89fecb666f53a35a415b9f0f8

SHA512
632a275eea8dc8af12d0300e92e94e5202755f9a45ca429c213b99ee8ea5a6a9cee973bc48bb09e675f45417697fb4b56738eba1519c08e93dcd21e74510adb7

Download Submit