31cc19df16995af1ab100caad371166002bbb79160507d06bc26f1b4cda53ee9

Analysis

max time kernel
177s
max time network
182s
platform
android_x86
resource
android-x86-arm-20240514-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20240514-enlocale:en-usos:android-9-x86system
submitted
01-06-2024 03:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

894015828ab74e0f16316bf2234c54f6_JaffaCakes118.apk
Size

30.4MB
MD5

894015828ab74e0f16316bf2234c54f6
SHA1

e6a468a7cf893c267be287f1eaf91746acfc9757
SHA256

31cc19df16995af1ab100caad371166002bbb79160507d06bc26f1b4cda53ee9
SHA512

eca53a8705c00233d83eefe9a375404575d48c49ccdff89b222621897a0ff94e2dcf68b3a4d9229a8f27cec50ecd65981e327ce210cdc9b2afdca1569bb42a47
SSDEEP

786432:J8hvjjtkvOW1LHm5H85TwPDv4bL9BskWNj:JCvjjtkmWdHm5H85sPDvwZlU

Score

8^/10

discovery evasion impact persistence

Malware Config

Signatures

Checks if the Android device is rooted. 1 TTPs 6 IoCs

evasion

System Information Discovery

T1426

ioc	Process
/system/app/Superuser.apk	com.zhihuielectric
/sbin/su	/system/bin/sh -c type su
/data/local/su	com.zhihuielectric
/data/local/bin/su	com.zhihuielectric
/data/local/xbin/su	com.zhihuielectric
/sbin/su	com.zhihuielectric

Checks Android system properties for emulator presence. 1 TTPs 7 IoCs

evasion

System Checks

T1633.001

description	ioc	Process
Accessed system property	key: ro.bootmode	com.zhihuielectric
Accessed system property	key: ro.hardware	com.zhihuielectric
Accessed system property	key: ro.product.device	com.zhihuielectric
Accessed system property	key: ro.product.model	com.zhihuielectric
Accessed system property	key: ro.product.name	com.zhihuielectric
Accessed system property	key: ro.serialno	com.zhihuielectric
Accessed system property	key: ro.bootloader	com.zhihuielectric

Checks CPU information 2 TTPs 1 IoCs

Checks CPU information which indicate if the system is an emulator.

evasion discovery

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	com.zhihuielectric

Checks Qemu related system properties. 1 TTPs 7 IoCs

Checks for Android system properties related to Qemu for Emulator detection.

evasion

System Checks

T1633.001

description	ioc	Process
Accessed system property	key: ro.kernel.android.qemud	com.zhihuielectric
Accessed system property	key: ro.kernel.qemu.gles	com.zhihuielectric
Accessed system property	key: ro.kernel.qemu	com.zhihuielectric
Accessed system property	key: init.svc.qemud	com.zhihuielectric
Accessed system property	key: init.svc.qemu-props	com.zhihuielectric
Accessed system property	key: qemu.hw.mainkeys	com.zhihuielectric
Accessed system property	key: qemu.sf.fake_camera	com.zhihuielectric

Checks memory information 2 TTPs 1 IoCs

Checks memory information which indicate if the system is an emulator.

evasion discovery

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	com.zhihuielectric

Loads dropped Dex/Jar 1 TTPs 9 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/data/com.zhihuielectric/.jiagu/classes.dex	4283	com.zhihuielectric
/data/data/com.zhihuielectric/.jiagu/classes.dex!classes2.dex	4283	com.zhihuielectric
/data/data/com.zhihuielectric/.jiagu/tmp.dex	4283	com.zhihuielectric
/data/data/com.zhihuielectric/.jiagu/tmp.dex	4351	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/data/com.zhihuielectric/.jiagu/tmp.dex --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/data/com.zhihuielectric/.jiagu/oat/x86/tmp.odex --compiler-filter=quicken --class-loader-context=&
/data/data/com.zhihuielectric/.jiagu/tmp.dex	4283	com.zhihuielectric
/data/data/com.zhihuielectric/.jiagu/classes.dex	4389	com.zhihuielectric:mult
/data/data/com.zhihuielectric/.jiagu/classes.dex!classes2.dex	4389	com.zhihuielectric:mult
/data/data/com.zhihuielectric/.jiagu/tmp.dex	4389	com.zhihuielectric:mult
/data/data/com.zhihuielectric/.jiagu/tmp.dex	4389	com.zhihuielectric:mult

Queries information about running processes on the device 1 TTPs 2 IoCs

Application may abuse the framework's APIs to collect information about running processes on the device.

discovery

Process Discovery

T1424

description	ioc	Process
Framework service call	android.app.IActivityManager.getRunningAppProcesses	com.zhihuielectric
Framework service call	android.app.IActivityManager.getRunningAppProcesses	com.zhihuielectric:mult

Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs

Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

discovery

System Network Connections Discovery

T1421

description	ioc	Process
Framework service call	android.net.wifi.IWifiManager.getConnectionInfo	com.zhihuielectric

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 2 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	com.zhihuielectric
Framework service call	android.app.IActivityManager.registerReceiver	com.zhihuielectric:mult

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.zhihuielectric:mult

Checks if the internet connection is available 1 TTPs 2 IoCs

discovery

System Network Connections Discovery

T1421

description	ioc	Process
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.zhihuielectric
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.zhihuielectric:mult

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org 2 IoCs

flow	ioc
34	s.appjiagu.com
57	b.appjiagu.com

Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 2 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.zhihuielectric
Framework API call	javax.crypto.Cipher.doFinal	com.zhihuielectric:mult

com.zhihuielectric
1⤵
- Checks if the Android device is rooted.
- Checks Android system properties for emulator presence.
- Checks CPU information
- Checks Qemu related system properties.
- Checks memory information
- Loads dropped Dex/Jar
- Queries information about running processes on the device
- Queries information about the current Wi-Fi connection
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Checks if the internet connection is available
- Uses Crypto APIs (Might try to encrypt user data)
PID:4283
- chmod 755 /data/data/com.zhihuielectric/.jiagu/libjiagu.so
  2⤵
  PID:4326
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/data/com.zhihuielectric/.jiagu/tmp.dex --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/data/com.zhihuielectric/.jiagu/oat/x86/tmp.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4351
- /system/bin/sh -c type su
  2⤵
  - Checks if the Android device is rooted.
  PID:4520
- sh -c ps
  2⤵
  PID:4654
- ps
  2⤵
  PID:4654
- ps daemonsu
  2⤵
  PID:4679
- ps | grep su
  2⤵
  PID:4697

com.zhihuielectric:mult
1⤵
- Loads dropped Dex/Jar
- Queries information about running processes on the device
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Acquires the wake lock
- Checks if the internet connection is available
- Uses Crypto APIs (Might try to encrypt user data)
PID:4389

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Discovery

Process Discovery

T1424

System Information Discovery

T1426

System Network Configuration Discovery

T1422

System Network Connections Discovery

T1421

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.zhihuielectric/.jiagu/classes.dex

Filesize
4.5MB

MD5
be77b4d4087df029c8605285cdadee93

SHA1
608cadf5afb10a630cd0cc5c33cd0527004e68b2

SHA256
d7222e629fded7139d392239a9edaba77cdb34bc54dbdd4b0f043bb53269f81a

SHA512
28d1698d6c337d8c2b49a5aac54cbd6680af0329bc06e4819f2918c4e6b706e071b112f327570fa364cd9a26e19e45c82b9e242f18ab8f00c05fe661cbfc3e26

Download Submit
/data/data/com.zhihuielectric/.jiagu/classes.dex

Filesize
6.8MB

MD5
732ad3a3bbee7ef7efab19fbb1691d77

SHA1
849895de2d44a4309542de2814b0182d77c8b422

SHA256
fa21d912046e5c33b812f208622ac7ee7c7e7958db8b89ff7a1e62acd808997a

SHA512
5e8d92adbb335cbfe1c6395b8b01bf327e40e0aeb616d1ab825aa8ba06c1d77ce65c494cbb7d34812c6c99954e909422e91ad21c2d1670317336029a47ef0447

Download Submit
/data/data/com.zhihuielectric/.jiagu/classes.dex!classes2.dex

Filesize
1.8MB

MD5
2da7b01eb6b5b4b57d2307d2e1580c13

SHA1
2786297b172ea30ab5775e92d7439207a6c09416

SHA256
8c496b53f6aae9f07cef792320f7ad027fcdc1c08fa5813b1ae72b4dbdedeb15

SHA512
2e8fdb96981891c8cd457702225785488a4a6f1b3ecd7491275fb2c0097dc2758bc1e413df53d653072059e75738a0f8d99ebf057a620be2c329ae3244de2892

Download Submit
/data/data/com.zhihuielectric/.jiagu/libjiagu.so

Filesize
455KB

MD5
e5a53000766ebc433b27d6a66ec4f555

SHA1
2c8f53f1c03aec2005bcad67d731f07261dabde0

SHA256
78e4ea857f10c2df6c7b94f0584524b52ecc099ed29478fe3964037b8a86ed2e

SHA512
370a1cb93b14556ad861724f4e9995c9a4c6d37cf2d570f888d1c6000c66d27ac63496b0703361e9fc9bc7f309b7aa4407c5f339d186b0a5b72520d23d04b68d

Download Submit
/data/data/com.zhihuielectric/.jiagu/tmp.dex

Filesize
80KB

MD5
30f0f3846d1b831aa4c6dcff4a5d4673

SHA1
3bff96df6581978299f5ea0234987adcbbf013a0

SHA256
9e409cdbd6cccd8600da70ec308f4f35c7a3f4fb62332bd78269d8b1c6876ce4

SHA512
29d5dfc2536e288cbeb6fe747469128744f56b9814e9b0f45ede892fa4b319dd5d95798e61cd37da648c6451a8b7f26509573c8e996168d5ae58deeeff193724

Download Submit
/data/data/com.zhihuielectric/.jiagu/tmp.dex

Filesize
284B

MD5
f1771b68f5f9b168b79ff59ae2daabe4

SHA1
0df6a835559f5c99670214a12700e7d8c28e5a42

SHA256
9f8898ce35a47aeafced99ea0d17c33e73037bb2307c7688e50819966f4ae939

SHA512
dae27d19727b89bec49398503baa6801640540355688dfabbe689c97545295c2c2d9b0f0dcd7cbc4cfbf701d0c0c3289e647a152f49ff242d1ecc741efe4145d

Download Submit
/data/data/com.zhihuielectric/app_crashrecord/1004

Filesize
227B

MD5
21f287e4f17e91c1041d3c0980a92bf1

SHA1
cc590f56d4a1201416897610f2da8fa6a5bff131

SHA256
6b4d36ed2c9bfd4226cf3ccc1d4ab77c5c50f4c0906b1965db6cbf51a09bcabb

SHA512
24ab716656601b6ce4cab4ffc7111fb876d01e15ce40f63ceef34b510ab45cd05c98e986702c442795690c0e5b7cbdb65f0d93e5d2f4623677aa7fd268de508c

Download Submit
/data/data/com.zhihuielectric/app_crashrecord/1004

Filesize
58B

MD5
0d210bfb2a0e1f1b4c082a6a0f79de07

SHA1
bb8ed9e364db79d1d9f2fcde3f15091893222faa

SHA256
988722c23d78a46021d0e7ca9deee7aa8bb83288269174ffacb7316f381cca1d

SHA512
536e9867b0df29b15b789f8949be6ab37fcdeccb9d39ded981da7dc2052c9533d0ec0e6f9a5444132977605d372e1463d91bdde41b528ff2ca3f65ab152325c1

Download Submit
/data/data/com.zhihuielectric/app_crashrecord/1004

Filesize
232B

MD5
40b610a4f64ae06b078140b8669cef5f

SHA1
1498222ef5d1248bf3de00cc587119dd20247b93

SHA256
3dd34f48c45d2250b5f20173e226cfe464dc963d208302b1357e18894383a570

SHA512
162d6f9ccb65711d21b95614e662ec16f318273ce99f0d55644be32e4436880eab5a4c648b57a2a5024d6bfe00ed9ad40390b636a57681979316256fcf102ef3

Download Submit
/data/data/com.zhihuielectric/databases/bugly_db_

Filesize
4KB

MD5
f2b4b0190b9f384ca885f0c8c9b14700

SHA1
934ff2646757b5b6e7f20f6a0aa76c7f995d9361

SHA256
0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

SHA512
ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

Download Submit
/data/data/com.zhihuielectric/databases/bugly_db_-journal

Filesize
512B

MD5
54e3cc055433094b7dc6f6aed8e9cf2a

SHA1
e35986652e2414e545c4d48bf340f0e0a2f27c9d

SHA256
f67795c34819fbb633af77ad0a01853a7c20eead407da5f1d5dcca0fb2a0939e

SHA512
7f0045ad6d6d19535ad57f6dc11b88ad0f00a1352bde101a92a5781e56d218085aa7e8b685e7b89cb28a13ed5f61772f8312425e5b546d8746ccfe1efee70ea4

Download Submit
/data/data/com.zhihuielectric/databases/bugly_db_-shm

Filesize
32KB

MD5
bb7df04e1b0a2570657527a7e108ae23

SHA1
5188431849b4613152fd7bdba6a3ff0a4fd6424b

SHA256
c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

SHA512
768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Download Submit
/data/data/com.zhihuielectric/databases/bugly_db_-wal

Filesize
76KB

MD5
7aef667008206e0a07c19c97612b7431

SHA1
b0ee2bde2f1439586a7216a6c739fb0a0ed1c0b6

SHA256
055bceeb7878e99801538a7d2667c59754253914b48fcb400cdf98aaecc83332

SHA512
94628cfdbd081438a8b3684b8692d8912572a8112bd8915e4abbfd6ca21ee1b2f6d3ec2fae20ed10f6d882e8995e6deb25a0ca0a4e4b7f7ef122707bca548deb

Download Submit
/data/data/com.zhihuielectric/files/.jglogs/.jg.ac

Filesize
40B

MD5
0dcffa022bc659e2fabce28c1b74109a

SHA1
fa2b4bdaf8a02746fa152065cc6b06f6e92c32f9

SHA256
a7ec2f1c1b4edff42f1fd24e8a5c1f4bbb48efff75ffb6b12115e6a5ac58dcc4

SHA512
9bbfe81c0706f2fc66dda91a91023ea0df264be04ac321eea2a839158afd5a6c5542c7780272ef38a342d3903873067fb51d93cacd34859aca02d23d31cd7b08

Download Submit
/data/data/com.zhihuielectric/files/.jglogs/.jg.ac

Filesize
40B

MD5
1e30fcd57f6b28b0e031062d322d0fd7

SHA1
23bcda47e97ddb410a365e59db0ab2d5bc7c3b9d

SHA256
035db4ad81f7c4ef5517c932227e49d993f713858a0ad4336556fefeebd1878a

SHA512
e9b7f3ae65f69a444d5a83775014a0823f9afadd72d8204095ff264e41b2f072363d9918086727c9123b10acf25c70231f54479266e4d8a7ca161d39b0730e7d

Download Submit
/data/data/com.zhihuielectric/files/.jglogs/.jg.di

Filesize
340B

MD5
1c85c9f59c51d85fd9d1f9c476cab96c

SHA1
8c7970ecaad3c96957f8aebb48ee64aa5266fd38

SHA256
498aecefedb24cdba7af9bc0338839e0dc79ba95a593e59caca8bf5f6eb369a9

SHA512
bd0046047cd9e39ca16bf95b57aa2ac18f9ceea9a629e0223ff62a12dc0c26ab12e92192996487c78d032f62c593de819d5734d8b7df08586b509635570490c6

Download Submit
/data/data/com.zhihuielectric/files/.jglogs/.jg.di

Filesize
340B

MD5
cc3d8aad2c2d28ef7332233d02c8e8a9

SHA1
48b3cb776badacc56e11e4f9eb0c6d69c4af8908

SHA256
fd38325777a5706c0f79b758ecb3406d8f949365b3e2355dbb11e23d525597da

SHA512
038b719a19e24280ce03461c5e11f6958a4f215f25733093523c680e99503a6a425d3fb431ec543aa3f56e3f7d2f2128306338a7f2e53e498d020bd91ee88f9a

Download Submit
/data/data/com.zhihuielectric/files/.jglogs/.jg.ic

Filesize
40B

MD5
9a0ca5c23adaa3e04efd1a44537315c8

SHA1
e0b74e64ac47231f1a2f0f7067c008d87d837136

SHA256
7890f6887e2281d6273481c2b4980db5b362a2fad8c2b28ccfd666ab4dbf4252

SHA512
7936f1e7a7293f5df87792d35aa2373f37da9ee0a20e88347c5bb9d8ec98ae97577aea885c58273c709a04f5ba04cc4ede7978c707e321992ada799ac16013e1

Download Submit
/data/data/com.zhihuielectric/files/.jglogs/.jg.ri

Filesize
314B

MD5
e6bfa3ff733867acab9162d87200bbeb

SHA1
b57f758826a08a789ce580de215d800b822b5e03

SHA256
620fbca73307712fe97e2ae9a11c3a8387a036e20a770ca23f1c7c9bace57af6

SHA512
d3ae86817a89f543abed22b98c2f961aae791d56489715b0ab707784ac55b385df36815e406b19d77305abe7d736a1d58c5d8eaaf83829f1b76504439cffe0d0

Download Submit
/data/data/com.zhihuielectric/files/.jiagu.lock

Filesize
27B

MD5
c984d8a893ba175ce7481df0b90e7ab3

SHA1
23103fed9223f458cf9e75a217787c21bd4cb7c1

SHA256
1877d7da4628bf1b1a2f094c47d2fc3dfecc174e57d7da06f116ab834debe11a

SHA512
fd9096157bf618033b6866caec7f8899d424ee319f0582e46815ad29d57d8d32e3689cd25cc8f16590318607132cd65c3d5082df345ace89b20d1f15cc46a80e

Download Submit
/data/data/com.zhihuielectric/files/libcuid.so

Filesize
129B

MD5
31d55b6a92870c25c242c31191ab5f04

SHA1
9d1c0391b179359320242b342041c8706362769c

SHA256
998a5fa4810c639db9eae4431e8fb782593b9e0bde7ac64a6b0c5d39b3a58270

SHA512
9cafcd22fc675381fc27a3e298af8c0b44c81dc1702a52bf4f2cd33e3f830b5c301c1d7d48a0dae1945dcb4349468895bdd9533f29023892ea6c8f2d5a6b8a5b

Download Submit
/storage/emulated/0/360/.deviceId

Filesize
48B

MD5
1d8d16c4e3b19ebf18988530d9b9a757

SHA1
bc94c1cce05cd848a53271ecb9c5311e27ffebf5

SHA256
abd87140da8de3d0aa39a24a8d52bfe7b2eb28f7a3d505f205471c7e8f4964d7

SHA512
4562d1eedbc5c2dd7f25cd1c70343053fd451026403585182b142a64f17016c1bd0bf6ad51667b439b220e425640e55fbbda08517e7106376cdc220a4555da82

Download Submit
/storage/emulated/0/360/.iddata

Filesize
32B

MD5
b7a8b37a74c9d80a77dd2463865d6572

SHA1
f50b360baf9206a526858a9b8c827ffdb0c186a3

SHA256
f45330251eca106c72203eff0fd2524c5990ab1d00fed2cfeefb465ba9780660

SHA512
67424e0757a2725fb90fcdee01239ca0f1e40ed2c9ca18c8a356acf21cc2607457dba4f90f332571765a52a996d26b5e8ac8f6a72b5f812ff3a2996baecc5be6

Download Submit
/storage/emulated/0/data/.push_deviceid

Filesize
32B

MD5
9d2abab2171f60f292823de7ef752069

SHA1
bc68ed36fcc6dfaf4c7c4ec09509d8cd80e39a12

SHA256
2c5c0059ba671ab4c96aee6f0e112c8752017350bb0fa42940ce9b00606f7947

SHA512
e16bb70215c7c64616a52608734928640ab5da422e5017be7007e06f32dee3b1eae667a9a6c63d2e9c809ed8e8ca1026505599d73146fd1fabd4cbaa7ade2a2c

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads