Analysis

  • max time kernel
    55s
  • max time network
    175s
  • platform
    android_x86
  • resource
    android-x86-arm-20240514-en
  • resource tags
    android, arch:arm, arch:x86, image:android-x86-arm-20240514-en, locale:en-us, os:android-9-x86, system
  • submitted
    02-06-2024 08:01

General

  • Target

    8d6346731b68f41af2e69f11d93e24fa_JaffaCakes118.apk

  • Size

    26.5MB

  • MD5

    8d6346731b68f41af2e69f11d93e24fa

  • SHA1

    374c8dffc3fd80fc531e6f4468e84bc133bf0a6f

  • SHA256

    32222772e81d03ab733bce47fa0348e7cda65020a2c9fce95220a12936d847c5

  • SHA512

    06e284cff6c5d5460630988709e9f153e642d4de00377209f092823094b99529de7a13f7bb2aa17c1e6b6d12fe89923d372de2871cb43351551fa94f7b6e16d5

  • SSDEEP

    786432:4QcW79bfAHziywLUEdrvu+jh7evTTEXAogoqEfIq:xcybfAGL1drW+NKbTEAfJEfh

Malware Config

Signatures

  • Checks if the Android device is rooted. 1 TTPs 1 IoCs
  • Requests cell location 2 TTPs 1 IoCs

    Uses Android APIs to get the current cell location.

  • Checks CPU information 2 TTPs 1 IoCs

    Checks CPU information that indicates whether the system is an emulator.

  • Checks memory information 2 TTPs 1 IoCs

    Checks memory information that indicates whether the system is an emulator.

  • Queries information about running processes on the device 1 TTPs 2 IoCs

    Application may abuse the framework's APIs to collect information about running processes on the device.

  • Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Reads the content of the SMS messages. 1 TTPs 1 IoCs
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 2 IoCs
  • Acquires the wake lock 1 IoCs
  • Checks if the internet connection is available 1 TTPs 2 IoCs
  • Domain associated with commercial stalkerware software, includes indicators from echap.eu.org 1 IoCs
  • Reads information about phone network operator. 1 TTPs
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

Processes

  • com.incooltech.xsyd
    1⤵
    • Checks if the Android device is rooted.
    • Requests cell location
    • Checks CPU information
    • Checks memory information
    • Queries information about running processes on the device
    • Queries information about the current Wi-Fi connection
    • Queries the mobile country code (MCC)
    • Reads the content of the SMS messages.
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Acquires the wake lock
    • Checks if the internet connection is available
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4265
  • com.incooltech.xsyd:pushcore
    1⤵
    • Queries information about running processes on the device
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Checks if the internet connection is available
    PID:4299
    • cat /sys/class/net/wlan0/address
      2⤵
        PID:4460
      • cat /sys/class/net/wlan0/address
        2⤵
          PID:4486

Network

MITRE ATT&CK Mobile v15

Downloads

  • /data/data/com.incooltech.xsyd/databases/cc/cc.db (36KB)
  • /data/data/com.incooltech.xsyd/databases/cc/cc.db (36KB)
  • /data/data/com.incooltech.xsyd/databases/cc/cc.db-journal (512B)
  • /data/data/com.incooltech.xsyd/databases/cc/cc.db-wal (48KB)
  • /data/data/com.incooltech.xsyd/databases/cc/cc.db-wal (16KB)
  • /data/data/com.incooltech.xsyd/databases/ua.db (16KB)
  • /data/data/com.incooltech.xsyd/databases/ua.db (16KB)
  • /data/data/com.incooltech.xsyd/databases/ua.db (32KB)
  • /data/data/com.incooltech.xsyd/databases/ua.db (32KB)
  • /data/data/com.incooltech.xsyd/databases/ua.db-journal (512B)
  • /data/data/com.incooltech.xsyd/databases/ua.db-wal (4KB)
  • /data/data/com.incooltech.xsyd/databases/ua.db-wal (4KB)
  • /data/data/com.incooltech.xsyd/databases/ua.db-wal (8KB)
  • /data/data/com.incooltech.xsyd/databases/ua.db-wal (56KB)
  • /data/data/com.incooltech.xsyd/databases/xsyd.db (4KB)
  • /data/data/com.incooltech.xsyd/databases/xsyd.db-journal (512B)
  • /data/data/com.incooltech.xsyd/databases/xsyd.db-shm (32KB)
  • /data/data/com.incooltech.xsyd/databases/xsyd.db-wal (64KB)
  • /data/data/com.incooltech.xsyd/files/.umeng/exchangeIdentity.json (162B)
  • /data/data/com.incooltech.xsyd/files/exid.dat (61B)
  • /data/data/com.incooltech.xsyd/files/jpush_stat_cache.json (134B)
  • /data/data/com.incooltech.xsyd/files/umeng_it.cache (413B)
  • /storage/emulated/0/DCIM/Screenshots/._config (36B)