Analysis
max time kernel: 80s
max time network: 182s
platform: android_x86
resource: android-x86-arm-20240514-en
resource tags: android, arch:arm, arch:x86, image:android-x86-arm-20240514-en, locale:en-us, os:android-9-x86, system
submitted: 02-06-2024 18:38
Static task: static1
Behavioral task: behavioral1
  Sample: 8f0777fa51f297002fb0a616e5e43edf_JaffaCakes118.apk
  Resource: android-x86-arm-20240514-en
Behavioral task: behavioral2
  Sample: 8f0777fa51f297002fb0a616e5e43edf_JaffaCakes118.apk
  Resource: android-x64-arm64-20240514-en
General
Target: 8f0777fa51f297002fb0a616e5e43edf_JaffaCakes118.apk
Size: 31.2MB
MD5: 8f0777fa51f297002fb0a616e5e43edf
SHA1: 92f33910d5748f2fabc913a87867647e60b3d923
SHA256: c5dc5f69df98c947622482c6f427cb947385e0736a3d3892d763fc6108a853e6
SHA512: e73fc37437a665f558775497e0f8debd3adc760640f8feaecf7c42091fec86e6cb8880fc1c0d6fd2fb96296091687a407c3ed7dc3738005053938fd7078ecda3
SSDEEP: 786432:LYEBm8WXo4Bf1MPlE3H+sFx6Nq96VRx73jIO:0em8WXjBNMdE3+Mx6NBWO
Malware Config
Signatures
Requests cell location (2 TTPs, 1 IoC)
Uses Android APIs to get the current cell location.
Processes: com.zongxueguan.naochanle_android
description | ioc | process
Framework service call | com.android.internal.telephony.ITelephony.getCellLocation | com.zongxueguan.naochanle_android
Checks CPU information (2 TTPs, 1 IoC)
Checks CPU information, which indicates whether the system is an emulator.
Processes: com.zongxueguan.naochanle_android
description | ioc | process
File opened for read | /proc/cpuinfo | com.zongxueguan.naochanle_android
Loads dropped Dex/Jar (1 TTP, 19 IoCs)
Runs executable file dropped to the device during analysis.
Processes:
- com.zongxueguan.naochanle_android
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/data/com.zongxueguan.naochanle_android/.jiagu/tmp.dex --output-vdex-fd=43 --oat-fd=44 --oat-location=/data/data/com.zongxueguan.naochanle_android/.jiagu/oat/x86/tmp.odex --compiler-filter=quicken --class-loader-context=&
- com.zongxueguan.naochanle_android:core
- com.zongxueguan.naochanle_android:pushcore
ioc | pid | process
/data/data/com.zongxueguan.naochanle_android/.jiagu/classes.dex | 4299 | com.zongxueguan.naochanle_android
/data/data/com.zongxueguan.naochanle_android/.jiagu/classes.dex!classes2.dex | 4299 | com.zongxueguan.naochanle_android
/data/data/com.zongxueguan.naochanle_android/.jiagu/classes.dex!classes3.dex | 4299 | com.zongxueguan.naochanle_android
/data/data/com.zongxueguan.naochanle_android/.jiagu/classes.dex!classes4.dex | 4299 | com.zongxueguan.naochanle_android
/data/data/com.zongxueguan.naochanle_android/.jiagu/tmp.dex | 4299 | com.zongxueguan.naochanle_android
/data/data/com.zongxueguan.naochanle_android/.jiagu/tmp.dex | 4335 | /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/data/com.zongxueguan.naochanle_android/.jiagu/tmp.dex --output-vdex-fd=43 --oat-fd=44 --oat-location=/data/data/com.zongxueguan.naochanle_android/.jiagu/oat/x86/tmp.odex --compiler-filter=quicken --class-loader-context=&
/data/data/com.zongxueguan.naochanle_android/.jiagu/tmp.dex | 4299 | com.zongxueguan.naochanle_android
/data/data/com.zongxueguan.naochanle_android/.jiagu/classes.dex | 4413 | com.zongxueguan.naochanle_android:core
/data/data/com.zongxueguan.naochanle_android/.jiagu/classes.dex | 4368 | com.zongxueguan.naochanle_android:pushcore
/data/data/com.zongxueguan.naochanle_android/.jiagu/classes.dex!classes2.dex | 4413 | com.zongxueguan.naochanle_android:core
/data/data/com.zongxueguan.naochanle_android/.jiagu/classes.dex!classes2.dex | 4368 | com.zongxueguan.naochanle_android:pushcore
/data/data/com.zongxueguan.naochanle_android/.jiagu/classes.dex!classes3.dex | 4413 | com.zongxueguan.naochanle_android:core
/data/data/com.zongxueguan.naochanle_android/.jiagu/classes.dex!classes3.dex | 4368 | com.zongxueguan.naochanle_android:pushcore
/data/data/com.zongxueguan.naochanle_android/.jiagu/classes.dex!classes4.dex | 4413 | com.zongxueguan.naochanle_android:core
/data/data/com.zongxueguan.naochanle_android/.jiagu/tmp.dex | 4413 | com.zongxueguan.naochanle_android:core
/data/data/com.zongxueguan.naochanle_android/.jiagu/tmp.dex | 4413 | com.zongxueguan.naochanle_android:core
/data/data/com.zongxueguan.naochanle_android/.jiagu/classes.dex!classes4.dex | 4368 | com.zongxueguan.naochanle_android:pushcore
/data/data/com.zongxueguan.naochanle_android/.jiagu/tmp.dex | 4368 | com.zongxueguan.naochanle_android:pushcore
/data/data/com.zongxueguan.naochanle_android/.jiagu/tmp.dex | 4368 | com.zongxueguan.naochanle_android:pushcore
Queries information about running processes on the device (1 TTP, 3 IoCs)
Application may abuse the framework's APIs to collect information about running processes on the device.
Processes: com.zongxueguan.naochanle_android, com.zongxueguan.naochanle_android:core, com.zongxueguan.naochanle_android:pushcore
description | ioc | process
Framework service call | android.app.IActivityManager.getRunningAppProcesses | com.zongxueguan.naochanle_android
Framework service call | android.app.IActivityManager.getRunningAppProcesses | com.zongxueguan.naochanle_android:core
Framework service call | android.app.IActivityManager.getRunningAppProcesses | com.zongxueguan.naochanle_android:pushcore
Queries information about the current Wi-Fi connection (1 TTP, 1 IoC)
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
Processes: com.zongxueguan.naochanle_android
description | ioc | process
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | com.zongxueguan.naochanle_android
Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTP, 2 IoCs)
Processes: com.zongxueguan.naochanle_android, com.zongxueguan.naochanle_android:pushcore
description | ioc | process
Framework service call | android.app.IActivityManager.registerReceiver | com.zongxueguan.naochanle_android
Framework service call | android.app.IActivityManager.registerReceiver | com.zongxueguan.naochanle_android:pushcore
Checks if the internet connection is available (1 TTP, 3 IoCs)
Processes: com.zongxueguan.naochanle_android, com.zongxueguan.naochanle_android:core, com.zongxueguan.naochanle_android:pushcore
description | ioc | process
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | com.zongxueguan.naochanle_android
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | com.zongxueguan.naochanle_android:core
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | com.zongxueguan.naochanle_android:pushcore
Reads information about phone network operator (1 TTP)
Listens for changes in the sensor environment (might be used to detect emulation) (1 TTP, 1 IoC)
Processes: com.zongxueguan.naochanle_android
description | ioc | process
Framework API call | android.hardware.SensorManager.registerListener | com.zongxueguan.naochanle_android
Uses Crypto APIs (Might try to encrypt user data) (1 TTP, 2 IoCs)
Processes: com.zongxueguan.naochanle_android, com.zongxueguan.naochanle_android:pushcore
description | ioc | process
Framework API call | javax.crypto.Cipher.doFinal | com.zongxueguan.naochanle_android
Framework API call | javax.crypto.Cipher.doFinal | com.zongxueguan.naochanle_android:pushcore
Processes
com.zongxueguan.naochanle_android (PID 4299)
- Requests cell location
- Checks CPU information
- Loads dropped Dex/Jar
- Queries information about running processes on the device
- Queries information about the current Wi-Fi connection
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Checks if the internet connection is available
- Listens for changes in the sensor environment (might be used to detect emulation)
- Uses Crypto APIs (Might try to encrypt user data)
  Child process: /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/data/com.zongxueguan.naochanle_android/.jiagu/tmp.dex --output-vdex-fd=43 --oat-fd=44 --oat-location=/data/data/com.zongxueguan.naochanle_android/.jiagu/oat/x86/tmp.odex --compiler-filter=quicken --class-loader-context=& (PID 4335)
  - Loads dropped Dex/Jar
com.zongxueguan.naochanle_android:pushcore (PID 4368)
- Loads dropped Dex/Jar
- Queries information about running processes on the device
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Checks if the internet connection is available
- Uses Crypto APIs (Might try to encrypt user data)
com.zongxueguan.naochanle_android:core (PID 4413)
- Loads dropped Dex/Jar
- Queries information about running processes on the device
- Checks if the internet connection is available
Network
MITRE ATT&CK Mobile v15
Defense Evasion
- Download New Code at Runtime (1)
- Execution Guardrails (1)
  - Geofencing (1)
- Hide Artifacts (1)
  - User Evasion (1)
- Virtualization/Sandbox Evasion (1)
  - System Checks (1)
Downloads