Analysis

  • max time kernel
    179s
  • max time network
    189s
  • platform
    android_x86
  • resource
    android-x86-arm-20240603-en
  • resource tags

    android, arch:arm, arch:x86, image:android-x86-arm-20240603-en, locale:en-us, os:android-9-x86, system
  • submitted
    05-06-2024 07:32

General

  • Target

    977ba1a844d36c328bc9e71c8f3a0cb7_JaffaCakes118.apk

  • Size

    15.5MB

  • MD5

    977ba1a844d36c328bc9e71c8f3a0cb7

  • SHA1

    1e2de120de9bad740b5d6cfb347e8edf494045e6

  • SHA256

    b9b5551db376a25c6d5831aa29415da1d5af915d7085b9f70fc629909242b9db

  • SHA512

    957509225b09a1ed285cca2b4b825371d2c679680e0a5c17f214f2321b1b689e9f83a7bf96f70eb0e97713b3a94c4c1d05e73ba9fbe4bc0e5e5eb14971d31bd8

  • SSDEEP

    393216:YeUrFw0Tkmvh03sMdHMfYppickkSLg/izIYu:YeqPgmvS3scsUHBygu9u

Malware Config

Signatures

  • Queries information about running processes on the device 1 TTPs 2 IoCs

    Application may abuse the framework's APIs to collect information about running processes on the device.

  • Requests cell location 2 TTPs 1 IoCs

    Uses Android APIs to get the current cell location.

  • Queries information about active data network 1 TTPs 2 IoCs
  • Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

  • Reads information about phone network operator 1 TTPs
  • Listens for changes in the sensor environment (might be used to detect emulation) 1 TTPs 1 IoCs
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 2 IoCs
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
  • Checks CPU information 2 TTPs 1 IoCs

Processes

  • com.yxxinglin.xzid8996
    1⤵
    • Queries information about running processes on the device
    • Requests cell location
    • Queries information about active data network
    • Queries information about the current Wi-Fi connection
    • Listens for changes in the sensor environment (might be used to detect emulation)
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Checks CPU information
    PID:4215
    • ls /sys/class/thermal
      2⤵
        PID:4296
    • com.yxxinglin.xzid8996:pushcore
      1⤵
      • Queries information about running processes on the device
      • Queries information about active data network
      • Registers a broadcast receiver at runtime (usually for listening for system events)
      • Uses Crypto APIs (Might try to encrypt user data)
      PID:4244

    Network

    MITRE ATT&CK Mobile v15


    Downloads

    • /data/data/com.yxxinglin.xzid8996/app_crashrecord/1004

      Filesize

      58B

      MD5

      0d210bfb2a0e1f1b4c082a6a0f79de07

      SHA1

      bb8ed9e364db79d1d9f2fcde3f15091893222faa

      SHA256

      988722c23d78a46021d0e7ca9deee7aa8bb83288269174ffacb7316f381cca1d

      SHA512

      536e9867b0df29b15b789f8949be6ab37fcdeccb9d39ded981da7dc2052c9533d0ec0e6f9a5444132977605d372e1463d91bdde41b528ff2ca3f65ab152325c1

    • /data/data/com.yxxinglin.xzid8996/databases/bugly_db_

      Filesize

      4KB

      MD5

      f2b4b0190b9f384ca885f0c8c9b14700

      SHA1

      934ff2646757b5b6e7f20f6a0aa76c7f995d9361

      SHA256

      0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

      SHA512

      ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

    • /data/data/com.yxxinglin.xzid8996/databases/bugly_db_-journal

      Filesize

      512B

      MD5

      a74cdfb6257ea3c7af5ffe6aaf6cec5e

      SHA1

      190924bf84384da17f5b0fe754c5f521d1256ef3

      SHA256

      938cd1c1dbffb46ac878842f2f88042ada0366dd5cf2c3eac863321fbbd94710

      SHA512

      d12582f8870252e19c004a4217f76dd42d0e7701ffca3a33172660275c12fe6fafd4f22801a3f2c248bcaf84185252ccd860ad0fbe8886a25f8c9409f4a163bc

    • /data/data/com.yxxinglin.xzid8996/databases/bugly_db_-shm

      Filesize

      32KB

      MD5

      044ed5b7dea1a9a18b765e35a02c236f

      SHA1

      3587ddfa8417d9ccf263d0c56c2dd91edd001f91

      SHA256

      f2714e208f907ee29337d6fb4b5896a50dec470bb35bbc3df63f74ea03021a47

      SHA512

      25714bdfda5d16dd5c171da5bf2fd138160d7368aeb43c6d8006f3368fe628ffd3accbe295b06724063101598c716861b396e068c891471ff234543f34ac766c

    • /data/data/com.yxxinglin.xzid8996/databases/bugly_db_-wal

      Filesize

      64KB

      MD5

      c8aa708cca1cdbfa7726ad21ecdc7de9

      SHA1

      5c21b296b9fdd677712df0f592d17a82883287fb

      SHA256

      4bac00042ffe499370620cb1cdb984a1f3f09e0434783d385950825a811869f9

      SHA512

      bc0c21e2d57571b678c28897acfdf647b479d490b7761780d276dbd55fb42eb9ded97cf7c24e4e54ce16e66194669cdbecf76452abb967a84cb405e6b62b93fa

    • /data/data/com.yxxinglin.xzid8996/files/jpush_stat_history_pushcore/normal/nowrap/a1f2ab35-7b26-45e0-af67-31a5337c01c3

      Filesize

      202B

      MD5

      68a714383f11e8350cf2e5430a15cd2c

      SHA1

      83aab0fedb98e595116a77e03e417e80d861d2b3

      SHA256

      5309a5157d5f355964b5b4585c1e50b461df7538f391a29d8174f808f3134777

      SHA512

      d07bb406af479783f954e74848d3463a188ef5aea4f1bfcecea2e0218ef711f3e41e5c54825d50fdea080bf6c99ad2a006aabe21561132d004d6da2979107643

    • /data/data/com.yxxinglin.xzid8996/lib-main/dso_deps

      Filesize

      238B

      MD5

      2430eceb2943542658a8410edcb145c3

      SHA1

      6c723f9a98e773c6dea626464bfd4901897ba7a5

      SHA256

      cd56d0a0f37a8244b6bb21c5d7049133f67a9abda32f9f1dfd58a50872921d95

      SHA512

      a7f3e12d2a4b2160041532167907f556a2776473edf5302ebeb46bf10bf00aa718d4bfb577d2c563ceb20bbd46970d580a4a42422ff28ebea08a329cf4372af7

    • /data/data/com.yxxinglin.xzid8996/lib-main/dso_manifest

      Filesize

      5B

      MD5

      c06857e9ea338f3f3a24bb78f8fbdf6f

      SHA1

      c5a0a2529d2deb60fec041b4fbd722a2ebe31702

      SHA256

      957b88b12730e646e0f33d3618b77dfa579e8231e3c59c7104be7165611c8027

      SHA512

      29f61516876c25379a7bf4faa2b3ca6f6b53eac90e7de47671fec4a818d51441b4025cd7909f7c0a0d113ab6c5ff00cb3700c286bac7319185b77905feec4fb1

    • /data/data/com.yxxinglin.xzid8996/lib-main/dso_state

      Filesize

      9B

      MD5

      8b47abc8b3a7f0f4ca2024b96ba6f36a

      SHA1

      c47a7ab010b6858de0f49c4c8c1dc0b0ada92f9c

      SHA256

      e751c30de7afa746e90b92dd491d80c327cd67ad1ab4f3cbcb562e52715d48a8

      SHA512

      5c280798149ea1fd795aaebe65de733626e5dd1b48389e970e61c7377832e7d4675603a2e472c0c016bed07cb619f8d49f8d9a31a5a4b36ebf4851c2f2e3cbef

    • /data/data/com.yxxinglin.xzid8996/lib-main/dso_state

      Filesize

      1B

      MD5

      55a54008ad1ba589aa210d2629c1df41

      SHA1

      bf8b4530d8d246dd74ac53a13471bba17941dff7

      SHA256

      4bf5122f344554c53bde2ebb8cd2b7e3d1600ad631c385a5d7cce23c7785459a

      SHA512

      7b54b66836c1fbdd13d2441d9e1434dc62ca677fb68f5fe66a464baadecdbd00576f8d6b5ac3bcc80844b7d50b1cc6603444bbe7cfcf8fc0aa1ee3c636d9e339