Analysis

  • max time kernel
    87s
  • max time network
    131s
  • platform
    android_x86
  • resource
    android-x86-arm-20240611.1-en
  • resource tags
    android, arch:arm, arch:x86, image:android-x86-arm-20240611.1-en, locale:en-us, os:android-9-x86, system
  • submitted
    12-06-2024 23:56

General

  • Target

    a30759feac44f4b571dd3ae82f7aeb8b_JaffaCakes118.apk

  • Size

    9.2MB

  • MD5

    a30759feac44f4b571dd3ae82f7aeb8b

  • SHA1

    ca543fed648e2d0cb74a2e579cdf686e44c3e4e7

  • SHA256

    f022bfbccbc5cec1a00ff5b459753efaf13927ef68794b314b5e2d870e32f041

  • SHA512

    85a757cacf08a14cc2bfef4cc6853392d76f0d6de8dcaa56e1770a48eaaba7f5c21b39caef97067191f9fb7f04c431ad5d40b8775771b5530617819dfde09087

  • SSDEEP

    196608:idHEzVMj1++81QH+U/Ah4tcmiQrIn79kud50yYyb:EGVMj1++H+dh4tcmAn7muz0Yb

Malware Config

Signatures

  • Checks if the Android device is rooted. 1 TTPs 4 IoCs
  • Checks Android system properties for emulator presence. 1 TTPs 7 IoCs
  • Checks Qemu related system properties. 1 TTPs 7 IoCs

    Checks for Android system properties related to Qemu for Emulator detection.

  • Loads dropped Dex/Jar 1 TTPs 4 IoCs

    Runs executable file dropped to the device during analysis.

  • Queries information about the current nearby Wi-Fi networks 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about the current nearby Wi-Fi networks.

  • Requests cell location 2 TTPs 2 IoCs

    Uses Android APIs to get the current cell location.

  • Domain associated with commercial stalkerware software, includes indicators from echap.eu.org 2 IoCs
  • Queries information about active data network 1 TTPs 1 IoCs
  • Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

  • Reads information about phone network operator. 1 TTPs
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
  • Checks CPU information 2 TTPs 1 IoCs
  • Checks memory information 2 TTPs 1 IoCs

Processes

  • com.yghys.doctor
    1⤵
    • Checks if the Android device is rooted.
    • Checks Android system properties for emulator presence.
    • Checks Qemu related system properties.
    • Loads dropped Dex/Jar
    • Queries information about the current nearby Wi-Fi networks
    • Requests cell location
    • Queries information about active data network
    • Queries information about the current Wi-Fi connection
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Uses Crypto APIs (Might try to encrypt user data)
    • Checks CPU information
    • Checks memory information
    PID:4273
    • chmod 755 /data/data/com.yghys.doctor/.jiagu/libjiagu.so
      2⤵
      PID:4299
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/data/com.yghys.doctor/.jiagu/tmp.dex --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/data/com.yghys.doctor/.jiagu/oat/x86/tmp.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4321
    • sh -c ps
      2⤵
      PID:4415
    • ps
      2⤵
      PID:4415
    • ps daemonsu
      2⤵
      PID:4441
    • ps | grep su
      2⤵
      PID:4459

            Network

            MITRE ATT&CK Matrix

            Downloads

            • /data/data/com.yghys.doctor/.jiagu/classes.dex
              Filesize

              3.5MB

              MD5

              8fa88efa13f592e38a4904c4fb3248c3

              SHA1

              a10b7a7b0fe18450bf8217a7cbe256762ef1be75

              SHA256

              d114c5dd531cbbdcef50763c51bdd3c9f972ccaea9b89d409f27cafad6b836d4

              SHA512

              2ae90c4d007c2d6427a7b81d2e728c6386504ce9a9882a54d8b31f27dca290fb84a1da5d88c201c06a3d439f9a7fe8dd79b1e1dfe7ea6e2c87718d8c1b1cee58

            • /data/data/com.yghys.doctor/.jiagu/classes.dex
              Filesize

              6.4MB

              MD5

              5ce8c72a6acb4dea0b907f31c71f1638

              SHA1

              c32fd2d1f50b23e2504fbefd282e255ef7694dca

              SHA256

              3d0d1b7969ea11bf1cb8edd2fcf315556a3fd989cb09f5d31c5f4c755b2a404b

              SHA512

              d84494057ae4f337aab1f315e84e1e4bbf5cfd6cf3585f19b12151c3181d71bdd12c4866abc5ff9172b00de6497ca4a55268bf54f9ac90fef05c96b42a892c3f

            • /data/data/com.yghys.doctor/.jiagu/libjiagu.so
              Filesize

              456KB

              MD5

              7e7125a1193cfa8a696c1b8a6d2a103e

              SHA1

              af193df6127a47f455ebb7d5b792d2e982f4e004

              SHA256

              707cbb7d210699b111f050a382224f04ba2dbf72ecb4ee8f420d5759b6a23681

              SHA512

              91a62f00c2a9dc3c28348ef512ca56ab44d999e11dd806d565109159e79f25833c9141023ad639c7f5132acb8038ca0d7cc049ca2118534570d3ef1b36798b03

            • /data/data/com.yghys.doctor/.jiagu/tmp.dex
              Filesize

              284B

              MD5

              f1771b68f5f9b168b79ff59ae2daabe4

              SHA1

              0df6a835559f5c99670214a12700e7d8c28e5a42

              SHA256

              9f8898ce35a47aeafced99ea0d17c33e73037bb2307c7688e50819966f4ae939

              SHA512

              dae27d19727b89bec49398503baa6801640540355688dfabbe689c97545295c2c2d9b0f0dcd7cbc4cfbf701d0c0c3289e647a152f49ff242d1ecc741efe4145d

            • /data/data/com.yghys.doctor/databases/hmdb
              Filesize

              12KB

              MD5

              3fe30614d7e0d11db870b4624f6c50e0

              SHA1

              053ff0fc621ab40f2afeddb3e7b4a73ee41ec533

              SHA256

              67c532f0324228dd33b445cd399c1426e3a0e0cdc7b9358c66b402c5d40a838d

              SHA512

              c7c09e97a408e88aacaf8099ad4d1fa604d58113393500a384eb3c2eb7c3c105af41314934b86eca2f088045cbab5a20d768bbb295448dc1ae6cb6c3f59821ae

            • /data/data/com.yghys.doctor/databases/hmdb-journal
              Filesize

              512B

              MD5

              568e6fc42ab583c4cd3205e2b67c1046

              SHA1

              d2e84c319944efc82d3e6c67b53a319c368a81c0

              SHA256

              f69687c980c430c398bea03e7c93241fa573b5b1fa12cf7c3bf0065d53b84cbe

              SHA512

              8a3619ed83922f5f25a1cca3ca1f8fefafe04b934ce7e60321d6d673d31715c68c957e3f03cdb0c648af5b5c5389dbd8835154c30b3181e4c7f3d0ebb16073b4

            • /data/data/com.yghys.doctor/databases/hmdb-wal
              Filesize

              16KB

              MD5

              1efe779e355b3d1f22e268fe16598cb4

              SHA1

              51414f90a2e829db44f0178eeb6fe647e0e4ec7b

              SHA256

              61cff3692173cc769acdc68113dc80da9ed9d0eeed81bc7f78afd9e84ab0f672

              SHA512

              849f94ef8a48150d3cfdfe14b81744415c846d616df34c374154ba0c0dbb0943a253a5e3c0f955b157abac413ff1ae8ef5ca8561a74d36fb86dacc77785e9ed3

            • /data/data/com.yghys.doctor/databases/logdb.db
              Filesize

              36KB

              MD5

              a7b5debf648af8527d38065f285c6754

              SHA1

              ad8513c878ca1483a2472c7f8dfc8a416418517e

              SHA256

              0d8f1987d41b042ee7aa1ae97d1950a40884ff4ed620fd02371017160e50eaf5

              SHA512

              c879b912d723e9c382e547f605dea4d77830d9300c3cdb1a14c2758cf4e895000c7ba2afe37584ed2fb94a9893e8ff47bdfda4dfbf2dc47aca75efc5d28984e4

            • /data/data/com.yghys.doctor/databases/logdb.db
              Filesize

              20KB

              MD5

              46b79f26c9230f98561376eefc08fc7e

              SHA1

              54c2c21e59375190c602180acf41fca8e3d1320a

              SHA256

              a555ac6ce81ba7ce41d5f83177848bf15fac43ac0ae4d0d24c554e259eb5499f

              SHA512

              49b9575368ef9b0fc29b730bb6e3be3d03f8f9604566c2383dbb0ce0cb50d4063278c8f79343b2c1b384ee0cc03214576c126962b3847376faefeacdfcc6278b

            • /data/data/com.yghys.doctor/databases/logdb.db-journal
              Filesize

              512B

              MD5

              28b8aef0984eda8509b0af424e1e995c

              SHA1

              1520163a9fa335fb2b421a79ca81f6c924eae1ee

              SHA256

              d7fb27f511e44c0faa99e778c53aea33c15b56db183f8395021f8d068586d3a9

              SHA512

              f0a348fe19ada44f7ac0ba584d1dd3751a3fc47988273dafb92c1e92c1062b6f268e49a8fbda55a14487b634080b7abdaf73d298ed718795b84a6848c23cd809

            • /data/data/com.yghys.doctor/databases/logdb.db-shm
              Filesize

              32KB

              MD5

              bb7df04e1b0a2570657527a7e108ae23

              SHA1

              5188431849b4613152fd7bdba6a3ff0a4fd6424b

              SHA256

              c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

              SHA512

              768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

            • /data/data/com.yghys.doctor/databases/logdb.db-wal
              Filesize

              48KB

              MD5

              6b76b007a39a0dfe74357a9d6b7e472e

              SHA1

              6e0a5ade61891e051278f7f3aba75bc45e0ee74e

              SHA256

              483bb23c95417c6bf9cc219046b7689684e729ffb1be3844131880be71489b19

              SHA512

              7f4a992f95cf918e072afd8f6a6b8fe34c690a71cfa49020781947b591f12a5a1143f56cc4b2c3cdd6d1246c55731460b1f8ebabca4181536abe3c16d07e9ba7

            • /data/data/com.yghys.doctor/databases/logdb.db-wal
              Filesize

              8KB

              MD5

              dc41680d9e089209c84318339a20ae25

              SHA1

              29279d44916911118d65a91be49962aa6278ef88

              SHA256

              6db6c29cdb33666bf4dfe2ba52c8cdb8aa02e2329d61783e60c12e0d0780e83f

              SHA512

              9ff4686191fb9ce98b72834d32fe006af3af112ef32803c0833aea1389043ddeabc90f2342b90036a15e0dddb0576a969606110f5d29e3c70e5c8228141baad0

            • /data/data/com.yghys.doctor/files/.jglogs/.jg.ac
              Filesize

              40B

              MD5

              1e97807150d46ebb5a26e479b98d1d27

              SHA1

              517ccac0293bacdce708717a9bd8c72ad6fd844e

              SHA256

              638a8e25da2400fb2ffbe5c63bc2325ad9d307b56054a26d6264fb61187b5576

              SHA512

              24038807a1b0d4f3ea2515a56f5a7784e722b4dd32fb734369ff05f49cee66a3257fd71c5a3092f7a9aac1099838c1ed1f1f1b2ebb9d2ff71b870b692672a6ab

            • /data/data/com.yghys.doctor/files/.jglogs/.jg.ac
              Filesize

              40B

              MD5

              25228da03bce961c6a26c65c3b67d1e4

              SHA1

              91a013dd07e27dbdb408be0cedefb79659f2402a

              SHA256

              9e30a17ba8afecb3e3f0bbb0fe102356bca9d9ebdb68ed026c9aa9a99f3588be

              SHA512

              6e6c34b71c38df4446d67b7a78a88a4fcb4be0ba5134c440815ece90fdbd6ad6af9326a0f2ce9250b1db504bf4c5e4f713b201b997f3bdf8d74d9451d8935f35

            • /data/data/com.yghys.doctor/files/.jglogs/.jg.di
              Filesize

              340B

              MD5

              1b2de5ea119556cb256073f642608b2b

              SHA1

              fe29b38904488f5de63a1f6131e2c05d9dd040a1

              SHA256

              e375a867939af21cd2c3600a352bfcc1872ca102745cb43a26f8fc535b240335

              SHA512

              0c447d7daa3dbedabce3d74b696c7b578064a43b6ebb9e48954d66c9c8b8e450de0dd0ce6be5f5390ab21320c4f8ac0ce642e6c958ee9fab559fb064ea2a2bf3

            • /data/data/com.yghys.doctor/files/.jglogs/.jg.di
              Filesize

              340B

              MD5

              04b472287d2fe36da545cfc2bb28ca52

              SHA1

              09e37ed6e9d8dd153da39daa222f7544d579a384

              SHA256

              408e0f903041f868f7a920c9962ee20a0aa935e0be4f05f37396cc65f8804b6a

              SHA512

              93977085f442052d8b99ebc3086da73cd2c534fdc0080727926f53c59f732c73441a5a1a1b40cfe70bd7ffcc9512febf1ba78ae7cda809f1a2d1fc993760472c

            • /data/data/com.yghys.doctor/files/.jglogs/.jg.ic
              Filesize

              40B

              MD5

              aae085fd882690f574e23d72b498fc45

              SHA1

              36acae4729cb4a9412a21768ac2fb32a439e2026

              SHA256

              08c0aa0943c5f35a70c8557c7729b3894192cbeab658b67e3fe981f605549249

              SHA512

              29740a1e5827b6a72c7d1cfbe1ce9b917369aba96cbdef351dc10b258d8f0798f071ae192e3bdb58afc51227252060f48ea099a4975725933ace178d0f00fe67

            • /data/data/com.yghys.doctor/files/.jglogs/.jg.ri
              Filesize

              314B

              MD5

              a2e9c91c9b51e7437c07e770eac40e9e

              SHA1

              33d4aa344566bf6af4cd4971d075348f32d46f29

              SHA256

              dfe6e5dc33d0c9052eee7d05633c78b8e798404f994e949adfc1bf9b9430b5a3

              SHA512

              3c7df32da81e09c7e97d8e6ddba473b806d58d9148c2caa72bdb2a9c10e9f4c455870c2e65cfac3d49e7d688ffeed4614775da057bfe577ef560d5d85da5102b

            • /data/data/com.yghys.doctor/files/.jiagu.lock
              Filesize

              27B

              MD5

              d0f3dd39fcad68f5cd9d8329b9d38c51

              SHA1

              32360e72962ba4775e27871bdb9c7fefe18c9de3

              SHA256

              4b4f290c82ed0a483ae497fc3c48812a25050be44919be5fb89df4f265ca466d

              SHA512

              065154fa0f3762ce729e7eda1498076999c89ff8f82088825b97adb492017a9717e82cd710c90c686b104c59e077c0e8d00f4f885ae3899227e916700969ea37

            • /data/data/com.yghys.doctor/files/a/b/302ba74a656c04e34a61632854136ab2.0.tmp
              Filesize

              567B

              MD5

              f61b010134c90d8e98f43113de4e2905

              SHA1

              412836948526497ee0720586644b775b1e76c590

              SHA256

              4b3589abde03155ee128fe212225a8ca29caf2078997d1176d47d8ad5d3093c5

              SHA512

              a052ddb40da3b9e49c111dd8e6c01e33a40b7b00f44893dbd227f05fe34074fb3180ca7117fafaff1c8aa0a36f32aabb862b6553f0b9de60682da82af91d0df0

            • /data/data/com.yghys.doctor/files/a/b/4c984fe24161907e5b5b9423ecec3163.0.tmp
              Filesize

              567B

              MD5

              60930797c9b80f505e1619737ad9befa

              SHA1

              cb1a2cb2704e9c4ff99b67583f177215b9aa6ae7

              SHA256

              572b3312207b2a69e2b4e03d7485223a4a1e2871fec0c1944cfce131b668b9ba

              SHA512

              33a8f0f1baf8cf79a568d1c1dd34e996ca246d428dcf82a9f7e9dd460734ec629f300a0407dfd13919db29eaf1272192f04723c290e99e72c403eadbc38a8984

            • /data/data/com.yghys.doctor/files/a/b/5ad6cdbb45b4a14283563bba26a5e0b7.0.tmp
              Filesize

              567B

              MD5

              59f8d3561572d950886482bf834128cf

              SHA1

              f92e3ba1297d5b78eeff0e7fbfadb96ea166814f

              SHA256

              8affe5879b68d61a3b5606adfab4d7bb15e87f55c71099ee56c6a824125ba682

              SHA512

              41bd3624e362248dfbdbb20b7d95b69c0323d3d53f94fbae925ac926c2f0ba4e800dc7b7bf3068c1b863c6f5367952ebbeeb53d15197551064864b6199cf8802

            • /data/data/com.yghys.doctor/files/a/b/journal
              Filesize

              113B

              MD5

              0cf77f36c527abcba3e91da23011c1bf

              SHA1

              3bd240ceb6e24c9ceb3e2ac8cbaab6cec10cdfdf

              SHA256

              a6bb2d97757402adee9ec84cd2497f9e23a9408d3ac4f09f2d8fd23066cad0b6

              SHA512

              6e6e40d6ff7a2e539b81246e9176b4ee18937c9f7884592a91b7613f4eaa754c54c97dde39c6c7c81fbb6901231c3136a288c801bd3c654e58bf24a29112cca4

            • /data/data/com.yghys.doctor/files/a/b/journal
              Filesize

              195B

              MD5

              71f6d92ab0c026c080b146fd16205b3e

              SHA1

              860ef123417c3005d31e8ec22e7e3ec70e07e132

              SHA256

              a8eb1409fac1aa8351b7b137f30d664099b47db7318f65cec4c9793bdedbc304

              SHA512

              5685625ceda7a46a35859bcc863fea11687d586dd197dd70cfacafbc9f898a2d50822056ca40e43f8a4063e028f8ea2a6455fb62bd9d3d834bff06c81ff5f3d4

            • /data/data/com.yghys.doctor/files/a/b/journal
              Filesize

              277B

              MD5

              a31fa9a297e892a3cc42f29907d78dd4

              SHA1

              748071d2117fbbe331810c89823211c099a981de

              SHA256

              67866ae64faa6c1696fc4710a8771d6ded9acce66f2f32292495a8d7ba192a73

              SHA512

              2feea36281e462ee7609acb59499819ea339d0b050391e7b6563b14b516b3f9e66d0171da87c106db761d5f7c4b1d3ca4e0df61979a550ffb9f694e174118d99

            • /data/data/com.yghys.doctor/files/a/b/journal.tmp
              Filesize

              31B

              MD5

              8c92de9ce46d41a22f3b20f77404cc1d

              SHA1

              8671a6dca00edb72be47363a7071be65cf270373

              SHA256

              68bb33ddeed9200be85a71f70b377985f9ee68e91578afbde8321463396f1274

              SHA512

              30f45fe9954215d6adafcc8f0a060a7ff41963a64f9b849a37f0d18fe045038d429ec13bf15226769c4ba78dad3c52f3d9e0dbbb4fcdea4828a1efe956e48f56

            • /data/data/com.yghys.doctor/files/a/k.store
              Filesize

              32B

              MD5

              21b24d3cea3aae90c2466a189a6cdbdb

              SHA1

              7357cef0927fe48bbb0af40a7bc42acc50e652a4

              SHA256

              5c95b879c50a971d168a9347075eda8093b65ed50c47354a2ada45ebab60ffed

              SHA512

              e0e28c6eba12feb8b973d632ec0d2125c8656c45d4374c9418a0e1a238b0cded865f4ea12ae3f7a5f52b095f7131cef4402185d913bc55366feaf4b122592ecb

            • /storage/emulated/0/360/.deviceId
              Filesize

              48B

              MD5

              1d8d16c4e3b19ebf18988530d9b9a757

              SHA1

              bc94c1cce05cd848a53271ecb9c5311e27ffebf5

              SHA256

              abd87140da8de3d0aa39a24a8d52bfe7b2eb28f7a3d505f205471c7e8f4964d7

              SHA512

              4562d1eedbc5c2dd7f25cd1c70343053fd451026403585182b142a64f17016c1bd0bf6ad51667b439b220e425640e55fbbda08517e7106376cdc220a4555da82

            • /storage/emulated/0/360/.iddata
              Filesize

              32B

              MD5

              6f0772a051314af5a711ec1b6e72f5ec

              SHA1

              a3c7d02a96f92e29d037a4e56c1ee7ecf89dbda6

              SHA256

              e10089131de56ed9426e2233e3af340b180b3a909e73a0f0271da402cffcf0d3

              SHA512

              d19eb6b4e2d8519d4fdac500e151e52bc4cbcb835ad3f64e55917065fc1fb0c691aba277f7e5a8efa72b4e7aba920466fd2aecc8c37cda545c6f8004b86b21ab

            • /storage/emulated/0/amap/openamaplocationsdk/alsn20170807.db
              Filesize

              20KB

              MD5

              731fba9d21f23915576ea5dc2ea3ffb8

              SHA1

              d1fdbc209db8b71d1b4e5341e75b8cc88647146a

              SHA256

              87510194f38897a04cd1f80bd6fffc3344fa8ef21baa61de020a2e790a7268ab

              SHA512

              b643177cf3a30543342d3a521a2dcfce70df4ec450b040e2b61d8692bbed4b3cde2f9f304cbf496869b89455e3cc6a501e8ff720edbdf0f6898e6a5f31fec25d

            • /storage/emulated/0/amap/openamaplocationsdk/alsn20170807.db-journal
              Filesize

              512B

              MD5

              5e9a7d4d18916dd9b6b599f4cb4c17dd

              SHA1

              ff23ba75bac3bab6c3350988e467880cb004a5a3

              SHA256

              73fe831f2b51d99e5cb1f4282a9481d318aec92b4fe19b3189fa01a69a9b011a

              SHA512

              afc5a2cb6b3e87981f92edd380832119526f4aee01d46daadffe094ccc21317bed053638c033dd1861e90e41cc5dad178201b1e79ce4fd087659cde396205225

            • /storage/emulated/0/amap/openamaplocationsdk/alsn20170807.db-wal
              Filesize

              32KB

              MD5

              25bc3eb6fc349c19d637073dd7b1ffcb

              SHA1

              ed3b24f696b94c8bafefbd2e5c4a8c1f2646c300

              SHA256

              f192632e3c1f225c2e1d96625680ed13a5442861c5e702221c42f61ba4e210ec

              SHA512

              cac84b0ecd9d5fc5914f84525e85fd347b4911207167a00066d21ba70b733749cf6224a5ccdd2df0dbdba996321cc54768567485fd985fa7423ccc626f27303f