Analysis
-
max time kernel
170s -
max time network
184s -
platform
android_x86 -
resource
android-x86-arm-20240611.1-en -
resource tags
android, arch:arm, arch:x86, image:android-x86-arm-20240611.1-en, locale:en-us, os:android-9-x86, system
submitted
12-06-2024 12:25
Static task
static1
Behavioral task
behavioral1
Sample
a0a8c2c4ecb10586562d43084bb4554f_JaffaCakes118.apk
Resource
android-x86-arm-20240611.1-en
Behavioral task
behavioral2
Sample
a0a8c2c4ecb10586562d43084bb4554f_JaffaCakes118.apk
Resource
android-33-x64-arm64-20240611.1-en
General
-
Target
a0a8c2c4ecb10586562d43084bb4554f_JaffaCakes118.apk
-
Size
17.9MB
-
MD5
a0a8c2c4ecb10586562d43084bb4554f
-
SHA1
e9056828f3f2493139d249739754ee839585b2d3
-
SHA256
d5fce18f90dfdecbca27ed4c7549163f2b4ce2bae98f1815eb05e81c80d07046
-
SHA512
880b23ce5c666323ebf55d37689149c0395d452faa69663f03ab3f67e8e6e4303c9d1029039b241a5dac752671d640accbe561220d50d83e9084289224dace70
-
SSDEEP
393216:ZONPXBL3FFxnm1ucDS+N6cP+r2tF9Y83E7gf/dgmRYtjj:ZO5xpm1dbNLF9RUc2mWt/
Malware Config
Signatures
-
Loads dropped Dex/Jar 1 TTPs 11 IoCs
Runs executable file dropped to the device during analysis.
Processes: com.xgbuy.xg, com.xgbuy.xg:pushcore, /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/data/com.xgbuy.xg/.jiagu/tmp.dex --output-vdex-fd=41 --oat-fd=44 --oat-location=/data/data/com.xgbuy.xg/.jiagu/oat/x86/tmp.odex --compiler-filter=quicken --class-loader-context=&
ioc | pid | process
/data/data/com.xgbuy.xg/.jiagu/classes.dex | 4217 | com.xgbuy.xg
/data/data/com.xgbuy.xg/.jiagu/classes.dex!classes2.dex | 4217 | com.xgbuy.xg
/data/data/com.xgbuy.xg/.jiagu/classes.dex!classes3.dex | 4217 | com.xgbuy.xg
/data/data/com.xgbuy.xg/.jiagu/tmp.dex | 4217 | com.xgbuy.xg
/data/data/com.xgbuy.xg/.jiagu/tmp.dex | 4217 | com.xgbuy.xg
/data/data/com.xgbuy.xg/.jiagu/classes.dex | 4352 | com.xgbuy.xg:pushcore
/data/data/com.xgbuy.xg/.jiagu/classes.dex!classes2.dex | 4352 | com.xgbuy.xg:pushcore
/data/data/com.xgbuy.xg/.jiagu/classes.dex!classes3.dex | 4352 | com.xgbuy.xg:pushcore
/data/data/com.xgbuy.xg/.jiagu/tmp.dex | 4352 | com.xgbuy.xg:pushcore
/data/data/com.xgbuy.xg/.jiagu/tmp.dex | 4485 | /system/bin/dex2oat (full command line above)
/data/data/com.xgbuy.xg/.jiagu/tmp.dex | 4352 | com.xgbuy.xg:pushcore
-
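The dex2oat command line above is the most useful artefact in this signature: the dex being compiled lives in the app's own data directory (a hidden `.jiagu` folder, a name consistent with the 360 Jiagu packer) rather than in the installed APK under /data/app/, so the code was written to the device at runtime and then compiled. The following is an added example of my own, not the sandbox's or the app's code, that parses such a command line and makes that call automatically. Two interpretations in it are mine rather than the report's: `--class-loader-context=&` is ART's encoding for a class-loader chain it cannot describe, which is what loading through a custom ClassLoader produces, and `quicken` is the filter ART applies by default on Android 9 to dex files loaded through a ClassLoader at runtime. The second command line is a constructed benign install-time compile used for contrast.

```python
"""Classify dex2oat invocations from a sandbox process list.

Added example; not code from the sandbox or from the analysed app. It parses
the dex2oat command line the report shows and decides whether the dex being
compiled came from the installed APK or from a file the app wrote into its
private data directory at runtime.
"""
import re

# Directories an app can write to at runtime. A dex under one of these was not
# part of the installed package, so it was dropped or downloaded.
APP_WRITABLE_PREFIXES = ("/data/data/", "/data/user/", "/sdcard/", "/storage/")
# Where the package manager installs APKs; code here was present at install time.
INSTALLED_PREFIXES = ("/data/app/", "/system/", "/vendor/", "/product/")


def parse_dex2oat(cmdline: str) -> dict:
    """Return the --key=value options of a dex2oat command line as a dict."""
    tokens = cmdline.split()
    if not tokens or not tokens[0].endswith("dex2oat"):
        raise ValueError("not a dex2oat command line")
    opts = {"runtime-args": []}
    i = 1
    while i < len(tokens):
        tok = tokens[i]
        if tok == "--runtime-arg" and i + 1 < len(tokens):
            # --runtime-arg takes its value as the following token (e.g. -Xmx512m).
            opts["runtime-args"].append(tokens[i + 1])
            i += 2
            continue
        m = re.fullmatch(r"--([a-z0-9-]+)(?:=(.*))?", tok)
        if m:
            # A repeated option keeps its last value; --instruction-set-features
            # appears twice in the report's command line.
            opts[m.group(1)] = m.group(2) or ""
        i += 1
    return opts


def dex_origin(path: str) -> str:
    """'runtime' (app-writable dir), 'installed' (package/system dir) or 'other'."""
    # ART names secondary dex files inside one container as container!inner,
    # e.g. classes.dex!classes2.dex; the container path decides the origin.
    container = path.split("!", 1)[0]
    if container.startswith(APP_WRITABLE_PREFIXES):
        return "runtime"
    if container.startswith(INSTALLED_PREFIXES):
        return "installed"
    return "other"


def triage_dex2oat(cmdline: str) -> dict:
    """Summarise one dex2oat invocation and flag runtime-loaded code."""
    opts = parse_dex2oat(cmdline)
    dex = opts.get("dex-file", "")
    origin = dex_origin(dex)
    return {
        "dex_file": dex,
        "oat_location": opts.get("oat-location", ""),
        "compiler_filter": opts.get("compiler-filter", ""),
        "origin": origin,
        # "&" is ART's marker for a class-loader chain it cannot encode, i.e. the
        # dex was opened through a custom ClassLoader, not the app's default one.
        "custom_class_loader": opts.get("class-loader-context") == "&",
        "suspicious": origin == "runtime",
    }


# Command line taken from the report above (process pid 4485).
REPORT_CMDLINE = (
    "/system/bin/dex2oat --instruction-set=x86 "
    "--instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt "
    "--runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate "
    "--boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m "
    "--instruction-set-variant=x86 --instruction-set-features=default "
    "--inline-max-code-units=0 --compact-dex-level=none "
    "--dex-file=/data/data/com.xgbuy.xg/.jiagu/tmp.dex --output-vdex-fd=41 --oat-fd=44 "
    "--oat-location=/data/data/com.xgbuy.xg/.jiagu/oat/x86/tmp.odex "
    "--compiler-filter=quicken --class-loader-context=&"
)

# Constructed contrast case (not from the report): a normal install-time compile.
BENIGN_CMDLINE = (
    "/system/bin/dex2oat --instruction-set=x86 --compiler-filter=speed-profile "
    "--dex-file=/data/app/com.example.app-1/base.apk --oat-fd=10 "
    "--oat-location=/data/app/com.example.app-1/oat/x86/base.odex "
    "--class-loader-context=PCL[]"
)

if __name__ == "__main__":
    for name, cmd in (("report", REPORT_CMDLINE), ("benign", BENIGN_CMDLINE)):
        print(name, triage_dex2oat(cmd))
```

Run over a whole process list, the `origin == "runtime"` rows give the same eleven IoCs the signature lists; the `!` rows show that the dropped classes.dex is itself a multidex container with classes2.dex and classes3.dex inside it, so the real application code is three dex files that never appear in the APK on disk.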
Queries information about running processes on the device 1 TTPs 2 IoCs
Application may abuse the framework's APIs to collect information about running processes on the device.
Processes: com.xgbuy.xg, com.xgbuy.xg:pushcore
description | ioc | process
Framework service call | android.app.IActivityManager.getRunningAppProcesses | com.xgbuy.xg
Framework service call | android.app.IActivityManager.getRunningAppProcesses | com.xgbuy.xg:pushcore
-
Requests cell location 2 TTPs 1 IoCs
Uses Android APIs to get the current cell location.
Processes: com.xgbuy.xg
description | ioc | process
Framework service call | com.android.internal.telephony.ITelephony.getCellLocation | com.xgbuy.xg
-
Queries information about active data network 1 TTPs 2 IoCs
Processes: com.xgbuy.xg, com.xgbuy.xg:pushcore
description | ioc | process
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | com.xgbuy.xg
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | com.xgbuy.xg:pushcore
-
Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
Processes: com.xgbuy.xg
description | ioc | process
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | com.xgbuy.xg
-
Reads information about phone network operator. 1 TTPs
-
Listens for changes in the sensor environment (might be used to detect emulation) 1 TTPs 1 IoCs
Processes: com.xgbuy.xg
description | ioc | process
Framework API call | android.hardware.SensorManager.registerListener | com.xgbuy.xg
-
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 2 IoCs
Processes: com.xgbuy.xg, com.xgbuy.xg:pushcore
description | ioc | process
Framework service call | android.app.IActivityManager.registerReceiver | com.xgbuy.xg
Framework service call | android.app.IActivityManager.registerReceiver | com.xgbuy.xg:pushcore
-
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 2 IoCs
Processes: com.xgbuy.xg:pushcore, com.xgbuy.xg
description | ioc | process
Framework API call | javax.crypto.Cipher.doFinal | com.xgbuy.xg:pushcore
Framework API call | javax.crypto.Cipher.doFinal | com.xgbuy.xg
-
Checks CPU information 2 TTPs 1 IoCs
Processes: com.xgbuy.xg
description | ioc | process
File opened for read | /proc/cpuinfo | com.xgbuy.xg
Processes
-
com.xgbuy.xg (depth 1)
- Loads dropped Dex/Jar
- Queries information about running processes on the device
- Requests cell location
- Queries information about active data network
- Queries information about the current Wi-Fi connection
- Listens for changes in the sensor environment (might be used to detect emulation)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
PID:4217
-
com.xgbuy.xg:pushcore (depth 1)
- Loads dropped Dex/Jar
- Queries information about running processes on the device
- Queries information about active data network
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
PID:4352
-
  /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/data/com.xgbuy.xg/.jiagu/tmp.dex --output-vdex-fd=41 --oat-fd=44 --oat-location=/data/data/com.xgbuy.xg/.jiagu/oat/x86/tmp.odex --compiler-filter=quicken --class-loader-context=& (depth 2, child of com.xgbuy.xg:pushcore)
  - Loads dropped Dex/Jar
  PID:4485
  -
  cat /sys/class/net/wlan0/address (depth 2, child of com.xgbuy.xg:pushcore; reads the Wi-Fi interface's hardware MAC address)
  PID:4521
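Two items in this tree are environment probes rather than app functionality: the "Checks CPU information" signature (/proc/cpuinfo opened for read) and the `cat /sys/class/net/wlan0/address` child, which is how a packer's anti-analysis stub gets the Wi-Fi MAC without going through the framework's WifiInfo API. The following is an added example of mine, not the app's or the sandbox's code, showing what those two reads give an app whose native libraries are built for ARM (resource tag arch:arm) when it runs on an android-x86 image like the one used here. The /proc/cpuinfo excerpts and MAC addresses are constructed samples; the 02:00:00:00:00:00 placeholder is the value Android's WifiInfo.getMacAddress() returns when MAC access is restricted, and treating it (or an all-zero address) as an indicator is my heuristic, not something the report states.

```python
"""Model the environment checks attributed to the sample: reading /proc/cpuinfo
and the wlan0 hardware address. Added example, not code from the analysed app
or the sandbox; every sample input below is constructed."""
import re

# Constructed /proc/cpuinfo excerpt in the layout an x86 Android image exposes.
CPUINFO_X86 = """\
processor\t: 0
vendor_id\t: GenuineIntel
cpu family\t: 6
model name\t: Intel(R) Core(TM) i7 CPU
flags\t\t: fpu vme de pse tsc msr pae sse sse2 ssse3 hypervisor
"""

# Constructed /proc/cpuinfo excerpt in the layout an ARM device exposes.
CPUINFO_ARM = """\
processor\t: 0
BogoMIPS\t: 38.40
Features\t: fp asimd evtstrm aes pmull sha1 sha2 crc32
CPU implementer\t: 0x41
CPU architecture: 8
Hardware\t: Qualcomm Technologies, Inc SDM845
"""

X86_VENDORS = ("GenuineIntel", "AuthenticAMD")


def parse_cpuinfo(text: str) -> dict:
    """Parse 'key : value' lines of /proc/cpuinfo; first CPU wins, keys lowercased."""
    info = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            info.setdefault(key.strip().lower(), value.strip())
    return info


def cpu_indicators(text: str, shipped_abis=("armeabi-v7a", "arm64-v8a")) -> list:
    """Emulation indicators an app can derive from /proc/cpuinfo.

    shipped_abis lists the ABIs the APK carries native code for; the sample's
    resource tag arch:arm means ARM only, which is the default here.
    """
    info = parse_cpuinfo(text)
    hits = []
    vendor = info.get("vendor_id", "")
    if vendor in X86_VENDORS:
        hits.append(f"x86 CPU ({vendor})")
        # ARM-only native code cannot run natively on x86; if it runs at all, an
        # ARM translation layer is present, which only emulator images provide.
        if all(abi.startswith("arm") for abi in shipped_abis):
            hits.append("ARM-only app executing on x86 (binary translation)")
    if "hypervisor" in info.get("flags", "").split():
        hits.append("hypervisor CPU flag set")
    return hits


MAC_RE = re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$")


def mac_indicators(mac: str) -> list:
    """Indicators from what `cat /sys/class/net/wlan0/address` prints (my heuristic)."""
    mac = mac.strip().lower()
    if not MAC_RE.match(mac):
        return ["wlan0 address missing or malformed"]
    if mac == "00:00:00:00:00:00":
        return ["all-zero wlan0 MAC"]
    if mac == "02:00:00:00:00:00":
        # The placeholder Android's WifiInfo.getMacAddress() returns when access is restricted.
        return ["placeholder wlan0 MAC"]
    return []


def looks_emulated(cpuinfo: str, mac: str) -> bool:
    """Combine both probes the way an anti-analysis stub would: any hit is enough."""
    return bool(cpu_indicators(cpuinfo) + mac_indicators(mac))


if __name__ == "__main__":
    # Constructed hardware MAC for the physical-device case.
    for label, cpu, mac in (("x86 image", CPUINFO_X86, "02:00:00:00:00:00"),
                            ("ARM device", CPUINFO_ARM, "a4:50:46:12:34:56")):
        print(label, looks_emulated(cpu, mac), cpu_indicators(cpu), mac_indicators(mac))
```

The practical consequence for the analyst is the one the resource choice already hints at: an ARM-only APK on an x86 image can tell it is being translated from /proc/cpuinfo alone, so a second run on the arm64 image (behavioral2 above) is the cheaper way to see what the packed payload does once these checks pass.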
Network
MITRE ATT&CK Mobile v15
Defense Evasion
  Download New Code at Runtime (1)
  Execution Guardrails (1)
    Geofencing (1)
  Hide Artifacts (1)
    User Evasion (1)
  Virtualization/Sandbox Evasion (1)
    System Checks (1)
Downloads
-
Filesize
6.5MB
MD5
bc7b7cec4c2313b65f6d767a77164dd0
SHA1
f0a2fb5db284bc60f424c2084984c830cf4d2ca1
SHA256
84906c5a9b057b44e0df1fb8030d13110748ba30ef7a8017abdd3157ef349ffb
SHA512
379bec4a7a82a83c32e93cb3d5d0e0622d78ec79a5e17861f9600069283ffeac13340003fd2323c884a114bd45102034b3e5e609b3390ce099db6ef71a144432
-
Filesize
6.5MB
MD5
f1e1513c1caa393fe8e9a3f9fff03e7c
SHA1
db053d40d0ead70c10b229d129359601a8b5debd
SHA256
4e81f36348e9d21ea9121450a9c68817efadedf40bf365af9d54a6033b363934
SHA512
e9c0cb206d14c55f3bf375fddd0d1edcf2e4540c24ac5df6e1c4884e87be9861a87b4fa5a49162fd054bafac7ed223e6f79686ffd71224f64f7336173298c03b
-
Filesize
2.0MB
MD5
e0cdaf1a37a325beb335128a913ce71e
SHA1
1b4f9eda9ff72406032655f7a7f97e361d90bb2f
SHA256
444121cbd8f09a2461d84bcdecea5c61c0a5bc7b0fd3671d6a1ba5a91281cbba
SHA512
2f24d69d48c4cf889db9b6d2d5c867b8ea758663e0e83ce1e7ecf650a6b5850669d35d46df3355a643bb2732b590d4609eabbe4aa74d4a4b076c3bb8e8a17d8b
-
Filesize
485KB
MD5
015df5724b50b4fbc6dd0caf7ccb817c
SHA1
980780e98c9958aec97ab7a0de8d28a4c5fd9429
SHA256
183990718a96d742bc6f1bb04c313e04db6dc62d445ecb294a7f15babd3281c6
SHA512
fda8f5343cac8102aade5f1aeac7c5b028ea5d8c92e3d12de92e1ffce30bab47a446f215c9cff7dd1e1bb88980ee0d27b5241e856719fcc1f6a5c25e062e9d40
-
Filesize
284B
MD5
f1771b68f5f9b168b79ff59ae2daabe4
SHA1
0df6a835559f5c99670214a12700e7d8c28e5a42
SHA256
9f8898ce35a47aeafced99ea0d17c33e73037bb2307c7688e50819966f4ae939
SHA512
dae27d19727b89bec49398503baa6801640540355688dfabbe689c97545295c2c2d9b0f0dcd7cbc4cfbf701d0c0c3289e647a152f49ff242d1ecc741efe4145d
-
Filesize
512B
MD5
7e27048b9843eb8ee2864bdcb71965de
SHA1
5d136b2bdcb4d8db9cc7778c2a190e204afd3f9d
SHA256
4cf29414fdaf385172556e2c3ce9b801f8852bb7630c108f3312b868474e65c8
SHA512
5fd31745398ea8856a45001625a03c3b04792c614e1977ab8bdfd9e1bf74ab19f754b4b4843dbeec9063e68e5a2b5c54e50fed72b7ffa3320508397c6e29ed01
-
Filesize
32KB
MD5
bb7df04e1b0a2570657527a7e108ae23
SHA1
5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256
c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512
768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012
-
Filesize
112KB
MD5
42a91b8c65c4e3dae56b06bbf42a838e
SHA1
d618949f51b1773e4d1d908eee99d54b7cdf8f58
SHA256
0a6d710e299b70288d66964f4d613d29d36cdc43b535932b20735b30cfcff2f7
SHA512
bbb7169ab063d19e948fc4febb2e5c49ea21f8532e0f589e621f6a3019d72bf99982824d0e950dee00e6dc38e3c3564f28eeacb923a6f9603b0b9498b080d750
-
Filesize
4KB
MD5
f2b4b0190b9f384ca885f0c8c9b14700
SHA1
934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256
0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512
ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1
-
Filesize
512B
MD5
27b16d83c11004128f7cdd339bba3066
SHA1
fa2b420d8d210b1927675295a34e8989c52790f5
SHA256
62db79e621bfa15d0dee904b5115774cb829fe80fcb46382e142d8adcec42ea6
SHA512
b8d481b49a4b25cfccf97e4ee35c30829aedb1360d4f34a2ec77b4b6834d79ba93037bae74c4299e8d7edd923828aa845bfe51b8b1726d49c29734b90b443705
-
Filesize
16KB
MD5
fd7e7c06da28b66625794306f6e5eb68
SHA1
03f6007a59aea531a84f0276fd75b12e8090c66c
SHA256
450e562deffff8fe055b1a5f54b4f3d0ce988e140f985084b3de4253ba28ce5e
SHA512
75aa55ddd5037f1201e54beb0d1b164998241fd22de0b8c7d7286a070bed82277f44b46899dcc9fbd780313d61d31cf692edef4846a3784614cf8db8ee5f225c
-
Filesize
32B
MD5
1264f30db5bc978090c891fc9ba97820
SHA1
22a1664ca5bac8af36bdaf8e4098c02c7fc9c1fc
SHA256
6383110e70c2cf20a67539bbf759d99229ac2dcd214cae6a3c5de840497bab2c
SHA512
f3ec53223344ea4763479b39ae62a3dde4b83e0db05d4707c9e2c914725943063706c6c53e6fc043ee13640ac98242775c901b84ec76eb3edf11615bd0084488
-
Filesize
340B
MD5
f8b90bbbe8dafd132d61971702713007
SHA1
b0218e3a752661b2f7db0721bbbf31e85f5e995f
SHA256
e8108d9b07062e69eee94d1fa3cf702143b6a23bc9404bbb79d4a92aa8739e6a
SHA512
78982401f1c6388319cee97a53180d40d9d703daa3a4bbba1fbfa8182b5b72490b0f4b80755afdbd7652770262fd04546ab73d192e1ad3b902920e76b27baf8d
-
Filesize
57B
MD5
70a42cba408700f9a6c01c7941a8829e
SHA1
eab01cc2c0671538795fb0b1146017dc099d0984
SHA256
499576707ce2623293166979e59c832be5b8636c64ad39aa63ebcf961910c35f
SHA512
8900d4dc8eed0430babbacb72942401bd22ef7fe5430cad90d3ce0c2c53010220d666aa0e2eb1026f3ec81d574c7fa12585b49222a5f15b01637f6ba134fe70c
-
Filesize
100B
MD5
3c03799d3c1c27f4d60e83dae14468cc
SHA1
f7be43bf86f5f72798ce1c75ca4789beabcc4e71
SHA256
d01fddee228a0e8c965de70de8f3a2f491f083bd32d7e605df050e941d999f80
SHA512
fe4b988ad1226f8a114bd5b660d48a5f4f2666996a341ee6d092a5f601eddcfaefef192197fa07e3a648ceb867da9b6a30d25029e650ce53a9c3f0f75fe1f2a5
-
Filesize
73B
MD5
1a5d276d1e61ef6ab8262f83cc23eeb4
SHA1
d0979b7b2304f4a8540b132a87ce728637359431
SHA256
54b74f17e1010d576783577bcc52009aeaae6f9c58f3b29f6becd0bbd248091d
SHA512
dc3ab8cdd7c8b549601253ecc5612c6efbd8bddd0fc26f7a463e94eadbea5c8c42e531996a3826bfa6760fd9676f5ece376d8020dda0896f024cd5427fa62f05
-
Filesize
314B
MD5
66db60f4ce13da6a6d8d794ddbdc8be6
SHA1
6b7b1932696a9da002d93302f4a33d1592cccfc8
SHA256
312684aaf6623368477c222f6e50fb4170f94ee59a13edf87322beb42c6be473
SHA512
ba879d50e3076a745720baa7e1623605611d851dbb7890c795ee9c336f2b7230f42e5d5b626fe81b5df995799efcc2ecd7b8466fb67f32a41e288682f04b4036
-
Filesize
27B
MD5
46ab1fce613d6f2a78e36d7998c30892
SHA1
4550a5b8d6d98971b2dc9d3544408ff532af9df0
SHA256
42bf5a12623cbbb0daf9a933a68486bcb56171ad857bff712b9b627bf006a6f6
SHA512
8498b3a92278dbea6fc3480a494f40e046ff5ecf81d9710e712acb9e7b9e5a54c92276cfc2c40ab6b99aa3a66be7e6060d4d04aea3298b62ad25836d09f58301
-
Filesize
2B
MD5
99914b932bd37a50b983c5e7c90ae93b
SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd
-
Filesize
23B
MD5
8e24e79baab91c4d0604eaa9006a0cb3
SHA1
e427afc94a4b957a7096f73e395a10ea404c076b
SHA256
65ee797326cb9d94a4c8b13fb114a7273d80af9ae547496bf56556c479f75e4d
SHA512
45bde5e1b5da5e54f7f5baf24cf4d9158ccf5813f0babc05677437bfedf1d54c4707090a1c425089e8f9582a85fed80b25c1e1f30ec2051afc6fe68bb8a76bae
-
Filesize
48B
MD5
1d8d16c4e3b19ebf18988530d9b9a757
SHA1
bc94c1cce05cd848a53271ecb9c5311e27ffebf5
SHA256
abd87140da8de3d0aa39a24a8d52bfe7b2eb28f7a3d505f205471c7e8f4964d7
SHA512
4562d1eedbc5c2dd7f25cd1c70343053fd451026403585182b142a64f17016c1bd0bf6ad51667b439b220e425640e55fbbda08517e7106376cdc220a4555da82
-
Filesize
66B
MD5
19402718bfb1c685a726b4e1d846ad98
SHA1
02a7e30044a67085f2f1da24e16e4ecfede65b72
SHA256
079f790e6a1934a94542559f53a89a824aafd3173d956b6019291955aeeb33d0
SHA512
25254318c22cfd301c8bcd479f45797d502b6ab5f14265dadfa3d87b4dd1942a629d3cbc2f0b600cf73b4fe910e3773432f56a0a7b4343e280e20c5a6af0320b
-
Filesize
57B
MD5
acc2a2f5cb76c41d2e97e0d409b53bdd
SHA1
ed06f22ff10e0912f50d53bc775ed2ae70f85d5a
SHA256
12ee2ab25175281fd1efab755eb5a5b442e91d263646c52118e6b1e97856f448
SHA512
faed72411dfb1546a82a302b6aadf921bf66a09aa4641a6d1d523e5b58c063d5210089ca2d7dec8aadbe1efec4748a8abb36ab9fe1ab18539a92b76730b85419