cb935716f29af4136d449825baab47a79984011807ca0e6dca466e9d6eeffb1f

Analysis

max time kernel
177s
max time network
185s
platform
android_x86
resource
android-x86-arm-20240611.1-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20240611.1-enlocale:en-usos:android-9-x86system
submitted
13-06-2024 08:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a4b23fa77a1b406c9026ba2b1d5e3f03_JaffaCakes118.apk
Size

17.7MB
MD5

a4b23fa77a1b406c9026ba2b1d5e3f03
SHA1

a0781bf4a4ad092f590e19cb41324395ba4dc4bd
SHA256

cb935716f29af4136d449825baab47a79984011807ca0e6dca466e9d6eeffb1f
SHA512

4cb71e292321c96f1ea8151c6e528f7e97db75011e054787d99345f11e6e0a26ce5296f831180e2e729402883b16db005c56b8720562e64e4cdd93fa0be332a9
SSDEEP

393216:nCFebgK7SZonxcgXWL9m1V0FZGGQLVVH62BYwgux3:Wel7SmnxcgW8HM+LvY7uh

Score

8^/10

discovery evasion impact persistence

Malware Config

Signatures

Checks if the Android device is rooted. 1 TTPs 4 IoCs

evasion

T1426

Processes:

com.gezlife.qianrenzhang:pushcorecom.gezlife.qianrenzhang/system/bin/sh -c type su/system/bin/sh -c type su

ioc	process
/system/app/Superuser.apk	com.gezlife.qianrenzhang:pushcore
/system/app/Superuser.apk	com.gezlife.qianrenzhang
/sbin/su	/system/bin/sh -c type su
/sbin/su	/system/bin/sh -c type su

Loads dropped Dex/Jar 1 TTPs 9 IoCs

Runs executable file dropped to the device during analysis.

evasion

T1407

Processes:

com.gezlife.qianrenzhang/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/data/com.gezlife.qianrenzhang/mix.dex --output-vdex-fd=57 --oat-fd=58 --oat-location=/data/data/com.gezlife.qianrenzhang/oat/x86/mix.odex --compiler-filter=quicken --class-loader-context=&com.gezlife.qianrenzhang:pushcore

ioc	pid	process
/data/data/com.gezlife.qianrenzhang/mix.dex	4264	com.gezlife.qianrenzhang
/data/data/com.gezlife.qianrenzhang/mix.dex	4330	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/data/com.gezlife.qianrenzhang/mix.dex --output-vdex-fd=57 --oat-fd=58 --oat-location=/data/data/com.gezlife.qianrenzhang/oat/x86/mix.odex --compiler-filter=quicken --class-loader-context=&
/data/data/com.gezlife.qianrenzhang/mix.dex	4264	com.gezlife.qianrenzhang
/data/data/com.gezlife.qianrenzhang/mix.dex	4264	com.gezlife.qianrenzhang
/data/data/com.gezlife.qianrenzhang/mix.dex	4264	com.gezlife.qianrenzhang
/data/data/com.gezlife.qianrenzhang/mix.dex	4357	com.gezlife.qianrenzhang:pushcore
/data/data/com.gezlife.qianrenzhang/mix.dex	4357	com.gezlife.qianrenzhang:pushcore
/data/data/com.gezlife.qianrenzhang/mix.dex	4357	com.gezlife.qianrenzhang:pushcore
/data/data/com.gezlife.qianrenzhang/mix.dex	4357	com.gezlife.qianrenzhang:pushcore

Queries information about running processes on the device 1 TTPs 2 IoCs

Application may abuse the framework's APIs to collect information about running processes on the device.

discovery

T1424

Processes:

com.gezlife.qianrenzhangcom.gezlife.qianrenzhang:pushcore

description	ioc	process
Framework service call	android.app.IActivityManager.getRunningAppProcesses	com.gezlife.qianrenzhang
Framework service call	android.app.IActivityManager.getRunningAppProcesses	com.gezlife.qianrenzhang:pushcore

Queries information about active data network 1 TTPs 2 IoCs

discovery

T1421

Processes:

com.gezlife.qianrenzhang:pushcorecom.gezlife.qianrenzhang

description	ioc	process
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.gezlife.qianrenzhang:pushcore
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.gezlife.qianrenzhang

Queries information about the current Wi-Fi connection 1 TTPs 2 IoCs

Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

discovery

T1421

Processes:

com.gezlife.qianrenzhang:pushcorecom.gezlife.qianrenzhang

description	ioc	process
Framework service call	android.net.wifi.IWifiManager.getConnectionInfo	com.gezlife.qianrenzhang:pushcore
Framework service call	android.net.wifi.IWifiManager.getConnectionInfo	com.gezlife.qianrenzhang

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 2 IoCs

persistence

T1624.001

Processes:

com.gezlife.qianrenzhangcom.gezlife.qianrenzhang:pushcore

description	ioc	process
Framework service call	android.app.IActivityManager.registerReceiver	com.gezlife.qianrenzhang
Framework service call	android.app.IActivityManager.registerReceiver	com.gezlife.qianrenzhang:pushcore

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 2 IoCs

impact

T1471

Processes:

com.gezlife.qianrenzhang:pushcorecom.gezlife.qianrenzhang

description	ioc	process
Framework API call	javax.crypto.Cipher.doFinal	com.gezlife.qianrenzhang:pushcore
Framework API call	javax.crypto.Cipher.doFinal	com.gezlife.qianrenzhang

Checks memory information 2 TTPs 2 IoCs

T1633.001

T1426

Processes:

com.gezlife.qianrenzhang:pushcorecom.gezlife.qianrenzhang

description ioc process

File opened for read /proc/meminfo com.gezlife.qianrenzhang:pushcore
File opened for read /proc/meminfo com.gezlife.qianrenzhang

description	ioc	process
File opened for read	/proc/meminfo	com.gezlife.qianrenzhang:pushcore
File opened for read	/proc/meminfo	com.gezlife.qianrenzhang

com.gezlife.qianrenzhang
1⤵
- Checks if the Android device is rooted.
- Loads dropped Dex/Jar
- Queries information about running processes on the device
- Queries information about active data network
- Queries information about the current Wi-Fi connection
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
- Checks memory information
PID:4264

sh -c getprop ro.yunos.version
2⤵
PID:4305

getprop ro.yunos.version
2⤵
PID:4305

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/data/com.gezlife.qianrenzhang/mix.dex --output-vdex-fd=57 --oat-fd=58 --oat-location=/data/data/com.gezlife.qianrenzhang/oat/x86/mix.odex --compiler-filter=quicken --class-loader-context=&
2⤵
- Loads dropped Dex/Jar
PID:4330

/system/bin/sh -c getprop ro.miui.ui.version.name
2⤵
PID:4622

getprop ro.miui.ui.version.name
2⤵
PID:4622

/system/bin/sh -c getprop ro.build.version.emui
2⤵
PID:4647

getprop ro.build.version.emui
2⤵
PID:4647

/system/bin/sh -c type su
2⤵
- Checks if the Android device is rooted.
PID:4677

/system/bin/sh -c getprop ro.lenovo.series
2⤵
PID:4695

getprop ro.lenovo.series
2⤵
PID:4695

/system/bin/sh -c getprop ro.build.nubia.rom.name
2⤵
PID:4722

getprop ro.build.nubia.rom.name
2⤵
PID:4722

/system/bin/sh -c getprop ro.meizu.product.model
2⤵
PID:4749

getprop ro.meizu.product.model
2⤵
PID:4749

/system/bin/sh -c getprop ro.build.version.opporom
2⤵
PID:4795

getprop ro.build.version.opporom
2⤵
PID:4795

/system/bin/sh -c getprop ro.vivo.os.build.display.id
2⤵
PID:4821

getprop ro.vivo.os.build.display.id
2⤵
PID:4821

/system/bin/sh -c getprop ro.aa.romver
2⤵
PID:4845

getprop ro.aa.romver
2⤵
PID:4845

/system/bin/sh -c getprop ro.lewa.version
2⤵
PID:4870

getprop ro.lewa.version
2⤵
PID:4870

/system/bin/sh -c getprop ro.gn.gnromvernumber
2⤵
PID:4896

getprop ro.gn.gnromvernumber
2⤵
PID:4896

/system/bin/sh -c getprop ro.build.tyd.kbstyle_version
2⤵
PID:4920

getprop ro.build.tyd.kbstyle_version
2⤵
PID:4920

/system/bin/sh -c getprop ro.build.fingerprint
2⤵
PID:4945

getprop ro.build.fingerprint
2⤵
PID:4945

/system/bin/sh -c getprop ro.build.rom.id
2⤵
PID:4972

getprop ro.build.rom.id
2⤵
PID:4972

/system/bin/sh -c type su
2⤵
- Checks if the Android device is rooted.
PID:4996

com.gezlife.qianrenzhang:pushcore
1⤵
- Checks if the Android device is rooted.
- Loads dropped Dex/Jar
- Queries information about running processes on the device
- Queries information about active data network
- Queries information about the current Wi-Fi connection
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
- Checks memory information
PID:4357

/system/bin/sh -c getprop ro.board.platform
2⤵
PID:4405

sh -c getprop ro.yunos.version
2⤵
PID:4421

getprop ro.yunos.version
2⤵
PID:4421

getprop ro.board.platform
2⤵
PID:4405

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.gezlife.qianrenzhang/app_crashrecord/1004
Filesize
242B

MD5
b79f193c8019ad1b73d28828bf1b44f8

SHA1
8d2273b39060079e29481f7b376c70f2dbc203a7

SHA256
6c916dd45f2839a86374a2fa01a656fa5cbf3e6abd6412a903fcd76c27cb50ee

SHA512
7fa8c98ff42702a82baf29c2239e42de41a3ff4bfbfd9ed1f304ae4a7f26e3a215e402219e8d33c4aa78a1517a72243008e5cc8d59a136235183892c75a1125d

Download Submit
/data/data/com.gezlife.qianrenzhang/app_crashrecord/1004
Filesize
233B

MD5
f708ac11c8221c9e911a006ac3e68e15

SHA1
f99a4d24406ce5417b25855b01d5a2fee4e2f8ef

SHA256
81dd4f2f0923d7f85bf6508d5bdaf5267d9b3fd85db39fd778659fbbf2d0b881

SHA512
29ffb1dba3bcffb961e8b8fa5b4e8cf3ee40f7ce4dd27b7c618e64f5eff6dd56caedd59f29c2ceca3b1bb51fdf11c5cd2ae04d6e07495b0acf121b3691a5c062

Download Submit
/data/data/com.gezlife.qianrenzhang/app_crashrecord/1004
Filesize
58B

MD5
0d210bfb2a0e1f1b4c082a6a0f79de07

SHA1
bb8ed9e364db79d1d9f2fcde3f15091893222faa

SHA256
988722c23d78a46021d0e7ca9deee7aa8bb83288269174ffacb7316f381cca1d

SHA512
536e9867b0df29b15b789f8949be6ab37fcdeccb9d39ded981da7dc2052c9533d0ec0e6f9a5444132977605d372e1463d91bdde41b528ff2ca3f65ab152325c1

Download Submit
/data/data/com.gezlife.qianrenzhang/cache/cache/journal.tmp
Filesize
36B

MD5
37e8e716e0e2f4a0b05cd9571d95b84d

SHA1
f8d068f6931707bddb8cd69f706f2224ad1fea3c

SHA256
7080cb592d5149c858b206d3fd0d5e3e7d601f120af00b2616bee928ee1291ca

SHA512
e62b850901835fdb73fa6224618422f721dd765861d42f6bc2dd013413e96bd910ac5313afd9b4f63da74beb12a15fac81b5157456c9caa3031862dab84423f6

Download Submit
/data/data/com.gezlife.qianrenzhang/databases/bugly_db_
Filesize
4KB

MD5
aa99281ce0cd69a9302f8b64b918ad75

SHA1
ccafc0e5fb16198e466b209a888301f4100fafe8

SHA256
a3cde8388c50e78c7b3c8dab1d0c46c64c375248031adbb6a5802e3da65bb431

SHA512
a8b80f09a555652d3e4b9775b6aa58341dad7fb120509e128df417533ba361353b19530306e8691f1ce5fc0c69f1a89d29bd2eb176291a5e85b945d14c9eb085

Download Submit
/data/data/com.gezlife.qianrenzhang/databases/bugly_db_-journal
Filesize
512B

MD5
d09f0208b12612a0aa2401e43def8787

SHA1
7b33fc57ab4858ac2b78d28eb20caaaf9167b882

SHA256
b20e314610f490c1b14499590476e1866e6ee9d570eee3cb698f159542ca1b13

SHA512
2e7d7666e2d40c8de71074e55b604767d809aaa4916056f197cca6e9d1be4dac784fce0c5a9b3b8b4b73e7763d7b6e6b8023748a700ddb05c73772121c985b08

Download Submit
/data/data/com.gezlife.qianrenzhang/databases/bugly_db_-shm
Filesize
32KB

MD5
707977ef50ebff785d8587fe66074a2a

SHA1
94132c9aedd58224809465fa57038eedb4cace6e

SHA256
786013e1a4cbf6c7bbc38be3d63814865297f90f9b1a3f0b958fead6fb843c20

SHA512
99d991912a4df4d2be6d399321d7866a799cb3757e29c02bf7c82243fa3be30d2ca8d555b96219a4272b17afcc05b7cbf0b23959ac3ddfb4b6e127d998bf25ce

Download Submit
/data/data/com.gezlife.qianrenzhang/databases/bugly_db_-wal
Filesize
84KB

MD5
9b8a2f765cfb5b73d668e0b46b19362b

SHA1
e3cc09d3acf994f9c0c97c4bac9007ed82acfd92

SHA256
da90fd507b4ff4a2f2bc9bfaec378cd8b983dcbf80718d2748bfd5258f3c2d06

SHA512
f92ef5a27edfdc833177909ffb69bdf2267fecb1d9ccbc51a582878212c0e9bf1d647b26552aa9ecc94f5159ab2cb7e794c52047b8534d84da7ef02aa0f88a27

Download Submit
/data/data/com.gezlife.qianrenzhang/databases/bugly_db_legu
Filesize
4KB

MD5
f2b4b0190b9f384ca885f0c8c9b14700

SHA1
934ff2646757b5b6e7f20f6a0aa76c7f995d9361

SHA256
0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

SHA512
ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

Download Submit
/data/data/com.gezlife.qianrenzhang/databases/bugly_db_legu-journal
Filesize
120KB

MD5
7230d7d287afd2c899c1cbae3c50c94a

SHA1
98638c3b601510ea2d882560c6d2a28911368a25

SHA256
13f9595a5d4defcf54c95085c34246cb7a4073ba902b298173ec1c9cf58e651c

SHA512
e53eede8f2b500a4085f1bcfcde7ada2559e07fdbf1b8978e896cef9a2e6961323401079ed56125d6084acd232cedefd668c2338c634a1727a885cb6565bca02

Download Submit
/data/data/com.gezlife.qianrenzhang/databases/bugly_db_legu-shm
Filesize
32KB

MD5
bb7df04e1b0a2570657527a7e108ae23

SHA1
5188431849b4613152fd7bdba6a3ff0a4fd6424b

SHA256
c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

SHA512
768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Download Submit
/data/data/com.gezlife.qianrenzhang/databases/bugly_db_legu-wal
Filesize
169KB

MD5
024d70024b2477d0b5b4ff471f038b70

SHA1
ac5364724cce4926b67706aa0be7baf3b1aecd13

SHA256
1232e501447189353a83edcccc1dacf240926617f31c9ba3b249da9d22a2518d

SHA512
c046830b6fbb4d047def6d6ac81c158a07648e82507712131ed990777781b97f801319d8e819fceed8148042b4285dfe34e842e0a58fb1ca700901b402df2a66

Download Submit
/data/data/com.gezlife.qianrenzhang/databases/qianrenzhang.db-journal
Filesize
512B

MD5
f01be6ff68b2a42e9c876efcb74aeeb9

SHA1
28c8416da6f653b30ef46e2752e0e49ebdf0296a

SHA256
de60c036a40c84419cb845565dc255ba60e6441df3917a69fe027777f4a46498

SHA512
fc6ff342e43a344aaaa39a216de25a7238858debff2c9caa786cdbb53ae69c04d842c3d61a138fb03cffe308e4b37d338364c1b4f7cfe677959b39969bd66604

Download Submit
/data/data/com.gezlife.qianrenzhang/databases/qianrenzhang.db-wal
Filesize
72KB

MD5
e53426a1cdba7cc3c276e1e4967b76dd

SHA1
c80247ffe3ecc41df5dd2ef779943590a8cf556b

SHA256
2cd558f9d113604dd46ae5937f4d285874f5cc240b715f7d826f0cd85796c72a

SHA512
87a45d19122c3e14d639226423862cb2ee60087b344d22509dc6f0112be42a5ed6bb42faeeba6ce4c7d8d25f94cade31b198471a06a6755612edf0aa4daa51bb

Download Submit
/data/data/com.gezlife.qianrenzhang/files/jpush_stat_cache.json
Filesize
119B

MD5
b4e1b05d784ba7c82d74a8b046695c24

SHA1
0ce0b02c2fb0adc4cac43540e9dee50e0600e6ef

SHA256
a83fe679357dc7addab381760ff7105fb6be54722d20e8657342a3da950bac5b

SHA512
acaf191d789214f101ccbd3bc70ff9b9cec0d7e5ea505cfbfca3c6216254a7160f4b11d074f64269d79953d387de8f83d723372beb4943d5c2ae3291eff338d8

Download Submit
/data/data/com.gezlife.qianrenzhang/files/jpush_stat_history/active_user/nowrap/26c941fa-0352-4c44-a446-5ba511424d1c
Filesize
159B

MD5
582a17f41ca36d9099b97c857fb59b63

SHA1
a111771d51f82337295149afb2da26b9e52f5929

SHA256
a84e03fc414b4d6ec9b1b8620f485ea63a141ff8c81048bb02845c25c979b52f

SHA512
dd0c3f538ea82fadb6d5586183d0c5e4a02e78b782346fc933d46e94c2c627e0c33b41530662ee9cd3ccde4d76ae02689392a3ff56099f9ab774a300a89c10f7

Download Submit
/data/data/com.gezlife.qianrenzhang/mix.dex
Filesize
292B

MD5
63f77f99bd2c2b772a479923bde11974

SHA1
c7632e7d301e4463fafce85f84e9c3d7da3fdbbe

SHA256
4c76a3af64cdd2f8713ffe2733dea50dbe714d0ca41c17d1847ee5b62a7ca615

SHA512
3aae4a89d1ed51fdd911cb367eb10afe3c2264e4222085891b18a60d5412f85d10bf5c8f3c6642db70abb9aa42732bac5c42c42ee32d587100f53c21b5beb16c

Download Submit
/storage/emulated/0/data/.push_deviceid
Filesize
32B

MD5
5e902931be874726b42d46b3a83bd7f0

SHA1
b8e9b2cd9065908556aa293500f70e24870187f3

SHA256
21f83c552460badd48a5599f492d4b708befc69d1428a3b3fd9fa2091d4af3c7

SHA512
dff80d22615d152d1bbedb4fd336de44225f93fc36ee5913aafbc342aa5b93db02a4c0ec8c34181716dc46c70e91c237162acdd50c0a04eb98d59686d3d384fd

Download Submit