Analysis

  • max time kernel
    10s
  • max time network
    157s
  • platform
    android_x86
  • resource
    android-x86-arm-20240611.1-en
  • resource tags

    android, arch:arm, arch:x86, image:android-x86-arm-20240611.1-en, locale:en-us, os:android-9-x86, system
  • submitted
    14-06-2024 08:34

General

  • Target

    a8c2249bcb3b74db9d777dc2567cb05c_JaffaCakes118.apk

  • Size

    6.9MB

  • MD5

    a8c2249bcb3b74db9d777dc2567cb05c

  • SHA1

    cc1dc505cf6949800ef92e1a471846c554479a4f

  • SHA256

    b9ffce66df35d35ffa83d15473d834e279ae1c8fe2f8e96d19299a164059b3bd

  • SHA512

    dafd91ed5cc668732830ff0184dee8e5d248cccf1cb523bee9c21b877500758b3747c95ced754a52c8e5a987da5df68b231c8e40e114cd434503801e427a2624

  • SSDEEP

    196608:+hyzOLUTzVfGrBoA+BJHYUeH0GeKXyNUljDyc5LC6YQJHEpVuq:+hyzOLBrBeli1mUljDyc5LC6YQJHqAq

Malware Config

Signatures

  • Checks if the Android device is rooted. 1 TTPs 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

  • Queries information about running processes on the device 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about running processes on the device.

  • Queries information about the current nearby Wi-Fi networks 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about the current nearby Wi-Fi networks.

  • Requests cell location 2 TTPs 1 IoCs

    Uses Android APIs to get the current cell location.

  • Queries information about active data network 1 TTPs 1 IoCs
  • Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

  • Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
  • Listens for changes in the sensor environment (might be used to detect emulation) 1 TTPs 1 IoCs
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
  • Checks CPU information 2 TTPs 1 IoCs

Processes

  • com.app.zero_syb
    1⤵
    • Checks if the Android device is rooted.
    • Loads dropped Dex/Jar
    • Queries information about running processes on the device
    • Queries information about the current nearby Wi-Fi networks
    • Requests cell location
    • Queries information about active data network
    • Queries information about the current Wi-Fi connection
    • Listens for changes in the sensor environment (might be used to detect emulation)
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Checks CPU information
    PID:4257

Network

MITRE ATT&CK Matrix


Downloads

  • /data/data/com.app.zero_syb/.jiagu/classes.dex
    Filesize

    6.3MB

    MD5

    6eb92ccf823250024f17be90ee653586

    SHA1

    b1cf7a5a879298a1781a23d31379c0db97629c70

    SHA256

    f07cc3aa2b8c41692ed7ef879f5ee47b253ec92e479c98ad7477a8c6d84952e8

    SHA512

    4bc7d8dc7db3a20d4b4f9706975aba77922766ff62df75166e607065eb9ff01b0d8b333dc88a0ad50b6767d463ca39a21045cf834296d78cce89d358c3d2726f

  • /data/data/com.app.zero_syb/.jiagu/classes.dex!classes2.dex
    Filesize

    1.7MB

    MD5

    ab96f9aaa662b304d027ceee8b40d614

    SHA1

    f4bdea5a0593a81581e76f15104faf1847739968

    SHA256

    7b981fb5ba32a98f3045d1a3928f51cca83d3d0fa2c4131270e081330c6e0696

    SHA512

    73948c8493dc3f1878973703ecfe31fcfd603767d49767bdca1caa90ae7afa7d5c19576c37e7f8f8c1c1ea3c1ab35cf4b77c6680ec74a64a2bfb93ec61fe353e

  • /data/data/com.app.zero_syb/.jiagu/libjiagu.so
    Filesize

    477KB

    MD5

    39d77dcad8e2a44dd7226f442b3a6c92

    SHA1

    6560fa96c6b5a038abaeee5f139a16e46088d9d7

    SHA256

    99cba035cae818dbdef989e70e738463798528b8ca52dbf38d2b8a72152680c0

    SHA512

    7ddfc6c05839160813e58e8f8c50d2dcda7e7b5e7f1d27cffb802ee91de4bb664bc5c257137d39152ed6e8cad0d3c1b067bf8aeb7e53f884893887b54480a5e5

  • /data/data/com.app.zero_syb/databases/bugly_db_
    Filesize

    4KB

    MD5

    f2b4b0190b9f384ca885f0c8c9b14700

    SHA1

    934ff2646757b5b6e7f20f6a0aa76c7f995d9361

    SHA256

    0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

    SHA512

    ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

  • /data/data/com.app.zero_syb/databases/bugly_db_-journal
    Filesize

    512B

    MD5

    ec2c7b3a8e55464257756600513a5bf6

    SHA1

    ee88f919b8a292a9c2a06ac60ed10d8b8d6dd8e2

    SHA256

    bcd10edc8058e8c0fc061807124a248da0eb7e394eccaf31154f49a5880f0e7e

    SHA512

    cb56fa120fba99c7acba80fff89a2f19d4ffb09541b03c38d99b756bcf62506a2a764bd4593deb3355f44230fe380602db75a7b00c9fadd70b14da3485ce7130

  • /data/data/com.app.zero_syb/databases/bugly_db_-wal
    Filesize

    16KB

    MD5

    3e718e6ec2e2600ee0ed0f1ebc27f493

    SHA1

    2360ab968fa0022fafb280329b673922c89f478d

    SHA256

    5f23af436f0533b3325f88cde30cfb4efcba33adccaed38232392902ebb78b6b

    SHA512

    6c5a72d1934d0ee552fda5a7e373aedde2f1794ea1b512439b99c157ff98bdcd0bf79726f64ce89ccfc86be47a6406e9ddc1e599927bd5345431d9b517274d12

  • /data/data/com.app.zero_syb/files/.jglogs/.jg.ac
    Filesize

    32B

    MD5

    d6cded37a04422fbcf11d3ceda3998a0

    SHA1

    695201cab0d380c8d30488b2edd649fe6f045416

    SHA256

    07f8d416456527e0a65ab6e1c433c54a8dd1a66ac1d29462f537eaa1299611ad

    SHA512

    e290903488e19ed9d3fca55513780f046a3d74769c4993d866342e1880f0ed3bde6d05793036abe3f29d5a36c72c9345a2d4651468f9b8468dccfbbd2667ffba

  • /data/data/com.app.zero_syb/files/.jglogs/.jg.ic
    Filesize

    32B

    MD5

    e4b19f253aa91a0e968b53227535e2a2

    SHA1

    d5fe0f9fd8cdfc9cb0bbc9ca861e8629ef56dfcb

    SHA256

    ce7002e3b649712f1801152cfb9a433898de075e3199a1d561ff6fd6e7df02f9

    SHA512

    114def9d5b6ed7edd65bf0039b2f996cc6b45233f0f38f5811556bdf2ff3f52fff246d95773e4c07254caf6d4aa3ed5eaf45649dd53259282dc0f1a20b7a2303

  • /data/data/com.app.zero_syb/files/.jglogs/.jg.pk
    Filesize

    32B

    MD5

    a44f5113a8816080e1b2e3efbff8f98d

    SHA1

    008518053b6854959055be1f7dbd9ad4996a15d4

    SHA256

    5ef40840192b1d297add507b8129eb0511e6e23264bafe8d00a9bfeb3ccee9e2

    SHA512

    1b8a63fb6ce5eb0743ac0c34c534255f3ac0f641533a267a96e9affe72e9f22b7eb331cc1745e2c80237ded6d42576c664dc02ed2749bf151c374b8063cc515a

  • /data/data/com.app.zero_syb/files/.jglogs/.jg.pk.h
    Filesize

    64B

    MD5

    a2c924e708404bb4fed5cd7d346bf1d1

    SHA1

    85884235845db8b137b252be261d51b9c72a4280

    SHA256

    275c18cf31d3cdc86be1c159e53d94f57b511378c1e3d3e3e47569737b706ea7

    SHA512

    16c392672436741464c898f365c173999fd6dd2beb990718215acbed1f0fbab9ed84896960fec34febafef35d9518791824b524012ced78b0ffb88cc9bf1baa1

  • /data/data/com.app.zero_syb/files/.jglogs/.jg.rd
    Filesize

    73B

    MD5

    6b2d97b39ae378b25a6079fc5e5bcd40

    SHA1

    80aefa19fdc7c1410482b82a96738fa251c9a5a9

    SHA256

    d5fd13a2614b8635ba962c81fbfe4552cbaf84c07650778e6c712e14651a73f5

    SHA512

    02fc5e7d181e27fa4e40eec2ec63775fb91b64bfda63251d8a01c09bc8b0d981fb8da440b398e28faa8528b2cedb6a6265d07ff76a7d429f79da0ee4f5c57c90

  • /data/data/com.app.zero_syb/files/.jglogs/.jg.ri
    Filesize

    307B

    MD5

    db60b4ee9f82666250b9540f5dcb3b4a

    SHA1

    288c72e3b5b1235f93ce2bc66bf6c6cc604c01c4

    SHA256

    57c3e7b1e02a88075d2a766c5396d79b81a818fbe37ce82a0ea646b23176b3ed

    SHA512

    a5e79a2362b1d38ca4e719085bb67135307fa41204b7e028921fa5263748aeed3b896f183f3d113394b0e57aa4a02617537c68b205752fad7ec6b7f42733f60c

  • /data/data/com.app.zero_syb/files/.jglogs/.jg.ri
    Filesize

    314B

    MD5

    4e740f7f951c716807d3fa2e9ec7c87f

    SHA1

    8f4a68e6c1182b514b035da11850816707b035c6

    SHA256

    155f464f78512b2833f3dda5a43250e559c3f591f46eeaedcdb974b79355b4b2

    SHA512

    e948424b12baaee553e58875f271b22b9141d90610bf52fbfc3e539b928ee5620534d8434909f8b2eb824521088a697a99cf44f4ccb1d685ff50fdbe5bd9ac85

  • /data/data/com.app.zero_syb/files/.jglogs/.jg.store.report_pid
    Filesize

    32B

    MD5

    219b2ee2fddba0eecda6949ee0b1fa88

    SHA1

    ac3f3548f7c54f1c911a34278ed0015826e982a5

    SHA256

    3b174890db11c1edb68c4ca391c33a14e1e804bd1fdd1deeb2ab419b03407bdc

    SHA512

    d92476e1d07f93f5e0ba05536e25cc01b87452943955cca9d7efec1ee08533f39a644e4eb5a3bb40c8e9f4f10fb7f5976bfd98f485a1ec133d6b1cd1a45fcd56

  • /data/data/com.app.zero_syb/files/.jglogs/.jg.store.report_pid
    Filesize

    54B

    MD5

    d21fa4f3dc0c01798baa12f61514a752

    SHA1

    cbb6be424c013fa0cbba84fb94ef7b7ac645c941

    SHA256

    1a6a65848ead284af1665b92b9b9b44ea515f546549695fb7d7f60028bb11325

    SHA512

    474f3b7ddb9110b745907499edda325129e71a34d6f9b8a8b584805ee426bf2815a2a75ea50957ba3e309ce9d03183dd77d435b3046e62d2826ffb2f511e2ed3

  • /data/data/com.app.zero_syb/files/.jiagu.lock
    Filesize

    27B

    MD5

    2ed4728120f61d318503e46049a62dac

    SHA1

    bc2ba03cd1b65ee155e27f7fdb217ed013031a90

    SHA256

    a267761ad65ec797b64cc540ef6caf2151e9d3b2f2cf01ff718323aed0c227a5

    SHA512

    1a0d9252bbb6ff5c151b3569267cb9798e8c51b6c6da7884094da4647374693c1cd0bdd96996654301298abbd80f1517d0d6664956711d9d95f93545f891e5fa

  • /data/data/com.app.zero_syb/files/stateless/dW1weF9pbnRlcm5hbA==/dW1weF9pbnRlcm5hbF8xNzE4MzU0MDk2ODk3
    Filesize

    1KB

    MD5

    2d9b42f3da9e2204b4cb0e6a6d565981

    SHA1

    2ddb9dea70173650c0f7b7a6f26b07c2ef713fc6

    SHA256

    da7b576b7aec404243c7f80a16bf7ddbf374296e818e53e3ab909a41cdf07f21

    SHA512

    8351fdb39babd1e0ddf9a1febe2a57846bdb5a2e7801db35581d3cbe6f4e2adebe523af973193ddbdbe113c4c4ba7c5abc277403357e76ffdf88f0e56e374855

  • /data/data/com.app.zero_syb/files/umeng_it.cache
    Filesize

    415B

    MD5

    dfd0d62e017e3eb92d3e08caa4300e90

    SHA1

    db762d8a097b11a136bbef262681fbfbdb6952cc

    SHA256

    04b4d29759d9fc1cb40496304175f902bf652a435734171bea6ab8b5a77cdb07

    SHA512

    8dc83c099c33b1900c4762847254476c8771489a70142e7c86c9ac7f124640f9959ae0114f84bc18ed816da828d0f21fb4eb7afc43de6177ec8ab3f12a56b213

  • /storage/emulated/0/okHttp_cache/journal.tmp
    Filesize

    36B

    MD5

    37e8e716e0e2f4a0b05cd9571d95b84d

    SHA1

    f8d068f6931707bddb8cd69f706f2224ad1fea3c

    SHA256

    7080cb592d5149c858b206d3fd0d5e3e7d601f120af00b2616bee928ee1291ca

    SHA512

    e62b850901835fdb73fa6224618422f721dd765861d42f6bc2dd013413e96bd910ac5313afd9b4f63da74beb12a15fac81b5157456c9caa3031862dab84423f6