Analysis

  • max time kernel
    179s
  • max time network
    186s
  • platform
    android_x86
  • resource
    android-x86-arm-20240611.1-en
  • resource tags

    android
    arch:arm
    arch:x86
    image:android-x86-arm-20240611.1-en
    locale:en-us
    os:android-9-x86
    system
  • submitted
    14-06-2024 08:42

General

  • Target

    a8c920c1274e23d3e3b7f86ae178e289_JaffaCakes118.apk

  • Size

    30.8MB

  • MD5

    a8c920c1274e23d3e3b7f86ae178e289

  • SHA1

    24e3b2b130535df83a444016da23ca98d91f4e5d

  • SHA256

    30fb8863fe9ab35917deb1041000ca54d37b24dc9e6b9969a78ec587b1aba9df

  • SHA512

    efb8c46e0047e2fc6a4bdfe505ec44026492eb702d1e5d34f6fa925149939ef713962e6132f0c176349501949219a5f7d65c3dc80a37f6453c5c47a1c6b73e65

  • SSDEEP

    786432:2Z1UsthU6A7GlFTUb4QU8Tw/sat1+T9+2ZI:2Z+eFTQU8Sz+p+V

Malware Config

Signatures

  • Checks if the Android device is rooted. 1 TTPs 4 IoCs
  • Queries information about running processes on the device 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about running processes on the device.

  • Queries information about the current nearby Wi-Fi networks 1 TTPs 3 IoCs

    Application may abuse the framework's APIs to collect information about the current nearby Wi-Fi networks.

  • Requests cell location 2 TTPs 4 IoCs

    Uses Android APIs to get the current cell location.

  • Queries information about active data network 1 TTPs 3 IoCs
  • Queries information about the current Wi-Fi connection 1 TTPs 3 IoCs

    Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

  • Reads information about phone network operator. 1 TTPs
  • Listens for changes in the sensor environment (might be used to detect emulation) 1 TTPs 1 IoCs
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 3 IoCs
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 3 IoCs
  • Checks memory information 2 TTPs 3 IoCs

Processes

  • com.ynxhs.dznews.yuxi.tonghai
    1⤵
    • Checks if the Android device is rooted.
    • Queries information about the current nearby Wi-Fi networks
    • Requests cell location
    • Queries information about active data network
    • Queries information about the current Wi-Fi connection
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Uses Crypto APIs (Might try to encrypt user data)
    • Checks memory information
    PID:4324
    • /system/bin/sh -c getprop
      2⤵
      PID:4381
    • getprop
      2⤵
      PID:4381

  • com.ynxhs.dznews.yuxi.tonghai:pushservice
    1⤵
    • Checks if the Android device is rooted.
    • Queries information about the current nearby Wi-Fi networks
    • Requests cell location
    • Queries information about active data network
    • Queries information about the current Wi-Fi connection
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Uses Crypto APIs (Might try to encrypt user data)
    • Checks memory information
    PID:4359
    • /system/bin/sh -c getprop
      2⤵
      PID:4423
    • getprop
      2⤵
      PID:4423

  • com.ynxhs.dznews.yuxi.tonghai:remote
    1⤵
    • Checks if the Android device is rooted.
    • Queries information about running processes on the device
    • Queries information about the current nearby Wi-Fi networks
    • Requests cell location
    • Queries information about active data network
    • Queries information about the current Wi-Fi connection
    • Listens for changes in the sensor environment (might be used to detect emulation)
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Uses Crypto APIs (Might try to encrypt user data)
    • Checks memory information
    PID:4449
    • /system/bin/sh -c getprop
      2⤵
      PID:4545
    • getprop
      2⤵
      PID:4545
    • /system/bin/sh -c type su
      2⤵
      • Checks if the Android device is rooted.
      PID:4595

Network

MITRE ATT&CK Matrix

Downloads

              • /data/data/com.ynxhs.dznews.yuxi.tonghai/app_crashrecord/1004
                Filesize

                238B

                MD5

                6f0e28a2f99e5005398eec0ea6e11299

                SHA1

                2bf6d79003d4255be27066d694443dbccbb37cbc

                SHA256

                e4becc7729121ffeb4d95ac273ef5ce50f7a1519186cf3400effb3e809369fe1

                SHA512

                aea8870462ff0971cc87289c04c93555fbb3fc852b622c46e79e81bee7dc733dd7886ee187fea28ae6935152850ca211c545b1eac7d6207eee88b51727238558

              • /data/data/com.ynxhs.dznews.yuxi.tonghai/app_crashrecord/1004
                Filesize

                58B

                MD5

                0d210bfb2a0e1f1b4c082a6a0f79de07

                SHA1

                bb8ed9e364db79d1d9f2fcde3f15091893222faa

                SHA256

                988722c23d78a46021d0e7ca9deee7aa8bb83288269174ffacb7316f381cca1d

                SHA512

                536e9867b0df29b15b789f8949be6ab37fcdeccb9d39ded981da7dc2052c9533d0ec0e6f9a5444132977605d372e1463d91bdde41b528ff2ca3f65ab152325c1

              • /data/data/com.ynxhs.dznews.yuxi.tonghai/databases/bugly_db_
                Filesize

                100KB

                MD5

                05c9edc48ebae0942e3309d6a4106d92

                SHA1

                408fca0187936e58c84cdfad3ef643aee35794fd

                SHA256

                9bef24a8a288037124c6f7cbaf6cd859d66246c8b32d5bb8cf4de39b7df90d4d

                SHA512

                484e0d01340f2092141234c028b2dba03c59d262326b7566049e04b6f72de5ef97e40025bcb2669837ce0213a7db8ace1e99062a3e01bb094edd8fb6059a010a

              • /data/data/com.ynxhs.dznews.yuxi.tonghai/databases/bugly_db_-journal
                Filesize

                512B

                MD5

                0fab1817aeb6122d5798ce57fa1626f1

                SHA1

                0114e1292a4312f56b6d84041a9f5dd867f1f544

                SHA256

                ea4d1f6ab37fd41e7ec0145d941b0bbc5e78164475f9da9429c07829927c5dfd

                SHA512

                a67da4c899a403b5752b568b322d68ba13eb239f715077bb79c304be95a0cd1718c50db09c2512e3beeb7a83f121db4a00286ab76e47ef785863baf12a720d50

              • /data/data/com.ynxhs.dznews.yuxi.tonghai/databases/bugly_db_-shm
                Filesize

                32KB

                MD5

                4c126487d8842995f2921e023311364a

                SHA1

                458694bc8d4ada4cd88a5215b2f695eb662bca5a

                SHA256

                959353e946aecd9ff366bf4b8d57e04da937961386012c66e9560f79dd42058a

                SHA512

                bee5635ae8530981898cdf0f994be5b64296cc333eaa91e57b2b4f90cc5e0d081fa69af94726920ce4341391b1d1b4b1bf1a098ec4b333d0f004cd329f960ea4

              • /data/data/com.ynxhs.dznews.yuxi.tonghai/databases/bugly_db_-wal
                Filesize

                92KB

                MD5

                cc2478672c53da7ae5b65dbfee2195e9

                SHA1

                1b92e98cedd257709c89070c0f7d436e016808c6

                SHA256

                45c1a725eb1c1ae6d2d0377394e3df181606d2826f4a7166395d9e2d5cab7efe

                SHA512

                491329d31927dd528d2e32b6d105eecf3b24bece996b3d8f14d7e730699242c5c5d4c530758bf5ccf670e868e7923190549f9131bb410dc90faf893cb0bc3246

              • /data/data/com.ynxhs.dznews.yuxi.tonghai/databases/dznews2_yuxi_tonghai.db
                Filesize

                32KB

                MD5

                99e9a62a1835202247c787a646782ec4

                SHA1

                6879005aeef3095ec255442165ebd1bf676af662

                SHA256

                0d3309f481f7ab003b8bf93e4d347b09321b468e41b366908b253e53023ac773

                SHA512

                1c35e5682203a517c1758f6074c6a22444ccda6e7726ef20f7a5d2e396a9a486440ee12af9001ab5a3c7d1909997b120166b1a17f921019e4a2c77da8b996639

              • /data/data/com.ynxhs.dznews.yuxi.tonghai/databases/dznews2_yuxi_tonghai.db
                Filesize

                24KB

                MD5

                b876092ff49038dfd83e6d77f9d322cd

                SHA1

                13e920aa7b019a46c0378211770b46c96d008109

                SHA256

                33b1de0981153cffed59ce474a8a16d51decff027e7ad851f737dbcfe2dc0f52

                SHA512

                dc431b0d7c8d5f786b632cd305b70f9e8575f22e224ca927385bd2451cf319ac2567add1fee6bf8707259a1ba96b24b5a0c1933e18d2f9dbbb04c90ac61da937

              • /data/data/com.ynxhs.dznews.yuxi.tonghai/databases/dznews2_yuxi_tonghai.db
                Filesize

                36KB

                MD5

                82aba2d427f63af05eb3c3c0682a7f8b

                SHA1

                a9307781219f84687bc4578037ad3b11f12f3132

                SHA256

                e15dda3058f439a41bbe7ac89b8018d3b40933fa760bc3e6c20ea2294bf4ccba

                SHA512

                f2f0de4df31446b0a656967c5bda350772532ac4dc318be9b384258763e467798207949a4d8db16d47a0c2297c9a2f650c413dc73fd1aee05e3cda7165a4f850

              • /data/data/com.ynxhs.dznews.yuxi.tonghai/databases/dznews2_yuxi_tonghai.db
                Filesize

                40KB

                MD5

                9092f116349504a93bf24ad216956a8c

                SHA1

                9b8d0b8356d72425ce55eb430bdc9c9d97f67824

                SHA256

                bb717dd6ae8bc2e722b06efd9a72fcb4c202fc9291febd20fe65558120058487

                SHA512

                0737e5b359d5181fa666dec030bca71c087f602232be79126d9d405957d43bc40c35ab34882164fea924a9d07909ef226a79b399e155ad06c00cb646220ef351

              • /data/data/com.ynxhs.dznews.yuxi.tonghai/databases/dznews2_yuxi_tonghai.db
                Filesize

                48KB

                MD5

                ea04d3f4c66f4f554cb961591826518a

                SHA1

                5b7ace9ebb17d1f0044e19b1d6d25377c08cbb84

                SHA256

                b2eddf9d02c61bf9fb4a4741b462f1ba3332c84f16c7e2d10fbb440135fa79a7

                SHA512

                4e51a02cd46090894ddfbd6efa526c65a0059e752f1a1c5b536ee1eed91d73ee9fc672b1077648cdc96a3bcfc0daacbbb71ab72be341170bcd77bde42c27833f

              • /data/data/com.ynxhs.dznews.yuxi.tonghai/databases/dznews2_yuxi_tonghai.db
                Filesize

                16KB

                MD5

                a6215828de4f6363118596ff463e0bfb

                SHA1

                19b83ade551b015b8ccc7b25ab2ecd5274fd27d9

                SHA256

                e89bea04361e43b9ed37bd5e25418e6412c366a8f54ed6f03b6223a2c0b2c756

                SHA512

                461636e17fe3e38c5b62ce066a282386dd7071291c3185de2c6b4c296df19247addf79493b4f455fbdf54928741d44864701659ac2aa0a2bc64b03bc796969c6

              • /data/data/com.ynxhs.dznews.yuxi.tonghai/databases/dznews2_yuxi_tonghai.db-journal
                Filesize

                4KB

                MD5

                f2b4b0190b9f384ca885f0c8c9b14700

                SHA1

                934ff2646757b5b6e7f20f6a0aa76c7f995d9361

                SHA256

                0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

                SHA512

                ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

              • /data/data/com.ynxhs.dznews.yuxi.tonghai/databases/dznews2_yuxi_tonghai.db-shm
                Filesize

                32KB

                MD5

                3724eb4070b68db936b7b50fa7c0efcf

                SHA1

                39026fcc4ca9ee670adf8e9ef7eb5e4bdc5490dc

                SHA256

                810856e6a32131a59f547676ce70292778fbc7fd15236ebc51d960ac7940aced

                SHA512

                a440c1fecd39a1bda348a730a181275e33ed1a4e49c6f73d0d0bb5d2a4f1092e731ae019e41ba1ca7d87116850ea2293dd3f9a46cb822ed6828571444eff2877

              • /data/data/com.ynxhs.dznews.yuxi.tonghai/databases/dznews2_yuxi_tonghai.db-wal
                Filesize

                185KB

                MD5

                972725fb7349476caeceec0661c9201e

                SHA1

                3c44801fa73c30536158ccceddb968d1015e1e0b

                SHA256

                f61dfcb7040e5fd23773c788e9ac79a6e3ea73689242b41af2781eb0bbbc4378

                SHA512

                b1925c1f93d36d3a88b0172e065c4fe91dbb0221932d35c0e0160a0417a14e706c2779046cd39dcc4280278e1b3a47b7b4effbe00a0df633b34c87afd164c826

              • /data/data/com.ynxhs.dznews.yuxi.tonghai/databases/dznews2_yuxi_tonghai.db-wal
                Filesize

                12KB

                MD5

                fd53de3b7931da8e30f5db7c088dc924

                SHA1

                346cb8898a6fe92d22edbadcee615684d1d01642

                SHA256

                9e61716440fc0e6cc0857004b91595b554c8013ce3a4ebc42aedc072c2cb17c8

                SHA512

                4557c1f1f836ca3a4b5a1bb97f492944db698dfde154aebf56ef5658270957db9b35077170fccdaeb0c342a3b6f3360f96f97abd38ea6a079ca3168c6635a5d8

              • /data/data/com.ynxhs.dznews.yuxi.tonghai/databases/dznews2_yuxi_tonghai.db-wal
                Filesize

                20KB

                MD5

                37afbbd1e1c34065c814447d5c6a1425

                SHA1

                de13339706d4eff802cc761251f987f5c434e452

                SHA256

                255bfbba3d5fe8562fbae42cdb3c08cc8d3d206cd9763742e1bd840560f36e88

                SHA512

                6feb200844cf63e9eee07f278c945cfd1ea1827dbd31ede22a68a84dff29ac67ee6e8c583ec27353570ebe00c9ee4a230bf1e6afc57906023cfc018996b0f1e3

              • /data/data/com.ynxhs.dznews.yuxi.tonghai/databases/dznews2_yuxi_tonghai.db-wal
                Filesize

                20KB

                MD5

                f6ef3c14460a54eb46fcdece105b53ee

                SHA1

                8dcf8aeed27e534d92922a642c1f3627c3590897

                SHA256

                d1714b5270f8d0f2f2c9f7ad98268d282c52cb1f420cc150568b8effb3f21c2b

                SHA512

                8a1c5cae2f2921915f21b60d036e511596a7934eb71e411e4c66aac2ee82780ac08bab980defc743e2cd16acd3ade58f3f59a682ea8636a19a25a119d602dcf6

              • /data/data/com.ynxhs.dznews.yuxi.tonghai/databases/dznews2_yuxi_tonghai.db-wal
                Filesize

                20KB

                MD5

                5b6de45f86ea96d74dcffaf15f50bf43

                SHA1

                bd77e6b57046278def0aa7f7f66ef795d86810ff

                SHA256

                29c1da68eec6d5e7202946ce28a2467fa28fa2d9f19e7cd09b356be5c6431d10

                SHA512

                ee35c8ea3a02d70996dbab4c32a94e677a711ef77dbd02acaa0cc8872d608c036f6593c322d029fbf787148e4c363b7251aeabcf498f27e0c0ec2132b4a2748f

              • /data/data/com.ynxhs.dznews.yuxi.tonghai/databases/dznews2_yuxi_tonghai.db-wal
                Filesize

                32KB

                MD5

                a89091c153d6f69d5310983dc0c7c118

                SHA1

                06841e4d51a76090a88269853e9f2531b182482e

                SHA256

                a9bc352874448bdb59151361859903cb37ae51d098d7c189338a9e97b4c7c76d

                SHA512

                945eb6e69bd97aaeb5c477dd7a7b3eb73b0323541ef38b5f62a5c0f6378efb0f7251d1fab397df6a476446e0b102f91eeb6ae9d4eebcac9813e079019debe553