Analysis

  • max time kernel: 10s
  • max time network: 134s
  • platform: android_x86
  • resource: android-x86-arm-20240611.1-en
  • resource tags: android, arch:arm, arch:x86, image:android-x86-arm-20240611.1-en, locale:en-us, os:android-9-x86, system
  • submitted: 18-06-2024 09:59

General

  • Target: bb57dadf7fe0fa3c7dc37cc913af429e_JaffaCakes118.apk
  • Size: 19.1MB
  • MD5: bb57dadf7fe0fa3c7dc37cc913af429e
  • SHA1: f0adae0270c2fe983d12615a635eb318a8a21d3c
  • SHA256: 2a341703b9ed7bbd8f91d9a46857773996effa7346913ee66f90075fd6cd167f
  • SHA512: 28c3b075b4e8839f5c583cf5dc9110a73a4a523485755a86c37e9efb085df550fd3a315fed92b6744a306d4199d8f9bb3bd175ffea6e5d017663606d61f3eadc
  • SSDEEP: 393216:Cbr3McEuuZmrVJWLgwcxQmfXV9wom1zKTZwM3tnm+dZnuTddg:ecVmrbeXmfVSoo+TP3A2nuTzg

Malware Config

Signatures

  • Loads dropped Dex/Jar (1 TTPs, 6 IoCs)
    Runs an executable file dropped to the device during analysis.
  • Queries information about running processes on the device (1 TTPs, 1 IoCs)
    Application may abuse the framework's APIs to collect information about running processes on the device.
  • Queries the phone number (MSISDN for GSM devices) (1 TTPs)
  • Queries information about active data network (1 TTPs, 1 IoCs)
  • Queries information about the current Wi-Fi connection (1 TTPs, 1 IoCs)
    Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
  • Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTPs, 1 IoCs)

Processes

  • cn.nemo.video (PID 4268)
    • Loads dropped Dex/Jar
    • Queries information about running processes on the device
    • Queries information about active data network
    • Queries information about the current Wi-Fi connection
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Child process: /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/data/cn.nemo.video/.jiagu/tmp.dex --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/data/cn.nemo.video/.jiagu/oat/x86/tmp.odex --compiler-filter=quicken --class-loader-context=& (PID 4301)
      • Loads dropped Dex/Jar

Network

MITRE ATT&CK Mobile v15


Downloads

  • /data/data/cn.nemo.video/.jiagu/classes.dex
    Filesize: 5.7MB
    MD5: 6bdb8a6ae2e7080f11a78ebae416f259
    SHA1: 107edddf6e930be10ac34a4da64b508f0f90a823
    SHA256: e948e189fdb4b455b564209a2992b075d3d6457482ad23d9a5d34f33aefc6d9d
    SHA512: a88b6d143cda0e6812eccb269a6120c060d5d0030bc4b8c5e6c64d6ebb4bd713e068f1fbb63a393b984c9185f2e2cf5fb8dc341a6f8b2a6d15bf744c45fbeab3

  • /data/data/cn.nemo.video/.jiagu/classes.dex!classes2.dex
    Filesize: 6.0MB
    MD5: c75c8b35441e2c758c26784420d65528
    SHA1: 3cc3b2d553acf10426e9a554878370aae93d1aaf
    SHA256: 381f7a1e8f6d0ca1e97bfecb7fcd68e2d10edf5b990a621a62aa448ed75688a4
    SHA512: 3fe026fe8901ad66d9220209f7550440ecbd0be3f3ee0c9df21bc17f542a00e56902ceb5222040132e2a7a040e585158fd8bf92d7157e58b856451662443b0db

  • /data/data/cn.nemo.video/.jiagu/classes.dex!classes3.dex
    Filesize: 2.5MB
    MD5: 9f570d08e489ab7baac6f0a2282391c3
    SHA1: 8d0158c012f87deced934989760bce1e77e7412d
    SHA256: 9736f47d880b6ba1a30e3921c2796c54a82bd9116d79f65f75d51f34491be46f
    SHA512: 89793409caa7de063f42b07ba327ca193cc3876e5aa4e738e926e7d4141b70cff6ad2139fa97076369d95734c6758f3c011bc622ba474f5db5fef8dbf0c0ecfb

  • /data/data/cn.nemo.video/.jiagu/libjiagu.so
    Filesize: 475KB
    MD5: f0f9ef36b67807a253b5932f865eae7b
    SHA1: 6a8d66c6efa2750b54cb763f4ad044bba4154e0d
    SHA256: 646dcd8290a30e992553186392239da39ce7c8e7c2fd87b3d6a880551782db75
    SHA512: e7ea65467e557e4992e746d808cae3e2d16b42187b1a94326c47c689cef9fe21a2a9d2b312c60c8ff40e128dacbde84cd6b93a191ae38496584a45fe60c04548

  • /data/data/cn.nemo.video/.jiagu/tmp.dex
    Filesize: 284B
    MD5: f1771b68f5f9b168b79ff59ae2daabe4
    SHA1: 0df6a835559f5c99670214a12700e7d8c28e5a42
    SHA256: 9f8898ce35a47aeafced99ea0d17c33e73037bb2307c7688e50819966f4ae939
    SHA512: dae27d19727b89bec49398503baa6801640540355688dfabbe689c97545295c2c2d9b0f0dcd7cbc4cfbf701d0c0c3289e647a152f49ff242d1ecc741efe4145d

  • /data/data/cn.nemo.video/app_crashrecord/1004
    Filesize: 222B
    MD5: 87a750ded08309e398aa58e5fff7cb3a
    SHA1: ecc4d1ffd2f89ac04fd4e7209236f76ab3cc0220
    SHA256: ddd912705b726a4b4f7a5fb2c59f6e548968f6c86aba2de11a3ea6c84f75e86d
    SHA512: 940b0f178f0f142af240bf619f5f27d0b0a50e7df481db9edb093270c2b1456ca721b82ead556e6971542cab61ed4dea6d239db695b989398b7b7907540d5c88

  • /data/data/cn.nemo.video/app_crashrecord/1004
    Filesize: 58B
    MD5: 0d210bfb2a0e1f1b4c082a6a0f79de07
    SHA1: bb8ed9e364db79d1d9f2fcde3f15091893222faa
    SHA256: 988722c23d78a46021d0e7ca9deee7aa8bb83288269174ffacb7316f381cca1d
    SHA512: 536e9867b0df29b15b789f8949be6ab37fcdeccb9d39ded981da7dc2052c9533d0ec0e6f9a5444132977605d372e1463d91bdde41b528ff2ca3f65ab152325c1

  • /data/data/cn.nemo.video/databases/bugly_db_
    Filesize: 4KB
    MD5: f2b4b0190b9f384ca885f0c8c9b14700
    SHA1: 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
    SHA256: 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
    SHA512: ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

  • /data/data/cn.nemo.video/databases/bugly_db_-journal
    Filesize: 512B
    MD5: 065f344ce9fa043ad436fc4e3f6232e2
    SHA1: d463acf6a6b516e187c6eb7211dcda3084e2e15d
    SHA256: 647fa01d1531536bed3a1dba8914df097300d76fe856be4c330706231c750328
    SHA512: e23ff6f9f73ce2cab055268e0cf1c2e6576aceeda10f32ea94beb764886b5653b06a66d0aa7937b38b65360b8b52ee6deb3f7df42cf7b212a1f36dea4f952519

  • /data/data/cn.nemo.video/databases/bugly_db_-wal
    Filesize: 68KB
    MD5: f5429f48a4fae354089bef25be48f66b
    SHA1: e80c69e3333bfe5cde455cf98c79ce8500178d6e
    SHA256: 7eaf7436c31816dffc0c5a113928e379f7574fab48750aae2751c503faf122b6
    SHA512: c638800fec82e7c6d4b1e8c2dafddad26033acf678628e2de99a234fbf7fc7b867c45972f47e0b7915fe43c8110efdaf50650323e047016978780b46f797e1c0

  • /data/data/cn.nemo.video/files/.jglogs/.jg.ac
    Filesize: 32B
    MD5: c827813d03100a06126d2c96c281628c
    SHA1: 80b891050eae61521e51245b39431e2f4b560355
    SHA256: b10695dd25e6dfb188e5987930b68b4de6f82de38dd5ee0d1757024f87e8fa34
    SHA512: 9c36308db5cc11be1ca631a8912c6720b791d7e155fd51c8a0e51da3df44c26b7cd865143a5f2a3e82ecdbc96c84fe3ac98947e1fad88e89b1ea9196dbadd3fd

  • /data/data/cn.nemo.video/files/.jglogs/.jg.ic
    Filesize: 32B
    MD5: 997c17c78b8044e1f246e94b177fa433
    SHA1: 202d324da949bb65d90b4c269338735bb8148ed8
    SHA256: 83dc5a3b75b6aa9826ef48b760910f0a0b5388f9aadb98b11521e345e5d27d2b
    SHA512: 555cf6b2cf404189668d21866668da76fb3f17de981744cc2298a9bef40d74d5a7e621301220624a62f2b2df353046e8378b3a1c640f5197bcbff8a696792d94

  • /data/data/cn.nemo.video/files/.jglogs/.jg.rd
    Filesize: 73B
    MD5: e9dd5724b89823f0d18fe0559da47015
    SHA1: 4255013aa9c6f2ce471d54f3e75d6e234b0760d5
    SHA256: 6933ff556876c098ec931a83192d924bc47ad9b7cde221eba40a401cdfcadb99
    SHA512: 7de25d23ef036aeae8f32e8255639730e58094d3908ce4fbba38d681aa02f40356a8036845f0a916cc8824f6bc3e2e1675d71ca006f6fb21dfb0429e0dc3a1c4

  • /data/data/cn.nemo.video/files/.jglogs/.jg.ri
    Filesize: 307B
    MD5: f7bc4918c40bacc811a3952104e6f3f9
    SHA1: bf2963dc4508e123d51af8990be45b43918c3a8b
    SHA256: d0dc6345709523c671b806b7e23e7c1c3616353af786f7cc76c1ddda5956155f
    SHA512: ffe43402a5f80418165a0fc3b13688dc36baa6c45918489a75114c22f41d0cc7d4206aa5ffaa4a56e8eaa511c78be3da7538550a90c858d89bb9322e3aec0e40

  • /data/data/cn.nemo.video/files/.jglogs/.jg.ri
    Filesize: 314B
    MD5: bd35185e77531fbb4617d61879c76d59
    SHA1: 3de1b46a911ae928c3fdeff83e64773269d10e6b
    SHA256: 0c147f8b67c53c69270cd45e96390ccbd97ab33792c230fe5b602910d7c732bc
    SHA512: 91c521dec94ce2616f042ade62688b8b3c2a1c897156ffb783ae424b11f4c291dfc26d9737cd74dc6b1a2e60f88988b8cb05c590cf3278aca537f780d60acbe2

  • /data/data/cn.nemo.video/files/.jglogs/.jg.store.report_pid
    Filesize: 32B
    MD5: 58abb42959f81635e0633dc003aeeab8
    SHA1: 8f1b845cc7153a04536ae5389a30777fa5c201bd
    SHA256: a81b9386a1288e9f5188b9ef09835f15f26de198f13dd186e373a87d724bf8c9
    SHA512: fcea0cd494d54453d268fefff606264b87f29c553593b74e90d86f2a7219f4d7b7b1130c62360030fa99170a628a4bce71746fa5ccf1e7a0bf52f60b5a06c938

  • /data/data/cn.nemo.video/files/.jiagu.lock
    Filesize: 27B
    MD5: 746467234bd4a46f9b19fb2db9a136ac
    SHA1: ccf366a166cdce24a28f65c2da01295ed3f668a2
    SHA256: 169f6b8ac05ba555ae8fdf20258b2396096268dd283fd45226c64e44877adf75
    SHA512: 1c2b858fc2953a23437fb136b6c9cca55f09f8789accf042990a747bba108ede4393930deda59ff697b318fd8aa86c9e58ea9492ea8ec504489a106ae8442a63

  • /data/data/cn.nemo.video/files/TDtcagent.db
    Filesize: 32KB
    MD5: a64ed0db240d3914f2690223fd92d8ad
    SHA1: 05611a85274356de18c74747de7f30df7f286ba1
    SHA256: a0a6b263087fa8fb9d8d85ace11c0391b7cf399da8b4471c62c8b05cab975813
    SHA512: 2ea50db3f02da45df15f983b0edc5ff060468f250293d09bd1bd9cb5ea37cf282a57cb69cbb6638dfbf5a161dcb002438895449364b636fa7849e5cfc883da13

  • /data/data/cn.nemo.video/files/TDtcagent.db-journal
    Filesize: 512B
    MD5: 2b440a80e43498ea014f805970ae1c71
    SHA1: 77a656d0200f367913d05b17760d90c458a15a2d
    SHA256: fa3dcd1ef6d7ca858c774a9472ee8000971ea4da62b2399a064e272c6b166330
    SHA512: a583d729a6b9aba9a79a9de2724f2b9223b6157646b5fd25dc8500719ba82dfb9e8b99b4322976ab56e161bcb931d7ebba56f84aaf9970b2d4f0dd9de275d073

  • /data/data/cn.nemo.video/files/TDtcagent.db-wal
    Filesize: 72KB
    MD5: e4af7ae316831d5524a64386b5519cc1
    SHA1: 1d190f77486909d595373ffe73a641845c0317c3
    SHA256: c2ec9857d7e319a456edc2205971283ab9248fa0dfc77dc8d4914f7fc0809ae0
    SHA512: dd1ab8bf85abc681791d0d8d18a1d2a8c498b311c25b4407c329cb21daee40d5277c46808c4379498e450f14be37a697bd9b08757e1e569f9220a20afac4a2b5

  • /data/data/cn.nemo.video/files/plugs/GDTUnionSDK_QY.jar
    Filesize: 56KB
    MD5: 60676ddd81ca171fe877178ebc276785
    SHA1: 8b215665227943f07fa57d39c096c1c1e081b57a
    SHA256: 09f41bd9b4647e87d2886cdaa6d6bfe45bcd91ae8e80a73907cf74e11f41a7c5
    SHA512: 35a4941fd0343b5ba6060fca872e5c110107d13a37ae223ae90930abdd94ec545a7a3f0a49604807132e7e455a8c022dd2339768f07e3b817456a96461fdce4f