2cbe88c058c7448ab8d6ffea5b10a3b519ed701fc4654a21b04cbc4df4835c15

Analysis

max time kernel
157s
max time network
180s
platform
android_x64
resource
android-33-x64-arm64-20240624-en
resource tags

androidarch:arm64arch:x64image:android-33-x64-arm64-20240624-enlocale:en-usos:android-13-x64system
submitted
27/06/2024, 08:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2CBE88C058C7448AB8D6FFEA5B10A3B519ED701FC4654A21B04CBC4DF4835C15.apk
Size

16.5MB
MD5

037e5e0569f620dd3bb547269e550825
SHA1

822131aac128cb91d9ee3d1662f9ad67dc5bc504
SHA256

2cbe88c058c7448ab8d6ffea5b10a3b519ed701fc4654a21b04cbc4df4835c15
SHA512

d041dfe14619bbb7c40800d9d9fafea681d73aef5435d016e6513e7fd2e40c09a2c2d5e6f0b235598566997eaca69b6af7c20bc6230490acc5d58dded0897826
SSDEEP

393216:IZycCurMWY3reP73bpvopJhO+1n1OCeN+6XyWeIi6cW:I8gm7wD6ozCe+ey6cW

Score

8^/10

discovery evasion

Malware Config

Signatures

Checks if the Android device is rooted. 1 TTPs 1 IoCs

evasion

System Information Discovery

T1426

ioc	Process
/system/app/Superuser.apk	com.qrsplit.followers

Loads dropped Dex/Jar 1 TTPs 2 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.qrsplit.followers/.jiagu/classes.dex	4348	com.qrsplit.followers
/data/user/0/com.qrsplit.followers/.jiagu/classes.dex!classes2.dex	4348	com.qrsplit.followers

Queries information about running processes on the device 1 TTPs 1 IoCs

Application may abuse the framework's APIs to collect information about running processes on the device.

discovery

Process Discovery

T1424

description	ioc	Process
Framework service call	android.app.IActivityManager.getRunningAppProcesses	com.qrsplit.followers

Queries information about active data network 1 TTPs 1 IoCs

discovery

System Network Connections Discovery

T1421

description	ioc	Process
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.qrsplit.followers

Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Listens for changes in the sensor environment (might be used to detect emulation) 1 TTPs 1 IoCs

evasion

User Evasion

T1628.002

description	ioc	Process
Framework API call	android.hardware.SensorManager.registerListener	com.qrsplit.followers

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	com.qrsplit.followers

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	com.qrsplit.followers

com.qrsplit.followers
1⤵
- Checks if the Android device is rooted.
- Loads dropped Dex/Jar
- Queries information about running processes on the device
- Queries information about active data network
- Listens for changes in the sensor environment (might be used to detect emulation)
- Checks CPU information
- Checks memory information
PID:4348

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Hide Artifacts

T1628

User Evasion

T1628.002

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Discovery

Process Discovery

T1424

System Information Discovery

T1426

System Network Configuration Discovery

T1422

System Network Connections Discovery

T1421

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.qrsplit.followers/.oabugaij/.fsgkea

Filesize
1B

MD5
01abfc750a0c942167651c40d088531d

SHA1
d08f88df745fa7950b104e4a707a31cfce7b5841

SHA256
334359b90efed75da5f0ada1d5e6b256f4a6bd0aee7eb39c0f90182a021ffc8b

SHA512
d369286ac86b60fa920f6464d26becacd9f4c8bd885b783407cdcaa74fafd45a8b56b364b63f6256c3ceef26278a1c7799d4243a8149b5ede5ce1d890b5c7236

Download Submit
/data/user/0/com.qrsplit.followers/.jiagu/classes.dex

Filesize
6.3MB

MD5
caa4752abf9a882033a771e240e87fb7

SHA1
3b5ec22d9296bb6d4345e093975f4f8383780353

SHA256
3db274222b728c4a37f835b9bd44d2831fbd46b1c0e272121c2f2595e52e1834

SHA512
769e60d1ef8361acad1ad6da22976efae6c778307ee77a458732feeaa202eee5b6e8b845516cc7a5f2fc012dccc7188072d258ee503fea4967d6223ed07310f2

Download Submit
/data/user/0/com.qrsplit.followers/.jiagu/classes.dex!classes2.dex

Filesize
2.8MB

MD5
f7fa067fe8e1861b515de107f069a9e8

SHA1
4938bbfeb01dd34c5e6057c1e769fbf4d2f66498

SHA256
50b07c2f90786ffa74b1889673b26c58fc73a65273df863f8ca37b0a7803f7a9

SHA512
7d764e93a61bb888a4b028bc2cf8020b14fe07843cd325d3ac14e0e4e20f8e7e95e9e0ecb6f8b900c69d1905b495060346a475c91cf2beffcb786778324f2c0d

Download Submit
/data/user/0/com.qrsplit.followers/.jiagu/libjiagu.so

Filesize
495KB

MD5
de685970891708f6edfd18f03c6557ba

SHA1
ac50f88327652a72df73d43e9260faf169283c34

SHA256
b3124a6f192e562313f1e2d24b292852d4eb87cbe95dccd1d94b3a0540c0c11e

SHA512
cd56aa34265252c1457e28f442872dfaedc897607b816526de7e76c88ea00c24feb3542c21be7dc587b58df8ccbb1e045d3533741981212eac4d704143bfffe0

Download Submit
/data/user/0/com.qrsplit.followers/.jiagu/libjiagu_64.so

Filesize
526KB

MD5
f3f377aff0413b6667306b3ad51a032e

SHA1
0e03658be45eb84be83a147329b82885da1b4702

SHA256
78bf69f4b3eea98355f96ae381547380263beb136fe29d630e2e3216780fdac8

SHA512
a23a89fb8721736f4c82f779f515fc2f702c0d98d696911802d57600ba4066762ade878535abdff7ba529e167d035f7b97e829dc3e1b7d04825b00d31f7d3b0b

Download Submit
/data/user/0/com.qrsplit.followers/files/.jglogs/.jg.ac

Filesize
40B

MD5
272ac07dba469d1810f583279ca23e94

SHA1
e340b1fbc67d7d33533cbd1a7a72ac6c89420fd9

SHA256
f1d8f4dad33ada036177150313da386a316a608088c0bc2d510bd7538860385d

SHA512
91898f399e97d3e7d0c34ccb36be8d537cffd046208d55c2fb7486f89712ec57bb8349f626cf3915bc8c48e36b457306f8faa8c45590a327b8d18d845f990b76

Download Submit
/data/user/0/com.qrsplit.followers/files/.jglogs/.jg.ac

Filesize
32B

MD5
ced79a1ff24fd8c9501181ddbb9a268e

SHA1
82bf4ce72edd5a84750d4c5798118e66b250a68d

SHA256
a42e9cbefef0fa895867b84c4caa16229a0792d60d1ed3087481d46ff4aeae25

SHA512
d3600c33a0946240ebf031dc98ebcc8e67ceb0030890aa55dd8b02b0fc0849533fbdc8b0b510fec625b975c132d2ae2fc14ccf5f2aaddba3e37f4232453fcc76

Download Submit
/data/user/0/com.qrsplit.followers/files/.jglogs/.jg.ic

Filesize
32B

MD5
8c93ab67e700a98000751d6c9eb35fdd

SHA1
ba8b17a0c928a1e62b61aa5d11e6406b1ddb0296

SHA256
112b518a2e2901310d1d5a7526bc3270dd710ac8b13ada08fbcbd4ff68a79dd0

SHA512
8e12f605b28b1c580a50298fd1671582033cbf543757668823d4f9cdf241909f16210e6fbf6f3b711ff4fc52438fa51aa863774421db45e0290b578d84e26f01

Download Submit
/data/user/0/com.qrsplit.followers/files/.jglogs/.jg.rd

Filesize
32B

MD5
acdf9d4467d1931b55a6b3d6a7c3865f

SHA1
0d29651bacbe98f2a1673b9b54aa8ad2c44e52cd

SHA256
b212c1b7ca560ffdf472a29c8a4cb08146cbdbaad77a544790ad4fd6d77ac370

SHA512
6b1c7a30aa245362f15101609747a423ecf9d7dc707a984492ead99221ea8267d8c93dc1e139057c4771301c4dc18d029a260a193e3a0e64142e9837525c4ef2

Download Submit
/data/user/0/com.qrsplit.followers/files/.jglogs/.jg.ri

Filesize
307B

MD5
dfe000ca02ad018b96751c0e51d3547a

SHA1
f04520224087cfa13148ff7141d810d6b520d4ba

SHA256
406bfd47128506451239f6e73e3af1b66e701886ac1def35e4ad334d2ab4b686

SHA512
2b3e334b6ccf69331278df86568e4f9d7d334420ebcab770dc79c10ff04f98779718146869be4a097d88ef5021486a0a13b4e0d4498590c411896bad383dcbc9

Download Submit
/data/user/0/com.qrsplit.followers/files/.jglogs/.jg.ri

Filesize
314B

MD5
0391a1ebb9d0189c0c21c1c384b0f9f3

SHA1
bd90a24737faea6877510381a357b2b206c6e748

SHA256
e40d1ca5e662433e2242728afcf793383d0519b4d500519c8659bbb82dd79657

SHA512
bfb540f6e4d59820bf5be16edd04e3c8bef505725fc6e47139132b3830e9233ddd8fe3d8677f0fc0d88654829ba17b78fdf5f73f79af170e875e31d3813570c0

Download Submit
/data/user/0/com.qrsplit.followers/files/.jglogs/.jg.store.report_pid

Filesize
32B

MD5
3e91f7b26a90200e90def0171f5879f0

SHA1
0c5e6843f0e70758ad0e49afda7ca02e80f627ec

SHA256
a66e35e640ee265e07dd5b0b37f22263b6237a0e7fe0301ba71a029d0d6b4ac6

SHA512
0c69910336eff01f7a11f40b3af3fdadba15a8bc58977692a801f1da5dbaf0b4bbf680edbbb8bb1e4a4b921413d468619608ac93e3a8bee84c8f45fa6b1f5d7c

Download Submit
/data/user/0/com.qrsplit.followers/files/.jiagu.lock

Filesize
27B

MD5
664cc763c71cc81f0eee1acd586c2ce3

SHA1
b218fb4788b8d143382f8cd416daf2fd05b39280

SHA256
49c55305ac4c96b603a46642453cff4c97c00ae6d19748520cbfcb645587f4ae

SHA512
c4f21d132d7b1a04292c0920ae9b974713e784619c8b4d16b349291c08a0f21025df330ea34352529055a5d809d9c8cf4260ed5954604f0c235afac622fa261a

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads