489e8db9a95c39dfb4b713df9b40e1a4ecb9a174403671b5e9defd198d8648b0

Analysis

max time kernel
179s
max time network
184s
platform
android_x86
resource
android-x86-arm-20240624-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20240624-enlocale:en-usos:android-9-x86system
submitted
22/08/2024, 03:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b6281583bb67bf6c9394f563a9b4fa13_JaffaCakes118.apk
Size

22.7MB
MD5

b6281583bb67bf6c9394f563a9b4fa13
SHA1

19aec4a969f57b52bb208ac0ca91154fe8e7de62
SHA256

489e8db9a95c39dfb4b713df9b40e1a4ecb9a174403671b5e9defd198d8648b0
SHA512

53fff2f34500751deec5215838625527932b19c499c404b319972aeb59b8f1ab4e6a524ce4cf88720d1634bc2df21c4cdf86adebe90b44739a22c6eba2e15026
SSDEEP

393216:2hP4sKydOubz6MdMrPK4P1pEpNFwol0Os1CIyX8RjH5gmrOjLIdc1Kf+XE4mWdMx:2hP3Tkubz4PJw2ole1akjHrrOjse1Kf3

Score

8^/10

discovery evasion impact persistence

Malware Config

Signatures

Checks if the Android device is rooted. 1 TTPs 1 IoCs

evasion

System Information Discovery

T1426

ioc	Process
/sbin/su	com.hz.xitu.app

Checks known Qemu files. 1 TTPs 3 IoCs

Checks for known Qemu files that exist on Android virtual device images.

evasion

System Checks

T1633.001

ioc	Process
/system/lib/libc_malloc_debug_qemu.so	com.hz.xitu.app
/sys/qemu_trace	com.hz.xitu.app
/system/bin/qemu-props	com.hz.xitu.app

Checks known Qemu pipes. 1 TTPs 2 IoCs

Checks for known pipes used by the Android emulator to communicate with the host.

evasion

System Checks

T1633.001

ioc	Process
/dev/socket/qemud	com.hz.xitu.app
/dev/qemu_pipe	com.hz.xitu.app

Queries information about running processes on the device 1 TTPs 3 IoCs

Application may abuse the framework's APIs to collect information about running processes on the device.

discovery

Process Discovery

T1424

description	ioc	Process
Framework service call	android.app.IActivityManager.getRunningAppProcesses	com.hz.xitu.app
Framework service call	android.app.IActivityManager.getRunningAppProcesses	com.hz.xitu.app:pushcore
Framework service call	android.app.IActivityManager.getRunningAppProcesses	com.hz.xitu.app:core

Queries information about active data network 1 TTPs 2 IoCs

discovery

System Network Connections Discovery

T1421

description	ioc	Process
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.hz.xitu.app
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.hz.xitu.app:pushcore

Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 2 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	com.hz.xitu.app
Framework service call	android.app.IActivityManager.registerReceiver	com.hz.xitu.app:pushcore

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 2 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.hz.xitu.app
Framework API call	javax.crypto.Cipher.doFinal	com.hz.xitu.app:pushcore

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	com.hz.xitu.app

com.hz.xitu.app
1⤵
- Checks if the Android device is rooted.
- Checks known Qemu files.
- Checks known Qemu pipes.
- Queries information about running processes on the device
- Queries information about active data network
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
- Checks memory information
PID:4213

com.hz.xitu.app:pushcore
1⤵
- Queries information about running processes on the device
- Queries information about active data network
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
PID:4284

com.hz.xitu.app:core
1⤵
- Queries information about running processes on the device
PID:4336

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Discovery

Process Discovery

T1424

System Information Discovery

T1426

System Network Configuration Discovery

T1422

System Network Connections Discovery

T1421

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.hz.xitu.app/app_crashrecord/1004

Filesize
224B

MD5
6a52bc72dedd0fc51c17be144e636dbc

SHA1
8f4774a88d318774269933aec20d5f7b4a8d020e

SHA256
168750da768b3ad98b285e48efd4c231c7e0acc74938933f165e3fa8de9c87ca

SHA512
44f2b337097ff264cc815d48c6d3c2babda599a273e2d3182e1ee5c77ee8a4765759694340767a0a46deb43fd8b6ff38013aa78f38934fa75037e6349e11816e

Download Submit
/data/data/com.hz.xitu.app/app_crashrecord/1004

Filesize
58B

MD5
0d210bfb2a0e1f1b4c082a6a0f79de07

SHA1
bb8ed9e364db79d1d9f2fcde3f15091893222faa

SHA256
988722c23d78a46021d0e7ca9deee7aa8bb83288269174ffacb7316f381cca1d

SHA512
536e9867b0df29b15b789f8949be6ab37fcdeccb9d39ded981da7dc2052c9533d0ec0e6f9a5444132977605d372e1463d91bdde41b528ff2ca3f65ab152325c1

Download Submit
/data/data/com.hz.xitu.app/databases/bugly_db_

Filesize
4KB

MD5
f2b4b0190b9f384ca885f0c8c9b14700

SHA1
934ff2646757b5b6e7f20f6a0aa76c7f995d9361

SHA256
0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

SHA512
ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

Download Submit
/data/data/com.hz.xitu.app/databases/bugly_db_-journal

Filesize
512B

MD5
e50927f5c8e15ea6a492768b775b4654

SHA1
708aa1be02cf48ee5924c51a055b963d6526933f

SHA256
a080abcccc24b04d277611266c8b1ec6196bfefd38409bad4d52ed77ce0249ef

SHA512
89e6a6f28da9a8a005a677f39b75b96d1fb173390482116371b55316522c5a7ee03f3ae57cf33625121ad69d2a029b80098929b2f4c4730d1184c95af436ba4a

Download Submit
/data/data/com.hz.xitu.app/databases/bugly_db_-shm

Filesize
32KB

MD5
bb7df04e1b0a2570657527a7e108ae23

SHA1
5188431849b4613152fd7bdba6a3ff0a4fd6424b

SHA256
c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

SHA512
768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Download Submit
/data/data/com.hz.xitu.app/databases/bugly_db_-wal

Filesize
72KB

MD5
5a929f8238704ab76b0c7c045a0ed9c3

SHA1
254f84eed98205914fa4f62ad6ebee28830fcc72

SHA256
bc5278bf25bc44a545d6e21db6c89d9ef36cdebfa30d87db05892deddc27a423

SHA512
f9e6505e21f23c5c0b315ded908b4542525b25d15b129637438656494767dc65f2d76a50f3af340c032622000305cb65f69d24e7b4958e018ffda6c4594baa88

Download Submit
/data/data/com.hz.xitu.app/databases/shop.db

Filesize
64KB

MD5
fcd6bcb56c1689fcef28b57c22475bad

SHA1
1adc95bebe9eea8c112d40cd04ab7a8d75c4f961

SHA256
de2f256064a0af797747c2b97505dc0b9f3df0de4f489eac731c23ae9ca9cc31

SHA512
73e4153936dab198397b74ee9efc26093dda721eaab2f8d92786891153b45b04265a161b169c988edb0db2c53124607b6eaaa816559c5ce54f3dbc9fa6a7a4b2

Download Submit
/data/data/com.hz.xitu.app/databases/shop.db-journal

Filesize
512B

MD5
b4f10a8db9a1d6363c8dfed2a3a3fcad

SHA1
6084fd70ba03b6bf4af0d1ada8aa8002aa0d159c

SHA256
4c39db9b6889f019bcea9dcf3956d626a056610f0a64e917828f9a0290f70b8c

SHA512
ecce729f899d503cec5485aecb73a5e9a90686e73011fad8bff9e0f92b2ad48b88d20347884bbb0cd456eb442b1d58b3b5ed79a1affcec04ca2ed46c2947d9ae

Download Submit
/data/data/com.hz.xitu.app/databases/shop.db-shm

Filesize
32KB

MD5
3493cec7a2b9f363a971ee1710158508

SHA1
47fa725cffd03a7b49c6012274639b0f8d3563cc

SHA256
5e583165033afb2da95c784f558e7cb2f792cfe9b61200e08e3acbd23b26a97a

SHA512
3c3a6eda12622bfebe6d977c1cba1cb50e643e93acb058e9eb1231effdc3b75574ef6c759c218639c9bc4ecc66ee165e2326f44e76abefdcb799d2893b96e5d6

Download Submit
/data/data/com.hz.xitu.app/databases/shop.db-wal

Filesize
28KB

MD5
e8ce132c6b00e7296a407eb44b9a4182

SHA1
bc40dde7625fe0ffbc134a5c7d7186b93a5aeed9

SHA256
770649282f77ae3f4d383c1b97171fd73fbe74577b9575f3d19f1d391dcd44c0

SHA512
47ee23234cc4db82d2241f01cb145eff0b8b53b1b24a2152bdd0791a8721859d5eaed838f0e1d7644e1bc64c2f2221f315327afe6e704319736796412eadc003

Download Submit
/data/data/com.hz.xitu.app/files/jpush_stat_history_pushcore/76621ca2d324fcea8b250484/active_user/nowrap/079ed580-b434-492e-b659-7c84f2636016

Filesize
159B

MD5
520453d86928d4be5cea0d1b6b012623

SHA1
56a08ecb418ea68c554b09cee245a70122659908

SHA256
f9101c896080b1fb39bd542a1b7408e8519896f9d9d03367c8a0c1fd0ea6979d

SHA512
19c2dbb031bf6fe51a38f00d7d345c182ab72f2083ea7364ff72ebaa301e4fefe513738082125d3100273268a2c8548d84bc3b1ef919b6ac95058b4e1190efc5

Download Submit
/data/data/com.hz.xitu.app/unicorn#cheese#

Filesize
3KB

MD5
ccd7068b0e10f781dabbf86db0fb24a6

SHA1
0fc2b6ec50c2aa4e6ef5b3669d4e90f2b6997847

SHA256
7a445223a42f77c39ac5471366a83ba26d0ab490000420b87ef6ce531c8230e9

SHA512
a7768223617c0ae243274ce7418524c8ecc06040a62854aa4929e0279cf80e276c61b8dea94ddab4098d4c318b8bb3ed3b589810ab97e02e6400ff7203da4f64

Download Submit
/storage/emulated/0/Android/data/com.hz.xitu.app/files/tbslog/tbslog.txt

Filesize
8KB

MD5
716cf5b324020345a8d26b0ecbf59850

SHA1
a76348da541d2117231afe11575b0f4688ed64c4

SHA256
8a2bd75684864819f756788b5c3a106136868a77f3dfcba594519dd0cd73cf86

SHA512
66d803ebc3ec56e5904343422ebcd497762a49056935429d95d999ef6408ba0f82212182628b70c92c74e8ca8ffdee16f5a3a3c1e7f406ac61fe724339fc37ff

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads