35d37aa360e9f88a720988f954bb1d8aa748bc6c9e8e34ed42cc73052336d991

Analysis

max time kernel
138s
max time network
151s
platform
android_x86
resource
android-x86-arm-20240624-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20240624-enlocale:en-usos:android-9-x86system
submitted
13/09/2024, 16:53

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

de840bf8bf34aca77062ab623b2e3028_JaffaCakes118.apk
Size

11.0MB
MD5

de840bf8bf34aca77062ab623b2e3028
SHA1

fc8c119040df097bd36fa92e547efb0ddb88c870
SHA256

35d37aa360e9f88a720988f954bb1d8aa748bc6c9e8e34ed42cc73052336d991
SHA512

6586c5deb8094b630eb32283db65909ff4e9ff8650af8b25c3211fbd6f445e37981c9224e3a7e5be96b46cda19fe20f8261fe06bbc6443e2debc05c72a47f7cd
SSDEEP

196608:U2EdDOQoutjoFMlu7zO3pYcV0PoL3S3RSkIivA+3SGQ8tMxToV6UgutmZwPqYPeY:U2dCqz3en0PaNXiv/3W8m26UguIZwBeY

Score

8^/10

discovery evasion impact persistence

Malware Config

Signatures

Checks if the Android device is rooted. 1 TTPs 2 IoCs

evasion

System Information Discovery

T1426

ioc	Process
/system/bin/su	com.gt.gold
/system/xbin/su	com.gt.gold

Loads dropped Dex/Jar 1 TTPs 4 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.gt.gold/.jiagu/classes.dex	4253	com.gt.gold
/data/data/com.gt.gold/.jiagu/tmp.dex	4253	com.gt.gold
/data/data/com.gt.gold/.jiagu/tmp.dex	4302	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/data/com.gt.gold/.jiagu/tmp.dex --output-vdex-fd=42 --oat-fd=44 --oat-location=/data/data/com.gt.gold/.jiagu/oat/x86/tmp.odex --compiler-filter=quicken --class-loader-context=&
/data/data/com.gt.gold/.jiagu/tmp.dex	4253	com.gt.gold

Queries information about running processes on the device 1 TTPs 1 IoCs

Application may abuse the framework's APIs to collect information about running processes on the device.

discovery

Process Discovery

T1424

description	ioc	Process
Framework service call	android.app.IActivityManager.getRunningAppProcesses	com.gt.gold

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org 2 IoCs

flow	ioc
19	s.appjiagu.com
36	b.appjiagu.com

Queries information about active data network 1 TTPs 1 IoCs

discovery

System Network Connections Discovery

T1421

description	ioc	Process
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.gt.gold

Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs

Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

discovery

System Network Connections Discovery

T1421

description	ioc	Process
Framework service call	android.net.wifi.IWifiManager.getConnectionInfo	com.gt.gold

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	com.gt.gold

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.gt.gold

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	com.gt.gold

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	com.gt.gold

com.gt.gold
1⤵
- Checks if the Android device is rooted.
- Loads dropped Dex/Jar
- Queries information about running processes on the device
- Queries information about active data network
- Queries information about the current Wi-Fi connection
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:4253
- chmod 755 /data/user/0/com.gt.gold/.jiagu/libjiagu.so
  2⤵
  PID:4278
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/data/com.gt.gold/.jiagu/tmp.dex --output-vdex-fd=42 --oat-fd=44 --oat-location=/data/data/com.gt.gold/.jiagu/oat/x86/tmp.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4302
- /system/bin/dex2oat --instruction-set=x86 --dex-file=/data/user/0/com.gt.gold/.jiagu/classes.dex --oat-file=/data/user/0/com.gt.gold/.jiagu/oat/x86/classes.odex --inline-max-code-units=0 --compiler-filter=speed
  2⤵
  PID:4410
- sh -c ps
  2⤵
  PID:4430
- ps
  2⤵
  PID:4430

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Discovery

Process Discovery

T1424

System Information Discovery

T1426

System Network Connections Discovery

T1421

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.gt.gold/.jiagu/classes.dex

Filesize
3.2MB

MD5
71f161d3db148853ab250d476a9cb2b8

SHA1
b3f2565362d458ba3f635f7c736f32fa6de84be8

SHA256
c6591be6687d8cab0b0a6b11fc745b39f510e6c881c6c44f39ef8b86e3ad0118

SHA512
e8bb4f94023357642beb6a83d3311c8c4b14ad0ba26125d50bb8599ecbdc65e26ae8cc147ea7345adb7bbc551f3dadac98a3702ff27393fb9fd451e741bb15ef

Download Submit
/data/data/com.gt.gold/.jiagu/libjiagu.so

Filesize
382KB

MD5
aa01dd97609092ce310e17bf791069ce

SHA1
f000840a8f68ea7beb2e29ea466088daf55609db

SHA256
e432c191f918053ce368e1b1f155b2e1f9e84379611b93aabec0106172b73aa2

SHA512
766c120a06215d0950aae32026fcde3eafed8d18ae0de7bc8135a7378a9055c8f0040d61574d9af67fe2b5b90eeae64c62d787343858ae375bb6658df8afe7b4

Download Submit
/data/data/com.gt.gold/.jiagu/tmp.dex

Filesize
284B

MD5
f1771b68f5f9b168b79ff59ae2daabe4

SHA1
0df6a835559f5c99670214a12700e7d8c28e5a42

SHA256
9f8898ce35a47aeafced99ea0d17c33e73037bb2307c7688e50819966f4ae939

SHA512
dae27d19727b89bec49398503baa6801640540355688dfabbe689c97545295c2c2d9b0f0dcd7cbc4cfbf701d0c0c3289e647a152f49ff242d1ecc741efe4145d

Download Submit
/data/data/com.gt.gold/files/.jglogs/.jg.ac

Filesize
40B

MD5
1f07a4971bbcc9a0d3a10ac8f68bac22

SHA1
b4a820848a8ddda60c10eeebe0630bf006101a1a

SHA256
4ad06d995749a6938f498c00f7903cf7b6d55ddfb070959547ca196a7ff98f0c

SHA512
222b4cf668186531c4288e358cedf21cfbd5f24d7207067cdaa7352dc0087c965f8425fd208a6f509cef4d46f282590c5d25770c0b3f8d29e171a62d057007a4

Download Submit
/data/data/com.gt.gold/files/.jglogs/.jg.ac

Filesize
40B

MD5
a8d05438d7939cd47fd58fcd0b25f111

SHA1
66c5db679bbf097b095ef380b9b2fd704fc6fcb6

SHA256
438b7a36e7bb00c3e180a93b918fb24806bdd8317e4018772fcbe89449e84370

SHA512
8f8b2039532b64018d2adcc654ef2a9286bf7f539d078c0f77a6ac589719bd95cd4b2b681d2add22a62407f7ad9223599a349501960c97c4f10baa54be33da46

Download Submit
/data/data/com.gt.gold/files/.jglogs/.jg.di

Filesize
340B

MD5
0ecc155f5f3f95c3ad38ff99b0b194e4

SHA1
ffdabb1498c31610fde2192a605f0f771f62d323

SHA256
7aa2e392477f303a930497ec78df3eb3f9e0361108cc76690c17dcbfe3927fa0

SHA512
0b43b55fffb9e68d619dd052df956c6c7338df44c83a835b62446af67b1c9d93eb02e4bb1c28d311cd1fc56c15b67fc973d5a7fd2bae53a0c3ba02264bf432bd

Download Submit
/data/data/com.gt.gold/files/.jglogs/.jg.di

Filesize
340B

MD5
38420176887e2f3ba599273ed0b26404

SHA1
bf5b4e46971536aac239d1e434689fca13be94d3

SHA256
0e2082ee91f242c68ea03bd934a784d787cae5643490e3150749864981b74565

SHA512
7ef1cc3cc3324dd1515a3e4fb8bc1d00742b8560d4cb517ea305cd0e4473549c09a018a3a9d9cb3240751d99a0ff473f36ae9ba20a2c1f849b94cbca7b13861e

Download Submit
/data/data/com.gt.gold/files/.jglogs/.jg.ic

Filesize
40B

MD5
386b1b361707cbb97a72d20ea2e7f572

SHA1
d35f88a48ca194a9490d81cf4b94e9d8dc22c642

SHA256
63a15ac859961495bbbd30a2ecd20da57cf611c0773cab7f8b3b503e437eb68b

SHA512
2c64fcc4c1ec5bab1a4d4ee3f180acdd3b48c2c78121a9b0d14905351e49e30e7dd814fc5d8934ed4d3b16bb2e08947836a987c9951f94aa124e10517bd9f975

Download Submit
/data/data/com.gt.gold/files/.jglogs/.jg.ri

Filesize
314B

MD5
f26ec65924ff844ce88534905e2a7d95

SHA1
5adf4c938f48cd878030cac7beb2c38cfe3c5606

SHA256
63d46eb66f2a2bc84b0edeb30bbbe55f96ff81b001c11a732fcda89c9c99f6d8

SHA512
0849e0e58b611598db889842fbb7b03f87da11c5e765b35198656d95dd4b6cebef727dc3f888edc923f65fed91e413f539d143c20c4ac66bf75ed310e388511d

Download Submit
/data/data/com.gt.gold/files/.jiagu.lock

Filesize
27B

MD5
82f56d784841605807d31bbc20d407f8

SHA1
cc9c661b8b20996c048392f84a4faa29911ff736

SHA256
82b8e46f98c136135a5dbe1237b9257addabc70d2122bdbd2b2c2d2c99d1994c

SHA512
2acb93613f57423e0c5036ba5b642463b69af4254597e0cb99dcc60740ba532adcb752c9c3f73b9dba51fa192a00c9dbd7d74b6778fee77cc42050cfb485ce43

Download Submit
/data/data/com.gt.gold/files/jpush_stat_cache.json

Filesize
119B

MD5
6971f5e44578cae3d44eea4b92b374ab

SHA1
14b6271165dcff16321a0b7043976f538af2c240

SHA256
d6b8bedd8be306aa7ce59ae1ee7ef389515dba179dce19530ac2c4a12a746204

SHA512
a4f8139df959b0a600d703cd300e880a3179a4056e98df4ca9d59f8823252b5f49e405e2ac9d3cee46e2ca5672b69273f60e9913267495350290fcd9e5481236

Download Submit
/data/data/com.gt.gold/files/weibo_sdk_aid1

Filesize
46B

MD5
4028c8b91f544d6bd51a266683ff791e

SHA1
d8bacd93b5724c8500f66cc46632704115635afd

SHA256
7cda4149bb95d3c082f01b19b365228fd339ce4fcfa02969294e13bdae41270b

SHA512
a8fdcbe785c7f9eabff76f227db4e8c1d099dc8adc81a41283f8fbf118fd0fbff93be1aaacd3c966888f30f247215125317efa56495f022486f5262cd2cc3831

Download Submit
/data/user/0/com.gt.gold/.jiagu/classes.dex

Filesize
5.9MB

MD5
776cedbca040aa3d39a2d0a8bd5d7826

SHA1
3a7f77db36258aae80f4d170f916006e453a0a9f

SHA256
8f38e65a448637f92b14c299bd35944bb01df701fb71873113e1cd15427691a9

SHA512
84b0c24308537299a5b494b979c3608523eec778383d10573130646d6ce9ab2d6b321f822b43c941ef13c9e9e416400343cd2d49a9ab3b126623d7cc713dda36

Download Submit
/storage/emulated/0/360/.deviceId

Filesize
48B

MD5
1d8d16c4e3b19ebf18988530d9b9a757

SHA1
bc94c1cce05cd848a53271ecb9c5311e27ffebf5

SHA256
abd87140da8de3d0aa39a24a8d52bfe7b2eb28f7a3d505f205471c7e8f4964d7

SHA512
4562d1eedbc5c2dd7f25cd1c70343053fd451026403585182b142a64f17016c1bd0bf6ad51667b439b220e425640e55fbbda08517e7106376cdc220a4555da82

Download Submit
/storage/emulated/0/360/.iddata

Filesize
32B

MD5
f5f6d8fb1abf477541acae6f687187a3

SHA1
a7f97572011ed9ada509ae382f10323f3ebd1132

SHA256
a16de7b59ed5292a1418a4a5d5ef386a8f89ecee7fba61812d47d3d96c7453df

SHA512
a9f618d8b4c134cba4c22d596db7846cd2df06892dafd246bd432a1826305d25bec679e438ff23336ebcf331d8e6296a67396d66a3be6c203f67a157947ba6b7

Download Submit
/storage/emulated/0/Android/data/com.gt.gold/cache/uil-images/journal.tmp

Filesize
31B

MD5
8c92de9ce46d41a22f3b20f77404cc1d

SHA1
8671a6dca00edb72be47363a7071be65cf270373

SHA256
68bb33ddeed9200be85a71f70b377985f9ee68e91578afbde8321463396f1274

SHA512
30f45fe9954215d6adafcc8f0a060a7ff41963a64f9b849a37f0d18fe045038d429ec13bf15226769c4ba78dad3c52f3d9e0dbbb4fcdea4828a1efe956e48f56

Download Submit
/storage/emulated/0/data/.push_deviceid

Filesize
32B

MD5
0e5a0fba6663f16e63a16d14235d4b68

SHA1
6567e24799633cd629954933cb8611d7bf0a750b

SHA256
b1baf551ba8d45af6e17347a6cd189fae115455aba46a1f6646077ebba37fd06

SHA512
abf9eb9f7379c7a2459466da14ad4e1b3ff50e27a354981d3a7d3d1cf0e2a2c7c2332add1f2d1df3c34a186320c18a83e2c5d2a471e156f56160bc0f95580a97

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads