4b8895c2faa57c4b3e806bda8237009176e2c15658c5d34116d248c9f535255e

Analysis

max time kernel
104s
max time network
155s
platform
android_x86
resource
android-x86-arm-20240624-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20240624-enlocale:en-usos:android-9-x86system
submitted
14/09/2024, 07:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dfbc71240bad96780b4cfb45fceaae74_JaffaCakes118.apk
Size

13.4MB
MD5

dfbc71240bad96780b4cfb45fceaae74
SHA1

8131ce4f61552f7c2bc5eaa73b90015f2eab225a
SHA256

4b8895c2faa57c4b3e806bda8237009176e2c15658c5d34116d248c9f535255e
SHA512

5f26244a49e60426d877fca7fe52645c9d526614437efefac37a231c1952a0fedafd5e8f0e83d006b54fd08c690efcaa483acd62ea4705248155c92f98d8a236
SSDEEP

393216:PJPRIAJFeQevaZVNswbzjwExXR2eMAumNP7F:PJWAHZzDzRxM1mNjF

Score

8^/10

discovery evasion impact persistence

Malware Config

Signatures

Checks if the Android device is rooted. 1 TTPs 2 IoCs

evasion

System Information Discovery

T1426

ioc	Process
/sbin/su	/system/bin/sh -c type su
/system/app/Superuser.apk	com.zhizun.zhizuntianxia

Loads dropped Dex/Jar 1 TTPs 5 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/data/com.zhizun.zhizuntianxia/mix.dex	4259	com.zhizun.zhizuntianxia
/data/data/com.zhizun.zhizuntianxia/mix.dex	4359	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/data/com.zhizun.zhizuntianxia/mix.dex --output-vdex-fd=50 --oat-fd=51 --oat-location=/data/data/com.zhizun.zhizuntianxia/oat/x86/mix.odex --compiler-filter=quicken --class-loader-context=&
/data/data/com.zhizun.zhizuntianxia/mix.dex	4259	com.zhizun.zhizuntianxia
/data/data/com.zhizun.zhizuntianxia/mix.dex	4433	com.zhizun.zhizuntianxia:push
/data/data/com.zhizun.zhizuntianxia/mix.dex	4433	com.zhizun.zhizuntianxia:push

Queries information about running processes on the device 1 TTPs 2 IoCs

Application may abuse the framework's APIs to collect information about running processes on the device.

discovery

Process Discovery

T1424

description	ioc	Process
Framework service call	android.app.IActivityManager.getRunningAppProcesses	com.zhizun.zhizuntianxia
Framework service call	android.app.IActivityManager.getRunningAppProcesses	com.zhizun.zhizuntianxia:push

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org 1 IoCs

flow	ioc
10	alog.umeng.com

Queries information about active data network 1 TTPs 2 IoCs

discovery

System Network Connections Discovery

T1421

description	ioc	Process
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.zhizun.zhizuntianxia
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.zhizun.zhizuntianxia:push

Queries information about the current Wi-Fi connection 1 TTPs 2 IoCs

Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

discovery

System Network Connections Discovery

T1421

description	ioc	Process
Framework service call	android.net.wifi.IWifiManager.getConnectionInfo	com.zhizun.zhizuntianxia
Framework service call	android.net.wifi.IWifiManager.getConnectionInfo	com.zhizun.zhizuntianxia:push

Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 2 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	com.zhizun.zhizuntianxia
Framework service call	android.app.IActivityManager.registerReceiver	com.zhizun.zhizuntianxia:push

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.zhizun.zhizuntianxia

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	com.zhizun.zhizuntianxia

Checks memory information 2 TTPs 2 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	com.zhizun.zhizuntianxia
File opened for read	/proc/meminfo	com.zhizun.zhizuntianxia:push

com.zhizun.zhizuntianxia
1⤵
- Checks if the Android device is rooted.
- Loads dropped Dex/Jar
- Queries information about running processes on the device
- Queries information about active data network
- Queries information about the current Wi-Fi connection
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:4259
- /system/bin/sh -c getprop ro.board.platform
  2⤵
  PID:4286
- sh -c getprop ro.yunos.version
  2⤵
  PID:4307
- getprop ro.board.platform
  2⤵
  PID:4286
- getprop ro.yunos.version
  2⤵
  PID:4307
- /system/bin/sh -c type su
  2⤵
  - Checks if the Android device is rooted.
  PID:4340
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/data/com.zhizun.zhizuntianxia/mix.dex --output-vdex-fd=50 --oat-fd=51 --oat-location=/data/data/com.zhizun.zhizuntianxia/oat/x86/mix.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4359
- logcat -d -v threadtime
  2⤵
  PID:4499
- /system/bin/sh -c getprop ro.miui.ui.version.name
  2⤵
  PID:4555
- getprop ro.miui.ui.version.name
  2⤵
  PID:4555
- /system/bin/sh -c getprop ro.build.version.emui
  2⤵
  PID:4612
- getprop ro.build.version.emui
  2⤵
  PID:4612
- /system/bin/sh -c getprop ro.lenovo.series
  2⤵
  PID:4671
- getprop ro.lenovo.series
  2⤵
  PID:4671
- /system/bin/sh -c getprop ro.build.nubia.rom.name
  2⤵
  PID:4696
- getprop ro.build.nubia.rom.name
  2⤵
  PID:4696
- /system/bin/sh -c getprop ro.meizu.product.model
  2⤵
  PID:4721
- getprop ro.meizu.product.model
  2⤵
  PID:4721
- /system/bin/sh -c getprop ro.build.version.opporom
  2⤵
  PID:4745
- getprop ro.build.version.opporom
  2⤵
  PID:4745
- /system/bin/sh -c getprop ro.vivo.os.build.display.id
  2⤵
  PID:4771
- getprop ro.vivo.os.build.display.id
  2⤵
  PID:4771
- /system/bin/sh -c getprop ro.aa.romver
  2⤵
  PID:4795
- getprop ro.aa.romver
  2⤵
  PID:4795
- /system/bin/sh -c getprop ro.lewa.version
  2⤵
  PID:4821
- getprop ro.lewa.version
  2⤵
  PID:4821
- /system/bin/sh -c getprop ro.gn.gnromvernumber
  2⤵
  PID:4847
- getprop ro.gn.gnromvernumber
  2⤵
  PID:4847
- /system/bin/sh -c getprop ro.build.tyd.kbstyle_version
  2⤵
  PID:4872
- getprop ro.build.tyd.kbstyle_version
  2⤵
  PID:4872
- /system/bin/sh -c getprop ro.build.fingerprint
  2⤵
  PID:4897
- getprop ro.build.fingerprint
  2⤵
  PID:4897
- /system/bin/sh -c getprop ro.build.rom.id
  2⤵
  PID:4922
- getprop ro.build.rom.id
  2⤵
  PID:4922

com.zhizun.zhizuntianxia:push
1⤵
- Loads dropped Dex/Jar
- Queries information about running processes on the device
- Queries information about active data network
- Queries information about the current Wi-Fi connection
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Checks memory information
PID:4433
- /system/bin/sh -c getprop ro.miui.ui.version.name
  2⤵
  PID:4485
- sh -c getprop ro.yunos.version
  2⤵
  PID:4513
- getprop ro.miui.ui.version.name
  2⤵
  PID:4485
- getprop ro.yunos.version
  2⤵
  PID:4513
- /system/bin/sh -c getprop ro.build.version.emui
  2⤵
  PID:4576
- getprop ro.build.version.emui
  2⤵
  PID:4576

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Discovery

Process Discovery

T1424

System Information Discovery

T1426

System Network Configuration Discovery

T1422

System Network Connections Discovery

T1421

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.zhizun.zhizuntianxia/databases/UmengLocalNotificationStore.db

Filesize
4KB

MD5
f5ae32aa1d107b065c2b758b7d8cc54e

SHA1
6f4c6201365aab1b4d6c1a1669213db716eaa1c1

SHA256
d96bd17a72f054221436b1e049350c1a11ad752a4e2dda89019394efd248979a

SHA512
35f7148afc30d4766733709af5daafe22c32039f358d2ef24cb9a1462e960141153ae95905b0516a15eb04c6f380445a52c381a0883e8f591f0711f3b7c6a6ea

Download Submit
/data/data/com.zhizun.zhizuntianxia/databases/UmengLocalNotificationStore.db-journal

Filesize
512B

MD5
90b3895db4ecc0196b6c8c0fc0a4c246

SHA1
ad010e6a940907d3c4567853ccf21c48be3dd54f

SHA256
c593c51252dea59e73d58d398b8107a5c575b6266bfec2a2b5cbf67f95887d22

SHA512
12c12bda749070cce36c15683c2f8c3ece3703ac5262a2a1be579089ca178e2019300ba691ad249c3df67c8dc62b5c4af91fdcf6b83cbdd59974e4f1e4d54de6

Download Submit
/data/data/com.zhizun.zhizuntianxia/databases/UmengLocalNotificationStore.db-wal

Filesize
40KB

MD5
afae0e04944764f5a16848ab3635b73f

SHA1
bdb1507f55fdda79c3ab02774689da1a72ed725f

SHA256
8a17f87b557bb737a8d2f34a96b3eaed7461529e43c658f6a85c5f42d4a98925

SHA512
5b5523406ee70add7f93f29d59a3f8acc882621026c9edead628a1d9fc2b649371f4a0d66105436690c3781dd6cfc907aaf8b611bb93a9c201664013aab1e7db

Download Submit
/data/data/com.zhizun.zhizuntianxia/databases/bugly_db_legu

Filesize
4KB

MD5
f2b4b0190b9f384ca885f0c8c9b14700

SHA1
934ff2646757b5b6e7f20f6a0aa76c7f995d9361

SHA256
0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

SHA512
ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

Download Submit
/data/data/com.zhizun.zhizuntianxia/databases/bugly_db_legu-journal

Filesize
120KB

MD5
97dd5e8721dafe1bd16e2b75509ed0de

SHA1
32d5b333644ce0de3ec8fcc5f1aa47164ff4b3ca

SHA256
a2e234fc134dc69cd35e64db1a86146f08294a430b6f5a14aeca98afb1992226

SHA512
da9b38636a09eba2ecff74ed7ad72c3b5a7fd6d3cf9d12ff19f7e0594afbd3e9546b9c870906a874c02809b0a2205b9a57b6ed113af03640f494da566047a38d

Download Submit
/data/data/com.zhizun.zhizuntianxia/databases/bugly_db_legu-shm

Filesize
32KB

MD5
bb7df04e1b0a2570657527a7e108ae23

SHA1
5188431849b4613152fd7bdba6a3ff0a4fd6424b

SHA256
c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

SHA512
768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Download Submit
/data/data/com.zhizun.zhizuntianxia/databases/bugly_db_legu-wal

Filesize
201KB

MD5
65aebbfd105113d45ee0ff0bb7abb655

SHA1
d8270687e4f0a0ead1174198401579a137d40af1

SHA256
3b729d828952c40717b1dc9697fa1fc0caad3ec957a114f4e750346acf722b38

SHA512
3e5f3e850858448bec20ce2571e66e49db97fa39eff031e790e6b5a4c79db75d3d007bf01c33e20e2a4d07d08af3b2f5157ecb5c87066385096fa60d829ab555

Download Submit
/data/data/com.zhizun.zhizuntianxia/databases/cc/cc.db

Filesize
36KB

MD5
5d7ea1a23af19b4340cc8d90f28297d5

SHA1
4cfe95b23a9e98378d69c4290af81b51fbe76aea

SHA256
474c4a54534ed96beacad7cc9a805a3f53ec9c0522fc7bcc59771cf500a6a0da

SHA512
33071f4c92da0a3df01c4a61dd165df7c7e0f4f37753cafe02d19fc876a5e7fcbb01c069c804e140ab8bfa0644a55f50fd1373646d1c439f817baa5ffbd47f7b

Download Submit
/data/data/com.zhizun.zhizuntianxia/databases/cc/cc.db

Filesize
36KB

MD5
ce6135aa1b1fe4f2c2db2a546d2a5558

SHA1
79b59582154017aadab783dc266fcb158c252940

SHA256
7b45f576c08c7f78220168cca4a0e33198b13e9bdc8b1da406ddb6887412000c

SHA512
2839075fe374c8567c839ae35ce2d33ec72fdaebf170aa7d224b555e5b0e74d4a43f2f67d17ed806dae841da883e9620d788ea052d06152678afa927307c7ce4

Download Submit
/data/data/com.zhizun.zhizuntianxia/databases/cc/cc.db-journal

Filesize
512B

MD5
633653bd9fe13f3413f470e83a68bde5

SHA1
dad52206a765c8cdbea23b4b499a56b644300ecd

SHA256
dd5d470a2498e88257f00d5346785f249755df7df544550e2b7eb07ac02f8093

SHA512
099b5b891111088a642c8b8e071d0f25fc23f71621b41fa35b3f02577fdd0190c80e432cd830fe973ac218499f15df277e2342b9a47cfdb09c920d7724f4e08d

Download Submit
/data/data/com.zhizun.zhizuntianxia/databases/cc/cc.db-wal

Filesize
48KB

MD5
878d7f6bc4bd7b474c275ee873302298

SHA1
69705558e43ce690d71c443bf6163afc4db3e258

SHA256
2cb3fc16063f23c77c5470edd6a55e951c34899d1bc9a69157006363a0a1cf5e

SHA512
2171f5e763e77f7b8f5645bf113c070817f47e4350fa52105d1de468a330541b9ec704b6e2da86efd40d3330135fdbd78373b72566ea667dd9cd984fa3790ad1

Download Submit
/data/data/com.zhizun.zhizuntianxia/databases/cc/cc.db-wal

Filesize
16KB

MD5
b921a2a374eff394eee0c2d8b347390d

SHA1
e5aa7a92cddff00c16e8843b3a1e5c446d93eb23

SHA256
001b98d3afa03018a2fd46e4bf5d2862c4c7c8d3d6076410bb27d8c103e484f9

SHA512
9419a293d62a85f3cf5c4a6916e97345178645085926e0116083ca9f28c6cc8a45ebbff6811d1af0697833f1b4f1382c2f34fa09e914c5f933fbde7504296128

Download Submit
/data/data/com.zhizun.zhizuntianxia/databases/kanqianjinrong.db-journal

Filesize
512B

MD5
658dd0e58d05590d390508684b1d5983

SHA1
55e74d45984339fcf7f95bad587d31e87bac271a

SHA256
3b78ea7fcb30b52c172ae94e1f93b4f23cee60bf47177cbf276c9c1ce01fc0ba

SHA512
1ba567cd1c0ca7010745cc0e804b6625d75995cb198896d9d4ac573cd7ce3a685d6dcc11132bd8855060806eb3d274dba95bbab26f79f2b1d4c5a290e931433e

Download Submit
/data/data/com.zhizun.zhizuntianxia/databases/kanqianjinrong.db-wal

Filesize
20KB

MD5
516e2e066322fdf2a212e16dbc7cf0d9

SHA1
a6251cffdd96656a8fc08907fad368bb4833488b

SHA256
6e499390d6d1500c5e148b8e5bed3abb72ffa043cbc87f51b044d11840592162

SHA512
d7e6f36067f9fac3cf971774e66cab71f04bd0967e997a2ed24fff6e6a8adf08ce95a3a53b22eaf941cb1b8eb45c989be2280b76dcc04308a22e7f419eb27bfa

Download Submit
/data/data/com.zhizun.zhizuntianxia/files/.um/um_cache_1726298851305.env

Filesize
1KB

MD5
fdca412a5fa03cb5cd3c1a873d05126c

SHA1
f197ed297438680d9761091d4ed3e12cf773e1c8

SHA256
87d0bf63442ec388c477c159a0c580c969b7932fe54ca6d40c0cd71588a664cb

SHA512
dedbe930ff4d947628b09e2ac9b23401d51cedec0796cc9e6c4e545a8414daee5d88d5b5bdffd7fed4791af3b5b421b1b069f6585a168b5fce0043eff44fb71e

Download Submit
/data/data/com.zhizun.zhizuntianxia/files/.umeng/exchangeIdentity.json

Filesize
162B

MD5
22e24ff126543412a153f4b544a4390f

SHA1
3e9c66df6944668362824cbba0a5c08bd34ab1fd

SHA256
8d51300e848873e2ab9bc632fbc0b9b185d2b13837a34de06752e4b9747ac1ac

SHA512
64ca7bd5278113a5a254836fb2ff08975ca583318db8a3db3147e78069d23703bbd3895f6af357d04bbd672bd7431785d430dcbc1832f4732c35a5f54c255d88

Download Submit
/data/data/com.zhizun.zhizuntianxia/files/mobclick_agent_cached_com.zhizun.zhizuntianxia1

Filesize
2KB

MD5
b0c78c0ff8ba95c477cb27301bdd7932

SHA1
fac84e1b9df0c4766f7c76794546afa05e5377e3

SHA256
577fb3b26a8532d05581e091b38e3d32e8d463d314b6450da0478797affdf8ff

SHA512
baba855e19b6d02fb7ef69aa8cdaa007c230358ebd360bf3ab4bf6c808401ca31841854cc35ba3189d0ecca674f74af9616b3ca112397fbf616e5f3b7d9816e8

Download Submit
/data/data/com.zhizun.zhizuntianxia/files/umeng_it.cache

Filesize
415B

MD5
b4969a3c72ac163d4bedbb7f4b964e30

SHA1
64363eaba82125f034b6831ffebbdc8eca672960

SHA256
4d536a270022816633d05e166dd284d73d14449e23bcb5283eddd221c38bf393

SHA512
d58c37a51757ade5e81758913f3dcfb74fe4ad1df7a969504852d3738ac177519d5071c28058043dccf20ea159e8901acefb8b836489bac96bbbbe1c52e84952

Download Submit
/data/data/com.zhizun.zhizuntianxia/mix.dex

Filesize
292B

MD5
63f77f99bd2c2b772a479923bde11974

SHA1
c7632e7d301e4463fafce85f84e9c3d7da3fdbbe

SHA256
4c76a3af64cdd2f8713ffe2733dea50dbe714d0ca41c17d1847ee5b62a7ca615

SHA512
3aae4a89d1ed51fdd911cb367eb10afe3c2264e4222085891b18a60d5412f85d10bf5c8f3c6642db70abb9aa42732bac5c42c42ee32d587100f53c21b5beb16c

Download Submit
/storage/emulated/0/.UTSystemConfig/Global/Alvin2.xml

Filesize
65B

MD5
9781ca003f10f8d0c9c1945b63fdca7f

SHA1
4156cf5dc8d71dbab734d25e5e1598b37a5456f4

SHA256
3325d2a819fdd8062c2cdc48a09b995c9b012915bcdf88b1cf9742a7f057c793

SHA512
25a9877e274e0e9df29811825bd4f680fa0bf0ae6219527e4f1dcd17d0995d28b2926192d961a06ee5bef2eed73b3f38ec4ffdd0a1cda7ff2a10dc5711ffdf03

Download Submit
/storage/emulated/0/.UTSystemConfig/Global/Alvin2.xml

Filesize
111B

MD5
ccd11f061710117e10ca6d04697c1671

SHA1
2607ed2590b3b770fcc447b7d89b5aa15dcf2cdf

SHA256
4f3163b0b5ed4b06e6857ded9a88424ce608fc3218356bd9fe1b63f1c9a5d580

SHA512
36e77e61986010a5de22bf4c3b4f622abd3c994c54f5bc8e64703ffd315253eacf073eaeaaee1e275afb003e35d1a34cba941169e302ef9d8a4284768a3db3a8

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads