Analysis

  • max time kernel
    14s
  • max time network
    130s
  • platform
    android_x86
  • resource
    android-x86-arm-20240624-en
  • resource tags
    android, arch:arm, arch:x86, image:android-x86-arm-20240624-en, locale:en-us, os:android-9-x86, system
  • submitted
    17/10/2024, 16:54

General

  • Target

    52b859941aeae463735336b3f243ccb2_JaffaCakes118.apk

  • Size

    19.0MB

  • MD5

    52b859941aeae463735336b3f243ccb2

  • SHA1

    29c0c6fd81f191cf73e539d7fe0c4fccf83a6b0b

  • SHA256

    abf89b6c6e932dd3c580b43aee510008b933b8eb0283d386814345ded146440f

  • SHA512

    d44390c4e8aeac793607bddaa415ab89cf28fdfe8b3d7ac18e89aa01f7c481e602477d6f4ffa9a84f1213be1398c474bbf03bf0c943bcb0d3afe4180aa6f46f9

  • SSDEEP

    393216:1sQ3nJGc8Kvf16RLnzpeFFUS0HqmKnNeQ9O5ql20CParw8IXdxxtHcefjxBzvS:WQ3nJGcXvNULNe8zHWzI5f/Parw8GAWs

Signatures

  • Loads dropped Dex/Jar 1 TTPs 8 IoCs

    Runs executable file dropped to the device during analysis.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Queries information about running processes on the device 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about running processes on the device.

  • Queries information about active data network 1 TTPs 1 IoCs
  • Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
  • Checks CPU information 2 TTPs 1 IoCs

Processes

  • cn.kdqbxs.reader
    1⤵
    • Loads dropped Dex/Jar
    • Queries information about running processes on the device
    • Queries information about active data network
    • Queries information about the current Wi-Fi connection
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Uses Crypto APIs (Might try to encrypt user data)
    • Checks CPU information
    PID:4250
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/data/cn.kdqbxs.reader/.jiagu/tmp.dex --output-vdex-fd=42 --oat-fd=45 --oat-location=/data/data/cn.kdqbxs.reader/.jiagu/oat/x86/tmp.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4290
    • getprop ro.miui.ui.version.name
      2⤵
      PID:4342

Downloads

  • /data/data/cn.kdqbxs.reader/.jiagu/classes.dex
    Filesize 5.9MB
  • /data/data/cn.kdqbxs.reader/.jiagu/classes.dex!classes2.dex
    Filesize 6.6MB
  • /data/data/cn.kdqbxs.reader/.jiagu/classes.dex!classes3.dex
    Filesize 6.5MB
  • /data/data/cn.kdqbxs.reader/.jiagu/classes.dex!classes4.dex
    Filesize 5.5MB
  • /data/data/cn.kdqbxs.reader/.jiagu/classes.dex!classes5.dex
    Filesize 453KB
  • /data/data/cn.kdqbxs.reader/.jiagu/libjiagu.so
    Filesize 487KB
  • /data/data/cn.kdqbxs.reader/.jiagu/tmp.dex
    Filesize 284B
  • /data/data/cn.kdqbxs.reader/databases/MessageStore.db
    Filesize 4KB
  • /data/data/cn.kdqbxs.reader/databases/MessageStore.db-journal
    Filesize 512B
  • /data/data/cn.kdqbxs.reader/databases/MessageStore.db-shm
    Filesize 28KB
  • /data/data/cn.kdqbxs.reader/databases/MessageStore.db-wal
    Filesize 48KB
  • /data/data/cn.kdqbxs.reader/databases/MsgLogStore.db-journal
    Filesize 512B
  • /data/data/cn.kdqbxs.reader/databases/MsgLogStore.db-wal
    Filesize 68KB
  • /data/data/cn.kdqbxs.reader/databases/kdqbxsBook.db
    Filesize 52KB
  • /data/data/cn.kdqbxs.reader/databases/kdqbxsBook.db-journal
    Filesize 512B
  • /data/data/cn.kdqbxs.reader/databases/kdqbxsBook.db-wal
    Filesize 64KB
  • /data/data/cn.kdqbxs.reader/databases/log.db-journal
    Filesize 512B
  • /data/data/cn.kdqbxs.reader/databases/log.db-wal
    Filesize 16KB
  • /data/data/cn.kdqbxs.reader/files/.jglogs/.jg.ac
    Filesize 32B
  • /data/data/cn.kdqbxs.reader/files/.jglogs/.jg.ic
    Filesize 32B
  • /data/data/cn.kdqbxs.reader/files/.jglogs/.jg.rd
    Filesize 73B
  • /data/data/cn.kdqbxs.reader/files/.jglogs/.jg.ri
    Filesize 314B
  • /data/data/cn.kdqbxs.reader/files/.jglogs/.jg.ri
    Filesize 307B
  • /data/data/cn.kdqbxs.reader/files/.jglogs/.jg.store.report_cf
    Filesize 54B
  • /data/data/cn.kdqbxs.reader/files/.jglogs/.jg.store.report_cf
    Filesize 32B
  • /data/data/cn.kdqbxs.reader/files/.jglogs/.jg.store.report_pid
    Filesize 54B
  • /data/data/cn.kdqbxs.reader/files/.jglogs/.jg.store.report_pid
    Filesize 32B
  • /data/data/cn.kdqbxs.reader/files/.jiagu.lock
    Filesize 27B
  • /data/data/cn.kdqbxs.reader/files/libcuid.so
    Filesize 109B
  • /storage/emulated/0/.idf/.IDF
    Filesize 32B
  • /storage/emulated/0/dy-sdk/udid/storage/emulated/0/kdqbxs_book/cache/uuid.text/sdk-udid.tf
    Filesize 32B