joker | d4a068fb20501d18a5d55c7ce5aee30e4130e380cba8c9fc0e969d701f46bcbb

Analysis

max time kernel
47s
max time network
129s
platform
android_x86
resource
android-x86-arm-20240221-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20240221-enlocale:en-usos:android-9-x86system
submitted
03-05-2024 07:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0ffd4124786d4eef3eb4611b217d19a8_JaffaCakes118.apk
Size

29.2MB
MD5

0ffd4124786d4eef3eb4611b217d19a8
SHA1

a7af2714c43fa52a3634cfcd8b120d3e9567110e
SHA256

d4a068fb20501d18a5d55c7ce5aee30e4130e380cba8c9fc0e969d701f46bcbb
SHA512

b883b1dd9adb4e1ca84c9a0cf6c81c167f9d290ee7047d155afaf1306a7d0482f53d6c1c183d578f234f70cc35eed44e6079ae2327c58ce285a7cb7ec32833dd
SSDEEP

786432:96Q07tmga9twC3Ct//up/WUt3FkmM+oe2n:96Q6totwC3Ct//+/9rkmMBn

Score

10^/10

joker discovery evasion infostealer persistence trojan

Malware Config

Signatures

joker
Joker is an Android malware that targets billing and SMS fraud.
infostealer trojan joker

Loads dropped Dex/Jar 1 TTPs 5 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/data/com.jiaming.ko/.jiagu/classes.dex	4318	com.jiaming.ko
/data/data/com.jiaming.ko/.jiagu/classes.dex!classes2.dex	4318	com.jiaming.ko
/data/data/com.jiaming.ko/.jiagu/tmp.dex	4318	com.jiaming.ko
/data/data/com.jiaming.ko/.jiagu/tmp.dex	4353	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/data/com.jiaming.ko/.jiagu/tmp.dex --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/data/com.jiaming.ko/.jiagu/oat/x86/tmp.odex --compiler-filter=quicken --class-loader-context=&
/data/data/com.jiaming.ko/.jiagu/tmp.dex	4318	com.jiaming.ko

Queries information about running processes on the device 1 TTPs 1 IoCs

Application may abuse the framework's APIs to collect information about running processes on the device.

discovery

Process Discovery

T1424

description	ioc	Process
Framework service call	android.app.IActivityManager.getRunningAppProcesses	com.jiaming.ko

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	com.jiaming.ko

com.jiaming.ko
1⤵
- Loads dropped Dex/Jar
- Queries information about running processes on the device
- Registers a broadcast receiver at runtime (usually for listening for system events)
PID:4318
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/data/com.jiaming.ko/.jiagu/tmp.dex --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/data/com.jiaming.ko/.jiagu/oat/x86/tmp.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4353
- /data/app/com.jiaming.ko-j2Sha3CwP5ocTX0tlwhzyg==/lib/x86//libweexjsb.so 55 56 1 /data/user/0/com.jiaming.ko/app_crash/crash_dump.log
  2⤵
  PID:4392

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Credential Access

Discovery

Process Discovery

T1424

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.jiaming.ko/.jiagu/classes.dex

Filesize
6.0MB

MD5
0f70acb31553f711af7b8795290c4b4b

SHA1
a2683ef85dc044e8f4d5522e16445632a28119b5

SHA256
2485518dc22d657184fc19e54c292d738cce375d5076e663474a6596678d942a

SHA512
9d76a157eee354acf9c9e072bc1fab0964b560fc4ad26cb62421ac4e29f02986eca62c5aa9e7e7a700bf0a0f67aeef2870918532d4ebd634e64c1651edad3d5b

Download Submit
/data/data/com.jiaming.ko/.jiagu/classes.dex!classes2.dex

Filesize
5.1MB

MD5
85bfcb34106441e320cb9668bd63cead

SHA1
a017af11d75bec9cd1cec7197fdff29eb73bfc15

SHA256
0ec053f123e1d99772856a802c68aa1267c2c75d407a43d1a00a049508bc21db

SHA512
2e76c9837a3e11ef91b48eea3f2cd6109d7d4267e599713e74cc77766fd82bc3108c2998a8eab5dda7a60b8cd181df6aba1eda40b9628558b6e1c5cd01fe338f

Download Submit
/data/data/com.jiaming.ko/.jiagu/libjiagu.so

Filesize
558KB

MD5
98736de515958ae37ae93a0a0e997098

SHA1
72d0f9d43f7c9bdc9f19d13834c0872f5652c0f9

SHA256
335091dfc73a9f792cb720389c5d94eb6642764a38d70d4b6b7a8afd34038421

SHA512
cc4974ce398bf7f4a20160ad30e4c4b5821ff0d7f2cc9fa0aead73ddc036585266edf429add276b53d6db8dd24a344d709469b9c839451deead6b621e70c92cf

Download Submit
/data/data/com.jiaming.ko/.jiagu/tmp.dex

Filesize
284B

MD5
f1771b68f5f9b168b79ff59ae2daabe4

SHA1
0df6a835559f5c99670214a12700e7d8c28e5a42

SHA256
9f8898ce35a47aeafced99ea0d17c33e73037bb2307c7688e50819966f4ae939

SHA512
dae27d19727b89bec49398503baa6801640540355688dfabbe689c97545295c2c2d9b0f0dcd7cbc4cfbf701d0c0c3289e647a152f49ff242d1ecc741efe4145d

Download Submit
/data/data/com.jiaming.ko/cache/weex/libs/weexjsb/x86/libweexjsb.so

Filesize
6KB

MD5
9bb067cd33b490d30f2c88054c732574

SHA1
d95a11e2be5c7a1fab9820e34cdd9e482523ea86

SHA256
fb993dc086feddf19af9700c7428386e3e4a5c67f273711c371ff4460a830ae9

SHA512
0b721c51332313c50ae466fff1b4bdb48a71791bca67ee83d2882a19e8abb59dc1406ed15d6dabbcd3ba922167fbf68a3828fd82edf4b2270ff0191b8fed0dbc

Download Submit
/data/data/com.jiaming.ko/lib-main/dso_deps

Filesize
272B

MD5
0e85b9e549a43653b7d962b358bf724c

SHA1
178b5b1a3417aa07f8784ca9e8e972c3688da2f0

SHA256
67d1fad5f5d27ead65777873ecdcc62f82dbe329169ac640edbacb481a3e2817

SHA512
4fb4e91ba63fb58e619e61863ebe8f922b492aab8c2fd08fb1dd57592e88fa22502d1b625329dcd01e7378d2fdcacfe7576e6d062ce8f8b1284fb7a0263272b7

Download Submit
/data/data/com.jiaming.ko/lib-main/dso_manifest

Filesize
362B

MD5
b384268280bf9da4cef70db405923eae

SHA1
c9dd9e67ce2aad163424f1b0ac3419e94b1be8e1

SHA256
49f92518c56b9a75e4c9de311738b3fa5d60459c68da885dd6f411a195d0c7fe

SHA512
28d02fcd000366e2fcc4411279ad655aaffe026c93f5cb4d25560974c0801a16c4cb1edca32cb39ee9b945aad7e048ef977d34c7b90af6f509652149f958f9d7

Download Submit
/data/data/com.jiaming.ko/lib-main/dso_state

Filesize
1B

MD5
93b885adfe0da089cdf634904fd59f71

SHA1
5ba93c9db0cff93f52b521d7420e43f6eda2784f

SHA256
6e340b9cffb37a989ca544e6bb780a2c78901d3fb33738768511a30617afa01d

SHA512
b8244d028981d693af7b456af8efa4cad63d282e19ff14942c246e50d9351d22704a802a71c3580b6370de4ceb293c324a8423342557d4e5c38438f0e36910ee

Download Submit
/data/data/com.jiaming.ko/lib-main/dso_state

Filesize
1B

MD5
55a54008ad1ba589aa210d2629c1df41

SHA1
bf8b4530d8d246dd74ac53a13471bba17941dff7

SHA256
4bf5122f344554c53bde2ebb8cd2b7e3d1600ad631c385a5d7cce23c7785459a

SHA512
7b54b66836c1fbdd13d2441d9e1434dc62ca677fb68f5fe66a464baadecdbd00576f8d6b5ac3bcc80844b7d50b1cc6603444bbe7cfcf8fc0aa1ee3c636d9e339

Download Submit
/data/data/com.jiaming.ko/lib-main/libNativeUtil.so

Filesize
21KB

MD5
a5dae3912a5a4f66743e9b6a02385059

SHA1
1a1555d9103410f29a289237b6f3b49278060775

SHA256
f5a134aa6241058cf47103710fa93a1cc9a32163669271a5ae485367591320ab

SHA512
c85f0b9b61914b972bdc3a3582d9f76e2023747f3cdad3e405419be4bd6dd6b7c34c87e865bd0d01b8c2f6b162308c2b5d18ff90113ff6fd70a37dead07f85d9

Download Submit
/data/data/com.jiaming.ko/lib-main/libutility.so

Filesize
29KB

MD5
031a7b4ea21484caea064a1e8f12cbf7

SHA1
2d78aa57abfb396e928257d2ee630d9eadaa9f63

SHA256
95174a6389dd46aa848433cec80bd58cef4fe371a6d525a78b97e620ce56c8e9

SHA512
d82eaf6ed1d2fb0a870010d7726e0eecbda86d967b91fd010f3e0295e7ab15c85ba9f8da4b0a5e5f8e433168aa9cac2b5cde314f65d33aca7176d1abc7771f8e

Download Submit
/data/data/com.jiaming.ko/lib-main/libweibosdkcore.so

Filesize
21KB

MD5
b07c039c9b31590ef75c32bda8e432c8

SHA1
701c4e1106480d5ffb8cc664b20d6fc044ceceb0

SHA256
ed419bb2248afda2e6990f26e944b7c30c18a97c16475001d5fca2bcab177699

SHA512
e4acf837af985998f143e5d945e86ed948f6776351cf68a6c0becfdc328b99797525e14bacfbda35d2429846206a5fd5bb57ccd2e2a61a02ab3db97fa570a350

Download Submit
/data/data/com.jiaming.ko/lib-main/libwind.so

Filesize
33KB

MD5
04b6dba3efd02ee63209d15edc5c57ef

SHA1
0bbc0fbbf06b969e53fc2f89097d4db065fad922

SHA256
3bb22bef3be3db53a5cc9e0a518b1bdfe9c6df85b0b5023eb47f6848d0a00db1

SHA512
ae3b969a8975414e2ef163b4191cfb57cb365a722c267c1e55360550ae0cb8fc77a58f3e47b90292b4c41fbc4e4b7271e57466d9a7a42b4bc4a265efa03e8915

Download Submit