Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

6

1007c2561c...18.apk

android-9-x86

8

1007c2561c...18.apk

android-10-x64

8

1007c2561c...18.apk

android-11-x64

8

Analysis

  • max time kernel
    115s
  • max time network
    146s
  • platform
    android_x86
  • resource
    android-x86-arm-20240221-en
  • resource tags

    androidarch:armarch:x86image:android-x86-arm-20240221-enlocale:en-usos:android-9-x86system
  • submitted
    03/05/2024, 07:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1007c2561c3bef9d7ec27365e550dff5_JaffaCakes118.apk

  • Size

    2.7MB

  • MD5

    1007c2561c3bef9d7ec27365e550dff5

  • SHA1

    01354f7af002d4aa22106d378b838a0e3d51e47f

  • SHA256

    86c8a6b7589dee4accf3561f75ab61e0414c68a3fbc9b5d827bfd8d297007e15

  • SHA512

    a9120d6354b7831bed18e9c028fedf916964e1c21a7d939eec6400645ae8ba7cd16a3553f8984351873236319fcc7b803f152aa16f1f97a2ae517c561d4db98a

  • SSDEEP

    49152:sDswxLJF48ZBj6ZIx9mxuYZWaY33Xwosx8nbCt46kQjOVRzXjh/x1DWQJT4dtMq:sD9ZXjhbaY33AoFmB6VRzXfPBOf

Score
8/10
collectioncredential_accessdiscoveryevasionexecutionpersistencestealthtrojan

Malware Config

Signatures

  • Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasioncredential_access
  • Prevents application removal 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to prevent removal.

    evasion
  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
    stealthtrojanevasion
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
    collectioncredential_access
  • Loads dropped Dex/Jar 1 TTPs 3 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    evasionpersistence
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
    discovery
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
    persistence
  • Requests enabling of the accessibility settings. 1 IoCs
  • Acquires the wake lock 1 IoCs
  • Checks if the internet connection is available 1 TTPs 1 IoCs
    discovery
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
    evasion
  • Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

    executionpersistence
  • Listens for changes in the sensor environment (might be used to detect emulation) 1 TTPs 1 IoCs
    evasion

Processes

  • pefxyoqegqwtr.gzdpycagaibsukmbanztuxepele.pyiipzohcilxrfiiuxe
    1⤵
    • Makes use of the framework's Accessibility service
    • Prevents application removal
    • Removes its main activity from the application launcher
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Loads dropped Dex/Jar
    • Makes use of the framework's foreground persistence service
    • Queries the mobile country code (MCC)
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Requests enabling of the accessibility settings.
    • Acquires the wake lock
    • Checks if the internet connection is available
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Schedules tasks to execute at a specified time
    • Listens for changes in the sensor environment (might be used to detect emulation)
    PID:4270
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/pefxyoqegqwtr.gzdpycagaibsukmbanztuxepele.pyiipzohcilxrfiiuxe/app_DynamicOptDex/FJmoZd.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/pefxyoqegqwtr.gzdpycagaibsukmbanztuxepele.pyiipzohcilxrfiiuxe/app_DynamicOptDex/oat/x86/FJmoZd.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4297

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

1
T1603

Persistence

Event Triggered Execution

1
T1624

Broadcast Receivers

1
T1624.001

Foreground Persistence

1
T1541

Scheduled Task/Job

1
T1603

Privilege Escalation

Defense Evasion

Download New Code at Runtime

1
T1407

Foreground Persistence

1
T1541

Hide Artifacts

3
T1628

Suppress Application Icon

1
T1628.001

User Evasion

2
T1628.002

Impair Defenses

1
T1629

Prevent Application Removal

1
T1629.001

Input Injection

1
T1516

Credential Access

Access Notifications

1
T1517

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Discovery

System Network Configuration Discovery

2
T1422

System Network Connections Discovery

1
T1421

Lateral Movement

Collection

Access Notifications

1
T1517

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Screen Capture

1
T1513

Command and Control

Exfiltration

Impact

Input Injection

1
T1516

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/pefxyoqegqwtr.gzdpycagaibsukmbanztuxepele.pyiipzohcilxrfiiuxe/app_DynamicOptDex/FJmoZd.json
    Filesize

    1.9MB

    MD5

    b9bca0f72d45a3a7e1aff9e60d1abbec

    SHA1

    9b7c5a59b56c7b6f47a407de6b7af621450b3a63

    SHA256

    531c3de4d5ea9ded038b36446749e53db1ef6330bfefa40c6a7a50aa61a2a20f

    SHA512

    3d4c97ae55eff2260365e9a16903a951ab43080109694787fa387c2df746a3150ede1aacc0741c556040278f6bcf4c7c8952c1a6e8a2364ec37a2033c88814b4

    Download Submit

  • /data/data/pefxyoqegqwtr.gzdpycagaibsukmbanztuxepele.pyiipzohcilxrfiiuxe/app_DynamicOptDex/FJmoZd.json
    Filesize

    1.9MB

    MD5

    11edc9b16beea04bea73ad0d60bb6088

    SHA1

    a65da654f252d6e4b2deca769410a56b07d06c60

    SHA256

    83b4999f7cef130c0c3d56a4a592a0e832b463c5553974eef6abf37c5b60e8da

    SHA512

    a48d2d24a359eeb0d18af1d7c4a15a6cca1d61596e01c9655693cb418f4740da01b760ab09cbdd387b5d37b378adcf381d0664e9d12cde93a14558764571de82

    Download Submit

  • /data/data/pefxyoqegqwtr.gzdpycagaibsukmbanztuxepele.pyiipzohcilxrfiiuxe/app_DynamicOptDex/oat/FJmoZd.json.cur.prof
    Filesize

    439B

    MD5

    2546e7ccaaf6ddf5f0e14c3a92931bb7

    SHA1

    1f193c20801d6d48d7906b5eb7deae9043d5db7c

    SHA256

    5f97251eca0e8074b1cdebf1200fb86227a9cd1f719d23faf12fe641bb28c7a5

    SHA512

    81c4941394159ffae7ee347ef37994d6b2df7c95c3ca1214db485df890a59821a49b7b0c72435542c4b8553f6013621a5ed8aecf458936f5a3c7a8b6993d25ba

    Download Submit

  • /data/user/0/pefxyoqegqwtr.gzdpycagaibsukmbanztuxepele.pyiipzohcilxrfiiuxe/app_DynamicOptDex/FJmoZd.json
    Filesize

    1.9MB

    MD5

    e2b8bf9ee6e7961358633252bb93c821

    SHA1

    dbde45c2eab3b1e4e73874c2a8eca141b5882ab8

    SHA256

    24ad3e9cb9726be8ed5bdf1851f19c9de28c8adeedc056cf5d5ef3cb4ccc040c

    SHA512

    6c121d9b6a68f9cb3f1c5776c34be1bc0bf1184aa4753d8d0093e7f942a80fe0f587defa3a1e844f00c1d6a3409198d720cb4699235377398e57eee047826918

    Download Submit