Analysis
Max time kernel: 115s
Max time network: 146s
Platform: android_x86
Resource: android-x86-arm-20240221-en
Resource tags: android, arch:arm, arch:x86, image:android-x86-arm-20240221-en, locale:en-us, os:android-9-x86, system
Submitted: 03/05/2024, 07:56
Static task: static1
Behavioral task: behavioral1
  Sample: 1007c2561c3bef9d7ec27365e550dff5_JaffaCakes118.apk
  Resource: android-x86-arm-20240221-en
Behavioral task: behavioral2
  Sample: 1007c2561c3bef9d7ec27365e550dff5_JaffaCakes118.apk
  Resource: android-x64-20240221-en
Behavioral task: behavioral3
  Sample: 1007c2561c3bef9d7ec27365e550dff5_JaffaCakes118.apk
  Resource: android-x64-arm64-20240221-en
General
Target: 1007c2561c3bef9d7ec27365e550dff5_JaffaCakes118.apk
Size: 2.7MB
MD5: 1007c2561c3bef9d7ec27365e550dff5
SHA1: 01354f7af002d4aa22106d378b838a0e3d51e47f
SHA256: 86c8a6b7589dee4accf3561f75ab61e0414c68a3fbc9b5d827bfd8d297007e15
SHA512: a9120d6354b7831bed18e9c028fedf916964e1c21a7d939eec6400645ae8ba7cd16a3553f8984351873236319fcc7b803f152aa16f1f97a2ae517c561d4db98a
SSDEEP: 49152:sDswxLJF48ZBj6ZIx9mxuYZWaY33Xwosx8nbCt46kQjOVRzXjh/x1DWQJT4dtMq:sD9ZXjhbaY33AoFmB6VRzXfPBOf
Malware Config
Signatures

Makes use of the framework's Accessibility service (4 TTPs, 3 IoCs)
Retrieves information displayed on the phone screen using AccessibilityService.
  Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId (process: pefxyoqegqwtr.gzdpycagaibsukmbanztuxepele.pyiipzohcilxrfiiuxe)
  Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId (process: pefxyoqegqwtr.gzdpycagaibsukmbanztuxepele.pyiipzohcilxrfiiuxe)
  Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText (process: pefxyoqegqwtr.gzdpycagaibsukmbanztuxepele.pyiipzohcilxrfiiuxe)

Prevents application removal (1 TTP, 1 IoC)
Application may abuse the framework's APIs to prevent removal.
  Framework service call android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction (process: pefxyoqegqwtr.gzdpycagaibsukmbanztuxepele.pyiipzohcilxrfiiuxe)

Removes its main activity from the application launcher
  PID 4270 (process: pefxyoqegqwtr.gzdpycagaibsukmbanztuxepele.pyiipzohcilxrfiiuxe)

Requests accessing notifications (often used to intercept notifications before users become aware) (1 TTP, 1 IoC)
  Intent action android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS (process: pefxyoqegqwtr.gzdpycagaibsukmbanztuxepele.pyiipzohcilxrfiiuxe)

Loads dropped Dex/Jar (1 TTP, 3 IoCs)
Runs executable file dropped to the device during analysis.
  /data/user/0/pefxyoqegqwtr.gzdpycagaibsukmbanztuxepele.pyiipzohcilxrfiiuxe/app_DynamicOptDex/FJmoZd.json (PID 4270, process: pefxyoqegqwtr.gzdpycagaibsukmbanztuxepele.pyiipzohcilxrfiiuxe)
  /data/user/0/pefxyoqegqwtr.gzdpycagaibsukmbanztuxepele.pyiipzohcilxrfiiuxe/app_DynamicOptDex/FJmoZd.json (PID 4297, process: /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/pefxyoqegqwtr.gzdpycagaibsukmbanztuxepele.pyiipzohcilxrfiiuxe/app_DynamicOptDex/FJmoZd.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/pefxyoqegqwtr.gzdpycagaibsukmbanztuxepele.pyiipzohcilxrfiiuxe/app_DynamicOptDex/oat/x86/FJmoZd.odex --compiler-filter=quicken --class-loader-context=&)
  /data/user/0/pefxyoqegqwtr.gzdpycagaibsukmbanztuxepele.pyiipzohcilxrfiiuxe/app_DynamicOptDex/FJmoZd.json (PID 4270, process: pefxyoqegqwtr.gzdpycagaibsukmbanztuxepele.pyiipzohcilxrfiiuxe)

Makes use of the framework's foreground persistence service (1 TTP, 1 IoC)
Application may abuse the framework's foreground service to continue running in the foreground.
  Framework service call android.app.IActivityManager.setServiceForeground (process: pefxyoqegqwtr.gzdpycagaibsukmbanztuxepele.pyiipzohcilxrfiiuxe)

Queries the mobile country code (MCC) (1 TTP, 1 IoC)
  Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone (process: pefxyoqegqwtr.gzdpycagaibsukmbanztuxepele.pyiipzohcilxrfiiuxe)

Queries the phone number (MSISDN for GSM devices) (1 TTP)

Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTP, 1 IoC)
  Framework service call android.app.IActivityManager.registerReceiver (process: pefxyoqegqwtr.gzdpycagaibsukmbanztuxepele.pyiipzohcilxrfiiuxe)

Requests enabling of the accessibility settings (1 IoC)
  Intent action android.settings.ACCESSIBILITY_SETTINGS (process: pefxyoqegqwtr.gzdpycagaibsukmbanztuxepele.pyiipzohcilxrfiiuxe)

Acquires the wake lock (1 IoC)
  Framework service call android.os.IPowerManager.acquireWakeLock (process: pefxyoqegqwtr.gzdpycagaibsukmbanztuxepele.pyiipzohcilxrfiiuxe)

Checks if the internet connection is available (1 TTP, 1 IoC)
  Framework service call android.net.IConnectivityManager.getActiveNetworkInfo (process: pefxyoqegqwtr.gzdpycagaibsukmbanztuxepele.pyiipzohcilxrfiiuxe)

Requests disabling of battery optimizations (often used to enable hiding in the background) (1 TTP, 1 IoC)
  Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS (process: pefxyoqegqwtr.gzdpycagaibsukmbanztuxepele.pyiipzohcilxrfiiuxe)

Schedules tasks to execute at a specified time (1 TTP, 1 IoC)
Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
  Framework service call android.app.job.IJobScheduler.schedule (process: pefxyoqegqwtr.gzdpycagaibsukmbanztuxepele.pyiipzohcilxrfiiuxe)

Listens for changes in the sensor environment (might be used to detect emulation) (1 TTP, 1 IoC)
  Framework API call android.hardware.SensorManager.registerListener (process: pefxyoqegqwtr.gzdpycagaibsukmbanztuxepele.pyiipzohcilxrfiiuxe)
Processes

pefxyoqegqwtr.gzdpycagaibsukmbanztuxepele.pyiipzohcilxrfiiuxe (PID 4270)
  - Makes use of the framework's Accessibility service
  - Prevents application removal
  - Removes its main activity from the application launcher
  - Requests accessing notifications (often used to intercept notifications before users become aware)
  - Loads dropped Dex/Jar
  - Makes use of the framework's foreground persistence service
  - Queries the mobile country code (MCC)
  - Registers a broadcast receiver at runtime (usually for listening for system events)
  - Requests enabling of the accessibility settings
  - Acquires the wake lock
  - Checks if the internet connection is available
  - Requests disabling of battery optimizations (often used to enable hiding in the background)
  - Schedules tasks to execute at a specified time
  - Listens for changes in the sensor environment (might be used to detect emulation)

  Child process: /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/pefxyoqegqwtr.gzdpycagaibsukmbanztuxepele.pyiipzohcilxrfiiuxe/app_DynamicOptDex/FJmoZd.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/pefxyoqegqwtr.gzdpycagaibsukmbanztuxepele.pyiipzohcilxrfiiuxe/app_DynamicOptDex/oat/x86/FJmoZd.odex --compiler-filter=quicken --class-loader-context=& (PID 4297)
    - Loads dropped Dex/Jar
Network
MITRE ATT&CK Mobile v15

Persistence
  Event Triggered Execution (1)
    Broadcast Receivers (1)
  Foreground Persistence (1)
  Scheduled Task/Job (1)

Defense Evasion
  Download New Code at Runtime (1)
  Foreground Persistence (1)
  Hide Artifacts (3)
    Suppress Application Icon (1)
    User Evasion (2)
  Impair Defenses (1)
    Prevent Application Removal (1)
  Input Injection (1)

Credential Access
  Access Notifications (1)
  Input Capture (2)
    GUI Input Capture (1)
    Keylogging (1)
Downloads

- /data/data/pefxyoqegqwtr.gzdpycagaibsukmbanztuxepele.pyiipzohcilxrfiiuxe/app_DynamicOptDex/FJmoZd.json
  Filesize: 1.9MB
  MD5: b9bca0f72d45a3a7e1aff9e60d1abbec
  SHA1: 9b7c5a59b56c7b6f47a407de6b7af621450b3a63
  SHA256: 531c3de4d5ea9ded038b36446749e53db1ef6330bfefa40c6a7a50aa61a2a20f
  SHA512: 3d4c97ae55eff2260365e9a16903a951ab43080109694787fa387c2df746a3150ede1aacc0741c556040278f6bcf4c7c8952c1a6e8a2364ec37a2033c88814b4

- /data/data/pefxyoqegqwtr.gzdpycagaibsukmbanztuxepele.pyiipzohcilxrfiiuxe/app_DynamicOptDex/FJmoZd.json
  Filesize: 1.9MB
  MD5: 11edc9b16beea04bea73ad0d60bb6088
  SHA1: a65da654f252d6e4b2deca769410a56b07d06c60
  SHA256: 83b4999f7cef130c0c3d56a4a592a0e832b463c5553974eef6abf37c5b60e8da
  SHA512: a48d2d24a359eeb0d18af1d7c4a15a6cca1d61596e01c9655693cb418f4740da01b760ab09cbdd387b5d37b378adcf381d0664e9d12cde93a14558764571de82

- /data/data/pefxyoqegqwtr.gzdpycagaibsukmbanztuxepele.pyiipzohcilxrfiiuxe/app_DynamicOptDex/oat/FJmoZd.json.cur.prof
  Filesize: 439B
  MD5: 2546e7ccaaf6ddf5f0e14c3a92931bb7
  SHA1: 1f193c20801d6d48d7906b5eb7deae9043d5db7c
  SHA256: 5f97251eca0e8074b1cdebf1200fb86227a9cd1f719d23faf12fe641bb28c7a5
  SHA512: 81c4941394159ffae7ee347ef37994d6b2df7c95c3ca1214db485df890a59821a49b7b0c72435542c4b8553f6013621a5ed8aecf458936f5a3c7a8b6993d25ba

- /data/user/0/pefxyoqegqwtr.gzdpycagaibsukmbanztuxepele.pyiipzohcilxrfiiuxe/app_DynamicOptDex/FJmoZd.json
  Filesize: 1.9MB
  MD5: e2b8bf9ee6e7961358633252bb93c821
  SHA1: dbde45c2eab3b1e4e73874c2a8eca141b5882ab8
  SHA256: 24ad3e9cb9726be8ed5bdf1851f19c9de28c8adeedc056cf5d5ef3cb4ccc040c
  SHA512: 6c121d9b6a68f9cb3f1c5776c34be1bc0bf1184aa4753d8d0093e7f942a80fe0f587defa3a1e844f00c1d6a3409198d720cb4699235377398e57eee047826918