Analysis
Max time kernel: 38s
Max time network: 142s
Platform: android_x64
Resource: android-x64-arm64-20240221-en
Resource tags: android, arch:arm, arch:arm64, arch:x64, arch:x86, image:android-x64-arm64-20240221-en, locale:en-us, os:android-11-x64, system
Submitted: 03/05/2024, 07:56
Static task: static1

Behavioral task: behavioral1
- Sample: 1007c2561c3bef9d7ec27365e550dff5_JaffaCakes118.apk
- Resource: android-x86-arm-20240221-en

Behavioral task: behavioral2
- Sample: 1007c2561c3bef9d7ec27365e550dff5_JaffaCakes118.apk
- Resource: android-x64-20240221-en

Behavioral task: behavioral3
- Sample: 1007c2561c3bef9d7ec27365e550dff5_JaffaCakes118.apk
- Resource: android-x64-arm64-20240221-en
General
Target: 1007c2561c3bef9d7ec27365e550dff5_JaffaCakes118.apk
Size: 2.7MB
MD5: 1007c2561c3bef9d7ec27365e550dff5
SHA1: 01354f7af002d4aa22106d378b838a0e3d51e47f
SHA256: 86c8a6b7589dee4accf3561f75ab61e0414c68a3fbc9b5d827bfd8d297007e15
SHA512: a9120d6354b7831bed18e9c028fedf916964e1c21a7d939eec6400645ae8ba7cd16a3553f8984351873236319fcc7b803f152aa16f1f97a2ae517c561d4db98a
SSDEEP: 49152:sDswxLJF48ZBj6ZIx9mxuYZWaY33Xwosx8nbCt46kQjOVRzXjh/x1DWQJT4dtMq:sD9ZXjhbaY33AoFmB6VRzXfPBOf
Malware Config
Signatures

Makes use of the framework's Accessibility service (4 TTPs, 3 IoCs)
Retrieves information displayed on the phone screen using AccessibilityService.
- Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId (process: pefxyoqegqwtr.gzdpycagaibsukmbanztuxepele.pyiipzohcilxrfiiuxe)
- Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText (process: pefxyoqegqwtr.gzdpycagaibsukmbanztuxepele.pyiipzohcilxrfiiuxe)
- Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId (process: pefxyoqegqwtr.gzdpycagaibsukmbanztuxepele.pyiipzohcilxrfiiuxe)

Prevents application removal (1 TTPs, 1 IoCs)
Application may abuse the framework's APIs to prevent removal.
- Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction (process: pefxyoqegqwtr.gzdpycagaibsukmbanztuxepele.pyiipzohcilxrfiiuxe)

Removes its main activity from the application launcher
- PID 4685, process: pefxyoqegqwtr.gzdpycagaibsukmbanztuxepele.pyiipzohcilxrfiiuxe

Requests accessing notifications (often used to intercept notifications before users become aware). (1 TTPs, 1 IoCs)
- Intent action: android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS (process: pefxyoqegqwtr.gzdpycagaibsukmbanztuxepele.pyiipzohcilxrfiiuxe)

Loads dropped Dex/Jar (1 TTPs, 4 IoCs)
Runs executable file dropped to the device during analysis.
- /data/user/0/pefxyoqegqwtr.gzdpycagaibsukmbanztuxepele.pyiipzohcilxrfiiuxe/app_DynamicOptDex/FJmoZd.json (PID 4685, process: pefxyoqegqwtr.gzdpycagaibsukmbanztuxepele.pyiipzohcilxrfiiuxe); the same entry is recorded four times

Makes use of the framework's foreground persistence service (1 TTPs, 1 IoCs)
Application may abuse the framework's foreground service to continue running in the foreground.
- Framework service call: android.app.IActivityManager.setServiceForeground (process: pefxyoqegqwtr.gzdpycagaibsukmbanztuxepele.pyiipzohcilxrfiiuxe)

Requests enabling of the accessibility settings. (1 IoCs)
- Intent action: android.settings.ACCESSIBILITY_SETTINGS (process: pefxyoqegqwtr.gzdpycagaibsukmbanztuxepele.pyiipzohcilxrfiiuxe)

Acquires the wake lock (1 IoCs)
- Framework service call: android.os.IPowerManager.acquireWakeLock (process: pefxyoqegqwtr.gzdpycagaibsukmbanztuxepele.pyiipzohcilxrfiiuxe)

Requests disabling of battery optimizations (often used to enable hiding in the background). (1 TTPs, 1 IoCs)
- Intent action: android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS (process: pefxyoqegqwtr.gzdpycagaibsukmbanztuxepele.pyiipzohcilxrfiiuxe)

Schedules tasks to execute at a specified time (1 TTPs, 1 IoCs)
Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
- Framework service call: android.app.job.IJobScheduler.schedule (process: pefxyoqegqwtr.gzdpycagaibsukmbanztuxepele.pyiipzohcilxrfiiuxe)

Listens for changes in the sensor environment (might be used to detect emulation) (1 TTPs, 1 IoCs)
- Framework API call: android.hardware.SensorManager.registerListener (process: pefxyoqegqwtr.gzdpycagaibsukmbanztuxepele.pyiipzohcilxrfiiuxe)
Processes

pefxyoqegqwtr.gzdpycagaibsukmbanztuxepele.pyiipzohcilxrfiiuxe (PID: 4685)
- Makes use of the framework's Accessibility service
- Prevents application removal
- Removes its main activity from the application launcher
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Loads dropped Dex/Jar
- Makes use of the framework's foreground persistence service
- Requests enabling of the accessibility settings.
- Acquires the wake lock
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Schedules tasks to execute at a specified time
- Listens for changes in the sensor environment (might be used to detect emulation)
Network
MITRE ATT&CK Mobile v15

Defense Evasion
- Download New Code at Runtime (1)
- Foreground Persistence (1)
- Hide Artifacts (3)
  - Suppress Application Icon (1)
  - User Evasion (2)
- Impair Defenses (1)
  - Prevent Application Removal (1)
- Input Injection (1)

Credential Access
- Access Notifications (1)
- Input Capture (2)
  - GUI Input Capture (1)
  - Keylogging (1)
Downloads
Two distinct files were recorded at the same path.

/data/user/0/pefxyoqegqwtr.gzdpycagaibsukmbanztuxepele.pyiipzohcilxrfiiuxe/app_DynamicOptDex/FJmoZd.json
- Filesize: 1.9MB
- MD5: b9bca0f72d45a3a7e1aff9e60d1abbec
- SHA1: 9b7c5a59b56c7b6f47a407de6b7af621450b3a63
- SHA256: 531c3de4d5ea9ded038b36446749e53db1ef6330bfefa40c6a7a50aa61a2a20f
- SHA512: 3d4c97ae55eff2260365e9a16903a951ab43080109694787fa387c2df746a3150ede1aacc0741c556040278f6bcf4c7c8952c1a6e8a2364ec37a2033c88814b4

/data/user/0/pefxyoqegqwtr.gzdpycagaibsukmbanztuxepele.pyiipzohcilxrfiiuxe/app_DynamicOptDex/FJmoZd.json
- Filesize: 1.9MB
- MD5: 11edc9b16beea04bea73ad0d60bb6088
- SHA1: a65da654f252d6e4b2deca769410a56b07d06c60
- SHA256: 83b4999f7cef130c0c3d56a4a592a0e832b463c5553974eef6abf37c5b60e8da
- SHA512: a48d2d24a359eeb0d18af1d7c4a15a6cca1d61596e01c9655693cb418f4740da01b760ab09cbdd387b5d37b378adcf381d0664e9d12cde93a14558764571de82