1f304e6a90279802b9a66cb4a42ddce4d78992e5d3443b3ad3b04b149e7a1f61

General

Target

2b6d075d13eab66acdb33bf56ec97de7_JaffaCakes118.apk
Size

8.7MB
MD5

2b6d075d13eab66acdb33bf56ec97de7
SHA1

904a14ca6111a30ec2d60de56248a0ad01a9ec3f
SHA256

1f304e6a90279802b9a66cb4a42ddce4d78992e5d3443b3ad3b04b149e7a1f61
SHA512

ab0b77bfe6bcffd0aba8d26a35327fc5c3f4a6c5d918a3a0f7846a03d9181e3ee963d2eb5c460dbd363cbb6123b9bd54af6d7666ef3fc61cd92b338d10881e97
SSDEEP

196608:ixnK5fwnmMoY5Or5MaTnxyNa4+BrsrwJ45/J9gYBM3/zbIF30YB62+wG+:ponm8OrxTx7RBrs8JYh9gYa/zbIF30fi

Score

7^/10

discovery evasion impact persistence

Malware Config

Signatures

Loads dropped Dex/Jar 1 TTPs 5 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/data/imymobi.com.myapplication/mix.dex	4252	imymobi.com.myapplication
/data/data/imymobi.com.myapplication/mix.dex	4353	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/data/imymobi.com.myapplication/mix.dex --output-vdex-fd=56 --oat-fd=57 --oat-location=/data/data/imymobi.com.myapplication/oat/x86/mix.odex --compiler-filter=quicken --class-loader-context=&
/data/data/imymobi.com.myapplication/mix.dex	4252	imymobi.com.myapplication
/data/data/imymobi.com.myapplication/mix.dex	4588	imymobi.com.myapplication:mult
/data/data/imymobi.com.myapplication/mix.dex	4588	imymobi.com.myapplication:mult

Queries information about running processes on the device 1 TTPs 2 IoCs

Application may abuse the framework's APIs to collect information about running processes on the device.

discovery

Process Discovery

T1424

description	ioc	Process
Framework service call	android.app.IActivityManager.getRunningAppProcesses	imymobi.com.myapplication
Framework service call	android.app.IActivityManager.getRunningAppProcesses	imymobi.com.myapplication:mult

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 3 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	imymobi.com.myapplication:mult
Framework service call	android.app.IActivityManager.registerReceiver	imymobi.com.myapplication:mult
Framework service call	android.app.IActivityManager.registerReceiver	imymobi.com.myapplication

Checks if the internet connection is available 1 TTPs 2 IoCs

discovery

System Network Connections Discovery

T1421

description	ioc	Process
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	imymobi.com.myapplication
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	imymobi.com.myapplication:mult

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 2 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	imymobi.com.myapplication
Framework API call	javax.crypto.Cipher.doFinal	imymobi.com.myapplication:mult

imymobi.com.myapplication
1⤵
- Loads dropped Dex/Jar
- Queries information about running processes on the device
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Checks if the internet connection is available
- Uses Crypto APIs (Might try to encrypt user data)
PID:4252
- sh -c getprop ro.yunos.version
  2⤵
  PID:4328
- getprop ro.yunos.version
  2⤵
  PID:4328
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/data/imymobi.com.myapplication/mix.dex --output-vdex-fd=56 --oat-fd=57 --oat-location=/data/data/imymobi.com.myapplication/oat/x86/mix.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4353

imymobi.com.myapplication:mult
1⤵
- Registers a broadcast receiver at runtime (usually for listening for system events)
PID:4387

imymobi.com.myapplication:mult
1⤵
- Loads dropped Dex/Jar
- Queries information about running processes on the device
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Checks if the internet connection is available
- Uses Crypto APIs (Might try to encrypt user data)
PID:4588
- /system/bin/sh -c getprop ro.miui.ui.version.name
  2⤵
  PID:4634
- sh -c getprop ro.yunos.version
  2⤵
  PID:4654
- getprop ro.miui.ui.version.name
  2⤵
  PID:4634
- getprop ro.yunos.version
  2⤵
  PID:4654
- /system/bin/sh -c getprop ro.build.version.emui
  2⤵
  PID:4685
- getprop ro.build.version.emui
  2⤵
  PID:4685
- /system/bin/sh -c getprop ro.lenovo.series
  2⤵
  PID:4758
- cat /sys/class/net/wlan0/address
  2⤵
  PID:4785
- getprop ro.lenovo.series
  2⤵
  PID:4758

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

1

T1624

Broadcast Receivers

1

T1624.001

Privilege Escalation

Defense Evasion

Download New Code at Runtime

1

T1407

Credential Access

Discovery

Process Discovery

1

T1424

System Network Connections Discovery

1

T1421

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

1

T1471

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/imymobi.com.myapplication/databases/bugly_db_legu

Filesize
4KB

MD5
f2b4b0190b9f384ca885f0c8c9b14700

SHA1
934ff2646757b5b6e7f20f6a0aa76c7f995d9361

SHA256
0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

SHA512
ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

Download Submit
/data/data/imymobi.com.myapplication/databases/bugly_db_legu-journal

Filesize
148KB

MD5
801071564d3a9453346040d6bfc9443f

SHA1
58b01b95ba93b9f25c31d2c158dae10353101fa6

SHA256
7660bad2e7da51e520d525c280a02470aeb18b6274068ad8563a5c48f8320605

SHA512
33028a19419ac8e9414d97ee63cd6a2e5a166964ef1af3f251a9ad211f28888c751f6e9fbf968ad1cc3f48160af1fd8d2325b645dad240cba535b3f0cb89890f

Download Submit
/data/data/imymobi.com.myapplication/databases/bugly_db_legu-shm

Filesize
28KB

MD5
cf845a781c107ec1346e849c9dd1b7e8

SHA1
b44ccc7f7d519352422e59ee8b0bdbac881768a7

SHA256
18619b678a5c207a971a0aa931604f48162e307c57ecdec450d5f095fe9f32c7

SHA512
4802861ea06dc7fb85229a3c8f04e707a084f1ba516510c6f269821b33c8ee4ebf495258fe5bee4850668a5aac1a45f0edf51580da13b7ee160a29d067c67612

Download Submit
/data/data/imymobi.com.myapplication/databases/bugly_db_legu-wal

Filesize
92KB

MD5
ae5fde4e3aaeb32bd92454d9144897a3

SHA1
3ce49d5fed815103a9e64463fe5305f1fcda225f

SHA256
4247ba45612ee7fe6e3a765d3f81974d41114611199d89022b32189ebbc0f714

SHA512
103a7eff3dbe8341a6dff3614aae5b86feae012d8c35e2aed0216d3c74ddd715fd78cad9dc1b50f87f3d922e8967a5e63bbcc8a8416cde64f82c20f9a0d31e13

Download Submit
/data/data/imymobi.com.myapplication/mix.dex

Filesize
292B

MD5
63f77f99bd2c2b772a479923bde11974

SHA1
c7632e7d301e4463fafce85f84e9c3d7da3fdbbe

SHA256
4c76a3af64cdd2f8713ffe2733dea50dbe714d0ca41c17d1847ee5b62a7ca615

SHA512
3aae4a89d1ed51fdd911cb367eb10afe3c2264e4222085891b18a60d5412f85d10bf5c8f3c6642db70abb9aa42732bac5c42c42ee32d587100f53c21b5beb16c

Download Submit
/storage/emulated/0/.mn_410185822

Filesize
82B

MD5
e8be01a3d651b9f955cbb28d7fe2f623

SHA1
04010f8b539c2e98c8d7b7752e9879547aa9dc0f

SHA256
97f36bba6fac1a853fc47a62ed426b46325a58a209d20a7c232641ffba4e44f4

SHA512
19eb61bf037bcc667e6a19773beee13011faffc9a5f8efffebddeb5e27e017bc47f26e143de5e9f471668bdd9eb445fb85afda410b065f0d3ae323169ba4b34f

Download Submit
/storage/emulated/0/Android/data/.mn_410185822

Filesize
82B

MD5
6f2bb94fa74d4f34fb3587bef00bef92

SHA1
a3e3447cb0f5aeb8456a045345fb82e9d37c45f5

SHA256
5166306efcef49f0a934dc29167fe216faa65d3f045cecfb621b561eaf89605d

SHA512
725c26e708911644d5e2cf9af04c46996b2456c5adc293146223e6352950d5768bd9cd5d792c3019d84fb59b8084b003eb49dd83862d146fac6184266335afb9

Download Submit
/storage/emulated/0/Mob/comm/.di

Filesize
57B

MD5
70a42cba408700f9a6c01c7941a8829e

SHA1
eab01cc2c0671538795fb0b1146017dc099d0984

SHA256
499576707ce2623293166979e59c832be5b8636c64ad39aa63ebcf961910c35f

SHA512
8900d4dc8eed0430babbacb72942401bd22ef7fe5430cad90d3ce0c2c53010220d666aa0e2eb1026f3ec81d574c7fa12585b49222a5f15b01637f6ba134fe70c

Download Submit

Analysis

Sharing