0764d827c03a76a82d8cd263c4cd78684247eb1f0d9d8d0599a4f1f18fb32b18

Analysis

max time kernel
3s
max time network
131s
platform
android_x86
resource
android-x86-arm-20240506-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20240506-enlocale:en-usos:android-9-x86system
submitted
14-05-2024 16:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

423275acf0ed96c26ed3d108fcf89644_JaffaCakes118.apk
Size

9.1MB
MD5

423275acf0ed96c26ed3d108fcf89644
SHA1

cc8a00f93f9fbe09da7ae1427379ea1e8ddbda1f
SHA256

0764d827c03a76a82d8cd263c4cd78684247eb1f0d9d8d0599a4f1f18fb32b18
SHA512

44c4694e4bc1d1655554deccd2dceff1bcb3baf1353398f6a711e76aea3b7061bd3d419e5c0808d691b3ddee805a6106d855689817c9aac14084537f71c2a1ce
SSDEEP

196608:3FhhHFAVUEF2WoQf37pI94BY3tkxilKyuVwi1rnodRccb+nQ+20v+dvKDsj29lzG:VzlAKkVdNAttGUuVn1rnoHccD+20YCD6

Score

7^/10

discovery evasion impact

Malware Config

Signatures

Loads dropped Dex/Jar 1 TTPs 2 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.baidu.zuowen/app_push_lib/plugin-deploy.jar	4327	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.baidu.zuowen/app_push_lib/plugin-deploy.jar --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.baidu.zuowen/app_push_lib/oat/x86/plugin-deploy.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/com.baidu.zuowen/app_push_lib/plugin-deploy.jar	4276	com.baidu.zuowen

Queries information about running processes on the device 1 TTPs 1 IoCs

Application may abuse the framework's APIs to collect information about running processes on the device.

discovery

Process Discovery

T1424

description	ioc	Process
Framework service call	android.app.IActivityManager.getRunningAppProcesses	com.baidu.zuowen

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.baidu.zuowen

com.baidu.zuowen
1⤵
- Loads dropped Dex/Jar
- Queries information about running processes on the device
- Uses Crypto APIs (Might try to encrypt user data)
PID:4276
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.baidu.zuowen/app_push_lib/plugin-deploy.jar --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.baidu.zuowen/app_push_lib/oat/x86/plugin-deploy.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4327

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Credential Access

Discovery

Process Discovery

T1424

Lateral Movement

Collection

Command and Control

Exfiltration

Impact