Analysis
max time kernel: 167s
max time network: 182s
platform: android_x86
resource: android-x86-arm-20240514-en
resource tags: android, arch:arm, arch:x86, image:android-x86-arm-20240514-en, locale:en-us, os:android-9-x86, system
submitted: 17/05/2024, 15:43
Static task: static1
Behavioral task: behavioral1
Sample: 503cebbbec920e1e7c2b6b9629963fe8_JaffaCakes118.apk
Resource: android-x86-arm-20240514-en
General
Target: 503cebbbec920e1e7c2b6b9629963fe8_JaffaCakes118.apk
Size: 19.7MB
MD5: 503cebbbec920e1e7c2b6b9629963fe8
SHA1: 4cf2990698331351c1fdf52878fea7ca7128d663
SHA256: 52f42759b12eadd13a2c13e3b3746a1faed3c8a5eb1cd5079e3bc4fc37dfd7e4
SHA512: fefac369e49a3c15d305b78b14fed2a02a113aebffc8e71113cbf164b478d7750d79fb2cc3810036d8988189e88f87dc9c1b34f87550aad44745f26698362f35
SSDEEP: 393216:VnWRr+NQRdQJiNvwvw8F5LWZhMvwvwDyCzQaG7gxCKVSWxhpxn0JkgaOi7Q:VorSM+iNvwvw8F5LchMvwvw2CzQaPFD6
Malware Config
Signatures
Checks if the Android device is rooted. (1 TTPs, 4 IoCs)
  ioc | Process
  /system/app/Superuser.apk | com.jingdong.pdj
  /sbin/su | /system/bin/sh -c type su
  /system/bin/su | com.jingdong.pdj
  /system/xbin/su | com.jingdong.pdj
Requests cell location (2 TTPs, 2 IoCs)
Uses Android APIs to get the current cell location.
  description | ioc | Process
  Framework service call | com.android.internal.telephony.ITelephony.getCellLocation | com.jingdong.pdj:guard
  Framework service call | com.android.internal.telephony.ITelephony.getCellLocation | com.jingdong.pdj
Checks CPU information (2 TTPs, 1 IoCs)
Checks CPU information, which indicates whether the system is an emulator.
  description | ioc | Process
  File opened for read | /proc/cpuinfo | com.jingdong.pdj
Checks memory information (2 TTPs, 1 IoCs)
Checks memory information, which indicates whether the system is an emulator.
  description | ioc | Process
  File opened for read | /proc/meminfo | com.jingdong.pdj
Loads dropped Dex/Jar (1 TTPs, 5 IoCs)
Runs executable file dropped to the device during analysis.
  ioc | pid | Process
  /data/user/0/com.jingdong.pdj/files/hotfix/rocoo_0.dex | 4323 | com.jingdong.pdj:guard
  /data/user/0/com.jingdong.pdj/files/hotfix/rocoo_0.dex | 4351 | /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.jingdong.pdj/files/hotfix/rocoo_0.dex --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/com.jingdong.pdj/files/hotfix/oat/x86/rocoo_0.odex --compiler-filter=quicken --class-loader-context=&
  /data/user/0/com.jingdong.pdj/files/hotfix/rocoo_0.dex | 4323 | com.jingdong.pdj:guard
  /data/user/0/com.jingdong.pdj/files/hotfix/rocoo_0.dex | 4474 | com.jingdong.pdj
  /data/user/0/com.jingdong.pdj/files/hotfix/rocoo_0.dex | 4474 | com.jingdong.pdj
Queries information about running processes on the device (1 TTPs, 2 IoCs)
Application may abuse the framework's APIs to collect information about running processes on the device.
  description | ioc | Process
  Framework service call | android.app.IActivityManager.getRunningAppProcesses | com.jingdong.pdj:guard
  Framework service call | android.app.IActivityManager.getRunningAppProcesses | com.jingdong.pdj
Queries information about the current Wi-Fi connection (1 TTPs, 2 IoCs)
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
  description | ioc | Process
  Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | com.jingdong.pdj:guard
  Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | com.jingdong.pdj
Queries information about the current nearby Wi-Fi networks (1 TTPs, 2 IoCs)
Application may abuse the framework's APIs to collect information about the current nearby Wi-Fi networks.
  description | ioc | Process
  Framework service call | android.net.wifi.IWifiManager.getScanResults | com.jingdong.pdj
  Framework service call | android.net.wifi.IWifiManager.getScanResults | com.jingdong.pdj:guard
Queries the phone number (MSISDN for GSM devices) (1 TTPs)
Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTPs, 2 IoCs)
  description | ioc | Process
  Framework service call | android.app.IActivityManager.registerReceiver | com.jingdong.pdj
  Framework service call | android.app.IActivityManager.registerReceiver | com.jingdong.pdj:guard
Checks if the internet connection is available (1 TTPs, 2 IoCs)
  description | ioc | Process
  Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | com.jingdong.pdj:guard
  Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | com.jingdong.pdj
Reads information about phone network operator. (1 TTPs)
Uses Crypto APIs (Might try to encrypt user data) (1 TTPs, 1 IoCs)
  description | ioc | Process
  Framework API call | javax.crypto.Cipher.doFinal | com.jingdong.pdj:guard
Processes
com.jingdong.pdj:guard (PID:4323)
  - Requests cell location
  - Loads dropped Dex/Jar
  - Queries information about running processes on the device
  - Queries information about the current Wi-Fi connection
  - Queries information about the current nearby Wi-Fi networks
  - Registers a broadcast receiver at runtime (usually for listening for system events)
  - Checks if the internet connection is available
  - Uses Crypto APIs (Might try to encrypt user data)
  /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.jingdong.pdj/files/hotfix/rocoo_0.dex --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/com.jingdong.pdj/files/hotfix/oat/x86/rocoo_0.odex --compiler-filter=quicken --class-loader-context=& (PID:4351)
    - Loads dropped Dex/Jar
com.jingdong.pdj (PID:4474)
  - Checks if the Android device is rooted.
  - Requests cell location
  - Checks CPU information
  - Checks memory information
  - Loads dropped Dex/Jar
  - Queries information about running processes on the device
  - Queries information about the current Wi-Fi connection
  - Queries information about the current nearby Wi-Fi networks
  - Registers a broadcast receiver at runtime (usually for listening for system events)
  - Checks if the internet connection is available
  /system/bin/sh -c getprop ro.board.platform (PID:4505)
  getprop ro.board.platform (PID:4505)
  rm -rf /storage/emulated/0/log/ (PID:4535)
  /system/bin/sh -c type su (PID:4564)
    - Checks if the Android device is rooted.
  /system/bin/sh -c getprop ro.miui.ui.version.name (PID:4593)
  getprop ro.miui.ui.version.name (PID:4593)
  /system/bin/cat /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq (PID:4631)
  /system/bin/cat /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_min_freq (PID:4650)
Network
MITRE ATT&CK Mobile v15
Defense Evasion
  Download New Code at Runtime (1)
  Execution Guardrails (1)
  Geofencing (1)
  Virtualization/Sandbox Evasion (2)
  System Checks (2)
Downloads