Analysis

  • max time kernel
    122s
  • max time network
    193s
  • platform
    android_x64
  • resource
    android-x64-20240514-en
  • resource tags

    android, arch:x64, arch:x86, image:android-x64-20240514-en, locale:en-us, os:android-10-x64, system
  • submitted
    17/05/2024, 15:16

General

  • Target

    502956d43c093218bd35b3cd6e6a933e_JaffaCakes118.apk

  • Size

    16.5MB

  • MD5

    502956d43c093218bd35b3cd6e6a933e

  • SHA1

    38c7108287d17c8938b7b94ede4aa64f5e408f16

  • SHA256

    9c93f65607c03961c02682c00844000fa4d7ce93b0458188622604ef2bbd92d9

  • SHA512

    a87ba15178719a14a70a68163c8024cff143d251e45b8583ef98383409057d87c5d58159c59479d3b46276d69c826d6549b84f36fc23b5a8f8b585a2ce41d360

  • SSDEEP

    393216:r6k/ZYtJHTLtrQdfYdXRHSxvVqFEQZFsMosGF8Ll3kEmot:ekBYrHTLVcfYdVxFsatRt

Malware Config

Signatures

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Requests cell location 2 TTPs 1 IoCs

    Uses Android APIs to get the current cell location.

  • Checks CPU information 2 TTPs 1 IoCs

    Checks CPU information, which can indicate whether the system is an emulator.

  • Queries information about running processes on the device 1 TTPs 2 IoCs

    Application may abuse the framework's APIs to collect information about running processes on the device.

  • Queries information about the current Wi-Fi connection 1 TTPs 2 IoCs

    Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

  • Queries information about the current nearby Wi-Fi networks 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about the current nearby Wi-Fi networks.

  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
  • Checks if the internet connection is available 1 TTPs 1 IoCs
  • Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
  • Reads information about the phone network operator 1 TTPs
  • Listens for changes in the sensor environment (might be used to detect emulation) 1 TTPs 1 IoCs
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

Processes

  • com.cronlygames.hanzi
    1⤵
    • Queries information about running processes on the device
    • Queries information about the current Wi-Fi connection
    PID:5250
  • com.cronlygames.hanzi:remote
    1⤵
    • Requests cell location
    • Checks CPU information
    • Queries information about running processes on the device
    • Queries information about the current Wi-Fi connection
    • Queries information about the current nearby Wi-Fi networks
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Checks if the internet connection is available
    • Listens for changes in the sensor environment (might be used to detect emulation)
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:6053

Network

MITRE ATT&CK Mobile v15


Downloads

  • /storage/emulated/0/.DataStorage/ContextData.xml
    Filesize: 111B
    MD5: 7172aa8fde54d6d710bb1158db818c85
    SHA1: 072f2bb1f5d3335a93d21a0b05de6d73c9d0b556
    SHA256: cbcf6cd8c9408033d069d6c31e0168397a50f7318c59ec7ec82035ac52f21c35
    SHA512: 1760e29ad7ccebb6a143c3702f45edfa6fc5d260b15d7a2b8c351fa14cd0916f77b6f6d4e8cd7b4b16b8c38375d1ccc35a37fb655a0b30aec95f7f3355a7c2d3

  • /storage/emulated/0/.UTSystemConfig/Global/Alvin2.xml
    Filesize: 408B
    MD5: 72190d0555fd739c53e8ac8cf4c32398
    SHA1: f924f75eeed8e6f6ba39a578a7fd9550022c24e4
    SHA256: 16d1227f4456e4ffed1ca31d934d4e136cb74fc2092cb838cb32c78153e59151
    SHA512: 4167fa87b735798d73434027ab4984bab0c7aa6f3562f240ee19af5f32f24f011a532aff874f645575ce5650ee62be3cb5336f98007024cbeecbd90581249472

  • /storage/emulated/0/.UTSystemConfig/Global/Alvin2.xml
    Filesize: 408B
    MD5: 629efbb0788ab9701b0762a664e1e0bc
    SHA1: ed3bc6c215f225bee08238eeb26169afcac6a077
    SHA256: 2ed849b5c35304a485da14ad130633b4e4f8541d0c906a2fd62e95f041a70d32
    SHA512: b489a9cd9fb6da78b2519a801014b0caa5a286426395c91ea26f5489d1783852b0e840040cf27e0f8c4888f1fb51f44fc46b9fda9525e45a861f20626b1b3a82

  • /storage/emulated/0/baidu/tempdata/ls.db
    Filesize: 28KB
    MD5: 2cd47ada17ad7a4e3d5e2717cb2762c6
    SHA1: 7cb844672cec4a3bce75c8cf81e80e8ad7cc49e5
    SHA256: 5f266f7cf5a44a3cfcc9bfbba94735081851edc224cb071fa6e650227e214279
    SHA512: c25229cca649bc8ef54c0770a976034801c0a300d181c107c41879d7f6b7056c6282210c98661428078381032dc6fb0872112dde7e8efb1a9f9b333877f18dae

  • /storage/emulated/0/baidu/tempdata/ls.db-journal
    Filesize: 8KB
    MD5: 0e64c49a1d3a662b8b5429429477dfac
    SHA1: 32f5cdf452271173671fd5366693aab1484b122d
    SHA256: 80cc44d4741c37c8655badd6c2f0391219f463849e7ae2fe7c1d6f76414b05d4
    SHA512: 9804b348862dd970264eac9e465eba6ace9ddcde07dda14ada26252a16cbbdb4fc9a3081059f0247115fc56d0b262aef296581d3e3412151634c474ac161d4c2

  • /storage/emulated/0/baidu/tempdata/ls.db-journal
    Filesize: 4KB
    MD5: 6b5cf7d86689048102904198e294b187
    SHA1: 01dc724b220415b3d6a67e82b1ae0f3e2ba6654b
    SHA256: fc410250582bbec34284db36adf0cdf3f6b512f4478175ab8a0b94ed438850a6
    SHA512: 7b75ab313000d0425853ab34f595935744f742ae592ba6c188ad590e67bd788d6a03b1c3e8e9707f1f47ac097b2a4df7c7c13886934cfe4af7366bfd37940c26

  • /storage/emulated/0/baidu/tempdata/ls.db-journal
    Filesize: 512B
    MD5: 2472da640eb6780cb015bcc38a3e50a7
    SHA1: 766548232eace7b743b1594a872dca68c28e773e
    SHA256: 1fd40b28966ddafeead81b117c6174f469a5bc70ed27f67286d58a9ce68ef06b
    SHA512: 3fa68b311cd341204c234e4699369ea20ab6af970b93d9da77793c27704a00559ecc4ced56100be249d9db1c689ae735c0bb59a0ce2aa4c711c25f00cef81644

  • /storage/emulated/0/baidu/tempdata/ls.db-journal
    Filesize: 8KB
    MD5: 7f9f62cc98beae86ae6383e11a345c6a
    SHA1: 44cde701dc08ec8498ab459dbf5367b1d201d8dc
    SHA256: 2df7c983c461569507b015feddcd6426e86ed8c6ad0b52211746c34b4296993d
    SHA512: ac8c4f555037ebf0663c2e197528e3f7e20bf8b98efb8e20e666d55fd75f23e0a0c682ef0ee3425d6ef5c593bec0d4c0dc7bad79b434ddbdd71b7585445817ff

  • /storage/emulated/0/baidu/tempdata/ls.db-journal
    Filesize: 8KB
    MD5: 820ae4ec57c689ff31bb32f968f6ba9d
    SHA1: a750b20b4938880c6c80ce0853052f0abea1521e
    SHA256: 2a5b5bfcdd4070cd17853c50d7035321517fd730674b962f84428631e47a9a82
    SHA512: 36ffa710af37eb00381ce293c715e05d0ef8521b0a164b1297eccf3b5d9f56635a3910e71a33ff6de533d0db4b3df247cee8f257fcb854a51fd1e4c4f8a89224