Analysis
max time kernel
175s
max time network
188s
platform
android_x86
resource
android-x86-arm-20240514-en
resource tags
android, arch:arm, arch:x86, image:android-x86-arm-20240514-en, locale:en-us, os:android-9-x86, system
submitted
18/05/2024, 07:52
Static task
static1
Behavioral task
behavioral1
Sample
53b1e66a9d2bcd4e0bafc461874191a8_JaffaCakes118.apk
Resource
android-x86-arm-20240514-en
Behavioral task
behavioral2
Sample
53b1e66a9d2bcd4e0bafc461874191a8_JaffaCakes118.apk
Resource
android-x64-20240514-en
General
Target
53b1e66a9d2bcd4e0bafc461874191a8_JaffaCakes118.apk
Size
28.1MB
MD5
53b1e66a9d2bcd4e0bafc461874191a8
SHA1
4b81c3fb4428052e2d26e996c39821dec8fdf57e
SHA256
ba31e250bd49158eadbbab08f5ee16049706fee59c152340b03b09f9e46bd70b
SHA512
53fb5b2c6625638e2935770f360ebb54ec43f5ae613935a3bd46c609f38307d63312d5331a14e6515fb3e536b6ecc05aba9c762da6f85cf5e0a52bc180e6487e
SSDEEP
393216:UmFyY/R6QK8sLuD//lPehqKuz6DWi15HRl3EfQMyay3ndKBaSYkeAbSGxv78:V4qczvuj/lPAV7LVEf0d3uaSYISGxQ
Malware Config
Signatures
Checks if the Android device is rooted. (1 TTPs, 1 IoCs)
    ioc: /sbin/su    Process: com.everhomes.android.bilinshe

Checks known Qemu files. (1 TTPs, 3 IoCs)
Checks for known Qemu files that exist on Android virtual device images.
    ioc: /system/lib/libc_malloc_debug_qemu.so    Process: com.everhomes.android.bilinshe
    ioc: /sys/qemu_trace    Process: com.everhomes.android.bilinshe
    ioc: /system/bin/qemu-props    Process: com.everhomes.android.bilinshe

Checks known Qemu pipes. (1 TTPs, 2 IoCs)
Checks for known pipes used by the Android emulator to communicate with the host.
    ioc: /dev/qemu_pipe    Process: com.everhomes.android.bilinshe
    ioc: /dev/socket/qemud    Process: com.everhomes.android.bilinshe

Checks memory information (2 TTPs, 1 IoCs)
Checks memory information which indicates whether the system is an emulator.
    description: File opened for read    ioc: /proc/meminfo    Process: com.everhomes.android.bilinshe

Queries information about running processes on the device (1 TTPs, 2 IoCs)
Application may abuse the framework's APIs to collect information about running processes on the device.
    description: Framework service call    ioc: android.app.IActivityManager.getRunningAppProcesses    Process: com.everhomes.android.bilinshe
    description: Framework service call    ioc: android.app.IActivityManager.getRunningAppProcesses    Process: com.everhomes.android.bilinshe:pushservice

Queries information about the current Wi-Fi connection (1 TTPs, 2 IoCs)
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
    description: Framework service call    ioc: android.net.wifi.IWifiManager.getConnectionInfo    Process: com.everhomes.android.bilinshe
    description: Framework service call    ioc: android.net.wifi.IWifiManager.getConnectionInfo    Process: com.everhomes.android.bilinshe:pushservice

Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTPs, 2 IoCs)
    description: Framework service call    ioc: android.app.IActivityManager.registerReceiver    Process: com.everhomes.android.bilinshe
    description: Framework service call    ioc: android.app.IActivityManager.registerReceiver    Process: com.everhomes.android.bilinshe:pushservice

Checks if the internet connection is available (1 TTPs, 2 IoCs)
    description: Framework service call    ioc: android.net.IConnectivityManager.getActiveNetworkInfo    Process: com.everhomes.android.bilinshe
    description: Framework service call    ioc: android.net.IConnectivityManager.getActiveNetworkInfo    Process: com.everhomes.android.bilinshe:pushservice

Uses Crypto APIs (Might try to encrypt user data) (1 TTPs, 2 IoCs)
    description: Framework API call    ioc: javax.crypto.Cipher.doFinal    Process: com.everhomes.android.bilinshe:pushservice
    description: Framework API call    ioc: javax.crypto.Cipher.doFinal    Process: com.everhomes.android.bilinshe
Processes
com.everhomes.android.bilinshe (PID:4332)
    - Checks if the Android device is rooted.
    - Checks known Qemu files.
    - Checks known Qemu pipes.
    - Checks memory information
    - Queries information about running processes on the device
    - Queries information about the current Wi-Fi connection
    - Registers a broadcast receiver at runtime (usually for listening for system events)
    - Checks if the internet connection is available
    - Uses Crypto APIs (Might try to encrypt user data)
    /system/bin/sh -c getprop (PID:4498)
        getprop (PID:4498)

com.everhomes.android.bilinshe:pushservice (PID:4404)
    - Queries information about running processes on the device
    - Queries information about the current Wi-Fi connection
    - Registers a broadcast receiver at runtime (usually for listening for system events)
    - Checks if the internet connection is available
    - Uses Crypto APIs (Might try to encrypt user data)
Network
MITRE ATT&CK Mobile v15
Downloads
Filesize 251B
MD5 0f6c5510b1f284c9d5447794b36f506d
SHA1 682772433e02012ebfa66661d1b1e042169930c0
SHA256 b9102f341dc7b8b61d677377cd19b987ba70b12ae87ee3b074e77afa837311e3
SHA512 471135fb2de081e3be94c77bc7720f250456859bd2a9b6c7f756dc28f9c2369d8f8daaf196cbc42bc47bdf1a3b4d8df2d9f7a2e6629d7ac0c471c626a8b03ab0

Filesize 239B
MD5 533cc5190c591d25c3243a8c692e8f63
SHA1 2074124cd8dee4e57f30eaec4b15a5a2ae08d9f8
SHA256 94141e1b887dd8d60dd50ac0c0988abbde1f6134ff6fc8353e2502bb15c823ca
SHA512 217fe25c74c3ba08c7eaa473fe60b50f3e68e7e3e004d3069eeab756771f57c3b00d559b927ce9b557e74f555b5064dec5bc8b93c45ac2d06c09d9f96076c6bc

Filesize 58B
MD5 0d210bfb2a0e1f1b4c082a6a0f79de07
SHA1 bb8ed9e364db79d1d9f2fcde3f15091893222faa
SHA256 988722c23d78a46021d0e7ca9deee7aa8bb83288269174ffacb7316f381cca1d
SHA512 536e9867b0df29b15b789f8949be6ab37fcdeccb9d39ded981da7dc2052c9533d0ec0e6f9a5444132977605d372e1463d91bdde41b528ff2ca3f65ab152325c1

Filesize 84B
MD5 b4054e26311706eb7157887dd0440b21
SHA1 da7e7f747d8f84cdc3496ea22dccab40b6920e88
SHA256 04ccd299a46b224c93915b774280ed4c89c121036e7f3c348d94a2a8f50625d1
SHA512 44b41d87ed3f03f1ade10db7a78b26b24ef761675a18fcfb06fa573c66f932b31ebd66e72c31d413e3216b7db1d1c5f2a0ad9cd79e72c9b13ddd8816c9e076e4

Filesize 4KB
MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

Filesize 197KB
MD5 56de9b406406ca205eec7ca40c5295b0
SHA1 262cc604e7724cd33fbc7493f383dc3d3e28f607
SHA256 7bb40a4f125803696159492b3ea538a11b9ffdd69a83173fd2372158b9caa3ac
SHA512 79e882df01db51e3fac47e8ffc2fe417e8214bd59c90543ce6c88ae89f7ed685e43543797aa01aad1103389d19ef6e8e683df1bbfdb32d657675c64aa81df4e2

Filesize 84B
MD5 6249451cee13439c4d5830c3e2a8e7d5
SHA1 b72e33ee094410f45580baee9d9c0bb36a46d556
SHA256 49c32c52e67ba96d5aede007afd36bc33b2d60c4b20be0ab8d5ed24a88ea8600
SHA512 a218e4f8cbfe3a7feaaf7f967ce95c590e99d187c41f16fbc427bc568e08a3e0f336f57464f7bdc5902e4f77e0b3aa8da466e34ee701528ed5c1d993ce12f9ee

Filesize 84B
MD5 c93d41a45db73b396d974a84285b1d43
SHA1 397e0ee05531eaa71a2a27871523891027131650
SHA256 f07da4b54a7532eac3e11acca8b5e42b52d7af3d0d2b6a50e2036f001c03676d
SHA512 0b0ea5f2f565e7f1c64930cfbdb361ee200a74308b0d3ef5af4648e6c74b7ea5c7fcee42ffa38c08b16a93648378465e23467d5732690cddf4ac44c7546ab3a1

Filesize 512B
MD5 7cd00568735bd047aaacf4403fcdf8a7
SHA1 9267afc8f5e15bf21288f5ff771ea7fdf0632c37
SHA256 71775fc137cd36bd20505eff23b2f81af97ef278fd1f071299d791a7ca0d2463
SHA512 cba6541640e3c8dfa18080489d0e119949fb80ba351652f13819138f73f537b1570f680cf4dade73fdcce4763688ec731144fd328c18899a94bf6caa3b71d94f

Filesize 72KB
MD5 1dd3061b87874ba830c2ef7cd9566f83
SHA1 f0cc232365446353a6e9a254a877e15f34d6c0a5
SHA256 d5e50a0333cc63ffe64d195268bd7a6e1fa12a61962fb3550cfbb7fbf3ddd08d
SHA512 882168dd132bf15df9162c12f7066028fd85d14dd8b447425dd50b0d8d04ce320e6277ea555edb65374a0ca8314d6af4a826fa3ca7176627df742ffd57890895

Filesize 512B
MD5 79c4971544889e3b63186dc43c272e27
SHA1 39d8ab178783fdcd7ddd3c1843766a5020b06e7b
SHA256 cb341f489a1eca435c3df738f0311d173e61de0e1f6334225989b63ab8407eae
SHA512 880ed66ca78130383541c1157e6358a64266fd414b74884b01616105b893c6cac27e240b981d7440c0f8ac2788fbf2e4dfaca5d48d9e7946bd3ed199c6c1dbce

Filesize 32KB
MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Filesize 14B
MD5 57e91431976cbef76bd2f7cb864f1c4d
SHA1 9a52a4feb6c09bbf2aca1ffb5d0baaf6972c9f8a
SHA256 be5a3d38641cf7456b68525b195fbef293b008a14e75f0bd03cb1d4bd710cb07
SHA512 f5c06e48ebe3548c1bb42764d69f9bdbb51dfc49f614a7f6024916f7b4ed7f694954d4dbbf9dff020a2394332b1f2dd35bebd3ed1120d4d33bad1297a98e78a6

Filesize 129B
MD5 f8732a4232ff1eb1e64b061ca82a3f61
SHA1 f2d4b88e99049f45b648ca54b480bc9b7b4814c5
SHA256 2e5a96b155850b86f972f5ce17c0ad39fb5a535aa1865df2a375bc73d3575791
SHA512 154b2fd62be6977f75b59f2955c11d1b61cfd73b8ad82a378bce7cf749fd32d43ad822dfbcacde40593d1ee2fe62a556669114b06fe65fb3dcaa43fe02c04bac

Filesize 14KB
MD5 d67ee96c768b21f4e9f8439d35445e4f
SHA1 fb06dbc9ac5e2374ae20f4919efedf3c6fc7d036
SHA256 9b7a5fad2bcfe567f9e4dbc743a62b264166f54fe4a7ef22bc0ae938cd81e9df
SHA512 ee430adb4fe0319a0cb0f1e0db7baea8396ffc156e6f0c089b70b8f5f499fd0a380d7e023a1e2954337b46dfdd6b338c7673454db50a586518c67f0cecca8a5c

Filesize 20KB
MD5 286e9619c2976d0f8f51af94aba39ab3
SHA1 12b4cd0556e6399d8197d8cebd421249cfecd3f7
SHA256 7ad463b8091d2685ba7f55a259c100a38e2107c537b8720dd28e9e99c90835cd
SHA512 071b407dc26ff2f5fc53d48107bcfabd366bf008de4a71f6163dc7a63fd3cfcc68f42d4e4cd64824a7451f76ae2f59cf211a9939357cb682ed221feedd13655c

Filesize 129B
MD5 966f3734117529dc559c3173af20399a
SHA1 708da86aa139864b6d7e820edcd97a2a4ec47ae1
SHA256 889050c70b046f79baf28e0849c8994f0e64feec040019827a3269b17835658f
SHA512 b467ff408089e758995eb06368ba8dda257a7577679cb92b13b111f2ff4a6c987d91a4388f6f0c75bce041afdb8a8d3c760528c5da5b3792edc2266c148dfee2

Filesize 80B
MD5 ea78dfc8c2b13df96d76f2bc9fdf55e3
SHA1 083ce3ed388e2c0b43c7529469f9abcb76f57ed2
SHA256 2d1ae5952d764f7b24ebf6abf14081d68386bd52f72fbbdaac848cc032d5e770
SHA512 0a9c5902c1318e82c59d3c23977cd3893d4d4c846788462057a508bdad0ad81dd9cc3ea5b142da860c99f46442fab5b854c3c019a22d090da18e39129800060a