Tasks (sample / platform):
- 55829bb57f...18.apk / android-9-x86
- Plugin2.apk / android-9-x86
- Plugin2.apk / android-10-x64
- Plugin2.apk / android-11-x64
- dERlZG.apk / android-9-x86
- dERlZG.apk / android-10-x64
- dERlZG.apk / android-11-x64
- dynamiclib.apk / android-9-x86
- dynamiclib.apk / android-10-x64
- dynamiclib.apk / android-11-x64
- tongyu-pay-lib.apk / android-9-x86
- tongyu-pay-lib.apk / android-10-x64
- tongyu-pay-lib.apk / android-11-x64
Analysis
- max time kernel: 10s
- max time network: 131s
- platform: android_x86
- resource: android-x86-arm-20240514-en
- resource tags: android, arch:arm, arch:x86, image:android-x86-arm-20240514-en, locale:en-us, os:android-9-x86, system
- submitted: 18/05/2024, 15:45
Static task static1
Behavioral task behavioral1: Sample 55829bb57f3278139f33e83888fb97eb_JaffaCakes118.apk, Resource android-x86-arm-20240514-en
Behavioral task behavioral2: Sample Plugin2.apk, Resource android-x86-arm-20240514-en
Behavioral task behavioral3: Sample Plugin2.apk, Resource android-x64-20240514-en
Behavioral task behavioral4: Sample Plugin2.apk, Resource android-x64-arm64-20240514-en
Behavioral task behavioral5: Sample dERlZG.apk, Resource android-x86-arm-20240514-en
Behavioral task behavioral6: Sample dERlZG.apk, Resource android-x64-20240514-en
Behavioral task behavioral7: Sample dERlZG.apk, Resource android-x64-arm64-20240514-en
Behavioral task behavioral8: Sample dynamiclib.apk, Resource android-x86-arm-20240514-en
Behavioral task behavioral9: Sample dynamiclib.apk, Resource android-x64-20240514-en
Behavioral task behavioral10: Sample dynamiclib.apk, Resource android-x64-arm64-20240514-en
Behavioral task behavioral11: Sample tongyu-pay-lib.apk, Resource android-x86-arm-20240514-en
Behavioral task behavioral12: Sample tongyu-pay-lib.apk, Resource android-x64-20240514-en
Behavioral task behavioral13: Sample tongyu-pay-lib.apk, Resource android-x64-arm64-20240514-en
General
- Target: 55829bb57f3278139f33e83888fb97eb_JaffaCakes118.apk
- Size: 6.5MB
- MD5: 55829bb57f3278139f33e83888fb97eb
- SHA1: 95419a2e257e2c87d4f326a4169899404ad32dec
- SHA256: e5f4468be9bbd0861e250fe534f2bff64d2f7e24d344f28c9a00dea23e713a84
- SHA512: eb7dd5a474139adb04e91ab32ab6ca530c6eafb2df893e05896c309e668e7ca6c56613fc8e1b5b0837e20b42ad6f201b27d2fb6ca0ebe7fe30b781584c00d36c
- SSDEEP: 98304:m6nCasrximEkX69+SWZmbDekitcvw+6NrvC3fM5/V8SDzm/Jgy6X9dWDdge0E2uf:mNNXg+SWtkuZn53Dzm/JghQ0E1WLII0
Malware Config
Signatures

Requests cell location (2 TTPs, 1 IoCs)
Uses Android APIs to get current cell location.
- description: Framework service call | ioc: com.android.internal.telephony.ITelephony.getCellLocation | Process: com.jfodfsdfs.YyYm007

Checks memory information (2 TTPs, 1 IoCs)
Checks memory information which indicates if the system is an emulator.
- description: File opened for read | ioc: /proc/meminfo | Process: com.jfodfsdfs.YyYm007

Loads dropped Dex/Jar (1 TTPs, 4 IoCs)
Runs executable file dropped to the device during analysis.
- ioc: /data/data/com.jfodfsdfs.YyYm007/pspace/nexor.jar | pid: 4279 | Process: com.jfodfsdfs.YyYm007
- ioc: /data/user/0/com.jfodfsdfs.YyYm007/files/Plugin2.apk | pid: 4425 | Process: /system/bin/dex2oat --debuggable --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --debuggable --generate-mini-debug-info --dex-file=/data/user/0/com.jfodfsdfs.YyYm007/files/Plugin2.apk --output-vdex-fd=103 --oat-fd=105 --oat-location=/data/user/0/com.jfodfsdfs.YyYm007/files/oat/x86/Plugin2.odex --compiler-filter=quicken --class-loader-context=&
- ioc: /data/user/0/com.jfodfsdfs.YyYm007/files/Plugin2.apk | pid: 4279 | Process: com.jfodfsdfs.YyYm007
- ioc: /data/data/com.jfodfsdfs.YyYm007/pspace/prim.jar | pid: 4461 | Process: /system/bin/dex2oat --debuggable --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --debuggable --generate-mini-debug-info --dex-file=/data/data/com.jfodfsdfs.YyYm007/pspace/prim.jar --output-vdex-fd=112 --oat-fd=113 --oat-location=/data/data/com.jfodfsdfs.YyYm007/pspace/oat/x86/prim.odex --compiler-filter=quicken --class-loader-context=&

Queries information about running processes on the device (1 TTPs, 1 IoCs)
Application may abuse the framework's APIs to collect information about running processes on the device.
- description: Framework service call | ioc: android.app.IActivityManager.getRunningAppProcesses | Process: com.jfodfsdfs.YyYm007

Queries information about the current Wi-Fi connection (1 TTPs, 1 IoCs)
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
- description: Framework service call | ioc: android.net.wifi.IWifiManager.getConnectionInfo | Process: com.jfodfsdfs.YyYm007

Queries the mobile country code (MCC) (1 TTPs, 1 IoCs)
- description: Framework service call | ioc: com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | Process: com.jfodfsdfs.YyYm007

Queries the phone number (MSISDN for GSM devices) (1 TTPs)

Reads the content of SMS inbox messages. (1 TTPs, 1 IoCs)
- description: URI accessed for read | ioc: content://sms/inbox | Process: com.jfodfsdfs.YyYm007

Reads the content of the call log. (1 TTPs, 1 IoCs)
- description: URI accessed for read | ioc: content://call_log/calls | Process: com.jfodfsdfs.YyYm007

Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTPs, 1 IoCs)
- description: Framework service call | ioc: android.app.IActivityManager.registerReceiver | Process: com.jfodfsdfs.YyYm007

Checks if the internet connection is available (1 TTPs, 1 IoCs)
- description: Framework service call | ioc: android.net.IConnectivityManager.getActiveNetworkInfo | Process: com.jfodfsdfs.YyYm007

Reads information about phone network operator. (1 TTPs)

Requests dangerous framework permissions (10 IoCs)
- android.permission.READ_PHONE_STATE: Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device.
- android.permission.WRITE_EXTERNAL_STORAGE: Allows an application to write to external storage.
- android.permission.READ_EXTERNAL_STORAGE: Allows an application to read from external storage.
- android.permission.READ_SMS: Allows an application to read SMS messages.
- android.permission.RECEIVE_SMS: Allows an application to receive SMS messages.
- android.permission.SEND_SMS: Allows an application to send SMS messages.
- android.permission.ACCESS_COARSE_LOCATION: Allows an app to access approximate location.
- android.permission.SYSTEM_ALERT_WINDOW: Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps.
- android.permission.CALL_PHONE: Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call.
- android.permission.CAMERA: Required to be able to access the camera device.

Uses Crypto APIs (Might try to encrypt user data) (1 TTPs, 1 IoCs)
- description: Framework API call | ioc: javax.crypto.Cipher.doFinal | Process: com.jfodfsdfs.YyYm007
Processes
- com.jfodfsdfs.YyYm007 (PID 4279)
  - Requests cell location
  - Checks memory information
  - Loads dropped Dex/Jar
  - Queries information about running processes on the device
  - Queries information about the current Wi-Fi connection
  - Queries the mobile country code (MCC)
  - Reads the content of SMS inbox messages.
  - Reads the content of the call log.
  - Registers a broadcast receiver at runtime (usually for listening for system events)
  - Checks if the internet connection is available
  - Uses Crypto APIs (Might try to encrypt user data)
  - Child: /system/bin/dex2oat --debuggable --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --debuggable --generate-mini-debug-info --dex-file=/data/user/0/com.jfodfsdfs.YyYm007/files/Plugin2.apk --output-vdex-fd=103 --oat-fd=105 --oat-location=/data/user/0/com.jfodfsdfs.YyYm007/files/oat/x86/Plugin2.odex --compiler-filter=quicken --class-loader-context=& (PID 4425)
    - Loads dropped Dex/Jar
  - Child: /system/bin/dex2oat --debuggable --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --debuggable --generate-mini-debug-info --dex-file=/data/data/com.jfodfsdfs.YyYm007/pspace/prim.jar --output-vdex-fd=112 --oat-fd=113 --oat-location=/data/data/com.jfodfsdfs.YyYm007/pspace/oat/x86/prim.odex --compiler-filter=quicken --class-loader-context=& (PID 4461)
    - Loads dropped Dex/Jar
Network
MITRE ATT&CK Mobile v15
- Defense Evasion: Download New Code at Runtime (1), Execution Guardrails (1), Geofencing (1), Virtualization/Sandbox Evasion (1), System Checks (1)
- Discovery: Location Tracking (1), Process Discovery (1), System Information Discovery (1), System Network Configuration Discovery (3), System Network Connections Discovery (2)
Downloads

- Filesize: 4KB
  MD5: f2b4b0190b9f384ca885f0c8c9b14700
  SHA1: 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
  SHA256: 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
  SHA512: ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

- Filesize: 512B
  MD5: a0bf18559046e40d9e495afc6f513221
  SHA1: 74ba74edcae48eeb0d3f76010407fdd56a5e09cb
  SHA256: 00fc28f30502d212f64ae7d9312f58a4baf5d2075ff7591305ec2ac50a4c22b4
  SHA512: 2167f20d06481bcba268b557dbcc31cd46123e06e437157f3005e167347e266999832290e2e6bebd96f56d6832faa3e75ac4a055932045a8d6ab03455fd1b568

- Filesize: 28KB
  MD5: cf845a781c107ec1346e849c9dd1b7e8
  SHA1: b44ccc7f7d519352422e59ee8b0bdbac881768a7
  SHA256: 18619b678a5c207a971a0aa931604f48162e307c57ecdec450d5f095fe9f32c7
  SHA512: 4802861ea06dc7fb85229a3c8f04e707a084f1ba516510c6f269821b33c8ee4ebf495258fe5bee4850668a5aac1a45f0edf51580da13b7ee160a29d067c67612

- Filesize: 120KB
  MD5: 4874b67eb64b6474d7b87f91e63a7184
  SHA1: e4671754cfa4629bc2435ced9b7913799994e64b
  SHA256: bb0670b5208a54d968e62698170600b2d03bfaa7c982399b0aa1565a621e0742
  SHA512: f7efb84fb237f24e9d548da38abc0b030a1c1ca6d6bdeb6a536b44b449ce987336b70969c7bac9124080b90ba537f82a50d01e75035215d9a6f6eac620db7bf5

- Filesize: 96KB
  MD5: 38e2a484a18765834e721e42df3b89cb
  SHA1: 21bb2bc4f29e40abdb103b9d64af815956cb504b
  SHA256: 77ff63fc4125b3c1bf970feb1722e02cf43c9c4d6abeff4b2cccb6a9e55a51ef
  SHA512: 1ad43dbcfdffe2c21649e043ed3e6a61f81f69ac53bac68a9350624b3613be8c249ff0df5b8b7711cb13e030033d23aa71bc3f730becabede1040417f576a618

- Filesize: 27KB
  MD5: c758bbc508560ed0c2863550a93e6d4b
  SHA1: 864823015e8bca5058eb5dbfb65e00fe95109d84
  SHA256: a87902916dea4cf3cdb01a3c88f0b0088ca77209593604703c47f7fa7ece7707
  SHA512: 9ed0d4584206b627061af2b1ae88ab8be78b88f3f8fd14a445451da772020a209efe704934c4eb12b1ea740c409b34d68c1bd47596517710f8c5af4547d24475

- Filesize: 59KB
  MD5: 9413de5e8bd9fe70e22d82e72b2210ad
  SHA1: 0d65c28a7c79dfebe7f96c47174904d6c8b5fe16
  SHA256: 2da935ed0ec68e633729cf4274fede3a87990b17290d52c27b88549f9d2f61ae
  SHA512: 5fadafd90090a6e3cbacd4d3936d5265e310f1ba2d751baa33ce390e82c0c74242ce224db85dfd68e17ba32d3969672a4a6f099a36e80746d7568096925b8bf4

- Filesize: 71KB
  MD5: 6c6447d2b8deb7f6ff2dc37ef76f26f9
  SHA1: 9f7bd181fcdf0d0abd6665d6c88f567ec8137cce
  SHA256: 73957b6d272645d69ca778eb1a7dc9751b675564bf7f3e1e6ed1af74bb458631
  SHA512: 751f3f2338030f2ab6434aacf1067e29860b55e887b9a8bf4ea4e5f834455635924db5e26886b751908bc7ffcd9d8393c99e72286f1f2c3b999d6d917d3e2629

- Filesize: 164KB
  MD5: d417923f322b59acdd41fb128da72e23
  SHA1: 8a2fbc42c6593a49323ea258f6e0f3841473d145
  SHA256: e16d6f99d32b7ffb4332ea485df86cfcd7ee4b626cadc7cb490470b3a26756b7
  SHA512: e7af181f8d543b7f0f08e40d0e2a6c50fc955d436208b200e70b645d482b7dd4f283cc08b63b93598cf78c335bf4f4f1f57725c90f7ec091f15a3adcec35e1b2

- Filesize: 206KB
  MD5: 52e90ce3cc1f84fccc81e46706bf338f
  SHA1: 3f98d84bead1db6dda6b3c773300787b6677f324
  SHA256: 1f60ae0f7ca558ee9b0a6745881b7123925e603afbb4ec0ea1c973c38e659901
  SHA512: 3dfad621b9df17981eeb9f227176b6b36a144a613d7a07f5b827798fe8b8db1b108ad2404daaa3157261b34ed4435510a0476e4303bb1b52d8e6a1de42524acb