Analysis
max time kernel: 179s
max time network: 189s
platform: android_x86
resource: android-x86-arm-20240514-en
resource tags: android, arch:arm, arch:x86, image:android-x86-arm-20240514-en, locale:en-us, os:android-9-x86, system
submitted: 18/05/2024, 16:32
Static task: static1
Behavioral task: behavioral1
Sample: 55b429e4b5ed0d273ecefc0b386d30a1_JaffaCakes118.apk
Resource: android-x86-arm-20240514-en
General
Target: 55b429e4b5ed0d273ecefc0b386d30a1_JaffaCakes118.apk
Size: 29.0MB
MD5: 55b429e4b5ed0d273ecefc0b386d30a1
SHA1: 50e15bc23a28022aa564765adc287ba31494da1d
SHA256: 8252d6d25ce25cb6464ef1f6a4730c6dc2ab8547bbb1f69f7095610630ce21e5
SHA512: 1f06a4f1b8b1ae2be192178b416a98568f27c35f19e8c90ccaca67355cfa0e75ca9749dbec7e9ee7873beb06b566649e0b87682a62dcf86f82fd6d032d95dc6a
SSDEEP: 786432:t6UzJPLe7KbwxBCdGa0ejDjZLzedocNgcq3mF:5JqKkxodp0e3tKo8g5mF
Malware Config
Signatures
Checks if the Android device is rooted. (1 TTP, 2 IoCs)
  IoC: /system/bin/su | Process: com.wondersgroup.hs.healthcloud.patient
  IoC: /system/xbin/su | Process: com.wondersgroup.hs.healthcloud.patient
Requests cell location (2 TTPs, 1 IoC)
  Uses Android APIs to get the current cell location.
  Description: Framework service call | IoC: com.android.internal.telephony.ITelephony.getCellLocation | Process: com.wondersgroup.hs.healthcloud.patient
Checks CPU information (2 TTPs, 1 IoC)
  Checks CPU information that indicates whether the system is an emulator.
  Description: File opened for read | IoC: /proc/cpuinfo | Process: com.wondersgroup.hs.healthcloud.patient
Checks memory information (2 TTPs, 1 IoC)
  Checks memory information that indicates whether the system is an emulator.
  Description: File opened for read | IoC: /proc/meminfo | Process: com.wondersgroup.hs.healthcloud.patient
Queries information about running processes on the device (1 TTP, 2 IoCs)
  The application may abuse the framework's APIs to collect information about running processes on the device.
  Description: Framework service call | IoC: android.app.IActivityManager.getRunningAppProcesses | Process: com.wondersgroup.hs.healthcloud.patient
  Description: Framework service call | IoC: android.app.IActivityManager.getRunningAppProcesses | Process: com.wondersgroup.hs.healthcloud.patient:pushservice
Queries information about the current Wi-Fi connection (1 TTP, 1 IoC)
  The application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
  Description: Framework service call | IoC: android.net.wifi.IWifiManager.getConnectionInfo | Process: com.wondersgroup.hs.healthcloud.patient
Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTP, 2 IoCs)
  Description: Framework service call | IoC: android.app.IActivityManager.registerReceiver | Process: com.wondersgroup.hs.healthcloud.patient
  Description: Framework service call | IoC: android.app.IActivityManager.registerReceiver | Process: com.wondersgroup.hs.healthcloud.patient:pushservice
Checks if the internet connection is available (1 TTP, 2 IoCs)
  Description: Framework service call | IoC: android.net.IConnectivityManager.getActiveNetworkInfo | Process: com.wondersgroup.hs.healthcloud.patient
  Description: Framework service call | IoC: android.net.IConnectivityManager.getActiveNetworkInfo | Process: com.wondersgroup.hs.healthcloud.patient:pushservice
Reads information about phone network operator. (1 TTP, no IoCs listed)
Uses Crypto APIs (Might try to encrypt user data) (1 TTP, 2 IoCs)
  Description: Framework API call | IoC: javax.crypto.Cipher.doFinal | Process: com.wondersgroup.hs.healthcloud.patient:pushservice
  Description: Framework API call | IoC: javax.crypto.Cipher.doFinal | Process: com.wondersgroup.hs.healthcloud.patient
Processes
com.wondersgroup.hs.healthcloud.patient (PID 4311)
- Checks if the Android device is rooted.
- Requests cell location
- Checks CPU information
- Checks memory information
- Queries information about running processes on the device
- Queries information about the current Wi-Fi connection
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Checks if the internet connection is available
- Uses Crypto APIs (Might try to encrypt user data)
com.wondersgroup.hs.healthcloud.patient:pushservice (PID 4519)
- Queries information about running processes on the device
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Checks if the internet connection is available
- Uses Crypto APIs (Might try to encrypt user data)
Network
MITRE ATT&CK Mobile v15
Defense Evasion
- Execution Guardrails (1)
  - Geofencing (1)
- Virtualization/Sandbox Evasion (2)
  - System Checks (2)
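The Signatures, Processes and ATT&CK blocks above are three views of the same evidence: each IoC row is a file open or a framework (Binder) call observed in one process, a signature fires when a row matches its rule, and the ATT&CK counts are the number of fired signatures mapped to each technique. The following added example (my code, not the sandbox's own rule engine) re-derives all three views from a trace of such events. The event shape, the rule tables and the trace itself are assumptions modelled on the IoC rows above; the signature "Reads information about phone network operator" has no IoC in the report and is therefore not modelled.

```python
"""Re-derive the report's signatures, per-process view and ATT&CK Mobile counts
from a trace of file-open and framework-call events (added example; event shape,
rule tables and the sample trace are assumptions modelled on the report's IoC rows)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

# Paths whose open() the report attributes to the root check
SU_PATHS = frozenset({"/system/bin/su", "/system/xbin/su"})

# /proc files whose read the report attributes to emulator detection
PROC_CHECKS = {
    "/proc/cpuinfo": "Checks CPU information",
    "/proc/meminfo": "Checks memory information",
}

# Framework/Binder method -> signature name, named exactly as the IoC rows name them
FRAMEWORK_CALLS = {
    "com.android.internal.telephony.ITelephony.getCellLocation": "Requests cell location",
    "android.app.IActivityManager.getRunningAppProcesses":
        "Queries information about running processes on the device",
    "android.net.wifi.IWifiManager.getConnectionInfo":
        "Queries information about the current Wi-Fi connection",
    "android.app.IActivityManager.registerReceiver":
        "Registers a broadcast receiver at runtime (usually for listening for system events)",
    "android.net.IConnectivityManager.getActiveNetworkInfo":
        "Checks if the internet connection is available",
    "javax.crypto.Cipher.doFinal": "Uses Crypto APIs (Might try to encrypt user data)",
}

# Signature -> (technique, sub-technique) as named in the report's ATT&CK Mobile v15 block
ATTACK_MOBILE = {
    "Checks CPU information": ("Virtualization/Sandbox Evasion", "System Checks"),
    "Checks memory information": ("Virtualization/Sandbox Evasion", "System Checks"),
    "Requests cell location": ("Execution Guardrails", "Geofencing"),
}
ROOTED = "Checks if the Android device is rooted."

@dataclass(frozen=True)
class Event:
    process: str   # e.g. "com.example.app" or "com.example.app:pushservice"
    kind: str      # "file_open" or "framework_call"
    target: str    # path for file_open, fully qualified method for framework_call

def match_signatures(events: Iterable[Event]) -> Dict[str, Dict[str, Set[str]]]:
    """Return {signature: {process: {ioc, ...}}}; events matching no rule are ignored."""
    hits: Dict[str, Dict[str, Set[str]]] = defaultdict(lambda: defaultdict(set))
    for ev in events:
        if ev.kind == "file_open":
            if ev.target in SU_PATHS:
                hits[ROOTED][ev.process].add(ev.target)
            elif ev.target in PROC_CHECKS:
                hits[PROC_CHECKS[ev.target]][ev.process].add(ev.target)
        elif ev.kind == "framework_call" and ev.target in FRAMEWORK_CALLS:
            hits[FRAMEWORK_CALLS[ev.target]][ev.process].add(ev.target)
    return {sig: dict(procs) for sig, procs in hits.items()}

def per_process(signatures: Dict[str, Dict[str, Set[str]]]) -> Dict[str, List[str]]:
    """Invert to {process: [signature, ...]}, the layout of the report's Processes block."""
    out: Dict[str, Set[str]] = defaultdict(set)
    for sig, procs in signatures.items():
        for proc in procs:
            out[proc].add(sig)
    return {proc: sorted(sigs) for proc, sigs in out.items()}

def attack_summary(signatures: Dict[str, Dict[str, Set[str]]]) -> Dict[str, int]:
    """Count fired signatures per technique and sub-technique, like the ATT&CK block."""
    counts: Dict[str, int] = defaultdict(int)
    for sig in signatures:
        for name in ATTACK_MOBILE.get(sig, ()):
            counts[name] += 1
    return dict(counts)

MAIN = "com.wondersgroup.hs.healthcloud.patient"
PUSH = MAIN + ":pushservice"

# Constructed trace reproducing the report's IoC rows, plus one benign open that must not match
SAMPLE_TRACE = [
    Event(MAIN, "file_open", "/system/bin/su"),
    Event(MAIN, "file_open", "/system/xbin/su"),
    Event(MAIN, "file_open", "/proc/cpuinfo"),
    Event(MAIN, "file_open", "/proc/meminfo"),
    Event(MAIN, "framework_call", "com.android.internal.telephony.ITelephony.getCellLocation"),
    Event(MAIN, "framework_call", "android.app.IActivityManager.getRunningAppProcesses"),
    Event(PUSH, "framework_call", "android.app.IActivityManager.getRunningAppProcesses"),
    Event(MAIN, "framework_call", "android.net.wifi.IWifiManager.getConnectionInfo"),
    Event(MAIN, "framework_call", "android.app.IActivityManager.registerReceiver"),
    Event(PUSH, "framework_call", "android.app.IActivityManager.registerReceiver"),
    Event(MAIN, "framework_call", "android.net.IConnectivityManager.getActiveNetworkInfo"),
    Event(PUSH, "framework_call", "android.net.IConnectivityManager.getActiveNetworkInfo"),
    Event(MAIN, "framework_call", "javax.crypto.Cipher.doFinal"),
    Event(PUSH, "framework_call", "javax.crypto.Cipher.doFinal"),
    Event(MAIN, "file_open", "/data/data/" + MAIN + "/shared_prefs/settings.xml"),
]

if __name__ == "__main__":
    sigs = match_signatures(SAMPLE_TRACE)
    for proc, names in per_process(sigs).items():
        print(proc)
        for name in names:
            print(f"  - {name}  [{len(sigs[name][proc])} IoC(s)]")
    print(attack_summary(sigs))
```

Run stand-alone, the script prints nine signatures for the main process and four for the pushservice process, and the technique counts (Virtualization/Sandbox Evasion 2, System Checks 2, Execution Guardrails 1, Geofencing 1) match the ATT&CK block. Treat such hits as triage leads rather than verdicts: connectivity checks, runtime receivers and Cipher.doFinal are routine in push SDKs and in apps that sign or encrypt their own API traffic, so what distinguishes a sample is the combination with the su-path probes and /proc reads, and what the app does after those checks.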
Downloads

Filesize: 59B
MD5: cc5a0a10604619ffc9f5c2fbbcdcb750
SHA1: 795d0c001a99e35835c60751b2a8f6e809322dbe
SHA256: f3e8e03ff468757132bb8308495841ae6cd11d256b1b68db5ca321de3afb2c85
SHA512: b764d3fa0c2c218ac580363888f3ce790e9595a93a4108ee0ee330c724fa23a8527240ef4cf869931467dba8ad384953f71cea92319218f2d5a62255ccbaeb6f

/data/data/com.wondersgroup.hs.healthcloud.patient/app_SGLib/app_1716049944/main/libsgmainso-5.4.9901.so.tmp.4311
Filesize: 771KB
MD5: 4ed88628a38d1079255b4c2bcaf6e81d
SHA1: afaaaf2ef14f8db896c3cc0f4f37c95854472d80
SHA256: 336e61d1ec5c8097424fee02234bc00041e14ffd636f7ff2d0fa990ad73230fd
SHA512: 1a282256d6aee51086432a8594c66ccd1bfeaddc2f3d74caa9de18361b1c478e479c762fdb08dd4b9964a3a10b266e4a3047d444637f5e3d638ca5f055f4d479

/data/data/com.wondersgroup.hs.healthcloud.patient/app_SGLib/app_1716049944/main/main_312768000.pkgInfo.tmp
Filesize: 197KB
MD5: 76417144b13dd1566b83c2c574ce6dd2
SHA1: 49fadc6bd1ad61ab241d91f16d46e224473cc7fb
SHA256: 5d7a3b905b5b71c01ce40710a81df37d08605cf05cddfc232c8837d3fc2884d0
SHA512: 6e088f764f7e846b04b609db7bc482219b86a42b3922b475c14c30acded9e923a222c0a07dbaab3af424a23ac9835cd4786ee00e6dc13b8d013ddc35e69e7eb3

Filesize: 4KB
MD5: f2b4b0190b9f384ca885f0c8c9b14700
SHA1: 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256: 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512: ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

Filesize: 512B
MD5: 65872f73d2e5b177ab65cf540c6162f9
SHA1: d122abde2a9b4f30538382737107d75afd91150c
SHA256: 154074c5652303bb6ee540309e5d18fc01742e5c739be56240e8fa3d301ad67d
SHA512: 884c5043348168030e410095544a24d97e9a90d59284ed5d89b3d5dbdda949023afa7f668f5b73c15b9e924fb1a388d03272147c738ed0072e0784615f7ce029

Filesize: 28KB
MD5: cf845a781c107ec1346e849c9dd1b7e8
SHA1: b44ccc7f7d519352422e59ee8b0bdbac881768a7
SHA256: 18619b678a5c207a971a0aa931604f48162e307c57ecdec450d5f095fe9f32c7
SHA512: 4802861ea06dc7fb85229a3c8f04e707a084f1ba516510c6f269821b33c8ee4ebf495258fe5bee4850668a5aac1a45f0edf51580da13b7ee160a29d067c67612

Filesize: 20KB
MD5: 152d93ae988386d9dfeaeeff4e1b8bbf
SHA1: 5d0e40c4987fd64663a22bff86a5c57199425be9
SHA256: 314d28a9e8fcf52e71da0f7503e2d7996fff69371703725719f39247860b2348
SHA512: a955a300646916efaa9334f3cda2441d004fd75990b6c3e218858913cf0d9a3742681739a183c4d1fd3fcb0243311aefff56331059942122870913d924380d9f

Filesize: 647KB
MD5: fd1d92a83e08f04b08b49f130c05e7ef
SHA1: b475d3589d57e7e93aff5b80b6ff71a0934679bc
SHA256: 1f14bb7f0b9a082d6293256330ba4e7fd8b11bcf30e1b671a75bfd999aa0b9c7
SHA512: 4262b60bd23957d8b4463c4f98e34dd6cd0449813f8a6802d8fc2bf88f89eac5ab1cc864cc157ffc1d0de76db34b3e88e3225b8495c7f30ed03261ca06b99e6f

/data/data/com.wondersgroup.hs.healthcloud.patient/databases/pri_tencent_analysis.db_com.wondersgroup.hs.healthcloud.patient-journal
Filesize: 512B
MD5: ad925fa26de7568d78ab5ec742bb9dda
SHA1: f0b81f716923ce3edc46d9ac4d2d3d7ef49d3c57
SHA256: 7d7c4d3b80ff7983ddab47abe2c3be239da8c16954fdb864b162b8f29178e21f
SHA512: be88a6de21cfcdf27fda99d33acaa145fa5e5fe4327caa600cce07049d714bd81746061bffdc9eb2e2a567bfe3bf31a1131ddf661b48c4ea13c769b917baaa46

/data/data/com.wondersgroup.hs.healthcloud.patient/databases/pri_tencent_analysis.db_com.wondersgroup.hs.healthcloud.patient-wal
Filesize: 16KB
MD5: cba7f63129e5760f9cbb800bfe80106b
SHA1: 2226538a6f9a988bb264d1862fab612bb75bb5b0
SHA256: bc71bd2464741282d439922614562822f927400791996707010aa9a0a4eb1430
SHA512: b32ed502dbf52a7b331855df4e6a01e9d6ebbb0351809a9cb33a1353416ce288ab4427ccdf9c26f78d91889e4cf68edef218f1621f75285afa20905253d62f45

Filesize: 512B
MD5: 34eef8d138a8d62fb928759302676e6b
SHA1: f510b0a78f576e305d6df6e71a1a6c6064359943
SHA256: 1aa72b21d1ae51ac185cec352ddaa4a3195f1e92a5012dab81c80d4555dc3991
SHA512: 82fefa61660bd6f8a126bd27785057f2281b2aee632aa8cda9563b95170e32395f90a1e69abaccfc16d62ba321920f52893600c2cd5a4bc428aae585f0a50674

/data/data/com.wondersgroup.hs.healthcloud.patient/databases/tencent_analysis.db_com.wondersgroup.hs.healthcloud.patient-journal
Filesize: 512B
MD5: 27486047480f0d5fbf48046f9e449fb5
SHA1: 411660551aca5d0342fcdfba6858a70dcb5ade01
SHA256: 8f15f60e99a659fff88dc8431f869ee00a57df2135a7708ce91d601b210d6737
SHA512: 6374fcf084b53fc0dae49d425329c3d7a32d8168dc620b1c27faad42c37fa991bdf90605c187a0eb6c4fb00aeb2de9285e3692ce46005023a4dabe69fbb63fa4

/data/data/com.wondersgroup.hs.healthcloud.patient/databases/tencent_analysis.db_com.wondersgroup.hs.healthcloud.patient-wal
Filesize: 64KB
MD5: c8ceda7252f243344f8f2a4765afa807
SHA1: 20aa1d3637bd17db528d1252b9165896a15f9030
SHA256: e7abb71b99614e328393f193f3ff78661fb403c9e3bc8da159b8b6ec031014b3
SHA512: 763c750defc9d93b80ef2c0943446310937f65afe2dff3c42564892f03d1633c3acfe7005ba3492dc05ed943250d8e3a5d41e7180bce739208256326715e60f3

Filesize: 1KB
MD5: 2769b6ce78ef4d03d99290a0ca8de080
SHA1: 328cf6025588e52a932a4d8acb1daa89fbff4f24
SHA256: 369b7df839484bd8f08b25a6eb95db6ff987930ae93621711d4447379629f2e2
SHA512: 6901491541581d85f7c664b94a1d365437b7e9981c2e75648459f1790591e556aaea89700a215caabb1dd175a8dfa6a1129035b5ea4652806f2363d0930b53d7

Filesize: 45B
MD5: 498eb3da9510807bef2674c02ddefa72
SHA1: 2da9a404be53830763ce4f8e1003b64ea1d97cfa
SHA256: b5df5dd5dbc205b69bc1ad793e31aea3e811b7b3501ebee34094a65b39671295
SHA512: 1bb42bec71f4504f736214d2f37b40f2f70f2b1970640677085bedbe18e4bcf305bf75b4f62ea85047d54753a75ee8f33b3d269c73e3540853d8da34d5e7a4dd

Filesize: 89B
MD5: 9655d8f95da8d7b81462b6e3e38c1c27
SHA1: b56776a38fc2c9948b66f8a080022c0d0f61866e
SHA256: d0d3b3d1f5150e10afb51cd910892a036dae1952d016c3a09993078e5f77b06c
SHA512: 907e9178f99d69827e4cd0816810f82a745f2d5cd2a12fd3b1168a0e4eae538f5295e3d4e2a34c0bce43baaf4d52303606cc667ddbb4ddb15c3dc68fedbc659e

Filesize: 152B
MD5: b4a6806bcf99901d36f3b58cf640495d
SHA1: f2495f402377d72a233598d8960cd5058533e8b6
SHA256: 88bf74e40295e668e3c13db8ac6267e0b7227cf0e50d0c0d6dd9747393187013
SHA512: 10bfe99e072998a73711341ad487e1ef2891ada2f45cd8ec33bccaf22bb6bcea3b5b89a6a40c8cb9e235f722c1195774ec8abbf94e4dac0fa66dd79cd5142cc3

Filesize: 14B
MD5: 58d5c4192472e68a9b6a9275c4336498
SHA1: 3f00a0f0696f8dd10d8f193057be707bacc360c8
SHA256: 1b9e966f08f3a9b97c3602274458d11089fb5c482fecaabb90779bf755035aa4
SHA512: b31a558d020d1a7a519d34573ac58d710f6c27b93cea13aace6c6310eca10d4d745c7fae8eb145054fbbc48e6b27367faa41111fc3d30ff7d690db6d4cf5e072

Filesize: 82B
MD5: e8be01a3d651b9f955cbb28d7fe2f623
SHA1: 04010f8b539c2e98c8d7b7752e9879547aa9dc0f
SHA256: 97f36bba6fac1a853fc47a62ed426b46325a58a209d20a7c232641ffba4e44f4
SHA512: 19eb61bf037bcc667e6a19773beee13011faffc9a5f8efffebddeb5e27e017bc47f26e143de5e9f471668bdd9eb445fb85afda410b065f0d3ae323169ba4b34f

Filesize: 57B
MD5: 70a42cba408700f9a6c01c7941a8829e
SHA1: eab01cc2c0671538795fb0b1146017dc099d0984
SHA256: 499576707ce2623293166979e59c832be5b8636c64ad39aa63ebcf961910c35f
SHA512: 8900d4dc8eed0430babbacb72942401bd22ef7fe5430cad90d3ce0c2c53010220d666aa0e2eb1026f3ec81d574c7fa12585b49222a5f15b01637f6ba134fe70c

Filesize: 129B
MD5: 0815ad202092b08764532ee94a6b164e
SHA1: 92bf5d1e242b39c9845b032513bd12f9b008374f
SHA256: 4928bd35d1056ffe5c683e6b10a7a5ae5d9df44970bfc47b53435f7e099bd3c5
SHA512: abccd5e58fe0c18a2a6482a96f9e82c99bea38d60dbe5bbdb62a67f125dcb1652accebc1a8b5c0ec79d5435ff9a106dce3d3c7acd9e7bdd647b901a76a9186d4
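Two things in the Downloads block are worth checking mechanically when such a report is scraped into a case file: most records carry no path, so they cannot be matched to a filesystem location without the raw sandbox artefacts, and the one native library that does have a path, libsgmainso-5.4.9901.so.tmp.4311, carries the PID of the main process (4311 in the Processes block) as its temp suffix, which ties the drop to that process. The added example below (my code, not the sandbox's export tooling) parses records in the layout these exports use, whether the digest label is fused to its value ("MD5cc5a...") or separated by a colon, validates every digest length, and links ".tmp.<pid>" names back to the known PIDs. The two records in SAMPLE are constructed from entries above; the assumption that the "-" line and a blank line both act as record separators is mine.

```python
"""Parse sandbox dropped-file records (added example; layout handling and the
sample records are assumptions modelled on the Downloads block above)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
# Label may be fused to the value ("MD5cc5a...") or separated by ": "
DIGEST_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s*:?\s*([0-9a-fA-F]+)$")
SIZE_RE = re.compile(r"^Filesize\s*:?\s*(\d+(?:\.\d+)?[KMG]?B)$")
TMP_PID_RE = re.compile(r"\.tmp\.(\d+)$")

@dataclass
class DroppedFile:
    path: Optional[str] = None
    size: Optional[str] = None
    digests: Dict[str, str] = field(default_factory=dict)
    pid: Optional[int] = None          # PID parsed from a ".tmp.<pid>" suffix

    def empty(self) -> bool:
        return self.path is None and self.size is None and not self.digests

def parse_downloads(text: str) -> List[DroppedFile]:
    """Split the block into records; "-" or a blank line starts a new record."""
    records: List[DroppedFile] = []
    cur = DroppedFile()
    size_pending = False               # "Filesize" alone on a line, value follows
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("-", ""):
            if not cur.empty():
                records.append(cur)
                cur = DroppedFile()
            continue
        if line.startswith("/"):
            cur.path = line
            m = TMP_PID_RE.search(line)
            cur.pid = int(m.group(1)) if m else None
        elif line.rstrip(":") == "Filesize":
            size_pending = True
        elif size_pending:
            cur.size = line
            size_pending = False
        elif (m := SIZE_RE.match(line)):
            cur.size = m.group(1)
        elif (m := DIGEST_RE.match(line)):
            cur.digests[m.group(1)] = m.group(2).lower()
    if not cur.empty():
        records.append(cur)
    return records

def validate(rec: DroppedFile, known_pids: Set[int]) -> List[str]:
    """Return the problems found with one record; an empty list means it is consistent."""
    problems: List[str] = []
    for algo, want in DIGEST_LEN.items():
        got = rec.digests.get(algo)
        if got is None:
            problems.append(f"missing {algo}")
        elif len(got) != want:
            problems.append(f"{algo} has {len(got)} hex digits, expected {want}")
    if rec.path is None:
        problems.append("no path recorded")
    if rec.pid is not None and rec.pid not in known_pids:
        problems.append(f"tmp suffix pid {rec.pid} matches no sandboxed process")
    return problems

# PIDs of the two sandboxed processes, taken from the report's Processes block
KNOWN_PIDS = {4311, 4519}

# Constructed excerpt in the export's own layout: one fused-label record with a path, one pathless record
SAMPLE = """
-
/data/data/com.wondersgroup.hs.healthcloud.patient/app_SGLib/app_1716049944/main/libsgmainso-5.4.9901.so.tmp.4311
Filesize771KB
MD54ed88628a38d1079255b4c2bcaf6e81d
SHA1afaaaf2ef14f8db896c3cc0f4f37c95854472d80
SHA256336e61d1ec5c8097424fee02234bc00041e14ffd636f7ff2d0fa990ad73230fd
SHA5121a282256d6aee51086432a8594c66ccd1bfeaddc2f3d74caa9de18361b1c478e479c762fdb08dd4b9964a3a10b266e4a3047d444637f5e3d638ca5f055f4d479
-
Filesize
59B
MD5cc5a0a10604619ffc9f5c2fbbcdcb750
SHA1795d0c001a99e35835c60751b2a8f6e809322dbe
SHA256f3e8e03ff468757132bb8308495841ae6cd11d256b1b68db5ca321de3afb2c85
SHA512b764d3fa0c2c218ac580363888f3ce790e9595a93a4108ee0ee330c724fa23a8527240ef4cf869931467dba8ad384953f71cea92319218f2d5a62255ccbaeb6f
"""

if __name__ == "__main__":
    for rec in parse_downloads(SAMPLE):
        print(rec.path or "(no path)", rec.size, rec.pid, validate(rec, KNOWN_PIDS))
```

The regex alternation relies on the label prefixes being unambiguous ("SHA1" never prefixes a "SHA256" or "SHA512" line), and the length check catches a digest that was truncated or concatenated during extraction, which is the usual way a scraped hash ends up unusable for a lookup.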