Analysis
max time kernel: 8s
max time network: 130s
platform: android_x86
resource: android-x86-arm-20240514-en
resource tags: android, arch:arm, arch:x86, image:android-x86-arm-20240514-en, locale:en-us, os:android-9-x86, system
submitted: 18/05/2024, 16:01
Static task: static1
Behavioral task: behavioral1
  Sample: 559548207cd91eb06040d5b391ef8c48_JaffaCakes118.apk
  Resource: android-x86-arm-20240514-en
Behavioral task: behavioral2
  Sample: BDTX140.apk
  Resource: android-x86-arm-20240514-en
Behavioral task: behavioral3
  Sample: BDTX140.apk
  Resource: android-x64-20240514-en
Behavioral task: behavioral4
  Sample: BDTX140.apk
  Resource: android-x64-arm64-20240514-en
General
Target: 559548207cd91eb06040d5b391ef8c48_JaffaCakes118.apk
Size: 1.7MB
MD5: 559548207cd91eb06040d5b391ef8c48
SHA1: a6efc4a111fed82eea61591f8d224a986c8fc571
SHA256: d582d7ddc86593e5410fff46bc799ee32089fd52727b84585cc8fdfb8b987356
SHA512: 2951473197f8bb54cfa65d6e5e5db6ea9ad49c96836d59caecb8b0277592d8f06a5b45afe6ed440a3fe2d009ecfed4565979c4e68251ca8cefe502f3091a073c
SSDEEP: 24576:x4AEfaaPT8d3W5XwSOn3zVr7AUUAeXJ4hQX7DrR5ARZDj2SzxMhGpUgWN1GBnP87:mP8khWjV7AUI5730DXahXgWNUBnkUa
Malware Config
Signatures
- Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps). 1 TTP.
- Requests cell location. 2 TTPs, 1 IoC.
  Uses Android APIs to get the current cell location.
  Framework service call: com.android.internal.telephony.ITelephony.getCellLocation (process: com.ygi.hmwjqf)
- Checks CPU information. 2 TTPs, 1 IoC.
  Checks CPU information that indicates whether the system is an emulator.
  File opened for read: /proc/cpuinfo (process: com.ygi.hmwjqf)
- Loads dropped Dex/Jar. 1 TTP, 4 IoCs.
  Runs an executable file dropped to the device during analysis.
  ioc: /data/user/0/com.ygi.hmwjqf/files/rui/fKHUOiL.jar, pid 4317, process: /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.ygi.hmwjqf/files/rui/fKHUOiL.jar --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/com.ygi.hmwjqf/files/rui/oat/x86/fKHUOiL.odex --compiler-filter=quicken --class-loader-context=&
  ioc: /data/user/0/com.ygi.hmwjqf/files/rui/fKHUOiL.jar, pid 4291, process: com.ygi.hmwjqf
  ioc: /data/user/0/com.ygi.hmwjqf/files/Plugin2.apk, pid 4363, process: /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.ygi.hmwjqf/files/Plugin2.apk --output-vdex-fd=72 --oat-fd=74 --oat-location=/data/user/0/com.ygi.hmwjqf/files/oat/x86/Plugin2.odex --compiler-filter=quicken --class-loader-context=&
  ioc: /data/user/0/com.ygi.hmwjqf/files/Plugin2.apk, pid 4291, process: com.ygi.hmwjqf
- Queries information about the current Wi-Fi connection. 1 TTP, 1 IoC.
  The application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
  Framework service call: android.net.wifi.IWifiManager.getConnectionInfo (process: com.ygi.hmwjqf)
- Queries the phone number (MSISDN for GSM devices). 1 TTP.
- Reads the content of SMS inbox messages. 1 TTP, 1 IoC.
  URI accessed for read: content://sms/inbox (process: com.ygi.hmwjqf)
- Reads the content of the SMS messages. 1 TTP, 1 IoC.
  URI accessed for read: content://sms/ (process: com.ygi.hmwjqf)
- Registers a broadcast receiver at runtime (usually for listening for system events). 1 TTP, 1 IoC.
  Framework service call: android.app.IActivityManager.registerReceiver (process: com.ygi.hmwjqf)
- Checks if the internet connection is available. 1 TTP, 1 IoC.
  Framework service call: android.net.IConnectivityManager.getActiveNetworkInfo (process: com.ygi.hmwjqf)
- Reads information about the phone network operator. 1 TTP.
- Requests dangerous framework permissions. 10 IoCs.
  android.permission.READ_PHONE_STATE: Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device.
  android.permission.WRITE_EXTERNAL_STORAGE: Allows an application to write to external storage.
  android.permission.READ_EXTERNAL_STORAGE: Allows an application to read from external storage.
  android.permission.READ_SMS: Allows an application to read SMS messages.
  android.permission.RECEIVE_SMS: Allows an application to receive SMS messages.
  android.permission.SEND_SMS: Allows an application to send SMS messages.
  android.permission.ACCESS_COARSE_LOCATION: Allows an app to access approximate location.
  android.permission.SYSTEM_ALERT_WINDOW: Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps.
  android.permission.CALL_PHONE: Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call.
  android.permission.CAMERA: Required to be able to access the camera device.
- Uses Crypto APIs (might try to encrypt user data). 1 TTP, 1 IoC.
  Framework API call: javax.crypto.Cipher.doFinal (process: com.ygi.hmwjqf)
Processes
com.ygi.hmwjqf (PID 4291)
  - Requests cell location
  - Checks CPU information
  - Loads dropped Dex/Jar
  - Queries information about the current Wi-Fi connection
  - Reads the content of SMS inbox messages.
  - Reads the content of the SMS messages.
  - Registers a broadcast receiver at runtime (usually for listening for system events)
  - Checks if the internet connection is available
  - Uses Crypto APIs (might try to encrypt user data)
  child: /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.ygi.hmwjqf/files/rui/fKHUOiL.jar --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/com.ygi.hmwjqf/files/rui/oat/x86/fKHUOiL.odex --compiler-filter=quicken --class-loader-context=& (PID 4317)
    - Loads dropped Dex/Jar
  child: /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.ygi.hmwjqf/files/Plugin2.apk --output-vdex-fd=72 --oat-fd=74 --oat-location=/data/user/0/com.ygi.hmwjqf/files/oat/x86/Plugin2.odex --compiler-filter=quicken --class-loader-context=& (PID 4363)
    - Loads dropped Dex/Jar
  child: getprop ro.product.cpu.abi (PID 4397)
  child: getprop ro.product.cpu.abi2 (PID 4417)
Network
MITRE ATT&CK Mobile v15
Defense Evasion
- Download New Code at Runtime (1)
- Execution Guardrails (1)
  - Geofencing (1)
- Virtualization/Sandbox Evasion (1)
  - System Checks (1)
Downloads