Analysis
max time kernel: 175s
max time network: 186s
platform: android_x86
resource: android-x86-arm-20240514-en
resource tags: android, arch:arm, arch:x86, image:android-x86-arm-20240514-en, locale:en-us, os:android-9-x86, system
submitted: 18/05/2024, 16:07

Static task: static1
Behavioral task: behavioral1
Sample: 559c94a2bb96582e732017e0ca1731e2_JaffaCakes118.apk
Resource: android-x86-arm-20240514-en

General
Target: 559c94a2bb96582e732017e0ca1731e2_JaffaCakes118.apk
Size: 24.9MB
MD5: 559c94a2bb96582e732017e0ca1731e2
SHA1: 0df497ffcf68347baff2939f50696bbca3235673
SHA256: 9e42e5df2512a52da5176fc9c34652ed6e1e7d52f8ddd7a9fe47ad56422b36e0
SHA512: ef6421be80a1c2a5031df30aa15ac21a21ff27a9585eaedd0baffa166cbbf038d810cbd3cd25015a355089d4695a30bc214cf5dd93d55c1999b04d1af8937f59
SSDEEP: 786432:Qkv22GMQ8xbwxBPG9gjDj8Hedv7FWJwtXc:j221kxZ6g3Y+v5WgXc
Malware Config
Signatures
-
Checks if the Android device is rooted. 1 TTPs, 2 IoCs
  IoC: /system/bin/su  Process: com.wondersgroup.hs.healthcloud.patient
  IoC: /system/xbin/su  Process: com.wondersgroup.hs.healthcloud.patient
-
Requests cell location. 2 TTPs, 1 IoCs
Uses Android APIs to get the current cell location.
  IoC: Framework service call com.android.internal.telephony.ITelephony.getCellLocation  Process: com.wondersgroup.hs.healthcloud.patient
-
Checks CPU information. 2 TTPs, 1 IoCs
Reads CPU information that can indicate whether the system is an emulator.
  IoC: File opened for read /proc/cpuinfo  Process: com.wondersgroup.hs.healthcloud.patient
-
Checks memory information. 2 TTPs, 1 IoCs
Reads memory information that can indicate whether the system is an emulator.
  IoC: File opened for read /proc/meminfo  Process: com.wondersgroup.hs.healthcloud.patient
-
Queries information about running processes on the device. 1 TTPs, 2 IoCs
The application may abuse the framework's APIs to collect information about running processes on the device.
  IoC: Framework service call android.app.IActivityManager.getRunningAppProcesses  Process: com.wondersgroup.hs.healthcloud.patient
  IoC: Framework service call android.app.IActivityManager.getRunningAppProcesses  Process: com.wondersgroup.hs.healthcloud.patient:pushservice
-
Queries information about the current Wi-Fi connection. 1 TTPs, 1 IoCs
The application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
  IoC: Framework service call android.net.wifi.IWifiManager.getConnectionInfo  Process: com.wondersgroup.hs.healthcloud.patient
-
Queries information about the current nearby Wi-Fi networks. 1 TTPs, 1 IoCs
The application may abuse the framework's APIs to collect information about nearby Wi-Fi networks.
  IoC: Framework service call android.net.wifi.IWifiManager.getScanResults  Process: com.wondersgroup.hs.healthcloud.patient
-
Registers a broadcast receiver at runtime (usually for listening for system events). 1 TTPs, 2 IoCs
  IoC: Framework service call android.app.IActivityManager.registerReceiver  Process: com.wondersgroup.hs.healthcloud.patient
  IoC: Framework service call android.app.IActivityManager.registerReceiver  Process: com.wondersgroup.hs.healthcloud.patient:pushservice
-
Checks if the internet connection is available. 1 TTPs, 2 IoCs
  IoC: Framework service call android.net.IConnectivityManager.getActiveNetworkInfo  Process: com.wondersgroup.hs.healthcloud.patient:pushservice
  IoC: Framework service call android.net.IConnectivityManager.getActiveNetworkInfo  Process: com.wondersgroup.hs.healthcloud.patient
-
Reads information about the phone network operator. 1 TTPs
-
Uses Crypto APIs (might try to encrypt user data). 1 TTPs, 2 IoCs
  IoC: Framework API call javax.crypto.Cipher.doFinal  Process: com.wondersgroup.hs.healthcloud.patient
  IoC: Framework API call javax.crypto.Cipher.doFinal  Process: com.wondersgroup.hs.healthcloud.patient:pushservice
Processes
-
com.wondersgroup.hs.healthcloud.patient (PID 4307)
- Checks if the Android device is rooted.
- Requests cell location
- Checks CPU information
- Checks memory information
- Queries information about running processes on the device
- Queries information about the current Wi-Fi connection
- Queries information about the current nearby Wi-Fi networks
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Checks if the internet connection is available
- Uses Crypto APIs (Might try to encrypt user data)
  Child process: /system/bin/cat /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq (PID 4424)
  Child process: /system/bin/cat /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_min_freq (PID 4448)
-
com.wondersgroup.hs.healthcloud.patient:pushservice (PID 4361)
- Queries information about running processes on the device
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Checks if the internet connection is available
- Uses Crypto APIs (Might try to encrypt user data)
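The root and emulator probes recorded above (the two su paths, /proc/cpuinfo, /proc/meminfo, and the two cat children reading cpufreq sysfs files) are exactly the inputs that generic anti-analysis code keys on. The Python below is an added example and is not code from the sample, the sandbox, or the app vendor; the app's real decision logic is not visible in this report. The vendor strings, the hypervisor flag, the 2 GiB memory threshold and the three simulated environments are constructed assumptions, chosen so that an android-x86 image like the one used here trips every heuristic while a physical ARM handset trips none.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed inputs (not captured from the sandbox). CPUINFO_X86 resembles what an
# android-x86 guest under a hypervisor reports; CPUINFO_ARM resembles a physical handset.
CPUINFO_X86 = (
    "processor\t: 0\n"
    "vendor_id\t: GenuineIntel\n"
    "cpu family\t: 6\n"
    "model name\t: Intel(R) Xeon(R) CPU\n"
    "flags\t\t: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov hypervisor\n"
)
CPUINFO_ARM = (
    "processor\t: 0\n"
    "model name\t: ARMv8 Processor rev 2 (v8l)\n"
    "Hardware\t: Qualcomm Technologies, Inc SM8250\n"
)
MEMINFO_1G = "MemTotal:        1048576 kB\nMemFree:          204800 kB\n"
MEMINFO_8G = "MemTotal:        7864320 kB\nMemFree:         2048000 kB\n"

# The paths the report shows the sample touching.
SU_PATHS = ("/system/bin/su", "/system/xbin/su")
CPUFREQ_PATHS = (
    "/sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq",
    "/sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_min_freq",
)


@dataclass
class Environment:
    """A simulated device: /proc contents plus which paths exist (value None = absent)."""
    cpuinfo: str
    meminfo: str
    files: Dict[str, Optional[str]]


def cpu_indicators(cpuinfo: str) -> List[str]:
    """Emulator hints readable from /proc/cpuinfo (assumed heuristics)."""
    hits = []
    if re.search(r"^vendor_id\s*:\s*(GenuineIntel|AuthenticAMD)", cpuinfo, re.M):
        hits.append("x86 vendor_id")           # ARM handsets print no vendor_id line
    if re.search(r"^flags\s*:.*\bhypervisor\b", cpuinfo, re.M):
        hits.append("hypervisor CPU flag")     # exposed to KVM/QEMU guests
    if re.search(r"^Hardware\s*:.*(Goldfish|ranchu)", cpuinfo, re.M | re.I):
        hits.append("emulator Hardware name")  # classic Android emulator boards
    return hits


def mem_indicators(meminfo: str, floor_kb: int = 2 * 1024 * 1024) -> List[str]:
    """Flag MemTotal below floor_kb; 2 GiB is an assumed threshold, not the app's."""
    m = re.search(r"^MemTotal:\s*(\d+) kB", meminfo, re.M)
    if m and int(m.group(1)) < floor_kb:
        return ["MemTotal %s kB below %d kB" % (m.group(1), floor_kb)]
    return []


def root_indicators(files: Dict[str, Optional[str]]) -> List[str]:
    """An existing su binary at either path the report lists is treated as a root hint."""
    return ["%s present" % p for p in SU_PATHS if files.get(p) is not None]


def cpufreq_indicators(files: Dict[str, Optional[str]]) -> List[str]:
    """Many x86/QEMU images ship no cpufreq driver, so both sysfs files are missing."""
    if all(files.get(p) is None for p in CPUFREQ_PATHS):
        return ["cpufreq sysfs files absent"]
    return []


def assess(env: Environment) -> Dict[str, List[str]]:
    """Collect every emulator and root indicator that fires for the environment."""
    return {
        "emulator": cpu_indicators(env.cpuinfo)
        + mem_indicators(env.meminfo)
        + cpufreq_indicators(env.files),
        "root": root_indicators(env.files),
    }


# Three constructed environments: a sandbox-like x86 guest, a stock phone, a rooted phone.
_PHONE_FILES = {CPUFREQ_PATHS[0]: "2841600\n", CPUFREQ_PATHS[1]: "300000\n"}
SANDBOX = Environment(CPUINFO_X86, MEMINFO_1G, {})
PHONE = Environment(CPUINFO_ARM, MEMINFO_8G, dict(_PHONE_FILES))
ROOTED_PHONE = Environment(CPUINFO_ARM, MEMINFO_8G,
                           dict(_PHONE_FILES, **{"/system/xbin/su": "ELF..."}))

if __name__ == "__main__":
    for name, env in (("sandbox", SANDBOX), ("phone", PHONE), ("rooted phone", ROOTED_PHONE)):
        print(name, assess(env))
```

Two points for triage follow from this. First, the report was produced on an android-x86 image, so any x86-vendor or hypervisor-flag heuristic would have fired here, and behaviour gated on "not an emulator" may simply not have run during the 175s kernel window; a rerun on an ARM image or a physical device is the check to make before concluding the sample is benign. Second, every signature on this page is also consistent with an ordinary app carrying an anti-tamper or analytics SDK: the only named files written are tencent_analysis.db and pri_tencent_analysis.db under the app's own data directory, and Cipher.doFinal from both processes says nothing on its own about what is encrypted or why.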
Network
MITRE ATT&CK Mobile v15
Defense Evasion
- Execution Guardrails (1)
  - Geofencing (1)
- Virtualization/Sandbox Evasion (2)
  - System Checks (2)
Downloads
-
Filesize: 512B
MD5: 211811ccac2019019c4e19415dfd9cc0
SHA1: 738f428b4ffad2b331cedcb93c50d8063ceee7ea
SHA256: 7d53cbb2b15f9043a00b87d78439ea245ad90bd8c7457fa74ba5ce4e8e8579ad
SHA512: 68abe21d7699476a432ea1d47b55d057eb6c6b0dfcb2b00649400b82f3266b14b37143e126ebc7196a1d0ef188e543a4102f3ce7af581d9e454b5067a2700d2f
-
Filesize: 32KB
MD5: 47e34d7f22f672cd24b93fcf146dd5f5
SHA1: fb7c0ea1d01ab4888c6031f1bef9e7df555f7acf
SHA256: f2fec17fa8713fc73ca98474ec8dee6642b3ab25ab7c75ed67241cedccc4e0a6
SHA512: 8faee598dabe9f7e40b285657b43f0f77c1abddf9a9e785a705a7c78313883d58501e44056ea72544fb9d565ad3263d33c9e84e7d63976be28a030aa1b18b858
-
Filesize: 4KB
MD5: e6242131a071ccf7ebb2cca364a57485
SHA1: 4741ce47e4768d95b07a31678db4a66169b71562
SHA256: 09f5a184e4f4c53a23b7fa39fc0f907eaf487ef47880722b68f9d7bca82e4b50
SHA512: ca0aae789e78b9bd39e8c017644c618f803a1c8d02b7f74338806f3c23635737f7c823ed4d8f03f106a564f7993dae6cf564fc580a0f55bf899600f49690531e
-
Filesize: 185KB
MD5: c559e1cf8cac0bfa141278dc987a1976
SHA1: 00cd7915fa32d3eec2796571e19ee9b9271aeab3
SHA256: 2114aad2f15544212c07cd04a36d817a8eae772a0aa0a3acd7230cddf81ebf0a
SHA512: 31526f5588f30778266b1743a7840d62575f39cf783810194f141469847ac61962e17ff3ba63354128fda99cc480a47328b18680b480589ecb44180674dc575d
-
Filesize: 32KB
MD5: bb7df04e1b0a2570657527a7e108ae23
SHA1: 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256: c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512: 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012
-
Filesize: 32KB
MD5: a9d6eb85654189c69aa1aa6d7b4e9032
SHA1: 160bed5adf0fae6195c99dcca9c58371cd4b6be1
SHA256: e32f997675a72734b7e61bb64cadcecf17359534b600ec19c10ff5d4abbc0365
SHA512: 0abce3ffc33ab2cb69ab2cd6cac8dcac7112c19f92e9839af36f75b963e821b9b9be0d91e6a53c47470344b3e3f040b382fd5fdb0efacd4e98f3dcd59fea442f
-
Filesize: 4KB
MD5: fb94489ed872af1c23994e6303b6bce3
SHA1: 8ec28e9f34b4e2a93ba0cc60dca4f37ce0202228
SHA256: 6047554b242782e084deb42d7693ce5b3b0a9e56fd69292c20050b17add5151c
SHA512: 19c3aafd93992f8866821c1449cef4bacf95f5ee1c5764e53d06b6bcd64f70da3237617f14a7b7e0f56772c7d80a3a240c4806df7fb83834a290e95ecf634eb4
-
Filesize: 168KB
MD5: 50a46d64496658abc64d837699413be5
SHA1: 645d83b47c8fefc2a069262bad40f630b2d0d814
SHA256: 57dc792fe40527ca5237887d06e3a855c4a6ef681ccb68977d759e8c8c0967a8
SHA512: 3ad2c3c5f0a7adba773138194f1125f2142e46a807fd578b75b308ef9555fd5265240759c6acc1473e0b5e9a4bc6fe7404446898c499c90d18c754c3e88012fe
-
Filesize: 4KB
MD5: dc807f4fc9b349cf6af302e7931117f6
SHA1: 8a778c4fa0a91af206003f6b04d2b3dc71e25754
SHA256: 1bd265d938b0e2de1f0509e3d591426d1489def87f435be630803ce8342f1074
SHA512: 8968dff21934334c7c329a8681e9ac1a4bd0755ef742cca38a7dc3c3686cd60d9bce1c9a6899f00d46840d162788dd5689475a8eefb9257e2117709450acefbe
-
Filesize: 24KB
MD5: e32a7f84eeef820cd6c216b3d7b7c11d
SHA1: 76162dc140e725df40ec936d84ca09ce14d21d0b
SHA256: d9e857d4f6a0f2a243568cff5e57b2037be66bd5811b4a2d534f5ed9e69a855e
SHA512: 40ed0eb88266dabf9d3e45fd60679f5f019686fcc7e85addbc6d079883a29e40d9a032b4f3cef934882a1e9de128ac3f21b2465e6060e873f220400edf23cf3b
-
/data/data/com.wondersgroup.hs.healthcloud.patient/databases/pri_tencent_analysis.db_com.wondersgroup.hs.healthcloud.patient-journal
Filesize: 512B
MD5: 8d7652e1280fbe5ed02a6e838dfe4342
SHA1: 95b09ddfc920fef1204d727beb7e20c7326a8274
SHA256: ebfdc765466f940a001ffe917dbf3f0f8ac6184b8894ad83e29cd396ffa0e85f
SHA512: 4675b2a22387c1f22ebaedfbd6ce8ccfc12ddbd67ef38dd6d7449790e9e2771da0cb64ba970b208e1a9326446d1126e403c4f538de9269c36e7f64d0a5c1821d
-
/data/data/com.wondersgroup.hs.healthcloud.patient/databases/pri_tencent_analysis.db_com.wondersgroup.hs.healthcloud.patient-wal
Filesize: 64KB
MD5: 54c7f313ceb58bf2f88923ef4d326ee1
SHA1: 6739451e00d4ffe93f8dc0bfa2138635135ceac0
SHA256: 1ce88eadbd60f2af859fa3b9240098472e6c943213bf4e8ee62eaf84da2994e0
SHA512: 3d1f31ec0440c9e682850689b9ab3447006fcebd1783c6d6e2f66270ef8e84fc02cd0dd2a1aa97851bda6c5458a460cf2728a43da582e863d0511c2cdd6e13d7
-
/data/data/com.wondersgroup.hs.healthcloud.patient/databases/tencent_analysis.db_com.wondersgroup.hs.healthcloud.patient-journal
Filesize: 512B
MD5: 30fe769c1da03ed0bce9b833ed215927
SHA1: caa72aba1a19e3f5876315c5540e12d6712c47b6
SHA256: 0de797de75cfd2dd2c140d2e19b72d70e547d696fb25cf594759405af47cef30
SHA512: 65c8ccd762aed43d2a6d8828cd6b36f3dee85957bf724649ec37dcda0f5d5c70cb2ef351368825cf31de12c5c5046137040466ee762d7c930967e069aa382ac1
-
/data/data/com.wondersgroup.hs.healthcloud.patient/databases/tencent_analysis.db_com.wondersgroup.hs.healthcloud.patient-wal
Filesize: 88KB
MD5: 420496b639b16db67cd33177743cdac0
SHA1: efac6ea7dcdb9ec14f4ad52aaf64b380d5ad16b8
SHA256: 099a61c476086b4c2213ae3c5fa782d03e2fa99b46e0cabecbcf4c100808f33d
SHA512: b3deeb15048f7ece61a9d5c8014285593f5c4b8a79d5db86905240f7aed176deee6e1813f1a953101a2edabd05db882ef3b21ffe4f960c70487cc26b602abc7f
-
Filesize: 80B
MD5: e0f7d76d07ade18d9d0c9be1d87422c6
SHA1: 2abfcf6c92ee63c4dee91646c9d6e3d49c6024fb
SHA256: 8aecd796607ec1c3d8598f7ef2c5848a1b08d1dacb1a4d792e812c0f3a20eebc
SHA512: 39e76def78057e9a50651523db3d2b3e2c148b5c63bc46b86fecfc9e4a5c68ef31553551f8533ddc7e0e64355cc1a658d5d79f76e368c3c3766ddcb1ee3727c2
-
Filesize: 82B
MD5: e8be01a3d651b9f955cbb28d7fe2f623
SHA1: 04010f8b539c2e98c8d7b7752e9879547aa9dc0f
SHA256: 97f36bba6fac1a853fc47a62ed426b46325a58a209d20a7c232641ffba4e44f4
SHA512: 19eb61bf037bcc667e6a19773beee13011faffc9a5f8efffebddeb5e27e017bc47f26e143de5e9f471668bdd9eb445fb85afda410b065f0d3ae323169ba4b34f
-
Filesize: 57B
MD5: 70a42cba408700f9a6c01c7941a8829e
SHA1: eab01cc2c0671538795fb0b1146017dc099d0984
SHA256: 499576707ce2623293166979e59c832be5b8636c64ad39aa63ebcf961910c35f
SHA512: 8900d4dc8eed0430babbacb72942401bd22ef7fe5430cad90d3ce0c2c53010220d666aa0e2eb1026f3ec81d574c7fa12585b49222a5f15b01637f6ba134fe70c
-
Filesize: 4KB
MD5: f2b4b0190b9f384ca885f0c8c9b14700
SHA1: 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256: 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512: ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1
-
Filesize: 32B
MD5: 27e11278f1ad5ea170159841bef85eb9
SHA1: c9eef99d176b102d5e614c7dfde3eec770eb29eb
SHA256: f2467b897f7539b0050def69eb667969a28a40a9d86848bfe321c3e220f0fd88
SHA512: 3cbc94ccc003813c16a8150d555e2bac8bfe58d42ea985da414f0a2283b86667ad75e9ba52cac0e61d4397f77d60b5731851c125eb9b90fb8174f6cbf80256b9