6c6740ad4344878c8ceb7df2a88edfbafa530cbd3f2c020408dd572e1aa050b3

Analysis

max time kernel
21s
max time network
130s
platform
android_x86
resource
android-x86-arm-20240514-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20240514-enlocale:en-usos:android-9-x86system
submitted
18-05-2024 17:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

55d36a9ea95f5264426b1e225c27cd11_JaffaCakes118.apk
Size

4.1MB
MD5

55d36a9ea95f5264426b1e225c27cd11
SHA1

08f36da845cfa4e78803030918466bb1e8789d07
SHA256

6c6740ad4344878c8ceb7df2a88edfbafa530cbd3f2c020408dd572e1aa050b3
SHA512

b1250de2b1ad7bcc6a7375e7285832db3a93f5d4764cda5d587d17b122d36094dad0f12970720aa6903b9da1e1f7cafc577ded74d353dd359f980dbc7bd222a3
SSDEEP

98304:hBhSDK7VMRDPlepddpf/LU9MiGHNSU9C+76cNvsVZc+oKvDhP:ZSDK5GDtsrVLk4S/+Q+c7hP

Score

8^/10

collection discovery evasion execution persistence

Malware Config

Signatures

Requests cell location 2 TTPs 1 IoCs
Uses Android APIs to to get current cell location.
collection discovery evasion

Location Tracking
T1430

Geofencing
T1627.001

Processes:

ir.pedar.halva

description ioc process

Framework service call com.android.internal.telephony.ITelephony.getCellLocation ir.pedar.halva
Checks CPU information 2 TTPs 1 IoCs
Checks CPU information which indicate if the system is an emulator.
evasion discovery

System Checks
T1633.001

System Information Discovery
T1426

Processes:

ir.pedar.halva

description ioc process

File opened for read /proc/cpuinfo ir.pedar.halva
Checks memory information 2 TTPs 1 IoCs
Checks memory information which indicate if the system is an emulator.
evasion discovery

System Checks
T1633.001

System Information Discovery
T1426

Processes:

ir.pedar.halva

description ioc process

File opened for read /proc/meminfo ir.pedar.halva
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
discovery

System Network Configuration Discovery
T1422

Processes:

ir.pedar.halva

description ioc process

Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone ir.pedar.halva
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
persistence

Broadcast Receivers
T1624.001

Processes:

ir.pedar.halva

description ioc process

Framework service call android.app.IActivityManager.registerReceiver ir.pedar.halva
Acquires the wake lock 1 IoCs

Processes:

ir.pedar.halva

description ioc process

Framework service call android.os.IPowerManager.acquireWakeLock ir.pedar.halva
Checks if the internet connection is available 1 TTPs 1 IoCs
discovery

System Network Connections Discovery
T1421

Processes:

ir.pedar.halva

description ioc process

Framework service call android.net.IConnectivityManager.getActiveNetworkInfo ir.pedar.halva
Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422
Schedules tasks to execute at a specified time 1 TTPs 1 IoCs
Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
execution persistence

Scheduled Task/Job
T1603

Processes:

ir.pedar.halva

description ioc process

Framework service call android.app.job.IJobScheduler.schedule ir.pedar.halva

description	ioc	process
Framework service call	com.android.internal.telephony.ITelephony.getCellLocation	ir.pedar.halva

description	ioc	process
File opened for read	/proc/cpuinfo	ir.pedar.halva

description	ioc	process
File opened for read	/proc/meminfo	ir.pedar.halva

description	ioc	process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	ir.pedar.halva

description	ioc	process
Framework service call	android.app.IActivityManager.registerReceiver	ir.pedar.halva

description	ioc	process
Framework service call	android.os.IPowerManager.acquireWakeLock	ir.pedar.halva

description	ioc	process
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	ir.pedar.halva

description	ioc	process
Framework service call	android.app.job.IJobScheduler.schedule	ir.pedar.halva

ir.pedar.halva
1⤵
- Requests cell location
- Checks CPU information
- Checks memory information
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Acquires the wake lock
- Checks if the internet connection is available
- Schedules tasks to execute at a specified time
PID:4217

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

T1603

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Scheduled Task/Job

T1603

Privilege Escalation

Defense Evasion

Execution Guardrails

T1627

Geofencing

T1627.001

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Discovery

Location Tracking

T1430

System Information Discovery

T1426

System Network Configuration Discovery

T1422

System Network Connections Discovery

T1421

Lateral Movement

Collection

Location Tracking

T1430

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/ir.pedar.halva/databases/__pushe_base_lib_db

Filesize
4KB

MD5
f2b4b0190b9f384ca885f0c8c9b14700

SHA1
934ff2646757b5b6e7f20f6a0aa76c7f995d9361

SHA256
0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

SHA512
ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

Download Submit
/data/data/ir.pedar.halva/databases/__pushe_base_lib_db-journal

Filesize
512B

MD5
951a1be76fe312f0385045eb8f1eb858

SHA1
8457ebd03f2460bb8dc4766610a2ec3d3754680a

SHA256
363a1c31e599707fc0afd81797ff4c3fc06a747983c958a246efc07a3ddaae85

SHA512
15f909eac2d86334629af731773b4857393587beb9f845c723893f0cb41f072735b3c27496cc888945d13f0e086dc37b6f1d99bbd1d45fdc59d6a1f169fe799e

Download Submit
/data/data/ir.pedar.halva/databases/__pushe_base_lib_db-wal

Filesize
44KB

MD5
3dab151dcb18cda043a02578833d478f

SHA1
ec2de56be3f2e80d15bde2df8aa206d7a756b69b

SHA256
93f2a2233c31a66cf7b357b098475eceb9192deda576afa74871e15b8dc345b8

SHA512
56c98f6ca46d2ac18a2c5d1a6d31bf675ee82b08a7500cd564e3bd3a1d2bf65bf001791d94c4d7682dd07a0454d77af99343569c33948dbae200ad34b9e5507d

Download Submit
/data/data/ir.pedar.halva/databases/evernote_jobs.db

Filesize
16KB

MD5
5bfa42383d4d7732d3bff1d314da7e72

SHA1
f09819abe89ab317bc8a837293613c122b5d6369

SHA256
4846da950ecce67a363757235446b449074fa392d374784899b9948b5b873e3e

SHA512
d4e77b884a1840b45f80c400c3e10952361b3e843ae68f46cbb90d182c7fd81f023889c4702b29015000ce57d8bad33b0594ad96554bd18d8110ff96ca071598

Download Submit
/data/data/ir.pedar.halva/databases/evernote_jobs.db

Filesize
16KB

MD5
39967ed7892504a50c13ea7e9624fb41

SHA1
54d30295690473edddf72610552fff4f0a901a4d

SHA256
81067b1ebfc3fc8743ca86678a656e791d81bedd63bd9729fa75c0948079e081

SHA512
8adbb4d21ac07564fb814d2bc807924b2fa2f06fbbcc2ca50e3a3780829e9a74ec339600643a45df8430602c25dac19c5f491b2f683f15a720700f2ae995f1a0

Download Submit
/data/data/ir.pedar.halva/databases/evernote_jobs.db

Filesize
16KB

MD5
978fdf85b8448e3a7c9015e51477eb49

SHA1
793bb88398dc9457935a4416638d5ed3974baf19

SHA256
8f72919eebbe45ed6d33b7b763d7e45d76a880128aee9aa5c29d28ab79689a92

SHA512
852b2d3e2607c96625e9bcd454c702ccec6a0f07aba3410976d6400ecd2d48ccc92d93c8ce7fcc87a622d04357bd6805a996f11d339ca7fc3eab99c0e991fe38

Download Submit
/data/data/ir.pedar.halva/databases/evernote_jobs.db

Filesize
16KB

MD5
9d8fe4dc42991d2746d7c2776ce67c69

SHA1
e7e22739e2647cc086d9c1819eb8315dedee6b0c

SHA256
974bb1db91d003089f2911e00024cbbeddb0f35133a6db121a4a71df209e6793

SHA512
8949d0b078ee97765bd7b21308eaa7ed67d5a564ef785639bd097d49715e74958b68de9b5a57f08346861e16a0bef576f53d9212ed247e98ce795c1476377cec

Download Submit
/data/data/ir.pedar.halva/databases/evernote_jobs.db

Filesize
16KB

MD5
8cd2605e63c2c162d75798d7796b71f7

SHA1
8cc3e7b5fc1ab5542a1d0ed4c42ae6c6a2018912

SHA256
e975572f676f10cfe69d8960962ef980ed0c4bcfeabb35ca397db7c2f7fab0d6

SHA512
7879759325716ba431dabe0d37054d83cf9f8cd17709b61c3ef295e37c4f53d2cedaa55c0806d59223da4c9e9203e733cc12e4c8b7078ff30bf725ada7e06544

Download Submit
/data/data/ir.pedar.halva/databases/evernote_jobs.db

Filesize
16KB

MD5
96a6b55ff02bfcd4c5425e3be965e3c8

SHA1
ea82ecc2b8b5be550c263af378267eb8e8392e71

SHA256
6d0ffee274f76eaf9576bafc5839ca24cbd2c9f16baf6344a7fd2145b39ec5bf

SHA512
817631034473e6e4684cd5f5ab783f1f77a012ab47caa4894fe6832ffa0c58e935c2a9730522cb31a4e35020bc38035b666bd0c3c1119d798ff490b7cd433290

Download Submit
/data/data/ir.pedar.halva/databases/evernote_jobs.db-journal

Filesize
512B

MD5
729d84333d4eb78c6b23a45f6cf60eca

SHA1
cda1317ca56f4241581acd6f7454d81a38eff709

SHA256
9105ed18395f7457715fb1c6b7955b572cd9d0c960e4c31f2b7712ec8124c35b

SHA512
0c343951adf16590e716a23fd88e32d1b722afe40a754750c79c7b222174ce0bbcedbffad7531ad617e7ff464ca6e08a22c18a7e2ef19a6976abe4c828801edd

Download Submit
/data/data/ir.pedar.halva/databases/evernote_jobs.db-shm

Filesize
32KB

MD5
bb7df04e1b0a2570657527a7e108ae23

SHA1
5188431849b4613152fd7bdba6a3ff0a4fd6424b

SHA256
c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

SHA512
768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Download Submit
/data/data/ir.pedar.halva/databases/evernote_jobs.db-wal

Filesize
4KB

MD5
f09681ee11914605e63e155cad0c75c1

SHA1
58ed2be8058187923ee561a5187c12315764c342

SHA256
2006dbe4b71f3736e4107a9e12115dbf375100acc0e7e6f58d249de5e1e2a269

SHA512
e81d1f6d17d94604741441edd1ca05b7673ac1a13f786b9b26ee544cc2aa8737e202a68b971a03c90f28124e00b74ebfb0a8be7c64de2539b95e4cf69d7baa91

Download Submit
/data/data/ir.pedar.halva/databases/evernote_jobs.db-wal

Filesize
4KB

MD5
555e63568cdb8b70d233a2061a323a31

SHA1
8794b53c0d917d4701f3e39e7ea1934266e57ed7

SHA256
2ab3ffa55a11016cee8f04a7c9e6714ad0835ada5ff3a42b1409c3f142622090

SHA512
8f537a6639ff478d0166f1a798329c17e76668aa9c8925c8c2fe979197d2bf2d29ce141cf64c4af9b455ff9e214ba37b60f25657f2bfbe91d5e57bded14a0d99

Download Submit
/data/data/ir.pedar.halva/databases/evernote_jobs.db-wal

Filesize
4KB

MD5
573600d0282f8e94611c95a293a7591b

SHA1
5ca64a428def2834b8f2bd40cbae90956fe486d9

SHA256
4eee47e13077da92b4fbe1595ad2f96b507c92aaf6f24df0045745f9f67741c1

SHA512
df94308f8df6c172781ba1b3bbd84cac17135f2415acadb23ff24ede69723d94f0c4e89661d8275a887fe75f3acce6cf1db13db529735b98663ce2bd9ad3f091

Download Submit
/data/data/ir.pedar.halva/databases/evernote_jobs.db-wal

Filesize
4KB

MD5
1d42d19c14915e9a3645571886a598a6

SHA1
df5d3a9f69760b254dbdac5286899e2399bde45e

SHA256
0b6af0342d035cf42b3cf0c3de6ea846721f587c649d36d479a2dce0794335d4

SHA512
2242da504f51e89a4e67e6a48b1a3edfd0df3b8a04efef46625bc6494312c19d25c94b860cb2eb1ed8df4ed88a23743c0fc425020e16a0b1689096ac1307724b

Download Submit
/data/data/ir.pedar.halva/databases/evernote_jobs.db-wal

Filesize
28KB

MD5
6bf891a64f25cf2504d30d45fc4ebc63

SHA1
34d27e8140d7fc31576e3c8b6a3eef36aa87a3b9

SHA256
fd3bb5aabbdec1a175b8bf37fd881713636270de5318e86dcef7c66525875803

SHA512
0c919ab13bca7dff600ff5cbba65e0be4a02a7ec8ebcbd02ac72a92e2c3d4260b738d01302807de1a147c552f6f8ff86bd6302b606f27a52ff6ac161be83468f

Download Submit
/data/data/ir.pedar.halva/databases/evernote_jobs.db-wal

Filesize
4KB

MD5
62cd237ed54914dd3e16e90b999d5100

SHA1
b037ccb5691655520e385f14f9851f5a369cb4e5

SHA256
f632627eabdd99a2be6790635b3535d03cb9808962266dd735a174b59657530a

SHA512
91a928167c880b5b4de5669e4b2b42f57499f77b68c61d4a29c4e501b4ab6f5c2755a6d69153e0a91df7268136da40d4b87977929d5f6485f39c06cfaa979f42

Download Submit
/data/data/ir.pedar.halva/files/halva.db

Filesize
119KB

MD5
ccc0c1eab906f7cc08a6d6b35edabe47

SHA1
9e77c691259d22faa2409b8360eb440479b949f6

SHA256
244c44cbfa632b986e7d9c25eec6013a3e8e29cc32176e478482d7a631863d12

SHA512
e50757582aa3cdb1ee511450bfe576b3c8163d633d99bca7f42f1e33f5bba992c7edd3aa84fbe5aee1488b305c95e214b1a240b68637621e8d479efb47382002

Download Submit
/data/data/ir.pedar.halva/files/halva.db

Filesize
1024B

MD5
3fd7876e74e4e3b117a9d12ef6a19f9a

SHA1
9cd14ecf0916cb6d5fbc3535045a827674bf0616

SHA256
2f7ab51f71cf635876fc8b0d11d5bae683a2761222542ffaed856f1c99cea5a3

SHA512
9c0c15d696cfc6746e833cb439fb6b8ac4a99ba082e0dd9661cc81b89ce1b5edc72ad8e7f9707e3c4115f8b4f3706d2e8294bd85f5e7c7822489e70165a887e5

Download Submit
/data/data/ir.pedar.halva/files/halva.db-journal

Filesize
1KB

MD5
a2a50fbeb8900f844a75d19d09e1900d

SHA1
51b66dcf4b41588a4b900fcdc92e2ce20b76b76c

SHA256
b63f2a4a59663727639393e52ac3088dd5bb5a6d49f47dee6da8b50746a77ef7

SHA512
c35f44a332781282bcc73c9c954ca902eb4153bb9c8687c8eb0c8661d7714b8b8eac13a83a81976c2b25d43adf81b26a2188e96633dd0562fa56374ef862676d

Download Submit
/data/data/ir.pedar.halva/files/unsent_requests

Filesize
58B

MD5
0d210bfb2a0e1f1b4c082a6a0f79de07

SHA1
bb8ed9e364db79d1d9f2fcde3f15091893222faa

SHA256
988722c23d78a46021d0e7ca9deee7aa8bb83288269174ffacb7316f381cca1d

SHA512
536e9867b0df29b15b789f8949be6ab37fcdeccb9d39ded981da7dc2052c9533d0ec0e6f9a5444132977605d372e1463d91bdde41b528ff2ca3f65ab152325c1

Download Submit