6c6740ad4344878c8ceb7df2a88edfbafa530cbd3f2c020408dd572e1aa050b3

Analysis

max time kernel
20s
max time network
131s
platform
android_x64
resource
android-x64-arm64-20240514-en
resource tags

androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240514-enlocale:en-usos:android-11-x64system
submitted
18-05-2024 17:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

55d36a9ea95f5264426b1e225c27cd11_JaffaCakes118.apk
Size

4.1MB
MD5

55d36a9ea95f5264426b1e225c27cd11
SHA1

08f36da845cfa4e78803030918466bb1e8789d07
SHA256

6c6740ad4344878c8ceb7df2a88edfbafa530cbd3f2c020408dd572e1aa050b3
SHA512

b1250de2b1ad7bcc6a7375e7285832db3a93f5d4764cda5d587d17b122d36094dad0f12970720aa6903b9da1e1f7cafc577ded74d353dd359f980dbc7bd222a3
SSDEEP

98304:hBhSDK7VMRDPlepddpf/LU9MiGHNSU9C+76cNvsVZc+oKvDhP:ZSDK5GDtsrVLk4S/+Q+c7hP

Score

8^/10

collection credential_access discovery evasion execution impact persistence

Malware Config

Signatures

Requests cell location 2 TTPs 1 IoCs
Uses Android APIs to to get current cell location.
collection discovery evasion

Location Tracking
T1430

Geofencing
T1627.001

Processes:

ir.pedar.halva

description ioc process

Framework service call com.android.internal.telephony.ITelephony.getCellLocation ir.pedar.halva
Checks CPU information 2 TTPs 1 IoCs
Checks CPU information which indicate if the system is an emulator.
evasion discovery

System Checks
T1633.001

System Information Discovery
T1426

Processes:

ir.pedar.halva

description ioc process

File opened for read /proc/cpuinfo ir.pedar.halva
Checks memory information 2 TTPs 1 IoCs
Checks memory information which indicate if the system is an emulator.
evasion discovery

System Checks
T1633.001

System Information Discovery
T1426

Processes:

ir.pedar.halva

description ioc process

File opened for read /proc/meminfo ir.pedar.halva
Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs
Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
collection credential_access impact

Clipboard Data
T1414

Transmitted Data Manipulation
T1641.001

Processes:

ir.pedar.halva

description ioc process

Framework service call android.content.IClipboard.addPrimaryClipChangedListener ir.pedar.halva
Acquires the wake lock 1 IoCs

Processes:

ir.pedar.halva

description ioc process

Framework service call android.os.IPowerManager.acquireWakeLock ir.pedar.halva
Checks if the internet connection is available 1 TTPs 1 IoCs
discovery

System Network Connections Discovery
T1421

Processes:

ir.pedar.halva

description ioc process

Framework service call android.net.IConnectivityManager.getActiveNetworkInfo ir.pedar.halva
Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422
Schedules tasks to execute at a specified time 1 TTPs 1 IoCs
Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
execution persistence

Scheduled Task/Job
T1603

Processes:

ir.pedar.halva

description ioc process

Framework service call android.app.job.IJobScheduler.schedule ir.pedar.halva

description	ioc	process
Framework service call	com.android.internal.telephony.ITelephony.getCellLocation	ir.pedar.halva

description	ioc	process
File opened for read	/proc/cpuinfo	ir.pedar.halva

description	ioc	process
File opened for read	/proc/meminfo	ir.pedar.halva

description	ioc	process
Framework service call	android.content.IClipboard.addPrimaryClipChangedListener	ir.pedar.halva

description	ioc	process
Framework service call	android.os.IPowerManager.acquireWakeLock	ir.pedar.halva

description	ioc	process
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	ir.pedar.halva

description	ioc	process
Framework service call	android.app.job.IJobScheduler.schedule	ir.pedar.halva

ir.pedar.halva
1⤵
- Requests cell location
- Checks CPU information
- Checks memory information
- Obtains sensitive information copied to the device clipboard
- Acquires the wake lock
- Checks if the internet connection is available
- Schedules tasks to execute at a specified time
PID:4612

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

T1603

Persistence

Scheduled Task/Job

T1603

Privilege Escalation

Defense Evasion

Execution Guardrails

T1627

Geofencing

T1627.001

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Clipboard Data

T1414

Discovery

Location Tracking

T1430

System Information Discovery

T1426

System Network Configuration Discovery

T1422

System Network Connections Discovery

T1421

Lateral Movement

Collection

Clipboard Data

T1414

Location Tracking

T1430

Command and Control

Exfiltration

Impact

Data Manipulation

T1641

Transmitted Data Manipulation

T1641.001

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/ir.pedar.halva/databases/__pushe_base_lib_db

Filesize
24KB

MD5
d66c85906e4bf9c94e062b9e56d3c7de

SHA1
eec36812635c568175a379f982b10c38d6a43a02

SHA256
abfb5dc5723ba72416179a8747184f4ecac372abceaf927e15adea6299dc7453

SHA512
71ed55d477e1e9d2902fd025024d5b9078b5872730220960bfcb7ee627339e6caf0c7228a85a4d7cb871b590bcd9da955d65411428df7680cd7e4cd4f33f63eb

Download Submit
/data/user/0/ir.pedar.halva/databases/__pushe_base_lib_db-journal

Filesize
8KB

MD5
31e025fa66b0eb34ffb297465ab416f2

SHA1
3cabd133a36bd329c302a1790a56d9f10349b76e

SHA256
dcf91885f909d8b784c159173f4209648164c1b83bd3729d059de215a05569b1

SHA512
36d2c54c43533bf8dc0ac8a1c7535ac87fa810e0d0e8f76f12c078ca12f772b26dcdd163a4b716db0b80fa6519a9f24effc8215ef0e6a9348b8954f0e4878b2c

Download Submit
/data/user/0/ir.pedar.halva/databases/__pushe_base_lib_db-journal

Filesize
8KB

MD5
c4efe8c6e7a88c8704953b81504d1e9e

SHA1
ef6381dcf587123839fbb5f48ab5fa835c78ecaf

SHA256
950e4342e37a84240f4c34a10dff9b3bfcfc7f19779c2db73740d2fabb2a458a

SHA512
94de339657ad9d266fb2d1671aea33403ac9578b8518207207aeee2301309442451d5f42782d29be4aae57e9211310cd5b0c023acb6b948b8376a42634df6a08

Download Submit
/data/user/0/ir.pedar.halva/databases/__pushe_base_lib_db-journal

Filesize
8KB

MD5
64188ed55fc08b1aa2572cc4b78885c6

SHA1
c4d677bdf664583b7066d2324a6731cef2fb69ce

SHA256
7833a435f854cb635bf63671ee821e690ea97fb32189ced844b94b0318223cbe

SHA512
e8c6a426097eb575a2b143068007c12feea2a3bcc308f1f4d87f3e537f164d7c7c95c73955b24544abcec46c7e84e283f9d96f2cbdcd47c2e34bb8a804739750

Download Submit
/data/user/0/ir.pedar.halva/databases/__pushe_base_lib_db-journal

Filesize
8KB

MD5
bb51674a10882990bab6527bc15211b6

SHA1
43071fb96ea4ae9f1729b341efb16044ae76346d

SHA256
06838e442fd4383664743e5820691a8c0735809b759057c5a0dda8101f39ab28

SHA512
dfb27a0ea5c7a357f94001f95b901c4ef352bcc261d8a790ceb8dd15abe022340390cef44b405ba0aa334357a2aa18bc5ef22f351d188541cb653d95893df345

Download Submit
/data/user/0/ir.pedar.halva/databases/__pushe_base_lib_db-journal

Filesize
512B

MD5
e669e087092255289dc98a519884962b

SHA1
4b9c36ee0e4dc354cdb75a6216d887936198e908

SHA256
00be7e4f93cfaa6b919b7f502a1decd5186404519a0d8a12a6fae60e76aa35f1

SHA512
dd8dda9d5e795bb4c2ebc77913a2823e6554163ed8a20461fb9e13a9a2df72f87c5916b43eb6f6ea4266219f957df89e833c367c390b38c3f1d2a028e6b7eeeb

Download Submit
/data/user/0/ir.pedar.halva/databases/evernote_jobs.db

Filesize
16KB

MD5
163242409c9a9bfd7a7819760482390e

SHA1
c01212a0c889b133b569946b6f0a28f9a9644b32

SHA256
956585dd6a34a1cdbbb40051ec575716e95dfa00e0d7c82846513dee44a530a7

SHA512
6507f815af0809352b7fc3e50636cf51edd5a2058ca149fa983f22f7059fa74cd0b148f2728d0a0b847f98426db215d63e844d68bd315c0cccdf27c3672e9bee

Download Submit
/data/user/0/ir.pedar.halva/databases/evernote_jobs.db

Filesize
16KB

MD5
1048560c88f79667200751af8e8d37e5

SHA1
82a7bb54fc86d1299c8c9f55ae4016eb5aaa61ea

SHA256
30d233754ea36df55194bf7eb701174add939d9a6948ba0ba837db70d49dc940

SHA512
ca66d5c4fcf4e021deb942e55ad2a09f8ffa7517a2c6b92e1e7d43a71666e8c612c2bb8e7d3e035a945544456b7afee39c835feda6974722728678f838e3c44b

Download Submit
/data/user/0/ir.pedar.halva/databases/evernote_jobs.db

Filesize
16KB

MD5
93d015fa3816a76d9a6bd1c95424bdb6

SHA1
266614ef3bc472127d5738a67671ae58579a0e49

SHA256
e945ed165bb442c83d18abb160daadefcab33d95a8c0d6f1cba4731008ba65a6

SHA512
d649171fc3cd119f97604145508a2d7977f2e6c57af7db40ad87d8d25624a8341759ff4ef8e869c91e1e3ba9497a779bc222fef0646761acd46752732ef9ff5f

Download Submit
/data/user/0/ir.pedar.halva/databases/evernote_jobs.db

Filesize
16KB

MD5
899ed45e88ee81372c73460e5dffbc7e

SHA1
d6287e42e9e66dc6264991ebb0ab3d33c9aaea65

SHA256
92e04c2ac0aa982af4302c3c6eabb0fe4cdedc9bdedc9997b9931f46d81987a8

SHA512
d8d6d9864bb74f56b21d96ad4675710e88b60f84253d23d7d647d3fbf7ba5c3fdd831c37766d75c610fd3bb508b4373104c5b08964c68f1eaa22737073fca7ff

Download Submit
/data/user/0/ir.pedar.halva/databases/evernote_jobs.db

Filesize
16KB

MD5
47080e3bfcf2db9b8620f2faf6c5857a

SHA1
6f63c1851255e0fa99567f047382074b086d38bc

SHA256
dc4f8a73f49d2a6b41ff425fd08b85c1eba5280c438a1a1ff9832e91dfa56cbb

SHA512
e757043d82798926a5ddd716457accf6616894ad1ad79ec832293a1f662910b663239f899bf05a5c8d90fed5bcb093c5529e5bc842fe9003c1d5902f9ed84473

Download Submit
/data/user/0/ir.pedar.halva/databases/evernote_jobs.db

Filesize
16KB

MD5
0384d4a460bc74bababae0ae172a458d

SHA1
5324311c62ac834ca2683c753bfc494e0e8a674e

SHA256
ce6712e1685a6ce66196104cc3a87254c0c0e7610890a4778b9838bde0bea73e

SHA512
71a4e7d58cbec3cf927b0e7d3124328d3923463ade788ef60300e3a3e652c0786f60eae88c577576ec444db3732ba245516288f56a6971958f147fe4c683145d

Download Submit
/data/user/0/ir.pedar.halva/databases/evernote_jobs.db-journal

Filesize
8KB

MD5
1f2039b0f6553f6fc280191b5045caeb

SHA1
3b74f46cfcfbe0deb4c8e103a7313e60b3ba1ec0

SHA256
47b177f45ee7e86b58bf0078ff8a8ce074f8ac9e8da0fe541919130e87cf56b5

SHA512
47a41a7658cc0f84272b11b37a09aa51b76cb3c404fcc5bca687fa5f284ccd41e655d6fab5325e0eaab72ea99a8a1668430870d1d570a3822edb2069a5e9ceeb

Download Submit
/data/user/0/ir.pedar.halva/databases/evernote_jobs.db-journal

Filesize
8KB

MD5
ff2bbc5869418a31a1b6dc2e9e413e6d

SHA1
5593541f9af73d25d5cd602f8aba05c931e5ac6b

SHA256
810a3544a3790f25aa67c4e782b7019d81254a55647e4029ff0c274a70aed19e

SHA512
49b6621904645a1cd7b9dc43946f90a2472d057f09db558b63510361d35b1fcb13d3fe4801126076d6964496da0dd1aa315865eb69f78a14880fae041bfabd1a

Download Submit
/data/user/0/ir.pedar.halva/databases/evernote_jobs.db-journal

Filesize
512B

MD5
5a64eafdc329628f4ab491c755b9c38a

SHA1
63a67ba0bfaec00d0ae6f8b51a78620a6088dc63

SHA256
fde35c0320ae5bda792bc686f8cb12d822af3ccf62b47093cac1e0d0bd36e1e1

SHA512
f0eb3cf1c652ea0d1c5c7741d2874d8d92c96e2076613f308722152f4cb4698963d21b6dd61990da1d41f775d542f4a89744928afffab79f948b015d2ec3aeff

Download Submit
/data/user/0/ir.pedar.halva/databases/evernote_jobs.db-journal

Filesize
8KB

MD5
4ff764d61f792bfe330a76056495e49f

SHA1
ee7c81db2a447c5d589e4c65bfa86118a5b34885

SHA256
a6fb9eb0157b75244389ec3f0b8ea92bc7eb90bec39dc5e914df3ed7eb44b6ed

SHA512
ff7019aa3b0298ccea45e0101a818154423628bce2c925d1fab9df189a35c59a0a8926faa91ad54f77e87cce796229531cd6d8a3201a2254e1280d2115b34afb

Download Submit
/data/user/0/ir.pedar.halva/databases/evernote_jobs.db-journal

Filesize
8KB

MD5
6863d330b0c9f2e7db48c1e9f8bccb83

SHA1
a0c26eee4aa6516b402a6268701793b94a5c418d

SHA256
be82b155047515963907cd0703fc3b57ee54f20d7dbdb11ecf42a96f5537b3b1

SHA512
a183bfde252de2a34163bf920640f3c889d3aeeda3965f164bd27559b8b528af5579b19757dec6328b4e558d6be0d0fed8b01af02e8d90bf8ec8681819934d81

Download Submit
/data/user/0/ir.pedar.halva/databases/evernote_jobs.db-journal

Filesize
8KB

MD5
e01d269d3b034886cf349ea3d3d6d294

SHA1
3961c25c22074024d2223985674f95ceb612676c

SHA256
138c9c2be82cfe973449b273dcb4653c78fc48ecf9fdf580961d880e35ac46fd

SHA512
9b7adce328d7593465e4956a2c8cbe03dc7a08f63cb6b9d54bc83d7aaf513bcbf38bdc7e85c0cdef328f0a64c1bbd53610590896d8075512b321dac21e0566d8

Download Submit
/data/user/0/ir.pedar.halva/files/halva.db

Filesize
119KB

MD5
ccc0c1eab906f7cc08a6d6b35edabe47

SHA1
9e77c691259d22faa2409b8360eb440479b949f6

SHA256
244c44cbfa632b986e7d9c25eec6013a3e8e29cc32176e478482d7a631863d12

SHA512
e50757582aa3cdb1ee511450bfe576b3c8163d633d99bca7f42f1e33f5bba992c7edd3aa84fbe5aee1488b305c95e214b1a240b68637621e8d479efb47382002

Download Submit
/data/user/0/ir.pedar.halva/files/unsent_requests

Filesize
58B

MD5
0d210bfb2a0e1f1b4c082a6a0f79de07

SHA1
bb8ed9e364db79d1d9f2fcde3f15091893222faa

SHA256
988722c23d78a46021d0e7ca9deee7aa8bb83288269174ffacb7316f381cca1d

SHA512
536e9867b0df29b15b789f8949be6ab37fcdeccb9d39ded981da7dc2052c9533d0ec0e6f9a5444132977605d372e1463d91bdde41b528ff2ca3f65ab152325c1

Download Submit