b8b9868a24898c8cb39d90c6d38233efabff5b0daf67bbbb54d1e3d0751dd4cb

Analysis

max time kernel
180s
max time network
148s
platform
android_x64
resource
android-x64-20240514-en
resource tags

androidarch:x64arch:x86image:android-x64-20240514-enlocale:en-usos:android-10-x64system
submitted
19-05-2024 06:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

58fb8f875f3c9acf0fd0c4ee3c0a002a_JaffaCakes118.apk
Size

562KB
MD5

58fb8f875f3c9acf0fd0c4ee3c0a002a
SHA1

7afd33c865c9c6074fca3ef720fb04c5bb86a3d2
SHA256

b8b9868a24898c8cb39d90c6d38233efabff5b0daf67bbbb54d1e3d0751dd4cb
SHA512

5406a148eb107934f56c562670c4097a1390547634e7636e978e0ac21a4e5fba2908637aaf954b972e3ab6d8a7b1a3555b3fff2589c0ed4993f247aa83fb9cba
SSDEEP

6144:mXnEmVNxM4ReDzUjfk40/tbpZt2ixtxrEIcpnb1tX/LznGPgnYXfx0A1Yy78T0Pj:mXnEEM4cqi1bAixputzzGPgYXvP4lG

Score

8^/10

banker collection discovery evasion stealth trojan

Malware Config

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Removes its main activity from the application launcher 1 TTPs 1 IoCs
stealth trojan evasion

Suppress Application Icon
T1628.001

Processes:

com.loliqkzwuw.oldtf

pid process

5111 com.loliqkzwuw.oldtf
Loads dropped Dex/Jar 1 TTPs 1 IoCs
Runs executable file dropped to the device during analysis.
evasion

Download New Code at Runtime
T1407

Processes:

com.loliqkzwuw.oldtf

ioc pid process

/data/user/0/com.loliqkzwuw.oldtf/app_dxpvp/humltau.jar 5111 com.loliqkzwuw.oldtf
Queries information about running processes on the device 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about running processes on the device.
discovery

Process Discovery
T1424

Processes:

com.loliqkzwuw.oldtf

description ioc process

Framework service call android.app.IActivityManager.getRunningAppProcesses com.loliqkzwuw.oldtf
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
discovery

System Network Configuration Discovery
T1422

Processes:

com.loliqkzwuw.oldtf

description ioc process

Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone com.loliqkzwuw.oldtf
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422
Reads the content of the browser bookmarks. 1 TTPs 1 IoCs
collection

Data from Local System
T1533

Processes:

com.loliqkzwuw.oldtf

description ioc process

URI accessed for read content://browser/bookmarks com.loliqkzwuw.oldtf
Acquires the wake lock 1 IoCs

Processes:

com.loliqkzwuw.oldtf

description ioc process

Framework service call android.os.IPowerManager.acquireWakeLock com.loliqkzwuw.oldtf
Checks if the internet connection is available 1 TTPs 1 IoCs
discovery

System Network Connections Discovery
T1421

Processes:

com.loliqkzwuw.oldtf

description ioc process

Framework service call android.net.IConnectivityManager.getActiveNetworkInfo com.loliqkzwuw.oldtf
Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
discovery

System Network Configuration Discovery
T1422

pid	process
5111	com.loliqkzwuw.oldtf

ioc	pid	process
/data/user/0/com.loliqkzwuw.oldtf/app_dxpvp/humltau.jar	5111	com.loliqkzwuw.oldtf

description	ioc	process
Framework service call	android.app.IActivityManager.getRunningAppProcesses	com.loliqkzwuw.oldtf

description	ioc	process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.loliqkzwuw.oldtf

description	ioc	process
URI accessed for read	content://browser/bookmarks	com.loliqkzwuw.oldtf

description	ioc	process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.loliqkzwuw.oldtf

description	ioc	process
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.loliqkzwuw.oldtf

com.loliqkzwuw.oldtf
1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Queries information about running processes on the device
- Queries the mobile country code (MCC)
- Reads the content of the browser bookmarks.
- Acquires the wake lock
- Checks if the internet connection is available
PID:5111

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Hide Artifacts

T1628

Suppress Application Icon

T1628.001

Credential Access

Discovery

Process Discovery

T1424

Software Discovery

T1418

Security Software Discovery

T1418.001

System Network Configuration Discovery

T1422

System Network Connections Discovery

T1421

Lateral Movement

Collection

Data from Local System

T1533

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.loliqkzwuw.oldtf/app_dxpvp/humltau.jar

Filesize
224KB

MD5
c0de4ca82aea8345ef36d4a527a69e73

SHA1
b104e731b2de1a1c31c0db4436540f31019a4d79

SHA256
521f27d3fb8e95c5e4472077d43404c5f77f35fc273c9576b3b6363a436d0054

SHA512
1348a491fc523a5dd8b7e78aa8803a9c75ffe23b0e65aba513c90448ae895eb0475523f252c7f78a80b7070e2c15b5eaf611f672f10cf0309e615b2bbd09ad01

Download Submit
/data/data/com.loliqkzwuw.oldtf/app_dxpvp/oat/humltau.jar.cur.prof

Filesize
436B

MD5
e895c52c1340a180b741c85cc49c1ffc

SHA1
ac07bf50c7a546a17ab1549d96e4718744955aa8

SHA256
b61cbf03af98c86b1655d6dbe8f0de732bce87ca1b6afa8129874570437f6e97

SHA512
2bfb60dcd8424f6075dc6aabd11610d0082381fc79f94611620a3734225be8e9f6114bef1b1f09be6f3752069ffad6da545fc6717dcc6e875ad9e87a1c8d661c

Download Submit
/data/user/0/com.loliqkzwuw.oldtf/app_dxpvp/humltau.jar

Filesize
558KB

MD5
c32eed2295fa9b67b3fedb648718b8e7

SHA1
c55ca4d640a1a71c93274f672873238ba84761e7

SHA256
9b8407b13048e946d49853d8de2bc529aa3ed1a29f86faf2d227f7e97424ef88

SHA512
0bdd5486e7f2daa0e00091c5af7749219260c2de8ef8cc062c565396780f3f3476b70dc4964f97463916db1a088790cd8737166c575fea7c7beec81e0a367582

Download Submit