d322d9e216c5479453051cc3d96927efc827c8e0ca6de62a6963c2dee4760e30

General

Target

625cb702476486e20e7d86d3616cc79c_JaffaCakes118.apk
Size

728KB
MD5

625cb702476486e20e7d86d3616cc79c
SHA1

46c3e3a4d41ec933169c257b67a77a013f9249b9
SHA256

d322d9e216c5479453051cc3d96927efc827c8e0ca6de62a6963c2dee4760e30
SHA512

5555c3ce8b4fb2478e3e622cc4b8f091ace4fc8cb14137cfb36056220af652671057f4a3821f29f2a9a63e33c6dde96168bbe6c87053ae7e093649a88a8c48a6
SSDEEP

12288:4IxKDEZXz+P96X3a86Df4nUErWZHYbnPYGoPG+4ta6Zv:4IxKU6P96X3pUPHYbnP/Y4v

Score

8^/10

banker collection credential_access discovery evasion impact persistence stealth trojan

Malware Config

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Removes its main activity from the application launcher 1 TTPs 1 IoCs
stealth trojan evasion

Suppress Application Icon
T1628.001

Processes:

com.pro.fla.off

pid process

5104 com.pro.fla.off
Checks memory information 2 TTPs 1 IoCs
Checks memory information which indicate if the system is an emulator.
evasion discovery

System Checks
T1633.001

System Information Discovery
T1426

Processes:

com.pro.fla.off

description ioc process

File opened for read /proc/meminfo com.pro.fla.off
Loads dropped Dex/Jar 1 TTPs 1 IoCs
Runs executable file dropped to the device during analysis.
evasion

Download New Code at Runtime
T1407

Processes:

com.pro.fla.off

ioc pid process

/data/user/0/com.pro.fla.off/app_ttmp/t.jar 5104 com.pro.fla.off
Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs
Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
collection credential_access impact

Clipboard Data
T1414

Transmitted Data Manipulation
T1641.001

Processes:

com.pro.fla.off

description ioc process

Framework service call android.content.IClipboard.addPrimaryClipChangedListener com.pro.fla.off
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
discovery

System Network Configuration Discovery
T1422

Processes:

com.pro.fla.off

description ioc process

Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone com.pro.fla.off
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
persistence

Broadcast Receivers
T1624.001

Processes:

com.pro.fla.off

description ioc process

Framework service call android.app.IActivityManager.registerReceiver com.pro.fla.off
Checks if the internet connection is available 1 TTPs 1 IoCs
discovery

System Network Connections Discovery
T1421

Processes:

com.pro.fla.off

description ioc process

Framework service call android.net.IConnectivityManager.getActiveNetworkInfo com.pro.fla.off
Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
discovery

System Network Configuration Discovery
T1422
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
impact

Data Encrypted for Impact
T1471

Processes:

com.pro.fla.off

description ioc process

Framework API call javax.crypto.Cipher.doFinal com.pro.fla.off

pid	process
5104	com.pro.fla.off

description	ioc	process
File opened for read	/proc/meminfo	com.pro.fla.off

ioc	pid	process
/data/user/0/com.pro.fla.off/app_ttmp/t.jar	5104	com.pro.fla.off

description	ioc	process
Framework service call	android.content.IClipboard.addPrimaryClipChangedListener	com.pro.fla.off

description	ioc	process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.pro.fla.off

description	ioc	process
Framework service call	android.app.IActivityManager.registerReceiver	com.pro.fla.off

description	ioc	process
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.pro.fla.off

description	ioc	process
Framework API call	javax.crypto.Cipher.doFinal	com.pro.fla.off

com.pro.fla.off
1⤵
- Removes its main activity from the application launcher
- Checks memory information
- Loads dropped Dex/Jar
- Obtains sensitive information copied to the device clipboard
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Checks if the internet connection is available
- Uses Crypto APIs (Might try to encrypt user data)
PID:5104

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

1

T1624

Broadcast Receivers

1

T1624.001

Privilege Escalation

Defense Evasion

Download New Code at Runtime

1

T1407

Hide Artifacts

1

T1628

Suppress Application Icon

1

T1628.001

Virtualization/Sandbox Evasion

1

T1633

System Checks

1

T1633.001

Credential Access

Clipboard Data

1

T1414

Discovery

Software Discovery

1

T1418

Security Software Discovery

1

T1418.001

System Information Discovery

1

T1426

System Network Configuration Discovery

2

T1422

System Network Connections Discovery

1

T1421

Lateral Movement

Collection

Clipboard Data

1

T1414

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

1

T1471

Data Manipulation

1

T1641

Transmitted Data Manipulation

1

T1641.001

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.pro.fla.off/app_ttmp/oat/t.jar.cur.prof
Filesize
498B

MD5
ebf4daeab1a091c4fd5c8866a1063d67

SHA1
2999607d17c4f8d93ca8f4e41474b89f83490523

SHA256
9491ab984fe92e294e763508c44a896d009e145a9fbdb69e64f7d0d72d94cdb9

SHA512
6a7c14722fea4816995eeb5e069e3ebac786dc4c704f13d43e2204d855ff2f8ad653d99ca6e45bc53d6c8917453e40d2fb330a7bcd102044a3fcafecc92121f8

Download Submit
/data/data/com.pro.fla.off/app_ttmp/t.jar
Filesize
271KB

MD5
f06ab1caa33597d6410dc5edad0bf259

SHA1
5407d16f2d2704565ab532a2f54520fa3c2ec755

SHA256
095b2e7e0a7e3226fb6a43c90d5d0b7db59408e28991f3f7b970d2baef79a9cb

SHA512
e9dd43fea9e081281fc721ff4ceeb7959085cdbd4b8300227a2c2f4300f19ad7ecae4bea552cd95473ab59e347811d3ee1ac1a063a9c90e37839af2ecbbe4138

Download Submit
/data/data/com.pro.fla.off/databases/com.pro.fla.offb
Filesize
72KB

MD5
dc991f7d899dd7fae28c452b20a9d718

SHA1
b01fb5f63b1ccfae46d0e5975eaacf7fdcd31ec0

SHA256
767ccd60308b3bd13637343484d90847eca74e0577f3699e22021696cb25e738

SHA512
074c4547301c2621f75b4f2aea57889c820523d6358aca75ac359d27ec5e8315f5a1239220ee64111d12b76829222dd4e965f573c8f3900704c2690353b8ea39

Download Submit
/data/data/com.pro.fla.off/databases/com.pro.fla.offb-journal
Filesize
512B

MD5
a47a239a30fc715eb06cf278436bd8c0

SHA1
ba2d7fe516b17e4a8c8fa8d918e9e9858df1b2a0

SHA256
d9292f48d0cbf02d73d14a08606a1890b88c75916a50c17bd6f0606de0931f27

SHA512
87c8aae2156b676ab0bebed0a9d94f6fb016e447ca79bc7dc35baaf11a3f06f1abbffc30b6e7de588a5cf4c0ff4caeb5030fb46ab0149164546acce414e267ad

Download Submit
/data/data/com.pro.fla.off/databases/com.pro.fla.offb-journal
Filesize
8KB

MD5
3369f73038be961488612d4de95e8924

SHA1
f054b93974e5960281091f9db863cd8697dd45b4

SHA256
b7e2d7b77cebd8b50fa8958f2c2b7dfc2d99bb2fc7de976c5b873d4122fc4688

SHA512
2e6a133f589c7098ba7589715244f964bfc694cb58bb28614171a6295b31a0cc30c9d684db62a5bac7771b12e9e654c129346b8a34fcff6c51b3d23cba974fdb

Download Submit
/data/data/com.pro.fla.off/databases/com.pro.fla.offb-journal
Filesize
8KB

MD5
227e17a368bd21e33626e931dac4b5fe

SHA1
bb5fe9c84eeb13a4be3dd170abbb64ef4d35d621

SHA256
cd9a90beb5f255a420b41ed25410a825e5bd10236a23f89393cc7e63520b8e92

SHA512
9e768c91198dcbff763eadefc622312ccde8000c989835af94af18f7b9baa757a32adebe26743d917ca4627854d68c6b6603ebcbbf9b9e41d787363cee4f14eb

Download Submit
/data/data/com.pro.fla.off/databases/com.pro.fla.offb-journal
Filesize
12KB

MD5
81ec3e8da2bc2235908261ee4dd51fc2

SHA1
6d8c04dde2f4a0f3c4a0d9061d1bbdcf858378df

SHA256
1df4844c71a8be8aede6268971918538c2f541611cb31f4fba3d4e25861e2ee8

SHA512
7d65a200d98943b26065104fc973e04e4229ae42423cb19b7808121b1e0cf2756191384d48a4ac47b428c31dd31d94576b62e9f11bd706d054d9c4e815a645c5

Download Submit
/data/user/0/com.pro.fla.off/app_ttmp/t.jar
Filesize
575KB

MD5
6a6cdb4b514dcc313ebbbf4677eef772

SHA1
81b1d963a7c7a385193a28cb0001ac0faaa57b87

SHA256
1e706adcc6521f04efabff9d8a2fa193ab6540b88894859320c1f34fdec57310

SHA512
1777ff00aca9205380eb5de58fd40a0133ad44d73286435f7d19c40c3e3bff56349697fd417dec8365ba071e8ebdf1d4e153454076d870efb73fe5bad1054b2b

Download Submit

Analysis

Sharing