Analysis
- max time kernel: 36s
- max time network: 179s
- platform: android_x86
- resource: android-x86-arm-20240514-en
- resource tags: android, arch:arm, arch:x86, image:android-x86-arm-20240514-en, locale:en-us, os:android-9-x86, system
- submitted: 21/05/2024, 10:21
- Static task: static1
- Behavioral task: behavioral1
- Sample: 62f2c4cf10a84a12dc6c6cdddac12603_JaffaCakes118.apk
- Resource: android-x86-arm-20240514-en
General
- Target: 62f2c4cf10a84a12dc6c6cdddac12603_JaffaCakes118.apk
- Size: 1.7MB
- MD5: 62f2c4cf10a84a12dc6c6cdddac12603
- SHA1: 49cfd8a262975a7a7586303171b1bc040db86b5d
- SHA256: a6a746691a7aa6d217a86d0ba6491229148e849db9f5745cbb2c62a0200cf1f8
- SHA512: a07d48b239f4bc55bfe74f16168f055ffbb26d951a2c29ad3387bd07a38ecc0ec7f19a157b41afb9493dffc211ee411251857b6c000e2be95fcf1ce5d7462021
- SSDEEP: 24576:tPjn0DR/V+YrmBkfNCmIkrMCaxyMs+sRVM7OArTiVxGDj54m4Y0xTCY2I2GsKR:pAr4UMs+OMn3yEDum4TCdUsw
Malware Config
Signatures
- Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) [1 TTP]
- Requests cell location [2 TTPs, 1 IoC]
  Uses Android APIs to get the current cell location.
  ioc: Framework service call com.android.internal.telephony.ITelephony.getCellLocation; Process: com.ynh.elrrxe
- Checks memory information [2 TTPs, 1 IoC]
  Checks memory information that indicates whether the system is an emulator.
  ioc: File opened for read /proc/meminfo; Process: com.ynh.elrrxe
- Loads dropped Dex/Jar [1 TTP, 8 IoCs]
  Runs an executable file dropped to the device during analysis.
  ioc: /data/user/0/com.ynh.elrrxe/files/xu/eDekqjD.jar; pid: 4302; Process: /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.ynh.elrrxe/files/xu/eDekqjD.jar --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/com.ynh.elrrxe/files/xu/oat/x86/eDekqjD.odex --compiler-filter=quicken --class-loader-context=&
  ioc: /data/user/0/com.ynh.elrrxe/files/xu/eDekqjD.jar; pid: 4269; Process: com.ynh.elrrxe
  ioc: /data/user/0/com.ynh.elrrxe/files/Pdd.apk; pid: 4410; Process: /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.ynh.elrrxe/files/Pdd.apk --output-vdex-fd=60 --oat-fd=65 --oat-location=/data/user/0/com.ynh.elrrxe/files/oat/x86/Pdd.odex --compiler-filter=quicken --class-loader-context=&
  ioc: /data/user/0/com.ynh.elrrxe/files/Pdd.apk; pid: 4269; Process: com.ynh.elrrxe
  ioc: /data/user/0/com.ynh.elrrxe/app_dex/utopay.jar; pid: 4443; Process: /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.ynh.elrrxe/app_dex/utopay.jar --output-vdex-fd=74 --oat-fd=75 --oat-location=/data/user/0/com.ynh.elrrxe/app_dex/oat/x86/utopay.odex --compiler-filter=quicken --class-loader-context=&
  ioc: /data/user/0/com.ynh.elrrxe/app_dex/utopay.jar; pid: 4269; Process: com.ynh.elrrxe
  ioc: /data/user/0/com.ynh.elrrxe/files/yl_plugin.apk; pid: 4469; Process: /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.ynh.elrrxe/files/yl_plugin.apk --output-vdex-fd=77 --oat-fd=74 --oat-location=/data/user/0/com.ynh.elrrxe/files/oat/x86/yl_plugin.odex --compiler-filter=quicken --class-loader-context=&
  ioc: /data/user/0/com.ynh.elrrxe/files/yl_plugin.apk; pid: 4269; Process: com.ynh.elrrxe
- Queries information about running processes on the device [1 TTP, 1 IoC]
  Application may abuse the framework's APIs to collect information about running processes on the device.
  ioc: Framework service call android.app.IActivityManager.getRunningAppProcesses; Process: com.ynh.elrrxe
- Queries information about the current Wi-Fi connection [1 TTP, 1 IoC]
  Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
  ioc: Framework service call android.net.wifi.IWifiManager.getConnectionInfo; Process: com.ynh.elrrxe
- Queries the mobile country code (MCC) [1 TTP, 1 IoC]
  ioc: Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone; Process: com.ynh.elrrxe
- Reads the content of SMS inbox messages [1 TTP, 1 IoC]
  ioc: URI accessed for read content://sms/inbox; Process: com.ynh.elrrxe
- Reads the content of the SMS messages [1 TTP, 1 IoC]
  ioc: URI accessed for read content://sms/; Process: com.ynh.elrrxe
- Registers a broadcast receiver at runtime (usually for listening for system events) [1 TTP, 1 IoC]
  ioc: Framework service call android.app.IActivityManager.registerReceiver; Process: com.ynh.elrrxe
- Checks if the internet connection is available [1 TTP, 1 IoC]
  ioc: Framework service call android.net.IConnectivityManager.getActiveNetworkInfo; Process: com.ynh.elrrxe
- Requests dangerous framework permissions [17 IoCs]
  ioc: android.permission.READ_PHONE_STATE; description: Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device.
  ioc: android.permission.WRITE_EXTERNAL_STORAGE; description: Allows an application to write to external storage.
  ioc: android.permission.READ_EXTERNAL_STORAGE; description: Allows an application to read from external storage.
  ioc: android.permission.READ_SMS; description: Allows an application to read SMS messages.
  ioc: android.permission.RECEIVE_SMS; description: Allows an application to receive SMS messages.
  ioc: android.permission.SEND_SMS; description: Allows an application to send SMS messages.
  ioc: android.permission.ACCESS_COARSE_LOCATION; description: Allows an app to access approximate location.
  ioc: android.permission.SYSTEM_ALERT_WINDOW; description: Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps.
  ioc: android.permission.CALL_PHONE; description: Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call.
  ioc: android.permission.CAMERA; description: Required to be able to access the camera device.
  ioc: android.permission.READ_PHONE_STATE; description: Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device.
  ioc: android.permission.WRITE_EXTERNAL_STORAGE; description: Allows an application to write to external storage.
  ioc: android.permission.READ_EXTERNAL_STORAGE; description: Allows an application to read from external storage.
  ioc: android.permission.READ_SMS; description: Allows an application to read SMS messages.
  ioc: android.permission.SEND_SMS; description: Allows an application to send SMS messages.
  ioc: android.permission.RECEIVE_SMS; description: Allows an application to receive SMS messages.
  ioc: android.permission.ACCESS_COARSE_LOCATION; description: Allows an app to access approximate location.
- Uses Crypto APIs (might try to encrypt user data) [1 TTP, 1 IoC]
  ioc: Framework API call javax.crypto.Cipher.doFinal; Process: com.ynh.elrrxe
Processes
- com.ynh.elrrxe (PID:4269)
  - Requests cell location
  - Checks memory information
  - Loads dropped Dex/Jar
  - Queries information about running processes on the device
  - Queries information about the current Wi-Fi connection
  - Queries the mobile country code (MCC)
  - Reads the content of SMS inbox messages
  - Reads the content of the SMS messages
  - Registers a broadcast receiver at runtime (usually for listening for system events)
  - Checks if the internet connection is available
  - Uses Crypto APIs (might try to encrypt user data)
  - /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.ynh.elrrxe/files/xu/eDekqjD.jar --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/com.ynh.elrrxe/files/xu/oat/x86/eDekqjD.odex --compiler-filter=quicken --class-loader-context=& (PID:4302)
    - Loads dropped Dex/Jar
  - /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.ynh.elrrxe/files/Pdd.apk --output-vdex-fd=60 --oat-fd=65 --oat-location=/data/user/0/com.ynh.elrrxe/files/oat/x86/Pdd.odex --compiler-filter=quicken --class-loader-context=& (PID:4410)
    - Loads dropped Dex/Jar
  - /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.ynh.elrrxe/app_dex/utopay.jar --output-vdex-fd=74 --oat-fd=75 --oat-location=/data/user/0/com.ynh.elrrxe/app_dex/oat/x86/utopay.odex --compiler-filter=quicken --class-loader-context=& (PID:4443)
    - Loads dropped Dex/Jar
  - /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.ynh.elrrxe/files/yl_plugin.apk --output-vdex-fd=77 --oat-fd=74 --oat-location=/data/user/0/com.ynh.elrrxe/files/oat/x86/yl_plugin.odex --compiler-filter=quicken --class-loader-context=& (PID:4469)
    - Loads dropped Dex/Jar
  - getprop ro.product.cpu.abi (PID:4586)
  - getprop ro.product.cpu.abi2 (PID:4605)
Network
MITRE ATT&CK Mobile v15
- Defense Evasion: Download New Code at Runtime (1), Execution Guardrails (1), Geofencing (1), Virtualization/Sandbox Evasion (1), System Checks (1)
Downloads