Analysis
max time kernel: 173s
max time network: 188s
platform: android_x86
resource: android-x86-arm-20240514-en
resource tags: android, arch:arm, arch:x86, image:android-x86-arm-20240514-en, locale:en-us, os:android-9-x86, system
submitted: 22-05-2024 22:20
Static task: static1
Behavioral task: behavioral1
  Sample: 68d50271154720e5a9d868892c21f818_JaffaCakes118.apk
  Resource: android-x86-arm-20240514-en
Behavioral task: behavioral2
  Sample: 68d50271154720e5a9d868892c21f818_JaffaCakes118.apk
  Resource: android-x64-20240514-en
General
Target: 68d50271154720e5a9d868892c21f818_JaffaCakes118.apk
Size: 12.3MB
MD5: 68d50271154720e5a9d868892c21f818
SHA1: d44969715ddde6acc9d38012da21257503428e41
SHA256: 76300b4b84762786c448cf99fc2f878a7eb013aada0a53b0c7014943989e7da8
SHA512: ddcd83f775c778ccde2a0a60ef1da15d902b7a14dfee043642a412ceeffe41d0dc4e99138aba04e097ca451948ac44ecc742431d9a41c121a35ccabe84265e54
SSDEEP: 196608:+BD26pDmV6zUKX2q5pqN+lqN2KmPPSX6OuwedO/C4Mf4coMBpkhgaN+6L/706ddU:+BHsq50WqhfC4QBpMdT0slTKUTNuOG
Malware Config
Signatures
Checks if the Android device is rooted. (1 TTP, 9 IoCs)
ioc                        Process
/sbin/su                   com.sogou.androidtool
/sbin/su                   /system/bin/sh -c type su
/system/app/Superuser.apk  com.sogou.androidtool:push_service
/sbin/su                   /system/bin/sh -c type su
/sbin/su                   com.sogou.androidtool:channel
/sbin/su                   com.sogou.androidtool:remote_proxy
/system/app/Superuser.apk  com.sogou.androidtool:channel
/sbin/su                   com.sogou.androidtool:remote_proxy
/sbin/su                   com.sogou.androidtool:push_service
Requests cell location (2 TTPs, 5 IoCs)
Uses Android APIs to get the current cell location.
description             ioc                                                        Process
Framework service call  com.android.internal.telephony.ITelephony.getCellLocation  com.sogou.androidtool
Framework service call  com.android.internal.telephony.ITelephony.getCellLocation  com.sogou.androidtool:remote_proxy
Framework service call  com.android.internal.telephony.ITelephony.getCellLocation  com.sogou.androidtool:push_service
Framework service call  com.android.internal.telephony.ITelephony.getCellLocation  com.sogou.androidtool:channel
Framework service call  com.android.internal.telephony.ITelephony.getCellLocation  com.sogou.androidtool:remote_proxy
Checks memory information (2 TTPs, 2 IoCs)
Checks memory information that can indicate whether the system is an emulator.
description           ioc            Process
File opened for read  /proc/meminfo  com.sogou.androidtool:push_service
File opened for read  /proc/meminfo  com.sogou.androidtool:channel
Queries information about running processes on the device (1 TTP, 5 IoCs)
Application may abuse the framework's APIs to collect information about running processes on the device.
description             ioc                                                   Process
Framework service call  android.app.IActivityManager.getRunningAppProcesses  com.sogou.androidtool
Framework service call  android.app.IActivityManager.getRunningAppProcesses  com.sogou.androidtool:remote_proxy
Framework service call  android.app.IActivityManager.getRunningAppProcesses  com.sogou.androidtool:push_service
Framework service call  android.app.IActivityManager.getRunningAppProcesses  com.sogou.androidtool:channel
Framework service call  android.app.IActivityManager.getRunningAppProcesses  com.sogou.androidtool:remote_proxy
Queries information about the current Wi-Fi connection (1 TTP, 5 IoCs)
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
description             ioc                                            Process
Framework service call  android.net.wifi.IWifiManager.getConnectionInfo  com.sogou.androidtool
Framework service call  android.net.wifi.IWifiManager.getConnectionInfo  com.sogou.androidtool:remote_proxy
Framework service call  android.net.wifi.IWifiManager.getConnectionInfo  com.sogou.androidtool:push_service
Framework service call  android.net.wifi.IWifiManager.getConnectionInfo  com.sogou.androidtool:channel
Framework service call  android.net.wifi.IWifiManager.getConnectionInfo  com.sogou.androidtool:remote_proxy
Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTP, 5 IoCs)
description             ioc                                          Process
Framework service call  android.app.IActivityManager.registerReceiver  com.sogou.androidtool
Framework service call  android.app.IActivityManager.registerReceiver  com.sogou.androidtool:remote_proxy
Framework service call  android.app.IActivityManager.registerReceiver  com.sogou.androidtool:push_service
Framework service call  android.app.IActivityManager.registerReceiver  com.sogou.androidtool:channel
Framework service call  android.app.IActivityManager.registerReceiver  com.sogou.androidtool:remote_proxy
Checks if the internet connection is available (1 TTP, 5 IoCs)
description             ioc                                                   Process
Framework service call  android.net.IConnectivityManager.getActiveNetworkInfo  com.sogou.androidtool:remote_proxy
Framework service call  android.net.IConnectivityManager.getActiveNetworkInfo  com.sogou.androidtool:push_service
Framework service call  android.net.IConnectivityManager.getActiveNetworkInfo  com.sogou.androidtool:channel
Framework service call  android.net.IConnectivityManager.getActiveNetworkInfo  com.sogou.androidtool:remote_proxy
Framework service call  android.net.IConnectivityManager.getActiveNetworkInfo  com.sogou.androidtool
Reads information about the phone network operator. (1 TTP)
Schedules tasks to execute at a specified time (1 TTP, 1 IoC)
Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
description             ioc                                      Process
Framework service call  android.app.job.IJobScheduler.schedule  com.sogou.androidtool:channel
Uses Crypto APIs (might try to encrypt user data) (1 TTP, 2 IoCs)
description         ioc                          Process
Framework API call  javax.crypto.Cipher.doFinal  com.sogou.androidtool:push_service
Framework API call  javax.crypto.Cipher.doFinal  com.sogou.androidtool:channel
Processes
com.sogou.androidtool  PID:4312
  - Checks if the Android device is rooted.
  - Requests cell location
  - Queries information about running processes on the device
  - Queries information about the current Wi-Fi connection
  - Registers a broadcast receiver at runtime (usually for listening for system events)
  - Checks if the internet connection is available
    chmod 777 /data/user/0/com.sogou.androidtool/cache  PID:4340
    chmod 777 /data/user/0/com.sogou.androidtool/cache  PID:4366
com.sogou.androidtool:remote_proxy  PID:4543
  - Checks if the Android device is rooted.
  - Requests cell location
  - Queries information about running processes on the device
  - Queries information about the current Wi-Fi connection
  - Registers a broadcast receiver at runtime (usually for listening for system events)
  - Checks if the internet connection is available
    chmod 777 /data/user/0/com.sogou.androidtool/cache  PID:4684
    getprop ro.miui.ui.version.name  PID:4716
com.sogou.androidtool:push_service  PID:4759
  - Checks if the Android device is rooted.
  - Requests cell location
  - Checks memory information
  - Queries information about running processes on the device
  - Queries information about the current Wi-Fi connection
  - Registers a broadcast receiver at runtime (usually for listening for system events)
  - Checks if the internet connection is available
  - Uses Crypto APIs (might try to encrypt user data)
    chmod 777 /data/user/0/com.sogou.androidtool/cache  PID:4798
    /system/bin/sh -c getprop ro.board.platform  PID:4916
    getprop ro.board.platform  PID:4916
    /system/bin/sh -c type su  PID:4944
      - Checks if the Android device is rooted.
com.sogou.androidtool:channel  PID:4974
  - Checks if the Android device is rooted.
  - Requests cell location
  - Checks memory information
  - Queries information about running processes on the device
  - Queries information about the current Wi-Fi connection
  - Registers a broadcast receiver at runtime (usually for listening for system events)
  - Checks if the internet connection is available
  - Schedules tasks to execute at a specified time
  - Uses Crypto APIs (might try to encrypt user data)
    chmod 777 /data/user/0/com.sogou.androidtool/cache  PID:5009
    /system/bin/sh -c getprop ro.board.platform  PID:5302
    getprop ro.board.platform  PID:5302
    /system/bin/sh -c type su  PID:5330
      - Checks if the Android device is rooted.
com.sogou.androidtool:remote_proxy  PID:5128
  - Checks if the Android device is rooted.
  - Requests cell location
  - Queries information about running processes on the device
  - Queries information about the current Wi-Fi connection
  - Registers a broadcast receiver at runtime (usually for listening for system events)
  - Checks if the internet connection is available
    chmod 777 /data/user/0/com.sogou.androidtool/cache  PID:5159
    getprop ro.miui.ui.version.name  PID:5187
Network
MITRE ATT&CK Mobile v15
Persistence
  Event Triggered Execution (1)
    Broadcast Receivers (1)
  Scheduled Task/Job (1)
Defense Evasion
  Execution Guardrails (1)
    Geofencing (1)
  Virtualization/Sandbox Evasion (1)
    System Checks (1)
Downloads