Analysis
max time kernel
153s
max time network
185s
platform
android_x64
resource
android-x64-arm64-20240514-en
resource tags
android, arch:arm, arch:arm64, arch:x64, arch:x86, image:android-x64-arm64-20240514-en, locale:en-us, os:android-11-x64, system
submitted
22-05-2024 22:44
Static task
static1
Behavioral task
behavioral1
Sample
68e23c251edec78b1388479b3a624c68_JaffaCakes118.apk
Resource
android-x86-arm-20240514-en
Behavioral task
behavioral2
Sample
68e23c251edec78b1388479b3a624c68_JaffaCakes118.apk
Resource
android-x64-20240514-en
General
Target
68e23c251edec78b1388479b3a624c68_JaffaCakes118.apk
Size
4.3MB
MD5
68e23c251edec78b1388479b3a624c68
SHA1
61560000b260ef395912d00b42cdfd45c37022ff
SHA256
3a15ac97abe33306250c353dda5cb8d6abb3a3dc54ad6b16e58935c8e0b39fb5
SHA512
3bf4960d5244b202d997c91492a00831df0df2ead3f4c755c758d682c718fa23aef2e979c9096170c56bfcc6324f406df6466cbd82e03f95c883b4fb7f7ba378
SSDEEP
98304:3idjivEO7yThKWzF6TZcEpHt4SzMKcQOZZOg6qpV064mqfrg6nF:S8vEOWThKrT0SzbKD6qj0pL
Malware Config
Signatures
Checks if the Android device is rooted. 1 TTPs 6 IoCs
Processes:
  ioc                        process
  /data/local/xbin/su        xyz.hanks.note
  /data/local/bin/su         xyz.hanks.note
  /data/local/su             xyz.hanks.note
  /system/xbin/su            xyz.hanks.note
  /system/app/Superuser.apk  xyz.hanks.note
  /sbin/su                   xyz.hanks.note
Checks CPU information 2 TTPs 1 IoCs
Checks CPU information that indicates whether the system is an emulator.
Checks known Qemu files. 1 TTPs 3 IoCs
Checks for known Qemu files that exist on Android virtual device images.
Processes:
  ioc                                    process
  /system/lib/libc_malloc_debug_qemu.so  xyz.hanks.note
  /sys/qemu_trace                        xyz.hanks.note
  /system/bin/qemu-props                 xyz.hanks.note
Checks known Qemu pipes. 1 TTPs 2 IoCs
Checks for known pipes used by the Android emulator to communicate with the host.
Processes:
  ioc                process
  /dev/socket/qemud  xyz.hanks.note
  /dev/qemu_pipe     xyz.hanks.note
Queries information about running processes on the device 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about running processes on the device.
Processes:
  description             ioc                                                  process
  Framework service call  android.app.IActivityManager.getRunningAppProcesses  xyz.hanks.note
Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
Processes:
  description             ioc                                            process
  Framework service call  android.net.wifi.IWifiManager.getConnectionInfo  xyz.hanks.note
Checks if the internet connection is available 1 TTPs 1 IoCs
Processes:
  description             ioc                                                   process
  Framework service call  android.net.IConnectivityManager.getActiveNetworkInfo  xyz.hanks.note
Listens for changes in the sensor environment (might be used to detect emulation) 1 TTPs 1 IoCs
Processes:
  description         ioc                                                   process
  Framework API call  android.hardware.SensorManager.registerListener  xyz.hanks.note
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
Processes:
  description         ioc                         process
  Framework API call  javax.crypto.Cipher.doFinal  xyz.hanks.note
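The root and emulator signatures above are all filesystem existence probes, and a sample that sees them succeed may simply stop doing anything interesting in the sandbox. The Frida script below is an added example, not part of this report and not code from the sample: it takes the eleven paths the report enumerates (six su/Superuser.apk paths, three Qemu files, two Qemu pipes) and makes them appear absent at both the Java level (java.io.File) and the bionic libc level (access/stat), so the app can be re-run under instrumentation with those checks defeated. The path table is the report's own; the file name hide_probes.js, the frida command line, the choice of hooked methods and the category labels are assumptions. Two caveats a triager should keep in mind: the dropped files listed further down (bugly_db_, umeng_it.cache and the files/stateless/ directory) are named like artifacts of the Bugly crash-reporting and Umeng analytics SDKs, and commercial analytics SDKs routinely carry root and emulator fingerprinting of this kind, so these signatures alone do not establish malicious intent; and this script does not touch the "Checks CPU information" (/proc/cpuinfo, Build properties), sensor, running-process or Wi-Fi queries, which need separate hooks.

```javascript
// Added example (not from the sandbox report or the sample): hide the exact
// filesystem probes the report lists so the app can be re-run under Frida.
// Assumed usage (standard Frida CLI):  frida -U -f xyz.hanks.note -l hide_probes.js
// The paths below are copied from the report's IoCs; the categories are ours.
const PROBE_PATHS = {
  // "Checks if the Android device is rooted." (6 IoCs)
  '/data/local/xbin/su': 'root',
  '/data/local/bin/su': 'root',
  '/data/local/su': 'root',
  '/system/xbin/su': 'root',
  '/system/app/Superuser.apk': 'root',
  '/sbin/su': 'root',
  // "Checks known Qemu files." (3 IoCs)
  '/system/lib/libc_malloc_debug_qemu.so': 'qemu-file',
  '/sys/qemu_trace': 'qemu-file',
  '/system/bin/qemu-props': 'qemu-file',
  // "Checks known Qemu pipes." (2 IoCs)
  '/dev/socket/qemud': 'qemu-pipe',
  '/dev/qemu_pipe': 'qemu-pipe',
};

// Collapse "//", "." and ".." segments and drop a trailing slash, so a
// cosmetically different spelling of a listed path does not slip past the table.
function normalizePath(p) {
  const out = [];
  for (const seg of String(p).split('/')) {
    if (seg === '' || seg === '.') continue;
    if (seg === '..') { out.pop(); continue; }
    out.push(seg);
  }
  return '/' + out.join('/');
}

// Category of a probed path ('root', 'qemu-file', 'qemu-pipe') or null if benign.
function probeCategory(p) {
  return PROBE_PATHS[normalizePath(p)] || null;
}

// Single decision shared by every hook: should this path be reported as absent?
function shouldHide(p) {
  return probeCategory(p) !== null;
}

const seen = {}; // category -> number of probes observed, for the analyst's log
function record(category, where, p) {
  seen[category] = (seen[category] || 0) + 1;
  console.log('[hide] ' + category + ' probe via ' + where + ': ' + p);
}

// Frida-only part. `Java` is Frida's Java bridge; it is undefined when this file
// is loaded under node, so the hooks are skipped and the functions above can be
// exercised on their own.
if (typeof Java !== 'undefined') {
  Java.perform(function () {
    // Java-level probes: java.io.File.exists()/canRead()/isFile() have no overloads,
    // so the implementation can be replaced directly.
    const File = Java.use('java.io.File');
    ['exists', 'canRead', 'isFile'].forEach(function (m) {
      File[m].implementation = function () {
        const p = this.getAbsolutePath();
        if (shouldHide(p)) { record(probeCategory(p), 'java.io.File.' + m, p); return false; }
        return this[m](); // original behaviour for everything else
      };
    });
  });

  // Native-level probes (bionic libc access()/stat()) that a Java hook never sees.
  const libc = Process.findModuleByName('libc.so');
  ['access', 'stat'].forEach(function (fn) {
    const addr = libc ? libc.findExportByName(fn) : null;
    if (addr === null) return;
    Interceptor.attach(addr, {
      onEnter(args) {
        const p = args[0].isNull() ? '' : args[0].readUtf8String();
        this.hide = shouldHide(p);
        if (this.hide) record(probeCategory(p), 'libc.' + fn, p);
      },
      onLeave(retval) {
        if (this.hide) retval.replace(ptr(-1)); // -1: the failure return of access()/stat()
      },
    });
  });
}
```

The per-category counters in the log tell you which checks the sample actually exercised on a given run; if the "root" probes fire but behaviour still does not change, the gate is elsewhere (the /proc/cpuinfo and sensor checks the report also lists are the next candidates).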
Processes
xyz.hanks.note
- Checks if the Android device is rooted.
- Checks CPU information
- Checks known Qemu files.
- Checks known Qemu pipes.
- Queries information about running processes on the device
- Queries information about the current Wi-Fi connection
- Checks if the internet connection is available
- Listens for changes in the sensor environment (might be used to detect emulation)
- Uses Crypto APIs (Might try to encrypt user data)
Network
MITRE ATT&CK Matrix
Downloads
/data/user/0/xyz.hanks.note/app_crashrecord/1002
Filesize 224B
MD5 95f37c101962a500b472024a7382edb2
SHA1 0d2da746d643f5f9fcf2735cdca9bb7f710c2225
SHA256 7d5a5d76c178530a76f484aa6d3be9aaa5dbb47734e6d2e3573a481623c34058
SHA512 cc0d46a9a88e64443cf516507d48c3ddf01afe02b96bcfbc009fd735622439f1cbfc37f32e302bb0fa4ce92b0be890cfe68db2a3f71801ee4676a521ff52ced6

/data/user/0/xyz.hanks.note/app_crashrecord/1004
Filesize 58B
MD5 0d210bfb2a0e1f1b4c082a6a0f79de07
SHA1 bb8ed9e364db79d1d9f2fcde3f15091893222faa
SHA256 988722c23d78a46021d0e7ca9deee7aa8bb83288269174ffacb7316f381cca1d
SHA512 536e9867b0df29b15b789f8949be6ab37fcdeccb9d39ded981da7dc2052c9533d0ec0e6f9a5444132977605d372e1463d91bdde41b528ff2ca3f65ab152325c1

/data/user/0/xyz.hanks.note/app_crashrecord/1004
Filesize 224B
MD5 fe02c95a763df4b0b74a80ed2a6557f7
SHA1 2179d4521a4e989b6f89231cc6624778399c945d
SHA256 96ebe9da4bb2b19056573d73cd33eb09c7d02251092f43342dff34728b8c06a7
SHA512 b46b31f28ee9c18d1052ee0afdf0e434c9f0c2cbc3b10e017ea1b22b5f0d235307669387e8ae68d472ee42908a96d54541d085b527b404ee7ad36404c5f60a10

/data/user/0/xyz.hanks.note/databases/bugly_db_
Filesize 52KB
MD5 2b255597a0dff537c3fd7836ffda1e99
SHA1 0d58517099cef38404bf1349b12a46c7896884b7
SHA256 3fd14e9ac16d5b46f774b35a65882215280d19ea69875ca225282766a451abd8
SHA512 0056247d8cd411602a7e1cce750ab59f3909d9b59097ed86720435553159060d0f1b13f850b62771f9d86544aa17b6ff5f7480df85213a7f22de4dda530c558e

/data/user/0/xyz.hanks.note/databases/bugly_db_-journal
Filesize 8KB
MD5 b3ed5eaa8263230f7dc329ee8b94fc1e
SHA1 49073c81aa59d5f359455b854f9df2ea0d440f79
SHA256 494dcd20e2eb239914f0e5e9e17ba71e4eb91904c0cabdf4001bb6e98064d4a6
SHA512 177dc363a68bcae1fd517524dff65b212ef3c48f50f578d753da4485d8f33a7fe1d2eee53c9fac1f29705a507e3353950f9f25118c0984bc4467ce1f88b7c96b

/data/user/0/xyz.hanks.note/databases/bugly_db_-journal
Filesize 8KB
MD5 b46e3983d138b11807dc2f739474ed76
SHA1 58702b233ba24156640daa6582686aa32f3dec83
SHA256 4c3ef909244c893716cfb337e2ed7902618ca4ab8b8276d3ae8ade41ee180cfa
SHA512 ca068f3338c633ee9896f1dd6f599747bfa5ad8e617a39132c14f41ae0dcada38d484a6189bb20d84425249c4303d1454eb82274db877c7bf37ffef01405079a

/data/user/0/xyz.hanks.note/databases/bugly_db_-journal
Filesize 8KB
MD5 23b06d5818660bebc64fba1c6250e6a7
SHA1 4f6beace128c7d6c39ccfa055af6b3f76ad07be8
SHA256 5c3a94c5a736deb03c0718d83c104ad6cb60b98b916f05fb14e67c34b1e9e4a1
SHA512 d3725100ce9e4c4c9c17979e998e4238d177b3eb8fb23c80a68d86da7c0a3dff4199d01a98c62a12e77ffdff408baf32d452a4cddbc67d6191da308692ea3ce2

/data/user/0/xyz.hanks.note/databases/bugly_db_-journal
Filesize 8KB
MD5 d9fff0bb85a4c1d269dbef458ef4114e
SHA1 949da63fa35400729147654a99513b067b88e2d5
SHA256 3a65d151d93080395caf7a2d09beff76bcf687cd807e3e110efb9f4f1581cb73
SHA512 0d15af7529b93686a7714b4cbc4c0da9309b86f94b52d523c1914627d9b358a74de0398a3850e7354e933b2c965b112d259453aeced035bda16d07943f49a0a2

/data/user/0/xyz.hanks.note/databases/bugly_db_-journal
Filesize 8KB
MD5 08fbf204f817f37e50156efcc768683e
SHA1 e58a91f87d99c80c2dac09259fad57079a91ede0
SHA256 939c143b618789ceed25857869da2f741867accd88c586dcf3ea38407f747578
SHA512 037223f83abea85de86ea114693e12aac21558d79dae0f3df64276fad09446c234caff1453f971dc14378931ec06c6272d87d00f2cf0c7c47a38340662ce7210

/data/user/0/xyz.hanks.note/databases/bugly_db_-journal
Filesize 512B
MD5 a0bbf9226da2c720b3ad9e9cb1ead7dd
SHA1 77f3c0f7057684c33939d13262e3dc4936b7eca1
SHA256 81545e0c7b71864b88b4d264107323d8f88d2a772016c35202cb739e4e3390ea
SHA512 e33106802f15376ce264e83ee56baa698a84ec87f0bc180bb398a6cab76afccbf06ee3fd307379b955f5fa726f8837e02ba31d0ec0f07fc00f224707286dc56c

/data/user/0/xyz.hanks.note/databases/note.db
Filesize 40KB
MD5 5575adb907584b3a429507d539d9e060
SHA1 165b79b6ef53c73ccfb23aef7489ecb112e60c45
SHA256 c17a1eeca872d418d4754ad163640c3c24a4070f1ede5c035638eca696c65d58
SHA512 4974a3389911e4e45f807d5c57577a9a05f2c759258e88552c94b36e3b165dc3f110a5cfa82de83d90454d8c1e207b9f46a7352928e75180924f129ef57d0d84

/data/user/0/xyz.hanks.note/databases/note.db-journal
Filesize 512B
MD5 f35eeaaa31e91d7e98201d0d26bc27dc
SHA1 b29724119add4741856ef790c26dcea8f25645ef
SHA256 f854a966f5ea07a8b175ffc05cff72945ca38f7008804fb5c505be22c28bb183
SHA512 abf176d2c9ad71784aeabf8b0f00361b3604b26d0ff1494190c322b181cd24645406ecde354007aac4a8217980b929eea66d1483966a3b25a8f18e4866860827

/data/user/0/xyz.hanks.note/databases/note.db-journal
Filesize 8KB
MD5 aa5ed8c05adaba4b868a3797aa6f3f88
SHA1 0d780a503331bf3973a92a110ef9d3bf3aa7775e
SHA256 32c8ca69eca95cc99bf31b23853709f29379c8a822a7a6ff607cd5154df609af
SHA512 af906aeeb73a690d28c4fdd60146fe87647af1db2338fd27d937b414aad17dc15dc352d840ffabaf739edab3abc0a17666d1923e005bc6eda6a278b6ff6d4132

/data/user/0/xyz.hanks.note/databases/note.db-journal
Filesize 8KB
MD5 ea2f2f01cce5438b0ed3d31a367e7e58
SHA1 361f94f81d2e7eadf5042b06f1c3abd92cf42dab
SHA256 733b43b8387e27f4701c5c7d6e2cface0c98bf9dbe963fa1c37e7ecf9452e8d4
SHA512 0cdbbd5ff7caba543dc4b8fce96e9feb05a91c354ef9740e313f23e5b69d431505c55eb3e34cef9ed7cedf66fbfa8bb7ef0eac1d5ad28674faca30d2129d6de5

/data/user/0/xyz.hanks.note/files/stateless/dW1weF9pbnRlcm5hbA==/dW1weF9pbnRlcm5hbF8xNzE2NDE3OTA2MDEx
Filesize 1KB
MD5 ae71254d75837b36c88d133597bd0148
SHA1 5e4d466de8b8fecbfed198fab3bded210354503b
SHA256 e4a908119b44998617a3f1f773660a5069a156b94a17799cdc79ef2881d97780
SHA512 a8dc08d789c2e19b87ce7c740a6bbe6cccac8f0e3cdcc44604b11f81be24f9649a97a003085d762555ae57116e361a6fe572a50db79e63096d6730291696fd6c

/data/user/0/xyz.hanks.note/files/umeng_it.cache
Filesize 352B
MD5 99f6eebf9e1b0127cb5e2c3c59eebe25
SHA1 fec8662d23a6b630ffd5c88a7dc2ea76df63a63b
SHA256 eb52bd45849f91b5914e7106cf41579b7e0e56354ae6f04a646b86beb65fbaf9
SHA512 1263b3bc3740c96120cc5ded799147f91e72f1fbfc3ef15db811984eba06a828a9587c259d7b4ce84ac7c762cc1d5138c4ceb844c03a5a8c89d8b1869343d0a2