a5a62b3cfb4c62d15be22802e4873d62a52472a94b1d972b02f1022f451e7092

General

Target

662dc37e22bc734704718609fd803370_JaffaCakes118.apk
Size

1.8MB
MD5

662dc37e22bc734704718609fd803370
SHA1

be35c7462b472ac8c60964311aef2fa80bf8d18a
SHA256

a5a62b3cfb4c62d15be22802e4873d62a52472a94b1d972b02f1022f451e7092
SHA512

215418d65c1add4f32c13faf70a42b8662848fc1c2b9b5cfb8410c50f286e0b80af12e146a5924e131d70689b0c9af2c05209fd80e7c0e9ae6db332ede099329
SSDEEP

49152:U9e5oh7nATCs83N6g5mmr1fwGoMBloMHXlu0QfF73ZUY:U9e5oh7nUCsmU/Mv5HXlu1D

Score

8^/10

collection credential_access discovery evasion execution impact persistence stealth trojan

Malware Config

Signatures

Removes its main activity from the application launcher 1 TTPs 1 IoCs
stealth trojan evasion

Suppress Application Icon
T1628.001

Processes:

com.noodlecake.waywardsouls.hack

pid process

5107 com.noodlecake.waywardsouls.hack
Checks CPU information 2 TTPs 1 IoCs
Checks CPU information which indicate if the system is an emulator.
evasion discovery

System Checks
T1633.001

System Information Discovery
T1426

Processes:

com.noodlecake.waywardsouls.hack

description ioc process

File opened for read /proc/cpuinfo com.noodlecake.waywardsouls.hack
Checks memory information 2 TTPs 1 IoCs
Checks memory information which indicate if the system is an emulator.
evasion discovery

System Checks
T1633.001

System Information Discovery
T1426

Processes:

com.noodlecake.waywardsouls.hack

description ioc process

File opened for read /proc/meminfo com.noodlecake.waywardsouls.hack
Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs
Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
collection credential_access impact

Clipboard Data
T1414

Transmitted Data Manipulation
T1641.001

Processes:

com.noodlecake.waywardsouls.hack

description ioc process

Framework service call android.content.IClipboard.addPrimaryClipChangedListener com.noodlecake.waywardsouls.hack
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
discovery

System Network Configuration Discovery
T1422

Processes:

com.noodlecake.waywardsouls.hack

description ioc process

Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone com.noodlecake.waywardsouls.hack
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
persistence

Broadcast Receivers
T1624.001

Processes:

com.noodlecake.waywardsouls.hack

description ioc process

Framework service call android.app.IActivityManager.registerReceiver com.noodlecake.waywardsouls.hack
Schedules tasks to execute at a specified time 1 TTPs 1 IoCs
Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
execution persistence

Scheduled Task/Job
T1603

Processes:

com.noodlecake.waywardsouls.hack

description ioc process

Framework service call android.app.job.IJobScheduler.schedule com.noodlecake.waywardsouls.hack

pid	process
5107	com.noodlecake.waywardsouls.hack

description	ioc	process
File opened for read	/proc/cpuinfo	com.noodlecake.waywardsouls.hack

description	ioc	process
File opened for read	/proc/meminfo	com.noodlecake.waywardsouls.hack

description	ioc	process
Framework service call	android.content.IClipboard.addPrimaryClipChangedListener	com.noodlecake.waywardsouls.hack

description	ioc	process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.noodlecake.waywardsouls.hack

description	ioc	process
Framework service call	android.app.IActivityManager.registerReceiver	com.noodlecake.waywardsouls.hack

description	ioc	process
Framework service call	android.app.job.IJobScheduler.schedule	com.noodlecake.waywardsouls.hack

com.noodlecake.waywardsouls.hack
1⤵
- Removes its main activity from the application launcher
- Checks CPU information
- Checks memory information
- Obtains sensitive information copied to the device clipboard
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Schedules tasks to execute at a specified time
PID:5107

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

1

T1603

Persistence

Event Triggered Execution

1

T1624

Broadcast Receivers

Scheduled Task/Job

Privilege Escalation

Defense Evasion

Hide Artifacts

1

T1628

Suppress Application Icon

1

T1628.001

Virtualization/Sandbox Evasion

2

T1633

System Checks

2

T1633.001

Credential Access

Clipboard Data

1

T1414

Discovery

System Information Discovery

2

T1426

System Network Configuration Discovery

1

T1422

Lateral Movement

Collection

Clipboard Data

1

T1414

Command and Control

Exfiltration

Impact

Data Manipulation

1

T1641

Transmitted Data Manipulation

1

T1641.001

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.noodlecake.waywardsouls.hack/databases/evernote_jobs.db
Filesize
16KB

MD5
12627a2ec645c4a4bc50dba5903afd59

SHA1
504005c938517e61bcf68b65a055c2faba635c2e

SHA256
f177ffae9650eb4f407c2d9a510bb5a5abe1ece2fdfe24effc62478a1bfa5903

SHA512
7ff69589296e02383a217373399e75d8a82fa17146e4273f4c0eb630f096dd9f394a3324d60858b02f7e5cf177c82c6d966f5cbedb68ae6a98df7cc851b79cfd

Download Submit
/data/data/com.noodlecake.waywardsouls.hack/databases/evernote_jobs.db
Filesize
16KB

MD5
f13351995c2eb7a2effe019baab7d874

SHA1
af116fefd649feab93a1dcbf94061e6093b9cc92

SHA256
8aa2f0e0541dc779f8492d7b7f7a2c24c1f895614441110489d69dedf3f8c0f7

SHA512
506a259fb27d013d080bfd90e3088842c7906aba266c18d132267d2dab10820af19d64e61a5446692918add3e3659f710db0a1f99bb248b88024db76a4281148

Download Submit
/data/data/com.noodlecake.waywardsouls.hack/databases/evernote_jobs.db-journal
Filesize
512B

MD5
d50cf92c3c1f5992d14f47d25b278c3b

SHA1
af1f8df07b12206dcc6ef6aff741211224fe47af

SHA256
dd3f1aa44de9dc4e004cff0cd25f45110bf01a936d1a0c9d908c751a27070aaf

SHA512
483bfec44e971bd01ba48efe2a3b4b051bb3b7f07b242d9f4e9670efa22bda56689d361f690730c06017ee79fecf83121dbdaf0272c87c40c32e31bd9cf3dce4

Download Submit
/data/data/com.noodlecake.waywardsouls.hack/databases/evernote_jobs.db-journal
Filesize
8KB

MD5
120a4216d27999c0cef9609fc4c107c9

SHA1
14790ea6651d9630cb6e340755876c6906b9de80

SHA256
96e0290c07bddee9ab478240296d771f24d78c2ef067bad3fed9bc9c1c19a85d

SHA512
24e308fb78ca8e2ec39e02dd07fff77f8d21a4750486ac02871e06b4eb9153340ca1f132d4622550f2c63588211a6252dd5f3e4178bea0de560f25a0bc795877

Download Submit
/data/data/com.noodlecake.waywardsouls.hack/databases/evernote_jobs.db-journal
Filesize
8KB

MD5
4f03e9ef6ce789954355e804d9ed35b8

SHA1
f5cf090ef1c5d93962b96fdd72c6386b6eac11f8

SHA256
3237f4e1526b374daf2333c2200d336e22c218e000f73cfbd1f9dce0acbb6c93

SHA512
60346dce74e5c1094aacfc12c8bb3f4ae21dfb8effc1790b1cf2e02f41754ff93534d5982b1d6cb9dcad918cce3e1c4960c49d20bb0f171be7e32bf9c4c0c2b6

Download Submit
/data/data/com.noodlecake.waywardsouls.hack/databases/evernote_jobs.db-journal
Filesize
8KB

MD5
e91e68e06d39e56310dbc8d3ebcc36c4

SHA1
d223eb5235514cabf4aa7107bbce1413db6839aa

SHA256
ec795c6e5d7e09250dcb84d7204a8573e669c53a6863b20f6393df5203b9dbd8

SHA512
9085cb666f7407715369660f638a6a2bbc05f7fa48e9253634e943de9da1814547a9530adc1156d960fcefc3925b8669bb0800bd7c17ff8b83b340b676769fe4

Download Submit

Analysis

Sharing