Analysis

max time kernel: 170s
max time network: 186s
platform: android_x86
resource: android-x86-arm-20240514-en
resource tags: android, arch:arm, arch:x86, image:android-x86-arm-20240514-en, locale:en-us, os:android-9-x86, system
submitted: 22-05-2024 05:58
Static task
static1

Behavioral task
behavioral1
Sample: 663ca6d8781be948124cfb87703bac76_JaffaCakes118.apk
Resource: android-x86-arm-20240514-en

Behavioral task
behavioral2
Sample: register.apk
Resource: android-x86-arm-20240514-en

Behavioral task
behavioral3
Sample: register.apk
Resource: android-x64-20240514-en

Behavioral task
behavioral4
Sample: register.apk
Resource: android-x64-arm64-20240514-en

Behavioral task
behavioral5
Sample: vending.apk
Resource: android-x86-arm-20240514-en

Behavioral task
behavioral6
Sample: vending.apk
Resource: android-x64-20240514-en

Behavioral task
behavioral7
Sample: vending.apk
Resource: android-x64-arm64-20240514-en
General

Target: 663ca6d8781be948124cfb87703bac76_JaffaCakes118.apk
Size: 11.0MB
MD5: 663ca6d8781be948124cfb87703bac76
SHA1: a5d676290429b8e797ecd0e0463930da3c8eec35
SHA256: 372b3e7a948880fc74bf1ae14b95db94e5f49a54d6183fc88e73472a25387b72
SHA512: 455695df7257e18b5ca6e5bdb152475f405da2a62cff3c5d4dd355c9d277e610b7bd20a2a8ccbf3feafc0512d95d933332da98367dc5a9d925185ecaf8b18783
SSDEEP: 196608:M6TmiERf8YP96RNveEzVpwmY8QSSEsW3FV7S1onb7Jpdu0o7ARZRqUbS6J/XbT:M6yhEYPILv5zVj0rOK+97u0eArRqMS61
Malware Config

Signatures

Checks if the Android device is rooted. (1 TTPs, 4 IoCs)
- ioc: /system/bin/su [Process: com.excean.gspace:olle]
- ioc: /system/xbin/su [Process: com.excean.gspace:olle]
- ioc: /system/bin/su [Process: com.excean.gspace]
- ioc: /system/xbin/su [Process: com.excean.gspace]

Checks CPU information (2 TTPs, 2 IoCs)
Checks CPU information which indicates whether the system is an emulator.
- File opened for read: /proc/cpuinfo [Process: com.excean.gspace:olle]
- File opened for read: /proc/cpuinfo [Process: com.excean.gspace]

Checks memory information (2 TTPs, 2 IoCs)
Checks memory information which indicates whether the system is an emulator.
- File opened for read: /proc/meminfo [Process: com.excean.gspace:olle]
- File opened for read: /proc/meminfo [Process: com.excean.gspace]

Loads dropped Dex/Jar (1 TTPs, 7 IoCs)
Runs an executable file dropped to the device during analysis.
- ioc: /data/user/0/com.excean.gspace/.platformcache/kxqpplatform2.jar [PID 4422, Process: /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.excean.gspace/.platformcache/kxqpplatform2.jar --output-vdex-fd=51 --oat-fd=54 --oat-location=/data/user/0/com.excean.gspace/.platformcache/oat/x86/kxqpplatform2.odex --compiler-filter=quicken --class-loader-context=&]
- ioc: /data/user/0/com.excean.gspace/.platformcache/kxqpplatform2.jar [PID 4317, Process: com.excean.gspace]
- ioc: /data/user/0/com.excean.gspace/.platformcache/kxqpplatform2.jar [PID 4485, Process: com.excean.gspace:lbcore]
- ioc: /data/user/0/com.excean.gspace/.platformcache/kxqpplatform2.jar [PID 4533, Process: com.excean.gspace:smtcnt]
- ioc: /data/user/0/com.excean.gspace/.platformcache/kxqpplatform2.jar [PID 4708, Process: com.excean.gspace:smtcnt]
- ioc: /data/user/0/com.excean.gspace/.platformcache/kxqpplatform2.jar [PID 4782, Process: com.excean.gspace:smtcnt]
- ioc: /data/user/0/com.excean.gspace/.platformcache/kxqpplatform2.jar [PID 4877, Process: com.excean.gspace:smtcnt]

Makes use of the framework's foreground persistence service (1 TTPs, 1 IoCs)
Application may abuse the framework's foreground service to continue running in the foreground.
- Framework service call: android.app.IActivityManager.setServiceForeground [Process: com.excean.gspace:lbcore]

Queries information about running processes on the device (1 TTPs, 7 IoCs)
Application may abuse the framework's APIs to collect information about running processes on the device.
- Framework service call: android.app.IActivityManager.getRunningAppProcesses [Process: com.excean.gspace]
- Framework service call: android.app.IActivityManager.getRunningAppProcesses [Process: com.excean.gspace:lbcore]
- Framework service call: android.app.IActivityManager.getRunningAppProcesses [Process: com.excean.gspace:smtcnt]
- Framework service call: android.app.IActivityManager.getRunningAppProcesses [Process: com.excean.gspace:smtcnt]
- Framework service call: android.app.IActivityManager.getRunningAppProcesses [Process: com.excean.gspace:smtcnt]
- Framework service call: android.app.IActivityManager.getRunningAppProcesses [Process: com.excean.gspace:smtcnt]
- Framework service call: android.app.IActivityManager.getRunningAppProcesses [Process: com.excean.gspace:olle]

Queries information about the current Wi-Fi connection (1 TTPs, 1 IoCs)
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
- Framework service call: android.net.wifi.IWifiManager.getConnectionInfo [Process: com.excean.gspace:lbcore]

Queries the phone number (MSISDN for GSM devices) (1 TTPs)

Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTPs, 7 IoCs)
- Framework service call: android.app.IActivityManager.registerReceiver [Process: com.excean.gspace:smtcnt]
- Framework service call: android.app.IActivityManager.registerReceiver [Process: com.excean.gspace:olle]
- Framework service call: android.app.IActivityManager.registerReceiver [Process: com.excean.gspace]
- Framework service call: android.app.IActivityManager.registerReceiver [Process: com.excean.gspace:lbcore]
- Framework service call: android.app.IActivityManager.registerReceiver [Process: com.excean.gspace:smtcnt]
- Framework service call: android.app.IActivityManager.registerReceiver [Process: com.excean.gspace:smtcnt]
- Framework service call: android.app.IActivityManager.registerReceiver [Process: com.excean.gspace:smtcnt]

Checks if the internet connection is available (1 TTPs, 3 IoCs)
- Framework service call: android.net.IConnectivityManager.getActiveNetworkInfo [Process: com.excean.gspace:olle]
- Framework service call: android.net.IConnectivityManager.getActiveNetworkInfo [Process: com.excean.gspace]
- Framework service call: android.net.IConnectivityManager.getActiveNetworkInfo [Process: com.excean.gspace:lbcore]

Queries the unique device ID (IMEI, MEID, IMSI) (1 TTPs)

Reads information about phone network operator. (1 TTPs)

Uses Crypto APIs (Might try to encrypt user data) (1 TTPs, 2 IoCs)
- Framework API call: javax.crypto.Cipher.doFinal [Process: com.excean.gspace:olle]
- Framework API call: javax.crypto.Cipher.doFinal [Process: com.excean.gspace]
Processes

com.excean.gspace:olle (PID 4275)
  - Checks if the Android device is rooted.
  - Checks CPU information
  - Checks memory information
  - Queries information about running processes on the device
  - Registers a broadcast receiver at runtime (usually for listening for system events)
  - Checks if the internet connection is available
  - Uses Crypto APIs (Might try to encrypt user data)
    /system/bin/cat /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq (PID 4353)

com.excean.gspace (PID 4317)
  - Checks if the Android device is rooted.
  - Checks CPU information
  - Checks memory information
  - Loads dropped Dex/Jar
  - Queries information about running processes on the device
  - Registers a broadcast receiver at runtime (usually for listening for system events)
  - Checks if the internet connection is available
  - Uses Crypto APIs (Might try to encrypt user data)
    chmod 755 /data/user/0/com.excean.gspace/.platformcache/main.jar (PID 4398)
    chmod 755 /data/user/0/com.excean.gspace/.platformcache/kxqpplatform2.jar (PID 4384)
    /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.excean.gspace/.platformcache/kxqpplatform2.jar --output-vdex-fd=51 --oat-fd=54 --oat-location=/data/user/0/com.excean.gspace/.platformcache/oat/x86/kxqpplatform2.odex --compiler-filter=quicken --class-loader-context=& (PID 4422)
      - Loads dropped Dex/Jar

com.excean.gspace:lbcore (PID 4485)
  - Loads dropped Dex/Jar
  - Makes use of the framework's foreground persistence service
  - Queries information about running processes on the device
  - Queries information about the current Wi-Fi connection
  - Registers a broadcast receiver at runtime (usually for listening for system events)
  - Checks if the internet connection is available

com.excean.gspace:smtcnt (PID 4533)
  - Loads dropped Dex/Jar
  - Queries information about running processes on the device
  - Registers a broadcast receiver at runtime (usually for listening for system events)
    /system/bin/sh -c ps (PID 4607)
    ps (PID 4607)

com.excean.gspace:smtcnt (PID 4708)
  - Loads dropped Dex/Jar
  - Queries information about running processes on the device
  - Registers a broadcast receiver at runtime (usually for listening for system events)
    /system/bin/sh -c ps (PID 4743)
    ps (PID 4743)

com.excean.gspace:smtcnt (PID 4782)
  - Loads dropped Dex/Jar
  - Queries information about running processes on the device
  - Registers a broadcast receiver at runtime (usually for listening for system events)
    /system/bin/sh -c ps (PID 4820)
    ps (PID 4820)

com.excean.gspace:smtcnt (PID 4877)
  - Loads dropped Dex/Jar
  - Queries information about running processes on the device
  - Registers a broadcast receiver at runtime (usually for listening for system events)
    /system/bin/sh -c ps (PID 4915)
    ps (PID 4915)
Network
MITRE ATT&CK Mobile v15

Persistence
- Event Triggered Execution (1)
  - Broadcast Receivers (1)
- Foreground Persistence (1)

Defense Evasion
- Download New Code at Runtime (1)
- Foreground Persistence (1)
- Virtualization/Sandbox Evasion (2)
  - System Checks (2)
Downloads

Filesize: 232B
MD5: f6dd326826104c177a0f916cb433419e
SHA1: 875bee416e096960e9249a907d292661a2f4fce2
SHA256: 8d5e5f1c7660a443fc7659b27e972e579d15cca2bbf269d8d329fd3af45ca2f9
SHA512: 9ad60cd10cdfffe7c237163323c905dde70de9b4da3610806bf9a2e0be87d6eb1a4903b570113b81bd5bc8323a3697a6954b155dfd635cb81e4512490e700e1f

Filesize: 1.2MB
MD5: 0f52589f5b807ff4a58fa038c1aabec0
SHA1: 0cfe1e582d58a530838342e7ba564de6ce3c2890
SHA256: fcc2e36047fe314f96caee1b2c6b734b1bf420ddfc7fb896ffbe6176028c0599
SHA512: 849b9afef4487bbdc38b52f53d6e97ca91279357fe26258bce14dd915f3b61d06e77d6f909e046e0200b96b0b308fbb2f5550e23091a86b5b26d47518e069216

Filesize: 2KB
MD5: 03e198ddc87dd03d06c0d383ad81c905
SHA1: b7917dc00f032925ebe0e553a15bdef77420a856
SHA256: cf4fb2391c66df249a87e6e269c892cea9f3d2dae6222511ca1797c49a1d6bae
SHA512: 6bf90832d4f12c6d772d874c7be7f3e5812b8a6bb73f4a13671f672cb271eba1086597038286895d48b74b4078ce9efe3a9f4562a7a433f1a2e6b33163068523

Filesize: 512B
MD5: f1ca9ed8fa958745ff24b99457631bd1
SHA1: 115a5cb588a50adda5dfd47ec627bafcb193a4bc
SHA256: 967df474e18ebacbeb931abe793b49884ca026fb183cf318e0f833a061416433
SHA512: 9e465c868dd3378fb220daf5cd47f7cb3a144e34255d76c58156338f365091d4efed171c498fc6404c33d3da8f05e4836b4c9221b499514e3f25a9fa50369eb9

Filesize: 32KB
MD5: 35ea7dc7f56e31398d135328e1a96b0f
SHA1: 293ba80a5c07ca6a975ac7ccd64bac502f3fc409
SHA256: 8f8ec36ef1746af902512c259be01858287ac48587ffe3804987047c584f61a7
SHA512: 8e909815849d3b1afbeffe8d7e090f746badd344cda6adad0134d01cb1d63f5ea50428b859293d8b95b541370a2ac4bc60a4529f2ed1d97bafefb0f770a9e8a1

Filesize: 4KB
MD5: f2b4b0190b9f384ca885f0c8c9b14700
SHA1: 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256: 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512: ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

Filesize: 512B
MD5: 229c9187050032ab6be33e07937d2f94
SHA1: 831fed4b75c4342e5c5ab789decd3e9d11556568
SHA256: 784fe0f1a3b63f06e59304af27320276f7cbf1b0603d75113216eb1766fd8887
SHA512: 727e326777785309ad0ba6b50451611761bb4fa323d2fbe125b0846b71b3709df5d8f24cd1a55fb48393561bdd4a4245cceefa118a2c335bcfd09fbf86edfaef

Filesize: 32KB
MD5: bb7df04e1b0a2570657527a7e108ae23
SHA1: 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256: c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512: 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Filesize: 173KB
MD5: b14651681103fb426cb9de8bb2e8aef6
SHA1: 60d4542c7e44b661e9cf9b4d218eee7be8ebf91f
SHA256: 356e10d3b65f6b9f88425a37db3e42c56b013b2613854b20521956568e754fdb
SHA512: 27a3c24cb6acdadf30bac3ef7a63169fe1684aaf1ef75fdc642c0da958654bf9196b2688ea3e909a025a27c77f784d06355a06c9e06b6d64092fe86651c55532

Filesize: 16B
MD5: fb43224c2ef7d4fc01a51357dad58b5a
SHA1: 191713403ae1e3b1823b7fea401bff92e2648ba6
SHA256: 84513f60951b5c62dd14d39fc040ef49983660f5632fa0bf0384298bb6235a24
SHA512: 126e0f4eb7780682cf8163a5a5bd60c50880f04cea31ad5601da89a8cbeabc612959550a925347aabbba449629a81da1f822f103fa9bf61c9ac841adde58c946

Filesize: 1.4MB
MD5: af85f7f299ff59a3a522238744504392
SHA1: 71b89015d03510d6150d50fbb402b4e68394b1f1
SHA256: 4e02a09b4e46ca00843b00be97ac4af58530659d5e707b2bef0789da881d8efb
SHA512: b8a05cd2854c9d0997d426c1bd36d45db78621a44350e2fe232b314e15bdf19d65dc9365d968cd9034215848c12495f52ffe227b4e9fd0c4a147c9ce037cd88b

Filesize: 1.4MB
MD5: e90ba0f2b1783036dbf145ce6a7037cd
SHA1: 5a55273866ee4605cf8a3373d147c033adacdb9c
SHA256: 4c9c7e5d238a15693b4db78224ae6251ee275f903df4cb5dd460418b3a83f7a8
SHA512: d7b8e834f08dd193c7585089f48da12fbc7b6d50aea7099bf89bd2348b3ae8230c994716eb7bda0f321dbac338449aaa19be56bf22763345b0e6e5c2daf0f36f

Filesize: 1.2MB
MD5: 84cb26e38a0079ed253068d782b2526f
SHA1: 1b981429f797358e0befd13ed832db54210e8f53
SHA256: c961882aa490875f9f323c259ef20b9910110da363c1e1090e36d3a8d79f14aa
SHA512: 4a9f361b2d8f186ed2e3b49018d096c0e635d3356e376bf966e003b9b6435289bf62f13ff93104d4f8da5add81acc08013c6b00cc42e770750af1cecde4ab4d3

Filesize: 5B
MD5: f7fd7d0c50e35bd2fd02ddd47a95dbfb
SHA1: 06f7650c5a4aaa6f060487addd910bac18add2c1
SHA256: c9a1bd1ebf889c78126f22d1df2367913469619625ef48e6baae38c7b838df59
SHA512: 178d0d0b68844d5729f98ac19026f2390b6f8e5b7a61a8fd53e56af12cad7e46c7ce8bbee6328f17fba172b2870377b9a36460d4bd20ab334e8e7f02fefb1004

Filesize: 1.7MB
MD5: c1fd6a45075bd1da5a525d55a6e19fa0
SHA1: dbf9482346b8fbefe1a977e4c2458b8f699e149b
SHA256: 537568e07888c925e384e0e5ab62ea4ecd6680cae3ffeea959a20057b2057992
SHA512: d946be291c4b32430367a65760367b12569e99a3ae95f86484c1b1ee7e2e8a504b24910a37ce05d2173b965d0cf7dfcd53b0c29a127925b774f805415ba819d3

Filesize: 31B
MD5: 90236d6288cae26330e04ee57fad9899
SHA1: 22a73773ce1cbcc03cd518818b2b8f142efa59dd
SHA256: e3c535c608375477909d4fe65ddc3593c6414851f11f6537e23fae9a3f55976b
SHA512: 626f7f6a8f29495b1b37c12c230ee676057b402f815b14ad02a7cf2671c43a69ade245998b081c76f0ac5244ce1de7455fba83246876e8e65f4e9780ab25910f

Filesize: 85B
MD5: f244e3fcabcda1585c0a7efbfb611e0d
SHA1: 2c070bb2152f0650b81bdc220720043c47c30d27
SHA256: bb5026f0ff0ea3919c2d996c6a774b976c2d3e858ba619bba68a11fbc5c52cf8
SHA512: 09f1f781f413cd6a962a9ff0fa6b7e280e249ab3837096408859dc7ecf0fe5515345d68eee331b7c18d5bab54d88eaec5a46525c560f8cbf0f44bbb9ef7c531e

Filesize: 82B
MD5: 2ec293706741d024fad54968202a1506
SHA1: af87ddb2266b289b64f91c0749b6ec13e614763d
SHA256: e23bd873e98e53c0ed8b4603e6b255e2fcc1690d25a7fc6c938a2335a38eebb9
SHA512: ae783d386f91a4ade7d169149fd3903e48c447558b6e0625afd8738283a5e3d41cc0edb5fde96364bbbb801736f2fa0e07c81a831aaa75510cb49871597636a7