Analysis
- Max time kernel: 16s
- Max time network: 155s
- Platform: android_x86
- Resource: android-x86-arm-20240514-en
- Resource tags: android, arch:arm, arch:x86, image:android-x86-arm-20240514-en, locale:en-us, os:android-9-x86, system
- Submitted: 22-05-2024 08:05

Static task: static1
Behavioral task: behavioral1
- Sample: 669384b5225de10a147f7359f6b7db6a_JaffaCakes118.apk
- Resource: android-x86-arm-20240514-en
General
- Target: 669384b5225de10a147f7359f6b7db6a_JaffaCakes118.apk
- Size: 30.1MB
- MD5: 669384b5225de10a147f7359f6b7db6a
- SHA1: 7affb50ec4c8fb5928288d6fba1292319e86285c
- SHA256: c3060b02ad554a5a8da41b46dc446b054c470e29c1caa0a7060a1ab8e4f36a90
- SHA512: 70899cbcaef49deb3106cddda14f2662b9f9a98235ffa0317baaf16cf3d7a49031cc9e705c067dd3507889d13972531cf8f43faf787f7d38813658617b0b26d0
- SSDEEP: 393216:8h9jR/sY5BRGBUmemqjs9Bs9gynSbiKWjzX3NVUFmjyYIFYwNttx4EokiNokiyzr:5GBRGHDKjnSbXWT0F1Ntlo7o28Lg
Malware Config
Signatures
- Checks if the Android device is rooted. (1 TTPs, 3 IoCs)
  Processes: com.tudou.android
  IoCs (ioc, process):
    /system/app/Superuser.apk (process: com.tudou.android)
    /system/bin/su (process: com.tudou.android)
    /system/xbin/su (process: com.tudou.android)
- Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps). (1 TTPs)
- Requests cell location. (2 TTPs, 1 IoCs)
  Uses Android APIs to get the current cell location.
- Checks CPU information. (2 TTPs, 4 IoCs)
  Checks CPU information that indicates whether the system is an emulator.
  Processes: com.tudou.android, com.tudou.android:GameCenterDownloadService, com.push.Youku_PushService, com.youku.laifeng.CoreService
  IoCs (description, ioc, process):
    File opened for read: /proc/cpuinfo (process: com.tudou.android)
    File opened for read: /proc/cpuinfo (process: com.tudou.android:GameCenterDownloadService)
    File opened for read: /proc/cpuinfo (process: com.push.Youku_PushService)
    File opened for read: /proc/cpuinfo (process: com.youku.laifeng.CoreService)
- Checks memory information. (2 TTPs, 4 IoCs)
  Checks memory information that indicates whether the system is an emulator.
  Processes: com.push.Youku_PushService, com.tudou.android, com.tudou.android:GameCenterDownloadService, com.youku.laifeng.CoreService
  IoCs (description, ioc, process):
    File opened for read: /proc/meminfo (process: com.push.Youku_PushService)
    File opened for read: /proc/meminfo (process: com.tudou.android)
    File opened for read: /proc/meminfo (process: com.tudou.android:GameCenterDownloadService)
    File opened for read: /proc/meminfo (process: com.youku.laifeng.CoreService)
- Queries information about running processes on the device. (1 TTPs, 4 IoCs)
  The application may abuse the framework's APIs to collect information about running processes on the device.
  Processes: com.tudou.android, com.tudou.android:GameCenterDownloadService, com.push.Youku_PushService, com.youku.laifeng.CoreService
  IoCs (description, ioc, process):
    Framework service call: android.app.IActivityManager.getRunningAppProcesses (process: com.tudou.android)
    Framework service call: android.app.IActivityManager.getRunningAppProcesses (process: com.tudou.android:GameCenterDownloadService)
    Framework service call: android.app.IActivityManager.getRunningAppProcesses (process: com.push.Youku_PushService)
    Framework service call: android.app.IActivityManager.getRunningAppProcesses (process: com.youku.laifeng.CoreService)
- Queries information about the current Wi-Fi connection. (1 TTPs, 4 IoCs)
  The application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
  Processes: com.tudou.android, com.tudou.android:GameCenterDownloadService, com.push.Youku_PushService, com.youku.laifeng.CoreService
  IoCs (description, ioc, process):
    Framework service call: android.net.wifi.IWifiManager.getConnectionInfo (process: com.tudou.android)
    Framework service call: android.net.wifi.IWifiManager.getConnectionInfo (process: com.tudou.android:GameCenterDownloadService)
    Framework service call: android.net.wifi.IWifiManager.getConnectionInfo (process: com.push.Youku_PushService)
    Framework service call: android.net.wifi.IWifiManager.getConnectionInfo (process: com.youku.laifeng.CoreService)
- Queries the phone number (MSISDN for GSM devices). (1 TTPs)
- Registers a broadcast receiver at runtime (usually for listening for system events). (1 TTPs, 3 IoCs)
  Processes: com.tudou.android, com.tudou.android:GameCenterDownloadService, com.push.Youku_PushService
  IoCs (description, ioc, process):
    Framework service call: android.app.IActivityManager.registerReceiver (process: com.tudou.android)
    Framework service call: android.app.IActivityManager.registerReceiver (process: com.tudou.android:GameCenterDownloadService)
    Framework service call: android.app.IActivityManager.registerReceiver (process: com.push.Youku_PushService)
- Checks if the internet connection is available. (1 TTPs, 4 IoCs)
  Processes: com.tudou.android, com.tudou.android:GameCenterDownloadService, com.push.Youku_PushService, com.youku.laifeng.CoreService
  IoCs (description, ioc, process):
    Framework service call: android.net.IConnectivityManager.getActiveNetworkInfo (process: com.tudou.android)
    Framework service call: android.net.IConnectivityManager.getActiveNetworkInfo (process: com.tudou.android:GameCenterDownloadService)
    Framework service call: android.net.IConnectivityManager.getActiveNetworkInfo (process: com.push.Youku_PushService)
    Framework service call: android.net.IConnectivityManager.getActiveNetworkInfo (process: com.youku.laifeng.CoreService)
- Reads information about the phone network operator. (1 TTPs)
- Uses Crypto APIs (might try to encrypt user data). (1 TTPs, 2 IoCs)
  Processes: com.tudou.android, com.push.Youku_PushService
  IoCs (description, ioc, process):
    Framework API call: javax.crypto.Cipher.doFinal (process: com.tudou.android)
    Framework API call: javax.crypto.Cipher.doFinal (process: com.push.Youku_PushService)
Processes (depth 1 = top-level process, depth 2 = child)
- com.tudou.android (depth 1)
  Signatures:
  - Checks if the Android device is rooted.
  - Requests cell location
  - Checks CPU information
  - Checks memory information
  - Queries information about running processes on the device
  - Queries information about the current Wi-Fi connection
  - Registers a broadcast receiver at runtime (usually for listening for system events)
  - Checks if the internet connection is available
  - Uses Crypto APIs (Might try to encrypt user data)
  Children:
  - sh -c netstat (depth 2)
  - netstat (depth 2)
- com.tudou.android:GameCenterDownloadService (depth 1)
  Signatures:
  - Checks CPU information
  - Checks memory information
  - Queries information about running processes on the device
  - Queries information about the current Wi-Fi connection
  - Registers a broadcast receiver at runtime (usually for listening for system events)
  - Checks if the internet connection is available
  Children:
  - /system/bin/cat /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq (depth 2)
- com.push.Youku_PushService (depth 1)
  Signatures:
  - Checks CPU information
  - Checks memory information
  - Queries information about running processes on the device
  - Queries information about the current Wi-Fi connection
  - Registers a broadcast receiver at runtime (usually for listening for system events)
  - Checks if the internet connection is available
  - Uses Crypto APIs (Might try to encrypt user data)
  Children:
  - /system/bin/cat /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq (depth 2)
- com.youku.laifeng.CoreService (depth 1)
  Signatures:
  - Checks CPU information
  - Checks memory information
  - Queries information about running processes on the device
  - Queries information about the current Wi-Fi connection
  - Checks if the internet connection is available
  Children:
  - /system/bin/cat /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq (depth 2)
Downloads
- /data/data/com.tudou.android/databases/game_center.db-journal
  Filesize: 256KB
  MD5: f30a8b2f91273240fea6523a5d8981cb
  SHA1: 4ebe6b79f401c6c388e188ff19e8d9434e9ea75d
  SHA256: 4b848581607967d9566a83fa1492d69b21897ecb53de164db76d240cc0cdbe07
  SHA512: 8545703cc58c22081481431cca26e81d132148a9d31ecd0e5298576e1506f00a6d81342b72e200abb8b81abc9c1a5024af51d75661aefbd87db8b321be506dd3
- /storage/emulated/0/Android/data/com.tudou.android/cache/tudou/video_cache/NA/ScaIHT
  Filesize: 256KB
  MD5: b5671c6f515e7c1879954480a4c13b0e
  SHA1: 5434434064d10b8de9996ea0e877bb0355d6815e
  SHA256: ed35b25198fdbd6beba243df53d9315835ab3ba561c05feef2cb6d0354dd78b0
  SHA512: 769dc80fc9d78f9381bab2bc047a9691d464d24d9bdbbc9042e532a2ab1bfbcdcd86397085ca00161971730478b50a2fbc288d9f4fc18cd8dec5d24d8b380a8b
- /storage/emulated/0/Android/data/com.tudou.android/cache/tudou/video_cache/NA/n0DYo0
  Filesize: 256KB
  MD5: e8a09564f28da18aaa33d1ee114104f3
  SHA1: 39faa8b569749d2c3a3c13c4edd13d527b534ef9
  SHA256: d3555a70d50c2ce28b9c08152fc438487db20eac84bd9c7f9ea81078c11e54a7
  SHA512: acdc44f2ba369f2cc51e808fa1b45ed30b4d29a46c72393b24b44f65e8f1a38ecafe72c82de1b2389e8be45987ebcdc1ac15c0783ed2d335ed7f89282535952e