c3060b02ad554a5a8da41b46dc446b054c470e29c1caa0a7060a1ab8e4f36a90

General

Target

669384b5225de10a147f7359f6b7db6a_JaffaCakes118.apk
Size

30.1MB
MD5

669384b5225de10a147f7359f6b7db6a
SHA1

7affb50ec4c8fb5928288d6fba1292319e86285c
SHA256

c3060b02ad554a5a8da41b46dc446b054c470e29c1caa0a7060a1ab8e4f36a90
SHA512

70899cbcaef49deb3106cddda14f2662b9f9a98235ffa0317baaf16cf3d7a49031cc9e705c067dd3507889d13972531cf8f43faf787f7d38813658617b0b26d0
SSDEEP

393216:8h9jR/sY5BRGBUmemqjs9Bs9gynSbiKWjzX3NVUFmjyYIFYwNttx4EokiNokiyzr:5GBRGHDKjnSbXWT0F1Ntlo7o28Lg

Score

8^/10

banker collection discovery evasion impact persistence

Malware Config

Signatures

Checks if the Android device is rooted. 1 TTPs 3 IoCs
evasion

T1426

Processes:

com.tudou.android

ioc process

/system/app/Superuser.apk com.tudou.android
/system/bin/su com.tudou.android
/system/xbin/su com.tudou.android
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

T1418.001
Requests cell location 2 TTPs 1 IoCs
Uses Android APIs to to get current cell location.
collection discovery evasion

T1430

T1627.001

Processes:

com.tudou.android

description ioc process

Framework service call com.android.internal.telephony.ITelephony.getCellLocation com.tudou.android

ioc	process
/system/app/Superuser.apk	com.tudou.android
/system/bin/su	com.tudou.android
/system/xbin/su	com.tudou.android

description	ioc	process
Framework service call	com.android.internal.telephony.ITelephony.getCellLocation	com.tudou.android

Checks CPU information 2 TTPs 4 IoCs

Checks CPU information which indicate if the system is an emulator.

evasion discovery

T1633.001

T1426

Processes:

com.tudou.androidcom.tudou.android:GameCenterDownloadServicecom.push.Youku_PushServicecom.youku.laifeng.CoreService

description	ioc	process
File opened for read	/proc/cpuinfo	com.tudou.android
File opened for read	/proc/cpuinfo	com.tudou.android:GameCenterDownloadService
File opened for read	/proc/cpuinfo	com.push.Youku_PushService
File opened for read	/proc/cpuinfo	com.youku.laifeng.CoreService

Checks memory information 2 TTPs 4 IoCs

Checks memory information which indicate if the system is an emulator.

evasion discovery

T1633.001

T1426

Processes:

com.push.Youku_PushServicecom.tudou.androidcom.tudou.android:GameCenterDownloadServicecom.youku.laifeng.CoreService

description	ioc	process
File opened for read	/proc/meminfo	com.push.Youku_PushService
File opened for read	/proc/meminfo	com.tudou.android
File opened for read	/proc/meminfo	com.tudou.android:GameCenterDownloadService
File opened for read	/proc/meminfo	com.youku.laifeng.CoreService

Queries information about running processes on the device 1 TTPs 4 IoCs

Application may abuse the framework's APIs to collect information about running processes on the device.

discovery

T1424

Processes:

com.tudou.androidcom.tudou.android:GameCenterDownloadServicecom.push.Youku_PushServicecom.youku.laifeng.CoreService

description	ioc	process
Framework service call	android.app.IActivityManager.getRunningAppProcesses	com.tudou.android
Framework service call	android.app.IActivityManager.getRunningAppProcesses	com.tudou.android:GameCenterDownloadService
Framework service call	android.app.IActivityManager.getRunningAppProcesses	com.push.Youku_PushService
Framework service call	android.app.IActivityManager.getRunningAppProcesses	com.youku.laifeng.CoreService

Queries information about the current Wi-Fi connection 1 TTPs 4 IoCs

Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

discovery

T1421

Processes:

com.tudou.androidcom.tudou.android:GameCenterDownloadServicecom.push.Youku_PushServicecom.youku.laifeng.CoreService

description	ioc	process
Framework service call	android.net.wifi.IWifiManager.getConnectionInfo	com.tudou.android
Framework service call	android.net.wifi.IWifiManager.getConnectionInfo	com.tudou.android:GameCenterDownloadService
Framework service call	android.net.wifi.IWifiManager.getConnectionInfo	com.push.Youku_PushService
Framework service call	android.net.wifi.IWifiManager.getConnectionInfo	com.youku.laifeng.CoreService

Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

T1422

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 3 IoCs

persistence

T1624.001

Processes:

com.tudou.androidcom.tudou.android:GameCenterDownloadServicecom.push.Youku_PushService

description	ioc	process
Framework service call	android.app.IActivityManager.registerReceiver	com.tudou.android
Framework service call	android.app.IActivityManager.registerReceiver	com.tudou.android:GameCenterDownloadService
Framework service call	android.app.IActivityManager.registerReceiver	com.push.Youku_PushService

Checks if the internet connection is available 1 TTPs 4 IoCs

discovery

T1421

Processes:

com.tudou.androidcom.tudou.android:GameCenterDownloadServicecom.push.Youku_PushServicecom.youku.laifeng.CoreService

description	ioc	process
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.tudou.android
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.tudou.android:GameCenterDownloadService
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.push.Youku_PushService
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.youku.laifeng.CoreService

Reads information about phone network operator. 1 TTPs
discovery

T1422

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 2 IoCs

impact

T1471

Processes:

com.tudou.androidcom.push.Youku_PushService

description	ioc	process
Framework API call	javax.crypto.Cipher.doFinal	com.tudou.android
Framework API call	javax.crypto.Cipher.doFinal	com.push.Youku_PushService

com.tudou.android
1⤵
- Checks if the Android device is rooted.
- Requests cell location
- Checks CPU information
- Checks memory information
- Queries information about running processes on the device
- Queries information about the current Wi-Fi connection
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Checks if the internet connection is available
- Uses Crypto APIs (Might try to encrypt user data)
PID:4344

sh -c netstat
2⤵
PID:4539

netstat
2⤵
PID:4539

com.tudou.android:GameCenterDownloadService
1⤵
- Checks CPU information
- Checks memory information
- Queries information about running processes on the device
- Queries information about the current Wi-Fi connection
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Checks if the internet connection is available
PID:4497

/system/bin/cat /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq
2⤵
PID:4677

com.push.Youku_PushService
1⤵
- Checks CPU information
- Checks memory information
- Queries information about running processes on the device
- Queries information about the current Wi-Fi connection
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Checks if the internet connection is available
- Uses Crypto APIs (Might try to encrypt user data)
PID:4623

/system/bin/cat /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq
2⤵
PID:4793

com.youku.laifeng.CoreService
1⤵
- Checks CPU information
- Checks memory information
- Queries information about running processes on the device
- Queries information about the current Wi-Fi connection
- Checks if the internet connection is available
PID:4634

/system/bin/cat /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq
2⤵
PID:4800

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.tudou.android/databases/game_center.db-journal
Filesize
256KB

MD5
f30a8b2f91273240fea6523a5d8981cb

SHA1
4ebe6b79f401c6c388e188ff19e8d9434e9ea75d

SHA256
4b848581607967d9566a83fa1492d69b21897ecb53de164db76d240cc0cdbe07

SHA512
8545703cc58c22081481431cca26e81d132148a9d31ecd0e5298576e1506f00a6d81342b72e200abb8b81abc9c1a5024af51d75661aefbd87db8b321be506dd3

Download Submit
/storage/emulated/0/Android/data/com.tudou.android/cache/tudou/video_cache/NA/ScaIHT
Filesize
256KB

MD5
b5671c6f515e7c1879954480a4c13b0e

SHA1
5434434064d10b8de9996ea0e877bb0355d6815e

SHA256
ed35b25198fdbd6beba243df53d9315835ab3ba561c05feef2cb6d0354dd78b0

SHA512
769dc80fc9d78f9381bab2bc047a9691d464d24d9bdbbc9042e532a2ab1bfbcdcd86397085ca00161971730478b50a2fbc288d9f4fc18cd8dec5d24d8b380a8b

Download Submit
/storage/emulated/0/Android/data/com.tudou.android/cache/tudou/video_cache/NA/n0DYo0
Filesize
256KB

MD5
e8a09564f28da18aaa33d1ee114104f3

SHA1
39faa8b569749d2c3a3c13c4edd13d527b534ef9

SHA256
d3555a70d50c2ce28b9c08152fc438487db20eac84bd9c7f9ea81078c11e54a7

SHA512
acdc44f2ba369f2cc51e808fa1b45ed30b4d29a46c72393b24b44f65e8f1a38ecafe72c82de1b2389e8be45987ebcdc1ac15c0783ed2d335ed7f89282535952e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads