7851e04754c8797abd29e2e5d2c7f265e0469d33815b0cb70490537631773b5b

General

Target

66c9c2f489654bba512b837783e302ac_JaffaCakes118.apk
Size

351KB
MD5

66c9c2f489654bba512b837783e302ac
SHA1

48f09df77f0b4dc3f748251bf8eae676fd6845e0
SHA256

7851e04754c8797abd29e2e5d2c7f265e0469d33815b0cb70490537631773b5b
SHA512

f382245953514247ce88a1b4cfa5d1ef3c96870656a3574f0b6fe2b337628ea277ef4e1923601746a4dea9631ca4ebe960d2448f07fa0a8342b140e7c7d1b3e3
SSDEEP

6144:PN8rv7l7HNc31/qcjju1Se/tBSDjPvT55E+08VSnQ/kgXSjJjYjSHhXHaQN2R:PIRHiQcjjut/tBSvPb55tVAQ/l6jY61q

Score

7^/10

collection credential_access discovery evasion impact persistence

Malware Config

Signatures

Checks CPU information 2 TTPs 1 IoCs
Checks CPU information which indicate if the system is an emulator.
evasion discovery

System Checks
T1633.001

System Information Discovery
T1426

Processes:

mark.via.gq

description ioc process

File opened for read /proc/cpuinfo mark.via.gq
Checks memory information 2 TTPs 1 IoCs
Checks memory information which indicate if the system is an emulator.
evasion discovery

System Checks
T1633.001

System Information Discovery
T1426

Processes:

mark.via.gq

description ioc process

File opened for read /proc/meminfo mark.via.gq
Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs
Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
collection credential_access impact

Clipboard Data
T1414

Transmitted Data Manipulation
T1641.001

Processes:

mark.via.gq

description ioc process

Framework service call android.content.IClipboard.addPrimaryClipChangedListener mark.via.gq
Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
discovery

System Network Connections Discovery
T1421

Processes:

mark.via.gq

description ioc process

Framework service call android.net.wifi.IWifiManager.getConnectionInfo mark.via.gq
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
discovery

System Network Configuration Discovery
T1422

Processes:

mark.via.gq

description ioc process

Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone mark.via.gq
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
persistence

Broadcast Receivers
T1624.001

Processes:

mark.via.gq

description ioc process

Framework service call android.app.IActivityManager.registerReceiver mark.via.gq
Checks if the internet connection is available 1 TTPs 1 IoCs
discovery

System Network Connections Discovery
T1421

Processes:

mark.via.gq

description ioc process

Framework service call android.net.IConnectivityManager.getActiveNetworkInfo mark.via.gq
Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
discovery

System Network Configuration Discovery
T1422

description	ioc	process
File opened for read	/proc/cpuinfo	mark.via.gq

description	ioc	process
File opened for read	/proc/meminfo	mark.via.gq

description	ioc	process
Framework service call	android.content.IClipboard.addPrimaryClipChangedListener	mark.via.gq

description	ioc	process
Framework service call	android.net.wifi.IWifiManager.getConnectionInfo	mark.via.gq

description	ioc	process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	mark.via.gq

description	ioc	process
Framework service call	android.app.IActivityManager.registerReceiver	mark.via.gq

description	ioc	process
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	mark.via.gq

mark.via.gq
1⤵
- Checks CPU information
- Checks memory information
- Obtains sensitive information copied to the device clipboard
- Queries information about the current Wi-Fi connection
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Checks if the internet connection is available
PID:5098

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

1

T1624

Broadcast Receivers

1

T1624.001

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

2

T1633

System Checks

2

T1633.001

Credential Access

Clipboard Data

1

T1414

Discovery

System Information Discovery

2

T1426

System Network Configuration Discovery

2

T1422

System Network Connections Discovery

2

T1421

Lateral Movement

Collection

Clipboard Data

1

T1414

Command and Control

Exfiltration

Impact

Data Manipulation

1

T1641

Transmitted Data Manipulation

1

T1641.001

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/mark.via.gq/databases/via
Filesize
28KB

MD5
8b22ddafd73d169b9accb6e2b3d6a354

SHA1
c34800e45fe81c27f044ae9cbbb3ef5466c361a4

SHA256
4376bc40d06dd0f0db476a6ddae1e441308cb84684aba476626ddf535e4845ad

SHA512
55492986a32bd68df7f05c60d96ba35ddfe494dcc8854e114d3fdee21e5ff579251bc47235e6e596ef5845b39da2065ea8d82aad476870efe0eac642f795b96e

Download Submit
/data/data/mark.via.gq/databases/via-journal
Filesize
512B

MD5
cefb357f3947566c272573fe75c54de7

SHA1
81a527d30cabe93c126f51f7c55115a82a56ff20

SHA256
fea8066fc58f05902f4b5a314c42293d1712af5d97d39a7ea6fd06f12d4a50aa

SHA512
6f3dde1b8900da18389b1c1a13da635c9068ab56e831748f75a6bb2079ff9ce139fee9022103c1373e7b86a37682762be3a082072b8e24649edcd1c02cc32ae9

Download Submit
/data/data/mark.via.gq/databases/via-journal
Filesize
8KB

MD5
aa377d37ab5fed330671c8ebedac822d

SHA1
e6c6f00aba49cfab5a21e0a644e48b872e1d25de

SHA256
27ce2c859e30835e111afbc05cb4fe62eca8c1c4fd68c4ab0283ec2c34e5aa35

SHA512
2ca039a74054ff88c43e422b4ece8aae6595426c3dbb2c9d0c3c5019101209129e21af7960e51eb9865666fbf9b0b8ba895328f7d48aa90adc50be4d63d4cb39

Download Submit
/data/data/mark.via.gq/databases/via-journal
Filesize
8KB

MD5
5d48303c828e2d3aca62ec7647192514

SHA1
8acbb74ba2735e7a904a771e632c0b6c1fe7f5a1

SHA256
4d36efc253809a0f1608281e3779b1aae64943b6cb7e35c58180943f7c683d70

SHA512
8054ffe41fb8d3c4c423d42d8f2e4ddce12b20a22c196bc4cafbe92c27102b93832a397a656e6dc5db15f60695d99a669314e4d9eb57c93a0f81600357cfc199

Download Submit
/data/data/mark.via.gq/files/about.html
Filesize
1KB

MD5
f3ac5c210c5ee1b39ffc192f5ddee887

SHA1
fcdfc269f609b9434a83f473ad5eaa44a7faca12

SHA256
1623f8e485b5be3591c5e97abd6525e1c3d5d66ebd71906aa2afec38594c9eaf

SHA512
e70053d6994f18e86721cdc8edd9107c7893365340872184b4663a885e20295dbbde2af6ba8a6fdbca2f3f54d86032cd360f4b972ede51f13f11f4b7d600521a

Download Submit
/data/data/mark.via.gq/files/homepage.html
Filesize
3KB

MD5
d48ccc02f532e4727897bd39d5b40ef2

SHA1
b507f56e90860728224f2f327ca8ba28d250911e

SHA256
dd585710bc352eaad39344010cd11a10d8754828c419373248210a5fd87568b0

SHA512
3f2e28e19284099a7011fcd2477b9bb48cd2f50846bfa1c23a9a28643381b45f3add4f4387b0d890fa706494df9cb400cf41f3d6495b677110a48f3da3a4e002

Download Submit
/data/data/mark.via.gq/files/iflytek_cached_mark.via.gq
Filesize
69B

MD5
2c1fb4db1116928dcd4bec86ee25100c

SHA1
14add22009c3233be2a3a7b9b95f17e6d50ba8f3

SHA256
af492e6cf5673311131dd0b79f9f3bcc035c48fc787c5724dba50128df0eb880

SHA512
bec6cf9998c8a61c4c20b3456d04c4f6f2a84df2bbc8d6be23fa60b9102374d6377076bbea768a7c4fe8ff0e8f34fad9e8e71b1d188fe959c6400ecb2e0bb1ef

Download Submit

Analysis

Sharing