c3bf4bea9d57ac1d1a1ac6132967f3b4ced8930ca84753a50c982f6aa5d819ed

Analysis

max time kernel
50s
max time network
141s
platform
android_x64
resource
android-x64-arm64-20240514-en
resource tags

androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240514-enlocale:en-usos:android-11-x64system
submitted
22-05-2024 13:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

676de1ccdd5f6903223a8fdef576a160_JaffaCakes118.apk
Size

1.6MB
MD5

676de1ccdd5f6903223a8fdef576a160
SHA1

a15e58ea0fb6a13e68f107b74b56766deef4e4e0
SHA256

c3bf4bea9d57ac1d1a1ac6132967f3b4ced8930ca84753a50c982f6aa5d819ed
SHA512

da5d4ebe0f6ab42c1e8f9b8008599ea53454608908deae9ba8a7537347c071a8272bc6d9575fbfda2a0d1a0d721ff1627817d621ea52a3762830617c03eff0af
SSDEEP

24576:ERx2F5mWlHY02U7mokJlhv79uSXvBQKHJfiIzkPySm02xA5ZpGWSG9vGtt48M:EH2F75Y02Dlhv79uSfympgqSm02We1G

Score

8^/10

collection credential_access discovery evasion persistence stealth trojan

Malware Config

Signatures

Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

T1516

T1513

T1417.001

T1417.002

Processes:

xqxxuiz.msdcfphykahx.uanptwppgkrh

description	ioc	process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	xqxxuiz.msdcfphykahx.uanptwppgkrh
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText	xqxxuiz.msdcfphykahx.uanptwppgkrh

Removes its main activity from the application launcher 1 TTPs 1 IoCs
stealth trojan evasion

T1628.001

Processes:

xqxxuiz.msdcfphykahx.uanptwppgkrh

pid process

4526 xqxxuiz.msdcfphykahx.uanptwppgkrh

pid	process
4526	xqxxuiz.msdcfphykahx.uanptwppgkrh

Loads dropped Dex/Jar 1 TTPs 3 IoCs

Runs executable file dropped to the device during analysis.

evasion

T1407

Processes:

xqxxuiz.msdcfphykahx.uanptwppgkrh

ioc	pid	process
/data/user/0/xqxxuiz.msdcfphykahx.uanptwppgkrh/app_DynamicOptDex/zijfksgpbdc	4526	xqxxuiz.msdcfphykahx.uanptwppgkrh
[anon:dalvik-classes.dex extracted in memory from /data/user/0/xqxxuiz.msdcfphykahx.uanptwppgkrh/app_DynamicOptDex/zijfksgpbdc]	4526	xqxxuiz.msdcfphykahx.uanptwppgkrh
[anon:dalvik-classes.dex extracted in memory from /data/user/0/xqxxuiz.msdcfphykahx.uanptwppgkrh/app_DynamicOptDex/zijfksgpbdc]	4526	xqxxuiz.msdcfphykahx.uanptwppgkrh

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
evasion persistence

T1541

Processes:

xqxxuiz.msdcfphykahx.uanptwppgkrh

description ioc process

Framework service call android.app.IActivityManager.setServiceForeground xqxxuiz.msdcfphykahx.uanptwppgkrh
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
discovery

T1422

Processes:

xqxxuiz.msdcfphykahx.uanptwppgkrh

description ioc process

Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone xqxxuiz.msdcfphykahx.uanptwppgkrh
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

T1422
Requests enabling of the accessibility settings. 1 IoCs

Processes:

xqxxuiz.msdcfphykahx.uanptwppgkrh

description ioc process

Intent action android.settings.ACCESSIBILITY_SETTINGS xqxxuiz.msdcfphykahx.uanptwppgkrh
Acquires the wake lock 1 IoCs

Processes:

xqxxuiz.msdcfphykahx.uanptwppgkrh

description ioc process

Framework service call android.os.IPowerManager.acquireWakeLock xqxxuiz.msdcfphykahx.uanptwppgkrh
Checks if the internet connection is available 1 TTPs 1 IoCs
discovery

T1421

Processes:

xqxxuiz.msdcfphykahx.uanptwppgkrh

description ioc process

Framework service call android.net.IConnectivityManager.getActiveNetworkInfo xqxxuiz.msdcfphykahx.uanptwppgkrh
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
evasion

T1628.002

Processes:

xqxxuiz.msdcfphykahx.uanptwppgkrh

description ioc process

Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS xqxxuiz.msdcfphykahx.uanptwppgkrh
Listens for changes in the sensor environment (might be used to detect emulation) 1 TTPs 1 IoCs
evasion

T1628.002

Processes:

xqxxuiz.msdcfphykahx.uanptwppgkrh

description ioc process

Framework API call android.hardware.SensorManager.registerListener xqxxuiz.msdcfphykahx.uanptwppgkrh

description	ioc	process
Framework service call	android.app.IActivityManager.setServiceForeground	xqxxuiz.msdcfphykahx.uanptwppgkrh

description	ioc	process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	xqxxuiz.msdcfphykahx.uanptwppgkrh

description	ioc	process
Intent action	android.settings.ACCESSIBILITY_SETTINGS	xqxxuiz.msdcfphykahx.uanptwppgkrh

description	ioc	process
Framework service call	android.os.IPowerManager.acquireWakeLock	xqxxuiz.msdcfphykahx.uanptwppgkrh

description	ioc	process
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	xqxxuiz.msdcfphykahx.uanptwppgkrh

description	ioc	process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	xqxxuiz.msdcfphykahx.uanptwppgkrh

description	ioc	process
Framework API call	android.hardware.SensorManager.registerListener	xqxxuiz.msdcfphykahx.uanptwppgkrh

xqxxuiz.msdcfphykahx.uanptwppgkrh
1⤵
- Makes use of the framework's Accessibility service
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's foreground persistence service
- Queries the mobile country code (MCC)
- Requests enabling of the accessibility settings.
- Acquires the wake lock
- Checks if the internet connection is available
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Listens for changes in the sensor environment (might be used to detect emulation)
PID:4526

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/xqxxuiz.msdcfphykahx.uanptwppgkrh/app_DynamicOptDex/oat/zijfksgpbdc.cur.prof
Filesize
250B

MD5
b3ab21d95256ba406d74075127555984

SHA1
b64f6a9951b8361f7fd235cfae25228bc972ef8a

SHA256
d72e723e110931ec47ee3bad610d7bbbb41fbdbfdf21c5a53f366633da7bb029

SHA512
2361bac501098e22261a23b009fa8c43e1193a6dec5858dd71563caf7ec00abaf276f016c18f87c6c410a8f500eb979c316723db5fedb7758f9a158756a9a145

Download Submit
/data/user/0/xqxxuiz.msdcfphykahx.uanptwppgkrh/app_DynamicOptDex/zijfksgpbdc
Filesize
275KB

MD5
abd19690bd4cd05ca98a566a7fe4d557

SHA1
ce029ac4c59353df2ce4cd7ca8e4e5a9f4dac16a

SHA256
8b7bc1673a915853b7a849e2ee2e68a812564588103a7d6cdede905b4a5b502d

SHA512
4be945568e6adcbd395aa3fe011e25443a1904421222d6dcae622efedba38abde45d5fcb794a4a3bddc859124747babfc9359505d4882e85e6c42d72fe33d849

Download Submit
/data/user/0/xqxxuiz.msdcfphykahx.uanptwppgkrh/app_DynamicOptDex/zijfksgpbdc
Filesize
275KB

MD5
4780a37e525123b13fa158914394bbcc

SHA1
cd004f6d3dff23e776520a81ecbd47f6f03f8761

SHA256
3e590545bcfe6bed7085bd65f713c97eb21169098c8bdab38aab7adad1d966a2

SHA512
5e1690a9f81fab02489ef3561d966f21a18588ced06b30a1f45836bf0f52a246144559d5f0fb289b7a14ed4dba7b864071d2ac08d0fec72c220e87c85b439f10

Download Submit
/data/user/0/xqxxuiz.msdcfphykahx.uanptwppgkrh/app_DynamicOptDex/zijfksgpbdc
Filesize
409KB

MD5
7ddd2875efeedc769bbf25e30bf87e7f

SHA1
699b1097d2e14088d24bcd622580d3665a822a49

SHA256
ae32636299b27f1e7166b2854778bc1ddb31504d4e089cff03fb8ef79533b43c

SHA512
0a6892cb3ef38a911c4c80905d2da454e502d7e442c23ea0217b1fe6ae8ab4329490a1367d70d36630be33702ff2dbdc7f9bbcee805974d3c84dd252ab2f9988

Download Submit