1f31fa819f7a182e880a7a7a29f25fb628bfd3d774d655d2a1b96cd5968a6f72

General

Target

67f2a774c857d13f7480abf7e1f6e74c_JaffaCakes118.apk
Size

4.8MB
MD5

67f2a774c857d13f7480abf7e1f6e74c
SHA1

1755dcd246e34b417c3fdd9ec31b353a62b61b1a
SHA256

1f31fa819f7a182e880a7a7a29f25fb628bfd3d774d655d2a1b96cd5968a6f72
SHA512

6fc8ae5b347ff98f746cb9aff851de1b3f7e29de7b8efcc7a5195cc29cecf15d7994d90307a907612a927fd3a74291c5cff8d1392b28e3ab84da0e742e134d4b
SSDEEP

98304:OlXjWgwd0cA8PUXcRFLpuGCLydaMwafNHnvk6JQ:Owd5A8PWiFMPmdSUdFJQ

Score

8^/10

discovery evasion impact persistence

Malware Config

Signatures

Checks if the Android device is rooted. 1 TTPs 2 IoCs
evasion

System Information Discovery
T1426

Processes:

/system/bin/sh -c type sucom.jpgame.zasg

ioc process

/sbin/su /system/bin/sh -c type su
/system/app/Superuser.apk com.jpgame.zasg
Checks CPU information 2 TTPs 1 IoCs
Checks CPU information which indicate if the system is an emulator.
evasion discovery

System Checks
T1633.001

System Information Discovery
T1426

Processes:

com.jpgame.zasg

description ioc process

File opened for read /proc/cpuinfo com.jpgame.zasg
Checks memory information 2 TTPs 1 IoCs
Checks memory information which indicate if the system is an emulator.
evasion discovery

System Checks
T1633.001

System Information Discovery
T1426

Processes:

com.jpgame.zasg

description ioc process

File opened for read /proc/meminfo com.jpgame.zasg
Queries information about running processes on the device 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about running processes on the device.
discovery

Process Discovery
T1424

Processes:

com.jpgame.zasg

description ioc process

Framework service call android.app.IActivityManager.getRunningAppProcesses com.jpgame.zasg
Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
discovery

System Network Connections Discovery
T1421

Processes:

com.jpgame.zasg

description ioc process

Framework service call android.net.wifi.IWifiManager.getConnectionInfo com.jpgame.zasg
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
discovery

System Network Configuration Discovery
T1422

Processes:

com.jpgame.zasg

description ioc process

Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone com.jpgame.zasg
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
persistence

Broadcast Receivers
T1624.001

Processes:

com.jpgame.zasg

description ioc process

Framework service call android.app.IActivityManager.registerReceiver com.jpgame.zasg
Checks if the internet connection is available 1 TTPs 1 IoCs
discovery

System Network Connections Discovery
T1421

Processes:

com.jpgame.zasg

description ioc process

Framework service call android.net.IConnectivityManager.getActiveNetworkInfo com.jpgame.zasg
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
impact

Data Encrypted for Impact
T1471

Processes:

com.jpgame.zasg

description ioc process

Framework API call javax.crypto.Cipher.doFinal com.jpgame.zasg

ioc	process
/sbin/su	/system/bin/sh -c type su
/system/app/Superuser.apk	com.jpgame.zasg

description	ioc	process
File opened for read	/proc/cpuinfo	com.jpgame.zasg

description	ioc	process
File opened for read	/proc/meminfo	com.jpgame.zasg

description	ioc	process
Framework service call	android.app.IActivityManager.getRunningAppProcesses	com.jpgame.zasg

description	ioc	process
Framework service call	android.net.wifi.IWifiManager.getConnectionInfo	com.jpgame.zasg

description	ioc	process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.jpgame.zasg

description	ioc	process
Framework service call	android.app.IActivityManager.registerReceiver	com.jpgame.zasg

description	ioc	process
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.jpgame.zasg

description	ioc	process
Framework API call	javax.crypto.Cipher.doFinal	com.jpgame.zasg

com.jpgame.zasg
1⤵
- Checks if the Android device is rooted.
- Checks CPU information
- Checks memory information
- Queries information about running processes on the device
- Queries information about the current Wi-Fi connection
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Checks if the internet connection is available
- Uses Crypto APIs (Might try to encrypt user data)
PID:4263

/system/bin/sh -c type su
2⤵
- Checks if the Android device is rooted.
PID:4452

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

1

T1624

Broadcast Receivers

1

T1624.001

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

2

T1633

System Checks

2

T1633.001

Credential Access

Discovery

Process Discovery

1

T1424

System Information Discovery

3

T1426

System Network Configuration Discovery

2

T1422

System Network Connections Discovery

2

T1421

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

1

T1471

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.jpgame.zasg/app_crashrecord/1004
Filesize
58B

MD5
0d210bfb2a0e1f1b4c082a6a0f79de07

SHA1
bb8ed9e364db79d1d9f2fcde3f15091893222faa

SHA256
988722c23d78a46021d0e7ca9deee7aa8bb83288269174ffacb7316f381cca1d

SHA512
536e9867b0df29b15b789f8949be6ab37fcdeccb9d39ded981da7dc2052c9533d0ec0e6f9a5444132977605d372e1463d91bdde41b528ff2ca3f65ab152325c1

Download Submit
/data/data/com.jpgame.zasg/app_crashrecord/1004
Filesize
224B

MD5
47400cb7d5531ef6c540879dc32b5524

SHA1
2fbadd527b53779b113556777befed2c70088722

SHA256
e2b000ba7ae8c89056e3b2ba74a82105e7be9b0728c9cf03e97fb755baf6da52

SHA512
c2908b3c20794bb4202e43a1be645478e1d0f6f8a6b145ee3a00d799b96e1bae2aaa21f4cdfd709c84aa9e1bdbfc51931ee76fd93fcd90f8094afb540b5cbe80

Download Submit
/data/data/com.jpgame.zasg/databases/bugly_db_
Filesize
4KB

MD5
f2b4b0190b9f384ca885f0c8c9b14700

SHA1
934ff2646757b5b6e7f20f6a0aa76c7f995d9361

SHA256
0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

SHA512
ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

Download Submit
/data/data/com.jpgame.zasg/databases/bugly_db_-journal
Filesize
512B

MD5
d43b3bd8b1edd5664a9f47cff5567bcd

SHA1
0b0afbb4f36c1c5e019495cd42a5eb992e6ef08d

SHA256
eaea4e4f0451fb1d28b3df2b8d47222874b288b289ac87876d04d563c5c2b0f9

SHA512
30b2aec14ce5f029367bcee8daa26fcd5b74147af18b47f19a57b8f1654031260ed7758a78ddd9ac9867bb7e469154003a6534ba2593b01b95f964593c2bff6f

Download Submit
/data/data/com.jpgame.zasg/databases/bugly_db_-shm
Filesize
32KB

MD5
bb7df04e1b0a2570657527a7e108ae23

SHA1
5188431849b4613152fd7bdba6a3ff0a4fd6424b

SHA256
c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

SHA512
768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Download Submit
/data/data/com.jpgame.zasg/databases/bugly_db_-wal
Filesize
76KB

MD5
f38e3f877905995a6b0d2efa66ab6f3e

SHA1
52f065a2b71d324ca01abc97c2d10cf717b8127f

SHA256
7b1110560c3f455b2934d2d4a17762b434f75aba02d469d8760cf7049f3db7a9

SHA512
5d24c2752518b437d1ad6dda8139fec8af16f9bfa7753626cad3c69e940aaa7643a24391b3565762a2a19428329fa084bfc88b87226c2321addad1dbd5fdf00d

Download Submit
/storage/emulated/0/UcQkDir/qk.dvid.txt
Filesize
65B

MD5
1c75733241834161ac5f753584a857b1

SHA1
ce724fa1207cf99217d0cd426e11f20e8bfa41e9

SHA256
91338c6828dce1a80e55428c31f6fbdd0ddf25735671beb7c0293482c040efbb

SHA512
a9cd56179aa3072cd1fc2aa2aa0763d18084006259e72ac4098a78e86fb68fc9b2815f1ce6af520310249d6716ecff31944eed14acb9b2544fa62358f135d037

Download Submit

Analysis

Sharing