5fc686ed416a629f047c99da069c8ed588b2ed60458f276e8eb8b5ee63d9eeca

General

Target

686462e596cc412774d2062181435326_JaffaCakes118.apk
Size

12.9MB
MD5

686462e596cc412774d2062181435326
SHA1

4dc8844db6bdd0e6b8a91ae3461fcbc8cb77d8ef
SHA256

5fc686ed416a629f047c99da069c8ed588b2ed60458f276e8eb8b5ee63d9eeca
SHA512

99517e9d52ea63507f0cadf6c9f54a1b94e645fd76c4d7cffda2d4faf380bf209bb6ed73ec72d0144077750a4091ccb1af96e626575d560473b1afebb162d114
SSDEEP

393216:3tEEEh7fE64MghvtpQd5thNPu/AIy6WRC:3tEEEh7s6Gd4tPP8AxC

Score

8^/10

banker discovery evasion impact persistence

Malware Config

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Checks CPU information 2 TTPs 1 IoCs
Checks CPU information which indicate if the system is an emulator.
evasion discovery

System Checks
T1633.001

System Information Discovery
T1426

Processes:

com.twopxmob.game.candymonsters

description ioc process

File opened for read /proc/cpuinfo com.twopxmob.game.candymonsters
Checks memory information 2 TTPs 1 IoCs
Checks memory information which indicate if the system is an emulator.
evasion discovery

System Checks
T1633.001

System Information Discovery
T1426

Processes:

com.twopxmob.game.candymonsters

description ioc process

File opened for read /proc/meminfo com.twopxmob.game.candymonsters

description	ioc	process
File opened for read	/proc/cpuinfo	com.twopxmob.game.candymonsters

description	ioc	process
File opened for read	/proc/meminfo	com.twopxmob.game.candymonsters

Loads dropped Dex/Jar 1 TTPs 2 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

Processes:

com.twopxmob.game.candymonsters/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.twopxmob.game.candymonsters/cache/ads2506385707489660861.jar --output-vdex-fd=92 --oat-fd=93 --oat-location=/data/user/0/com.twopxmob.game.candymonsters/cache/oat/x86/ads2506385707489660861.odex --compiler-filter=quicken --class-loader-context=&

ioc	pid	process
/data/user/0/com.twopxmob.game.candymonsters/cache/ads2506385707489660861.jar	4273	com.twopxmob.game.candymonsters
/data/user/0/com.twopxmob.game.candymonsters/cache/ads2506385707489660861.jar	4415	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.twopxmob.game.candymonsters/cache/ads2506385707489660861.jar --output-vdex-fd=92 --oat-fd=93 --oat-location=/data/user/0/com.twopxmob.game.candymonsters/cache/oat/x86/ads2506385707489660861.odex --compiler-filter=quicken --class-loader-context=&

Queries the mobile country code (MCC) 1 TTPs 1 IoCs
discovery

System Network Configuration Discovery
T1422

Processes:

com.twopxmob.game.candymonsters

description ioc process

Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone com.twopxmob.game.candymonsters
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
persistence

Broadcast Receivers
T1624.001

Processes:

com.twopxmob.game.candymonsters

description ioc process

Framework service call android.app.IActivityManager.registerReceiver com.twopxmob.game.candymonsters

description	ioc	process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.twopxmob.game.candymonsters

description	ioc	process
Framework service call	android.app.IActivityManager.registerReceiver	com.twopxmob.game.candymonsters

Checks if the internet connection is available 1 TTPs 2 IoCs

discovery

System Network Connections Discovery

T1421

Processes:

com.twopxmob.game.candymonsterscom.twopxmob.game.candymonsters:mcServiceProcess

description	ioc	process
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.twopxmob.game.candymonsters
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.twopxmob.game.candymonsters:mcServiceProcess

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 2 IoCs

impact

Data Encrypted for Impact

T1471

Processes:

com.twopxmob.game.candymonsters:mcServiceProcesscom.twopxmob.game.candymonsters

description	ioc	process
Framework API call	javax.crypto.Cipher.doFinal	com.twopxmob.game.candymonsters:mcServiceProcess
Framework API call	javax.crypto.Cipher.doFinal	com.twopxmob.game.candymonsters

com.twopxmob.game.candymonsters
1⤵
- Checks CPU information
- Checks memory information
- Loads dropped Dex/Jar
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Checks if the internet connection is available
- Uses Crypto APIs (Might try to encrypt user data)
PID:4273

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.twopxmob.game.candymonsters/cache/ads2506385707489660861.jar --output-vdex-fd=92 --oat-fd=93 --oat-location=/data/user/0/com.twopxmob.game.candymonsters/cache/oat/x86/ads2506385707489660861.odex --compiler-filter=quicken --class-loader-context=&
2⤵
- Loads dropped Dex/Jar
PID:4415

com.twopxmob.game.candymonsters:mcServiceProcess
1⤵
- Checks if the internet connection is available
- Uses Crypto APIs (Might try to encrypt user data)
PID:4429

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

1

T1624

Broadcast Receivers

1

T1624.001

Privilege Escalation

Defense Evasion

Download New Code at Runtime

1

T1407

Virtualization/Sandbox Evasion

2

T1633

System Checks

2

T1633.001

Credential Access

Discovery

Software Discovery

1

T1418

Security Software Discovery

1

T1418.001

System Information Discovery

2

T1426

System Network Configuration Discovery

1

T1422

System Network Connections Discovery

1

T1421

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

1

T1471

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.twopxmob.game.candymonsters/cache/ads2506385707489660861.jar
Filesize
2KB

MD5
74d464d58913ba0f1f80adc7eaab3307

SHA1
1940894e873273c559f6fd17eedd19cdab7a966b

SHA256
2546dfc98a8ac9a18b2870b9fa9c2b45d61cf0663c598d8f11b5c15453f46d5a

SHA512
b7d11f262173bc04555b789ba2a6011ebc86354cd8f48d0594eee3c79b3070216202da799c283cb41012a1cf6d28b7fcaaafec33ba9b068e750f7ebc26112922

Download Submit
/data/data/com.twopxmob.game.candymonsters/files/log_stack.dat
Filesize
1KB

MD5
b33362b4e92562a3f40c675a1a3147d5

SHA1
c1ea8ceb0cae520a40fdcb669c4f4b16be5c55c3

SHA256
0a5ebc51893a409c5dbbe5856d076618736ab4162b9cf0422b5d194fd3dfe24e

SHA512
416a8cc26bfdde8b5f0a4d5e1246765d8ad5993ec2fd1134c76f6460fd91618c6e06ddc80c3fef0d638aa84338a1498c4dd24e7d9a3d7ee884446675583e23e9

Download Submit
/data/data/com.twopxmob.game.candymonsters/files/log_stack.dat
Filesize
1KB

MD5
26b9154b158140285a4fdd759e9bd9d2

SHA1
213a371d933c08b81e9be51a9a6ea244d76f88a5

SHA256
f8e43ca4c886b1642b00685a816a38c60f7f5127f255ed4de95412aeabb9b0e3

SHA512
32db89b09172cae0857a09545bc3d21ff0570e2088d0ecef6231e3771d25599f0ff7b175a3b335ee542f33e494e227d84c9948a707dcb3842bd6f03863aa1307

Download Submit
/data/data/com.twopxmob.game.candymonsters/files/log_stack.dat
Filesize
1KB

MD5
fccf0ed0e4d960881b4176c251bc06c7

SHA1
2c20497dc6a57ab6fe15b092a5f2433a72b349d2

SHA256
85d55bc52a0d9b9781f775a0a4e88a1c3a70a6d82bd3983d478bd8834cfb8d35

SHA512
d77859f13c6ca6a83edafbc4a0165c7ead2a6673200bb1524943d4440cf46761e61b88a4b94f5ba2aa20b13fc8755eab361d2c92bd0d972e3a09e3ea5be98a96

Download Submit
/data/user/0/com.twopxmob.game.candymonsters/cache/ads2506385707489660861.jar
Filesize
4KB

MD5
6175efac331cdc88f352d62e1e1b596d

SHA1
d2e2e8ccdd8ca885dfa83f28208459ac60e9ec1a

SHA256
3d3736a254adb3086b9cb9017b52fc7dbcaba3043e284ebf90bf27c0fa6b74e3

SHA512
c5ba4e091370597ff6780beac694a37b1fd9400a21f20b5a388a62a04253054ed91ffb14d2e84c233b7e4760f6f92fa324a98b88cf90dd868b4ad7f6db3e49f8

Download Submit
/data/user/0/com.twopxmob.game.candymonsters/cache/ads2506385707489660861.jar
Filesize
4KB

MD5
12670a32ad1380c9021a9e74aa5f2281

SHA1
7e8caf0c7a4d78452efb90958e8ce1aae5148e44

SHA256
f3c142f78cadcb57d7da3d8e4dc5f8c7b05377417c639059910696c844afc1f9

SHA512
1277dde373cab02d5df62732834adb79f8dbf1d1a9ac56b5b348e354317fadc24fe20b5ebdd1ecc28f8fc98dcdff807d2839bef75ef7d871e976e68a95851b06

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads