Analysis
- max time kernel: 15s
- max time network: 177s
- platform: android_x86
- resource: android-x86-arm-20240514-en
- resource tags: android, arch:arm, arch:x86, image:android-x86-arm-20240514-en, locale:en-us, os:android-9-x86, system
- submitted: 23-05-2024 21:59
Static task: static1
Behavioral task: behavioral1
  Sample: 6c64e4975c6ec67cfcbcebfd2cb1e7f4_JaffaCakes118.apk
  Resource: android-x86-arm-20240514-en
General
- Target: 6c64e4975c6ec67cfcbcebfd2cb1e7f4_JaffaCakes118.apk
- Size: 1.7MB
- MD5: 6c64e4975c6ec67cfcbcebfd2cb1e7f4
- SHA1: 0ee94a5a1977bf9082d3d726eb3a604e75a2584f
- SHA256: 4ade6539f9338ce94717f5454d5b3f5c0e600a12c646388421adfda93efc3729
- SHA512: 4b2a99883d97fe373961f19191e703aa75bb98151af40e95b91af46d110c3a27b3ad3c5bc9095af61a782aab944fdf72664435d06eccc4e4336421084a9221ca
- SSDEEP: 24576:40DR/V+CDj54m4Y0xT8enmA+pwZUNXkrtySAQb2vyZ4wtnf2x3bziKYZI2GsKG:dhDum4T8giwZ2kUSAg8a9exrzbmUsH
Malware Config
Signatures
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
- Requests cell location 2 TTPs 1 IoCs
  Uses Android APIs to get the current cell location.
- Checks memory information 2 TTPs 1 IoCs
  Checks memory information which indicates whether the system is an emulator.
- Loads dropped Dex/Jar 1 TTPs 7 IoCs
  Runs executable file dropped to the device during analysis.
  Processes:
  - /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.fop.hywtkk/files/hul/uBAHENvqs.jar --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/com.fop.hywtkk/files/hul/oat/x86/uBAHENvqs.odex --compiler-filter=quicken --class-loader-context=&
  - com.fop.hywtkk
  - /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.fop.hywtkk/files/Pdd.apk --output-vdex-fd=60 --oat-fd=65 --oat-location=/data/user/0/com.fop.hywtkk/files/oat/x86/Pdd.odex --compiler-filter=quicken --class-loader-context=&
  - /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.fop.hywtkk/app_dex/utopay.jar --output-vdex-fd=73 --oat-fd=75 --oat-location=/data/user/0/com.fop.hywtkk/app_dex/oat/x86/utopay.odex --compiler-filter=quicken --class-loader-context=&
  IoCs (ioc / pid / process):
  - ioc: /data/user/0/com.fop.hywtkk/files/hul/uBAHENvqs.jar
    pid: 4369
    process: /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.fop.hywtkk/files/hul/uBAHENvqs.jar --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/com.fop.hywtkk/files/hul/oat/x86/uBAHENvqs.odex --compiler-filter=quicken --class-loader-context=&
  - ioc: /data/user/0/com.fop.hywtkk/files/hul/uBAHENvqs.jar
    pid: 4334
    process: com.fop.hywtkk
  - ioc: /data/user/0/com.fop.hywtkk/files/Pdd.apk
    pid: 4458
    process: /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.fop.hywtkk/files/Pdd.apk --output-vdex-fd=60 --oat-fd=65 --oat-location=/data/user/0/com.fop.hywtkk/files/oat/x86/Pdd.odex --compiler-filter=quicken --class-loader-context=&
  - ioc: /data/user/0/com.fop.hywtkk/files/Pdd.apk
    pid: 4334
    process: com.fop.hywtkk
  - ioc: /data/user/0/com.fop.hywtkk/app_dex/utopay.jar
    pid: 4492
    process: /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.fop.hywtkk/app_dex/utopay.jar --output-vdex-fd=73 --oat-fd=75 --oat-location=/data/user/0/com.fop.hywtkk/app_dex/oat/x86/utopay.odex --compiler-filter=quicken --class-loader-context=&
  - ioc: /data/user/0/com.fop.hywtkk/app_dex/utopay.jar
    pid: 4334
    process: com.fop.hywtkk
  - ioc: /data/user/0/com.fop.hywtkk/files/yl_plugin.apk
    pid: 4334
    process: com.fop.hywtkk
- Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs
  Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
  Processes: com.fop.hywtkk
  - description: Framework service call
    ioc: android.net.wifi.IWifiManager.getConnectionInfo
    process: com.fop.hywtkk
- Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  Processes: com.fop.hywtkk
  - description: Framework service call
    ioc: com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone
    process: com.fop.hywtkk
- Reads the content of SMS inbox messages. 1 TTPs 1 IoCs
  Processes: com.fop.hywtkk
  - description: URI accessed for read
    ioc: content://sms/inbox
    process: com.fop.hywtkk
- Reads the content of the SMS messages. 1 TTPs 1 IoCs
  Processes: com.fop.hywtkk
  - description: URI accessed for read
    ioc: content://sms/
    process: com.fop.hywtkk
- Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
  Processes: com.fop.hywtkk
  - description: Framework service call
    ioc: android.app.IActivityManager.registerReceiver
    process: com.fop.hywtkk
- Checks if the internet connection is available 1 TTPs 1 IoCs
  Processes: com.fop.hywtkk
  - description: Framework service call
    ioc: android.net.IConnectivityManager.getActiveNetworkInfo
    process: com.fop.hywtkk
- Requests dangerous framework permissions 17 IoCs
  IoCs (ioc: description):
  - android.permission.READ_PHONE_STATE: Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device.
  - android.permission.WRITE_EXTERNAL_STORAGE: Allows an application to write to external storage.
  - android.permission.READ_EXTERNAL_STORAGE: Allows an application to read from external storage.
  - android.permission.READ_SMS: Allows an application to read SMS messages.
  - android.permission.RECEIVE_SMS: Allows an application to receive SMS messages.
  - android.permission.SEND_SMS: Allows an application to send SMS messages.
  - android.permission.ACCESS_COARSE_LOCATION: Allows an app to access approximate location.
  - android.permission.SYSTEM_ALERT_WINDOW: Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps.
  - android.permission.CALL_PHONE: Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call.
  - android.permission.CAMERA: Required to be able to access the camera device.
  - android.permission.READ_PHONE_STATE: Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device.
  - android.permission.WRITE_EXTERNAL_STORAGE: Allows an application to write to external storage.
  - android.permission.READ_EXTERNAL_STORAGE: Allows an application to read from external storage.
  - android.permission.READ_SMS: Allows an application to read SMS messages.
  - android.permission.SEND_SMS: Allows an application to send SMS messages.
  - android.permission.RECEIVE_SMS: Allows an application to receive SMS messages.
  - android.permission.ACCESS_COARSE_LOCATION: Allows an app to access approximate location.
- Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
  Processes: com.fop.hywtkk
  - description: Framework API call
    ioc: javax.crypto.Cipher.doFinal
    process: com.fop.hywtkk
Processes
- com.fop.hywtkk
  - Requests cell location
  - Checks memory information
  - Loads dropped Dex/Jar
  - Queries information about the current Wi-Fi connection
  - Queries the mobile country code (MCC)
  - Reads the content of SMS inbox messages.
  - Reads the content of the SMS messages.
  - Registers a broadcast receiver at runtime (usually for listening for system events)
  - Checks if the internet connection is available
  - Uses Crypto APIs (Might try to encrypt user data)
  - /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.fop.hywtkk/files/hul/uBAHENvqs.jar --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/com.fop.hywtkk/files/hul/oat/x86/uBAHENvqs.odex --compiler-filter=quicken --class-loader-context=&
    - Loads dropped Dex/Jar
  - /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.fop.hywtkk/files/Pdd.apk --output-vdex-fd=60 --oat-fd=65 --oat-location=/data/user/0/com.fop.hywtkk/files/oat/x86/Pdd.odex --compiler-filter=quicken --class-loader-context=&
    - Loads dropped Dex/Jar
  - /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.fop.hywtkk/app_dex/utopay.jar --output-vdex-fd=73 --oat-fd=75 --oat-location=/data/user/0/com.fop.hywtkk/app_dex/oat/x86/utopay.odex --compiler-filter=quicken --class-loader-context=&
    - Loads dropped Dex/Jar
Network
MITRE ATT&CK Matrix
Downloads
- /data/data/com.fop.hywtkk/app_dex/utopay.jar
  Filesize: 30KB
  MD5: eb6089c1acfa9f12535e533aebee845e
  SHA1: 165e39ee07dcd9ed00fc2dc1ff466bc1d6b813c9
  SHA256: b825cde84e3dddfc147c71265d2259c422d51a7e56d1dcdba1321e3119b1df07
  SHA512: 5b1bc26bcbcf05fc331865fb4dd572b673a52650d68ab4d9b028ea15219e0d93c1ec17996953436801913388d78e25c67ea33aa93544d65e96a799eb06cc70f5
- /data/data/com.fop.hywtkk/databases/740410100062013-journal
  Filesize: 512B
  MD5: 0276d897a632643abc96155f05ea0e5e
  SHA1: e1afc50bdee70a14894479d62c084b686f436f94
  SHA256: 103c11a46778f8b817994e76a66caa529f1e367c2d65622550c2c824d40c6df6
  SHA512: 6e4d209e886a9feaa869e2495961bcff688a816937ad61f4a2b53cc6c2b54a1e449863e54bf172e4d077f09c587d8716cc9cbb4bac6e7778078fb32f065609dd
- /data/data/com.fop.hywtkk/databases/740410100062013-wal
  Filesize: 16KB
  MD5: a9dd127e2bc32d0b8617f7aa9416d2ad
  SHA1: 3bc4066ab3700525253eaf4ee58188d357f4fb24
  SHA256: 2c720537e376f6c9ae90dd7f4845b7c4c9abc550a61ce86a689f9b8d40df79f2
  SHA512: 8f62110ca73458fe6baefe466719b97ddf9c732d85325425ffcaac54cb69ba00c7a25b11655c0e14e9e88713c39183558e272eb54299947df6092256b7303efc
- /data/data/com.fop.hywtkk/databases/wochi_v4.db
  Filesize: 4KB
  MD5: f2b4b0190b9f384ca885f0c8c9b14700
  SHA1: 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
  SHA256: 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
  SHA512: ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1
- /data/data/com.fop.hywtkk/databases/wochi_v4.db-journal
  Filesize: 512B
  MD5: f81d2a02d0d4a1b9a23ba011b93c7bc6
  SHA1: 49cca568886e292b489d86645d3bac4683500916
  SHA256: 2b14d22642f5125f6606266923e7b5fc9c785cf38e48e45e6caa528a72ce597a
  SHA512: 40aa3d1303799c66e7ef569fc41840eb1e33591d89f7b226c2df6998da3f1839c0d13dd2146222a62a1da72b1e0cdedbd92a29cd688edbd5daa22f64b7fb17d8
- /data/data/com.fop.hywtkk/databases/wochi_v4.db-shm
  Filesize: 28KB
  MD5: cf845a781c107ec1346e849c9dd1b7e8
  SHA1: b44ccc7f7d519352422e59ee8b0bdbac881768a7
  SHA256: 18619b678a5c207a971a0aa931604f48162e307c57ecdec450d5f095fe9f32c7
  SHA512: 4802861ea06dc7fb85229a3c8f04e707a084f1ba516510c6f269821b33c8ee4ebf495258fe5bee4850668a5aac1a45f0edf51580da13b7ee160a29d067c67612
- /data/data/com.fop.hywtkk/databases/wochi_v4.db-wal
  Filesize: 20KB
  MD5: 8a89120cee7cb8a5957a62a694d9a146
  SHA1: a6344f67bf4f5017e8883d81540085a285435781
  SHA256: b164594de125d4842fe897a4d88b748bf97819e544a70e8bd858830f80a736f3
  SHA512: 2a93e0958bfb488d7bac3fce74f107c3bda42dbbcfa493fba0f17547457aa208030390e258bb236a0785e849044946017b8eecd2fd6405635060592adf8d39fa
- /data/data/com.fop.hywtkk/files/Pdd.apk
  Filesize: 99KB
  MD5: e8fbf92c750dbd6fb316be82a6b7b7ae
  SHA1: 2a6ae9568698807cacc8cf4349556446c996b136
  SHA256: 2a3cb93d0ca14a1d0b0820c2a26df502a461fb2546ef4587524087c130553f10
  SHA512: 7848191878b5b8ba2d5020c7be953e70ccc4d392d29e400a65a57cd3731604933125de1d81b3732d251b3450fd4766a814ccd01f3975beda2499a9ba585a26e0
- /data/data/com.fop.hywtkk/files/hul/uBAHENvqs.jar
  Filesize: 772KB
  MD5: fd59a2263254ba8ee9b54b57f7897d1e
  SHA1: 92e6fb43242f5c5b6eea3017d43a833213ae54df
  SHA256: e44d79c44fdf13ee4df40043011a623a8596d255faa90f70b8e67db54d4b0b59
  SHA512: 67c502944a872852f6536be10e4d1f3d60a8e9b2d2ef19fe8fbf2910993bf647518255d9f0a281bc9c57fe03ca57300b770c8c602063793307165aef73f7feda
- /data/data/com.fop.hywtkk/files/log.dat
  Filesize: 221B
  MD5: ff9229f8e7c92d44d48e25206d43b021
  SHA1: be3d75050c16c5b7484652ba292fdd6510f205d3
  SHA256: 77fc3599be409f7e73e643de843c0ebcfa20662964c498fc59e245c7f5e003a2
  SHA512: be7b3aa8d670a2873c6b7bfd4ca93121fd2450723cbbc36d9d06d152fafa3ce90451f0a60ab56bc96bccb81cf5aae0167b404073db14dc17b9513ac73d455c58
- /data/data/com.fop.hywtkk/files/yl_plugin.apk
  Filesize: 58KB
  MD5: 5a4c666b43ee7f2b6995aaf3527e4a4d
  SHA1: b205bcb022797f3b16635db139c7524c0c388adc
  SHA256: 05eb3e1ca331b8c6a1f60f92abb2bddbac54a7b2c229ac07bf26c756297fe72a
  SHA512: c84fceddbf9928110fc3b85e0989b9cedd06383007ff99dea5a25096d8f892ab52d30ed9b52b72211449041f1274ead85bb42929ec269b58b6b0e616a8545e17
- /data/user/0/com.fop.hywtkk/app_dex/utopay.jar
  Filesize: 67KB
  MD5: 3b8bb9a8679ac8c24e8d179fc5bae999
  SHA1: e6ea7a1095524087f481ba04321c4cb6fd2426f3
  SHA256: 83c996c0d067b5f516897480f427dfffdcfb49ab7654dac9b805376bbd49e1db
  SHA512: abf1cbed7a8cf4a29d7a32a83f15aa0a6c9e2be8484c2dd8d9bf16a76e337b17b9c05efa0773598806b3d3da4fe3a9217b583abb9aaf5e3dc054dc77b10cae63
- /data/user/0/com.fop.hywtkk/app_dex/utopay.jar
  Filesize: 67KB
  MD5: 5220524411d0bacd600da60814d1ee9f
  SHA1: fef7210ff44e757328bc0ff7aae7bb2191cbf634
  SHA256: 6286a800597b845785eb664710253ebd20771737dddd5b80067e0e9d37c804b2
  SHA512: b2d8af5019c176d682634747d83320e609fb6122ef850f4069a0c78c2415d242087099cf60ecb03039a9ab71902a4e3b22e9cf144de89e506991fb93280f6a5f
- /data/user/0/com.fop.hywtkk/files/Pdd.apk
  Filesize: 201KB
  MD5: b91783059376e2bebfd7c24802289350
  SHA1: 9e0f855404908f993a3beb146e7a4e83789674bd
  SHA256: 46245d65e1d96038918f77ed8412bcde6a72b513c94a72369a751251f568e73c
  SHA512: c50af3f34a519fdb34aa9be70128c55c57df169f8112887f17f9dece581a15cd9b6702939ee4f77370bb33a5d2fe449610c42e699008d4233344d406c3563f30
- /data/user/0/com.fop.hywtkk/files/Pdd.apk
  Filesize: 201KB
  MD5: a4237ef36f11c2db307f6d9701da0062
  SHA1: 5d11008a4b9275034db8904e538f7115a429ef0d
  SHA256: 32f697f7444c79efe23be55fdcdab52c8e6f5cd43474cd1735602675feb5639e
  SHA512: 6921b3cbb4e6a062eb9408c06e46e6d6cd7554f6e485b8f6275d8df3b7a8d23b26220c0cb979d3fe919fb6622d5d49160769b0567eebe61488cc4c7708f3b34d
- /data/user/0/com.fop.hywtkk/files/hul/uBAHENvqs.jar
  Filesize: 1.8MB
  MD5: 47b903db4755bded81796df10598727f
  SHA1: a8467d4305c6d583bc2bce002d5d7aa0c20b9138
  SHA256: 2ea43ee22dd851a9ea2560342697d4bb49be0f7231f61f1cd335b6c5102e310e
  SHA512: d4ff62156840e12d225bfa616599e69e845c84c16088b39327bd3a0e24dc53b569c05983d5df06fa3bebc024078dd59dfb511bbecbf0fa546365931e73d48fc3
- /data/user/0/com.fop.hywtkk/files/hul/uBAHENvqs.jar
  Filesize: 1.8MB
  MD5: fe81101dd31e4c9cb4a417a2dceffd30
  SHA1: 5486003b6dd78151f69443240b922a72e717bfee
  SHA256: 7838a807176b78303461c359eec997b6decc1a28926e5803f46c407fceda1db5
  SHA512: 5d3dc98a6abeb0b02e061e8972d420a6becf4ac7696dc3ef0ce46d7c9114079ecd3a284af2d88d0244aa3a6df15b4809239e920328240f8fd67083ff6a27b53e
- /data/user/0/com.fop.hywtkk/files/yl_plugin.apk
  Filesize: 123KB
  MD5: 918890b3fc5a3dc184a57d027ead24da
  SHA1: c638f375f49bc4731b633bdc001aeeadf9462039
  SHA256: 57d03ac2189851d5069515da6997e12ca307c145aa21679da001477df5f81836
  SHA512: fd9bfe41ce4041dc8c7db17df2a2164a24ea96372c212399c499f94d1fb7d95d430b8a7eb86041b9b2db88dfca0cf39e53cba2dad1e346aebed29e4ca5deb2ef