Analysis
- max time kernel: 129s
- max time network: 181s
- platform: android_x86
- resource: android-x86-arm-20240514-en
- resource tags: android, arch:arm, arch:x86, image:android-x86-arm-20240514-en, locale:en-us, os:android-9-x86, system
- submitted: 23-05-2024 23:31
Static task: static1
Behavioral task: behavioral1
Sample: 6ca38c64d2146f086d40754c2fb1eb1f_JaffaCakes118.apk
Resource: android-x86-arm-20240514-en
General
- Target: 6ca38c64d2146f086d40754c2fb1eb1f_JaffaCakes118.apk
- Size: 12.9MB
- MD5: 6ca38c64d2146f086d40754c2fb1eb1f
- SHA1: a78da9a5efee29f922d8384e5fcec62bd98c1d12
- SHA256: 88271071bbf07e266ede4f03be2081e0352f0e8dfad443d166aae4c4e3214078
- SHA512: 65a80bcdada11e73907b4f90a3f32c0c1b1d093fa4d8d216cea6dd732284b02d755ef6165b006b5f69b72a5b88130b5cfbd2e018d08d6bf480c3dde427342c17
- SSDEEP: 393216:SBULHH+FiU+jY8wiRV9ovfQbhoAesKL4mTSrKO3Vwivi:H9U+juWYfQbWAesK+mO3eia
Malware Config
Signatures
- Checks if the Android device is rooted. (1 TTPs, 4 IoCs)
  Processes: vip.mytokenpocket, /system/bin/sh -c type su
  ioc | process
  /system/app/Superuser.apk | vip.mytokenpocket
  /system/bin/su | vip.mytokenpocket
  /system/xbin/su | vip.mytokenpocket
  /sbin/su | /system/bin/sh -c type su
- Requests cell location (2 TTPs, 1 IoCs)
  Uses Android APIs to get the current cell location.
- Checks CPU information (2 TTPs, 1 IoCs)
  Checks CPU information that indicates whether the system is an emulator.
- Checks memory information (2 TTPs, 1 IoCs)
  Checks memory information that indicates whether the system is an emulator.
- Loads dropped Dex/Jar (1 TTPs, 3 IoCs)
  Runs executable file dropped to the device during analysis.
  Processes: vip.mytokenpocket, /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/data/vip.mytokenpocket/mix.dex --output-vdex-fd=57 --oat-fd=58 --oat-location=/data/data/vip.mytokenpocket/oat/x86/mix.odex --compiler-filter=quicken --class-loader-context=&
  ioc | pid | process
  /data/data/vip.mytokenpocket/mix.dex | 4321 | vip.mytokenpocket
  /data/data/vip.mytokenpocket/mix.dex | 4391 | /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/data/vip.mytokenpocket/mix.dex --output-vdex-fd=57 --oat-fd=58 --oat-location=/data/data/vip.mytokenpocket/oat/x86/mix.odex --compiler-filter=quicken --class-loader-context=&
  /data/data/vip.mytokenpocket/mix.dex | 4321 | vip.mytokenpocket
- Queries information about running processes on the device (1 TTPs, 1 IoCs)
  Application may abuse the framework's APIs to collect information about running processes on the device.
  Processes: vip.mytokenpocket
  description | ioc | process
  Framework service call | android.app.IActivityManager.getRunningAppProcesses | vip.mytokenpocket
- Queries information about the current Wi-Fi connection (1 TTPs, 1 IoCs)
  Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
  Processes: vip.mytokenpocket
  description | ioc | process
  Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | vip.mytokenpocket
- Queries information about the current nearby Wi-Fi networks (1 TTPs, 1 IoCs)
  Application may abuse the framework's APIs to collect information about the current nearby Wi-Fi networks.
  Processes: vip.mytokenpocket
  description | ioc | process
  Framework service call | android.net.wifi.IWifiManager.getScanResults | vip.mytokenpocket
- Queries the mobile country code (MCC) (1 TTPs, 1 IoCs)
  Processes: vip.mytokenpocket
  description | ioc | process
  Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | vip.mytokenpocket
- Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTPs, 1 IoCs)
  Processes: vip.mytokenpocket
  description | ioc | process
  Framework service call | android.app.IActivityManager.registerReceiver | vip.mytokenpocket
- Checks if the internet connection is available (1 TTPs, 1 IoCs)
  Processes: vip.mytokenpocket
  description | ioc | process
  Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | vip.mytokenpocket
- Queries the unique device ID (IMEI, MEID, IMSI) (1 TTPs)
- Checks the presence of a debugger
- Listens for changes in the sensor environment (might be used to detect emulation) (1 TTPs, 1 IoCs)
  Processes: vip.mytokenpocket
  description | ioc | process
  Framework API call | android.hardware.SensorManager.registerListener | vip.mytokenpocket
- Uses Crypto APIs (might try to encrypt user data) (1 TTPs, 1 IoCs)
  Processes: vip.mytokenpocket
  description | ioc | process
  Framework API call | javax.crypto.Cipher.doFinal | vip.mytokenpocket
Processes
- vip.mytokenpocket
  Signatures:
  - Checks if the Android device is rooted.
  - Requests cell location
  - Checks CPU information
  - Checks memory information
  - Loads dropped Dex/Jar
  - Queries information about running processes on the device
  - Queries information about the current Wi-Fi connection
  - Queries information about the current nearby Wi-Fi networks
  - Queries the mobile country code (MCC)
  - Registers a broadcast receiver at runtime (usually for listening for system events)
  - Checks if the internet connection is available
  - Listens for changes in the sensor environment (might be used to detect emulation)
  - Uses Crypto APIs (might try to encrypt user data)
  Child processes:
  - sh -c getprop ro.yunos.version
  - getprop ro.yunos.version
  - /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/data/vip.mytokenpocket/mix.dex --output-vdex-fd=57 --oat-fd=58 --oat-location=/data/data/vip.mytokenpocket/oat/x86/mix.odex --compiler-filter=quicken --class-loader-context=&
    Signatures:
    - Loads dropped Dex/Jar
  - /system/bin/sh -c type su
    Signatures:
    - Checks if the Android device is rooted.
Network
MITRE ATT&CK Matrix
Downloads