88271071bbf07e266ede4f03be2081e0352f0e8dfad443d166aae4c4e3214078

Analysis

max time kernel
129s
max time network
181s
platform
android_x86
resource
android-x86-arm-20240514-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20240514-enlocale:en-usos:android-9-x86system
submitted
23-05-2024 23:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6ca38c64d2146f086d40754c2fb1eb1f_JaffaCakes118.apk
Size

12.9MB
MD5

6ca38c64d2146f086d40754c2fb1eb1f
SHA1

a78da9a5efee29f922d8384e5fcec62bd98c1d12
SHA256

88271071bbf07e266ede4f03be2081e0352f0e8dfad443d166aae4c4e3214078
SHA512

65a80bcdada11e73907b4f90a3f32c0c1b1d093fa4d8d216cea6dd732284b02d755ef6165b006b5f69b72a5b88130b5cfbd2e018d08d6bf480c3dde427342c17
SSDEEP

393216:SBULHH+FiU+jY8wiRV9ovfQbhoAesKL4mTSrKO3Vwivi:H9U+juWYfQbWAesK+mO3eia

Score

8^/10

collection discovery evasion impact persistence

Malware Config

Signatures

Checks if the Android device is rooted. 1 TTPs 4 IoCs
evasion

T1426

Processes:

vip.mytokenpocket/system/bin/sh -c type su

ioc process

/system/app/Superuser.apk vip.mytokenpocket
/system/bin/su vip.mytokenpocket
/system/xbin/su vip.mytokenpocket
/sbin/su /system/bin/sh -c type su
Requests cell location 2 TTPs 1 IoCs
Uses Android APIs to to get current cell location.
collection discovery evasion

T1430

T1627.001

Processes:

vip.mytokenpocket

description ioc process

Framework service call com.android.internal.telephony.ITelephony.getCellLocation vip.mytokenpocket
Checks CPU information 2 TTPs 1 IoCs
Checks CPU information which indicate if the system is an emulator.
evasion discovery

T1633.001

T1426

Processes:

vip.mytokenpocket

description ioc process

File opened for read /proc/cpuinfo vip.mytokenpocket
Checks memory information 2 TTPs 1 IoCs
Checks memory information which indicate if the system is an emulator.
evasion discovery

T1633.001

T1426

Processes:

vip.mytokenpocket

description ioc process

File opened for read /proc/meminfo vip.mytokenpocket

ioc	process
/system/app/Superuser.apk	vip.mytokenpocket
/system/bin/su	vip.mytokenpocket
/system/xbin/su	vip.mytokenpocket
/sbin/su	/system/bin/sh -c type su

description	ioc	process
Framework service call	com.android.internal.telephony.ITelephony.getCellLocation	vip.mytokenpocket

description	ioc	process
File opened for read	/proc/cpuinfo	vip.mytokenpocket

description	ioc	process
File opened for read	/proc/meminfo	vip.mytokenpocket

Loads dropped Dex/Jar 1 TTPs 3 IoCs

Runs executable file dropped to the device during analysis.

evasion

T1407

Processes:

vip.mytokenpocket/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/data/vip.mytokenpocket/mix.dex --output-vdex-fd=57 --oat-fd=58 --oat-location=/data/data/vip.mytokenpocket/oat/x86/mix.odex --compiler-filter=quicken --class-loader-context=&

ioc	pid	process
/data/data/vip.mytokenpocket/mix.dex	4321	vip.mytokenpocket
/data/data/vip.mytokenpocket/mix.dex	4391	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/data/vip.mytokenpocket/mix.dex --output-vdex-fd=57 --oat-fd=58 --oat-location=/data/data/vip.mytokenpocket/oat/x86/mix.odex --compiler-filter=quicken --class-loader-context=&
/data/data/vip.mytokenpocket/mix.dex	4321	vip.mytokenpocket

Queries information about running processes on the device 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about running processes on the device.
discovery

T1424

Processes:

vip.mytokenpocket

description ioc process

Framework service call android.app.IActivityManager.getRunningAppProcesses vip.mytokenpocket
Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
discovery

T1421

Processes:

vip.mytokenpocket

description ioc process

Framework service call android.net.wifi.IWifiManager.getConnectionInfo vip.mytokenpocket
Queries information about the current nearby Wi-Fi networks 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about the current nearby Wi-Fi networks.
discovery

T1421

Processes:

vip.mytokenpocket

description ioc process

Framework service call android.net.wifi.IWifiManager.getScanResults vip.mytokenpocket
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
discovery

T1422

Processes:

vip.mytokenpocket

description ioc process

Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone vip.mytokenpocket
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
persistence

T1624.001

Processes:

vip.mytokenpocket

description ioc process

Framework service call android.app.IActivityManager.registerReceiver vip.mytokenpocket
Checks if the internet connection is available 1 TTPs 1 IoCs
discovery

T1421

Processes:

vip.mytokenpocket

description ioc process

Framework service call android.net.IConnectivityManager.getActiveNetworkInfo vip.mytokenpocket
Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
discovery

T1422
Checks the presence of a debugger
evasion
Listens for changes in the sensor environment (might be used to detect emulation) 1 TTPs 1 IoCs
evasion

T1628.002

Processes:

vip.mytokenpocket

description ioc process

Framework API call android.hardware.SensorManager.registerListener vip.mytokenpocket
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
impact

T1471

Processes:

vip.mytokenpocket

description ioc process

Framework API call javax.crypto.Cipher.doFinal vip.mytokenpocket

description	ioc	process
Framework service call	android.app.IActivityManager.getRunningAppProcesses	vip.mytokenpocket

description	ioc	process
Framework service call	android.net.wifi.IWifiManager.getConnectionInfo	vip.mytokenpocket

description	ioc	process
Framework service call	android.net.wifi.IWifiManager.getScanResults	vip.mytokenpocket

description	ioc	process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	vip.mytokenpocket

description	ioc	process
Framework service call	android.app.IActivityManager.registerReceiver	vip.mytokenpocket

description	ioc	process
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	vip.mytokenpocket

description	ioc	process
Framework API call	android.hardware.SensorManager.registerListener	vip.mytokenpocket

description	ioc	process
Framework API call	javax.crypto.Cipher.doFinal	vip.mytokenpocket

vip.mytokenpocket
1⤵
- Checks if the Android device is rooted.
- Requests cell location
- Checks CPU information
- Checks memory information
- Loads dropped Dex/Jar
- Queries information about running processes on the device
- Queries information about the current Wi-Fi connection
- Queries information about the current nearby Wi-Fi networks
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Checks if the internet connection is available
- Listens for changes in the sensor environment (might be used to detect emulation)
- Uses Crypto APIs (Might try to encrypt user data)
PID:4321

sh -c getprop ro.yunos.version
2⤵
PID:4365

getprop ro.yunos.version
2⤵
PID:4365

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/data/vip.mytokenpocket/mix.dex --output-vdex-fd=57 --oat-fd=58 --oat-location=/data/data/vip.mytokenpocket/oat/x86/mix.odex --compiler-filter=quicken --class-loader-context=&
2⤵
- Loads dropped Dex/Jar
PID:4391

/system/bin/sh -c type su
2⤵
- Checks if the Android device is rooted.
PID:4579

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/vip.mytokenpocket/app_crashrecord/1002
Filesize
227B

MD5
aeeafbecac429b8a2d0bbfdfdbe803b2

SHA1
475cf5aaa9ca623a4f98d2d38e64004ec7de5a25

SHA256
feae95d6ec199abe58f94776d6f623ed6adc60ff9fbadfbfbe458c765b84a6ae

SHA512
15306c0a349e7875e68e9786704821f0f90510ea79568cca59c67435ef5812f70e3259eef136111e3e8b1aee9c7b295ffddb6b6bd374eca05ef8a2db8d01fede

Download Submit
/data/data/vip.mytokenpocket/app_crashrecord/1004
Filesize
227B

MD5
d7300d9fc5ba3c983baf374ab44477d7

SHA1
dbf458070e24fe34cd35b063d3aab0153f5ee319

SHA256
6cf824e67297eb8a760b3d2dcc980023bfe77440d2078b4f1dda778fb10e96c6

SHA512
d8c4b02f5a5f6a17b2daeef7d1231cea0faa92db0ffd7f1448286aec2a7ddb6d321db7f926ca6bbbf6325866852e4b96caa907a5aaf84dfb17189e36ac972ddd

Download Submit
/data/data/vip.mytokenpocket/app_crashrecord/1004
Filesize
58B

MD5
0d210bfb2a0e1f1b4c082a6a0f79de07

SHA1
bb8ed9e364db79d1d9f2fcde3f15091893222faa

SHA256
988722c23d78a46021d0e7ca9deee7aa8bb83288269174ffacb7316f381cca1d

SHA512
536e9867b0df29b15b789f8949be6ab37fcdeccb9d39ded981da7dc2052c9533d0ec0e6f9a5444132977605d372e1463d91bdde41b528ff2ca3f65ab152325c1

Download Submit
/data/data/vip.mytokenpocket/databases/bugly_db_-journal
Filesize
512B

MD5
4b3ae2212ee768318c5833fbac12e99b

SHA1
ae671fc56639397a09c9a7bb96b402b07357ff34

SHA256
bc305eac43caae6b9431e98afff3948f8c04d7b66bc012150d77603a58c3cfae

SHA512
62c30484f01887bff7551609ab8a3f8ea4c2b0162eab002bef1b6ff6f7d29fc8d0020f9c5a0fd00da21672b960ce2a9e3fa6ac6c19ef7d1fe154557fcde397c9

Download Submit
/data/data/vip.mytokenpocket/databases/bugly_db_-wal
Filesize
76KB

MD5
c1607a8532f014fbdcbf83ef9034d38f

SHA1
f678be1bf4e1695c8334da3ea2cee5fa49908690

SHA256
17bda4e43480d0858d57627cd26045d74b3140cf8711d2e83d98c33dcf909485

SHA512
29e6b04b11c938bb3a717fb9671a04462739cb61e04f076313e99acb1b4272abfcf855a5cd0ed4f3cc80c5607b1d2ceb19bcf52798ae15b55619f7db7425405e

Download Submit
/data/data/vip.mytokenpocket/databases/bugly_db_legu
Filesize
4KB

MD5
f2b4b0190b9f384ca885f0c8c9b14700

SHA1
934ff2646757b5b6e7f20f6a0aa76c7f995d9361

SHA256
0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

SHA512
ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

Download Submit
/data/data/vip.mytokenpocket/databases/bugly_db_legu-journal
Filesize
512B

MD5
87c550bc312d86eb345252fbda872fdd

SHA1
364da8c504165e1c0327cf2c44afbf736468d802

SHA256
f4a307904d8ccc7981b3e88e46ca8e4986e5ef27aec1074c21ce552db3a9d50a

SHA512
ba2511571d6d47c55c85e9a382622785fbd2b986958f56fce34f9ec4df0f7903d893fc41f78218d4af08a2d8e2376a8603693920fd18e822af9c67e13f62735a

Download Submit
/data/data/vip.mytokenpocket/databases/bugly_db_legu-shm
Filesize
32KB

MD5
bb7df04e1b0a2570657527a7e108ae23

SHA1
5188431849b4613152fd7bdba6a3ff0a4fd6424b

SHA256
c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

SHA512
768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Download Submit
/data/data/vip.mytokenpocket/databases/bugly_db_legu-wal
Filesize
92KB

MD5
59d782e407da214a37ec459764c68557

SHA1
172064496a0ff8d2037ba40f06b8b8a54ee67f0a

SHA256
48cc247d1d55cbba2427b156db809b9f3e85f7e03ff36afeb6b4910a00b22da5

SHA512
697681d3ec756523f4a5bf04d3b391eb63b51621325fd9aa0ffeb2c896093d196fd87454f66412c8f86fe42bd3c46cb0104fd8b39155ce6da7b3570c4072ba75

Download Submit
/data/data/vip.mytokenpocket/databases/tp_db
Filesize
5KB

MD5
5b2cacf406fb5b152030664a48458f03

SHA1
300ca6aba62a92ded85eb32142bd141702053bea

SHA256
314394af23cbbb06d43eb4c8bfd22b342aff58628e7b8cb12fc4e5f9ac77c3d8

SHA512
7486711e030ab062ceeb22c2f750ba33bbbf3c6dc16cecdd7cf46b1238cc5a74946a0b7dd1807bd3f25516f2813c8d461bdbc31e36a5715bb5a57158f2ac0ed0

Download Submit
/data/data/vip.mytokenpocket/databases/tp_db-journal
Filesize
512B

MD5
514758f613e15452064ad398d0471f02

SHA1
ce5777030d7782b53c09f1d1a9b4ebd8fe9703c4

SHA256
e6df651c22117b5e16b1765d88720ab6c157cbeca608a0663207f9b078c60bf5

SHA512
8da983b8138bd4e39acece26edec0ce8ad5559b2822f120db0ac1959f6dc6908f8621d2615a485bd2949c3a2ed6451a4bdf6e7a95422ae19af5b0df8c90d2e6a

Download Submit
/data/data/vip.mytokenpocket/files/stateless/dW1weF9pbnRlcm5hbA== /dW1weF9pbnRlcm5hbF8xNzE2NTA3MTMwNjMy
Filesize
1KB

MD5
86aaa1a8b950d00a56c8d6439b9f64a1

SHA1
09318d81969076d3b714bda7da6d293ead0bd38f

SHA256
e5e510f15f89050d4638a1a6cd23bfc8940a9401acbb212bab3bb402981013ed

SHA512
51ecfcd17d9e75e00b94954229969b01b9d27d409b6de70a79f7f0df96606376b7ac5ea482b869bc10ef8911c9f476932573f8ba91be21de19d3f8e4f058f05d

Download Submit
/data/data/vip.mytokenpocket/files/stateless/dW1weF9pbnRlcm5hbA== /dW1weF9pbnRlcm5hbF8xNzE2NTA3MTYwOTc4
Filesize
1KB

MD5
0cbf5bf902d6192e9ad1b9b93cb25115

SHA1
876fd3b2810f33e4cad749ca4aa6b196b9d46186

SHA256
121b8b671d10740b3275f57f6748673382cf37f9348f09f5fa320d2c1018e5f1

SHA512
fff8473917d9a17325be41e0631ee4bb5d736180a9e2fc7b8dcc51be5a829059db0f3144f8cac1ccccc18fd23d44f3ddf1de0479a23d5fcd0aabb0f066c98222

Download Submit
/data/data/vip.mytokenpocket/files/umeng_it.cache
Filesize
415B

MD5
d1c40e3e4802c9dbcc08d1825ae8c0c7

SHA1
936c548faf3e457228a630714f012fc58781e6b0

SHA256
dd5b0dc090eb0e10b274dbf4647e2ab78294e9adf3e03845a63cbfe862e3a072

SHA512
8b7d2836908acc709ac4ea1e8ca695821238c2376c777314574493f1cae50727e1f7964a596dc2562c7f1f519d62c0f182407f1328df980a20ca05a598edb53e

Download Submit
/data/data/vip.mytokenpocket/mix.dex
Filesize
292B

MD5
63f77f99bd2c2b772a479923bde11974

SHA1
c7632e7d301e4463fafce85f84e9c3d7da3fdbbe

SHA256
4c76a3af64cdd2f8713ffe2733dea50dbe714d0ca41c17d1847ee5b62a7ca615

SHA512
3aae4a89d1ed51fdd911cb367eb10afe3c2264e4222085891b18a60d5412f85d10bf5c8f3c6642db70abb9aa42732bac5c42c42ee32d587100f53c21b5beb16c

Download Submit