0fdfd21b3274747a73983daa96e96996e8f7bf2bd8a205b80e441bccfecdfd62

Analysis

max time kernel
179s
max time network
167s
platform
android_x86
resource
android-x86-arm-20240514-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20240514-enlocale:en-usos:android-9-x86system
submitted
23-05-2024 00:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6927ace6eefa97350f7ad3077822f2b9_JaffaCakes118.apk
Size

5.7MB
MD5

6927ace6eefa97350f7ad3077822f2b9
SHA1

89ee54a4901e16e447d7525bf1cf6116b762dd7a
SHA256

0fdfd21b3274747a73983daa96e96996e8f7bf2bd8a205b80e441bccfecdfd62
SHA512

f579c83d910a4083fd796645ee6e272278b2c5c44107896c1f427f01cfe99ee7759fd63c3d1d195b510b5a17a59c43d9401ceb17f022a88f124bc5281f8bbaa7
SSDEEP

98304:yoHElAYE8N06nD7QzEl+El3eDi3+W8VmM3/rvkev8uhSbmLqTFSi:yoHEM6nDDwbiOW80MzOuhSbm4ki

Score

8^/10

banker collection discovery evasion persistence

Malware Config

Signatures

Checks if the Android device is rooted. 1 TTPs 2 IoCs
evasion

System Information Discovery
T1426

Processes:

com.snowfish.a.a.bg

ioc process

/system/bin/su com.snowfish.a.a.bg
/system/xbin/su com.snowfish.a.a.bg
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Requests cell location 2 TTPs 1 IoCs
Uses Android APIs to to get current cell location.
collection discovery evasion

Location Tracking
T1430

Geofencing
T1627.001

Processes:

com.cmge.kxxxlgw

description ioc process

Framework service call com.android.internal.telephony.ITelephony.getCellLocation com.cmge.kxxxlgw
Checks CPU information 2 TTPs 1 IoCs
Checks CPU information which indicate if the system is an emulator.
evasion discovery

System Checks
T1633.001

System Information Discovery
T1426

Processes:

com.snowfish.a.a.bg

description ioc process

File opened for read /proc/cpuinfo com.snowfish.a.a.bg
Checks memory information 2 TTPs 1 IoCs
Checks memory information which indicate if the system is an emulator.
evasion discovery

System Checks
T1633.001

System Information Discovery
T1426

Processes:

com.snowfish.a.a.bg

description ioc process

File opened for read /proc/meminfo com.snowfish.a.a.bg

ioc	process
/system/bin/su	com.snowfish.a.a.bg
/system/xbin/su	com.snowfish.a.a.bg

description	ioc	process
Framework service call	com.android.internal.telephony.ITelephony.getCellLocation	com.cmge.kxxxlgw

description	ioc	process
File opened for read	/proc/cpuinfo	com.snowfish.a.a.bg

description	ioc	process
File opened for read	/proc/meminfo	com.snowfish.a.a.bg

Loads dropped Dex/Jar 1 TTPs 4 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

Processes:

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.cmge.kxxxlgw/files/epay.jar --output-vdex-fd=56 --oat-fd=59 --oat-location=/data/user/0/com.cmge.kxxxlgw/files/oat/x86/epay.odex --compiler-filter=quicken --class-loader-context=&com.cmge.kxxxlgw/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/storage/emulated/0/Sonnenblume/res.apk --output-vdex-fd=47 --oat-fd=48 --oat-location=/storage/emulated/0/Sonnenblume/oat/x86/res.odex --compiler-filter=quicken --class-loader-context=&com.snowfish.a.a.bg

ioc	pid	process
/data/user/0/com.cmge.kxxxlgw/files/epay.jar	4416	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.cmge.kxxxlgw/files/epay.jar --output-vdex-fd=56 --oat-fd=59 --oat-location=/data/user/0/com.cmge.kxxxlgw/files/oat/x86/epay.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/com.cmge.kxxxlgw/files/epay.jar	4312	com.cmge.kxxxlgw
/storage/emulated/0/Sonnenblume/res.apk	4494	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/storage/emulated/0/Sonnenblume/res.apk --output-vdex-fd=47 --oat-fd=48 --oat-location=/storage/emulated/0/Sonnenblume/oat/x86/res.odex --compiler-filter=quicken --class-loader-context=&
/storage/emulated/0/Sonnenblume/res.apk	4451	com.snowfish.a.a.bg

Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
discovery

System Network Connections Discovery
T1421

Processes:

com.snowfish.a.a.bg

description ioc process

Framework service call android.net.wifi.IWifiManager.getConnectionInfo com.snowfish.a.a.bg
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
persistence

Broadcast Receivers
T1624.001

Processes:

com.snowfish.a.a.bg

description ioc process

Framework service call android.app.IActivityManager.registerReceiver com.snowfish.a.a.bg
Checks if the internet connection is available 1 TTPs 1 IoCs
discovery

System Network Connections Discovery
T1421

Processes:

com.snowfish.a.a.bg

description ioc process

Framework service call android.net.IConnectivityManager.getActiveNetworkInfo com.snowfish.a.a.bg
Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422

description	ioc	process
Framework service call	android.net.wifi.IWifiManager.getConnectionInfo	com.snowfish.a.a.bg

description	ioc	process
Framework service call	android.app.IActivityManager.registerReceiver	com.snowfish.a.a.bg

description	ioc	process
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.snowfish.a.a.bg

com.cmge.kxxxlgw
1⤵
- Requests cell location
- Loads dropped Dex/Jar
PID:4312
- chmod /data/user/0/com.cmge.kxxxlgw 777&& busybox chmod /data/user/0/com.cmge.kxxxlgw 777
  2⤵
  PID:4380
- chmod /data/user/0/com.cmge.kxxxlgw 777&& busybox chmod /data/user/0/com.cmge.kxxxlgw 777
  2⤵
  PID:4396
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.cmge.kxxxlgw/files/epay.jar --output-vdex-fd=56 --oat-fd=59 --oat-location=/data/user/0/com.cmge.kxxxlgw/files/oat/x86/epay.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4416

com.snowfish.a.a.bg
1⤵
- Checks if the Android device is rooted.
- Checks CPU information
- Checks memory information
- Loads dropped Dex/Jar
- Queries information about the current Wi-Fi connection
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Checks if the internet connection is available
PID:4451
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/storage/emulated/0/Sonnenblume/res.apk --output-vdex-fd=47 --oat-fd=48 --oat-location=/storage/emulated/0/Sonnenblume/oat/x86/res.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4494

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Execution Guardrails

T1627

Geofencing

T1627.001

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Discovery

Location Tracking

T1430

Software Discovery

T1418

Security Software Discovery

T1418.001

System Information Discovery

T1426

System Network Configuration Discovery

T1422

System Network Connections Discovery

T1421

Lateral Movement

Collection

Location Tracking

T1430

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.cmge.kxxxlgw/files/epay.jar

Filesize
158KB

MD5
544b4b6cfde7c5a9f28b765d2bb245ec

SHA1
7e12d510d4601833ce1fa979ce99325804a8dc09

SHA256
f72e9cc8e96b617b7792f1cef27d078a2f1d72b52ebf92774a50a349dc15a21e

SHA512
89c3222a6aaf284dcc00ae38177668bbc772e0a694f6dd32420726a30736d80ffbaac72661ee98c60ae3a2bbcdba96a3ecf0e5371bf3414d1453014ebb4c045e

Download Submit
/data/user/0/com.cmge.kxxxlgw/files/epay.jar

Filesize
290KB

MD5
ac2e8a38fd93de41bbb5915928e2819c

SHA1
7ef2a5c9ce4cbb3cb68e0c140ac196098feabe3c

SHA256
4ed57a11968667db63f6fd8e39163cde60e9d4e864241d9fae065d22a8db7556

SHA512
3dec9384224407b8525afc244cd291539a8c8633f9a97a177b7c803508f54d155d45dbfb671320f141d1555772357b282c3d2bbbec0e17693182eb4cc3abf7c1

Download Submit
/data/user/0/com.cmge.kxxxlgw/files/epay.jar

Filesize
290KB

MD5
67e28a2b7ae4411e42169eaa341b8def

SHA1
f18f8038e637af8bc93514599ff7dda5d76e5a26

SHA256
ace471968f2c391fd60159bb056375f445dee4934a69bd967d1208d98e369f53

SHA512
eaa16e007d72a01e827452e0586dba7812365fbc1fa7c62961c0b464de18f263e0c583dd11f9699fc7a9a56e0422cfc506bc670c78e1bd63f536a872d571fb15

Download Submit
/storage/emulated/0/Sonnenblume/4A72F2DFFDBD84EB0C5C797BB76AFC44

Filesize
132B

MD5
d9a00fff2151a163b64e8f6ea22627ff

SHA1
b1cebbaf42ebb1031b06ef41c4b1fd58f7ed83ee

SHA256
415d939524d8dd9ea75432ecf0d08cbae556d99259377efb86b60a5def9ae878

SHA512
6b569af7330b6bd2345d34ed0a8f525d17dee38b7e69cfcbb19a5abd85431b08ce5b8bb4c22e4cfda5a0c29431278215d5ef3690ebfd5c935db791007e7a76ab

Download Submit
/storage/emulated/0/Sonnenblume/EE53AF5B170264468E95E783E26D76C2

Filesize
317B

MD5
58a2e48a47e2340f3dc6643126aee745

SHA1
5f9eb061e6d1bc79e9bd0047ebf3ea5312dcb999

SHA256
8970751a23d2dcc97f981672c6863a8bd0c5746a475e3c7745e39b16ff0121e9

SHA512
0a2a3ad27b88f31650b1b6bf7257f343bd43c1975d8a516003f5b5c23fb0147c8f3dace30947ef2a1bf49d3170a996aa89b4b05c89a79aa011ffdfff637b2c75

Download Submit
/storage/emulated/0/Sonnenblume/EE53AF5B170264468E95E783E26D76C2

Filesize
353B

MD5
3e0da954b484c12d6d48ef9d1397ddf3

SHA1
24b209e898631bf41c53adc7b1b40b1d44296759

SHA256
db8d4b0c0ad54aa95cba33ea8826717e70ef6d6cc4609915a41edf116594d989

SHA512
a60e9f3454ed744632d317e0e6a1c98d50e04a6d7df426e740a1103bc865a56c66c84113361d51010e7858c7cf92683514bdf611ef38003878ff4d65116f3830

Download Submit
/storage/emulated/0/Sonnenblume/EE53AF5B170264468E95E783E26D76C2

Filesize
353B

MD5
3f4b124968b3cd03a5d5e152e14f5661

SHA1
0c1f548effa613d2c3a36783ae73380bcf3f24e0

SHA256
9bdcb6a26571c718eb793d3e99d89f4dceb2ef082aca5b24dc173777567d79bf

SHA512
9d27bb4607f1ba6e4d07ede6b7bb14875b48d93c350905bba736f2b97a2035114942f26fa76a43ecb9ed3dd93d36a7dd791e6467a8b154605dc586b92d17059b

Download Submit
/storage/emulated/0/Sonnenblume/EE53AF5B170264468E95E783E26D76C2

Filesize
319B

MD5
0dfd4411518d5c504e639924848f0998

SHA1
2510ffb84b2a523c1f87ce574e3934155edf35fa

SHA256
a651ac300ed2ca88c44a0414089dd8e709ecac62f1514120314233ed8700b1b1

SHA512
65416394a320a7cf8ca850929d8684aeb5b5d58b83a7cb3de0be1115f9b59032fc1bd7c522b73b7c422b972662a9d2f5744a59e897d50110cf76a5d754e3c654

Download Submit
/storage/emulated/0/Sonnenblume/res.apk

Filesize
335KB

MD5
7304676ed86ba7302add9c83aa5188e4

SHA1
9f7bf2ecbba8d9d5ee1bf2cda006aa9910bb422c

SHA256
5262c65999ec23a99a3e176dfaf397cfded7323d00c80e0e67c3e48be3f5d38a

SHA512
b15a2138f35346da77662f5109b291c33408b77e2c0952cf861c3c486cef05bf17d23366d667eed101716087e38ee5c7e8a8c3b04fd6faaf467994ccc01b83d4

Download Submit
/storage/emulated/0/Sonnenblume/res.apk

Filesize
335KB

MD5
2bc5eedfa756ebcdedebdaa3646788e6

SHA1
99f113c6a451f01babfe7947c762a9072f70c24f

SHA256
c90c05c7fde144fb61c4a3bc8f283195e5651f61872b083b3a6f586897726a68

SHA512
c26607bae7641638a6df12b8f2d8ac28bdf29b270a58e8b5ff5909a972bb1ad4ebd1edb354c2825b5f9f504288a1a02dcde1ffffd4f815b6030ae12f2bd52b58

Download Submit