f7dcea67f15ed1a461dea73515e7ecd467e86901da7b72280aa23396aee76d98

Analysis

max time kernel
179s
max time network
131s
platform
android_x86
resource
android-x86-arm-20240514-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20240514-enlocale:en-usos:android-9-x86system
submitted
23-05-2024 02:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

696acdf4d4b9d7a79de1f8522a466bed_JaffaCakes118.apk
Size

307KB
MD5

696acdf4d4b9d7a79de1f8522a466bed
SHA1

1202ab7d8a6a4a9f5f74a3e7c992b0d53d1fd72a
SHA256

f7dcea67f15ed1a461dea73515e7ecd467e86901da7b72280aa23396aee76d98
SHA512

bc840a616b288695ff0a05045195bc669cd0c60968c3b632e709d2319f771f98ae5c4773f676112a1c5e04fea2dcb645ea9b550bc478604232732ab6ffb9b00b
SSDEEP

6144:V1UFRQ98qOm76nUgUHuzie9rx4g66zG6uPPJ2Jfo2Cd8IHcDi+NSYIS6tODNafj+:V4Q98zqcUgxr91qUACmcDi+AtoNQI

Score

8^/10

discovery evasion impact privilege_escalation stealth trojan

Malware Config

Signatures

Removes its main activity from the application launcher 1 TTPs 1 IoCs
stealth trojan evasion

Suppress Application Icon
T1628.001

Processes:

com.mfvbrdnoufqa.sjoknuyhv

pid process

4257 com.mfvbrdnoufqa.sjoknuyhv

pid	process
4257	com.mfvbrdnoufqa.sjoknuyhv

Loads dropped Dex/Jar 1 TTPs 2 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

Processes:

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.mfvbrdnoufqa.sjoknuyhv/app_dex/xrvjofqdyznwk.jar --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.mfvbrdnoufqa.sjoknuyhv/app_dex/oat/x86/xrvjofqdyznwk.odex --compiler-filter=quicken --class-loader-context=&com.mfvbrdnoufqa.sjoknuyhv

ioc	pid	process
/data/user/0/com.mfvbrdnoufqa.sjoknuyhv/app_dex/xrvjofqdyznwk.jar	4284	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.mfvbrdnoufqa.sjoknuyhv/app_dex/xrvjofqdyznwk.jar --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.mfvbrdnoufqa.sjoknuyhv/app_dex/oat/x86/xrvjofqdyznwk.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/com.mfvbrdnoufqa.sjoknuyhv/app_dex/xrvjofqdyznwk.jar	4257	com.mfvbrdnoufqa.sjoknuyhv

Queries information about running processes on the device 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about running processes on the device.
discovery

Process Discovery
T1424

Processes:

com.mfvbrdnoufqa.sjoknuyhv

description ioc process

Framework service call android.app.IActivityManager.getRunningAppProcesses com.mfvbrdnoufqa.sjoknuyhv
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422
Tries to add a device administrator. 2 TTPs 1 IoCs
privilege_escalation impact

Device Administrator Permissions
T1626.001

Account Access Removal
T1640

Processes:

com.mfvbrdnoufqa.sjoknuyhv

description ioc process

Intent action android.app.action.ADD_DEVICE_ADMIN com.mfvbrdnoufqa.sjoknuyhv
Checks if the internet connection is available 1 TTPs 1 IoCs
discovery

System Network Connections Discovery
T1421

Processes:

com.mfvbrdnoufqa.sjoknuyhv

description ioc process

Framework service call android.net.IConnectivityManager.getActiveNetworkInfo com.mfvbrdnoufqa.sjoknuyhv
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
impact

Data Encrypted for Impact
T1471

Processes:

com.mfvbrdnoufqa.sjoknuyhv

description ioc process

Framework API call javax.crypto.Cipher.doFinal com.mfvbrdnoufqa.sjoknuyhv

description	ioc	process
Framework service call	android.app.IActivityManager.getRunningAppProcesses	com.mfvbrdnoufqa.sjoknuyhv

description	ioc	process
Intent action	android.app.action.ADD_DEVICE_ADMIN	com.mfvbrdnoufqa.sjoknuyhv

description	ioc	process
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.mfvbrdnoufqa.sjoknuyhv

description	ioc	process
Framework API call	javax.crypto.Cipher.doFinal	com.mfvbrdnoufqa.sjoknuyhv

com.mfvbrdnoufqa.sjoknuyhv
1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Queries information about running processes on the device
- Tries to add a device administrator.
- Checks if the internet connection is available
- Uses Crypto APIs (Might try to encrypt user data)
PID:4257
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.mfvbrdnoufqa.sjoknuyhv/app_dex/xrvjofqdyznwk.jar --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.mfvbrdnoufqa.sjoknuyhv/app_dex/oat/x86/xrvjofqdyznwk.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4284

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

T1626

Device Administrator Permissions

T1626.001

Defense Evasion

Download New Code at Runtime

T1407

Hide Artifacts

T1628

Suppress Application Icon

T1628.001

Credential Access

Discovery

Process Discovery

T1424

System Network Configuration Discovery

T1422

System Network Connections Discovery

T1421

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Account Access Removal

T1640

Data Encrypted for Impact

T1471

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.mfvbrdnoufqa.sjoknuyhv/app_dex/xrvjofqdyznwk.jar

Filesize
72KB

MD5
1b1683635d89f047d9435216c0e86ac6

SHA1
ce3396d69b1f12d90a96856e44af44b39d4457c4

SHA256
6d074002cc6881334426a8e6cc0e89eef43e1868c483304e5dedea54a13567d9

SHA512
bb76c25dfdbb72aa2760dde982dff7df0ec793b4f92274280c5ea0570b9fc2ef3bdbf9572100e1e7846d5647a7a44b8c8f2190d5d29d7ef7a7a541cf1b473e67

Download Submit
/data/data/com.mfvbrdnoufqa.sjoknuyhv/files/ls/lt

Filesize
26B

MD5
faeddddb915a91458b244d8deb45b678

SHA1
42bc41430d6d924fe03cb74144000b16f42fdaca

SHA256
02eb5f88a4856cfb954378a7b548b5f66489e6b60e7fb95335d3646e4c2862ad

SHA512
2756f73b1cfb97779f021bf762f632a4ae873bac6a86a3f17c57b59e3b2613ad26c6404f67bd573cf436ffd2c10f9c19dd96eb609437d855172333c809ebc9de

Download Submit
/data/data/com.mfvbrdnoufqa.sjoknuyhv/files/ls/lt

Filesize
125B

MD5
0bba5c9f1feef2c996080ade4a941f25

SHA1
25935c5a4abb56c72ec5cfea295fbbffe8f80618

SHA256
05ea688644193f0bfd5241c74ba091fb833fa6b9014f1c03186c1e11108c9287

SHA512
f58bdb9af560a45cb19eee3ccb2c0d45d7fa4cbb178e35459f4e95c4394d536662d41bbf1d050f6fb7340a2862f93c94b2b4dcbdfaf66f5aefd360809872f607

Download Submit
/data/data/com.mfvbrdnoufqa.sjoknuyhv/files/ls/lt

Filesize
29B

MD5
c315bb7269a8cc6538975ec0c5719645

SHA1
9a845b5abdf4502d21accf9872826519c1ec0ffb

SHA256
81d0a5f2d09407fee79d12d1c89801b652e692a7df4eada6eb7d6bf8aa9cc8d5

SHA512
49de1be51d33cd4cd016b0736f4c88bb6bf8b96cfa211c3d82a0a0d7905f3178bb6de9cc43264a9ec325602e3166ee838efe24a7a7fddf258b5c4441e8d7c131

Download Submit
/data/data/com.mfvbrdnoufqa.sjoknuyhv/files/ls/lt

Filesize
30B

MD5
10757c1bb7be6b2cf3bccb445ea1c78d

SHA1
4e1c2c2fd46a83e039cfad83c132e6a364833c38

SHA256
a84746a18e0d182efaa20ef8ba7c8d8768a0f56bb74c290caae87210220f94e9

SHA512
06a559576e2a51f961cfa08087faca78b3949ff79875cc5b4db33c61263871ebb1bfa4f8385ea17272e039d4db6de7455b2c669be1f308e8a4da45f8aad69789

Download Submit
/data/data/com.mfvbrdnoufqa.sjoknuyhv/files/ls/lt

Filesize
28B

MD5
3e1a248f254feba725d92d220c641f2c

SHA1
f4290eabcb01c26c73fd60f74b73ac0d5b73c817

SHA256
76bcaec03e8d4e253ad77501f1cf5fb32206795256b725319ea9ce4b92216914

SHA512
b462d80677991873ee6b72f3a5f96363cff7bb8841832fb3709670c4ab17623a66bc472cff1e62a36743e91c86c47746e99a0d3196b3a92080623435b7719e1c

Download Submit
/data/data/com.mfvbrdnoufqa.sjoknuyhv/files/ls/lt

Filesize
21B

MD5
171c90bd194e5ccf06aeb3c50cab8be4

SHA1
b1395388671604b232d791eacb5632882dc9f379

SHA256
199e66fd1146c1db36d95f20909243179105e59a4cf08730323adf6ba807daf9

SHA512
67f1a101395a2b5a74c5612df23df8fa6e6aa7c0b13ed5128110bf45bf0969d5f44552d9163dfb8b629fa2a9ee8e2f323bec6c19cd2d9a9ecc3579768ac24fa2

Download Submit
/data/user/0/com.mfvbrdnoufqa.sjoknuyhv/app_dex/xrvjofqdyznwk.jar

Filesize
175KB

MD5
f9a2d71963c8086c1373dc0ab5f8f32e

SHA1
023363564d9ec6aa619e7b6f22a803bf2895ad7f

SHA256
8b7384c5ad6df6b7b6c2b00edf35fbf98ffdb34ddd213b4e1e18ffd74ed0f134

SHA512
2133be34f45ea17ceb58a3ed5cba3d7c1dae083e817361fc28e4a621d689a8e264d44a9c3f1bc83ad65cf4a5ff83a01271d87bdb2b957d4fd940a740c6491f3f

Download Submit
/data/user/0/com.mfvbrdnoufqa.sjoknuyhv/app_dex/xrvjofqdyznwk.jar

Filesize
175KB

MD5
22f62d2e41de9ce2adb98b137ad0dd36

SHA1
eb1e4d87caf423f5700970659c951b652ee47a36

SHA256
78711e8c7534b7eabadc7508a2cef300f34b3a604d398ce4335b6552e345f4b0

SHA512
423991cb95de329fc98d9a290b3446cb9600cb1c119e351eb42976c60c72fa5387bf39d77558ecfb7d5b41262553b0436b2022ddb8c5065eb23231dac275f5c4

Download Submit