b4f5d44b5e982567a5b6d31242168ca3e3134c455b3acc7577bb30ff2a071df1

Analysis

max time kernel
178s
max time network
188s
platform
android_x64
resource
android-x64-arm64-20240514-en
resource tags

androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240514-enlocale:en-usos:android-11-x64system
submitted
23-05-2024 04:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

69b8051a6bb3c84968a42508205bf567_JaffaCakes118.apk
Size

9.6MB
MD5

69b8051a6bb3c84968a42508205bf567
SHA1

92ffb5c7d81bdea3a2d8ee88137bb2f5669064cb
SHA256

b4f5d44b5e982567a5b6d31242168ca3e3134c455b3acc7577bb30ff2a071df1
SHA512

1a46af0366b6230dcd3150009e5f5edad46b5d6d468a6936d75d1afdd46a71ca5ecfd7c21de81617984a575e3f3b26c60ed5e2fa14d1afc2675398ffeded106f
SSDEEP

196608:4B2IdUzkrg+rXnlcv90S6/1++wHnLHgz4ioD2yWoES+ViUIvyVisgxTKNlQ:M2GUzkrj7Xd+C3oD2zBViU0xTClQ

Score

8^/10

banker collection discovery evasion impact

Malware Config

Signatures

Checks if the Android device is rooted. 1 TTPs 1 IoCs
evasion

System Information Discovery
T1426

Processes:

com.aheading.news.yanfudzb

ioc process

/system/bin/su com.aheading.news.yanfudzb
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Requests cell location 2 TTPs 1 IoCs
Uses Android APIs to to get current cell location.
collection discovery evasion

Location Tracking
T1430

Geofencing
T1627.001

Processes:

com.aheading.news.yanfudzb

description ioc process

Framework service call com.android.internal.telephony.ITelephony.getCellLocation com.aheading.news.yanfudzb
Checks CPU information 2 TTPs 1 IoCs
Checks CPU information which indicate if the system is an emulator.
evasion discovery

System Checks
T1633.001

System Information Discovery
T1426

Processes:

com.aheading.news.yanfudzb

description ioc process

File opened for read /proc/cpuinfo com.aheading.news.yanfudzb
Queries information about running processes on the device 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about running processes on the device.
discovery

Process Discovery
T1424

Processes:

com.aheading.news.yanfudzb

description ioc process

Framework service call android.app.IActivityManager.getRunningAppProcesses com.aheading.news.yanfudzb

ioc	process
/system/bin/su	com.aheading.news.yanfudzb

description	ioc	process
Framework service call	com.android.internal.telephony.ITelephony.getCellLocation	com.aheading.news.yanfudzb

description	ioc	process
File opened for read	/proc/cpuinfo	com.aheading.news.yanfudzb

description	ioc	process
Framework service call	android.app.IActivityManager.getRunningAppProcesses	com.aheading.news.yanfudzb

Queries information about the current Wi-Fi connection 1 TTPs 2 IoCs

Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

discovery

System Network Connections Discovery

T1421

Processes:

com.aheading.news.yanfudzbcom.aheading.news.yanfudzb:pushservice

description	ioc	process
Framework service call	android.net.wifi.IWifiManager.getConnectionInfo	com.aheading.news.yanfudzb
Framework service call	android.net.wifi.IWifiManager.getConnectionInfo	com.aheading.news.yanfudzb:pushservice

Queries information about the current nearby Wi-Fi networks 1 TTPs 2 IoCs

Application may abuse the framework's APIs to collect information about the current nearby Wi-Fi networks.

discovery

System Network Connections Discovery

T1421

Processes:

com.aheading.news.yanfudzb:pushservicecom.aheading.news.yanfudzb

description	ioc	process
Framework service call	android.net.wifi.IWifiManager.getScanResults	com.aheading.news.yanfudzb:pushservice
Framework service call	android.net.wifi.IWifiManager.getScanResults	com.aheading.news.yanfudzb

Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422
Acquires the wake lock 1 IoCs

Processes:

com.aheading.news.yanfudzb:pushservice

description ioc process

Framework service call android.os.IPowerManager.acquireWakeLock com.aheading.news.yanfudzb:pushservice

description	ioc	process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.aheading.news.yanfudzb:pushservice

Checks if the internet connection is available 1 TTPs 2 IoCs

discovery

System Network Connections Discovery

T1421

Processes:

com.aheading.news.yanfudzbcom.aheading.news.yanfudzb:pushservice

description	ioc	process
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.aheading.news.yanfudzb
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.aheading.news.yanfudzb:pushservice

Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 2 IoCs

impact

Data Encrypted for Impact

T1471

Processes:

com.aheading.news.yanfudzbcom.aheading.news.yanfudzb:pushservice

description	ioc	process
Framework API call	javax.crypto.Cipher.doFinal	com.aheading.news.yanfudzb
Framework API call	javax.crypto.Cipher.doFinal	com.aheading.news.yanfudzb:pushservice

com.aheading.news.yanfudzb
1⤵
- Checks if the Android device is rooted.
- Requests cell location
- Checks CPU information
- Queries information about running processes on the device
- Queries information about the current Wi-Fi connection
- Queries information about the current nearby Wi-Fi networks
- Checks if the internet connection is available
- Uses Crypto APIs (Might try to encrypt user data)
PID:4556

com.aheading.news.yanfudzb:pushservice
1⤵
- Queries information about the current Wi-Fi connection
- Queries information about the current nearby Wi-Fi networks
- Acquires the wake lock
- Checks if the internet connection is available
- Uses Crypto APIs (Might try to encrypt user data)
PID:4608

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Execution Guardrails

T1627

Geofencing

T1627.001

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Discovery

Location Tracking

T1430

Process Discovery

T1424

Software Discovery

T1418

Security Software Discovery

T1418.001

System Information Discovery

T1426

System Network Configuration Discovery

T1422

System Network Connections Discovery

T1421

Lateral Movement

Collection

Location Tracking

T1430

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/com.aheading.news.yanfudzb/databases/AheadNews280.db
Filesize
144KB

MD5
110719deabd82518b14b001ebc6c9451

SHA1
06955b11bacb3061ca597eee44f859d571232993

SHA256
5f8ff849e437b387997546adae3fc254a8b970221c0a1c5f831214a8f6aadf54

SHA512
7b25023e814480734e2126408305a74d0fc2ee018b17f4b33fa8b1cad2d30b44d447f6c89755dc91dccaf964dae2238b458581691ca322bf117d6ac73fac0784

Download Submit
/data/user/0/com.aheading.news.yanfudzb/databases/AheadNews280.db-journal
Filesize
512B

MD5
05ac6ab8b9d3e111f7a5b26572564693

SHA1
f70e888e639a815862b2112de63d5ad022efd517

SHA256
97fb2230fbf2a45a2922641a26776721c2047e43ea2084d5f822ee9764ea57db

SHA512
3972329337413a453e66288f166d455df7d08193bcab354b318807330f263148e4e093a27f445bc4dd48756807bfa18a21da0b7e0835a4fc54836d4fd4c658e2

Download Submit
/data/user/0/com.aheading.news.yanfudzb/databases/AheadNews280.db-journal
Filesize
8KB

MD5
908c4837fcce0725857b3843f64bf650

SHA1
7db61cf298a470adb3718abeb3655c52a319c358

SHA256
d23baab80231bb259e9db28c2b107a4d2a71034be3652c8446f97ecc47ecddc0

SHA512
bfb1b08ddc7fd6e53311506712c2919ffb59c52a8035c53c50328c1b6b4147ec4ed5e7c44b4199870e44888e087994965190454b9f5c9801075ae46c352a2369

Download Submit
/data/user/0/com.aheading.news.yanfudzb/databases/AheadNews280.db-journal
Filesize
8KB

MD5
181c6f5fe06fe64c975d3e1820d184b4

SHA1
2ec87f8853d03eb6aca503748d6772130bc11f98

SHA256
51d0e69b5db3ed4b32d8c3dff2562aab9d5ceb4ea28e56687e9a7e95dbede5be

SHA512
323a842c230e823be5c85d1070910ebf8cfbb9dec7c4e7c3564918eae54519349aba7577b6b4138f416bd6d0f747a1b5694b5552aec9d483acd02c0c72b67ce9

Download Submit
/data/user/0/com.aheading.news.yanfudzb/databases/pushsdk.db-journal
Filesize
4KB

MD5
09fa30e53cc327fc125a1bbb3b8e7ec3

SHA1
3975fa687d980b18dd48e9947694a6c9001fd74f

SHA256
326fa482037ad0dfb5bae57a21495aad99d2725594b541893c3996d1a269f3f4

SHA512
950896f86713d3944f1861360ce4b5ded0c4fff5d563e14ecb886a4773c48091cbb10bc5d9957a2bf38e3954b873d9da0ac118bc10114af997ff24afaece22f0

Download Submit
/data/user/0/com.aheading.news.yanfudzb/files/.imprint
Filesize
933B

MD5
78b2398138ea7515f2131057b100d183

SHA1
e63f1ec74608139177ac2ab6d131e880f84c4c46

SHA256
a3a9022b0f84fc05509ac1cd70cc09655085a2b40f7b3d37e54395463a5f1a3c

SHA512
13e59ae2b0e11132e8f092dae299d3973e75803925b3970d0de5253d76f5a3aa0ff163e7e21515045da938a20df16adc51c81b44ec73daafd7e00d56ecfd4ad4

Download Submit
/data/user/0/com.aheading.news.yanfudzb/files/.umeng/exchangeIdentity.json
Filesize
162B

MD5
57ee14cdc6675f0617cc1a39bad0ad1f

SHA1
ffa7e274668b258612701fb4b0957173d318ae45

SHA256
10470b295458b21217679d640294be62319c0fe7f76e0f68174a8b06de892e3c

SHA512
e5baa3d2125b8d4cd152e2ed26427aba4d5d7fb32f99e0a8bcd3c4f327217dbc36d8448e55540acf6bbe6ac9dcf818459159677a1c108c0281700f66374645cc

Download Submit
/data/user/0/com.aheading.news.yanfudzb/files/lotuseed.apps
Filesize
7KB

MD5
3e5e1146477298ebd518707a4e9edc7f

SHA1
bb0a46e286bcd1ce33746542c05a7464d7390062

SHA256
2c3d373c4cd7ce413f177522e262a9435e582e081c0b30c6b10475568a109f1c

SHA512
c20a4029f89d40134717910820bd3b1f39483d96488e3ed8cabb5466976fce447f2b6165fa6703ec5fbe6e9c009fe9649dc2c0cd66446ddb45602ae7c4bfe81e

Download Submit
/data/user/0/com.aheading.news.yanfudzb/files/lotuseed.s
Filesize
19KB

MD5
ff8b5cd0a19ac5a79c27ec35a55b2ef1

SHA1
177a296658c252a97f711b84abd1a5830c924bf1

SHA256
eb76f66dc9bafabb0b831bdf54ae568a82174fed53159451046cbda867b1e149

SHA512
428c150366a3a38a2a46d49d9266fe09e067b8556351f8a64e54b35254851897efe58fff2fdd582e8fc67918fa47c28f34247726c59c3dfc932b30136c29cc4d

Download Submit
/data/user/0/com.aheading.news.yanfudzb/files/lotuseed.s
Filesize
166B

MD5
702aa175711d3b8db70ca1d9a526165c

SHA1
262ba07791553e4b733233187f80caefc81dc2d0

SHA256
e525aee62c432a71844ccfbc39706c9241ab5d4ba898081dfe21fe890ec482f5

SHA512
09b280cb223b9647cb40d673588f8cd0a2555b4868be2f4ee623230569151417d4b4db9ea9f3326d7b203b9a89850d82520df62db538bade987753adf7ca64d7

Download Submit
/data/user/0/com.aheading.news.yanfudzb/files/lotuseed.s
Filesize
8KB

MD5
1160a9395220bc7f20c2464e620f060d

SHA1
b087923c33910a8344838420c56c0811d06999f7

SHA256
29c43507105caf0b96bba0a50c6a69dbc69a3cfb9d6a347c32fdd83c514e10f5

SHA512
3e595246b1423196761861d52f29e6109b620f8e218762a75e6d1e4a69da0d7a4754793e86480fcfa92b005be2b3faeb08245364156a1627e3077a1e90f5e2a7

Download Submit
/data/user/0/com.aheading.news.yanfudzb/files/lotuseed.s
Filesize
172B

MD5
f72b528139ec8e5cd5af81788e268362

SHA1
06295820a03590a2b5f732a3103c3178d6d25e43

SHA256
a5a3b91d9eb2929492b008087be93c98ebf864b9546c59399e64e5bf18abd445

SHA512
85a7475aa55f6a41f9769152c53c2b29491f03d8d81b2f04226a3f2afef871795cf553ab82cff73a7d0fa3a47562b07b81ba6f9a5587303b1f050c6cd8eb3f6d

Download Submit
/data/user/0/com.aheading.news.yanfudzb/files/lotuseed.task
Filesize
87B

MD5
a340f3649d552b6c6304f68da109660f

SHA1
5453e1a6e82b16644d07d570437c20171df4fd31

SHA256
42ab1649e8a7a7cb62450f3c240da91efe264cffb7b94f3d12b806e5580619ce

SHA512
94906f7d055502a1f957ff048cfe72426249102039134111efc2e55b10431bf6c06028fcb7edb223cc71e239ebecf809490e9173f762844c38342a063bbe6295

Download Submit
/data/user/0/com.aheading.news.yanfudzb/files/mobclick_agent_cached_com.aheading.news.yanfudzb840
Filesize
3KB

MD5
101456db9016b83ee04b0c69dc348304

SHA1
499158f92fdf68998c1ae8e2da85c2ba90f2e7de

SHA256
fc411b0ddaa56f7c0cee5d6323af152f95620b2b03e21dcca856b417d6b0edc0

SHA512
57c15055bdefc8269548caffce6c78a8b7f6d6e9d3dc49b548ddaebf4509b37e099b69c2e7b0f784307015bbf7f1d4b600cde399fd3dce230c67d953c0a7d71c

Download Submit
/data/user/0/com.aheading.news.yanfudzb/files/umeng_it.cache
Filesize
178B

MD5
da401d8dd72dca74081eb7c6f0df0d36

SHA1
8c1b28efdf8a0afe71ccf10b2d0bfd6c41815af6

SHA256
ea96fcc1687b9677341b46ae56368a14f29ab9801d2b165054c1f5099a17cf73

SHA512
b0879d9ce1dc715dead2e2f6bba8f1edffd448d73e38ef547f0fab389e79ab93a77cf5fc97006cff96ab6b7eabf21def20c62ec2793ed9eec5d1b3cd8724da00

Download Submit
/data/user/0/com.aheading.news.yanfudzb/files/umeng_it.cache
Filesize
350B

MD5
e38dd1bf15411caf49c61f5b276e99f6

SHA1
96fcaad8439beeea22b75333745f66c5178ccb1c

SHA256
c8634ed1107ae646e307ba46a6571fa82538daaa511d482e109146990b32c989

SHA512
a87a6ca8a9beaf2b486ea6cff0de9bd8a75e71fe52311efcebb71381bbfd9f2c31fa15002fdbe4032089802abcaa5375cf20fa7d948278080378a34d63cb4ac5

Download Submit
/storage/emulated/0/.system/lotuseed.devid
Filesize
8KB

MD5
2a542b7e04fd1fcf226df40a94e542b8

SHA1
a5d32474a8db8a99a913aad56d00c1232ca7f187

SHA256
ae59983d8200c7f61adbccd663bf53320a8170d4cec0bdf628b7fd5a777108b0

SHA512
53a0bd130dc5a99350cdf3710ba6ad9f90eeda8604146c68f472fecc6acba5fe36dbaf2c4cc70b7764f3743285854710a6028f243c7dbaf0d00f342cee16065f

Download Submit