47b1d674795b23c828a71a4fd44b78fafd5cb4fab0b1a37ce1274b4f3be8fc14

Analysis

max time kernel
59s
max time network
134s
platform
android_x86
resource
android-x86-arm-20240514-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20240514-enlocale:en-usos:android-9-x86system
submitted
23-05-2024 04:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

69c65c8773e2797104b9f805cf7aa271_JaffaCakes118.apk
Size

9.3MB
MD5

69c65c8773e2797104b9f805cf7aa271
SHA1

3b7300c6b8a585f6538f6397cbadcfefa561445f
SHA256

47b1d674795b23c828a71a4fd44b78fafd5cb4fab0b1a37ce1274b4f3be8fc14
SHA512

8ce2755c250f2fe42a47c76111fdaa4874bef330a888f84c82985e9e1b827d6417baae845940f25011cfd7a3d06d178f1ada9796655b1c4b8e863ca66ac0911c
SSDEEP

196608:PG1TTPDyOG1dm+7XHlADcoojtnvyO4sK2fMsgioQAoFd75W:STryOe7XFADcoojtn6EK20sgiLFd7A

Score

8^/10

collection discovery evasion persistence

Malware Config

Signatures

Requests cell location 2 TTPs 1 IoCs
Uses Android APIs to to get current cell location.
collection discovery evasion

Location Tracking
T1430

Geofencing
T1627.001

Processes:

ly.pp.justpiano:remote

description ioc process

Framework service call com.android.internal.telephony.ITelephony.getCellLocation ly.pp.justpiano:remote
Checks CPU information 2 TTPs 1 IoCs
Checks CPU information which indicate if the system is an emulator.
evasion discovery

System Checks
T1633.001

System Information Discovery
T1426

Processes:

ly.pp.justpiano

description ioc process

File opened for read /proc/cpuinfo ly.pp.justpiano

description	ioc	process
Framework service call	com.android.internal.telephony.ITelephony.getCellLocation	ly.pp.justpiano:remote

description	ioc	process
File opened for read	/proc/cpuinfo	ly.pp.justpiano

Loads dropped Dex/Jar 1 TTPs 2 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

Processes:

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/ly.pp.justpiano/files/mvad/update/dynamic.jar --output-vdex-fd=45 --oat-fd=46 --oat-location=/data/user/0/ly.pp.justpiano/files/mvad/update/oat/x86/dynamic.odex --compiler-filter=quicken --class-loader-context=&ly.pp.justpiano

ioc	pid	process
/data/user/0/ly.pp.justpiano/files/mvad/update/dynamic.jar	4336	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/ly.pp.justpiano/files/mvad/update/dynamic.jar --output-vdex-fd=45 --oat-fd=46 --oat-location=/data/user/0/ly.pp.justpiano/files/mvad/update/oat/x86/dynamic.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/ly.pp.justpiano/files/mvad/update/dynamic.jar	4295	ly.pp.justpiano

Queries information about running processes on the device 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about running processes on the device.
discovery

Process Discovery
T1424

Processes:

ly.pp.justpiano

description ioc process

Framework service call android.app.IActivityManager.getRunningAppProcesses ly.pp.justpiano
Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
discovery

System Network Connections Discovery
T1421

Processes:

ly.pp.justpiano

description ioc process

Framework service call android.net.wifi.IWifiManager.getConnectionInfo ly.pp.justpiano
Queries information about the current nearby Wi-Fi networks 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about the current nearby Wi-Fi networks.
discovery

System Network Connections Discovery
T1421

Processes:

ly.pp.justpiano:remote

description ioc process

Framework service call android.net.wifi.IWifiManager.getScanResults ly.pp.justpiano:remote
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
persistence

Broadcast Receivers
T1624.001

Processes:

ly.pp.justpiano:remote

description ioc process

Framework service call android.app.IActivityManager.registerReceiver ly.pp.justpiano:remote

description	ioc	process
Framework service call	android.app.IActivityManager.getRunningAppProcesses	ly.pp.justpiano

description	ioc	process
Framework service call	android.net.wifi.IWifiManager.getConnectionInfo	ly.pp.justpiano

description	ioc	process
Framework service call	android.net.wifi.IWifiManager.getScanResults	ly.pp.justpiano:remote

description	ioc	process
Framework service call	android.app.IActivityManager.registerReceiver	ly.pp.justpiano:remote

Checks if the internet connection is available 1 TTPs 2 IoCs

discovery

System Network Connections Discovery

T1421

Processes:

ly.pp.justpianoly.pp.justpiano:remote

description	ioc	process
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	ly.pp.justpiano
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	ly.pp.justpiano:remote

Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422

ly.pp.justpiano
1⤵
- Checks CPU information
- Loads dropped Dex/Jar
- Queries information about running processes on the device
- Queries information about the current Wi-Fi connection
- Checks if the internet connection is available
PID:4295

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/ly.pp.justpiano/files/mvad/update/dynamic.jar --output-vdex-fd=45 --oat-fd=46 --oat-location=/data/user/0/ly.pp.justpiano/files/mvad/update/oat/x86/dynamic.odex --compiler-filter=quicken --class-loader-context=&
2⤵
- Loads dropped Dex/Jar
PID:4336

ly.pp.justpiano:remote
1⤵
- Requests cell location
- Queries information about the current nearby Wi-Fi networks
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Checks if the internet connection is available
PID:4379

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Execution Guardrails

T1627

Geofencing

T1627.001

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Discovery

Location Tracking

T1430

Process Discovery

T1424

System Information Discovery

T1426

System Network Configuration Discovery

T1422

System Network Connections Discovery

T1421

Lateral Movement

Collection

Location Tracking

T1430

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/ly.pp.justpiano/databases/data-wal
Filesize
281KB

MD5
02f97a41199fc60240cc20561f47ea9a

SHA1
eb2b39bd1351bd3c54005ffeed06c2befbb7867a

SHA256
a7a1626506beba3579ef677914fd9b098d74c98a90b00700023ed84a13393a06

SHA512
68a7c208557cf732f3f3ee000b1cb4dab0aba5a62d26ab3400a4d93b33a45ea91e7580b77a843c43c2f2be35a7bfb675b6453bd63fcfba1175810b95e11a1d28

Download Submit
/data/data/ly.pp.justpiano/files/mvad/update/dynamic.jar
Filesize
64KB

MD5
8d92708470ba5fb6a2368f30548a0d7b

SHA1
72888fc5e4cda27457cf9eb41a4426d8a569d232

SHA256
0d17bada34b9631a370c83e98b56734e08d4d7b8d54a58c966e2644cbf462a6c

SHA512
565d896661ab8f7a0dacd62171c5bcbd0881c8b2f4f43a3933e6700aaa41d7c89dc5f2b5d9edadd3c050d72782085f1592f72b0c3d09b3aadcbc8b2a7cf01384

Download Submit
/data/user/0/ly.pp.justpiano/files/mvad/update/dynamic.jar
Filesize
137KB

MD5
e1e226a728f1767efec44ca63bf71f92

SHA1
5a387cedba37d17f9e0dc30dea2b5dcb9ca430a0

SHA256
1a90143df04317f567acc321d291ef9ac0b0677240433fca668a3e2385bf3043

SHA512
c27bf9b4bb3e2c53eaed724f4100be237fa64da71548dc3dae02b990ef87aff5b6c268e8f248c38220f43c3b3ee3d5a91293e90cdd4c3f85ac95baac8f6287a0

Download Submit
/data/user/0/ly.pp.justpiano/files/mvad/update/dynamic.jar
Filesize
137KB

MD5
c47d5bb29ac93e4e92a2320081f87007

SHA1
865b08ba46659466cb272d21f2c36eda65bd148f

SHA256
797b7373afce579158f159895dce096d61cc302069285a91dfbd12a6bd443e89

SHA512
a8d70a996088cdfa7a5c53757064e9fcf5cd9149d192e3436345e9b974db66fa3158f53f6d1751755abde7d1f2bf7ca69c013302d8fa8fad45b97ac98bd3147b

Download Submit
/storage/emulated/0/JustPiano/Skins/ReadMe.txt
Filesize
36B

MD5
3d1d8e540f624aac5695d28ed165f9e2

SHA1
5d8b8a50567eae8e82a447a0771b3b6ffa59e182

SHA256
ef51d6f69a6560d688cd3cedb7e371575b490c8147ec167b7b76b18558a05e4c

SHA512
7e8d45b042d151121288d9b74836b27ef6dbbcd9d92d076ba4338f36defbf4685578695013430873af22d5ceb58abf7c03793ebb52c9031bed8c6fa16e79b6fb

Download Submit
/storage/emulated/0/baidu/tempdata/con.dat
Filesize
12B

MD5
8d80bc8ea90e9cac010d3ddf97bda5f5

SHA1
f063bc0d356e6ba9ab1eb9a851131ffbefd8fa07

SHA256
f52db31332534833414abd5e870f78c810b8ebbe5b134bbf599506beecfd1b93

SHA512
9ea732dd572a9a4ba91b70891972230a09576687ca1bc19e62d5a98b5b84e0f2ae11985108008bc9fbccf357219b8bd3dbf146bb70752f618f70dc5d0c46a7c7

Download Submit
/storage/emulated/0/baidu/tempdata/con.dat
Filesize
152B

MD5
3b3e6b8a6bd21efca75972221f2d493e

SHA1
9bbb3180ea100317e97d1599ecbb64c1be20bd67

SHA256
43ad8329ac0b4eede59a76414b409455f929af3c5dc27a173a7ec6176a044c62

SHA512
dce0b3d21ad60441c8edfb5ffbec21e56aa20a00c7cb18ad39394e81bc03c1318895337ce4e659f89cd9dd5ba6f4758cbd58d153a654adccf92084a226e36b32

Download Submit
/storage/emulated/0/baidu/tempdata/ls.db
Filesize
20KB

MD5
fe644bf9ae47accfbd71fa1e06969618

SHA1
2465930b7fdcafce7053a971db30604e0c930d9a

SHA256
0679994901623e8a1338396703863fe9945b809980146bd343ab13db096c4776

SHA512
7d7ef4767e5b27adf9ffed163ff2eff605934afd40ef04cb07a1e9257e2f9062632c77f8b3045e400dad9dee90db4a849438e6f2b1a17bc185bbcff2996cd886

Download Submit
/storage/emulated/0/baidu/tempdata/ls.db-shm
Filesize
28KB

MD5
cf845a781c107ec1346e849c9dd1b7e8

SHA1
b44ccc7f7d519352422e59ee8b0bdbac881768a7

SHA256
18619b678a5c207a971a0aa931604f48162e307c57ecdec450d5f095fe9f32c7

SHA512
4802861ea06dc7fb85229a3c8f04e707a084f1ba516510c6f269821b33c8ee4ebf495258fe5bee4850668a5aac1a45f0edf51580da13b7ee160a29d067c67612

Download Submit
/storage/emulated/0/baidu/tempdata/ls.db-wal
Filesize
32KB

MD5
819e3e580d8957365148390576cb675a

SHA1
6ff55242a5328dbd4f3dea18ae255b895bd98048

SHA256
e949d8693f90d166370755edf072d13224a2b3b0fc666247e6b1c389f0bba984

SHA512
c878bb377beda87b57a19ed2eb2653bb4f4e6f40d471bd3cfadef210afbd193a02c90caefea8481e9805fec66260748698768e919ff12364d95a960b994555f0

Download Submit
/storage/emulated/0/baidu/tempdata/yoh.dat
Filesize
252KB

MD5
f0beaa934fc88f983c4eadd349e38b0b

SHA1
a111f2b8a48261420b1ea41f574b0648dadabebf

SHA256
dec944b1e291ed41f4a2df4564d0b7742179bb8c45bd871a6aab510d2d4b2da4

SHA512
71b25eee04c018e5821db601c0aef19fd39226bb8302c1fdf7e12436e836c7e080b2e97728ef2c00f675f6b37d9333930b9547fa7b7225bffbe26a5957870487

Download Submit
/storage/emulated/0/baidu/tempdata/yoh.dat
Filesize
512B

MD5
68a8deea6f94befb12c7e9e073f0550a

SHA1
783af2fcb9eb6096f277f488c68b0e0c549be409

SHA256
99fb62c21de566ec8cb0d05926020ff53182a575e17d6bc27015809979c4ea44

SHA512
c550ffc8eabcb7e451bf96cacf8c474a4190a633ea7c167910d4176878dbdb66c025e5326fce574937b330fc33127a5bf75d46b395f7040a3395da6ea50ce3e6

Download Submit
/storage/emulated/0/baidu/tempdata/yol.dat
Filesize
24B

MD5
a936690571e9104e1922dda4a0ba5bd1

SHA1
65f49c57edde2f96be2a1dbdfc3f7351f1e66554

SHA256
f0f5049c51879dd7da0ce4a43349b5b34ce053d072a0ca704f62cf22ba4a8412

SHA512
3be1c3693963aebdfc04e86b1c820ee0ec3cf0b200e6a4788ef1141f39fd6c2f77f4227247ae4affa66c0a6c027df8466cc0dcec1e67ebfb953e36bee97de394

Download Submit
/storage/emulated/0/baidu/tempdata/yol.dat
Filesize
24B

MD5
1681ffc6e046c7af98c9e6c232a3fe0a

SHA1
d3399b7262fb56cb9ed053d68db9291c410839c4

SHA256
9d908ecfb6b256def8b49a7c504e6c889c4b0e41fe6ce3e01863dd7b61a20aa0

SHA512
11bb994b5d2eab48b18667c7d8943e82c9011cb1d974304b8f2b6247a7e6b7f55ca2f7c62893644c3728d17dafd74ae3ba46271cf6287bb9e751c779a26fefc5

Download Submit
/storage/emulated/0/baidu/tempdata/yom.dat
Filesize
32KB

MD5
8bc8185be2162588b5962c9132f1ffc5

SHA1
65767d3a5fe4dba61bf052fb2584c174bb21e1ce

SHA256
dd818a5ddcec10dcf95ead817b6c155f2d735610fe16cbd719834d513c4e0e4e

SHA512
3aa7075a9ee72a4fbcbbeb5f4e52ffb842c4d50bc04417a877cc9d7b396f6d1d851e3faa1d77bb4c1f3578eb67bb8928892b63d70b664c73cef21508ea4cd094

Download Submit
/storage/emulated/0/baidu/tempdata/yom.dat
Filesize
321B

MD5
e7feac855b18b6627ff130dc5cd9c0ef

SHA1
a29a1b0f7d6cf0a5032469ef0088192d394c7e61

SHA256
1bfb1370dcedd66cec5a6cb49cd6630ea83e65898e1a15b5e33347766909e975

SHA512
70c17af0623242d8ec88eabb0fa2c76ed54fe4e24cf5e36c670f69959bde6b9f703b5aa59c92c6cd7f263239dfcad35e668fd94b760407a99b27acbc7d46107b

Download Submit