Analysis
- max time kernel: 179s
- max time network: 189s
- platform: android_x86
- resource: android-x86-arm-20240514-en
- resource tags: android, arch:arm, arch:x86, image:android-x86-arm-20240514-en, locale:en-us, os:android-9-x86, system
- submitted: 23-05-2024 08:33
Static task: static1
General
- Target: 6a5aa10d1bb1c001060b40745ec030d3_JaffaCakes118.apk
- Size: 18.9MB
- MD5: 6a5aa10d1bb1c001060b40745ec030d3
- SHA1: 44826c73c6dc795bcc7c2d3d1b0582dd8bd3fcb5
- SHA256: 3803ebef8dfa7d847caad81a7fb69ac124bf07afb904eb608374d0ae7fe97bc8
- SHA512: 69e70a255608de3bec3f74b4882da4f3f946518d6675becfd52d7bee230574f61e0a741fd2ecb0d76ff96bc650f527b1dd41336d01ba3656061d107415c2aa8b
- SSDEEP: 393216:yYfJ6URycycy69Ysy2YWH694747l75e2nycOZ6zuSMUk+qJ:+U8kYsy/5flE2nPOZQlk+qJ
Malware Config
Signatures
-
Creates a large amount of network flows (1 TTPs)
This may indicate a network scan to discover remotely running services.
-
Checks if the Android device is rooted. (1 TTPs, 4 IoCs)
Processes: com.fcai88998.com68.mn188
  ioc                          process
  /system/xbin/su              com.fcai88998.com68.mn188
  /sbin/su                     com.fcai88998.com68.mn188
  /system/app/Superuser.apk    com.fcai88998.com68.mn188
  /system/bin/su               com.fcai88998.com68.mn188
-
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) (1 TTPs)
-
Reads device subscriber ID (1 TTPs, 1 IoCs)
Uses Android APIs to read the subscriber ID (IMSI on GSM devices).
Processes: com.fcai88998.com68.mn188
  description               ioc                                                             process
  Framework service call    com.android.internal.telephony.IPhoneSubInfo.getSubscriberId    com.fcai88998.com68.mn188
-
Checks Android system properties for emulator presence. (1 TTPs, 1 IoCs)
Processes: com.fcai88998.com68.mn188
  description                      ioc                 process
  Accessed system property key:    ro.product.model    com.fcai88998.com68.mn188
-
Checks CPU information (2 TTPs, 1 IoCs)
Checks CPU information that indicates whether the system is an emulator.
-
Checks known Qemu files. (1 TTPs, 3 IoCs)
Checks for known Qemu files that exist on Android virtual device images.
Processes: com.fcai88998.com68.mn188
  ioc                                      process
  /system/bin/qemu-props                   com.fcai88998.com68.mn188
  /system/lib/libc_malloc_debug_qemu.so    com.fcai88998.com68.mn188
  /sys/qemu_trace                          com.fcai88998.com68.mn188
-
Checks memory information (2 TTPs, 1 IoCs)
Checks memory information that indicates whether the system is an emulator.
-
Queries information about running processes on the device (1 TTPs, 2 IoCs)
Application may abuse the framework's APIs to collect information about running processes on the device.
Processes: com.fcai88998.com68.mn188, com.fcai88998.com68.mn188:channel
  description               ioc                                                     process
  Framework service call    android.app.IActivityManager.getRunningAppProcesses     com.fcai88998.com68.mn188
  Framework service call    android.app.IActivityManager.getRunningAppProcesses     com.fcai88998.com68.mn188:channel
-
Queries information about the current Wi-Fi connection (1 TTPs, 1 IoCs)
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
Processes: com.fcai88998.com68.mn188
  description               ioc                                                 process
  Framework service call    android.net.wifi.IWifiManager.getConnectionInfo     com.fcai88998.com68.mn188
-
Queries the mobile country code (MCC) (1 TTPs, 1 IoCs)
Processes: com.fcai88998.com68.mn188
  description               ioc                                                                        process
  Framework service call    com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone     com.fcai88998.com68.mn188
-
Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTPs, 2 IoCs)
Processes: com.fcai88998.com68.mn188, com.fcai88998.com68.mn188:channel
  description               ioc                                              process
  Framework service call    android.app.IActivityManager.registerReceiver    com.fcai88998.com68.mn188
  Framework service call    android.app.IActivityManager.registerReceiver    com.fcai88998.com68.mn188:channel
-
Unexpected DNS network traffic destination 64 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
-
Checks if the internet connection is available (1 TTPs, 2 IoCs)
Processes: com.fcai88998.com68.mn188, com.fcai88998.com68.mn188:channel
  description               ioc                                                      process
  Framework service call    android.net.IConnectivityManager.getActiveNetworkInfo    com.fcai88998.com68.mn188
  Framework service call    android.net.IConnectivityManager.getActiveNetworkInfo    com.fcai88998.com68.mn188:channel
-
Queries the unique device ID (IMEI, MEID, IMSI) (1 TTPs)
-
Reads information about the phone network operator. (1 TTPs)
-
Schedules tasks to execute at a specified time (1 TTPs, 1 IoCs)
Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
Processes: com.fcai88998.com68.mn188:channel
  description               ioc                                       process
  Framework service call    android.app.job.IJobScheduler.schedule    com.fcai88998.com68.mn188:channel
-
Listens for changes in the sensor environment (might be used to detect emulation) (1 TTPs, 1 IoCs)
Processes: com.fcai88998.com68.mn188
  description           ioc                                                process
  Framework API call    android.hardware.SensorManager.registerListener    com.fcai88998.com68.mn188
-
Uses Crypto APIs (Might try to encrypt user data) (1 TTPs, 2 IoCs)
Processes: com.fcai88998.com68.mn188, com.fcai88998.com68.mn188:channel
  description           ioc                            process
  Framework API call    javax.crypto.Cipher.doFinal    com.fcai88998.com68.mn188
  Framework API call    javax.crypto.Cipher.doFinal    com.fcai88998.com68.mn188:channel
Processes
-
com.fcai88998.com68.mn188
- Checks if the Android device is rooted.
- Reads device subscriber ID
- Checks Android system properties for emulator presence.
- Checks CPU information
- Checks known Qemu files.
- Checks memory information
- Queries information about running processes on the device
- Queries information about the current Wi-Fi connection
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Checks if the internet connection is available
- Listens for changes in the sensor environment (might be used to detect emulation)
- Uses Crypto APIs (Might try to encrypt user data)
-
com.fcai88998.com68.mn188:channel
- Queries information about running processes on the device
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Checks if the internet connection is available
- Schedules tasks to execute at a specified time
- Uses Crypto APIs (Might try to encrypt user data)
Network
MITRE ATT&CK Matrix
Downloads
-
/data/data/com.fcai88998.com68.mn188/databases/MessageStore.db
Filesize: 4KB
MD5: 39134a96a737526fd093463646b0d73f
SHA1: 8ea3e73ef4cb4d0819cd0d308768e42e2278f648
SHA256: 26d95532edb2994a8abef96b985f714163026413c5e2452517628a8064dfba1f
SHA512: 57fbca6fa94b7d21c7a6dcdd5bfddd6c9b489e20eb0c0886ce6d59330dea242f553685dac3134a5a0a91af46c636e80d6210c90a2b62a6a5857215a9bdc4cd41
-
/data/data/com.fcai88998.com68.mn188/databases/MessageStore.db-journal
Filesize: 512B
MD5: c11f8e9df32a2e362275f43416a3eee8
SHA1: 67b582b23f62dc544c5fc224c92caa6749c8615e
SHA256: d2f4eb49b70b4ac3feb5e6a8bdd74b1546d273a140d701c5f5d56d5f3185079e
SHA512: c6d1e54754b688f5efa3a8fd200d0f2cf1dcede7d011dcfabe798ea689a77a2b079c5e838b62dbebf0ca2b6e01428941df1b74f3d53e4728a3f72ef61839a08c
-
/data/data/com.fcai88998.com68.mn188/databases/MessageStore.db-shm
Filesize: 32KB
MD5: 45d1b99640ce810324a3bdc48ffe0bbf
SHA1: 965d64b0a6ccd44d58c07eed646015e5df5f75aa
SHA256: b50ddaa38edef84e366d3386aaa26f31eac6a5475aa67a56a7ab22d19d3a4c4d
SHA512: f200f535c1371676a300dec8af1a1013943709bc7500cbf0644792e140baf4eb7ee70eef11c998be4daaee24fe8cbfde3f8294c0a0749b3a4a4526c22c0afbba
-
/data/data/com.fcai88998.com68.mn188/databases/MessageStore.db-wal
Filesize: 64KB
MD5: 16e8b7d00434e1c8e5d6841f27c8760f
SHA1: acddcf97b2282d1b50f67b32c84a438cc20e4e2b
SHA256: 6c22af32f8895b860c5b438a6f8e92e568de64cdd28e86316b511e4ee981e0e3
SHA512: 03651fd858f1b40e14e8d3f81c17fbe9e8e8da62d1b3b3555c0b409b62d40a58273489b423639fad77ec086c2d5b8752170d9520857edfe3b82cc0e60ceef3bf
-
/data/data/com.fcai88998.com68.mn188/databases/MsgLogStore.db
Filesize: 4KB
MD5: f2b4b0190b9f384ca885f0c8c9b14700
SHA1: 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256: 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512: ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1
-
/data/data/com.fcai88998.com68.mn188/databases/MsgLogStore.db-journal
Filesize: 512B
MD5: 9fbefd51ec02f87eee2cf7ad62d2d87f
SHA1: f833a6f2b6ef25ffad12c1a05ce1b27d68991006
SHA256: 924893889877aa0164e757f5ecaf7c900e5e8b8093d2fd0942559a151c2a414c
SHA512: dcc61b9ae604c9bfca74383666ca0b8df1bb49841bec78debb9cf3163f88f4bf37d28c4037954e679fb532aa600e89a85b26f5314e43f8680802b9ddd63f52e9
-
/data/data/com.fcai88998.com68.mn188/databases/MsgLogStore.db-shm
Filesize: 36KB
MD5: 486e2bac2b3e9e1cb411d2838a4854bd
SHA1: 81dd0a7537f4af319b830ae834908986be85da8b
SHA256: 5644a250fa6cef16c2c802b98275656a5fc39dcf89bcc22193742d85c7313f57
SHA512: c146789563dae163e373489b3df53f22efebd32b69643992969241eb5ad5eec668de67e7cd2aaf5c3a8af57b0842115d00183825734f57643d3fdb09835fe681
-
/data/data/com.fcai88998.com68.mn188/databases/MsgLogStore.db-wal
Filesize: 68KB
MD5: 53df01bcc52011c45f1c82036becf0e5
SHA1: 955958ab6bf73dc3a318f44da76836e21b939c45
SHA256: 232f32025d7faf84c002234b45fd19ae48e3b6ac91c94a53ec7d238bc507a775
SHA512: fe58e857eb9d7fde613d1d7e296ecb9951c5758edd805e20ca2eda1ec9a8e7832709a22e0b3281a30cbc378cb41aa589047c599522bda2a0bee501394c3897f9
-
/data/data/com.fcai88998.com68.mn188/databases/accs.db-journal
Filesize: 512B
MD5: b0dd8c62f437b5a6c029cc4f7cc0e501
SHA1: 6da425236056a461babbf1b4a9c28fba8d0c68d5
SHA256: 9aa18d4b24139d2723b6b973505dbe3598627216513a62c068dd27194eefb2bc
SHA512: 6f0ecc2b947091e78df4f42357c876dde2986790e68e97b4c1114184cbd8d753f0f237862f0f729ff642c5adfbd08126a10e4121bbd0e0336ad90cf12c52c78b
-
/data/data/com.fcai88998.com68.mn188/databases/accs.db-shm
Filesize: 32KB
MD5: bb7df04e1b0a2570657527a7e108ae23
SHA1: 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256: c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512: 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012
-
/data/data/com.fcai88998.com68.mn188/databases/accs.db-wal
Filesize: 32KB
MD5: 5b79b4ccab24035e691919efde37be83
SHA1: a4c38e549241ce620f82520c290b660119f77536
SHA256: c16efc54a1b1676967e72ac05c360ae4ec7d2ead47b51048817bd98cc8c255f8
SHA512: 89775060e60759503068bc2cf80e84b9e0d85a28818ffff9a34a5de7a5459e41315f56ef6dd7b4424ed0d9f916dc037696e1995b5f2dedded0bff7ae3c9848b1
-
/storage/emulated/0/.DataStorage/ContextData.xml
Filesize: 32KB
MD5: b15b00bf90b7c93b3665eda88fbc4808
SHA1: 5d90cbaee0798753afcad7e6555a92d2567dd02a
SHA256: 92882182a7ffae56437ee1b2b3a68ddc0594b28c1e3a4254920023015cb4b429
SHA512: cbea5c61e2043c01bbf5b0ba79e45106bf011e29447317a4bc66560afb52177f2268f5fd95d84868152b25b1aa4368256392d24eed3f4fb9a56cb2eaa1b27059
-
/storage/emulated/0/.DataStorage/ContextData.xml
Filesize: 111B
MD5: 2f91159e775071ca92df949a107b20b5
SHA1: efe3e36fc56f5e9eae3dc617b05e1f0547b076a6
SHA256: 96fd43568922db39a9f2fc2b708e4e89fadca0b615206c255d690d8f37ea5917
SHA512: bbee71875f929341d55a68dbdba9441e1eaa67bab616632f7b351351d33ff3fc721d4b892b23ddae208b71dcd99758e8ad4bd5e917e6db7dfd5743f8e2c22be5
-
/storage/emulated/0/.DataStorage/ContextData.xml
Filesize: 213B
MD5: 1a0909957a843e01ce2ae3eb76d02cbe
SHA1: ece3a64778884d1328d0c2e4c440a3b572ac611b
SHA256: 395eb55814c0defcf22edce4624d88617cc367d36a5a2af85c606c4a83b9a3da
SHA512: fa1f58745758a4df6913e1336117b78f84126aed18c398f4c1945a440f75604a094f2ddf0f42dc852aa42715e309bc3631a4d482b9a7624d8161eb4a27f6a057
-
/storage/emulated/0/.UTSystemConfig/Global/Alvin2.xml
Filesize: 48KB
MD5: e205af6627b5fc128c3e761817c1d42c
SHA1: b43c9c66e51f515c7372512bb92193712fb4e344
SHA256: f2437c62210aa2e5fd4fcd718d0bab4434cd145294aed231dedc37a4b5b6c095
SHA512: 896f35fbd5e77ff536e670740220ce7c9d7c8c953a611d996f426ccd78da5461c652e0de162b652a07d077090abf45f1edef761357a08f49027f7eec7a8bb75b
-
/storage/emulated/0/.UTSystemConfig/Global/Alvin2.xml
Filesize: 167B
MD5: 72186759f3257baaab481bfb17958fa2
SHA1: 2bd398ac835fa4d67c1077209b073fec950c743c
SHA256: 3cab9f46c72b5c36e05082b243a41989ca43a4d493b8aa2884b2da72700dcefe
SHA512: 04f03a6741cd945f5573548d0a3cb0e4b754b81bea1d509271591d701e3089a2ded1bd19a5c16b96663cd3137f5402e20c02a12998ad8da007eb1a8469dc16ca
-
/storage/emulated/0/.UTSystemConfig/Global/Alvin2.xml
Filesize: 512B
MD5: 667e23ac83ca1acf3d5e6981aab862e4
SHA1: 24c5ece968c2c597fa8bcf62821a8b797e51c1ac
SHA256: f33b280155be13d98faf093700555c7a155c41cf51606ab01b65dbbd01e392a9
SHA512: 4108d86b4628e9bab35bd601842baa7f98b7cd9ef30eb0cbd7ec500e85552e87487a8dc1c23b3793416260c3225d568e4bcfa8a3ecf2d9439d600dd5da7944c5
-
/storage/emulated/0/Android/data/.446a7aa5f882d1846062b729d9ae143a
Filesize: 360B
MD5: d0fb6336d5c9d36a506ee5116065158c
SHA1: ec53652fc8fbef850f2383efce7b79d59a364dbe
SHA256: 842d7cd940de7580dc59e6fecfc10d0f0c7970a9662c9076146f37c4230a4a9b
SHA512: 23ce8b137514478072eaa49f16781f36e883e196a2015030f09dd5bc9d0061fa0975766ffb2744cf32e65111d8a70c1e509f34e16b346d8fc830c16d3efcf9ed