Analysis
- max time kernel: 179s
- max time network: 186s
- platform: android_x86
- resource: android-x86-arm-20240514-en
- resource tags: android, arch:arm, arch:x86, image:android-x86-arm-20240514-en, locale:en-us, os:android-9-x86, system
- submitted: 23-05-2024 09:34
Tasks
- Static task: static1
- Behavioral task: behavioral1
  - Sample: 6a80ef189ac8d04756163358d5956c05_JaffaCakes118.apk
  - Resource: android-x86-arm-20240514-en
General
- Target: 6a80ef189ac8d04756163358d5956c05_JaffaCakes118.apk
- Size: 15.1MB
- MD5: 6a80ef189ac8d04756163358d5956c05
- SHA1: fb348666c06882d648dde2f0024f6abae9c22e1c
- SHA256: 9c9ca1d052263bd1c2a0ad35b656e78e2644c5d84fbdf4405aff6d3745eba4b3
- SHA512: 42cb82c4e1d76bbcbdd7db9b58b27dd9ef3f407e512e6106d202e9fe85c3be9db9227b9766145003d987f0f26a9c58e623cbf32805859abc5b9ee19847d7a28a
- SSDEEP: 196608:NdW7YmcRJ0Dapphhyw7mpk8PVCZzgq3lr5SSEDMysS5nAtYt1V/v2vhCa8H:LW7Bs0DozJam4VCrVr5iDlhl1VP
Malware Config
Signatures
- Checks if the Android device is rooted. (1 TTP, 2 IoCs)
  Processes:
  - ioc: /system/bin/su; process: com.soquanpu.fos
  - ioc: /system/xbin/su; process: com.soquanpu.fos
- Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps). (1 TTP)
- Checks CPU information (2 TTPs, 1 IoC)
  Checks CPU information which indicates whether the system is an emulator.
- Checks memory information (2 TTPs, 1 IoC)
  Checks memory information which indicates whether the system is an emulator.
- Queries information about running processes on the device (1 TTP, 2 IoCs)
  Application may abuse the framework's APIs to collect information about running processes on the device.
  Processes:
  - description: Framework service call; ioc: android.app.IActivityManager.getRunningAppProcesses; process: com.soquanpu.fos
  - description: Framework service call; ioc: android.app.IActivityManager.getRunningAppProcesses; process: com.soquanpu.fos:remote
- Queries the mobile country code (MCC) (1 TTP, 1 IoC)
  Processes:
  - description: Framework service call; ioc: com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone; process: com.soquanpu.fos
- Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTP, 2 IoCs)
  Processes:
  - description: Framework service call; ioc: android.app.IActivityManager.registerReceiver; process: com.soquanpu.fos
  - description: Framework service call; ioc: android.app.IActivityManager.registerReceiver; process: com.soquanpu.fos:remote
- Checks if the internet connection is available (1 TTP, 2 IoCs)
  Processes:
  - description: Framework service call; ioc: android.net.IConnectivityManager.getActiveNetworkInfo; process: com.soquanpu.fos
  - description: Framework service call; ioc: android.net.IConnectivityManager.getActiveNetworkInfo; process: com.soquanpu.fos:remote
- Queries the unique device ID (IMEI, MEID, IMSI) (1 TTP)
- Reads information about the phone network operator. (1 TTP)
- Uses Crypto APIs (might try to encrypt user data) (1 TTP, 2 IoCs)
  Processes:
  - description: Framework API call; ioc: javax.crypto.Cipher.doFinal; process: com.soquanpu.fos:remote
  - description: Framework API call; ioc: javax.crypto.Cipher.doFinal; process: com.soquanpu.fos
Processes
- com.soquanpu.fos
  - Checks if the Android device is rooted.
  - Checks CPU information
  - Checks memory information
  - Queries information about running processes on the device
  - Queries the mobile country code (MCC)
  - Registers a broadcast receiver at runtime (usually for listening for system events)
  - Checks if the internet connection is available
  - Uses Crypto APIs (might try to encrypt user data)
- com.soquanpu.fos:remote
  - Queries information about running processes on the device
  - Registers a broadcast receiver at runtime (usually for listening for system events)
  - Checks if the internet connection is available
  - Uses Crypto APIs (might try to encrypt user data)
Network
MITRE ATT&CK Matrix
Downloads
- /data/data/com.soquanpu.fos/files/jpush_stat_history/active_user/nowrap/2801b370-54f6-4887-90af-8164b1f3fd44
  - Filesize: 159B
  - MD5: c564befa38d088ea8137b4ee216c8fd1
  - SHA1: 1a20c610221f6cb533cba935ab25df6ca1d06cc0
  - SHA256: 4ca108e73819719d868648117ef95276300edbc895361556a8fa65354c8e82bb
  - SHA512: 2424a5bb282115b91f1d9dd6364cb79129c32a23a4ea961a2356e20c3739f5a2188b6edf941b277309a379dfa921914f4ad147473042ac514de95f2896538d41
- /data/data/com.soquanpu.fos/files/jpush_stat_history_remote/normal/nowrap/e403cc7d-3e6f-4743-a287-0ce120c2626d
  - Filesize: 202B
  - MD5: a8ebf4e15967c0bdea9d3d42811ce8cb
  - SHA1: 5b92cb6bba457b0e567a371ed88c4f1c1289e077
  - SHA256: 181c614849754e8e599186b4bc2b48f430f2f49e69201567cc838c97950226d2
  - SHA512: 37011e30e4ba3ca31bd75acb44c267c2de436920a6bad533f1cdb99eeea7242ab969518a17849edb3d6e663688cc8bfa1bc92af329f3692039e6c43bb6fb81e4
- /storage/emulated/0/Android/data/com.soquanpu.fos/files/tbslog/tbslog.txt
  - Filesize: 12KB
  - MD5: de641ad87ec6896e162b14b0b6785aa8
  - SHA1: f121adcb81fe273217f9b7745c723990c80fe3d0
  - SHA256: 0309cd4c7cae7d6e6315640a5d62430fa51cc4790ad928d65d64cee3577495c6
  - SHA512: 4a85c30a5df700bf53dedc475681940076e4ac9329b9c70583f9b98ffd3259b3643c9e07dc70f8df484f7ceea1870c8b4431e4725c274289afc04df72acc8c41
- /storage/emulated/0/data/.push_deviceid
  - Filesize: 32B
  - MD5: 0c26d038553c9bf737602e1770d01ec2
  - SHA1: 320c40aaef3c6e53704018fd64d1febca4616985
  - SHA256: d8ab3017174e06f85a0fc8a1a7818decfce7469485ebc09bf3378909c1af0d23
  - SHA512: 401a47b8b661705fb1df28e7f06fcfc0a5849d3469b643fc16cb8de499f9fb22f9dc130a2c701ab670d542a1b54f2930b4c94e7194966b68b09faf841fca3b37