86aa66adc19964bb6ce4feafbfddc62fdddf0970fe4f5144b3f992a6c5b40972

Analysis

max time kernel
73s
max time network
157s
platform
android_x86
resource
android-x86-arm-20240514-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20240514-enlocale:en-usos:android-9-x86system
submitted
24-05-2024 09:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6e030b1af12bac7c52db50e59fb43bfa_JaffaCakes118.apk
Size

1.7MB
MD5

6e030b1af12bac7c52db50e59fb43bfa
SHA1

ee679e44c6c447c5f41c7a7d28c905ef8336f2bf
SHA256

86aa66adc19964bb6ce4feafbfddc62fdddf0970fe4f5144b3f992a6c5b40972
SHA512

07a1d4a0df84905809c5f0aa7ac74554141506e3b9982708f7947fe1200d2ed5a577c3fc60d14844885c122293b6d93b8fccb3f6fb42add63ebf28c24dbff9b0
SSDEEP

49152:9PiG8YZBDQhNZ/gCoScXphDDEHZXgWNMnkUp:QGF8hNiCwDY5XgfkY

Score

8^/10

banker collection discovery evasion impact persistence

Malware Config

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

T1418.001
Requests cell location 2 TTPs 1 IoCs
Uses Android APIs to to get current cell location.
collection discovery evasion

T1430

T1627.001

Processes:

com.iol.raopez

description ioc process

Framework service call com.android.internal.telephony.ITelephony.getCellLocation com.iol.raopez
Checks CPU information 2 TTPs 1 IoCs
Checks CPU information which indicate if the system is an emulator.
evasion discovery

T1633.001

T1426

Processes:

com.iol.raopez

description ioc process

File opened for read /proc/cpuinfo com.iol.raopez

description	ioc	process
Framework service call	com.android.internal.telephony.ITelephony.getCellLocation	com.iol.raopez

description	ioc	process
File opened for read	/proc/cpuinfo	com.iol.raopez

Loads dropped Dex/Jar 1 TTPs 6 IoCs

Runs executable file dropped to the device during analysis.

evasion

T1407

Processes:

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.iol.raopez/files/zuo/RwTzqLu.jar --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/com.iol.raopez/files/zuo/oat/x86/RwTzqLu.odex --compiler-filter=quicken --class-loader-context=&com.iol.raopez/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.iol.raopez/files/Plugin2.apk --output-vdex-fd=55 --oat-fd=74 --oat-location=/data/user/0/com.iol.raopez/files/oat/x86/Plugin2.odex --compiler-filter=quicken --class-loader-context=&/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.iol.raopez/app_dex/utopay.jar --output-vdex-fd=83 --oat-fd=84 --oat-location=/data/user/0/com.iol.raopez/app_dex/oat/x86/utopay.odex --compiler-filter=quicken --class-loader-context=&

ioc	pid	process
/data/user/0/com.iol.raopez/files/zuo/RwTzqLu.jar	4342	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.iol.raopez/files/zuo/RwTzqLu.jar --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/com.iol.raopez/files/zuo/oat/x86/RwTzqLu.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/com.iol.raopez/files/zuo/RwTzqLu.jar	4315	com.iol.raopez
/data/user/0/com.iol.raopez/files/Plugin2.apk	4585	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.iol.raopez/files/Plugin2.apk --output-vdex-fd=55 --oat-fd=74 --oat-location=/data/user/0/com.iol.raopez/files/oat/x86/Plugin2.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/com.iol.raopez/files/Plugin2.apk	4315	com.iol.raopez
/data/user/0/com.iol.raopez/app_dex/utopay.jar	4620	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.iol.raopez/app_dex/utopay.jar --output-vdex-fd=83 --oat-fd=84 --oat-location=/data/user/0/com.iol.raopez/app_dex/oat/x86/utopay.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/com.iol.raopez/app_dex/utopay.jar	4315	com.iol.raopez

Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
discovery

T1421

Processes:

com.iol.raopez

description ioc process

Framework service call android.net.wifi.IWifiManager.getConnectionInfo com.iol.raopez
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

T1422
Reads the content of SMS inbox messages. 1 TTPs 1 IoCs
collection

T1636.004

Processes:

com.iol.raopez

description ioc process

URI accessed for read content://sms/inbox com.iol.raopez
Reads the content of the SMS messages. 1 TTPs 1 IoCs
collection

T1636.004

Processes:

com.iol.raopez

description ioc process

URI accessed for read content://sms/ com.iol.raopez
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
persistence

T1624.001

Processes:

com.iol.raopez

description ioc process

Framework service call android.app.IActivityManager.registerReceiver com.iol.raopez
Checks if the internet connection is available 1 TTPs 1 IoCs
discovery

T1421

Processes:

com.iol.raopez

description ioc process

Framework service call android.net.IConnectivityManager.getActiveNetworkInfo com.iol.raopez

description	ioc	process
Framework service call	android.net.wifi.IWifiManager.getConnectionInfo	com.iol.raopez

description	ioc	process
URI accessed for read	content://sms/inbox	com.iol.raopez

description	ioc	process
URI accessed for read	content://sms/	com.iol.raopez

description	ioc	process
Framework service call	android.app.IActivityManager.registerReceiver	com.iol.raopez

description	ioc	process
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.iol.raopez

Requests dangerous framework permissions 17 IoCs

Processes:

description	ioc
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device.	android.permission.READ_PHONE_STATE
Allows an application to write to external storage.	android.permission.WRITE_EXTERNAL_STORAGE
Allows an application to read from external storage.	android.permission.READ_EXTERNAL_STORAGE
Allows an application to read SMS messages.	android.permission.READ_SMS
Allows an application to receive SMS messages.	android.permission.RECEIVE_SMS
Allows an application to send SMS messages.	android.permission.SEND_SMS
Allows an app to access approximate location.	android.permission.ACCESS_COARSE_LOCATION
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps.	android.permission.SYSTEM_ALERT_WINDOW
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call.	android.permission.CALL_PHONE
Required to be able to access the camera device.	android.permission.CAMERA
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device.	android.permission.READ_PHONE_STATE
Allows an application to write to external storage.	android.permission.WRITE_EXTERNAL_STORAGE
Allows an application to read from external storage.	android.permission.READ_EXTERNAL_STORAGE
Allows an application to read SMS messages.	android.permission.READ_SMS
Allows an application to send SMS messages.	android.permission.SEND_SMS
Allows an application to receive SMS messages.	android.permission.RECEIVE_SMS
Allows an app to access approximate location.	android.permission.ACCESS_COARSE_LOCATION

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
impact

T1471

Processes:

com.iol.raopez

description ioc process

Framework API call javax.crypto.Cipher.doFinal com.iol.raopez

description	ioc	process
Framework API call	javax.crypto.Cipher.doFinal	com.iol.raopez

com.iol.raopez
1⤵
- Requests cell location
- Checks CPU information
- Loads dropped Dex/Jar
- Queries information about the current Wi-Fi connection
- Reads the content of SMS inbox messages.
- Reads the content of the SMS messages.
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Checks if the internet connection is available
- Uses Crypto APIs (Might try to encrypt user data)
PID:4315

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.iol.raopez/files/zuo/RwTzqLu.jar --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/com.iol.raopez/files/zuo/oat/x86/RwTzqLu.odex --compiler-filter=quicken --class-loader-context=&
2⤵
- Loads dropped Dex/Jar
PID:4342

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.iol.raopez/files/Plugin2.apk --output-vdex-fd=55 --oat-fd=74 --oat-location=/data/user/0/com.iol.raopez/files/oat/x86/Plugin2.odex --compiler-filter=quicken --class-loader-context=&
2⤵
- Loads dropped Dex/Jar
PID:4585

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.iol.raopez/app_dex/utopay.jar --output-vdex-fd=83 --oat-fd=84 --oat-location=/data/user/0/com.iol.raopez/app_dex/oat/x86/utopay.odex --compiler-filter=quicken --class-loader-context=&
2⤵
- Loads dropped Dex/Jar
PID:4620

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.iol.raopez/app_dex/utopay.jar
Filesize
30KB

MD5
eb6089c1acfa9f12535e533aebee845e

SHA1
165e39ee07dcd9ed00fc2dc1ff466bc1d6b813c9

SHA256
b825cde84e3dddfc147c71265d2259c422d51a7e56d1dcdba1321e3119b1df07

SHA512
5b1bc26bcbcf05fc331865fb4dd572b673a52650d68ab4d9b028ea15219e0d93c1ec17996953436801913388d78e25c67ea33aa93544d65e96a799eb06cc70f5

Download Submit
/data/data/com.iol.raopez/databases/wochi_v4.db
Filesize
4KB

MD5
f2b4b0190b9f384ca885f0c8c9b14700

SHA1
934ff2646757b5b6e7f20f6a0aa76c7f995d9361

SHA256
0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

SHA512
ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

Download Submit
/data/data/com.iol.raopez/databases/wochi_v4.db-journal
Filesize
512B

MD5
cc4a2ce8a84861ea05305439b23e3131

SHA1
dc10900fedf42458a978cf5d70fe1f304d326309

SHA256
d9a4d5cbcce2f9bae11607739c9104a589d0e41e4361bfa5de7e5c6549e95fe8

SHA512
8037bbaed3f4e55401f0d8fa4b0f0d291d49f564271bfae4aa935d481cdfa73ac30fb0f2307c021e6c4b7197e71495c1229fbb896c7b39db045aac902b198948

Download Submit
/data/data/com.iol.raopez/databases/wochi_v4.db-shm
Filesize
28KB

MD5
cf845a781c107ec1346e849c9dd1b7e8

SHA1
b44ccc7f7d519352422e59ee8b0bdbac881768a7

SHA256
18619b678a5c207a971a0aa931604f48162e307c57ecdec450d5f095fe9f32c7

SHA512
4802861ea06dc7fb85229a3c8f04e707a084f1ba516510c6f269821b33c8ee4ebf495258fe5bee4850668a5aac1a45f0edf51580da13b7ee160a29d067c67612

Download Submit
/data/data/com.iol.raopez/databases/wochi_v4.db-wal
Filesize
20KB

MD5
1854621b720dc49cd4ffd1d56eec5e09

SHA1
d3323f4bdd2a6c2ceb0a405df5db78ea38834c03

SHA256
9cf53f49bebd290fb060a0f9d4cd9db812efdb4e454e2a4b624f78f20b304f96

SHA512
92f9a6596a892c94ccba3a8bd7a058beb8b403e191fb9b7b685af1d98e772a291b9631fa5685b95e098a596f1a2b66b283fbd8546b95e7168a807f88e55f19b2

Download Submit
/data/data/com.iol.raopez/files/Plugin2.apk
Filesize
99KB

MD5
3d216f8fddb9705a6720a285475837f1

SHA1
f053d23b284bfe2faf6e76d353ff052471e2de2c

SHA256
de7bf40574754a5144fa5cf3bc5e97f7adc7f5abebb18c41e8f0631917db4c0c

SHA512
38be39da8f96abc87109cfd57b2d63ddfa72971f023024a5b4ce1f97cd905a96a94e19eea19ae9b745f28d02c6689a4473627ce57ec85dce2018a77e699620cb

Download Submit
/data/data/com.iol.raopez/files/log.dat
Filesize
221B

MD5
ff9229f8e7c92d44d48e25206d43b021

SHA1
be3d75050c16c5b7484652ba292fdd6510f205d3

SHA256
77fc3599be409f7e73e643de843c0ebcfa20662964c498fc59e245c7f5e003a2

SHA512
be7b3aa8d670a2873c6b7bfd4ca93121fd2450723cbbc36d9d06d152fafa3ce90451f0a60ab56bc96bccb81cf5aae0167b404073db14dc17b9513ac73d455c58

Download Submit
/data/data/com.iol.raopez/files/umeng_it.cache
Filesize
310B

MD5
796ff84d99de4879bf822d6ef1b8ee56

SHA1
78fd98f8ca423a834aa88583c375266dcf0efc8e

SHA256
71e879d7185378517a1a7ca8afda56c3ebd861aa1832113b73bae4d9cb7788cb

SHA512
de3402e7f8f50ca015db6679e0d99ef32e8c10aa54f4de7398f38dbb1c97e9032aa4aa5e1afb82ec79697eaa538eee2e19562f7a7ec6fa1d4ceffe99e6a2cd52

Download Submit
/data/data/com.iol.raopez/files/yl_plugin.apk
Filesize
58KB

MD5
5a4c666b43ee7f2b6995aaf3527e4a4d

SHA1
b205bcb022797f3b16635db139c7524c0c388adc

SHA256
05eb3e1ca331b8c6a1f60f92abb2bddbac54a7b2c229ac07bf26c756297fe72a

SHA512
c84fceddbf9928110fc3b85e0989b9cedd06383007ff99dea5a25096d8f892ab52d30ed9b52b72211449041f1274ead85bb42929ec269b58b6b0e616a8545e17

Download Submit
/data/data/com.iol.raopez/files/zuo/RwTzqLu.jar
Filesize
789KB

MD5
fa47762836da9aafc4dee754e91e566d

SHA1
85fa4359c79d6b293e6e99a1da0f9a989be541d3

SHA256
d55f2b7824b6022ed7c3d4eefb27f0a2be977ef239b8af09d8097d91d99749ad

SHA512
d7ec4d7459f7ebd93ae9518a3b8d54df4fc9b3feb904103cf38d66e2df5393d0b4b6c7f97e67bdab0109c92aee4177226add0f7ec86ec53b7ad11ac270c0a675

Download Submit
/data/user/0/com.iol.raopez/app_dex/utopay.jar
Filesize
67KB

MD5
3b8bb9a8679ac8c24e8d179fc5bae999

SHA1
e6ea7a1095524087f481ba04321c4cb6fd2426f3

SHA256
83c996c0d067b5f516897480f427dfffdcfb49ab7654dac9b805376bbd49e1db

SHA512
abf1cbed7a8cf4a29d7a32a83f15aa0a6c9e2be8484c2dd8d9bf16a76e337b17b9c05efa0773598806b3d3da4fe3a9217b583abb9aaf5e3dc054dc77b10cae63

Download Submit
/data/user/0/com.iol.raopez/app_dex/utopay.jar
Filesize
67KB

MD5
5220524411d0bacd600da60814d1ee9f

SHA1
fef7210ff44e757328bc0ff7aae7bb2191cbf634

SHA256
6286a800597b845785eb664710253ebd20771737dddd5b80067e0e9d37c804b2

SHA512
b2d8af5019c176d682634747d83320e609fb6122ef850f4069a0c78c2415d242087099cf60ecb03039a9ab71902a4e3b22e9cf144de89e506991fb93280f6a5f

Download Submit
/data/user/0/com.iol.raopez/files/Plugin2.apk
Filesize
201KB

MD5
ef019d14367b7346b1ae2419e9d445c8

SHA1
23d81fcf81f3a9f2a991ba4d0d135fe2a28aa188

SHA256
1d83642ede6b16a071676e895f547d056543b5b4622bbc9b9b4ab45e47bf9ba0

SHA512
ea582f21c6054c37c679c798e93116c9c18c9544c0feb78fb949bed7b2cd3122c8d7bb8ecef329829c2531764abeb6200f0af49ede97c3b0b7448bdb65a34a60

Download Submit
/data/user/0/com.iol.raopez/files/Plugin2.apk
Filesize
201KB

MD5
2a425e0fae74f20a2c475da937a619a2

SHA1
4d701c7e6d828aa96ba8a493720e7282c49ec741

SHA256
2c61a25f1ad5783bf82eea9faa2536cac4788ed3147bc1864d9ef17ea01be6a7

SHA512
44c8d2a837b606de99055badbd4b5e708424ca9809b1583d13aefadc4d4af974658dc3a3f179fc3047eef7167151c638ff66dd6c8d38121b6ecdfb464d2a5a60

Download Submit
/data/user/0/com.iol.raopez/files/zuo/RwTzqLu.jar
Filesize
1.9MB

MD5
98cd635473869a363a03b6e4b93a3b45

SHA1
15d2b55bd03c5151fe590ef019a66e9465755b84

SHA256
feb4e338c5fbb4ef2752c8302ce35f231e1f89878d286ac571f265ed7b4d5331

SHA512
4cfeeda7a930fca94ba7094d56b8a80f79926f20e2ce8515fb92d6c6b9e0d077bf72dbd7efa56b00a31daba00067b457fc2b39ab41b4a94ed2058f810f3e3b29

Download Submit
/data/user/0/com.iol.raopez/files/zuo/RwTzqLu.jar
Filesize
1.9MB

MD5
11401cf9c1ed8ccb1ba6cfb5c3fa960d

SHA1
d7610129de7959e3f40febbb69d35faa5d59bb1f

SHA256
97fb2ccdd2f20dc725dc711e9255a3e1eb26995f8eb2b59065f30061e2e3ea53

SHA512
aed6841230006e5787d8d492a8554686887a87684a259c1b3452d19a0c3aedd406ef44478681c3d292fe931c4bfb24add4ee131a5f5bedecde4c66948a34a5a9

Download Submit