5fe0d38c39ab6cb4c20d0a4b333c242aebed12e9a75138fcfe3ce8986ebc3c00

Analysis

max time kernel
135s
max time network
188s
platform
android_x64
resource
android-x64-arm64-20240514-en
resource tags

androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240514-enlocale:en-usos:android-11-x64system
submitted
24-05-2024 15:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6f05479fe223584d78606b3fe3d1f0be_JaffaCakes118.apk
Size

13.0MB
MD5

6f05479fe223584d78606b3fe3d1f0be
SHA1

ca9cfd5226cb563b867235e323cb30daec331ff8
SHA256

5fe0d38c39ab6cb4c20d0a4b333c242aebed12e9a75138fcfe3ce8986ebc3c00
SHA512

2502f468374bade315a8aa2aca0dda9f5218cce2eef09abc733045a8d7bd3a8ec6ceab4e1d524e6b91cd85f4e4e7effc04ac0acf7a6a72f41f5684222e835b8b
SSDEEP

196608:8SOVpt3w7VZxDDAsiR5byIoSDe17SzI51CoRjGuvBa7nZvwUPlZuaSXJi:8pV2Pf4wSDal51CoRj/Q7n/PlZuS

Score

8^/10

collection discovery evasion impact persistence

Malware Config

Signatures

Requests cell location 2 TTPs 1 IoCs
Uses Android APIs to to get current cell location.
collection discovery evasion

Location Tracking
T1430

Geofencing
T1627.001

Processes:

cn.it.picliu.fanyu.shuyou:TcmsService

description ioc process

Framework service call com.android.internal.telephony.ITelephony.getCellLocation cn.it.picliu.fanyu.shuyou:TcmsService
Checks memory information 2 TTPs 2 IoCs
Checks memory information which indicate if the system is an emulator.
evasion discovery

System Checks
T1633.001

System Information Discovery
T1426

Processes:

cn.it.picliu.fanyu.shuyoucn.it.picliu.fanyu.shuyou:channel

description ioc process

File opened for read /proc/meminfo cn.it.picliu.fanyu.shuyou
File opened for read /proc/meminfo cn.it.picliu.fanyu.shuyou:channel

description	ioc	process
Framework service call	com.android.internal.telephony.ITelephony.getCellLocation	cn.it.picliu.fanyu.shuyou:TcmsService

description	ioc	process
File opened for read	/proc/meminfo	cn.it.picliu.fanyu.shuyou
File opened for read	/proc/meminfo	cn.it.picliu.fanyu.shuyou:channel

Makes use of the framework's foreground persistence service 1 TTPs 2 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

evasion persistence

Foreground Persistence

T1541

Processes:

cn.it.picliu.fanyu.shuyou:TcmsServicecn.it.picliu.fanyu.shuyou:channel

description	ioc	process
Framework service call	android.app.IActivityManager.setServiceForeground	cn.it.picliu.fanyu.shuyou:TcmsService
Framework service call	android.app.IActivityManager.setServiceForeground	cn.it.picliu.fanyu.shuyou:channel

Queries information about running processes on the device 1 TTPs 3 IoCs

Application may abuse the framework's APIs to collect information about running processes on the device.

discovery

Process Discovery

T1424

Processes:

cn.it.picliu.fanyu.shuyoucn.it.picliu.fanyu.shuyou:channelcn.it.picliu.fanyu.shuyou:TcmsService

description	ioc	process
Framework service call	android.app.IActivityManager.getRunningAppProcesses	cn.it.picliu.fanyu.shuyou
Framework service call	android.app.IActivityManager.getRunningAppProcesses	cn.it.picliu.fanyu.shuyou:channel
Framework service call	android.app.IActivityManager.getRunningAppProcesses	cn.it.picliu.fanyu.shuyou:TcmsService

Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
discovery

System Network Connections Discovery
T1421

Processes:

cn.it.picliu.fanyu.shuyou:TcmsService

description ioc process

Framework service call android.net.wifi.IWifiManager.getConnectionInfo cn.it.picliu.fanyu.shuyou:TcmsService

description	ioc	process
Framework service call	android.net.wifi.IWifiManager.getConnectionInfo	cn.it.picliu.fanyu.shuyou:TcmsService

Checks if the internet connection is available 1 TTPs 3 IoCs

discovery

System Network Connections Discovery

T1421

Processes:

cn.it.picliu.fanyu.shuyoucn.it.picliu.fanyu.shuyou:TcmsServicecn.it.picliu.fanyu.shuyou:channel

description	ioc	process
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	cn.it.picliu.fanyu.shuyou
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	cn.it.picliu.fanyu.shuyou:TcmsService
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	cn.it.picliu.fanyu.shuyou:channel

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 3 IoCs

impact

Data Encrypted for Impact

T1471

Processes:

cn.it.picliu.fanyu.shuyoucn.it.picliu.fanyu.shuyou:channelcn.it.picliu.fanyu.shuyou:TcmsService

description	ioc	process
Framework API call	javax.crypto.Cipher.doFinal	cn.it.picliu.fanyu.shuyou
Framework API call	javax.crypto.Cipher.doFinal	cn.it.picliu.fanyu.shuyou:channel
Framework API call	javax.crypto.Cipher.doFinal	cn.it.picliu.fanyu.shuyou:TcmsService

cn.it.picliu.fanyu.shuyou
1⤵
- Checks memory information
- Queries information about running processes on the device
- Checks if the internet connection is available
- Uses Crypto APIs (Might try to encrypt user data)
PID:4659

cn.it.picliu.fanyu.shuyou:channel
1⤵
- Checks memory information
- Makes use of the framework's foreground persistence service
- Queries information about running processes on the device
- Checks if the internet connection is available
- Uses Crypto APIs (Might try to encrypt user data)
PID:4696

cn.it.picliu.fanyu.shuyou:TcmsService
1⤵
- Requests cell location
- Makes use of the framework's foreground persistence service
- Queries information about running processes on the device
- Queries information about the current Wi-Fi connection
- Checks if the internet connection is available
- Uses Crypto APIs (Might try to encrypt user data)
PID:4815

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Foreground Persistence

T1541

Privilege Escalation

Defense Evasion

Execution Guardrails

T1627

Geofencing

T1627.001

Foreground Persistence

T1541

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Discovery

Location Tracking

T1430

Process Discovery

T1424

System Information Discovery

T1426

System Network Connections Discovery

T1421

Lateral Movement

Collection

Location Tracking

T1430

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/cn.it.picliu.fanyu.shuyou/databases/MessageStore.db

Filesize
36KB

MD5
30a22bb89c0564efe82468e7f2b8f6f2

SHA1
493c0f151689fcc133493a2318017564b2544311

SHA256
ff313d835b17bcc25de0c723293165ad86493076f0687e2127a63f2663f19915

SHA512
4f3ac031219ceca4bea70d4ceab2ab3244c56aa56a597725e3e49bf1da52708c503df0cd9d3ffcc88542d6777b9882edac30192fa4aada87a2a397e31a18a705

Download Submit
/data/user/0/cn.it.picliu.fanyu.shuyou/databases/MessageStore.db-journal

Filesize
512B

MD5
08fa3221258101b781876edbed121cde

SHA1
eb644b18ada0a2979dc0e61e225f89c600f85fbf

SHA256
02225b550ae2bd77a042ce05418a0afae1f677ad0b7fbce74a8197dd21d509b3

SHA512
10ca754bb279a80487d912075b53bbc5b4f2b7cfd34cdb87bf36b742b51a56777954dde9aaafc16f90053216a3e3ff41774a5912c0a6a41979aaca7e668be7e1

Download Submit
/data/user/0/cn.it.picliu.fanyu.shuyou/databases/MessageStore.db-journal

Filesize
8KB

MD5
abb5fc8fc33a476184e4bfdf9b957169

SHA1
cc2b4f62a9a77947463431c5f860bbea73d802a0

SHA256
a524747752ee261fb7335b3705a1978ab3a77b665bf56fea936f21222fe37019

SHA512
04602bbf2fd72c2f40925c5e2b645d4d3ac18d3da9e119b445a9333e4f1ef3bffe60aa2d8a41a541d5ddca02d5a6b928ed78150111798c30633d7403334f0404

Download Submit
/data/user/0/cn.it.picliu.fanyu.shuyou/databases/MessageStore.db-journal

Filesize
8KB

MD5
273a04c232b0330438b2b5c3299d7169

SHA1
ed773fe6c99553dc7bb9ef755acc7add553df824

SHA256
a528802ef56f651afbbf2bf0fef6c9f21c2fa9d10c056dfc186f802d795fc886

SHA512
a72f25ec52c67a12069e7cbc0b51d1b1872ab539e1bafbb8dffdbc06bc7a58100169afadff301d18fa328ddf5e6d7a3672a28cb76f80aa39cef246e3002b5252

Download Submit
/data/user/0/cn.it.picliu.fanyu.shuyou/databases/accs.db

Filesize
20KB

MD5
ca8224424dbc75407e5a55b35818b158

SHA1
fcf85f5936a55d2b450f4e4d4289620ac230bd3a

SHA256
be9f7bc91051c2eba9ed6c02d9f71e1a44637cd141f829be45c838fb656a006d

SHA512
8af2ae0cd26162a6b5d5f96984dad4d4732bbc6d99e98d9c632b128b8122048f36940cac4aac15a3b5ce9bece0b2b9be85dabae5f77bb2b451b5afb8a1794bdf

Download Submit
/data/user/0/cn.it.picliu.fanyu.shuyou/databases/accs.db-journal

Filesize
512B

MD5
5d299a366bd585763c9378a4cdd63a2d

SHA1
65556444d4dd7b58626d9c5ff2e7e08cfd1dec23

SHA256
2b518e5677b918cae39a7a3160d22aee7c9bc998914da9260f7495c49d83203a

SHA512
cbdb422e9f9b29e0b979937c050ad9c74dfa326976f89fc99959e4d0a4bcf0a47763d00d78d858faa3078d2c5d4b1d8f425a32407fb7383ea6f5b8fc83dee8e8

Download Submit
/data/user/0/cn.it.picliu.fanyu.shuyou/databases/accs.db-journal

Filesize
8KB

MD5
2f4531cd195bcc7e446b1ae6004271ee

SHA1
94c5c389ed9df2de38ef48e57384854f5e32ac83

SHA256
dbcc6d3f372f846ddb776ef70c5f6b6cc8cd3f878f1a0057527c3841af31db4b

SHA512
aacbd97e49be085592c970cd3da4ccdc98623beff07f9c84cb26b3f6012a2c795591d1e8d075ee3c12209db82f204e15fc1f41257a78c89aa29a3d2f694c6dd6

Download Submit
/data/user/0/cn.it.picliu.fanyu.shuyou/databases/accs.db-journal

Filesize
8KB

MD5
d76367ef62228ef08467361042628474

SHA1
d9e2a5f247dc13d2643a3b8e770918a330dfaf2a

SHA256
5bbfb524da273d1ce3db729365d24d76f4b165cfa513755079d1c3f2c43fcc5f

SHA512
7f8e557d9aff22f7f26316e3a777923395975d692eeb0474b48b59647e7c95beef90dcd6e54f9ec02b31fb8b9eac52508dc1647a75f4f1591ccb719170a7fd41

Download Submit
/storage/emulated/0/.UTSystemConfig/Global/Alvin2.xml

Filesize
167B

MD5
c74c6dc5c4b3aa3e6ab9dafe4fd6192b

SHA1
bff9f23de802bf9369644a935f4bf8694c10e6f7

SHA256
3e1dfef2aa122bad7e43d7b1742de97c83d6b6472742e6c656bfb357652c3fa7

SHA512
87b66e6c45eb6af4c7a6270d46e2afcec14a14fe246b003d2e401b1c9b078a235eaf89944dcadf861522e387f937a027a6efc7d8c754a9e89547a9ab4ffa91b0

Download Submit
/storage/emulated/0/Android/data/cn.it.picliu.fanyu.shuyou/files/tnetlogs/inapp_20240524.log (deleted)

Filesize
544B

MD5
d0c1564a7b0f3af03ecf1d489f904cca

SHA1
8c65ae4f038cce52bb83bd56410a33d1fa7b5642

SHA256
4bebeaa6e36517cf34613acdcec727a9aa9311d46fef9882ab377729fec231eb

SHA512
1c6446ec4dcb810d6b3169bc292e4209ee8afe8b8da27404f5639e13f3efc5c514bfee175eeee071a58339686444c06b6e98b88279f400c4da35b3adddee04da

Download Submit
/storage/emulated/0/crash/crash-2024-05-24-15-44-42-1716565482196.log

Filesize
4KB

MD5
d65d2e0da9bff79e350ced083657e0ac

SHA1
e16fd2e0a17ad1cf874de838931bba542eff3e6f

SHA256
e43d4de8f37fc8f465c45430eb1e822b41e916ced6836a81415ee9d9d4e5ed39

SHA512
fab42a4bdabe2162058dc7213d1b768324d9607f76d849c118991cccd8ad55427e871ffd8ec8c6795a31e9e19e9005ada73146ffa4ea24941d94ffeb66fef2ce

Download Submit