Analysis
-
max time kernel
17s -
max time network
130s -
platform
android_x86 -
resource
android-x86-arm-20240514-en -
resource tags
androidarch:armarch:x86image:android-x86-arm-20240514-enlocale:en-usos:android-9-x86system -
submitted
26/05/2024, 23:49
Behavioral task
behavioral1
Sample
773823233832d2c2cb4d0a52fd21ef2b_JaffaCakes118.apk
Resource
android-x86-arm-20240514-en
General
-
Target
773823233832d2c2cb4d0a52fd21ef2b_JaffaCakes118.apk
-
Size
4.4MB
-
MD5
773823233832d2c2cb4d0a52fd21ef2b
-
SHA1
fbebfb80769de54ef78e1988b4e90d9349a89d11
-
SHA256
b2dcd4c008dd36a492a928e32056aba77c9649e70d62ad3cbc54a1f7f5282b8a
-
SHA512
d120b53e5922c4a0aeb7b4b3af5c7fadb615186f99c0d74162b836d37d1f52b7976f813f84f68fde31e32a2b6ce710842d05e946f60bb1502d7b40857786c511
-
SSDEEP
98304:GryHbC5kN0RHnNsfUeT9TMqzJYr1ZZhpK7aW+J/WA:7bC5a0RK99QqVyfZhpTfRWA
Malware Config
Signatures
-
BadMirror
BadMirror is an Android infostealer first seen in March 2016.
-
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Requests cell location 2 TTPs 2 IoCs
Uses Android APIs to to get current cell location.
description ioc Process Framework service call com.android.internal.telephony.ITelephony.getCellLocation com.aiwan.xmxx209.asz Framework service call com.android.internal.telephony.ITelephony.getAllCellInfo com.aiwan.xmxx209.asz -
Checks Android system properties for emulator presence. 1 TTPs 1 IoCs
description ioc Process Accessed system property key: ro.product.model com.aiwan.xmxx209.asz -
Checks CPU information 2 TTPs 1 IoCs
Checks CPU information which indicate if the system is an emulator.
description ioc Process File opened for read /proc/cpuinfo com.aiwan.xmxx209.asz -
Checks memory information 2 TTPs 1 IoCs
Checks memory information which indicate if the system is an emulator.
description ioc Process File opened for read /proc/meminfo com.aiwan.xmxx209.asz -
Queries information about running processes on the device 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about running processes on the device.
description ioc Process Framework service call android.app.IActivityManager.getRunningAppProcesses com.aiwan.xmxx209.asz -
Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
description ioc Process Framework service call android.net.wifi.IWifiManager.getConnectionInfo com.aiwan.xmxx209.asz -
Queries information about the current nearby Wi-Fi networks 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about the current nearby Wi-Fi networks.
description ioc Process Framework service call android.net.wifi.IWifiManager.getScanResults com.aiwan.xmxx209.asz -
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
description ioc Process Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone com.aiwan.xmxx209.asz -
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Reads the content of SMS inbox messages. 1 TTPs 1 IoCs
description ioc Process URI accessed for read content://sms/inbox com.aiwan.xmxx209.asz -
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
description ioc Process Framework service call android.app.IActivityManager.registerReceiver com.aiwan.xmxx209.asz -
Checks if the internet connection is available 1 TTPs 1 IoCs
description ioc Process Framework service call android.net.IConnectivityManager.getActiveNetworkInfo com.aiwan.xmxx209.asz -
Domain associated with commercial stalkerware software, includes indicators from echap.eu.org 1 IoCs
flow ioc 14 alog.umeng.com -
Reads information about phone network operator. 1 TTPs
-
Listens for changes in the sensor environment (might be used to detect emulation) 1 TTPs 1 IoCs
description ioc Process Framework API call android.hardware.SensorManager.registerListener com.aiwan.xmxx209.asz -
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
description ioc Process Framework API call javax.crypto.Cipher.doFinal com.aiwan.xmxx209.asz
Processes
-
com.aiwan.xmxx209.asz1⤵
- Requests cell location
- Checks Android system properties for emulator presence.
- Checks CPU information
- Checks memory information
- Queries information about running processes on the device
- Queries information about the current Wi-Fi connection
- Queries information about the current nearby Wi-Fi networks
- Queries the mobile country code (MCC)
- Reads the content of SMS inbox messages.
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Checks if the internet connection is available
- Listens for changes in the sensor environment (might be used to detect emulation)
- Uses Crypto APIs (Might try to encrypt user data)
PID:4314 -
cat /sys/block/mmcblk0/device/cid2⤵PID:4512
-
Network
MITRE ATT&CK Mobile v15
Defense Evasion
Execution Guardrails
1Geofencing
1Hide Artifacts
1User Evasion
1Virtualization/Sandbox Evasion
3System Checks
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
150B
MD5a770ffd8234907c03b60380cec5e8191
SHA19b355e34eaf3adf0e204f46a3c819c955ae01699
SHA25699398ebd0b5b943a53d99eb3c4d10ec5c58ec45dbd29146e128658ced5354e5f
SHA51251af60af7fedfe1bba0e32410505f16f601af02d86ee450a879ace3b7126e3bf5127ebdd184e51745a1f8b4229c460dd9aa355cf809e6381cc2c8407ab6721a7
-
Filesize
6KB
MD54eb7459a5c71ea72fdf6d9d37f645175
SHA11f2fcb849d70ca8c935570befa28bd3d57974e34
SHA2569823d61e152352dee44bb2cc6feaaef314ed1ddba7029819c17d259c4c34484a
SHA512b3890fc135c493f96e48c91beda2cd4b3c870b3300510830c19d843ee60d8f60f8bcb8e085908b01e8fab64edbfefb67790aa97652cff8fc763a36e0be3d0afa
-
Filesize
4KB
MD5f2b4b0190b9f384ca885f0c8c9b14700
SHA1934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA2560a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1
-
Filesize
512B
MD5952e815b39b8d13448c9a234c567f36c
SHA17ca82167eee53ae3dfcc774a0b43b4a7dfecdcda
SHA256a518c3ec4fc376fb923df3f73cfa0af47baf9b882e1960d2b8ae60d569f7c6af
SHA512ddedfca39c1fe95d264664d2fe8bec6b5769df90bfa24c01f1eaa59c1e5ba578eef6df6d06780dfeb0fe3aa1ccd39c944959b0f4f6c6ec8c9fc60392e50633f3
-
Filesize
32KB
MD5bb7df04e1b0a2570657527a7e108ae23
SHA15188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012
-
Filesize
56KB
MD507336dfd91c43eb64b0058ce38dc9f36
SHA17787f27b80be08c61f923dfec2fcbfacd91210c9
SHA256b65d4c1697ffcb7aaf2dcece7e030723110f628e9bef953c3ba0bc084702bdd8
SHA5123befd0878c7fa94640c9c9938612ffb2bd2f471f57d645e11d2e5213a701d40e9bb331e9d816eb19a5d8a9a168e68ae385333cd5e6d549bc64e5aec5c840a18d
-
Filesize
310B
MD56c891a0fb36c692be836b9b474cd3600
SHA179f9d9c549358ab07510fc6351d732d3a13c1ad8
SHA256c75b6f2c158f1deeb1dc00d0dfceb3a3b0b66ac21b96ea7a733ceabf8f0d8747
SHA512eb20420c185233ec9b75bcda43a52cfa23df5c46d1db2435e1276d8ff194b4c2f7e4a203c9f88c1bdfc0a9e3d869921211abaa5801fbb5d09132a0827ef0ceb5
-
Filesize
150B
MD5ed97d837dbed16f76965527871f4f8dd
SHA1c461597730890e38870a7bb3872ecb7a64792c80
SHA256950f3ebb09c50f095af894ef60bd137dd531d0bb260c56178a55cedd76bd7942
SHA512484c6a5d2b363f9fb50998d1bfb70b2b52ef0ad95d165386228a30ad703954ee6fb0fdeeb57a0b74c425cca8bf5cd84153e7f39715a6ee7303cb1c3ecf7110b4