51c3fed39510f9b0af862b8552294ceae6aeed6fc879cca6b53379e099d58301

General

Target

820f46eca72897a7738b3b5c2526063d_JaffaCakes118.apk
Size

1.9MB
MD5

820f46eca72897a7738b3b5c2526063d
SHA1

f3b87b5fc4837ec752357f6536639f91c7400840
SHA256

51c3fed39510f9b0af862b8552294ceae6aeed6fc879cca6b53379e099d58301
SHA512

9900dfe6793e73756ad864409fbc478529c17df00caa5f57eac01719a823d1195730790d70b46584a03f4f3ed2f1b829e2be9be2f40a5bb1d964ad3471df609e
SSDEEP

49152:4qNGWEGPFJT6sdThCO2JK1H0jw878KQm73ZGj:4qo+9JjdlCOmn78zJ

Score

8^/10

collection credential_access discovery evasion execution impact persistence stealth trojan

Malware Config

Signatures

Removes its main activity from the application launcher 1 TTPs 1 IoCs
stealth trojan evasion

Suppress Application Icon
T1628.001

Processes:

com.spacegame.cashshow.hack

pid process

5235 com.spacegame.cashshow.hack
Checks CPU information 2 TTPs 1 IoCs
Checks CPU information which indicate if the system is an emulator.
evasion discovery

System Checks
T1633.001

System Information Discovery
T1426

Processes:

com.spacegame.cashshow.hack

description ioc process

File opened for read /proc/cpuinfo com.spacegame.cashshow.hack
Checks memory information 2 TTPs 1 IoCs
Checks memory information which indicate if the system is an emulator.
evasion discovery

System Checks
T1633.001

System Information Discovery
T1426

Processes:

com.spacegame.cashshow.hack

description ioc process

File opened for read /proc/meminfo com.spacegame.cashshow.hack
Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs
Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
collection credential_access impact

Clipboard Data
T1414

Transmitted Data Manipulation
T1641.001

Processes:

com.spacegame.cashshow.hack

description ioc process

Framework service call android.content.IClipboard.addPrimaryClipChangedListener com.spacegame.cashshow.hack
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
discovery

System Network Configuration Discovery
T1422

Processes:

com.spacegame.cashshow.hack

description ioc process

Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone com.spacegame.cashshow.hack
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
persistence

Broadcast Receivers
T1624.001

Processes:

com.spacegame.cashshow.hack

description ioc process

Framework service call android.app.IActivityManager.registerReceiver com.spacegame.cashshow.hack
Schedules tasks to execute at a specified time 1 TTPs 1 IoCs
Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
execution persistence

Scheduled Task/Job
T1603

Processes:

com.spacegame.cashshow.hack

description ioc process

Framework service call android.app.job.IJobScheduler.schedule com.spacegame.cashshow.hack

pid	process
5235	com.spacegame.cashshow.hack

description	ioc	process
File opened for read	/proc/cpuinfo	com.spacegame.cashshow.hack

description	ioc	process
File opened for read	/proc/meminfo	com.spacegame.cashshow.hack

description	ioc	process
Framework service call	android.content.IClipboard.addPrimaryClipChangedListener	com.spacegame.cashshow.hack

description	ioc	process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.spacegame.cashshow.hack

description	ioc	process
Framework service call	android.app.IActivityManager.registerReceiver	com.spacegame.cashshow.hack

description	ioc	process
Framework service call	android.app.job.IJobScheduler.schedule	com.spacegame.cashshow.hack

com.spacegame.cashshow.hack
1⤵
- Removes its main activity from the application launcher
- Checks CPU information
- Checks memory information
- Obtains sensitive information copied to the device clipboard
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Schedules tasks to execute at a specified time
PID:5235

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

1

T1603

Persistence

Event Triggered Execution

1

T1624

Broadcast Receivers

Scheduled Task/Job

Privilege Escalation

Defense Evasion

Hide Artifacts

1

T1628

Suppress Application Icon

1

T1628.001

Virtualization/Sandbox Evasion

2

T1633

System Checks

2

T1633.001

Credential Access

Clipboard Data

1

T1414

Discovery

System Information Discovery

2

T1426

System Network Configuration Discovery

1

T1422

Lateral Movement

Collection

Clipboard Data

1

T1414

Command and Control

Exfiltration

Impact

Data Manipulation

1

T1641

Transmitted Data Manipulation

1

T1641.001

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.spacegame.cashshow.hack/databases/evernote_jobs.db

Filesize
16KB

MD5
12627a2ec645c4a4bc50dba5903afd59

SHA1
504005c938517e61bcf68b65a055c2faba635c2e

SHA256
f177ffae9650eb4f407c2d9a510bb5a5abe1ece2fdfe24effc62478a1bfa5903

SHA512
7ff69589296e02383a217373399e75d8a82fa17146e4273f4c0eb630f096dd9f394a3324d60858b02f7e5cf177c82c6d966f5cbedb68ae6a98df7cc851b79cfd

Download Submit
/data/data/com.spacegame.cashshow.hack/databases/evernote_jobs.db

Filesize
16KB

MD5
0ed77b773b3560182bb9d2a0ba34db7e

SHA1
c5cc7bea4946848b825cfd2b5f58fb55e7652788

SHA256
429ff6c26a3345418df8d5fbfeeaa42de885b03fa0fb70553a420c14316ed4d1

SHA512
2862c2209e701f04a3dedb0b4d989c45fd11656fc04803673bebfd75242b9056530abe1b3ab44d44355d3ab0e6e2f3fd93edeae3bc5880dcaa0ca38443be249e

Download Submit
/data/data/com.spacegame.cashshow.hack/databases/evernote_jobs.db-journal

Filesize
512B

MD5
807b71ccbf299de47f6ae5b27d178b5f

SHA1
a8986c5fbebff8e1cc57592f757f52633b1b068e

SHA256
5ddbeaae469b0dfbde170dfb5acad78429c9ebd8043db2f462896797742a0a84

SHA512
ead2e389d7f8a0ddaa2acdd4e2c61ff11de87bc5ee3bbf837136a19b17569de8630e9fc017060308ddb2096314ece2d3a015d1b8a28bde66ddfe9729305cda26

Download Submit
/data/data/com.spacegame.cashshow.hack/databases/evernote_jobs.db-journal

Filesize
8KB

MD5
f6b0ec07ba04999f9ab7ba61c08fcbd1

SHA1
7d18ac27c76aa6cedd196a1a2e122ab2c8a7b8a2

SHA256
ab2bae7ea40eaf257dac964428ac81415b0143574a907afcee75542b7f129b7d

SHA512
0e5e16a755f4a6ecf836a45418a801d045c4d2379b970973a8b1debb10fb6f8a40cb0d464818e37c638f32f15bb1dace1a16e7e34858c4ec4b53bf2cff7db39a

Download Submit
/data/data/com.spacegame.cashshow.hack/databases/evernote_jobs.db-journal

Filesize
8KB

MD5
349287c478afb46ff79aaee5064949fc

SHA1
33db15ad1c005a368b0d4290e34a4468bd050a10

SHA256
941d2f623a9c919000e3223c44a0a6d26173a64f90b5a022cbf45c9d79869301

SHA512
4a06913d11a257d8b785e5630ce497895fe0cbc3e1c90d9c1879bee7eb2de3cdeedf6047b47d4e95f46b7bb7984f755e7da1828f428c5ee83729b7558069a610

Download Submit
/data/data/com.spacegame.cashshow.hack/databases/evernote_jobs.db-journal

Filesize
8KB

MD5
613624b6518888e1211419b6bdbcf85b

SHA1
282bafe999ab32837d8a9b6ea3ed3a51e22035c7

SHA256
3a2ed041019f3a54b2d1bdcb2d4f3bc9352f18845560e22d6d34c82dcb8ab185

SHA512
1dec68900a81137e4ce52071801e2d9cf7cbcd5d564bc97dce6b88f3b2c759f9bea83d160a5470f1d2e846875329f6d42d3e0f4da14a12c7d5929988aa57bfd4

Download Submit

Analysis

Sharing