0516416947f71b9af9dbc95a72b0d4fd0fbff816c97bca163deed795cd75d02d

Analysis

max time kernel
179s
max time network
159s
platform
android_x64
resource
android-x64-20240514-en
resource tags

androidarch:x64arch:x86image:android-x64-20240514-enlocale:en-usos:android-10-x64system
submitted
30-05-2024 11:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

840af04291bf6f8c239c5178e1674772_JaffaCakes118.apk
Size

263KB
MD5

840af04291bf6f8c239c5178e1674772
SHA1

35322bd708e281a3af6f33a7a48cf01f969f123c
SHA256

0516416947f71b9af9dbc95a72b0d4fd0fbff816c97bca163deed795cd75d02d
SHA512

30a41c2a1ff09f2e7a0a479d7cd2b160d498398bc43ab0f338dae1a822e5611e3932ad21c60c836d8956003ad68497a5d9b47834107398305ef46ddf641696f2
SSDEEP

6144:bRIZPNvivXSCeVvnD2IJOsBFaw4IzEsS/ZXBc2Y4MT5fNq:bRI3i6tQIwsBFa/IvcR9Uq

Score

8^/10

banker collection credential_access discovery evasion execution impact persistence stealth trojan

Malware Config

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Removes its main activity from the application launcher 1 TTPs 1 IoCs
stealth trojan evasion

Suppress Application Icon
T1628.001

Processes:

com.news.geynci.jxvlsxqrljv

pid process

5107 com.news.geynci.jxvlsxqrljv
Checks memory information 2 TTPs 1 IoCs
Checks memory information which indicate if the system is an emulator.
evasion discovery

System Checks
T1633.001

System Information Discovery
T1426

Processes:

com.news.geynci.jxvlsxqrljv

description ioc process

File opened for read /proc/meminfo com.news.geynci.jxvlsxqrljv
Loads dropped Dex/Jar 1 TTPs 1 IoCs
Runs executable file dropped to the device during analysis.
evasion

Download New Code at Runtime
T1407

Processes:

com.news.geynci.jxvlsxqrljv

ioc pid process

/data/user/0/com.news.geynci.jxvlsxqrljv/app_tfile/fields.jar 5107 com.news.geynci.jxvlsxqrljv
Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs
Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
collection credential_access impact

Clipboard Data
T1414

Transmitted Data Manipulation
T1641.001

Processes:

com.news.geynci.jxvlsxqrljv

description ioc process

Framework service call android.content.IClipboard.addPrimaryClipChangedListener com.news.geynci.jxvlsxqrljv
Queries account information for other applications stored on the device 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect account information stored on the device.
collection

Stored Application Data
T1409

Processes:

com.news.geynci.jxvlsxqrljv

description ioc process

Framework service call android.accounts.IAccountManager.getAccountsAsUser com.news.geynci.jxvlsxqrljv
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
discovery

System Network Configuration Discovery
T1422

Processes:

com.news.geynci.jxvlsxqrljv

description ioc process

Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone com.news.geynci.jxvlsxqrljv
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
persistence

Broadcast Receivers
T1624.001

Processes:

com.news.geynci.jxvlsxqrljv

description ioc process

Framework service call android.app.IActivityManager.registerReceiver com.news.geynci.jxvlsxqrljv
Checks if the internet connection is available 1 TTPs 1 IoCs
discovery

System Network Connections Discovery
T1421

Processes:

com.news.geynci.jxvlsxqrljv

description ioc process

Framework service call android.net.IConnectivityManager.getActiveNetworkInfo com.news.geynci.jxvlsxqrljv
Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
discovery

System Network Configuration Discovery
T1422
Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422

pid	process
5107	com.news.geynci.jxvlsxqrljv

description	ioc	process
File opened for read	/proc/meminfo	com.news.geynci.jxvlsxqrljv

ioc	pid	process
/data/user/0/com.news.geynci.jxvlsxqrljv/app_tfile/fields.jar	5107	com.news.geynci.jxvlsxqrljv

description	ioc	process
Framework service call	android.content.IClipboard.addPrimaryClipChangedListener	com.news.geynci.jxvlsxqrljv

description	ioc	process
Framework service call	android.accounts.IAccountManager.getAccountsAsUser	com.news.geynci.jxvlsxqrljv

description	ioc	process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.news.geynci.jxvlsxqrljv

description	ioc	process
Framework service call	android.app.IActivityManager.registerReceiver	com.news.geynci.jxvlsxqrljv

description	ioc	process
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.news.geynci.jxvlsxqrljv

Schedules tasks to execute at a specified time 1 TTPs 2 IoCs

Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

execution persistence

Scheduled Task/Job

T1603

Processes:

com.news.geynci.jxvlsxqrljvcom.news.geynci.jxvlsxqrljv:guard

description	ioc	process
Framework service call	android.app.job.IJobScheduler.schedule	com.news.geynci.jxvlsxqrljv
Framework service call	android.app.job.IJobScheduler.schedule	com.news.geynci.jxvlsxqrljv:guard

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
impact

Data Encrypted for Impact
T1471

Processes:

com.news.geynci.jxvlsxqrljv

description ioc process

Framework API call javax.crypto.Cipher.doFinal com.news.geynci.jxvlsxqrljv

description	ioc	process
Framework API call	javax.crypto.Cipher.doFinal	com.news.geynci.jxvlsxqrljv

com.news.geynci.jxvlsxqrljv
1⤵
- Removes its main activity from the application launcher
- Checks memory information
- Loads dropped Dex/Jar
- Obtains sensitive information copied to the device clipboard
- Queries account information for other applications stored on the device
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Checks if the internet connection is available
- Schedules tasks to execute at a specified time
- Uses Crypto APIs (Might try to encrypt user data)
PID:5107

com.news.geynci.jxvlsxqrljv:RemoteProcess
1⤵
PID:5151

com.news.geynci.jxvlsxqrljv:guard
1⤵
- Schedules tasks to execute at a specified time
PID:5635

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

T1603

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Scheduled Task/Job

T1603

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Hide Artifacts

T1628

Suppress Application Icon

T1628.001

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Clipboard Data

T1414

Discovery

Software Discovery

T1418

Security Software Discovery

T1418.001

System Information Discovery

T1426

System Network Configuration Discovery

T1422

System Network Connections Discovery

T1421

Lateral Movement

Collection

Clipboard Data

T1414

Stored Application Data

T1409

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Data Manipulation

T1641

Transmitted Data Manipulation

T1641.001

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.news.geynci.jxvlsxqrljv/app_tfile/fields.jar
Filesize
138KB

MD5
cceb8db3b057d24673d49eda229e9892

SHA1
b18f6353b2156410249079a3b7b86ef3a530e8ee

SHA256
e900cb4c3fe9d8f45196a7457e9645c65b0f3cde820f4161950252cff67a4d97

SHA512
4a42cde3165a706e823caa1362001ed8aa647caf22325a4f2554c64fc4ebcd79afe44fe5eab5474221806f26e7aca9d2901026de6e597ef62fe867f123e4bd57

Download Submit
/data/data/com.news.geynci.jxvlsxqrljv/app_tfile/oat/fields.jar.cur.prof
Filesize
369B

MD5
6de41202d76cfb91657a014430e7f33d

SHA1
1c066a98ee1dae3493881522b42a6978ef72ffee

SHA256
51491488aa5999f64c4d74c50676559497e9890b2a3978cdc8f07dc782e945ec

SHA512
765ef4f4ca7a832af8677b8cb38b705a5cf809b6d321f7d86bcb03471d5e55d8c9b8dc04dbad9f89b10febd5e87b29d29e1bd36fa91259ba00ea863ad1225236

Download Submit
/data/data/com.news.geynci.jxvlsxqrljv/databases/tbcom.news.geynci.jxvlsxqrljv
Filesize
36KB

MD5
ae8aa93151da27ce1348c21d6ea98a45

SHA1
d187ce29f387717ea0c7d2919a77945a6f04a954

SHA256
b5023c1c2354845e52c945166be1111d7565a000e57ea18d8ce2943c73580e81

SHA512
7bc212292c6dd5192e2d714d1e06c3109f133bf0f5bddb4dd4113a4b9ab3a8db3ba7e1cab4a7da44724361b8d7d53cdde3d50506cf7264fb00d7b4521014c85a

Download Submit
/data/data/com.news.geynci.jxvlsxqrljv/databases/tbcom.news.geynci.jxvlsxqrljv-journal
Filesize
512B

MD5
f73b480a1e40468ed99bcda714e34841

SHA1
b2a896fcea6b3dc0de3d8f0b8691e39190d573a6

SHA256
f33c1163d7751baf812a38db05fee58923cbf0cbbab0aa87384b95d5869341f1

SHA512
7178acbeb9f0fdf3b6448d9d951c3c69ce619c866f482d1722047907ae47756e743610822a637060f167238dc06c7b8b70a5a6b6d8355ce01c820bf2ca4c29b9

Download Submit
/data/data/com.news.geynci.jxvlsxqrljv/databases/tbcom.news.geynci.jxvlsxqrljv-journal
Filesize
8KB

MD5
43b8ceb059d9c8cbb797bc482378f3c0

SHA1
649b643d338b26c45ddb4b2444f040a99498d647

SHA256
b5db74194260aa59aa504b5f3936013203feb79f06f0e707f62758cea07fd8cf

SHA512
3e3f86b0c32405140fc908dc9140b88fb78aa38f9877186a74c8dd495d2eccc58b50658b99e08e0d1cce8c939e8534527a31dd1e8df1064e2fdb0c424b7e6502

Download Submit
/data/data/com.news.geynci.jxvlsxqrljv/databases/tbcom.news.geynci.jxvlsxqrljv-journal
Filesize
8KB

MD5
7afa5fc55cbeeb40cf0711cc89224344

SHA1
43bc158e3f6acf3fbeec01861e12c8b867b01f20

SHA256
928c1b13d3b414b61a838c612ee3073b315bb0ba03bdcf8683419bd3f961ec79

SHA512
e13f16d040184a421c1149c44a4a0087f1868c4aaf227d328079e2d13450e0c4a769c64786fb4d87d950556db6815298971158869642073f1faaba9f4614cad4

Download Submit
/data/user/0/com.news.geynci.jxvlsxqrljv/app_tfile/fields.jar
Filesize
281KB

MD5
73b11c4c10150bbd4f29ad012dc11dde

SHA1
65c83ad32c29f9811c32eda75d7fcdc92ef42dda

SHA256
52132037e9b950a9cb48d6374ee2c6747a6bfe776e13a726395771f1b40ee9da

SHA512
3e53b1ee22a00e60896da86d2695195e0965c93d190c4d1c0dba2eb5c611d670ee7693a9f8756858255e2b170cb82a753719dd4d6a827af437309b7a1dcc6f01

Download Submit
/storage/emulated/0/Download/sdsid
Filesize
4B

MD5
b8c37e33defde51cf91e1e03e51657da

SHA1
dd01903921ea24941c26a48f2cec24e0bb0e8cc7

SHA256
fe675fe7aaee830b6fed09b64e034f84dcbdaeb429d9cccd4ebb90e15af8dd71

SHA512
e3d0e2ef3cab0dab2c12f297e3bc618f6b976aced29b3a301828c6f9f1e1aabbe6dab06e1f899c9c2ae2ca86caa330115218817f4ce36d333733cb2b4c7afde7

Download Submit