7956093822959b097087cb76f69fe0b0138de189e4d0d12a29ef961f0c970c30

General

Target

84cff0035bc2348a00acfb5254c7d16c_JaffaCakes118.apk
Size

9.4MB
MD5

84cff0035bc2348a00acfb5254c7d16c
SHA1

1296018fe46ccdce6c832d86bc426cf1e2ebc196
SHA256

7956093822959b097087cb76f69fe0b0138de189e4d0d12a29ef961f0c970c30
SHA512

090882adc4b1fa6ee096e91eb8672a0339a55afbf2a0fa176ae316cdad8a20810e1a81b7d90c5b1eac25201a87b8a4f738e21e9c6f3ee6320cac0e7ce900609e
SSDEEP

196608:xpwi2zyHF6Vz233mpTdnTnIFaw0dyHA9Hh/2jyX/wDnil:f2ml61DJGUsHyh/nwDnC

Score

8^/10

banker discovery evasion impact persistence

Malware Config

Signatures

Checks if the Android device is rooted. 1 TTPs 2 IoCs

evasion

System Information Discovery

T1426

ioc	Process
/system/xbin/su	com.h202018720.qrt
/system/bin/su	com.h202018720.qrt

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001

Checks CPU information 2 TTPs 1 IoCs

Checks CPU information which indicate if the system is an emulator.

evasion discovery

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	com.h202018720.qrt

Checks memory information 2 TTPs 2 IoCs

Checks memory information which indicate if the system is an emulator.

evasion discovery

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	com.h202018720.qrt
File opened for read	/proc/meminfo	com.h202018720.qrt:remote

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

evasion persistence

Foreground Persistence

T1541

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	com.h202018720.qrt:remote

Queries information about running processes on the device 1 TTPs 2 IoCs

Application may abuse the framework's APIs to collect information about running processes on the device.

discovery

Process Discovery

T1424

description	ioc	Process
Framework service call	android.app.IActivityManager.getRunningAppProcesses	com.h202018720.qrt:remote
Framework service call	android.app.IActivityManager.getRunningAppProcesses	com.h202018720.qrt

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.h202018720.qrt

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 2 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	com.h202018720.qrt
Framework service call	android.app.IActivityManager.registerReceiver	com.h202018720.qrt:remote

Checks if the internet connection is available 1 TTPs 1 IoCs

discovery

System Network Connections Discovery

T1421

description	ioc	Process
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.h202018720.qrt

Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.h202018720.qrt

com.h202018720.qrt
1⤵
- Checks if the Android device is rooted.
- Checks CPU information
- Checks memory information
- Queries information about running processes on the device
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Checks if the internet connection is available
- Uses Crypto APIs (Might try to encrypt user data)
PID:4263
- getprop ro.product.cpu.abi
  2⤵
  PID:4308

com.h202018720.qrt:remote
1⤵
- Checks memory information
- Makes use of the framework's foreground persistence service
- Queries information about running processes on the device
- Registers a broadcast receiver at runtime (usually for listening for system events)
PID:4410

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

1

T1624

Broadcast Receivers

1

T1624.001

Foreground Persistence

1

T1541

Privilege Escalation

Defense Evasion

Foreground Persistence

1

T1541

Virtualization/Sandbox Evasion

2

T1633

System Checks

2

T1633.001

Credential Access

Discovery

Process Discovery

1

T1424

Software Discovery

1

T1418

Security Software Discovery

1

T1418.001

System Information Discovery

3

T1426

System Network Configuration Discovery

2

T1422

System Network Connections Discovery

1

T1421

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

1

T1471

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.h202018720.qrt/app_tbs/core_private/download_upload

Filesize
84B

MD5
4329c9456940b11bedc64eedbcfd2193

SHA1
e20ddebc3204131dce1e1b5f6608d5f58c2beb84

SHA256
936395158e92c9e374325f08eb3cd8cd5ef6b02b480882476598f52bffe2cebd

SHA512
faabe572d8c9244d2e2e3559f723e0b2a340fc674ae48fdf1eb1770375e919f959074662102cd2bd79995773ff0da45b8101259349617fdd6d07c9de73b0fc50

Download Submit
/data/data/com.h202018720.qrt/app_tbs/core_private/download_upload

Filesize
56B

MD5
d5e5489e06a20c165345d5da86763233

SHA1
191098a520251695569388e2d2eabea32e6a1532

SHA256
3dc12a50c0909747c3c8f3b76b8eb135bf9e7bc6e680dd8f992a306c7cd8a199

SHA512
8b43b1005dd2d51c3a95a53ddcd0db60effbc8bbf9e67dde5cb3ea1e4c69c1180dab019b4c6637b3a5d61c4e44c0f2a9eb917338fb636b3f8a19f183a94dd6a2

Download Submit
/data/data/com.h202018720.qrt/app_tbs/core_private/download_upload

Filesize
56B

MD5
55d77fb95b6cc0bcbe4a2d6f57bf2790

SHA1
a2201450a562d1b582f39e3cb1ed9e306bc52639

SHA256
d91847acb6e2517c0c39f462c9fce58bf118a7bf6e9ab4405f055ed6805643cb

SHA512
ac3fdfe608a9e2c59db76cb2b4d1afc899c27985a3149fc36b66b7acb7e118c73896dacd25058b9eb7d56bafb1acd1d3bf76d15c65f8c484bd80049bdf8541db

Download Submit
/data/data/com.h202018720.qrt/app_tbs/core_private/download_upload

Filesize
84B

MD5
0a4cdef800ba7aea8f2157dc2447e8a4

SHA1
cada73cf8068edbb9e6464d4671995d98462ed6c

SHA256
263d0bb9aa0ba890b21b3c362da63f955b58886837f76a3913f1b43555b544de

SHA512
8c5efa1fec8880deb6e52370317115e7f217fd199c7d40ffb706b6c8b05050fc833ca3ee1e766c688af3fc714a967e6a80b1e4efb01f0e77b38487f001bcec06

Download Submit
/storage/emulated/0/Android/data/com.h202018720.qrt/files/tbslog/tbslog.txt

Filesize
14KB

MD5
060c75a68da997b03fe658aa02c735da

SHA1
25a99f7fbcdef498716b7384027e570890ec9541

SHA256
c5e868bc0c07fd50a1877e4ce71072de8474f12f0cc4add54922cd1f028e6888

SHA512
22b0cd88e97d7ef97f65cfc257ddf9c8114b86deac2a2acac66445ba98e01a1e4951c15798ecd568f610f208668b2caba42d21655bf4e512f01388b97a201ef1

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads