Analysis

max time kernel:   177s
max time network:  171s
platform:          android_x86
resource:          android-x86-arm-20240514-en
resource tags:     android, arch:arm, arch:x86, image:android-x86-arm-20240514-en, locale:en-us, os:android-9-x86, system
submitted:         01-06-2024 03:26
Static task: static1

Behavioral task: behavioral1
  Sample:   893d51dd6fb7ae889d8882dc1d75b7bb_JaffaCakes118.apk
  Resource: android-x86-arm-20240514-en

Behavioral task: behavioral2
  Sample:   893d51dd6fb7ae889d8882dc1d75b7bb_JaffaCakes118.apk
  Resource: android-x64-20240514-en
General

Target:  893d51dd6fb7ae889d8882dc1d75b7bb_JaffaCakes118.apk
Size:    18.5MB
MD5:     893d51dd6fb7ae889d8882dc1d75b7bb
SHA1:    c9eb7c526e80963e3f9967817e2965419499fe96
SHA256:  0783d113641dfd20c236395078809c92a6a44a3174140b45d971ad626948c629
SHA512:  a215db1b8e3ebdf3576d1b92fdcc9b4ec7bf205d60bf81fc0395d58ad090d59363fc5d1d58fa4e7d3586cc92ee559574bb9d16f38f7d7afd057539e4b9ee7118
SSDEEP:  393216:7+zY3XIwkqHxhYCUKWySZ3XYj9HFjIkTvh0d6+Tuv+DjbswlryRTB:7EgI8Hxh5UKWT41F8MCd6+qv+DktTB
Malware Config
Signatures

Checks if the Android device is rooted.  (TTPs: 1, IoCs: 6)
  ioc                        Process
  /system/app/Superuser.apk  com.mklove.coco:ipc
  /system/bin/su             com.mklove.coco:ipc
  /sbin/su                   com.mklove.coco:ipc
  /sbin/su                   com.mklove.coco:ipc
  /system/app/Superuser.apk  com.mklove.coco:ipc
  /system/bin/su             com.mklove.coco:ipc

Checks CPU information  (TTPs: 2, IoCs: 1)
Checks CPU information which indicates whether the system is an emulator.
  description           ioc            Process
  File opened for read  /proc/cpuinfo  com.mklove.coco

Checks known Qemu files.  (TTPs: 1, IoCs: 6)
Checks for known Qemu files that exist on Android virtual device images.
  ioc                                    Process
  /system/bin/qemu-props                 com.mklove.coco:ipc
  /system/lib/libc_malloc_debug_qemu.so  com.mklove.coco:ipc
  /sys/qemu_trace                        com.mklove.coco:ipc
  /system/bin/qemu-props                 com.mklove.coco:ipc
  /system/lib/libc_malloc_debug_qemu.so  com.mklove.coco:ipc
  /sys/qemu_trace                        com.mklove.coco:ipc

Checks known Qemu pipes.  (TTPs: 1, IoCs: 4)
Checks for known pipes used by the Android emulator to communicate with the host.
  ioc                Process
  /dev/socket/qemud  com.mklove.coco:ipc
  /dev/qemu_pipe     com.mklove.coco:ipc
  /dev/socket/qemud  com.mklove.coco:ipc
  /dev/qemu_pipe     com.mklove.coco:ipc

Checks memory information  (TTPs: 2, IoCs: 3)
Checks memory information which indicates whether the system is an emulator.
  description           ioc            Process
  File opened for read  /proc/meminfo  com.mklove.coco:ipc
  File opened for read  /proc/meminfo  com.mklove.coco:ipc
  File opened for read  /proc/meminfo  com.mklove.coco

Loads dropped Dex/Jar  (TTPs: 1, IoCs: 9)
Runs an executable file dropped to the device during analysis.
  ioc                                                         pid   Process
  /data/data/com.mklove.coco/.jiagu/classes.dex               4259  com.mklove.coco
  /data/data/com.mklove.coco/.jiagu/classes.dex!classes2.dex  4259  com.mklove.coco
  /data/data/com.mklove.coco/.jiagu/classes.dex!classes3.dex  4259  com.mklove.coco
  /data/data/com.mklove.coco/.jiagu/classes.dex               4315  com.mklove.coco:ipc
  /data/data/com.mklove.coco/.jiagu/classes.dex!classes2.dex  4315  com.mklove.coco:ipc
  /data/data/com.mklove.coco/.jiagu/classes.dex!classes3.dex  4315  com.mklove.coco:ipc
  /data/data/com.mklove.coco/.jiagu/classes.dex               4455  com.mklove.coco:ipc
  /data/data/com.mklove.coco/.jiagu/classes.dex!classes2.dex  4455  com.mklove.coco:ipc
  /data/data/com.mklove.coco/.jiagu/classes.dex!classes3.dex  4455  com.mklove.coco:ipc

Queries information about running processes on the device  (TTPs: 1, IoCs: 3)
Application may abuse the framework's APIs to collect information about running processes on the device.
  description             ioc                                                   Process
  Framework service call  android.app.IActivityManager.getRunningAppProcesses  com.mklove.coco
  Framework service call  android.app.IActivityManager.getRunningAppProcesses  com.mklove.coco:ipc
  Framework service call  android.app.IActivityManager.getRunningAppProcesses  com.mklove.coco:ipc

Queries information about the current Wi-Fi connection  (TTPs: 1, IoCs: 3)
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
  description             ioc                                               Process
  Framework service call  android.net.wifi.IWifiManager.getConnectionInfo  com.mklove.coco
  Framework service call  android.net.wifi.IWifiManager.getConnectionInfo  com.mklove.coco:ipc
  Framework service call  android.net.wifi.IWifiManager.getConnectionInfo  com.mklove.coco:ipc

Registers a broadcast receiver at runtime (usually for listening for system events)  (TTPs: 1, IoCs: 3)
  description             ioc                                            Process
  Framework service call  android.app.IActivityManager.registerReceiver  com.mklove.coco:ipc
  Framework service call  android.app.IActivityManager.registerReceiver  com.mklove.coco:ipc
  Framework service call  android.app.IActivityManager.registerReceiver  com.mklove.coco

Checks if the internet connection is available  (TTPs: 1, IoCs: 3)
  description             ioc                                                    Process
  Framework service call  android.net.IConnectivityManager.getActiveNetworkInfo  com.mklove.coco
  Framework service call  android.net.IConnectivityManager.getActiveNetworkInfo  com.mklove.coco:ipc
  Framework service call  android.net.IConnectivityManager.getActiveNetworkInfo  com.mklove.coco:ipc

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org  (IoCs: 1)
  flow  ioc
  12    s.appjiagu.com

Uses Crypto APIs (Might try to encrypt user data)  (TTPs: 1, IoCs: 3)
  description         ioc                          Process
  Framework API call  javax.crypto.Cipher.doFinal  com.mklove.coco:ipc
  Framework API call  javax.crypto.Cipher.doFinal  com.mklove.coco
  Framework API call  javax.crypto.Cipher.doFinal  com.mklove.coco:ipc
Processes

com.mklove.coco  (PID 4259)
  - Checks CPU information
  - Checks memory information
  - Loads dropped Dex/Jar
  - Queries information about running processes on the device
  - Queries information about the current Wi-Fi connection
  - Registers a broadcast receiver at runtime (usually for listening for system events)
  - Checks if the internet connection is available
  - Uses Crypto APIs (Might try to encrypt user data)
    sh -c ps  (PID 4487)
    ps  (PID 4487)

com.mklove.coco:ipc  (PID 4315)
  - Checks if the Android device is rooted.
  - Checks known Qemu files.
  - Checks known Qemu pipes.
  - Checks memory information
  - Loads dropped Dex/Jar
  - Queries information about running processes on the device
  - Queries information about the current Wi-Fi connection
  - Registers a broadcast receiver at runtime (usually for listening for system events)
  - Checks if the internet connection is available
  - Uses Crypto APIs (Might try to encrypt user data)
    /system/bin/sh -c getprop  (PID 4398)
    getprop  (PID 4398)
    logcat -d -v threadtime  (PID 4428)

com.mklove.coco:ipc  (PID 4455)
  - Checks if the Android device is rooted.
  - Checks known Qemu files.
  - Checks known Qemu pipes.
  - Checks memory information
  - Loads dropped Dex/Jar
  - Queries information about running processes on the device
  - Queries information about the current Wi-Fi connection
  - Registers a broadcast receiver at runtime (usually for listening for system events)
  - Checks if the internet connection is available
  - Uses Crypto APIs (Might try to encrypt user data)
    logcat -d -v threadtime  (PID 4544)
Network
MITRE ATT&CK Mobile v15
Downloads