Analysis

max time kernel: 29s
max time network: 131s
platform: android_x64
resource: android-x64-20240514-en
resource tags: android, arch:x64, arch:x86, image:android-x64-20240514-en, locale:en-us, os:android-10-x64, system
submitted: 01-06-2024 03:26
Static task: static1

Behavioral task: behavioral1
  Sample: 893d51dd6fb7ae889d8882dc1d75b7bb_JaffaCakes118.apk
  Resource: android-x86-arm-20240514-en

Behavioral task: behavioral2
  Sample: 893d51dd6fb7ae889d8882dc1d75b7bb_JaffaCakes118.apk
  Resource: android-x64-20240514-en
General

Target: 893d51dd6fb7ae889d8882dc1d75b7bb_JaffaCakes118.apk
Size: 18.5MB
MD5: 893d51dd6fb7ae889d8882dc1d75b7bb
SHA1: c9eb7c526e80963e3f9967817e2965419499fe96
SHA256: 0783d113641dfd20c236395078809c92a6a44a3174140b45d971ad626948c629
SHA512: a215db1b8e3ebdf3576d1b92fdcc9b4ec7bf205d60bf81fc0395d58ad090d59363fc5d1d58fa4e7d3586cc92ee559574bb9d16f38f7d7afd057539e4b9ee7118
SSDEEP: 393216:7+zY3XIwkqHxhYCUKWySZ3XYj9HFjIkTvh0d6+Tuv+DjbswlryRTB:7EgI8Hxh5UKWT41F8MCd6+qv+DktTB
Malware Config
Signatures
-
Checks if the Android device is rooted. (1 TTPs, 3 IoCs)
  ioc                        Process
  /system/app/Superuser.apk  com.mklove.coco:ipc
  /system/bin/su             com.mklove.coco:ipc
  /sbin/su                   com.mklove.coco:ipc

Requests cell location (2 TTPs, 1 IoCs)
Uses Android APIs to get the current cell location.
  description             ioc                                                        Process
  Framework service call  com.android.internal.telephony.ITelephony.getCellLocation  com.mklove.coco

Checks Android system properties for emulator presence. (1 TTPs, 3 IoCs)
  description                   ioc                Process
  Accessed system property key  ro.product.device  com.mklove.coco
  Accessed system property key  ro.product.model   com.mklove.coco
  Accessed system property key  ro.product.name    com.mklove.coco

Checks CPU information (2 TTPs, 2 IoCs)
Checks CPU information which indicates whether the system is an emulator.
  description           ioc            Process
  File opened for read  /proc/cpuinfo  com.mklove.coco
  File opened for read  /proc/cpuinfo  io.rong.push

Checks known Qemu files. (1 TTPs, 5 IoCs)
Checks for known Qemu files that exist on Android virtual device images.
  ioc                                    Process
  /system/lib/libc_malloc_debug_qemu.so  com.mklove.coco
  /sys/qemu_trace                        com.mklove.coco
  /system/lib/libc_malloc_debug_qemu.so  com.mklove.coco:ipc
  /sys/qemu_trace                        com.mklove.coco:ipc
  /system/bin/qemu-props                 com.mklove.coco:ipc

Checks known Qemu pipes. (1 TTPs, 4 IoCs)
Checks for known pipes used by the Android emulator to communicate with the host.
  ioc                Process
  /dev/socket/qemud  com.mklove.coco
  /dev/qemu_pipe     com.mklove.coco
  /dev/socket/qemud  com.mklove.coco:ipc
  /dev/qemu_pipe     com.mklove.coco:ipc

Checks memory information (2 TTPs, 1 IoCs)
Checks memory information which indicates whether the system is an emulator.
  description           ioc            Process
  File opened for read  /proc/meminfo  com.mklove.coco:ipc
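Each of the checks above (root binaries, build properties, /proc/cpuinfo, QEMU files, QEMU pipes, /proc/meminfo) is a weak signal on its own; legitimate SDKs read /proc/cpuinfo too. What makes them actionable is one process hitting several distinct categories. The script below is an added example, not Triage's own signature logic: it classifies file-open and property-read events from a constructed trace that mirrors this report's IoCs and flags any process that performs two or more distinct emulator checks. The one-event-per-line log format, the benign config.json path and the IoCs marked "assumption" (such as /system/xbin/su and ro.kernel.qemu) are mine, not from this report.

```python
"""Classify sandbox file-open and property-read events into the root and
emulator checks this report flags.  Added example, not Triage's rule logic.

Assumed log format (constructed for this example), one event per line:
    <pid> <process> <op> <target>
where <op> is 'open' (file opened for read) or 'getprop' (property read).
"""
from __future__ import annotations

from collections import defaultdict

# Paths probed to decide whether the device is rooted.
ROOT_PATHS = {
    "/system/app/Superuser.apk", "/system/bin/su", "/sbin/su",   # from this report
    "/system/xbin/su", "/data/local/tmp/su",                     # common extras (assumption)
}
# Files that exist only on emulator (QEMU/goldfish) system images.
QEMU_FILES = {"/system/lib/libc_malloc_debug_qemu.so", "/sys/qemu_trace", "/system/bin/qemu-props"}
# Host <-> guest channels of the Android emulator.
QEMU_PIPES = {"/dev/socket/qemud", "/dev/qemu_pipe"}
# procfs files whose content reveals a virtual CPU or an emulator-sized RAM.
PROC_FILES = {"/proc/cpuinfo": "cpuinfo", "/proc/meminfo": "meminfo"}
# Build properties compared against emulator values such as "generic" or "sdk".
EMULATOR_PROPS = {
    "ro.product.device", "ro.product.model", "ro.product.name",  # from this report
    "ro.kernel.qemu", "ro.hardware", "ro.build.fingerprint",     # common extras (assumption)
}
EMULATOR_CATEGORIES = {"emulator_prop", "cpuinfo", "meminfo", "qemu_file", "qemu_pipe"}


def classify(op: str, target: str) -> str | None:
    """Map one event to a check category, or None when it looks benign."""
    if op == "open":
        if target in ROOT_PATHS:
            return "root_check"
        if target in QEMU_FILES:
            return "qemu_file"
        if target in QEMU_PIPES:
            return "qemu_pipe"
        return PROC_FILES.get(target)
    if op == "getprop" and target in EMULATOR_PROPS:
        return "emulator_prop"
    return None


def summarize(log: str) -> dict[str, dict]:
    """Aggregate matched categories, IoCs and PIDs per process name."""
    result: dict[str, dict] = defaultdict(lambda: {"pids": set(), "categories": set(), "iocs": []})
    for line in log.strip().splitlines():
        parts = line.split(maxsplit=3)
        if len(parts) != 4:
            continue  # skip malformed lines instead of aborting the triage run
        pid, proc, op, target = parts
        cat = classify(op, target)
        if cat is not None:
            result[proc]["pids"].add(int(pid))
            result[proc]["categories"].add(cat)
            result[proc]["iocs"].append((cat, target))
    return dict(result)


def sandbox_evasion_suspected(entry: dict, min_categories: int = 2) -> bool:
    """True when a process performs at least min_categories distinct emulator
    checks; a lone /proc/cpuinfo read is too common in SDKs to act on."""
    return len(entry["categories"] & EMULATOR_CATEGORIES) >= min_categories


# Constructed sample log mirroring the IoCs listed in this report (plus one benign open).
SAMPLE_LOG = """
5115 com.mklove.coco getprop ro.product.device
5115 com.mklove.coco getprop ro.product.model
5115 com.mklove.coco getprop ro.product.name
5115 com.mklove.coco open /proc/cpuinfo
5115 com.mklove.coco open /system/lib/libc_malloc_debug_qemu.so
5115 com.mklove.coco open /sys/qemu_trace
5115 com.mklove.coco open /dev/socket/qemud
5115 com.mklove.coco open /dev/qemu_pipe
5115 com.mklove.coco open /data/data/com.mklove.coco/files/config.json
5269 com.mklove.coco:ipc open /system/app/Superuser.apk
5269 com.mklove.coco:ipc open /system/bin/su
5269 com.mklove.coco:ipc open /sbin/su
5269 com.mklove.coco:ipc open /system/bin/qemu-props
5269 com.mklove.coco:ipc open /dev/qemu_pipe
5269 com.mklove.coco:ipc open /proc/meminfo
5333 io.rong.push open /proc/cpuinfo
"""

if __name__ == "__main__":
    for proc, entry in summarize(SAMPLE_LOG).items():
        flag = "sandbox evasion suspected" if sandbox_evasion_suspected(entry) else "ok"
        print(f"{proc:22} pids={sorted(entry['pids'])} {sorted(entry['categories'])} -> {flag}")
```

On the constructed trace, com.mklove.coco and com.mklove.coco:ipc are flagged and io.rong.push (a single /proc/cpuinfo read) is not, which is the split a human analyst would make from the tables above. A real strace or Frida trace needs its own line parser; only classify and the category threshold carry over unchanged.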
Loads dropped Dex/Jar (1 TTPs, 9 IoCs)
Runs executable file dropped to the device during analysis.
  ioc                                                         pid   Process
  /data/data/com.mklove.coco/.jiagu/classes.dex               5115  com.mklove.coco
  /data/data/com.mklove.coco/.jiagu/classes.dex!classes2.dex  5115  com.mklove.coco
  /data/data/com.mklove.coco/.jiagu/classes.dex!classes3.dex  5115  com.mklove.coco
  /data/data/com.mklove.coco/.jiagu/classes.dex               5269  com.mklove.coco:ipc
  /data/data/com.mklove.coco/.jiagu/classes.dex               5333  io.rong.push
  /data/data/com.mklove.coco/.jiagu/classes.dex!classes2.dex  5333  io.rong.push
  /data/data/com.mklove.coco/.jiagu/classes.dex!classes3.dex  5333  io.rong.push
  /data/data/com.mklove.coco/.jiagu/classes.dex!classes2.dex  5269  com.mklove.coco:ipc
  /data/data/com.mklove.coco/.jiagu/classes.dex!classes3.dex  5269  com.mklove.coco:ipc
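The classes.dex loaded from /data/data/com.mklove.coco/.jiagu/ is the real application code being released by a packer at runtime (the .jiagu directory name is the one used by the 360 Jiagu packer), so the file that matters for static analysis is the one on the device, not the one inside the APK. When you pull such a dump, the first check is that it is a complete, well-formed DEX rather than a truncated or still-encrypted blob. The script below is an added example, not code from the sample, the packer or the sandbox: it decodes the DEX header and recomputes the Adler-32 checksum and SHA-1 signature the format carries. build_minimal_dex constructs a synthetic header-only DEX so the script runs offline; on a real dump, pass the file path as the first argument.

```python
"""Parse and verify the header of a classes.dex dumped from an app's private
directory (the .jiagu/classes.dex files in this report).  Added example, not
code from the sample, the packer or the sandbox; it follows the DEX header
layout of the Dalvik executable format.
"""
import hashlib
import struct
import sys
import zlib

DEX_MAGICS = {b"dex\n035\0", b"dex\n037\0", b"dex\n038\0", b"dex\n039\0"}
HEADER_SIZE = 0x70
ENDIAN_CONSTANT = 0x12345678
# The 20 little-endian uint32 fields that follow the 20-byte SHA-1 signature.
TAIL_FIELDS = (
    "file_size", "header_size", "endian_tag", "link_size", "link_off", "map_off",
    "string_ids_size", "string_ids_off", "type_ids_size", "type_ids_off",
    "proto_ids_size", "proto_ids_off", "field_ids_size", "field_ids_off",
    "method_ids_size", "method_ids_off", "class_defs_size", "class_defs_off",
    "data_size", "data_off",
)


def parse_dex_header(data: bytes) -> dict:
    """Decode the fixed 0x70-byte header; raises ValueError on a truncated dump."""
    if len(data) < HEADER_SIZE:
        raise ValueError(f"only {len(data)} bytes, shorter than a DEX header")
    hdr = {
        "magic": data[:8],
        "checksum": struct.unpack_from("<I", data, 8)[0],
        "signature": data[12:32],
    }
    hdr.update(zip(TAIL_FIELDS, struct.unpack_from("<20I", data, 32)))
    return hdr


def verify_dex(data: bytes) -> dict:
    """Recompute the integrity fields: Adler-32 covers everything after the
    checksum (offset 12), SHA-1 everything after the signature (offset 32).
    A failure means the dump is truncated, still packer-encrypted, or patched."""
    hdr = parse_dex_header(data)
    return {
        "magic_ok": hdr["magic"] in DEX_MAGICS,
        "size_ok": hdr["file_size"] == len(data),
        "header_ok": hdr["header_size"] == HEADER_SIZE and hdr["endian_tag"] == ENDIAN_CONSTANT,
        "signature_ok": hdr["signature"] == hashlib.sha1(data[32:]).digest(),
        "checksum_ok": hdr["checksum"] == (zlib.adler32(data[12:]) & 0xFFFFFFFF),
    }


def build_minimal_dex(tamper: bool = False) -> bytes:
    """Constructed input so the script runs offline: a DEX with no classes and a
    one-entry map_list as its only data, hashed correctly unless tamper=True."""
    map_list = struct.pack("<IHHII", 1, 0x0000, 0, 1, 0)   # one TYPE_HEADER_ITEM entry
    fields = [HEADER_SIZE + len(map_list), HEADER_SIZE, ENDIAN_CONSTANT,
              0, 0, HEADER_SIZE] + [0] * 12 + [len(map_list), HEADER_SIZE]
    body = struct.pack("<20I", *fields) + map_list          # everything after the signature
    signature = hashlib.sha1(body).digest()
    checksum = zlib.adler32(signature + body) & 0xFFFFFFFF
    if tamper:  # flip the last byte after hashing, as an in-memory patch would
        body = body[:-1] + bytes([body[-1] ^ 0xFF])
    return b"dex\n035\0" + struct.pack("<I", checksum) + signature + body


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_minimal_dex()
    hdr = parse_dex_header(blob)
    print(f"magic={hdr['magic']!r} classes={hdr['class_defs_size']} methods={hdr['method_ids_size']}")
    for check, ok in verify_dex(blob).items():
        print(f"  {check:13} {'OK' if ok else 'FAIL'}")
```

A dump that passes magic and size but fails signature or checksum has usually been patched in memory by the packer's loader (method bodies are often restored lazily), so it is worth dumping again later in the process's lifetime; a dump that fails magic is still encrypted and was captured before the loader finished. The class_defs_size and method_ids_size fields give a quick sanity check that the dump is the full application and not a small stub.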
Queries information about running processes on the device (1 TTPs, 3 IoCs)
Application may abuse the framework's APIs to collect information about running processes on the device.
  description             ioc                                                  Process
  Framework service call  android.app.IActivityManager.getRunningAppProcesses  com.mklove.coco
  Framework service call  android.app.IActivityManager.getRunningAppProcesses  io.rong.push
  Framework service call  android.app.IActivityManager.getRunningAppProcesses  com.mklove.coco:ipc

Queries information about the current Wi-Fi connection (1 TTPs, 2 IoCs)
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
  description             ioc                                              Process
  Framework service call  android.net.wifi.IWifiManager.getConnectionInfo  com.mklove.coco
  Framework service call  android.net.wifi.IWifiManager.getConnectionInfo  com.mklove.coco:ipc

Queries the phone number (MSISDN for GSM devices) (1 TTPs)

Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTPs, 3 IoCs)
  description             ioc                                            Process
  Framework service call  android.app.IActivityManager.registerReceiver  com.mklove.coco
  Framework service call  android.app.IActivityManager.registerReceiver  io.rong.push
  Framework service call  android.app.IActivityManager.registerReceiver  com.mklove.coco:ipc

Checks if the internet connection is available (1 TTPs, 3 IoCs)
  description             ioc                                                    Process
  Framework service call  android.net.IConnectivityManager.getActiveNetworkInfo  com.mklove.coco
  Framework service call  android.net.IConnectivityManager.getActiveNetworkInfo  io.rong.push
  Framework service call  android.net.IConnectivityManager.getActiveNetworkInfo  com.mklove.coco:ipc

Queries the unique device ID (IMEI, MEID, IMSI) (1 TTPs)

Reads information about phone network operator. (1 TTPs)

Listens for changes in the sensor environment (might be used to detect emulation) (1 TTPs, 1 IoCs)
  description         ioc                                              Process
  Framework API call  android.hardware.SensorManager.registerListener  com.mklove.coco

Uses Crypto APIs (Might try to encrypt user data) (1 TTPs, 2 IoCs)
  description         ioc                          Process
  Framework API call  javax.crypto.Cipher.doFinal  io.rong.push
  Framework API call  javax.crypto.Cipher.doFinal  com.mklove.coco:ipc
Processes

com.mklove.coco (PID 5115)
- Requests cell location
- Checks Android system properties for emulator presence.
- Checks CPU information
- Checks known Qemu files.
- Checks known Qemu pipes.
- Loads dropped Dex/Jar
- Queries information about running processes on the device
- Queries information about the current Wi-Fi connection
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Checks if the internet connection is available
- Listens for changes in the sensor environment (might be used to detect emulation)

com.mklove.coco:ipc (PID 5269)
- Checks if the Android device is rooted.
- Checks known Qemu files.
- Checks known Qemu pipes.
- Checks memory information
- Loads dropped Dex/Jar
- Queries information about running processes on the device
- Queries information about the current Wi-Fi connection
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Checks if the internet connection is available
- Uses Crypto APIs (Might try to encrypt user data)

io.rong.push (PID 5333)
- Checks CPU information
- Loads dropped Dex/Jar
- Queries information about running processes on the device
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Checks if the internet connection is available
- Uses Crypto APIs (Might try to encrypt user data)
Network
MITRE ATT&CK Mobile v15

Defense Evasion
  Download New Code at Runtime (T1407): 1
  Execution Guardrails (T1627): 1
    Geofencing (T1627.001): 1
  Hide Artifacts (T1628): 1
    User Evasion (T1628.002): 1
  Virtualization/Sandbox Evasion (T1633): 5
    System Checks (T1633.001): 5
Downloads

Filesize: 6.2MB
MD5: 776666b6ffcaaae598f1f131cd8036e5
SHA1: ad66a12c101cbe8fabca4e7f181a133fcc5b77d4
SHA256: df77079f58cb5ffae461349f5900ee326a9d04a050ae8196a02d9f821dc56e87
SHA512: cad7273e261ce78012a0f9d4d4d212fd063adb3264fc31bd8d49d4a89d73b13c5b92d4c7934721285d9f9da36a1a3049c41e355c4fec588386cbf38a8b1e1c63

Filesize: 6.5MB
MD5: aafa933e9d5788d9548e59c7cb90a7a8
SHA1: 8eb0ea8f984c800beecfb1f1f57fd57404769238
SHA256: 1aa3c1bdf4fb4b945977e0f3191aa4c1808d73812601abad1908da8d7adafaa7
SHA512: 5952f2cf2001e4ebcd05b7aa58009af39ae43f4b53642e2d411c0c036085d10b4cbc9f8d560cb0e872388c326aa8ea9b9c9d17663124d622efc3e0a4044045ec

Filesize: 274KB
MD5: 44d1beef1778fdd14ac712a7ac7da370
SHA1: 3be8adacfb7b3e9787f3d64bd93e8f58a3bab1ed
SHA256: f3e34bd5ec9c8953792cfbfe55aee311adfd0c5dc0217749759085232c7c78ba
SHA512: bbc78449c98783f0faff72fe93f727866a48982915f43838797c06c2128863a5bb278ef7f025926aa66402a6543dca9cb6bdb3fafa540aa309749baf91b1f399

Filesize: 482KB
MD5: d9adada5d6551f4f934bd867714cfb3d
SHA1: b81024554c9b48f7fad85d83b27697bbd85d6387
SHA256: 95e95c86650b1a80cf23b9c3286918c8ad64d52b0e22267ebb737cbd824d2491
SHA512: e66abac93edd4369772cef12c6c1716702661bf17f8eb6ecee86ad50361140b4f854ca7dc4fbf8e46802f36b81706ec7d951d6e9c803e242881dfb7ca865d456

Filesize: 510KB
MD5: 3f01d185c3ebafb8c0236bfcd634c4d6
SHA1: cc2da08fce34b6b57bedbd0a3d5319d2e58a1827
SHA256: e160d6098a09718bb4fd6c8a0a9bad2a4000336e2ebcc08e439a841d6c3cfb22
SHA512: 51979a1bd27cff8459e6f266744480b598c48775da35f4c60f58a2d1a88f888747fa66b8a495499e5ae033433f301bb42f2fd845a3eeffdcbf9166fed669b139

Filesize: 224B
MD5: fb0f05b639daea206a604ee417dd6963
SHA1: edf4d3e7b0d87ca534070114a9887415e1fa1259
SHA256: 0ce2249ff8d7042b56fd9e848ce6136a1709aa607ae393548cc22dec71692680
SHA512: a9751fba388df6000cab6fbea453fd3d77424fe1a739ca83e8c7260df8b47e21bb9d123cc185e1f41cc19b7aa8af032f4320752e0504f31711297ef67d5f531c

Filesize: 8KB
MD5: c9bee95e49a3e1809c65cd5b67ade340
SHA1: fb159e6701198d02680bb033bcfecd5b8c26b62b
SHA256: 2deda7fb8ed729201164280e04b715de0552c3904fccd464c4daaf1deebc6ca0
SHA512: d64001261f7f629c4e29bb051f179e7af51b43414e0f2398c197c2837f348644709d20f7769161f20b6340b38b381c0dfd69df0888310a80663098b8ccc60ee2

Filesize: 52KB
MD5: 0c15fc4c0ecb4c4d5f69563e62f4f184
SHA1: 7553b26a49e7226c94aa3291e35a69e4d88a416b
SHA256: 85b5263442fb4ba2f8a5105a5d74b6586b19744e5cba0fbebb2a97cab8fed07c
SHA512: 6432ff3add9ca1e45428d725ee0e1cb2fdc5492b481686414579b1475dff811e44c3dabe09b394ef9c5f1813b073bcf5fdf59614458e121e35932e80441e6054

Filesize: 512B
MD5: 6798bfa0886059e3dc6d31901f8546ab
SHA1: 91d3d62f3721f3c1ebb98db4242c22ab17253677
SHA256: 5717931da044e86e161cc5ef36c3b3c2a158926eb7eb6340e659bf3613cb1a58
SHA512: 6492bd928b1195f38df9e4b9dcb271865ec350d9d0edadc99e4f6181f08821c2d4244e6acbfc8efb8ef6ab85bc420213c9b15dad185655cb202662c91a7c170b

Filesize: 8KB
MD5: 038594f642bc99a2c8518d4ad5b40a1e
SHA1: b67dac851605c3259c83ed18ff7247f4db7ed871
SHA256: 4562dcff56a78a36fb1854417aac0ac204bf06f4c94b1186ffa42d205a7cc05e
SHA512: 2d931118350457e21a1ba5d74060a70892b1bbc9f93934ffd39d6e68e245885703fb1cf2d85018aca4ec3ee5eb3c06fb719d940b544629db8c9fcab3597c4e2e

Filesize: 8KB
MD5: dbf9b5d5919a6cb9991e7b45b5594fa4
SHA1: 633cc268fda25bf948314f0ce98253d59c4098ea
SHA256: 0a9a41ceb83c944625a601af49b997842e5d2208689f7336a3e0b39b87a84649
SHA512: ae9af23b65c055f32e440dc251c02450af337e3a00aa9b79f51481d1cbf1c1d35ef5220179f6bb17d74cec7aa32fa6833cee60905b6d84b278802a0258a0924e

Filesize: 8KB
MD5: ffed0da96d533a8e940f56938ca1c53b
SHA1: 8e382c68c0224595e350dcd3bc4aabc440429c4b
SHA256: ba9004d999edc6ef7202fd35d8a80543d4f7bed75041b7a415c81be0acc9ab42
SHA512: c16315150960db2b9a6c5264881ff54f0949e4acf7bfdcfaa6811eae0e62f3b19060b893d82af056cc1e96d87fa4a42fb638fc94e317b2bd7dd67cb51f800f1a

Filesize: 8KB
MD5: 98ca249f85c436d857e6d5d2fdf9aa3d
SHA1: 335fd5c262e84f2d6c6a6e8c71f8e360f7edd587
SHA256: 6eae09a4de48c92ac8dd224f68d4a77d03ab21af160be56a3d685e6eb339604d
SHA512: 1347b8dace24c8156e3913d7f80b0979ab80eb4041fb390d6ece09fcbbe3b56d4a61313a408d4aee33deab23b087dfe51b4f3a2cfd04c7540cec5815fbb7dc46

Filesize: 8KB
MD5: 56a99db9fbef6549cb392ad9540413ba
SHA1: 7a594214944df3fdb0ba31e448a2c0f90e5c09dd
SHA256: 9a3507506d7a8358934d1f8654fb871be0c7fc3eeb193f164782c0b25375c63f
SHA512: 290ac6a2718f7b26d6ab9bf91c4c39455cc8991185b41390eefa8a1d8d7ab1471b04589a40b7dfe8e8f5130ccd48941085834ec6f52ea64dbf0d40dcf1481b4a

Filesize: 663KB
MD5: bbf0bcf20f39702e1063a6e932d7c56f
SHA1: 48a5a009f9d7b18cb2ce2ad5144da9f4b780fa68
SHA256: 0ccc8f3a0e26244581bbdd9e36a03ba01261a2d8579f691f2dede13233cb4cfc
SHA512: c73662c81f152d09bb6a633b63c9b4eafc7d27bcdefc2d7942b69339bbdbccbf078aeeafc5cea0812059a97e35f13cdf87bfc45bb0a927405d0249a2e2adea32

Filesize: 8KB
MD5: dcff185367b5bece82b7864e3dfee51b
SHA1: fa00204e0d358d43536fae174af68be3b0ab11c8
SHA256: 145af0c6ddbfcd4b686c05dff1252bc5561493c6e06c6414c1ee8c6350c25067
SHA512: e287ddee56fa9ddc2780bc43ea61b8ed7c0afd13dea32e17bfdfb4f96b8402ccfa7d612e11d28f91eb862bc617d5eccc30f36235dc0cdb3d7fb9e8bb76ee8632

Filesize: 314B
MD5: 84a986566b3b9e543c6937492bb742ca
SHA1: 90fabe2b7f0a5a6854e8ca66e4e4f59aaf1df331
SHA256: 800f08b7270edc4168d9e2357d6b7094686dc8b6057eea77a5f6cc9d9656b7c9
SHA512: 54124762b3c0ddf520baa9cd116c1ad1da4cd5a33233b45b2883db453b1fbfbfd2e78e1138d4b78ff0a212d46097059604cbf9f352916eebc213b21fe438ee7e

Filesize: 58B
MD5: 0d210bfb2a0e1f1b4c082a6a0f79de07
SHA1: bb8ed9e364db79d1d9f2fcde3f15091893222faa
SHA256: 988722c23d78a46021d0e7ca9deee7aa8bb83288269174ffacb7316f381cca1d
SHA512: 536e9867b0df29b15b789f8949be6ab37fcdeccb9d39ded981da7dc2052c9533d0ec0e6f9a5444132977605d372e1463d91bdde41b528ff2ca3f65ab152325c1

Filesize: 8KB
MD5: 3520b64c94b4135ab784c82d45587192
SHA1: f2bb0d98a095e96ff1447194e796f530522d128a
SHA256: bb159fdb88b66fc7e693fe62248a7cfd87836d358f71981ed6d39b46fbe8d668
SHA512: f5b7fea2a4f77d7a9e4f1fe0235f46add818cf025371f0d0d5bc1bb43881df5256f7f7472accf6f231de9507357224eb14c86ec8201c5205fd10ab8614305dcb

Filesize: 1KB
MD5: e557e4e0363378a44849f4862638df25
SHA1: dbbf8a57c6f4fbb997883a23a063ae9825eb670f
SHA256: 66247024ad712e8e040f215438471369cbcf9f9b7eca0e210ab372cc3fabeb80
SHA512: eff7562c45e068d65868ab741a0cbe872a26fe77ea4f9ee484968b6d3b45c17bbc762fe844a0cecf95240a84753275854c73151b735088ac2381adb00c36ebbc

Filesize: 12KB
MD5: 6ce3f0d91a56280a6d7a22c8d4924023
SHA1: 27d90e6062cf4592b1f19808fb6d653deb982bba
SHA256: 2a7d6bdd7e4b50eb8c435bb0a7763bc55a28c0caa421a48c1f585f6368728c04
SHA512: 9ae1e2bfe6dd8cd9aacbde234b3c3eacf675e2303c9b5ce9a28697c466b640a52fb451bd0c79de04deec232b4f562d08c4699f0952add564d85b3c539b1bad5f