Analysis

  • max time kernel
    179s
  • max time network
    182s
  • platform
    android_x86
  • resource
    android-x86-arm-20240514-en
  • resource tags

    android, arch:arm, arch:x86, image:android-x86-arm-20240514-en, locale:en-us, os:android-9-x86, system
  • submitted
    01-06-2024 16:29

General

  • Target

    8b0c89faf2b07b6ba36f7a81b7c79bbc_JaffaCakes118.apk

  • Size

    989KB

  • MD5

    8b0c89faf2b07b6ba36f7a81b7c79bbc

  • SHA1

    c3e4aab40dc6fa16c1246dee2ac79009a5243c6f

  • SHA256

    51d55e7e57b18fe8f4bd5f2b30566063b634c7f9b1efbee083407e29ec6446c3

  • SHA512

    6c69c2e9eba47c1e2ab5091a7fb5be2cdc2a8a33d87b36ff4c07ba200ad358844e4d6157757231f88e724b7925c4c8565ae72f91a46f513819e6be0ef7b296e5

  • SSDEEP

    24576:MLApizZWrqvgb3NwBifWu8GLjCMazxxgUHdRC69:8PZOiGGif7BjCvxDRCm

Malware Config

Signatures

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
  • Requests cell location 2 TTPs 1 IoCs

    Uses Android APIs to get the current cell location.

  • Checks CPU information 2 TTPs 1 IoCs

    Checks CPU information that indicates whether the system is an emulator.

  • Checks known Qemu pipes. 1 TTPs 2 IoCs

    Checks for known pipes used by the Android emulator to communicate with the host.

  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

  • Queries account information for other applications stored on the device 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect account information stored on the device.

  • Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
  • Tries to add a device administrator. 2 TTPs 1 IoCs
  • Acquires the wake lock 1 IoCs
  • Checks if the internet connection is available 1 TTPs 1 IoCs
  • Reads information about phone network operator. 1 TTPs

Processes

  • com.vaukcxeuyx.lvfzcrplmxu
    1⤵
    • Removes its main activity from the application launcher
    • Requests cell location
    • Checks CPU information
    • Checks known Qemu pipes.
    • Loads dropped Dex/Jar
    • Queries account information for other applications stored on the device
    • Queries information about the current Wi-Fi connection
    • Queries the mobile country code (MCC)
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Tries to add a device administrator.
    • Acquires the wake lock
    • Checks if the internet connection is available
    PID:4283
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.vaukcxeuyx.lvfzcrplmxu/app_wybrolv/dtkfskytdr.jar --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.vaukcxeuyx.lvfzcrplmxu/app_wybrolv/oat/x86/dtkfskytdr.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4342

Network

MITRE ATT&CK Matrix


Downloads

  • /data/data/com.vaukcxeuyx.lvfzcrplmxu/app_wybrolv/dtkfskytdr.jar
    Filesize

    344KB

    MD5

    98edb99186a9ad3e4f164e35118a85d0

    SHA1

    4cbb0a10d6aea00b7bcc588460348f24793f8d4c

    SHA256

    6a568079d8281fc451e377c6f37a1f7e5f1d98acfe3918603addada434f1b3c0

    SHA512

    a63c4e43a8fce749d9fc7d4252790c78335069b533696ad67afa1541b32206c7117a35acaddb664960a42450d24ac7fb4902d8eb8731651e01279fea8ee4e990

  • /data/data/com.vaukcxeuyx.lvfzcrplmxu/app_wybrolv/oat/dtkfskytdr.jar.cur.prof
    Filesize

    1KB

    MD5

    c63420882f37dfd43885c81fe89ac897

    SHA1

    0d7911287d196c1022f5778fbdad40452ec5179c

    SHA256

    352f42171522f0f24501ba3b85821cb98c9072573c1d9cc8cd3c63f351d083fe

    SHA512

    8fd287fa37fec17e87192933cdb86891621daecd5ca5f0c93c21915382fabd08aeb262b933e216ce02696bba7d9d9278ea87db421b69fa1f0ce91225b0479cd3

  • /data/user/0/com.vaukcxeuyx.lvfzcrplmxu/app_wybrolv/dtkfskytdr.jar
    Filesize

    829KB

    MD5

    c341e79bf4c322fe506c5a215ff1f9f9

    SHA1

    a03d21ab8c612ff6ef549603f790a776a3a3d763

    SHA256

    2d3ae8cb24a2cd74687439b7be105d0f5b49792ff69b8c43870275bb37137b07

    SHA512

    1412500629e6ef11fe15a670225f1f08eedc7d7e817a388547a82a81e50e72069e99eced629d738b6e7ab366ae9eb5bfa9202b53f1c98fecac94354852a7dd58

  • /data/user/0/com.vaukcxeuyx.lvfzcrplmxu/app_wybrolv/dtkfskytdr.jar
    Filesize

    829KB

    MD5

    c95df19d6d33737c16036c9780c884eb

    SHA1

    1d12570e83369d36eff19a17348197b67a41b30f

    SHA256

    5a442bd439821f13ab9a7d5dc6b6b5c85080d367cd6bd4266ffc9c826eec851d

    SHA512

    de70b8aa435cf97e2f93b9ebf613b8ba1f7020257adc735a6601c040a2b433ec2b4bbaa72c42da5913528d9888714a9576b53bce08c833369fa69032cecd1ef3