39008771c876221b4e66d6df767a04230297d184cd0fc3868debd2a51003dd44

Analysis

max time kernel
177s
max time network
149s
platform
android_x86
resource
android-x86-arm-20240514-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20240514-enlocale:en-usos:android-9-x86system
submitted
01/06/2024, 20:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8baec34688fc52ac8145046341ae1427_JaffaCakes118.apk
Size

30.8MB
MD5

8baec34688fc52ac8145046341ae1427
SHA1

ae0a32d62134e36ed57680bc1841ca4ba585c918
SHA256

39008771c876221b4e66d6df767a04230297d184cd0fc3868debd2a51003dd44
SHA512

a47f0309d42ba91973522dc70ab7afb723572ffec74d95ae49d9440a4c5232a6d572a55783b467a65066d86459b90472560177ad984d9d7bfb206a58699f1dad
SSDEEP

786432:c9ZTAkr1VdgysOzRZP+42X8h7g8sjYS1X:iZk+bWysAd+vMxg8snV

Score

8^/10

banker discovery evasion persistence

Malware Config

Signatures

Checks if the Android device is rooted. 1 TTPs 4 IoCs

evasion

System Information Discovery

T1426

ioc	Process
/system/bin/su	com.hjyldfc.yiqu
/system/xbin/su	com.hjyldfc.yiqu
/system/bin/su	com.snowfish.a.a.bg
/system/xbin/su	com.snowfish.a.a.bg

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001

Checks CPU information 2 TTPs 8 IoCs

Checks CPU information which indicate if the system is an emulator.

evasion discovery

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	/system/bin/cat /proc/cpuinfo
File opened for read	/proc/cpuinfo	/system/bin/cat /proc/cpuinfo
File opened for read	/proc/cpuinfo	/system/bin/cat /proc/cpuinfo
File opened for read	/proc/cpuinfo	/system/bin/cat /proc/cpuinfo
File opened for read	/proc/cpuinfo	/system/bin/cat /proc/cpuinfo
File opened for read	/proc/cpuinfo	com.hjyldfc.yiqu
File opened for read	/proc/cpuinfo	com.snowfish.a.a.bg
File opened for read	/proc/cpuinfo	/system/bin/cat /proc/cpuinfo

Checks known Qemu files. 1 TTPs 1 IoCs

Checks for known Qemu files that exist on Android virtual device images.

evasion

System Checks

T1633.001

ioc	Process
/sys/qemu_trace	com.snowfish.a.a.bg

Checks known Qemu pipes. 1 TTPs 1 IoCs

Checks for known pipes used by the Android emulator to communicate with the host.

evasion

System Checks

T1633.001

ioc	Process
/dev/socket/qemud	com.snowfish.a.a.bg

Checks memory information 2 TTPs 2 IoCs

Checks memory information which indicate if the system is an emulator.

evasion discovery

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	com.hjyldfc.yiqu
File opened for read	/proc/meminfo	com.snowfish.a.a.bg

Loads dropped Dex/Jar 1 TTPs 3 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/storage/emulated/0/Sonnenblume/res.apk	4342	com.hjyldfc.yiqu
/storage/emulated/0/Sonnenblume/res.apk	4455	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/storage/emulated/0/Sonnenblume/res.apk --output-vdex-fd=46 --oat-fd=47 --oat-location=/storage/emulated/0/Sonnenblume/oat/x86/res.odex --compiler-filter=quicken --class-loader-context=&
/storage/emulated/0/Sonnenblume/res.apk	4385	com.snowfish.a.a.bg

Queries information about the current Wi-Fi connection 1 TTPs 2 IoCs

Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

discovery

System Network Connections Discovery

T1421

description	ioc	Process
Framework service call	android.net.wifi.IWifiManager.getConnectionInfo	com.snowfish.a.a.bg
Framework service call	android.net.wifi.IWifiManager.getConnectionInfo	com.hjyldfc.yiqu

Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 2 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	com.snowfish.a.a.bg
Framework service call	android.app.IActivityManager.registerReceiver	com.hjyldfc.yiqu

Checks if the internet connection is available 1 TTPs 2 IoCs

discovery

System Network Connections Discovery

T1421

description	ioc	Process
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.snowfish.a.a.bg
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.hjyldfc.yiqu

com.hjyldfc.yiqu
1⤵
- Checks if the Android device is rooted.
- Checks CPU information
- Checks memory information
- Loads dropped Dex/Jar
- Queries information about the current Wi-Fi connection
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Checks if the internet connection is available
PID:4342
- cat /sys/block/mmcblk0/device/cid
  2⤵
  PID:4374

com.snowfish.a.a.bg
1⤵
- Checks if the Android device is rooted.
- Checks CPU information
- Checks known Qemu files.
- Checks known Qemu pipes.
- Checks memory information
- Loads dropped Dex/Jar
- Queries information about the current Wi-Fi connection
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Checks if the internet connection is available
PID:4385
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/storage/emulated/0/Sonnenblume/res.apk --output-vdex-fd=46 --oat-fd=47 --oat-location=/storage/emulated/0/Sonnenblume/oat/x86/res.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4455
- cat /sys/block/mmcblk0/device/cid
  2⤵
  PID:4620
- /system/bin/cat /proc/cpuinfo
  2⤵
  - Checks CPU information
  PID:4642
- /system/bin/cat /proc/cpuinfo
  2⤵
  - Checks CPU information
  PID:4722
- /system/bin/cat /proc/cpuinfo
  2⤵
  - Checks CPU information
  PID:4774
- /system/bin/cat /proc/cpuinfo
  2⤵
  - Checks CPU information
  PID:4811
- /system/bin/cat /proc/cpuinfo
  2⤵
  - Checks CPU information
  PID:4839
- /system/bin/cat /proc/cpuinfo
  2⤵
  - Checks CPU information
  PID:4869

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Discovery

Software Discovery

T1418

Security Software Discovery

T1418.001

System Information Discovery

T1426

System Network Configuration Discovery

T1422

System Network Connections Discovery

T1421

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.hjyldfc.yiqu/files/duration

Filesize
40B

MD5
488575884d03c0fb5327abe2d7302426

SHA1
6a4134687b22c3578d1fcd7e7a89fe42dfe41cb3

SHA256
1b1bd61dff9f4c2119433606ff5b2c6e2d0d7a3d54c0887a657d48353b7ce307

SHA512
604f11d211c1e2e71d3335c9a2d519d878d3ea420d28efaa8b342ada6ff30f6f90293a4d36e8d337417c143c8bd627565bf25871359595e7bd8c444bcdba4dff

Download Submit
/data/data/com.hjyldfc.yiqu/files/st_database.db

Filesize
28KB

MD5
20f09f9ce7a9a0edc7601d7d0401c87f

SHA1
d368b0947fd5421cbe2cddccc2182e1e15997538

SHA256
16dce37e333070c3d67cf4c8f4c08de43cfd217fc55bb4e2086717a028fbd35d

SHA512
1e6cb47eafbc906d2bcb06853c5d139ef3536d3820eb1d457703a6ed455f5275c97d11804d3263be7791ada1c952d1c0e5f6348ba959e7537f7d927278848489

Download Submit
/data/data/com.hjyldfc.yiqu/files/st_database.db-journal

Filesize
512B

MD5
4ea17de63301ff283da38e35283ab11c

SHA1
20b4e7a05de4320f6fa67cace9349ef0691f4c09

SHA256
a11ac5d8d20d544199058c5bd696907bacac8058dd64dbead7c379b715939f0c

SHA512
53a4f125eb786e162f4bc254b59b3a4f33f525d0ca608c18a24b63458e9668b0460e95d3cd810a2581dca6e649b3490688e4d251b0eaabc6e05abbb00d73a9b2

Download Submit
/data/data/com.hjyldfc.yiqu/files/st_database.db-shm

Filesize
353B

MD5
25d0bec9e5c47e7d6119affe0066fdc2

SHA1
a44be42b151ec3644eab246488a3b45eaacd3f09

SHA256
c78a95ed6add569582070ccbd0de881cadf178a83cc5157f54ec13b175128163

SHA512
9c9aab3348ea98f8b443a41f16e4295ac627ce029dd4f6eacf7259643a9ed6882f671a0949cc2a0e97166608ce583096a23f45edbb2287eee8660b10f5dcc461

Download Submit
/data/data/com.hjyldfc.yiqu/files/st_database.db-wal

Filesize
48KB

MD5
2c19b78915b3e7faeb95c0753d302ffb

SHA1
d2eebe9728d812cb3a36fa87ee77cdc04680e072

SHA256
b93d86822837d46d02a3919e612fb1cdb708807099d7df59b8a40baf9db999ac

SHA512
dd97a84042b6df539f808ed8966f3292a783851b5728d498aeda1435a06e3537579fb4d4c80b81753fc9fbdc3072f7a5fbd8e08abc3674c13132238b9c2f26eb

Download Submit
/storage/emulated/0/Sonnenblume/4A72F2DFFDBD84EB0C5C797BB76AFC44

Filesize
128B

MD5
657969fba72627ac97a192310458bedd

SHA1
12dfd75dca46ed1826bb4e703007314e3904f916

SHA256
b83305fbed6837164b90e0e49b32f6e8833d86e76aad34cb6ae01d2d8b5a6f0f

SHA512
0e5ae4f522ae05801527358bfa8b197002ecd966264ca983be2cb633883113c187e54725d524e14dc1eb4cfe5a5335c383128beefe38c4786f2c07d4310de195

Download Submit
/storage/emulated/0/Sonnenblume/EE53AF5B170264468E95E783E26D76C2

Filesize
319B

MD5
43774ad5c40819dfe5d1d26bd40334e6

SHA1
67c6dc033fa3280a1281b4e1e0599b548eed6f4b

SHA256
44260f6154322dcd0811bab92cd3f7a6456f8dca402f8b77e887530fb6b84773

SHA512
6c812bb63bbdb79657d9df0e49a55ef6794454694f1f080e5f7cda12c79d46d8d5767c632b09aae070e4b626acd7c209e0a5d68b85618605f6ee70109f57682d

Download Submit
/storage/emulated/0/Sonnenblume/EE53AF5B170264468E95E783E26D76C2

Filesize
353B

MD5
00e703180bea0c6162950448e824240b

SHA1
58a5fd9cdf7b222334a308ef3b55a684f7c04293

SHA256
1edb57262b95105a63c71a480974c8acea76a62b74b58722b4b910f908551873

SHA512
2a2df8db77d0edd8440acf205c35474847d7d5ba004f959e07ad93b208cf9b5f50d39ce45fca6362a9a3615bdce2e07f21f1f8658b3fd369d514c5417031842d

Download Submit
/storage/emulated/0/Sonnenblume/EE53AF5B170264468E95E783E26D76C2

Filesize
353B

MD5
bf8212f0bd483c753c2a42b057348a5c

SHA1
8ac4f17f0cff7ceed5ac0f766909b6b6c9c716ec

SHA256
6d3a6328c540818dab972f478e3ed6d3a4b4ed8043309a385aa328ebb6c3c069

SHA512
6d058d011549e31e939052150562ccdad3967b0e35e5a02552321664309bffaaad84169a18aa0f7e0055cbeb7d616193d478af931d3adc97f141ee8c9ccfbb19

Download Submit
/storage/emulated/0/Sonnenblume/res.apk

Filesize
433KB

MD5
2639a7fafd82266d6313f59ac1c927cd

SHA1
1a0d135ed060c236ec35aedf25ae2b481e0c226f

SHA256
e653eba8ee86ca07139b427c3366b10245abb9e694db6412a1811726381830f2

SHA512
e0578d5369a81710ee3ccb2b5dfe5633e830caba079f41761fff94480ff7b33fd965aaa75a17b839e377a640404a2aff2b4c503ebf06a8c78f428541ef60c00e

Download Submit
/storage/emulated/0/Sonnenblume/res.apk

Filesize
433KB

MD5
f619f2744ecf318ddc66a6649ab0303c

SHA1
6f831b3a13716c1cd4836b0e16d867ec816b3b78

SHA256
b0911522dbd8f142da6e89d45639377af0ba89ff43184dfa3a03b215052c295e

SHA512
c5bbf4d719519d3e0a7715ca6dea48f76d0b0a52ea786d65bcffe13e6d6daea493bd250fd87ddcea24455797604c1c0ef00862d5a24e8b1cd77c0056d53b1258

Download Submit
/storage/emulated/0/Sonnenblume/res.apk.u

Filesize
205KB

MD5
dafb7d4b90ea8d376128c625183dd9ad

SHA1
883c9b0586e740e9fb976d27a437e84fc26e92fd

SHA256
07be7e035e50b372d700b7cc148515a26b0775b2b485e50895988753fe24b12b

SHA512
56deefb30f358f2d404c93725f331374f0878b8121d95412ab1b1299364b2eea2b7fe179e21bbe96f4076300556a09f55825118ff67b401504c2f3b82af6b13b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads