Analysis
max time kernel: 55s
max time network: 175s
platform: android_x86
resource: android-x86-arm-20240514-en
resource tags: android, arch:arm, arch:x86, image:android-x86-arm-20240514-en, locale:en-us, os:android-9-x86, system
submitted: 02-06-2024 08:01
Static task: static1
Behavioral task: behavioral1
  Sample: 8d6346731b68f41af2e69f11d93e24fa_JaffaCakes118.apk
  Resource: android-x86-arm-20240514-en
Behavioral task: behavioral2
  Sample: 8d6346731b68f41af2e69f11d93e24fa_JaffaCakes118.apk
  Resource: android-x64-arm64-20240514-en
General
Target: 8d6346731b68f41af2e69f11d93e24fa_JaffaCakes118.apk
Size: 26.5MB
MD5: 8d6346731b68f41af2e69f11d93e24fa
SHA1: 374c8dffc3fd80fc531e6f4468e84bc133bf0a6f
SHA256: 32222772e81d03ab733bce47fa0348e7cda65020a2c9fce95220a12936d847c5
SHA512: 06e284cff6c5d5460630988709e9f153e642d4de00377209f092823094b99529de7a13f7bb2aa17c1e6b6d12fe89923d372de2871cb43351551fa94f7b6e16d5
SSDEEP: 786432:4QcW79bfAHziywLUEdrvu+jh7evTTEXAogoqEfIq:xcybfAGL1drW+NKbTEAfJEfh
Malware Config
Signatures
- Checks if the Android device is rooted. (1 TTPs, 1 IoCs)
  Processes: com.incooltech.xsyd
  ioc: /sbin/su | process: com.incooltech.xsyd
- Requests cell location (2 TTPs, 1 IoCs)
  Uses Android APIs to get the current cell location.
  Processes: com.incooltech.xsyd
  description: Framework service call | ioc: com.android.internal.telephony.ITelephony.getCellLocation | process: com.incooltech.xsyd
- Checks CPU information (2 TTPs, 1 IoCs)
  Checks CPU information that indicates whether the system is an emulator.
  Processes: com.incooltech.xsyd
  description: File opened for read | ioc: /proc/cpuinfo | process: com.incooltech.xsyd
- Checks memory information (2 TTPs, 1 IoCs)
  Checks memory information that indicates whether the system is an emulator.
  Processes: com.incooltech.xsyd
  description: File opened for read | ioc: /proc/meminfo | process: com.incooltech.xsyd
- Queries information about running processes on the device (1 TTPs, 2 IoCs)
  Application may abuse the framework's APIs to collect information about running processes on the device.
  Processes: com.incooltech.xsyd, com.incooltech.xsyd:pushcore
  description: Framework service call | ioc: android.app.IActivityManager.getRunningAppProcesses | process: com.incooltech.xsyd
  description: Framework service call | ioc: android.app.IActivityManager.getRunningAppProcesses | process: com.incooltech.xsyd:pushcore
- Queries information about the current Wi-Fi connection (1 TTPs, 1 IoCs)
  Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
  Processes: com.incooltech.xsyd
  description: Framework service call | ioc: android.net.wifi.IWifiManager.getConnectionInfo | process: com.incooltech.xsyd
- Queries the mobile country code (MCC) (1 TTPs, 1 IoCs)
  Processes: com.incooltech.xsyd
  description: Framework service call | ioc: com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | process: com.incooltech.xsyd
- Reads the content of the SMS messages. (1 TTPs, 1 IoCs)
  Processes: com.incooltech.xsyd
  description: URI accessed for read | ioc: content://sms/ | process: com.incooltech.xsyd
- Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTPs, 2 IoCs)
  Processes: com.incooltech.xsyd, com.incooltech.xsyd:pushcore
  description: Framework service call | ioc: android.app.IActivityManager.registerReceiver | process: com.incooltech.xsyd
  description: Framework service call | ioc: android.app.IActivityManager.registerReceiver | process: com.incooltech.xsyd:pushcore
- Acquires the wake lock (1 IoCs)
  Processes: com.incooltech.xsyd
  description: Framework service call | ioc: android.os.IPowerManager.acquireWakeLock | process: com.incooltech.xsyd
- Checks if the internet connection is available (1 TTPs, 2 IoCs)
  Processes: com.incooltech.xsyd, com.incooltech.xsyd:pushcore
  description: Framework service call | ioc: android.net.IConnectivityManager.getActiveNetworkInfo | process: com.incooltech.xsyd
  description: Framework service call | ioc: android.net.IConnectivityManager.getActiveNetworkInfo | process: com.incooltech.xsyd:pushcore
- Domain associated with commercial stalkerware software; includes indicators from echap.eu.org (1 IoCs)
  flow: 21 | ioc: alog.umeng.com
- Reads information about phone network operator. (1 TTPs)
- Uses Crypto APIs (might try to encrypt user data) (1 TTPs, 1 IoCs)
  Processes: com.incooltech.xsyd
  description: Framework API call | ioc: javax.crypto.Cipher.doFinal | process: com.incooltech.xsyd
Processes
- com.incooltech.xsyd (PID: 4265)
  - Checks if the Android device is rooted.
  - Requests cell location
  - Checks CPU information
  - Checks memory information
  - Queries information about running processes on the device
  - Queries information about the current Wi-Fi connection
  - Queries the mobile country code (MCC)
  - Reads the content of the SMS messages.
  - Registers a broadcast receiver at runtime (usually for listening for system events)
  - Acquires the wake lock
  - Checks if the internet connection is available
  - Uses Crypto APIs (might try to encrypt user data)
- com.incooltech.xsyd:pushcore (PID: 4299)
  - Queries information about running processes on the device
  - Registers a broadcast receiver at runtime (usually for listening for system events)
  - Checks if the internet connection is available
  - cat /sys/class/net/wlan0/address (PID: 4460)
  - cat /sys/class/net/wlan0/address (PID: 4486)
Network
MITRE ATT&CK Mobile v15
Defense Evasion
  Execution Guardrails (1)
    Geofencing (1)
  Virtualization/Sandbox Evasion (2)
    System Checks (2)
Downloads