General

  • Target

    90856505ad24499042ce139ee985190e_JaffaCakes118

  • Size

    18.6MB

  • Sample

    240603-e1rz8sbc2z

  • MD5

    90856505ad24499042ce139ee985190e

  • SHA1

    104d06f2d2ab5e7ec569b9a025684466fc02749e

  • SHA256

    1fb9013bff278259a6c99cbed5c231a07e55c570ce03d4566c1e15f61041355f

  • SHA512

    882b8521ad8ef50c9a52acf4b54bf6338700b9119dea0112a547c9884d8b963cc36be4d3c2bdb7d554715f9df25577e70df1d13714db03841a2b6d0d0513fbc1

  • SSDEEP

    393216:Up70AjaM9AY85pxETATCOnwHuKUbtJCVAmFG++LbK8Ma7yTCzgIiIwyUxsT/POOV:Uh0AjaFlGThOnwLYQwvKjLWzXzMw

Malware Config

Targets

    • Target

      90856505ad24499042ce139ee985190e_JaffaCakes118

    • Size

      18.6MB

    • MD5

      90856505ad24499042ce139ee985190e

    • SHA1

      104d06f2d2ab5e7ec569b9a025684466fc02749e

    • SHA256

      1fb9013bff278259a6c99cbed5c231a07e55c570ce03d4566c1e15f61041355f

    • SHA512

      882b8521ad8ef50c9a52acf4b54bf6338700b9119dea0112a547c9884d8b963cc36be4d3c2bdb7d554715f9df25577e70df1d13714db03841a2b6d0d0513fbc1

    • SSDEEP

      393216:Up70AjaM9AY85pxETATCOnwHuKUbtJCVAmFG++LbK8Ma7yTCzgIiIwyUxsT/POOV:Uh0AjaFlGThOnwLYQwvKjLWzXzMw

    • Checks if the Android device is rooted.

    • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

    • Requests cell location

      Uses Android APIs to to get current cell information.

    • Checks known Qemu files.

      Checks for known Qemu files that exist on Android virtual device images.

    • Checks known Qemu pipes.

      Checks for known pipes used by the Android emulator to communicate with the host.

    • Checks memory information

      Checks memory information which indicate if the system is an emulator.

    • Queries account information for other applications stored on the device

      Application may abuse the framework's APIs to collect account information stored on the device.

    • Queries information about running processes on the device

      Application may abuse the framework's APIs to collect information about running processes on the device.

    • Queries information about the current Wi-Fi connection

      Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

    • Queries information about the current nearby Wi-Fi networks

      Application may abuse the framework's APIs to collect information about the current nearby Wi-Fi networks.

    • Queries the mobile country code (MCC)

    • Queries the phone number (MSISDN for GSM devices)

    • Reads the contacts stored on the device.

    • Reads the content of photos stored on the user's device.

    • Registers a broadcast receiver at runtime (usually for listening for system events)

    • Checks if the internet connection is available

    • Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

    • Reads information about phone network operator.

    • Listens for changes in the sensor environment (might be used to detect emulation)

MITRE ATT&CK Mobile v15

Tasks