Analysis
max time kernel: 155s
max time network: 188s
platform: android_x86
resource: android-x86-arm-20240514-en
resource tags: android, arch:arm, arch:x86, image:android-x86-arm-20240514-en, locale:en-us, os:android-9-x86, system
submitted: 03-06-2024 07:27
Static task: static1
Behavioral task: behavioral1
  Sample: 90f35d22a64f5e5cc7fc917d19907e92_JaffaCakes118.apk
  Resource: android-x86-arm-20240514-en
Behavioral task: behavioral2
  Sample: 90f35d22a64f5e5cc7fc917d19907e92_JaffaCakes118.apk
  Resource: android-x64-arm64-20240514-en
Behavioral task: behavioral3
  Sample: dmss_v2.apk
  Resource: android-x86-arm-20240514-en
Behavioral task: behavioral4
  Sample: dmss_v2.apk
  Resource: android-x64-20240514-en
Behavioral task: behavioral5
  Sample: dmss_v2.apk
  Resource: android-x64-arm64-20240514-en
Behavioral task: behavioral6
  Sample: dump.apk
  Resource: android-x86-arm-20240514-en
Behavioral task: behavioral7
  Sample: dump.apk
  Resource: android-x64-20240514-en
Behavioral task: behavioral8
  Sample: dump.apk
  Resource: android-x64-arm64-20240514-en
Behavioral task: behavioral9
  Sample: dynamic.apk
  Resource: android-x86-arm-20240514-en
Behavioral task: behavioral10
  Sample: dynamic.apk
  Resource: android-x64-20240514-en
Behavioral task: behavioral11
  Sample: dynamic.apk
  Resource: android-x64-arm64-20240514-en
General
Target: 90f35d22a64f5e5cc7fc917d19907e92_JaffaCakes118.apk
Size: 7.4MB
MD5: 90f35d22a64f5e5cc7fc917d19907e92
SHA1: a56e0b81d66641f589c53d1a4c40cda17798c4fd
SHA256: 7e3c3a1f748120ce85e1df711e29965f289e2cf04048d0eab94bab1dcf058ce0
SHA512: b701240a5885cee03442f111e59d018f642726626d578c65a657a2acf89a676018d68ff6cfa7821ad306a4166dd31312dfc4b7400ae856c9e3e463ebc4efaa1c
SSDEEP: 98304:yLt13huQSJiqC+6Ii34LK83hthYF2h0ASG9xV9bAifSA53/wiQwEwTBaJ3/7liUb:OtqKL4L33BgTAdV9bVfViwFaVgUVh
Malware Config
Signatures
- Checks if the Android device is rooted. (1 TTPs, 1 IoCs)
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) (1 TTPs)
- Requests cell location (1 TTPs, 2 IoCs)
  Uses Android APIs to get current cell information.
  Processes: com.qihoo.appstore
  - Framework service call com.android.internal.telephony.ITelephony.getAllCellInfo (com.qihoo.appstore)
  - Framework service call com.android.internal.telephony.ITelephony.getCellLocation (com.qihoo.appstore)
- Checks CPU information (2 TTPs, 2 IoCs)
  Checks CPU information which indicates if the system is an emulator.
  Processes: com.qihoo.appstore, com.qihoo.daemon
  - File opened for read /proc/cpuinfo (com.qihoo.appstore)
  - File opened for read /proc/cpuinfo (com.qihoo.daemon)
- Checks known Qemu files. (1 TTPs, 3 IoCs)
  Checks for known Qemu files that exist on Android virtual device images.
  Processes: com.qihoo.daemon
  - /sys/qemu_trace (com.qihoo.daemon)
  - /system/bin/qemu-props (com.qihoo.daemon)
  - /system/lib/libc_malloc_debug_qemu.so (com.qihoo.daemon)
- Checks memory information (2 TTPs, 1 IoCs)
  Checks memory information which indicates if the system is an emulator.
  Processes: com.qihoo.appstore
  - File opened for read /proc/meminfo (com.qihoo.appstore)
- Loads dropped Dex/Jar (1 TTPs, 1 IoCs)
  Runs an executable file dropped to the device during analysis.
  Processes: com.qihoo.appstore
  - /data/user/0/com.qihoo.appstore/files/sllak/opt/4292/finalcore.jar (PID 4292, com.qihoo.appstore)
- Makes use of the framework's foreground persistence service (1 TTPs, 1 IoCs)
  Application may abuse the framework's foreground service to continue running in the foreground.
  Processes: com.qihoo.daemon
  - Framework service call android.app.IActivityManager.setServiceForeground (com.qihoo.daemon)
- Queries information about running processes on the device (1 TTPs, 2 IoCs)
  Application may abuse the framework's APIs to collect information about running processes on the device.
  Processes: com.qihoo.appstore, com.qihoo.daemon
  - Framework service call android.app.IActivityManager.getRunningAppProcesses (com.qihoo.appstore)
  - Framework service call android.app.IActivityManager.getRunningAppProcesses (com.qihoo.daemon)
- Queries information about the current Wi-Fi connection (1 TTPs, 1 IoCs)
  Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
  Processes: com.qihoo.appstore
  - Framework service call android.net.wifi.IWifiManager.getConnectionInfo (com.qihoo.appstore)
- Queries information about the current nearby Wi-Fi networks (1 TTPs, 1 IoCs)
  Application may abuse the framework's APIs to collect information about the current nearby Wi-Fi networks.
  Processes: com.qihoo.appstore
  - Framework service call android.net.wifi.IWifiManager.getScanResults (com.qihoo.appstore)
- Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTPs, 3 IoCs)
  Processes: com.qihoo.appstore:critical, com.qihoo.appstore, com.qihoo.daemon
  - Framework service call android.app.IActivityManager.registerReceiver (com.qihoo.appstore:critical)
  - Framework service call android.app.IActivityManager.registerReceiver (com.qihoo.appstore)
  - Framework service call android.app.IActivityManager.registerReceiver (com.qihoo.daemon)
- Acquires the wake lock (1 IoCs)
  Processes: com.qihoo.daemon
  - Framework service call android.os.IPowerManager.acquireWakeLock (com.qihoo.daemon)
- Checks if the internet connection is available (1 TTPs, 2 IoCs)
  Processes: com.qihoo.daemon, com.qihoo.appstore
  - Framework service call android.net.IConnectivityManager.getActiveNetworkInfo (com.qihoo.daemon)
  - Framework service call android.net.IConnectivityManager.getActiveNetworkInfo (com.qihoo.appstore)
- Reads information about phone network operator. (1 TTPs)
- Schedules tasks to execute at a specified time (1 TTPs, 1 IoCs)
  Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
  Processes: com.qihoo.daemon
  - Framework service call android.app.job.IJobScheduler.schedule (com.qihoo.daemon)
- Uses Crypto APIs (Might try to encrypt user data) (1 TTPs, 2 IoCs)
  Processes: com.qihoo.appstore, com.qihoo.daemon
  - Framework API call javax.crypto.Cipher.doFinal (com.qihoo.appstore)
  - Framework API call javax.crypto.Cipher.doFinal (com.qihoo.daemon)
Processes
- com.qihoo.appstore (PID 4292)
  - Requests cell location
  - Checks CPU information
  - Checks memory information
  - Loads dropped Dex/Jar
  - Queries information about running processes on the device
  - Queries information about the current Wi-Fi connection
  - Queries information about the current nearby Wi-Fi networks
  - Registers a broadcast receiver at runtime (usually for listening for system events)
  - Checks if the internet connection is available
  - Uses Crypto APIs (Might try to encrypt user data)
  Child processes:
  - /system/bin/ping -i 0.5 -s 56 -w 10 -c 10 221.130.199.88 (PID 4912)
  - /system/bin/cat /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq (PID 4942)
  - /system/bin/ping -i 0.5 -s 56 -w 10 -c 10 221.130.199.88 (PID 4995)
  - /system/bin/ping -i 0.5 -s 56 -w 10 -c 10 221.130.199.88 (PID 5033)
  - /system/bin/ping -i 0.5 -s 56 -w 10 -c 10 221.130.199.88 (PID 5078)
  - /system/bin/ping -i 0.5 -s 56 -w 10 -c 10 221.130.199.88 (PID 5108)
- com.qihoo.daemon (PID 4323)
  - Checks if the Android device is rooted.
  - Checks CPU information
  - Checks known Qemu files.
  - Makes use of the framework's foreground persistence service
  - Queries information about running processes on the device
  - Registers a broadcast receiver at runtime (usually for listening for system events)
  - Acquires the wake lock
  - Checks if the internet connection is available
  - Schedules tasks to execute at a specified time
  - Uses Crypto APIs (Might try to encrypt user data)
  Child processes:
  - /system/bin/sh (PID 4582)
  - cat /proc/version (PID 4731)
  - ps (PID 4791)
- com.qihoo.appstore:critical (PID 4599)
  - Registers a broadcast receiver at runtime (usually for listening for system events)
- app_process32 / com.qihoo.appstore.rootcommand.persistent.CoreDaemon --nice-name=com.qihoo.appstore_CoreDaemon --daemon (PID 4648)
Network
MITRE ATT&CK Mobile v15
Persistence
- Event Triggered Execution (1)
  - Broadcast Receivers (1)
- Foreground Persistence (1)
- Scheduled Task/Job (1)
Defense Evasion
- Download New Code at Runtime (1)
- Foreground Persistence (1)
- Virtualization/Sandbox Evasion (3)
  - System Checks (3)
Downloads