Analysis

max time kernel: 129s
max time network: 167s
platform: android_x86
resource: android-x86-arm-20240514-en
resource tags: android, arch:arm, arch:x86, image:android-x86-arm-20240514-en, locale:en-us, os:android-9-x86, system
submitted: 03-06-2024 07:28
Static task: static1

Behavioral task: behavioral1
  Sample: 90f420f0982a0436672a5935cf588266_JaffaCakes118.apk
  Resource: android-x86-arm-20240514-en

Behavioral task: behavioral2
  Sample: 90f420f0982a0436672a5935cf588266_JaffaCakes118.apk
  Resource: android-x64-arm64-20240514-en

Behavioral task: behavioral3
  Sample: alipay_plugin.apk
  Resource: android-x86-arm-20240514-en
General

Target: 90f420f0982a0436672a5935cf588266_JaffaCakes118.apk
Size: 11.6MB
MD5: 90f420f0982a0436672a5935cf588266
SHA1: 2d9adff69e003094a3384d832bdbd6a9cab0dc39
SHA256: e2aa1f9bbc9cf18287fddb4984050efcf966b2d2ed60bbdbb056926d134164a2
SHA512: 07d3adda2f832bd659ab2a98498ccfcc3aded5daaef219bd3632d4f7c6f5ee034a3b040c9f8be49beb138ba0fb41fe98756d78fae5ec6d78fa6160a848843b45
SSDEEP: 196608:FzHGi2HHDe6Mh+CoziPICBQG+0XfeaB07fnrQTnJ1m3ipJv5nh/jm0O:FTX2nyh1gie3iecjJ5jBnhG
Malware Config
Signatures

- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) [1 TTPs]

- Requests cell location [2 TTPs, 1 IoCs]
  Uses Android APIs to get current cell location.
  Processes: com.gewara
    description: Framework service call | ioc: com.android.internal.telephony.ITelephony.getCellLocation | process: com.gewara

- Checks CPU information [2 TTPs, 1 IoCs]
  Checks CPU information which indicates if the system is an emulator.
  Processes: com.gewara
    description: File opened for read | ioc: /proc/cpuinfo | process: com.gewara

- Queries information about running processes on the device [1 TTPs, 2 IoCs]
  Application may abuse the framework's APIs to collect information about running processes on the device.
  Processes: com.gewara, com.gewara:moviemusice
    description: Framework service call | ioc: android.app.IActivityManager.getRunningAppProcesses | process: com.gewara
    description: Framework service call | ioc: android.app.IActivityManager.getRunningAppProcesses | process: com.gewara:moviemusice

- Queries information about the current Wi-Fi connection [1 TTPs, 1 IoCs]
  Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
  Processes: com.gewara
    description: Framework service call | ioc: android.net.wifi.IWifiManager.getConnectionInfo | process: com.gewara

- Registers a broadcast receiver at runtime (usually for listening for system events) [1 TTPs, 2 IoCs]
  Processes: com.gewara:moviemusice, com.gewara
    description: Framework service call | ioc: android.app.IActivityManager.registerReceiver | process: com.gewara:moviemusice
    description: Framework service call | ioc: android.app.IActivityManager.registerReceiver | process: com.gewara

- Acquires the wake lock [1 IoCs]
  Processes: com.gewara
    description: Framework service call | ioc: android.os.IPowerManager.acquireWakeLock | process: com.gewara

- Checks if the internet connection is available [1 TTPs, 2 IoCs]
  Processes: com.gewara, com.gewara:moviemusice
    description: Framework service call | ioc: android.net.IConnectivityManager.getActiveNetworkInfo | process: com.gewara
    description: Framework service call | ioc: android.net.IConnectivityManager.getActiveNetworkInfo | process: com.gewara:moviemusice

- Domain associated with commercial stalkerware software, includes indicators from echap.eu.org [1 IoCs]
    flow: 16 | ioc: alog.umeng.com

- Reads information about phone network operator. [1 TTPs]

- Uses Crypto APIs (Might try to encrypt user data) [1 TTPs, 1 IoCs]
  Processes: com.gewara
    description: Framework API call | ioc: javax.crypto.Cipher.doFinal | process: com.gewara
Processes

- com.gewara (PID: 4268)
  - Requests cell location
  - Checks CPU information
  - Queries information about running processes on the device
  - Queries information about the current Wi-Fi connection
  - Registers a broadcast receiver at runtime (usually for listening for system events)
  - Acquires the wake lock
  - Checks if the internet connection is available
  - Uses Crypto APIs (Might try to encrypt user data)

- com.gewara:moviemusice (PID: 4307)
  - Queries information about running processes on the device
  - Registers a broadcast receiver at runtime (usually for listening for system events)
  - Checks if the internet connection is available
Network
MITRE ATT&CK Mobile v15

Defense Evasion
  Execution Guardrails (1)
    Geofencing (1)
  Virtualization/Sandbox Evasion (1)
    System Checks (1)
Downloads

- Filesize: 15KB
  MD5: 383f8ec6283d3bbe77643a9fc0383fd5
  SHA1: 78f57d79790ea64deafdb95dd1158943733575bd
  SHA256: a84f61da229259a62d61759626aa0cb7f22fe4b589aa5c5e1eacd2859a6a5f82
  SHA512: 16182a01279a332d52953783d6c30d74efb4c0a516fc01b9a67839d4f22a542eb9f952bdc1e96007104fb5e16d802dd83795275f116f236cba7817c696af94ec

- Filesize: 4KB
  MD5: f2b4b0190b9f384ca885f0c8c9b14700
  SHA1: 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
  SHA256: 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
  SHA512: ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

- Filesize: 512B
  MD5: 1e8e7e53a52f4743b278cf5cb8924c98
  SHA1: 0f650427522c69fc2b1a0577f666bccbe0cb431c
  SHA256: 6aa0c59378a487b2e646182f8023545b96182dcf59f4c91dca755803a62ce58e
  SHA512: 373cfbc13ce59914ad56fd14a283e1342c6dc2508d0d806225a8e991ced9999e6fc255843a93010a734c0b660827ae03249ada5ab99301c0e8fac171dbb207a4

- Filesize: 32KB
  MD5: bb7df04e1b0a2570657527a7e108ae23
  SHA1: 5188431849b4613152fd7bdba6a3ff0a4fd6424b
  SHA256: c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
  SHA512: 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

- Filesize: 108KB
  MD5: 3e1c909d2b5ef0084eb1e20f41e02b28
  SHA1: f35cf5d0c5d1c9f2a90c37b1ee87e1837c9ad26e
  SHA256: df202e658969319f3b8aff5c72898b71dd7b0e9175d6dd9ae0f8fecf42782339
  SHA512: 952520c85ea75362b0e703e16db797eee2bf36644dfd26109ae146cf183820496fc92bd5e6170db01e48993ce3008600cd4cca273ebe0000c24b32c5bad1116c

- Filesize: 512B
  MD5: ddb4ddcef381a185c720489aded1b479
  SHA1: a1a1f8ffa6962f7e88c908a7322c8039816ed4d5
  SHA256: 0a37ce163884c6207e0affb38a310d344ed68311bd25ea687b00f651785dbfcf
  SHA512: 114594337acc50379d72cdd7e9160eac3f299d4207e0ed73f30219c3c02e83bbfd1a23f60f62f65fd571715932df9458d792038f0ad296436918e71936c32dda

- Filesize: 32KB
  MD5: 05c872ec33f01a356f7901da39223f6a
  SHA1: f6a2f5e7611c73869f222115f89c5f882d79e230
  SHA256: 10e708935902f2f68f16589b3f8a7a3ddc8ad48b66fa9a5cef9778142e9cace4
  SHA512: 0a064afd75cffde72dd571403eb2795c0adb298498dd3109276e51825f6ecee40418302379beae3cab7c904073684828bb31a4ecdb2be847323c90ea6d80065f

- Filesize: 979B
  MD5: 6a4433c592e491031d14de75afc6a415
  SHA1: f5357f73f153e1c0be7c4209b6aac5f11304a768
  SHA256: 2054ebe97a19a5ff42a26423cc347c92f5ac26af382aa098e378618464a22dcf
  SHA512: 54b95efc050e61bbaf25ba6577670526f0ee1aee92672a2707236b67439539bf34262be3c97aef2fc8df3bac12268861e67c5a444bf8cfb1e65ca8b9f9e40a3b

- Filesize: 108B
  MD5: ccb3c6d1a324bb341d33097a55adec38
  SHA1: 92f65e46fd18b15450a92fdf713462c0797e6c91
  SHA256: 0d5feb917cf94db6c65d359ff055218e24d15f136f8849574060969c91686878
  SHA512: 586f7a9d526e39a430d4bd1d389f508212821cd3b68fadd096249316a01fddb39a267c8e6ab64af94fa5a48f34c90d32048b7eb3203c14e9a2272280e8dccb73

- Filesize: 211B
  MD5: 2b47c387beb05e3428e5cb3481adcbf0
  SHA1: c0db84a41873dcca3e493dbf8d80ef83a937f840
  SHA256: 3f5b4f8dae52a66c996472000515716d348dbd40b9bd326f5b34c0847f90e53d
  SHA512: 3fd3144226721005a3024f244ca4abea9a9509cf3e9ce66860d49a04d12413d4b2c55b8595cf359c88312bf77d1fdd3af9d7bbc8e2f25f42a4f826ebe3ad9f68

- Filesize: 82B
  MD5: 28486cd2dd6627f16d4603d3b5af0d42
  SHA1: 043b2cac7e0a2ceb78660fc9f0b68df3742b4e50
  SHA256: 7aa437acb3604178179e14708f4b59a4286aa68bd11faf3fb8a1e1e879faabc1
  SHA512: f836e5a3a3e06a1d89337653fc375e28c1c0253a049dfd3ca898d6a1f4558068e7334288f1a08446c336e26cf61a96ce61f0c4bb60ff62394a4647a5d84c0d97

- Filesize: 113B
  MD5: 7b0a4d24aba62bbbee3721fd7f638730
  SHA1: 824362467090f0ec0b2873da2b0e2a51392fc118
  SHA256: fd9904079f662607dc0a7391b04a76eecda23b133f34bd07e17cb9275f4ce9e3
  SHA512: 51ba8b01dc87655d957a8707e9b6325608ad0597663e3956f3998a993eb7b9bb82d2abe39f43867fc54328fe3cad08427b1b832ae39b20af07c2565fc502dacc

- Filesize: 172B
  MD5: 99daeb6f70d1d7ae12b317e890a7feea
  SHA1: 325b912e0f9122f6b2a3d4b7838aa0e04b249633
  SHA256: b3ea1b1f3bc799d7712173be7645ffad7dd89e3dd685d2acb07005e8e69dfd60
  SHA512: 7660bca0ed966f1506ebde70e378df972e7bf39f6e464ba01d69b638845539fbb57ee9244ac927fafc8c231c511bb45ee6fa19b74955219558b33881a9b486f8

- Filesize: 85B
  MD5: 44a63b463ac9df39db0a97b6c5d6e8c5
  SHA1: 91740a9c80c71445befb1ce310afe99777ba2d80
  SHA256: 92cee3d0e50cc4f08093b6b64d8bea03dd143ba6d5f3c3748d9a80f950e700e1
  SHA512: 40cd1ac1a54b856cf3350aed6cd228387c9b03505e263329d14557d1b2128d9117f6deef8672ffd8afdf4ef216a8bc5953b8c4593edec6e0876630336c488d70

- Filesize: 369B
  MD5: e06f1f4a3c7b37166b39a70baf8fff2f
  SHA1: 9385e84f0ae11e1e5e1b6551bcff850e0452ef37
  SHA256: 7b691841dbb273e52329bf8add31e4756cc342630e4b96456ddfcabf54cfc689
  SHA512: fe42769b3d4e6f307e8855c10456a29163657e3ca8bfc6a6afe4efd3c3ba8cc9108e0739b774766641071db0bf2a0045c71a1acc5ff37c263235e14e5bb1d8be

- Filesize: 468B
  MD5: 4d7617d448ab3a1af7feef1c8508499e
  SHA1: 3bdda03bc591a4ef29a393070e742d2c523a5c8a
  SHA256: ae7d8f8b2772a20de1d094ae28724acb1f2680532add519c57592da2c8c91beb
  SHA512: af64d53c9ecc1be24232f52c26b8df482944c0108a8dc2e1463ed95934182d5ee8b37344b2a5c3a85cb7670822cb2c476c83113c27f223cb0861efe03e4c933c

- Filesize: 107B
  MD5: c9383021bd97affc44be4db7018c4d7b
  SHA1: 7e680409d1c86e35149bebc22f2cf8c484f0d23e
  SHA256: b7b7e032170e3190a84359e5c37adede1d58b6bf4c455ef0c01f73335709bb65
  SHA512: 7303f068da97319891e2d25c1c737035f1cfdc365d75d954102b612000e54d7e2b5dfafe10bdf909563e2b46ec3ff9e546423bff6f0aa9496880eab1c1c36a81