Analysis
max time kernel: 179s
max time network: 186s
platform: android_x86
resource: android-x86-arm-20240603-en
resource tags: android, arch:arm, arch:x86, image:android-x86-arm-20240603-en, locale:en-us, os:android-9-x86, system
submitted: 04-06-2024 00:58
Static task: static1
Behavioral task: behavioral1
Sample: 9336481359d14eab6dcf7523e28deb24_JaffaCakes118.apk
Resource: android-x86-arm-20240603-en
General
Target: 9336481359d14eab6dcf7523e28deb24_JaffaCakes118.apk
Size: 15.8MB
MD5: 9336481359d14eab6dcf7523e28deb24
SHA1: 2a0afa16534a13cced26144ee1cfd606a5c64c3a
SHA256: 04a06b7e414b6d8370dfb7e98ae35babc907b7fc460604f8b20e96b3131a8a92
SHA512: b36fb069b0d084eaac66c6b2dbe0634fdca81ac8d010407916554107d503cf0bb1508b76f86b50a85c75ea8673d0dc1c5012bd7554c83b23728bc63df0c5c6c4
SSDEEP: 393216:5MzpGBEhuGXt4Zxh17E6ERzqiFn7BAXaoyV7hR/PYzAO:5q8Eh/Cxh17iVHFGqJ7hR/P4
Malware Config
Signatures
Checks if the Android device is rooted. 1 TTPs 2 IoCs
Processes: com.g918832149.ibj
  ioc: /system/bin/su (process: com.g918832149.ibj)
  ioc: /system/xbin/su (process: com.g918832149.ibj)

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs

Checks Android system properties for emulator presence. 1 TTPs 1 IoCs
Processes: com.g918832149.ibj
  description: Accessed system property key; ioc: ro.product.model (process: com.g918832149.ibj)

Checks CPU information 2 TTPs 1 IoCs
Checks CPU information which indicate if the system is an emulator.
Processes: com.g918832149.ibj
  description: File opened for read; ioc: /proc/cpuinfo (process: com.g918832149.ibj)

Checks memory information 2 TTPs 2 IoCs
Checks memory information which indicate if the system is an emulator.
Processes: com.g918832149.ibj, com.g918832149.ibj:remote
  description: File opened for read; ioc: /proc/meminfo (process: com.g918832149.ibj)
  description: File opened for read; ioc: /proc/meminfo (process: com.g918832149.ibj:remote)

Queries information about running processes on the device 1 TTPs 2 IoCs
Application may abuse the framework's APIs to collect information about running processes on the device.
Processes: com.g918832149.ibj, com.g918832149.ibj:remote
  description: Framework service call; ioc: android.app.IActivityManager.getRunningAppProcesses (process: com.g918832149.ibj)
  description: Framework service call; ioc: android.app.IActivityManager.getRunningAppProcesses (process: com.g918832149.ibj:remote)

Queries the mobile country code (MCC) 1 TTPs 1 IoCs
Processes: com.g918832149.ibj
  description: Framework service call; ioc: com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone (process: com.g918832149.ibj)

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 2 IoCs
Processes: com.g918832149.ibj, com.g918832149.ibj:remote
  description: Framework service call; ioc: android.app.IActivityManager.registerReceiver (process: com.g918832149.ibj)
  description: Framework service call; ioc: android.app.IActivityManager.registerReceiver (process: com.g918832149.ibj:remote)

Checks if the internet connection is available 1 TTPs 2 IoCs
Processes: com.g918832149.ibj, com.g918832149.ibj:remote
  description: Framework service call; ioc: android.net.IConnectivityManager.getActiveNetworkInfo (process: com.g918832149.ibj)
  description: Framework service call; ioc: android.net.IConnectivityManager.getActiveNetworkInfo (process: com.g918832149.ibj:remote)

Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs

Reads information about phone network operator. 1 TTPs

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 2 IoCs
Processes: com.g918832149.ibj:remote, com.g918832149.ibj
  description: Framework API call; ioc: javax.crypto.Cipher.doFinal (process: com.g918832149.ibj:remote)
  description: Framework API call; ioc: javax.crypto.Cipher.doFinal (process: com.g918832149.ibj)
Processes
com.g918832149.ibj (PID: 4222)
- Checks if the Android device is rooted.
- Checks Android system properties for emulator presence.
- Checks CPU information
- Checks memory information
- Queries information about running processes on the device
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Checks if the internet connection is available
- Uses Crypto APIs (Might try to encrypt user data)

com.g918832149.ibj:remote (PID: 4259)
- Checks memory information
- Queries information about running processes on the device
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Checks if the internet connection is available
- Uses Crypto APIs (Might try to encrypt user data)
Network
MITRE ATT&CK Mobile v15
Downloads
/data/data/com.g918832149.ibj/files/jpush_stat_history/active_user/nowrap/958b312b-3ce6-4f5a-bae1-ece7607cf97c
Filesize: 159B
MD5: ee0ea12661ec434290eff8b04ca68029
SHA1: 251a9367879f006258c48bc53d5dae34b19d60cb
SHA256: 03dcfa5015ecf09ee9cada976db9db54d7751d381d12667ec1fed4f0dae1eaa6
SHA512: 4a27b819769b329ac57639755b4a6ff26416753097434a47622f4471cd50873407e747c656e20a79a7e12782a2d4539cb0e66defe7322f755e64934992089ed6

Filesize: 13KB
MD5: 727a2bd9ecee7970e1d56f5796f13f63
SHA1: 24c75d9c9a73b6159c376ae525c6193f658194a8
SHA256: f853bb5ea6056c4dff47506e13a236a702dfe065dfc7f29635fcddfcb9c0f485
SHA512: 9a2e02c3c6c47d2064ce492a6237860390c31a68034eb6540d17682bb961d7e3c224aa416b11ed14c235981dd8e10b9fe1f9c5d89bbaf664ec678ef79746960b

Filesize: 32B
MD5: 745568abd3c5500b0713400f906a208e
SHA1: d2baca725580ff45c60b340067baab36ae52cddd
SHA256: 0790a61e3237a9db3e94665dda7e63587e74c20414b51776a21463ef81a7ad04
SHA512: fd1e171c5ec9236179db7eb3f4c01e726db59261a535b02f4b92a18269b3f7ee1e7c7bd6de5799551fb2941b1d8b32dd71d739093e652facd20521894048a489

Filesize: 32B
MD5: f702520f757e228f8a9205077854537d
SHA1: 1f7504b27ba9fd08db97239fd7781f891d5b92ec
SHA256: 479b4de5ed5bc1a8768d8a4d54e4d65dfa27a79f4ace6b096c60ec7e73a93803
SHA512: fa1c22a2394749ceb68ca195e096909e76c1ab13b40afbc14c13fe3b86cac6769f1534b084f3e597c5e61aa0ff5bd764e381f25850fa46c508d41489f05bac6d