Analysis

  • max time kernel
    179s
  • max time network
    186s
  • platform
    android_x86
  • resource
    android-x86-arm-20240603-en
  • resource tags

    android, arch:arm, arch:x86, image:android-x86-arm-20240603-en, locale:en-us, os:android-9-x86, system
  • submitted
    04-06-2024 00:58

General

  • Target

    9336481359d14eab6dcf7523e28deb24_JaffaCakes118.apk

  • Size

    15.8MB

  • MD5

    9336481359d14eab6dcf7523e28deb24

  • SHA1

    2a0afa16534a13cced26144ee1cfd606a5c64c3a

  • SHA256

    04a06b7e414b6d8370dfb7e98ae35babc907b7fc460604f8b20e96b3131a8a92

  • SHA512

    b36fb069b0d084eaac66c6b2dbe0634fdca81ac8d010407916554107d503cf0bb1508b76f86b50a85c75ea8673d0dc1c5012bd7554c83b23728bc63df0c5c6c4

  • SSDEEP

    393216:5MzpGBEhuGXt4Zxh17E6ERzqiFn7BAXaoyV7hR/PYzAO:5q8Eh/Cxh17iVHFGqJ7hR/P4

Malware Config

Signatures

  • Checks if the Android device is rooted. 1 TTPs 2 IoCs
  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Checks Android system properties for emulator presence. 1 TTPs 1 IoCs
  • Checks CPU information 2 TTPs 1 IoCs

    Checks CPU information that indicates whether the system is an emulator.

  • Checks memory information 2 TTPs 2 IoCs

    Checks memory information that indicates whether the system is an emulator.

  • Queries information about running processes on the device 1 TTPs 2 IoCs

    Application may abuse the framework's APIs to collect information about running processes on the device.

  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 2 IoCs
  • Checks if the internet connection is available 1 TTPs 2 IoCs
  • Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
  • Reads information about phone network operator. 1 TTPs
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 2 IoCs

Processes

  • com.g918832149.ibj
    1⤵
    • Checks if the Android device is rooted.
    • Checks Android system properties for emulator presence.
    • Checks CPU information
    • Checks memory information
    • Queries information about running processes on the device
    • Queries the mobile country code (MCC)
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Checks if the internet connection is available
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4222
  • com.g918832149.ibj:remote
    1⤵
    • Checks memory information
    • Queries information about running processes on the device
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Checks if the internet connection is available
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4259

Network

MITRE ATT&CK Mobile v15

Downloads

  • /data/data/com.g918832149.ibj/files/jpush_stat_history/active_user/nowrap/958b312b-3ce6-4f5a-bae1-ece7607cf97c

    Filesize

    159B

    MD5

    ee0ea12661ec434290eff8b04ca68029

    SHA1

    251a9367879f006258c48bc53d5dae34b19d60cb

    SHA256

    03dcfa5015ecf09ee9cada976db9db54d7751d381d12667ec1fed4f0dae1eaa6

    SHA512

    4a27b819769b329ac57639755b4a6ff26416753097434a47622f4471cd50873407e747c656e20a79a7e12782a2d4539cb0e66defe7322f755e64934992089ed6

  • /storage/emulated/0/Android/data/com.g918832149.ibj/files/tbslog/tbslog.txt

    Filesize

    13KB

    MD5

    727a2bd9ecee7970e1d56f5796f13f63

    SHA1

    24c75d9c9a73b6159c376ae525c6193f658194a8

    SHA256

    f853bb5ea6056c4dff47506e13a236a702dfe065dfc7f29635fcddfcb9c0f485

    SHA512

    9a2e02c3c6c47d2064ce492a6237860390c31a68034eb6540d17682bb961d7e3c224aa416b11ed14c235981dd8e10b9fe1f9c5d89bbaf664ec678ef79746960b

  • /storage/emulated/0/data/.push_deviceid

    Filesize

    32B

    MD5

    745568abd3c5500b0713400f906a208e

    SHA1

    d2baca725580ff45c60b340067baab36ae52cddd

    SHA256

    0790a61e3237a9db3e94665dda7e63587e74c20414b51776a21463ef81a7ad04

    SHA512

    fd1e171c5ec9236179db7eb3f4c01e726db59261a535b02f4b92a18269b3f7ee1e7c7bd6de5799551fb2941b1d8b32dd71d739093e652facd20521894048a489

  • /storage/emulated/0/data/.push_deviceid

    Filesize

    32B

    MD5

    f702520f757e228f8a9205077854537d

    SHA1

    1f7504b27ba9fd08db97239fd7781f891d5b92ec

    SHA256

    479b4de5ed5bc1a8768d8a4d54e4d65dfa27a79f4ace6b096c60ec7e73a93803

    SHA512

    fa1c22a2394749ceb68ca195e096909e76c1ab13b40afbc14c13fe3b86cac6769f1534b084f3e597c5e61aa0ff5bd764e381f25850fa46c508d41489f05bac6d