Analysis

max time kernel: 147s
max time network: 189s
platform: android_x86
resource: android-x86-arm-20240603-en
resource tags: android, arch:arm, arch:x86, image:android-x86-arm-20240603-en, locale:en-us, os:android-9-x86, system
submitted: 04-06-2024 01:24
Static task: static1

Behavioral task: behavioral1
  Sample: 934503993008571ad7ca9b053f415c7a_JaffaCakes118.apk
  Resource: android-x86-arm-20240603-en

Behavioral task: behavioral2
  Sample: 934503993008571ad7ca9b053f415c7a_JaffaCakes118.apk
  Resource: android-33-x64-arm64-20240603-en
General

Target: 934503993008571ad7ca9b053f415c7a_JaffaCakes118.apk
Size: 12.3MB
MD5: 934503993008571ad7ca9b053f415c7a
SHA1: fae401bae66aee053e45406820995315595b0895
SHA256: 5b87eb6b067ea9b9023acc1bac54750546ce3360e4ee584f9946f0cbea45ff2a
SHA512: ef55dfc486b4d06fbf87b5e75eb494fc015801edfba5288913d32fec4b397ca0b5ceddaae996c6408f3e771fb879e4a6982dc36b1cc56704cb6724d5e4989b80
SSDEEP: 196608:iD26pDmV6zUKX2q5pqN+lqN2SjxplOgwedO/C4Mf4coMBpkhgaN+6L/706ddll9O:iHsq50WqljtOJC4QBpMdT0slTKUTNuOO
Malware Config
Signatures

Checks if the Android device is rooted. (1 TTPs, 8 IoCs)
  Processes: com.sogou.androidtool:remote_proxy, com.sogou.androidtool:push_service, /system/bin/sh -c type su, /system/bin/sh -c type su, com.sogou.androidtool:channel, com.sogou.androidtool
  ioc | process
    /sbin/su | com.sogou.androidtool:remote_proxy
    /sbin/su | com.sogou.androidtool:push_service
    /system/app/Superuser.apk | com.sogou.androidtool:remote_proxy
    /sbin/su | /system/bin/sh -c type su
    /system/app/Superuser.apk | com.sogou.androidtool:push_service
    /sbin/su | /system/bin/sh -c type su
    /sbin/su | com.sogou.androidtool:channel
    /sbin/su | com.sogou.androidtool

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) (1 TTPs)

Requests cell location (2 TTPs, 4 IoCs)
  Uses Android APIs to get the current cell location.
  Processes: com.sogou.androidtool, com.sogou.androidtool:remote_proxy, com.sogou.androidtool:push_service, com.sogou.androidtool:channel
  description | ioc | process
    Framework service call | com.android.internal.telephony.ITelephony.getCellLocation | com.sogou.androidtool
    Framework service call | com.android.internal.telephony.ITelephony.getCellLocation | com.sogou.androidtool:remote_proxy
    Framework service call | com.android.internal.telephony.ITelephony.getCellLocation | com.sogou.androidtool:push_service
    Framework service call | com.android.internal.telephony.ITelephony.getCellLocation | com.sogou.androidtool:channel

Checks CPU information (2 TTPs, 1 IoCs)
  Checks CPU information which indicates whether the system is an emulator.
  Processes: com.sogou.androidtool
  description | ioc | process
    File opened for read | /proc/cpuinfo | com.sogou.androidtool

Checks memory information (2 TTPs, 3 IoCs)
  Checks memory information which indicates whether the system is an emulator.
  Processes: com.sogou.androidtool:push_service, com.sogou.androidtool, com.sogou.androidtool:remote_proxy
  description | ioc | process
    File opened for read | /proc/meminfo | com.sogou.androidtool:push_service
    File opened for read | /proc/meminfo | com.sogou.androidtool
    File opened for read | /proc/meminfo | com.sogou.androidtool:remote_proxy

Queries information about running processes on the device (1 TTPs, 4 IoCs)
  Application may abuse the framework's APIs to collect information about running processes on the device.
  Processes: com.sogou.androidtool, com.sogou.androidtool:remote_proxy, com.sogou.androidtool:push_service, com.sogou.androidtool:channel
  description | ioc | process
    Framework service call | android.app.IActivityManager.getRunningAppProcesses | com.sogou.androidtool
    Framework service call | android.app.IActivityManager.getRunningAppProcesses | com.sogou.androidtool:remote_proxy
    Framework service call | android.app.IActivityManager.getRunningAppProcesses | com.sogou.androidtool:push_service
    Framework service call | android.app.IActivityManager.getRunningAppProcesses | com.sogou.androidtool:channel

Queries information about the current Wi-Fi connection (1 TTPs, 4 IoCs)
  Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
  Processes: com.sogou.androidtool, com.sogou.androidtool:remote_proxy, com.sogou.androidtool:push_service, com.sogou.androidtool:channel
  description | ioc | process
    Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | com.sogou.androidtool
    Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | com.sogou.androidtool:remote_proxy
    Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | com.sogou.androidtool:push_service
    Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | com.sogou.androidtool:channel

Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTPs, 3 IoCs)
  Processes: com.sogou.androidtool, com.sogou.androidtool:remote_proxy, com.sogou.androidtool:push_service
  description | ioc | process
    Framework service call | android.app.IActivityManager.registerReceiver | com.sogou.androidtool
    Framework service call | android.app.IActivityManager.registerReceiver | com.sogou.androidtool:remote_proxy
    Framework service call | android.app.IActivityManager.registerReceiver | com.sogou.androidtool:push_service

Checks if the internet connection is available (1 TTPs, 4 IoCs)
  Processes: com.sogou.androidtool, com.sogou.androidtool:remote_proxy, com.sogou.androidtool:push_service, com.sogou.androidtool:channel
  description | ioc | process
    Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | com.sogou.androidtool
    Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | com.sogou.androidtool:remote_proxy
    Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | com.sogou.androidtool:push_service
    Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | com.sogou.androidtool:channel

Reads information about phone network operator. (1 TTPs)

Uses Crypto APIs (Might try to encrypt user data) (1 TTPs, 3 IoCs)
  Processes: com.sogou.androidtool:push_service, com.sogou.androidtool, com.sogou.androidtool:remote_proxy
  description | ioc | process
    Framework API call | javax.crypto.Cipher.doFinal | com.sogou.androidtool:push_service
    Framework API call | javax.crypto.Cipher.doFinal | com.sogou.androidtool
    Framework API call | javax.crypto.Cipher.doFinal | com.sogou.androidtool:remote_proxy
Processes

com.sogou.androidtool (PID:4276)
  - Checks if the Android device is rooted.
  - Requests cell location
  - Checks CPU information
  - Checks memory information
  - Queries information about running processes on the device
  - Queries information about the current Wi-Fi connection
  - Registers a broadcast receiver at runtime (usually for listening for system events)
  - Checks if the internet connection is available
  - Uses Crypto APIs (Might try to encrypt user data)
  chmod 777 /data/user/0/com.sogou.androidtool/cache (PID:4305)
  chmod 777 /data/user/0/com.sogou.androidtool/cache (PID:4330)
  chmod 777 /data/user/0/com.sogou.androidtool/files (PID:4412)

com.sogou.androidtool:remote_proxy (PID:4434)
  - Checks if the Android device is rooted.
  - Requests cell location
  - Checks memory information
  - Queries information about running processes on the device
  - Queries information about the current Wi-Fi connection
  - Registers a broadcast receiver at runtime (usually for listening for system events)
  - Checks if the internet connection is available
  - Uses Crypto APIs (Might try to encrypt user data)
  chmod 777 /data/user/0/com.sogou.androidtool/cache (PID:4491)
  /system/bin/sh -c getprop ro.board.platform (PID:4869)
  getprop ro.board.platform (PID:4869)
  /system/bin/sh -c type su (PID:5060)
    - Checks if the Android device is rooted.

com.sogou.androidtool:push_service (PID:4679)
  - Checks if the Android device is rooted.
  - Requests cell location
  - Checks memory information
  - Queries information about running processes on the device
  - Queries information about the current Wi-Fi connection
  - Registers a broadcast receiver at runtime (usually for listening for system events)
  - Checks if the internet connection is available
  - Uses Crypto APIs (Might try to encrypt user data)
  chmod 777 /data/user/0/com.sogou.androidtool/cache (PID:4737)
  /system/bin/sh -c getprop ro.board.platform (PID:5082)
  getprop ro.board.platform (PID:5082)
  /system/bin/sh -c type su (PID:5106)
    - Checks if the Android device is rooted.

com.sogou.androidtool:channel (PID:5157)
  - Checks if the Android device is rooted.
  - Requests cell location
  - Queries information about running processes on the device
  - Queries information about the current Wi-Fi connection
  - Checks if the internet connection is available
  chmod 777 /data/user/0/com.sogou.androidtool/cache (PID:5189)
Network
MITRE ATT&CK Mobile v15

Defense Evasion
  Execution Guardrails (1)
    Geofencing (1)
  Virtualization/Sandbox Evasion (2)
    System Checks (2)
Downloads

Filesize: 4KB
MD5: f2b4b0190b9f384ca885f0c8c9b14700
SHA1: 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256: 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512: ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

Filesize: 512B
MD5: 4cbbc27dbdb1301d23453bafe4725e5d
SHA1: a674d086c56e51af8d9f51af0d3aeb2df5474957
SHA256: d8df56f41323117ccd704df0704e22b7ec699f1956c7fe8a0810d131e48e01f9
SHA512: d5dcc6a3b9b9289f5b3cf8f7ee8938b28c3a14b2d664a9d68548e072875629d2059b17afb3e0ac40a37d5f4d948c42872e3745b30eb4c51d811421074ade7fa7

Filesize: 28KB
MD5: 3444d0e5d9f8a399bea255e634b53b8b
SHA1: 5fea4696cac1bbdbf2629ded1ee41ca54848364c
SHA256: 8adc86836e66a96d9aa134cbd83c53f216d4fddeb6e8d644e4f4ad0c58479a5f
SHA512: 35291256302285b9b05d8c75e50c0030d56ce3590ea8eb55dfd0b937593d04ae98885b8bbb226d3f1eb6e15cbc24ca24634fbe8783b65a93e57ca256be1f8504

Filesize: 48KB
MD5: be725443d132f886d20f3ea298afc358
SHA1: 8a8741576480fff5a77e73d2049cdb0c454e57de
SHA256: 2412c60ed218d6a4e5e6f0eaab9a370acb53b28ae2cd9f9e257ea35c85a3d5b8
SHA512: 82bf8736b025863be450bbcffaf438d2e553f8700ae8bcbab9f694799d9e6cb4edd50652e73311ad9a437cd637413ff36a3f130d2f1df9d78218969e3dca6922

Filesize: 32KB
MD5: 00e0a38f4deb8b18e6aa0e163426da7f
SHA1: 6e62ee5a5c9a6d4f44449c4c4d9ab0516d8c0ee2
SHA256: 3f57b44111f258abfe1e22186ac98af1d5e798adc0f55f4a6a846d224bfbdaa3
SHA512: 9c870ba089497235da58d256f6c8aba133a2c64c1da0a825f5ee37dbebc4c74c5e70c6a838461dc915ab1ebdda8f988dc1c9d848b846780e7d033538aeb86829

Filesize: 512B
MD5: de740a9b7671d245ab73b9ec98228b33
SHA1: a27e9a2220f1890d73d3968b9787301e5984ff22
SHA256: 5ee9cbb6863a091d83b0b132032c454e2d9454aa6c27f1f689d0c4c60ec7c575
SHA512: 01d29ab789a1892739f563cf62fb986d0e15b1aa0dbe2aba073a1b3a4b913ac2b662b0374931c1ef120287a2020ce048075da6c5963e144ebf8c919ef8b8e427

Filesize: 28KB
MD5: f66b2fe03a7c73594c4538a64f7e247e
SHA1: a75c664106d63f02fa86986daf7d631325b40aa6
SHA256: 0006904dd3c652afee20b0427af3f638dadf6fb090c1b6a1c3ec42726884ad1b
SHA512: d160631ab7f84e06ea9ce4c9ef0d0c856b27952807db76cfc73fd006df5e3c1a5b67ae4be99323b81db31e70d6377fac49c3a18485bfc8c41f5440932dfb9161

Filesize: 68KB
MD5: 04f909a2e8cc83a7b2be78d8bcfb07da
SHA1: abf10d914f46c4f15c11d88cd96e12641c917771
SHA256: c47a76fb857b7e1456d39c51bdb03693c1d21ba0aee1b6a979e58b4f18ebb173
SHA512: f255a638b0f332fb21a21ec677fb399f355be1a0492a615ecd2b6d4a7413a40628e43a6b1807301507f36f945012f759ab2e4c8c39b3805900fbafac0417228b

Filesize: 512B
MD5: 08947f01c854eabd414b809b32205b36
SHA1: dbac51ae3fa5b2c099588ab38419cb80ff32a4bf
SHA256: f6e0f2b57f36b1853724abf57c65d88c65fae8dfeeeab4254aea06df24b6985c
SHA512: ba3fdb0e0bf634f87312879845723f5e0503aaf21b360a8d305da923891d3a1bc68b1f6ca17ef5510fb023f49d72bf74ae4b7a7d30bb4a74112c91c4892956fb

Filesize: 48KB
MD5: e8f099ca357182adeefd0b906f545c08
SHA1: 62918af251523cf6a3e6beb6bec7456859601e03
SHA256: 62b11087a5b8d3b2b0eb03a785ef51b29e051ec32a27fde3bc1ef2fde24a8241
SHA512: c41689afa808efe1aae20e81189c0636122c44e095f15b4c9bdc92dea8db683c86b52a1c6326f0ac8c96298b5e5b162c9f31f4889a8391244042f563114a9230

Filesize: 4KB
MD5: c3b5c8af3c07b464e682d536a8482096
SHA1: 51c1a0c2d84e9c473b7f9ce0955ca5c7b4ef581e
SHA256: 2ca28876ee2ec053479b03d04479b63c7d0e0813b1298b5b26b2571233c7a517
SHA512: fe2ae57f35d0dfda91fd76f653c5c791d9eab7b128c244f2bd66d7b32b9e196ea06413768cddeb9b819d30739fea4c9a1412617482899648e96013b6c9eea3fd

Filesize: 512B
MD5: e7506eba192b3e3ca1f90add6274038a
SHA1: e2b6a821fd80d672969a4934d6556389d0bb3a6a
SHA256: a945f4c080f0317a5df2de9d99f10f19858006231f40f2fc36db95536e6972c3
SHA512: 4e00bcf14e06530ac5e55f18c92e6e80223cf8d0e43f580f44b73ace906426771630caa31afbef89771459db305ddbe863ccf4bad9f27c3ceb5d78c07057caaa

Filesize: 96KB
MD5: 4be68e2db7350128ff667ef5b7305e9f
SHA1: 3d75441dab5514156bb451a7be8a5b2904d624c0
SHA256: 5609b75548d82b3851b02021ba2431074c06940c6309a2dfbb75a7d6ec78cd68
SHA512: 5d0cf72b8d3d1e115dc536ee71c41fe27d16dd824af3be3db41a0127c333e211315f1243e5df620116492152ebb095abc5f91b037cef52bca581ad5c9b713293

Filesize: 229KB
MD5: 24dc3f27ece3d12ba2a4fd220b9d032b
SHA1: e56b4940d2ed9ea2201a4bd3b7773eb59fe466c1
SHA256: dc7b6b4143cd851bb31297b5fdeeb8ca374f909e8a1b9c993e01dcb7bd46d5e2
SHA512: 6ce81e900dcab5e8e6f94eea7d45b5f2894753e9949eb8684e31e4e69cdcc806e3eab8c6ff1b7b767b32a02d5d472f7923d08ff18d65f79748b2def2a276a299

Filesize: 512B
MD5: 32b1c5473d432ad45cf84aadaf314418
SHA1: dbefe1265dc2bdc906022f1a7d152d275db4d9d2
SHA256: 275fbc8af4bef3a2f287f03852faf8317058564fa7f4fd47720a5841f858cb9b
SHA512: 9033b7036ac2cdac5cbc33fd20a87ebcc44e4e1f883b9456876a3727923f56abe77791fbf8193b810e66916f76f0a81ee47fdb7b4edeb8fe8d1c1dcfd859e035

Filesize: 28KB
MD5: cf845a781c107ec1346e849c9dd1b7e8
SHA1: b44ccc7f7d519352422e59ee8b0bdbac881768a7
SHA256: 18619b678a5c207a971a0aa931604f48162e307c57ecdec450d5f095fe9f32c7
SHA512: 4802861ea06dc7fb85229a3c8f04e707a084f1ba516510c6f269821b33c8ee4ebf495258fe5bee4850668a5aac1a45f0edf51580da13b7ee160a29d067c67612

Filesize: 40KB
MD5: c0a674cd2bbb8044454248190b61dc70
SHA1: b54fa0d2f99296467b848ec4d204d33695597fbc
SHA256: 26f3ecf372efe2833de3cc73ed171c783c1157f34226504982a95bcca3b37c70
SHA512: 56a297ee50e672b4bcdc60d897a88d2b1af745a4d39394ac7e7c6642a16bcb5057a8d98192e02ca4d315e92e9a80b6173f39a226c08dcc326fb378a5d25cd269