d34975ef63b80421f6ce1bc0ff603f3d7fd60202b6c80da7e3f1d67d8b91c264

Analysis

max time kernel
119s
max time network
186s
platform
android_x86
resource
android-x86-arm-20240611.1-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20240611.1-enlocale:en-usos:android-9-x86system
submitted
15/06/2024, 09:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ada7bcd4c5c115200374cc7c17c011ba_JaffaCakes118.apk
Size

5.1MB
MD5

ada7bcd4c5c115200374cc7c17c011ba
SHA1

3824cb205b894c5898be4c1fcaef08dfe3977953
SHA256

d34975ef63b80421f6ce1bc0ff603f3d7fd60202b6c80da7e3f1d67d8b91c264
SHA512

bb2a92b6b48fd451bb8592c0752bbee5a92f64c4ced33185867ce34da2f9ecb4015053045091cea54328655f22e45bee91bf3670d4185d7603e5827591100a69
SSDEEP

98304:88RIlBLSBiZeDqdAPrdDpK30WocCfI+Kk576ntYuSSMPqBvzSJTa62:8CMLvxdMJDpK34IZXn1MPKvzZ

Score

7^/10

banker collection discovery evasion impact persistence

Malware Config

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001

Queries information about running processes on the device 1 TTPs 2 IoCs

Application may abuse the framework's APIs to collect information about running processes on the device.

discovery

Process Discovery

T1424

description	ioc	Process
Framework service call	android.app.IActivityManager.getRunningAppProcesses	com.xiaochen.android.fate_it
Framework service call	android.app.IActivityManager.getRunningAppProcesses	com.xiaochen.android.fate_it:remote

Queries information about the current nearby Wi-Fi networks 1 TTPs 1 IoCs

Application may abuse the framework's APIs to collect information about the current nearby Wi-Fi networks.

discovery

System Network Connections Discovery

T1421

description	ioc	Process
Framework service call	android.net.wifi.IWifiManager.getScanResults	com.xiaochen.android.fate_it:remote

Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Requests cell location 2 TTPs 1 IoCs

Uses Android APIs to to get current cell location.

collection discovery evasion

Location Tracking

T1430

Geofencing

T1627.001

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getCellLocation	com.xiaochen.android.fate_it:remote

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org 1 IoCs

flow	ioc
10	alog.umeng.com

Queries information about active data network 1 TTPs 2 IoCs

discovery

System Network Connections Discovery

T1421

description	ioc	Process
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.xiaochen.android.fate_it
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.xiaochen.android.fate_it:remote

Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs

Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

discovery

System Network Connections Discovery

T1421

description	ioc	Process
Framework service call	android.net.wifi.IWifiManager.getConnectionInfo	com.xiaochen.android.fate_it

Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422

Listens for changes in the sensor environment (might be used to detect emulation) 1 TTPs 1 IoCs

evasion

User Evasion

T1628.002

description	ioc	Process
Framework API call	android.hardware.SensorManager.registerListener	com.xiaochen.android.fate_it:remote

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	com.xiaochen.android.fate_it:remote

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 2 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.xiaochen.android.fate_it
Framework API call	javax.crypto.Cipher.doFinal	com.xiaochen.android.fate_it:remote

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	com.xiaochen.android.fate_it

com.xiaochen.android.fate_it
1⤵
- Queries information about running processes on the device
- Queries information about active data network
- Queries information about the current Wi-Fi connection
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
PID:4170

com.xiaochen.android.fate_it:remote
1⤵
- Queries information about running processes on the device
- Queries information about the current nearby Wi-Fi networks
- Requests cell location
- Queries information about active data network
- Listens for changes in the sensor environment (might be used to detect emulation)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
PID:4206

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Privilege Escalation

Defense Evasion

Execution Guardrails

T1627

Geofencing

T1627.001

Hide Artifacts

T1628

User Evasion

T1628.002

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Discovery

Location Tracking

T1430

Process Discovery

T1424

Software Discovery

T1418

Security Software Discovery

T1418.001

System Information Discovery

T1426

System Network Configuration Discovery

T1422

System Network Connections Discovery

T1421

Lateral Movement

Collection

Location Tracking

T1430

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.xiaochen.android.fate_it/databases/weshot.db

Filesize
4KB

MD5
887e87741a427709580f86cce5e30fe0

SHA1
93a7d57a9e54abf6e734a41b65046e29971ac863

SHA256
b7fa6ac5c1ea7f7573590fe8f9aeeaf959c9d44f413e58471aa08a4f0e0a4386

SHA512
032d90e70476301eddeaee004df565188b012abcb7f59f6eb2d7f65bb9bbc140aae6d760f69a46f59f8d12ec2d26c307fa89802a01550bebf2963522850c5c5a

Download Submit
/data/data/com.xiaochen.android.fate_it/databases/weshot.db-journal

Filesize
512B

MD5
b91882ef84e193c15e744710828facc6

SHA1
7050c205621e676bce237eae20217b587799a3ed

SHA256
906c2ff01e2ad0a66c93acdb1664d47323ff155c770bd98375b62f7ca5290faf

SHA512
6ef3a4299685f7e7ba5aebcac51a6d284023435f2e50f4ea05b654b39f2b61782b6fc374d5a43ff4f2bb86e99c170a58a4f8222cb7faff4583b4c5498102562b

Download Submit
/data/data/com.xiaochen.android.fate_it/databases/weshot.db-shm

Filesize
32KB

MD5
3bc1f072a0de0314dc3d8d1dcfbc992b

SHA1
00745aeae33221dd2efb9d34e647777460c7eecc

SHA256
622784ebd10f0b38785cb07f23fe16a578d41b5274486458b346ad7af6b3cd64

SHA512
422d5b1e81685f1ebdbbc256d7170f2c7ca84e0be08958bc0f1a0ab38e17f32552d025a99222cbca07da7a58a7e59cbcb07daec49737fd07dd57ecc075f5f5a8

Download Submit
/data/data/com.xiaochen.android.fate_it/databases/weshot.db-wal

Filesize
80KB

MD5
0a9b4420f7e6ef724de307fdfdb5bc59

SHA1
72a4d535fa0f606f56899e0d7b54eb8bb7a001c7

SHA256
d399681824d2cc1621adeca566cea852de6327dd922d9a1c96afb627796975f8

SHA512
9e837bf827a680c27f5fbc3c80efbbea7c2c7949301ab470d0251b96d350d0054689cc5e49309b17d91db6e93b0c08105ba10e4070ca95cff67d2e6cccdcf1ed

Download Submit
/data/data/com.xiaochen.android.fate_it/files/mobclick_agent_sealed_com.xiaochen.android.fate_it

Filesize
567B

MD5
11c0e75d8fc3cd7f034c1456d8202dcd

SHA1
47253249b22cd8e25f43aad8186830b837124a3f

SHA256
702274bd5f0e4adb4c559923a19082f7cb1fb4ae7f6ef8377a06eea73838864b

SHA512
81511263ed3ad0f36ad8a637a9d86d2a47097282d14ebf6de51814838cccdaed9499ac4ec32ab6f961d73be4e2e51743608d1661945a2f9eac25be80f72db792

Download Submit
/storage/emulated/0/baidu/tempdata/ls.db-shm

Filesize
32KB

MD5
d717ac120e505923f43be48040f7508b

SHA1
ef97b3ba668ec684dc382a3ae5dc0a19da549fa9

SHA256
acc7a98b7de36c092ff2e5a0f12653426ed7b064af2695389d7f411f953e1832

SHA512
23403c598e2e1f786f732c3b7d2b4ea8b1efca3083b59a24da9e5746e3c5ad4c5e9916521fd0a418d2f1899b9db9d7e0f5abd19ef56a509a814064a17798f279

Download Submit
/storage/emulated/0/baidu/tempdata/ls.db-wal

Filesize
52KB

MD5
4b277421f6eaf126845eaf778a1af030

SHA1
d86633eeb0907deb46bde16826cf2acb8dcba369

SHA256
13a003ecf262d31e100e4c0c7c2d0576ae889661dfc98c4243500b9c8a36146d

SHA512
ad0774d6fac52a0be945fa91d4a4e117a2b9bc6afda76d5c2aaaf7cfec5f21119c2e95996cbe11a19506077c515ef6c343500fb685c1d6a570bd44cb565e0e4a

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads