f0fa2766b8d5063ba60d44739bf5aeadbad532236133d95552fe08dd05ac1229

Analysis

max time kernel
61s
max time network
159s
platform
android_x86
resource
android-x86-arm-20240611.1-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20240611.1-enlocale:en-usos:android-9-x86system
submitted
16/06/2024, 03:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b17b27bcba9d3aee7fb7bc51fb1a57ee_JaffaCakes118.apk
Size

1.7MB
MD5

b17b27bcba9d3aee7fb7bc51fb1a57ee
SHA1

2c979ad9c10b183126a3beb5af38df9cd4b64e57
SHA256

f0fa2766b8d5063ba60d44739bf5aeadbad532236133d95552fe08dd05ac1229
SHA512

ebc36abae07f08f73826b4dd933260f9d18df2424312047f800fc31b493d80db5270b0f08f004508fa04ed49c42d7b38752df601238ca8d2f502b9a5e2025c28
SSDEEP

24576:Z4AEfaacDj9Q4TqGEC2bRTNYrERkQlJkKxvaSzxMhGpUgWN1QnP8I2GN:O4DJbTq62deWk2kKnahXgWN+nkUN

Score

7^/10

banker collection discovery evasion impact persistence

Malware Config

Signatures

Loads dropped Dex/Jar 1 TTPs 4 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.zym.crawmk/files/xu/hMNdf.jar	4349	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.zym.crawmk/files/xu/hMNdf.jar --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/com.zym.crawmk/files/xu/oat/x86/hMNdf.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/com.zym.crawmk/files/xu/hMNdf.jar	4290	com.zym.crawmk
/data/user/0/com.zym.crawmk/files/Plugin2.apk	4456	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.zym.crawmk/files/Plugin2.apk --output-vdex-fd=60 --oat-fd=68 --oat-location=/data/user/0/com.zym.crawmk/files/oat/x86/Plugin2.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/com.zym.crawmk/files/Plugin2.apk	4290	com.zym.crawmk

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Reads the content of SMS inbox messages. 1 TTPs 1 IoCs

collection

SMS Messages

T1636.004

description	ioc	Process
URI accessed for read	content://sms/inbox	com.zym.crawmk

Reads the content of the SMS messages. 1 TTPs 1 IoCs

collection

SMS Messages

T1636.004

description	ioc	Process
URI accessed for read	content://sms/	com.zym.crawmk

Requests cell location 2 TTPs 1 IoCs

Uses Android APIs to to get current cell location.

collection discovery evasion

Location Tracking

T1430

Geofencing

T1627.001

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getCellLocation	com.zym.crawmk

Queries information about active data network 1 TTPs 1 IoCs

discovery

System Network Connections Discovery

T1421

description	ioc	Process
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.zym.crawmk

Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs

Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

discovery

System Network Connections Discovery

T1421

description	ioc	Process
Framework service call	android.net.wifi.IWifiManager.getConnectionInfo	com.zym.crawmk

Requests dangerous framework permissions 10 IoCs

description	ioc
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device.	android.permission.READ_PHONE_STATE
Allows an application to write to external storage.	android.permission.WRITE_EXTERNAL_STORAGE
Allows an application to read from external storage.	android.permission.READ_EXTERNAL_STORAGE
Allows an application to read SMS messages.	android.permission.READ_SMS
Allows an application to receive SMS messages.	android.permission.RECEIVE_SMS
Allows an application to send SMS messages.	android.permission.SEND_SMS
Allows an app to access approximate location.	android.permission.ACCESS_COARSE_LOCATION
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps.	android.permission.SYSTEM_ALERT_WINDOW
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call.	android.permission.CALL_PHONE
Required to be able to access the camera device.	android.permission.CAMERA

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	com.zym.crawmk

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.zym.crawmk

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	com.zym.crawmk

com.zym.crawmk
1⤵
- Loads dropped Dex/Jar
- Reads the content of SMS inbox messages.
- Reads the content of the SMS messages.
- Requests cell location
- Queries information about active data network
- Queries information about the current Wi-Fi connection
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
PID:4290
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.zym.crawmk/files/xu/hMNdf.jar --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/com.zym.crawmk/files/xu/oat/x86/hMNdf.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4349
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.zym.crawmk/files/Plugin2.apk --output-vdex-fd=60 --oat-fd=68 --oat-location=/data/user/0/com.zym.crawmk/files/oat/x86/Plugin2.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4456
- getprop ro.product.cpu.abi
  2⤵
  PID:4490
- getprop ro.product.cpu.abi2
  2⤵
  PID:4510

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Execution Guardrails

T1627

Geofencing

T1627.001

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Discovery

Location Tracking

T1430

Software Discovery

T1418

Security Software Discovery

T1418.001

System Information Discovery

T1426

System Network Configuration Discovery

T1422

System Network Connections Discovery

T1421

Lateral Movement

Collection

Location Tracking

T1430

Protected User Data

T1636

SMS Messages

T1636.004

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.zym.crawmk/databases/wochi_v4.db

Filesize
4KB

MD5
f2b4b0190b9f384ca885f0c8c9b14700

SHA1
934ff2646757b5b6e7f20f6a0aa76c7f995d9361

SHA256
0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

SHA512
ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

Download Submit
/data/data/com.zym.crawmk/databases/wochi_v4.db-journal

Filesize
512B

MD5
39c46b6d3875a0b5158935a00c2a31ae

SHA1
9056b4237415952b99fc3a27068dc299e110b1a4

SHA256
65ff5a367ccef51d7d3c4d57d7ad0e9dd48db9903dbb2d28bea46e38bb483b39

SHA512
4efb4e5181a9b3777bdc3af743a2f511aa6666658ac249337ce1f21d5bfc873dba84390c42d71dca3f381979df3d7b8aa19e38dc0abcab0e15e73da00b72b847

Download Submit
/data/data/com.zym.crawmk/databases/wochi_v4.db-wal

Filesize
20KB

MD5
d77ee3698250b4447ca8c94beb21490f

SHA1
16af91e3b2c8a37514d73fc842d1455e05a93e85

SHA256
7927384f991a654a984f3b1a556452aab7f92da3847895983a396543c52688e2

SHA512
f5580d41c74f55ad4e80a2fdcf3fd6e1156729fcc1f6fb817c3e50e1ba5700ff02ae41c63757a85e0cbb8beeef535e84ddc7ea13fbad8dd046be23e522bd7bd5

Download Submit
/data/data/com.zym.crawmk/files/Plugin2.apk

Filesize
99KB

MD5
3d216f8fddb9705a6720a285475837f1

SHA1
f053d23b284bfe2faf6e76d353ff052471e2de2c

SHA256
de7bf40574754a5144fa5cf3bc5e97f7adc7f5abebb18c41e8f0631917db4c0c

SHA512
38be39da8f96abc87109cfd57b2d63ddfa72971f023024a5b4ce1f97cd905a96a94e19eea19ae9b745f28d02c6689a4473627ce57ec85dce2018a77e699620cb

Download Submit
/data/data/com.zym.crawmk/files/log.dat

Filesize
221B

MD5
ff9229f8e7c92d44d48e25206d43b021

SHA1
be3d75050c16c5b7484652ba292fdd6510f205d3

SHA256
77fc3599be409f7e73e643de843c0ebcfa20662964c498fc59e245c7f5e003a2

SHA512
be7b3aa8d670a2873c6b7bfd4ca93121fd2450723cbbc36d9d06d152fafa3ce90451f0a60ab56bc96bccb81cf5aae0167b404073db14dc17b9513ac73d455c58

Download Submit
/data/data/com.zym.crawmk/files/umeng_it.cache

Filesize
310B

MD5
4e955c58818a1a094d31c1396354d7de

SHA1
bdf1adfc0b75491fb2c58b718d99543d367e2b9f

SHA256
6033478f9183be8805319f895a2ffd15a1462b9d88d5931dbc1b71df380963ae

SHA512
6933000b4086d8f22c109c167db64234ccf521f5e718aad5bd76ca0f8ec650c023d8e7f7a776c17ebbf2286015ebd804a8eeb5380ee8de5fbd4aace437a18462

Download Submit
/data/data/com.zym.crawmk/files/xu/hMNdf.jar

Filesize
789KB

MD5
7164101988d2864fac19df3200fc5aff

SHA1
de602d0f052a6d9c5d8dec3453162bd0a1f37881

SHA256
720d2ffe2ed9e5210e8741d3867c377924bea8570d86b15e5ae5821acd8db946

SHA512
1b349d9ce56872504b73f441eecef767c5ecd6b3b1325cc19d3a16f5878e29b6ebeb99e3f3a867c8491473b80109cf417d6368e241bd061e03e4ddd484d7b1af

Download Submit
/data/user/0/com.zym.crawmk/files/Plugin2.apk

Filesize
201KB

MD5
ef019d14367b7346b1ae2419e9d445c8

SHA1
23d81fcf81f3a9f2a991ba4d0d135fe2a28aa188

SHA256
1d83642ede6b16a071676e895f547d056543b5b4622bbc9b9b4ab45e47bf9ba0

SHA512
ea582f21c6054c37c679c798e93116c9c18c9544c0feb78fb949bed7b2cd3122c8d7bb8ecef329829c2531764abeb6200f0af49ede97c3b0b7448bdb65a34a60

Download Submit
/data/user/0/com.zym.crawmk/files/Plugin2.apk

Filesize
201KB

MD5
2a425e0fae74f20a2c475da937a619a2

SHA1
4d701c7e6d828aa96ba8a493720e7282c49ec741

SHA256
2c61a25f1ad5783bf82eea9faa2536cac4788ed3147bc1864d9ef17ea01be6a7

SHA512
44c8d2a837b606de99055badbd4b5e708424ca9809b1583d13aefadc4d4af974658dc3a3f179fc3047eef7167151c638ff66dd6c8d38121b6ecdfb464d2a5a60

Download Submit
/data/user/0/com.zym.crawmk/files/xu/hMNdf.jar

Filesize
1.9MB

MD5
1e04a654a986ff4638adc2c268fc71dd

SHA1
9c12d8e43a012cd7559b64b711a8df514ad6cae2

SHA256
9878427fda5efc263bdfc652a90a4e1a1a2437fa5d7fea6b3429c8336b1f48d6

SHA512
ff7234b64d57ebfa100548c28a5483cd46adf20db11ce334db38134eb650f44e50701af612cee67104ab6bb423d04770a8a2fd98f45bb1951a9f3524d3e197a1

Download Submit
/data/user/0/com.zym.crawmk/files/xu/hMNdf.jar

Filesize
1.9MB

MD5
07ed85d8e6cd21dc38cfa93bf68dcb6c

SHA1
996cca89cb2a794ec0e7705c8c3a7852c8b2c26f

SHA256
ccdc485f41bbab77be1b04ce9406a2fac304bc2b1097167d1ff0f0b50eb69769

SHA512
451444bbe1d6ea1e020fdeb59bbdae1c97b1cb31805a7b3ad0384163cda5bd753e9f1cc6d5e7653c423fcbda3970cdbe614e51cf6c44b0928887225c124ac8e4

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads