Analysis
- max time kernel: 126s
- max time network: 178s
- platform: android_x86
- resource: android-x86-arm-20240611.1-en
- resource tags: android, arch:arm, arch:x86, image:android-x86-arm-20240611.1-en, locale:en-us, os:android-9-x86, system
- submitted: 16-06-2024 19:44
Static task
- static1
Behavioral task
- behavioral1
- Sample: b4e271be9edb6ea6c53092f1b5473862_JaffaCakes118.apk
- Resource: android-x86-arm-20240611.1-en
General
- Target: b4e271be9edb6ea6c53092f1b5473862_JaffaCakes118.apk
- Size: 10.0MB
- MD5: b4e271be9edb6ea6c53092f1b5473862
- SHA1: 03d11e9d0e351ab3801a7896d510738fb3ea454b
- SHA256: 22e7086881793f9680b4938c4eea1065d451cac36ae1c70fa4a5fffb22dd7682
- SHA512: bb2941dec03f4404c5d35c281c86b60a2e387d56ca311524b542c56a22db89d3e5ed26aa376fa34a7c7ad3e0f92c54333ea929aa73f81e8101029d71c7ab4851
- SSDEEP: 196608:B2pX83QtEk7KNRermqxlgIJ0aYb2JA8D4dVzQaq0jkMGdBziOYGoqF3:B2p3+k7wermelXGa9JA88dFkB2OYGoqN
Malware Config
Signatures
- Checks if the Android device is rooted. (1 TTPs, 1 IoCs)
  ioc: /sbin/su (process: com.kgezbv.kbrqeym)
- Checks Android system properties for emulator presence. (1 TTPs, 1 IoCs)
  Accessed system property key: ro.product.model (process: com.kgezbv.kbrqeym)
- Checks known Qemu files. (1 TTPs, 3 IoCs)
  Checks for known Qemu files that exist on Android virtual device images.
  ioc: /sys/qemu_trace (process: com.kgezbv.kbrqeym)
  ioc: /system/bin/qemu-props (process: com.kgezbv.kbrqeym)
  ioc: /system/lib/libc_malloc_debug_qemu.so (process: com.kgezbv.kbrqeym)
- Checks known Qemu pipes. (1 TTPs, 2 IoCs)
  Checks for known pipes used by the Android emulator to communicate with the host.
  ioc: /dev/socket/qemud (process: com.kgezbv.kbrqeym)
  ioc: /dev/qemu_pipe (process: com.kgezbv.kbrqeym)
- Loads dropped Dex/Jar (1 TTPs, 1 IoCs)
  Runs executable file dropped to the device during analysis.
  ioc: Anonymous-DexFile@0xcdb39000-0xcdb4a74c (pid: 4261, process: com.kgezbv.kbrqeym)
- Queries information about running processes on the device (1 TTPs, 1 IoCs)
  Application may abuse the framework's APIs to collect information about running processes on the device.
  Framework service call: android.app.IActivityManager.getRunningAppProcesses (process: com.kgezbv.kbrqeym)
- Queries the phone number (MSISDN for GSM devices) (1 TTPs)
- Makes use of the framework's foreground persistence service (1 TTPs, 1 IoCs)
  Application may abuse the framework's foreground service to continue running in the foreground.
  Framework service call: android.app.IActivityManager.setServiceForeground (process: com.kgezbv.kbrqeym)
- Queries information about active data network (1 TTPs, 1 IoCs)
  Framework service call: android.net.IConnectivityManager.getActiveNetworkInfo (process: com.kgezbv.kbrqeym)
- Queries the mobile country code (MCC) (1 TTPs, 1 IoCs)
  Framework service call: com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone (process: com.kgezbv.kbrqeym)
- Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTPs, 1 IoCs)
  Framework service call: android.app.IActivityManager.registerReceiver (process: com.kgezbv.kbrqeym)
- Uses Crypto APIs (Might try to encrypt user data) (1 TTPs, 1 IoCs)
  Framework API call: javax.crypto.Cipher.doFinal (process: com.kgezbv.kbrqeym)
- Checks CPU information (2 TTPs, 1 IoCs)
  File opened for read: /proc/cpuinfo (process: com.kgezbv.kbrqeym)
- Checks memory information (2 TTPs, 1 IoCs)
  File opened for read: /proc/meminfo (process: com.kgezbv.kbrqeym)
Processes
- com.kgezbv.kbrqeym (PID: 4261)
  - Checks if the Android device is rooted.
  - Checks Android system properties for emulator presence.
  - Checks known Qemu files.
  - Checks known Qemu pipes.
  - Loads dropped Dex/Jar
  - Queries information about running processes on the device
  - Makes use of the framework's foreground persistence service
  - Queries information about active data network
  - Queries the mobile country code (MCC)
  - Registers a broadcast receiver at runtime (usually for listening for system events)
  - Uses Crypto APIs (Might try to encrypt user data)
  - Checks CPU information
  - Checks memory information
  - /system/bin/sh -c getprop (PID: 4300)
  - getprop ro.product.cpu.abi (PID: 4319)
  - getprop (PID: 4300)
Network
MITRE ATT&CK Mobile v15
Persistence
- Event Triggered Execution (1)
  - Broadcast Receivers (1)
- Foreground Persistence (1)
Defense Evasion
- Download New Code at Runtime (1)
- Foreground Persistence (1)
- Virtualization/Sandbox Evasion (5)
  - System Checks (5)
Downloads
- Filesize: 69KB
  MD5: 75a8168e7080b90fc2956592c268371f
  SHA1: 3702da56d31f381525473364f031dc884e37076d
  SHA256: 0b9c032080788add7f5989d0ce145e66a4686ff3a43b0e48dec60bf18bf75701
  SHA512: 33536573c834fffab7236dd96c22cbc3d075ab70b622ff7787381e5c7c262ab62e0252f0d07313c9227ccc8308cd93cd96373e57fa55a066691d5b5cfb55f5d3
- Filesize: 69KB
  MD5: 02f69eb4fe05ebc6c9f736d83e5f7e26
  SHA1: 777d75e14a73f5721fc4ae34f49a9a4b82311373
  SHA256: 13502356b7d3f910107aeff131e9c4a2b892744a125a2d1a2a206b219dc36042
  SHA512: 7c1f5d68d40bf37aef2e59aa9a4f96d1ef642a8db7e53295953b0b5fa3a63cd7546c5cf8ad3fc17f6b84a795a08e13024d8dcb3db828ca3fad634964cba69bcc
- Filesize: 58B
  MD5: 0d210bfb2a0e1f1b4c082a6a0f79de07
  SHA1: bb8ed9e364db79d1d9f2fcde3f15091893222faa
  SHA256: 988722c23d78a46021d0e7ca9deee7aa8bb83288269174ffacb7316f381cca1d
  SHA512: 536e9867b0df29b15b789f8949be6ab37fcdeccb9d39ded981da7dc2052c9533d0ec0e6f9a5444132977605d372e1463d91bdde41b528ff2ca3f65ab152325c1
- Filesize: 238B
  MD5: 505f9b130eba3bbdb24b6eaa8b1538d9
  SHA1: dfd6b7cf0d6746e8370dca4abb8800311f3d6542
  SHA256: 52fd799bdd2a951a68bd961b14eb0699f4ca2b19656e1a30863c9cdcbf1dde51
  SHA512: 5a19e035e95c37574da9fb6f1e4e220e3c8ca33758c89706d7c3c80856ad447c571d9b0b6be94b05aab0b7f4dd4c853f48df3157348bcc5d794916924143bd44
- Filesize: 101B
  MD5: e9e87978b18fcac9f879435d3260698d
  SHA1: 4ad9663180b131a495fa85a6f7b75d3096bbf177
  SHA256: 756bc2270414ce9c88546fe44006b5bd33c314978e449b6548546ea7690dbb30
  SHA512: 61e530338c2e387c1b889d4d4259608a39cba48c4e53f77cd00222534c291da5829107ecc44f2c7fb1ee39df4a36ab6d0949c80c272aed27a3ce5449045d38aa
- Filesize: 56B
  MD5: 598d90b13eb746a7815418a8204195e4
  SHA1: 3d60b5cab6962acd9d59ce40f6f90b1750de9c53
  SHA256: 8de0df25e2ed549ed43594dd88fa7a27a19048670e5f00876b621a650059f71c
  SHA512: e119d32a6e06df717059ce280f851dd0586a1caf31a490c1348e2337315d5f69bec86fabe756dc8c90c76516f7ce2d3a15bf262e5c994bc4f8b59e81b0030087
- Filesize: 56B
  MD5: a7bb31bc2801f84ab0a74c2ecbeafa59
  SHA1: 0a1883cc9029d7ae6089aaebd446bba0dbc6c532
  SHA256: 31a0e5a560098c7928e7e79cded663f5e6820a852829b917506bca5e0ada433f
  SHA512: c591ac139a0d7dab5d7b442f5c91c3ecc68092dba33b22acf57e4e46947eecc4eeb1bad4f4304558d16ca4f10a1d7cb3a2c4786095da22c2c614909190c1d037
- Filesize: 84B
  MD5: 50dd1be461fd601fa5add63e51bf1a09
  SHA1: 944c87d691860e993a9bcd1dc53fb00a054bc75f
  SHA256: e73a50b9df0149c0d144847df9ca01ed0b976752f9066a1c7c441ddeed5a4bb4
  SHA512: c2748e0d47ffabd54047d7b2f6c18137abb782659785c4cf35da2c1fd59ad8a2a0a3b3532bec1391afa483ee0d8002f7dcc0112c01dbb97580bc2aa6dffaa149
- Filesize: 84B
  MD5: 7676e5f4c356ea78babee2748bb88a27
  SHA1: d7bcc91dccc62e34c6512b10989f2dd32783b981
  SHA256: 81b2b703783b83482e85b8a984945545ecabb335b06666ef6def855c7667772e
  SHA512: 0aa59565be792da19d1e82ab7eaa3ee1cf1df1526c4d7adb84e01dae649ea0a0d36180000a3de3f3a4f585ee4045a0100d10ad26e30508adb03e73b44c05c7cf
- Filesize: 84B
  MD5: ec70e49ca6280ca474fa1a78afeda1e2
  SHA1: 061f11054c7c09315b821a94b2e90a4b9deb78b6
  SHA256: 46c63d04569cb1ecac471fda1425244532169ed70ad24f3632db202222ad75ae
  SHA512: 8a04ba554ff4b3e5af181290ccbc36d5bbc26f504435a89754b439e4c924573f7771b9f07e3e3a506958ee029751075f8fe9e525d6a9c5a13be8f399565fdc30
- Filesize: 31B
  MD5: 8c92de9ce46d41a22f3b20f77404cc1d
  SHA1: 8671a6dca00edb72be47363a7071be65cf270373
  SHA256: 68bb33ddeed9200be85a71f70b377985f9ee68e91578afbde8321463396f1274
  SHA512: 30f45fe9954215d6adafcc8f0a060a7ff41963a64f9b849a37f0d18fe045038d429ec13bf15226769c4ba78dad3c52f3d9e0dbbb4fcdea4828a1efe956e48f56
- Filesize: 512B
  MD5: 4e5312b8590439f47711513f43f23b4f
  SHA1: d179b5145086beaa65f29cdd4a0ecf1ed6cf13f8
  SHA256: d46e345009220e3fcc098ff0f2583a6ef861ced2d14321c9007403033b252750
  SHA512: f501a74ec685535f91b66dbc773b1b835a8ad771ba1627239beee17fab43e897f0c7cf621aa46d83d7fca509ab4070adb3e3ac0c5fa3adc9337e2733016b10ce
- Filesize: 76KB
  MD5: 84f06f71846a7cc590d7f394ddb86248
  SHA1: 928c47266c6bafa7e66657bda6e4828dc27b524e
  SHA256: f0c70fc8067423c8e7f2f466fc207179433310e724098b9e4886171c42285487
  SHA512: 475e3059a6b088309b1cc6c9608093b650a179e11917e0044721d9dea5bed42009b23581a8485d1d884f83a676f529ee81782909d5664aa6d7b255e20418c36d
- Filesize: 4KB
  MD5: f2b4b0190b9f384ca885f0c8c9b14700
  SHA1: 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
  SHA256: 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
  SHA512: ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1
- Filesize: 512B
  MD5: f126b163805d5407f60c03afe01d7ca1
  SHA1: 9cc293a7fb3a4f48d0ddea8c40cf4c49ffa2dfd4
  SHA256: c692f62858f36e5b95df8657d9db31d433f29b0d419208b60127551a302ab542
  SHA512: f3f62ffdbdec6330b27f3ca07ce84c1cda7ccd831c4206987d1da7fa6946a5ecb535e9b35e0f0adebb6fd526f7db8982eed85329bf1bc0534fee1e829024a106
- Filesize: 32KB
  MD5: bb7df04e1b0a2570657527a7e108ae23
  SHA1: 5188431849b4613152fd7bdba6a3ff0a4fd6424b
  SHA256: c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
  SHA512: 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012
- Filesize: 32KB
  MD5: 05203e8870534345cbec5a472e563e24
  SHA1: 01f1468d8453ff3c06b59bbc6152234d2ec6530f
  SHA256: e03555a53dc7c42d571bf65fc41ef96ec0408cb43ee25a297f54f15485af662d
  SHA512: 831641531b980078dabbb21aebb7e28636b78136bbd6d849cadf8245236ed6bd219b7986aa1cae684c27734cd83bb0ea2291052b92874241cc2ca6b0c64a27cb
- Filesize: 14KB
  MD5: ad1d8bfa6c2783d5034e8fc2fede030b
  SHA1: 9e89644132e2af7b87431ace6921098ca3341503
  SHA256: 0709100f0cc28491cff726549db4ad294dc14b40adf17bb376df943fcbc341b9
  SHA512: 59d580c44ecdc1cee4058dc2bee182db8a43e46954d58acc80754eae4ea09d38e9b919be64aba7b76c946a6212ca052532dbff7b816981920ff429c286175b9f