Overview
Analysis
- max time kernel: 17s
- max time network: 160s
- platform: android_x86
- resource: android-x86-arm-20240611.1-en
- resource tags: android, arch:arm, arch:x86, image:android-x86-arm-20240611.1-en, locale:en-us, os:android-9-x86, system
- submitted: 17-06-2024 23:59
Static task
- static1

Behavioral tasks (task: sample, resource)
- behavioral1: ba31892a4ec9bb79f6d97c5b2c5a9302_JaffaCakes118.apk, android-x86-arm-20240611.1-en
- behavioral2: register.apk, android-x86-arm-20240611.1-en
- behavioral3: register.apk, android-x64-20240611.1-en
- behavioral4: register.apk, android-x64-arm64-20240611.1-en
- behavioral5: safetynet.apk, android-x86-arm-20240611.1-en
- behavioral6: safetynet.apk, android-x64-20240611.1-en
- behavioral7: safetynet.apk, android-x64-arm64-20240611.1-en
- behavioral8: vending.apk, android-x86-arm-20240611.1-en
- behavioral9: vending.apk, android-x64-20240611.1-en
- behavioral10: vending.apk, android-x64-arm64-20240611.1-en
General
- Target: ba31892a4ec9bb79f6d97c5b2c5a9302_JaffaCakes118.apk
- Size: 16.1MB
- MD5: ba31892a4ec9bb79f6d97c5b2c5a9302
- SHA1: 0a0bc2c7b20ba470f9e529074e2a3a614ef69b71
- SHA256: 4c61c0f33e7f6a6c4f6dea58507fb86fed6cb4e26b38f2ac70c61e13075205fe
- SHA512: 8fb9809170fc0b1178e641a0920c3634447ff472d53777485fdda16a1bc996f9612173133956458c2e338434969d9c1e16986a7cd2f370cb0ec18634dca1c024
- SSDEEP: 393216:R4ZTgVA/ktIO/dfX3Rm9NiX9hYvFszeMeArRqMS6TSNSqr6:+SVAMtrl/3E90SsaMeArR/be36
Malware Config
Signatures
- Checks if the Android device is rooted. (1 TTPs, 2 IoCs)
  Processes: com.excean.gspace
  ioc | process
  /system/bin/su | com.excean.gspace
  /system/xbin/su | com.excean.gspace
- Loads dropped Dex/Jar (1 TTPs, 3 IoCs)
  Runs executable file dropped to the device during analysis.
  Processes: com.excean.gspace, com.excean.gspace:lbcore, and the dex2oat invocation
  /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.excean.gspace/.platformcache/kxqpplatform2.jar --output-vdex-fd=46 --oat-fd=47 --oat-location=/data/user/0/com.excean.gspace/.platformcache/oat/x86/kxqpplatform2.odex --compiler-filter=quicken --class-loader-context=&
  ioc | pid | process
  /data/user/0/com.excean.gspace/.platformcache/kxqpplatform2.jar | 4396 | /system/bin/dex2oat (full command line above)
  /data/user/0/com.excean.gspace/.platformcache/kxqpplatform2.jar | 4321 | com.excean.gspace
  /data/user/0/com.excean.gspace/.platformcache/kxqpplatform2.jar | 4495 | com.excean.gspace:lbcore
- Queries information about running processes on the device (1 TTPs, 2 IoCs)
  Application may abuse the framework's APIs to collect information about running processes on the device.
  Processes: com.excean.gspace, com.excean.gspace:lbcore
  description | ioc | process
  Framework service call | android.app.IActivityManager.getRunningAppProcesses | com.excean.gspace
  Framework service call | android.app.IActivityManager.getRunningAppProcesses | com.excean.gspace:lbcore
- Makes use of the framework's foreground persistence service (1 TTPs, 1 IoCs)
  Application may abuse the framework's foreground service to continue running in the foreground.
  Processes: com.excean.gspace:lbcore
  description | ioc | process
  Framework service call | android.app.IActivityManager.setServiceForeground | com.excean.gspace:lbcore
- Queries information about active data network (1 TTPs, 2 IoCs)
  Processes: com.excean.gspace, com.excean.gspace:lbcore
  description | ioc | process
  Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | com.excean.gspace
  Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | com.excean.gspace:lbcore
- Queries the unique device ID (IMEI, MEID, IMSI) (1 TTPs)
- Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTPs, 2 IoCs)
  Processes: com.excean.gspace, com.excean.gspace:lbcore
  description | ioc | process
  Framework service call | android.app.IActivityManager.registerReceiver | com.excean.gspace
  Framework service call | android.app.IActivityManager.registerReceiver | com.excean.gspace:lbcore
- Uses Crypto APIs (Might try to encrypt user data) (1 TTPs, 1 IoCs)
  Processes: com.excean.gspace
  description | ioc | process
  Framework API call | javax.crypto.Cipher.doFinal | com.excean.gspace
- Checks CPU information (2 TTPs, 1 IoCs)
  Processes: com.excean.gspace
  description | ioc | process
  File opened for read | /proc/cpuinfo | com.excean.gspace
Processes (process tree; nesting shows parent/child)
- com.excean.gspace (PID 4321)
  Signatures:
  - Checks if the Android device is rooted.
  - Loads dropped Dex/Jar
  - Queries information about running processes on the device
  - Queries information about active data network
  - Registers a broadcast receiver at runtime (usually for listening for system events)
  - Uses Crypto APIs (Might try to encrypt user data)
  - Checks CPU information
  Child processes:
  - chmod 755 /data/user/0/com.excean.gspace/.platformcache/kxqpplatform2.jar (PID 4356)
  - chmod 755 /data/user/0/com.excean.gspace/.platformcache/main.jar (PID 4370)
  - /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.excean.gspace/.platformcache/kxqpplatform2.jar --output-vdex-fd=46 --oat-fd=47 --oat-location=/data/user/0/com.excean.gspace/.platformcache/oat/x86/kxqpplatform2.odex --compiler-filter=quicken --class-loader-context=& (PID 4396)
    Signatures:
    - Loads dropped Dex/Jar
- com.excean.gspace:lbcore (PID 4495)
  Signatures:
  - Loads dropped Dex/Jar
  - Queries information about running processes on the device
  - Makes use of the framework's foreground persistence service
  - Queries information about active data network
  - Registers a broadcast receiver at runtime (usually for listening for system events)
Network
MITRE ATT&CK Mobile v15 (tactic > technique > sub-technique, with signature count)
- Persistence
  - Event Triggered Execution (1)
    - Broadcast Receivers (1)
  - Foreground Persistence (1)
- Defense Evasion
  - Download New Code at Runtime (1)
  - Foreground Persistence (1)
  - Virtualization/Sandbox Evasion (1)
    - System Checks (1)
Downloads