62392b9c68f3ca8a3d2a5ebd7158d9e889d25c3e8558f913bf9fced104701632

Analysis

max time kernel
123s
max time network
137s
platform
android_x86
resource
android-x86-arm-20240611.1-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20240611.1-enlocale:en-usos:android-9-x86system
submitted
17/06/2024, 09:16

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

b7d8fa1a02ed45a38a6cbda36dc857f9_JaffaCakes118.apk
Size

17.0MB
MD5

b7d8fa1a02ed45a38a6cbda36dc857f9
SHA1

12771d374ed96dc2546ac78562ae6922a1cd3c1e
SHA256

62392b9c68f3ca8a3d2a5ebd7158d9e889d25c3e8558f913bf9fced104701632
SHA512

82510203f15a697834a8645c70e658172eb8a9b169137592ad2366bef3fd513d89a4d1aafe06c043dba4039da68601a8e849f5ccd65921f3245885f469239c0d
SSDEEP

393216:x5bswfxAA3E3zhwVcAStwvz/ZDJP34dwJOIUSnDTfD:x5bsw+A3+zhwoqbZDJP3xOIUkDLD

Score

7^/10

collection discovery evasion impact persistence

Malware Config

Signatures

Queries information about running processes on the device 1 TTPs 3 IoCs

Application may abuse the framework's APIs to collect information about running processes on the device.

discovery

Process Discovery

T1424

description	ioc	Process
Framework service call	android.app.IActivityManager.getRunningAppProcesses	com.smile.gifmaker:bdservice_v1
Framework service call	android.app.IActivityManager.getRunningAppProcesses	com.smile.gifmaker:remote
Framework service call	android.app.IActivityManager.getRunningAppProcesses	com.smile.gifmaker

Queries information about the current nearby Wi-Fi networks 1 TTPs 1 IoCs

Application may abuse the framework's APIs to collect information about the current nearby Wi-Fi networks.

discovery

System Network Connections Discovery

T1421

description	ioc	Process
Framework service call	android.net.wifi.IWifiManager.getScanResults	com.smile.gifmaker:remote

Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Requests cell location 2 TTPs 1 IoCs

Uses Android APIs to to get current cell location.

collection discovery evasion

Location Tracking

T1430

Geofencing

T1627.001

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getCellLocation	com.smile.gifmaker:remote

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org 1 IoCs

flow	ioc
8	alog.umeng.com

Queries information about active data network 1 TTPs 2 IoCs

discovery

System Network Connections Discovery

T1421

description	ioc	Process
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.smile.gifmaker:remote
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.smile.gifmaker

Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs

Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

discovery

System Network Connections Discovery

T1421

description	ioc	Process
Framework service call	android.net.wifi.IWifiManager.getConnectionInfo	com.smile.gifmaker

Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 3 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	com.smile.gifmaker
Framework service call	android.app.IActivityManager.registerReceiver	com.smile.gifmaker:bdservice_v1
Framework service call	android.app.IActivityManager.registerReceiver	com.smile.gifmaker:remote

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 2 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.smile.gifmaker
Framework API call	javax.crypto.Cipher.doFinal	com.smile.gifmaker:remote

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	com.smile.gifmaker

com.smile.gifmaker
1⤵
- Queries information about running processes on the device
- Queries information about active data network
- Queries information about the current Wi-Fi connection
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
PID:4172

com.smile.gifmaker:bdservice_v1
1⤵
- Queries information about running processes on the device
- Registers a broadcast receiver at runtime (usually for listening for system events)
PID:4236

com.smile.gifmaker:remote
1⤵
- Queries information about running processes on the device
- Queries information about the current nearby Wi-Fi networks
- Requests cell location
- Queries information about active data network
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
PID:4267

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Privilege Escalation

Defense Evasion

Execution Guardrails

T1627

Geofencing

T1627.001

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Discovery

Location Tracking

T1430

Process Discovery

T1424

System Information Discovery

T1426

System Network Configuration Discovery

T1422

System Network Connections Discovery

T1421

Lateral Movement

Collection

Location Tracking

T1430

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.smile.gifmaker/databases/google_analytics_v4.db

Filesize
4KB

MD5
d5aeb8414523e7e4e47162298b6b6815

SHA1
d8ea406b5426efe0ed927e957cae17339c838068

SHA256
ce2964a4da2cf76fded1d0103f47393ddbac78e2532e236f6eeb2e8bcafef0ee

SHA512
d4f671344c5266c9252fddee2b064a37a639b45a4e30cab6a252f6652d6d70749d1ad2ae9d195d99fab10b3aae8e014cae92178df8b037eca8ad46b72c1cbaa2

Download Submit
/data/data/com.smile.gifmaker/databases/google_analytics_v4.db-journal

Filesize
512B

MD5
28aa76fa325329fb554b35828f517690

SHA1
428167c98df04d8465c7a0865636dd844a65ea5b

SHA256
65bdde0d6084cd7b21e3ccdf306fa65ecc4acb21b05485677cd55339ed8870a0

SHA512
0f514223e30d693f6b49ddd84b58aa38922e1c4ca2cf07f50c7d796184c67108d20efb5c9f8365019d3917ed9d2e8c42a2564af51fd8ebff61345265021d86be

Download Submit
/data/data/com.smile.gifmaker/databases/google_analytics_v4.db-shm

Filesize
32KB

MD5
3bc1f072a0de0314dc3d8d1dcfbc992b

SHA1
00745aeae33221dd2efb9d34e647777460c7eecc

SHA256
622784ebd10f0b38785cb07f23fe16a578d41b5274486458b346ad7af6b3cd64

SHA512
422d5b1e81685f1ebdbbc256d7170f2c7ca84e0be08958bc0f1a0ab38e17f32552d025a99222cbca07da7a58a7e59cbcb07daec49737fd07dd57ecc075f5f5a8

Download Submit
/data/data/com.smile.gifmaker/databases/google_analytics_v4.db-wal

Filesize
60KB

MD5
4c43fa362b263b42cb931b92f5917d1d

SHA1
a88f518ecb5d3786b49f1b60312d40c41be212f7

SHA256
acb71cbb8fa0040032b0cfc7d7c4fa9dac9fd501fff40510f14bcffcb309c5e5

SHA512
71a61156696b020b8198dfe9780ba90fad25b513e5653e6bdfe759775d34e3bd04022a524bbefd9c4a28135b7570bb41f18395236d5a5e338a956c4518e05296

Download Submit
/data/data/com.smile.gifmaker/files/gaClientId

Filesize
52KB

MD5
acf382d3ec346b5e1eb618ea9083327c

SHA1
25549a362948a24d217be36ec4c208315356bd48

SHA256
7fa4f6ffc1bc065ce6956d0c87bb4e098fcbf6e134850cfe618ca25d71b6fe76

SHA512
b1b8d57a80b08302df138169c6e6e88e7f80ffa8919b6a3fc9f5ebe1d3076dec3788f0e35af3c0f314a302f7cc071ae2e2de62c2b89d4fe84505b665c8965512

Download Submit
/data/data/com.smile.gifmaker/files/umeng_it.cache

Filesize
28KB

MD5
4b4881a9e8502434db307f00db7c687e

SHA1
0280b61ba20c2249c4be44fdb5bbb73c1bcc2097

SHA256
935badd937c5ed45235f5fed30e612fd917de0e3808760a5b7d7e700735b4667

SHA512
a14831f6be72eb1d25544a37ccf6d148f797b74241cbfbf73b5ef19f301f18a370776b859eb402ad0ff1944f04ffdbd598d5b8473dfef74bf8c6838dd21c26b6

Download Submit
/storage/emulated/0/Android/data/com.smile.gifmaker/cache/.cache/journal.tmp

Filesize
31B

MD5
8c92de9ce46d41a22f3b20f77404cc1d

SHA1
8671a6dca00edb72be47363a7071be65cf270373

SHA256
68bb33ddeed9200be85a71f70b377985f9ee68e91578afbde8321463396f1274

SHA512
30f45fe9954215d6adafcc8f0a060a7ff41963a64f9b849a37f0d18fe045038d429ec13bf15226769c4ba78dad3c52f3d9e0dbbb4fcdea4828a1efe956e48f56

Download Submit
/storage/emulated/0/baidu/tempdata/conlts.dat

Filesize
158B

MD5
98dcc72d05e9a7a15b0587df5a49f931

SHA1
abbd8e2549d604ef3ba2fecb43a48cddcbbd2c44

SHA256
1edf13415b4f4b922c6e5a9845512e272eb54ef387608b754e6be6c7aae1f2af

SHA512
11a3a6037ad1d96ac9b6dc0488793d0df1b27c13b593d1e14fad852c8bb166f282403befa156d6bb073bc8169f111d7a74d24aa0c20e8b039b02851a65e9a0ef

Download Submit
/storage/emulated/0/baidu/tempdata/conlts.dat

Filesize
905B

MD5
d295c872d083d72b6c0be06e77251c1c

SHA1
5ce01f82ce7fb8f57d44a4e21669c491171fa916

SHA256
13081c06ecfa6bcd9fa0e9db7b836fdb7813095524f19bd035c779d7fb07c459

SHA512
a5a5feaa8bcaafe432dd4c47964cdf0c61560bd2b94c5a4f5c8a933507be7d5f8759615aab6af8a12c2fcfad14400945e7a44b6febe6adac849fccc484d6e4bb

Download Submit
/storage/emulated/0/baidu/tempdata/yoh.dat

Filesize
24B

MD5
a936690571e9104e1922dda4a0ba5bd1

SHA1
65f49c57edde2f96be2a1dbdfc3f7351f1e66554

SHA256
f0f5049c51879dd7da0ce4a43349b5b34ce053d072a0ca704f62cf22ba4a8412

SHA512
3be1c3693963aebdfc04e86b1c820ee0ec3cf0b200e6a4788ef1141f39fd6c2f77f4227247ae4affa66c0a6c027df8466cc0dcec1e67ebfb953e36bee97de394

Download Submit
/storage/emulated/0/baidu/tempdata/yoh.dat

Filesize
24B

MD5
1681ffc6e046c7af98c9e6c232a3fe0a

SHA1
d3399b7262fb56cb9ed053d68db9291c410839c4

SHA256
9d908ecfb6b256def8b49a7c504e6c889c4b0e41fe6ce3e01863dd7b61a20aa0

SHA512
11bb994b5d2eab48b18667c7d8943e82c9011cb1d974304b8f2b6247a7e6b7f55ca2f7c62893644c3728d17dafd74ae3ba46271cf6287bb9e751c779a26fefc5

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads