Analysis
max time kernel: 166s
max time network: 188s
platform: android_x86
resource: android-x86-arm-20240611.1-en
resource tags: android, arch:arm, arch:x86, image:android-x86-arm-20240611.1-en, locale:en-us, os:android-9-x86, system
submitted: 18-06-2024 06:51
Static task: static1
Behavioral task: behavioral1
Sample: bb2de25e537542f093009b6aadc57198_JaffaCakes118.apk
Resource: android-x86-arm-20240611.1-en
General
Target: bb2de25e537542f093009b6aadc57198_JaffaCakes118.apk
Size: 31.5MB
MD5: bb2de25e537542f093009b6aadc57198
SHA1: 4b29c638fd4d343497150e7975e73403c9ca597a
SHA256: 5021f2b565e786d7030ed2db6839b9274f2512e91f96ee536fc7173d70d0f205
SHA512: 7c659dd731bac18bdb2d99c07b85f24b304048bc0b78a58c853ee8abccd9904ff2b002a2b0ac3efb918837198d2886e49a5220cd1054f15a8d7aca6c75388b4d
SSDEEP: 786432:eE8xNafc2+s3iBJgm3xJVTcbXodYS3D0O1ou:eEGac2r3id3x8keSz0Lu
Malware Config
Signatures
Checks if the Android device is rooted. (1 TTPs, 6 IoCs)
Processes: com.yewang.beautytalk, com.yewang.beautytalk:ipc, io.rong.push, /system/bin/sh -c type su, com.yewang.beautytalk:EmulatorCheckService, /system/bin/sh -c type su
IoCs (ioc, process):
- /system/app/Superuser.apk (process: com.yewang.beautytalk)
- /system/app/Superuser.apk (process: com.yewang.beautytalk:ipc)
- /system/app/Superuser.apk (process: io.rong.push)
- /sbin/su (process: /system/bin/sh -c type su)
- /system/app/Superuser.apk (process: com.yewang.beautytalk:EmulatorCheckService)
- /sbin/su (process: /system/bin/sh -c type su)

Checks Android system properties for emulator presence. (1 TTPs, 4 IoCs)
Processes: com.yewang.beautytalk, com.yewang.beautytalk:ipc, io.rong.push, com.yewang.beautytalk:EmulatorCheckService
IoCs (description, process):
- Accessed system property key: ro.product.model (process: com.yewang.beautytalk)
- Accessed system property key: ro.product.model (process: com.yewang.beautytalk:ipc)
- Accessed system property key: ro.product.model (process: io.rong.push)
- Accessed system property key: ro.product.model (process: com.yewang.beautytalk:EmulatorCheckService)

Obtains sensitive information copied to the device clipboard (2 TTPs, 4 IoCs)
Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
Processes: io.rong.push, com.yewang.beautytalk:EmulatorCheckService, com.yewang.beautytalk, com.yewang.beautytalk:ipc
IoCs (description, process):
- Framework service call android.content.IClipboard.addPrimaryClipChangedListener (process: io.rong.push)
- Framework service call android.content.IClipboard.addPrimaryClipChangedListener (process: com.yewang.beautytalk:EmulatorCheckService)
- Framework service call android.content.IClipboard.addPrimaryClipChangedListener (process: com.yewang.beautytalk)
- Framework service call android.content.IClipboard.addPrimaryClipChangedListener (process: com.yewang.beautytalk:ipc)

Queries information about running processes on the device (1 TTPs, 4 IoCs)
Application may abuse the framework's APIs to collect information about running processes on the device.
Processes: com.yewang.beautytalk:ipc, io.rong.push, com.yewang.beautytalk:EmulatorCheckService, com.yewang.beautytalk
IoCs (description, process):
- Framework service call android.app.IActivityManager.getRunningAppProcesses (process: com.yewang.beautytalk:ipc)
- Framework service call android.app.IActivityManager.getRunningAppProcesses (process: io.rong.push)
- Framework service call android.app.IActivityManager.getRunningAppProcesses (process: com.yewang.beautytalk:EmulatorCheckService)
- Framework service call android.app.IActivityManager.getRunningAppProcesses (process: com.yewang.beautytalk)

Requests cell location (2 TTPs, 1 IoCs)
Uses Android APIs to get the current cell location.
Processes: com.yewang.beautytalk
IoCs (description, process):
- Framework service call com.android.internal.telephony.ITelephony.getCellLocation (process: com.yewang.beautytalk)

Queries information about active data network (1 TTPs, 4 IoCs)
Processes: com.yewang.beautytalk, com.yewang.beautytalk:ipc, io.rong.push, com.yewang.beautytalk:EmulatorCheckService
IoCs (description, process):
- Framework service call android.net.IConnectivityManager.getActiveNetworkInfo (process: com.yewang.beautytalk)
- Framework service call android.net.IConnectivityManager.getActiveNetworkInfo (process: com.yewang.beautytalk:ipc)
- Framework service call android.net.IConnectivityManager.getActiveNetworkInfo (process: io.rong.push)
- Framework service call android.net.IConnectivityManager.getActiveNetworkInfo (process: com.yewang.beautytalk:EmulatorCheckService)

Queries information about the current Wi-Fi connection (1 TTPs, 3 IoCs)
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
Processes: com.yewang.beautytalk:EmulatorCheckService, com.yewang.beautytalk, io.rong.push
IoCs (description, process):
- Framework service call android.net.wifi.IWifiManager.getConnectionInfo (process: com.yewang.beautytalk:EmulatorCheckService)
- Framework service call android.net.wifi.IWifiManager.getConnectionInfo (process: com.yewang.beautytalk)
- Framework service call android.net.wifi.IWifiManager.getConnectionInfo (process: io.rong.push)

Reads information about phone network operator. (1 TTPs)

Listens for changes in the sensor environment (might be used to detect emulation) (1 TTPs, 1 IoCs)
Processes: com.yewang.beautytalk
IoCs (description, process):
- Framework API call android.hardware.SensorManager.registerListener (process: com.yewang.beautytalk)

Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTPs, 4 IoCs)
Processes: io.rong.push, com.yewang.beautytalk:EmulatorCheckService, com.yewang.beautytalk, com.yewang.beautytalk:ipc
IoCs (description, process):
- Framework service call android.app.IActivityManager.registerReceiver (process: io.rong.push)
- Framework service call android.app.IActivityManager.registerReceiver (process: com.yewang.beautytalk:EmulatorCheckService)
- Framework service call android.app.IActivityManager.registerReceiver (process: com.yewang.beautytalk)
- Framework service call android.app.IActivityManager.registerReceiver (process: com.yewang.beautytalk:ipc)

Uses Crypto APIs (Might try to encrypt user data) (1 TTPs, 2 IoCs)
Processes: io.rong.push, com.yewang.beautytalk:EmulatorCheckService
IoCs (description, process):
- Framework API call javax.crypto.Cipher.doFinal (process: io.rong.push)
- Framework API call javax.crypto.Cipher.doFinal (process: com.yewang.beautytalk:EmulatorCheckService)

Checks CPU information (2 TTPs, 1 IoCs)
Processes: com.yewang.beautytalk
IoCs (description, process):
- File opened for read /proc/cpuinfo (process: com.yewang.beautytalk)

Checks memory information (2 TTPs, 4 IoCs)
Processes: com.yewang.beautytalk:ipc, io.rong.push, com.yewang.beautytalk:EmulatorCheckService, com.yewang.beautytalk
IoCs (description, process):
- File opened for read /proc/meminfo (process: com.yewang.beautytalk:ipc)
- File opened for read /proc/meminfo (process: io.rong.push)
- File opened for read /proc/meminfo (process: com.yewang.beautytalk:EmulatorCheckService)
- File opened for read /proc/meminfo (process: com.yewang.beautytalk)
Processes
- com.yewang.beautytalk (PID 4265)
  - Checks if the Android device is rooted.
  - Checks Android system properties for emulator presence.
  - Obtains sensitive information copied to the device clipboard
  - Queries information about running processes on the device
  - Requests cell location
  - Queries information about active data network
  - Queries information about the current Wi-Fi connection
  - Listens for changes in the sensor environment (might be used to detect emulation)
  - Registers a broadcast receiver at runtime (usually for listening for system events)
  - Checks CPU information
  - Checks memory information
  - Child process: /system/bin/sh -c getprop (PID 4409)
  - Child process: getprop (PID 4409)
- com.yewang.beautytalk:ipc (PID 4318)
  - Checks if the Android device is rooted.
  - Checks Android system properties for emulator presence.
  - Obtains sensitive information copied to the device clipboard
  - Queries information about running processes on the device
  - Queries information about active data network
  - Registers a broadcast receiver at runtime (usually for listening for system events)
  - Checks memory information
- io.rong.push (PID 4335)
  - Checks if the Android device is rooted.
  - Checks Android system properties for emulator presence.
  - Obtains sensitive information copied to the device clipboard
  - Queries information about running processes on the device
  - Queries information about active data network
  - Queries information about the current Wi-Fi connection
  - Registers a broadcast receiver at runtime (usually for listening for system events)
  - Uses Crypto APIs (Might try to encrypt user data)
  - Checks memory information
  - Child process: /system/bin/sh -c getprop (PID 4593)
  - Child process: getprop (PID 4593)
  - Child process: /system/bin/sh -c type su (PID 4654)
    - Checks if the Android device is rooted.
- com.yewang.beautytalk:EmulatorCheckService (PID 4469)
  - Checks if the Android device is rooted.
  - Checks Android system properties for emulator presence.
  - Obtains sensitive information copied to the device clipboard
  - Queries information about running processes on the device
  - Queries information about active data network
  - Queries information about the current Wi-Fi connection
  - Registers a broadcast receiver at runtime (usually for listening for system events)
  - Uses Crypto APIs (Might try to encrypt user data)
  - Checks memory information
  - Child process: /system/bin/sh -c getprop (PID 4687)
  - Child process: getprop (PID 4687)
  - Child process: /system/bin/sh -c type su (PID 4717)
    - Checks if the Android device is rooted.
Network
MITRE ATT&CK Mobile v15
Defense Evasion
- Execution Guardrails (1)
  - Geofencing (1)
- Hide Artifacts (1)
  - User Evasion (1)
- Virtualization/Sandbox Evasion (3)
  - System Checks (3)
Downloads