Analysis
-
max time kernel
172s -
max time network
185s -
platform
android_x86 -
resource
android-x86-arm-20240611.1-en -
resource tags
androidarch:armarch:x86image:android-x86-arm-20240611.1-enlocale:en-usos:android-9-x86system -
submitted
18-06-2024 10:15
Static task
static1
Behavioral task
behavioral1
Sample
bb670adbc9250ed0ee160ef2a0399550_JaffaCakes118.apk
Resource
android-x86-arm-20240611.1-en
General
-
Target
bb670adbc9250ed0ee160ef2a0399550_JaffaCakes118.apk
-
Size
6.6MB
-
MD5
bb670adbc9250ed0ee160ef2a0399550
-
SHA1
a30b4877c613710627f1e5899a092509d842dcd5
-
SHA256
01755742a3164eef8b28727f5bb37b4f2fb7b20d32c84232d624070d2c0d000a
-
SHA512
9899a649a3e9b79cef67d14ad251f41c6236a43a037910d5857484e6d832cc4dbe163bfa7599dd125764ce5907a60eff7e5d57504a7b3bfbbf9aa134680bea28
-
SSDEEP
98304:zY2v/44GQs6oHT56xNO+wUCSxToDj0t+q3l3z3JMp5Eg4vHx3YrZ955x+wxZq:zYvlJ6oizOSxTAjWl3jW5EgaHNqJ5Ra
Malware Config
Signatures
-
Checks if the Android device is rooted. 1 TTPs 6 IoCs
ioc Process /sbin/su com.sogou.androidtool:push_service /system/app/Superuser.apk com.sogou.androidtool:remote_proxy /sbin/su /system/bin/sh -c type su /system/app/Superuser.apk com.sogou.androidtool:push_service /sbin/su /system/bin/sh -c type su /sbin/su com.sogou.androidtool:remote_proxy -
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries information about running processes on the device 1 TTPs 3 IoCs
Application may abuse the framework's APIs to collect information about running processes on the device.
description ioc Process Framework service call android.app.IActivityManager.getRunningAppProcesses com.sogou.androidtool:push_service Framework service call android.app.IActivityManager.getRunningAppProcesses com.sogou.androidtool Framework service call android.app.IActivityManager.getRunningAppProcesses com.sogou.androidtool:remote_proxy -
Requests cell location 2 TTPs 2 IoCs
Uses Android APIs to to get current cell location.
description ioc Process Framework service call com.android.internal.telephony.ITelephony.getCellLocation com.sogou.androidtool:remote_proxy Framework service call com.android.internal.telephony.ITelephony.getCellLocation com.sogou.androidtool:push_service -
Queries information about active data network 1 TTPs 2 IoCs
description ioc Process Framework service call android.net.IConnectivityManager.getActiveNetworkInfo com.sogou.androidtool:remote_proxy Framework service call android.net.IConnectivityManager.getActiveNetworkInfo com.sogou.androidtool:push_service -
Queries information about the current Wi-Fi connection 1 TTPs 2 IoCs
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
description ioc Process Framework service call android.net.wifi.IWifiManager.getConnectionInfo com.sogou.androidtool:remote_proxy Framework service call android.net.wifi.IWifiManager.getConnectionInfo com.sogou.androidtool:push_service -
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
description ioc Process Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone com.sogou.androidtool:push_service -
Reads information about phone network operator. 1 TTPs
-
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 3 IoCs
description ioc Process Framework service call android.app.IActivityManager.registerReceiver com.sogou.androidtool Framework service call android.app.IActivityManager.registerReceiver com.sogou.androidtool:remote_proxy Framework service call android.app.IActivityManager.registerReceiver com.sogou.androidtool:push_service -
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 2 IoCs
description ioc Process Framework API call javax.crypto.Cipher.doFinal com.sogou.androidtool:remote_proxy Framework API call javax.crypto.Cipher.doFinal com.sogou.androidtool:push_service -
Checks memory information 2 TTPs 2 IoCs
description ioc Process File opened for read /proc/meminfo com.sogou.androidtool:remote_proxy File opened for read /proc/meminfo com.sogou.androidtool:push_service
Processes
-
com.sogou.androidtool1⤵
- Queries information about running processes on the device
- Registers a broadcast receiver at runtime (usually for listening for system events)
PID:4264
-
com.sogou.androidtool:remote_proxy1⤵
- Checks if the Android device is rooted.
- Queries information about running processes on the device
- Requests cell location
- Queries information about active data network
- Queries information about the current Wi-Fi connection
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
- Checks memory information
PID:4294 -
/system/bin/sh -c getprop ro.board.platform2⤵PID:4600
-
-
getprop ro.board.platform2⤵PID:4600
-
-
/system/bin/sh -c type su2⤵
- Checks if the Android device is rooted.
PID:4630
-
-
com.sogou.androidtool:push_service1⤵
- Checks if the Android device is rooted.
- Queries information about running processes on the device
- Requests cell location
- Queries information about active data network
- Queries information about the current Wi-Fi connection
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
- Checks memory information
PID:4445 -
/system/bin/sh -c getprop ro.board.platform2⤵PID:4650
-
-
getprop ro.board.platform2⤵PID:4650
-
-
/system/bin/sh -c type su2⤵
- Checks if the Android device is rooted.
PID:4676
-
Network
MITRE ATT&CK Mobile v15
Defense Evasion
Execution Guardrails
1Geofencing
1Virtualization/Sandbox Evasion
1System Checks
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4KB
MD5f2b4b0190b9f384ca885f0c8c9b14700
SHA1934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA2560a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1
-
Filesize
169KB
MD51b90defca07012677644f54d6a2d81a0
SHA1076eb4f8c0cdf45aad79e930d35d7212e418b172
SHA25660c91116c68ee37f5af6e1e7b9cbdc55de3c3e64f2c7ea00e27a5aa58786b27a
SHA512acb453b33f7d6f490056136be8aedc0c19b6cf1da0088239d9212b7ca77fc0e072e35d1a7e4ab9f925cf6ea02b3f778e593a0923c2c27cbad4678f6b6dc52f0f
-
Filesize
32KB
MD5bb7df04e1b0a2570657527a7e108ae23
SHA15188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012
-
Filesize
160KB
MD5d7f321507911949887edf8b42b44b6af
SHA1ab2533915a648f41278177bda453b12994a3f2d5
SHA2561ba8eb47fc626fc4e007517e586e03b8b2d086f7269766636b77d3613c062f18
SHA5120fa92859eddc2571be2d2a07780ed5da72450302210e8734bf1567cca9f10bce888b3826c3f30b3c1ef299f17dc787338bf9f774d876f27e005b5465bdffbc51
-
Filesize
51B
MD5a83f28acf7ab63e4d937d8535c99c7a2
SHA12b3fe2ced56985d5bb0e0be943787cf28361cd22
SHA256ca1d6eb391a103fe13b8cbe85110cc96421bf0a4877e7416da7ad737ab796659
SHA512006021acd8a252f248809714f84cec408a3100c59c534a0effc98e28473b6bb27497e630c496482964c9c4bfb59f9430a6163eb222bf4897be0c5b199808c838
-
Filesize
62B
MD5437544e8643a15c7c48dca05345f3f2e
SHA19758aed9e9fd55cfe4ea055cc1c38cd68a59a02c
SHA25653c68bf861fb6d50f4ac089cb450f221f8620675a647ef9e7764ecbcae69883f
SHA51248a695a048665d3382af3113366220b2208123016473bb14d1f317236a712f1e33cddca490f272bce85c160e1634ff5c3530ca63213ed73590a1e7c1b20519e7
-
Filesize
43B
MD5e1fa811099adce7742a7b2118a2fbffa
SHA12f230a41189cddba9db22b6874f5cb6a9d8e2f81
SHA2561a889b06893ef7ef8caed589a6be9cc958669616f01303ff0089b8a447b317e7
SHA51253e9d3009c0c6efa87cc201bc3a209d7db43f9fee86b6f523256b5b3162f1975cf926249edcd9b45ed0a43a7c061ef8e6b0cc1bd1d0d6ce7d57458d92e0a1522
-
Filesize
56B
MD5078ea22edcf3907db1da7ae9db089539
SHA1d7cb163ef1418fa52d69f4af6e2ecb9c10a9f480
SHA2560e60627f3a58fcc31ae2cb4c0506417e370006ca78e33c2dfdcc8872c5aaaf7d
SHA512111a73ebd3e5aa67e44c0a8d2f109978dc3c5ec0b0bf4ba306b8b9ef4cbbf21e2df7caa67c302263b637a63fc3c230348ef223f1fc5563363abd00ea80451ff4
-
Filesize
63B
MD56e09b2f688e45f8a9b95ca0951a83c7d
SHA18b53d2d7742c4ac4d8b98c160a7f58df77e61d29
SHA256408131b62e789cfc1a2c11d1ad001e9eed4bd0f35d145395878d08425302267e
SHA512e76405e3f9bd806fb6f38eff7e042406dc643f1eda90e4e01ac920031bcb45dcaf516cb7df2d7cd4797b1d0827287d7f48ecd052aec10eaab089a97e72e9a70b