Analysis
- max time kernel: 176s
- max time network: 166s
- platform: android_x86
- resource: android-x86-arm-20240611.1-en
- resource tags: android, arch:arm, arch:x86, image:android-x86-arm-20240611.1-en, locale:en-us, os:android-9-x86, system
- submitted: 18-06-2024 11:36
Static task
- static1
Behavioral tasks
- behavioral1: Sample bbb8a7bd3e3a2e95bebd3f2eff3dbfc5_JaffaCakes118.apk, Resource android-x86-arm-20240611.1-en
- behavioral2: Sample bbb8a7bd3e3a2e95bebd3f2eff3dbfc5_JaffaCakes118.apk, Resource android-x64-arm64-20240611.1-en
- behavioral3: Sample res.apk, Resource android-x86-arm-20240611.1-en
- behavioral4: Sample res.apk, Resource android-x64-20240611.1-en
- behavioral5: Sample res.apk, Resource android-x64-arm64-20240611.1-en
General
- Target: bbb8a7bd3e3a2e95bebd3f2eff3dbfc5_JaffaCakes118.apk
- Size: 4.8MB
- MD5: bbb8a7bd3e3a2e95bebd3f2eff3dbfc5
- SHA1: 073d263d52454bd8ba8f37db608776a31f8ba101
- SHA256: 655fc59ddaaf991fa6eccc1b2ade197a19eb5fc449d3be93ef6e7d3a5810ac63
- SHA512: 9dcac9ee70d3f860ad087e90f722f652e0f153f3cff63120d8ce4b48f54980152996f12d3b12efc1224276ce46f69218b31569b158e1216a03a1bcda7305b625
- SSDEEP: 98304:GEa4kgEmlKQaRYSieg4I3Usb8Q7JofxcKBJD+DL6APu17A:79kOraseg46QQClK3KA
Malware Config
Signatures
- Checks if the Android device is rooted. (1 TTPs, 2 IoCs)
  Processes: com.snowfish.a.a.bg
  ioc | process
  /system/bin/su | com.snowfish.a.a.bg
  /system/xbin/su | com.snowfish.a.a.bg
- Checks Android system properties for emulator presence. (1 TTPs, 1 IoCs)
  Processes: com.game.songpoetry.yunyingshangno1
  description | ioc | process
  Accessed system property key | ro.product.model | com.game.songpoetry.yunyingshangno1
- Loads dropped Dex/Jar (1 TTPs, 3 IoCs)
  Runs executable file dropped to the device during analysis.
  Processes: /system/bin/dex2oat, com.game.songpoetry.yunyingshangno1, com.snowfish.a.a.bg
  ioc | pid | process
  /storage/emulated/0/Sonnenblume/res.apk | 4323 | /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/storage/emulated/0/Sonnenblume/res.apk --output-vdex-fd=49 --oat-fd=50 --oat-location=/storage/emulated/0/Sonnenblume/oat/x86/res.odex --compiler-filter=quicken --class-loader-context=&
  /storage/emulated/0/Sonnenblume/res.apk | 4292 | com.game.songpoetry.yunyingshangno1
  /storage/emulated/0/Sonnenblume/res.apk | 4357 | com.snowfish.a.a.bg
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) (1 TTPs)
- Queries information about active data network (1 TTPs, 2 IoCs)
  Processes: com.game.songpoetry.yunyingshangno1, com.snowfish.a.a.bg
  description | ioc | process
  Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | com.game.songpoetry.yunyingshangno1
  Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | com.snowfish.a.a.bg
- Queries information about the current Wi-Fi connection (1 TTPs, 1 IoCs)
  Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
  Processes: com.snowfish.a.a.bg
  description | ioc | process
  Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | com.snowfish.a.a.bg
- Queries the mobile country code (MCC) (1 TTPs, 1 IoCs)
  Processes: com.game.songpoetry.yunyingshangno1
  description | ioc | process
  Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | com.game.songpoetry.yunyingshangno1
- Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTPs, 2 IoCs)
  Processes: com.snowfish.a.a.bg, com.game.songpoetry.yunyingshangno1
  description | ioc | process
  Framework service call | android.app.IActivityManager.registerReceiver | com.snowfish.a.a.bg
  Framework service call | android.app.IActivityManager.registerReceiver | com.game.songpoetry.yunyingshangno1
- Checks CPU information (2 TTPs, 1 IoCs)
  Processes: com.snowfish.a.a.bg
  description | ioc | process
  File opened for read | /proc/cpuinfo | com.snowfish.a.a.bg
- Checks memory information (2 TTPs, 2 IoCs)
  Processes: com.game.songpoetry.yunyingshangno1, com.snowfish.a.a.bg
  description | ioc | process
  File opened for read | /proc/meminfo | com.game.songpoetry.yunyingshangno1
  File opened for read | /proc/meminfo | com.snowfish.a.a.bg
Processes
- com.game.songpoetry.yunyingshangno1 (PID:4292)
  - Checks Android system properties for emulator presence.
  - Loads dropped Dex/Jar
  - Queries information about active data network
  - Queries the mobile country code (MCC)
  - Registers a broadcast receiver at runtime (usually for listening for system events)
  - Checks memory information
  - Child process: /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/storage/emulated/0/Sonnenblume/res.apk --output-vdex-fd=49 --oat-fd=50 --oat-location=/storage/emulated/0/Sonnenblume/oat/x86/res.odex --compiler-filter=quicken --class-loader-context=& (PID:4323)
    - Loads dropped Dex/Jar
- com.snowfish.a.a.bg (PID:4357)
  - Checks if the Android device is rooted.
  - Loads dropped Dex/Jar
  - Queries information about active data network
  - Queries information about the current Wi-Fi connection
  - Registers a broadcast receiver at runtime (usually for listening for system events)
  - Checks CPU information
  - Checks memory information
Network
MITRE ATT&CK Mobile v15
- Defense Evasion
  - Download New Code at Runtime (1)
  - Virtualization/Sandbox Evasion (3)
    - System Checks (3)
Downloads