Analysis
- max time kernel: 179s
- max time network: 177s
- platform: android_x86
- resource: android-x86-arm-20240611.1-en
- resource tags: android, arch:arm, arch:x86, image:android-x86-arm-20240611.1-en, locale:en-us, os:android-9-x86, system
- submitted: 18-06-2024 14:54
Static task: static1
Behavioral task: behavioral1
- Sample: bc888e0a545113b7caffd6affa1e2469_JaffaCakes118.apk
- Resource: android-x86-arm-20240611.1-en
Behavioral task: behavioral2
- Sample: bc888e0a545113b7caffd6affa1e2469_JaffaCakes118.apk
- Resource: android-33-x64-arm64-20240611.1-en
Behavioral task: behavioral3
- Sample: res.apk
- Resource: android-x86-arm-20240611.1-en
Behavioral task: behavioral4
- Sample: res.apk
- Resource: android-x64-20240611.1-en
Behavioral task: behavioral5
- Sample: res.apk
- Resource: android-x64-arm64-20240611.1-en
General
- Target: bc888e0a545113b7caffd6affa1e2469_JaffaCakes118.apk
- Size: 3.5MB
- MD5: bc888e0a545113b7caffd6affa1e2469
- SHA1: 0fcb64d448b6925510f31b86f44324629e57f2a6
- SHA256: f08c7ae8ab6150b3f98e27ee85b6565dc97f501692bb40351b4e52e7540b7425
- SHA512: 8329bcfa05b8f1791ea3bbf0a52f65e3777d29a14d0ab8e0616fd4450e3b29bcfe3115efe2f8d508f72be744e97e9db9fa2b5f136938e81282c38e78599e482e
- SSDEEP: 98304:dkZGAIpRy0kSkJp6Cbe4Xme4X9e4XPe4Xee4Xg:dkZGdXy0bJceFHGo
Malware Config
Signatures
- Checks if the Android device is rooted. (1 TTPs, 4 IoCs)
  Processes:
    ioc               process
    /system/bin/su    com.ccmlmv.bt.qipa
    /system/xbin/su   com.ccmlmv.bt.qipa
    /system/bin/su    com.snowfish.a.a.bg
    /system/xbin/su   com.snowfish.a.a.bg
- Checks known Qemu files. (1 TTPs, 2 IoCs)
  Checks for known Qemu files that exist on Android virtual device images.
  Processes:
    ioc               process
    /sys/qemu_trace   com.ccmlmv.bt.qipa
    /sys/qemu_trace   com.snowfish.a.a.bg
- Checks known Qemu pipes. (1 TTPs, 2 IoCs)
  Checks for known pipes used by the Android emulator to communicate with the host.
  Processes:
    ioc                 process
    /dev/socket/qemud   com.ccmlmv.bt.qipa
    /dev/socket/qemud   com.snowfish.a.a.bg
- Loads dropped Dex/Jar (1 TTPs, 2 IoCs)
  Runs executable file dropped to the device during analysis.
  Processes:
    ioc                                       pid    process
    /storage/emulated/0/Sonnenblume/res.apk   4174   com.ccmlmv.bt.qipa
    /storage/emulated/0/Sonnenblume/res.apk   4388   com.snowfish.a.a.bg
- Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 TTPs)
- Queries the phone number (MSISDN for GSM devices) (1 TTPs)
- Queries information about active data network (1 TTPs, 2 IoCs)
  Processes:
    description              ioc                                                    process
    Framework service call   android.net.IConnectivityManager.getActiveNetworkInfo   com.ccmlmv.bt.qipa
    Framework service call   android.net.IConnectivityManager.getActiveNetworkInfo   com.snowfish.a.a.bg
- Queries information about the current Wi-Fi connection (1 TTPs, 2 IoCs)
  Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
  Processes:
    description              ioc                                             process
    Framework service call   android.net.wifi.IWifiManager.getConnectionInfo   com.ccmlmv.bt.qipa
    Framework service call   android.net.wifi.IWifiManager.getConnectionInfo   com.snowfish.a.a.bg
- Queries the mobile country code (MCC) (1 TTPs, 1 IoCs)
  Processes:
    description              ioc                                                                      process
    Framework service call   com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone   com.ccmlmv.bt.qipa
- Reads information about phone network operator. (1 TTPs)
- Listens for changes in the sensor environment (might be used to detect emulation) (1 TTPs, 1 IoCs)
  Processes:
    description          ioc                                                process
    Framework API call   android.hardware.SensorManager.registerListener   com.ccmlmv.bt.qipa
- Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTPs, 2 IoCs)
  Processes:
    description              ioc                                               process
    Framework service call   android.app.IActivityManager.registerReceiver   com.ccmlmv.bt.qipa
    Framework service call   android.app.IActivityManager.registerReceiver   com.snowfish.a.a.bg
- Uses Crypto APIs (might try to encrypt user data) (1 TTPs, 1 IoCs)
  Processes:
    description          ioc                           process
    Framework API call   javax.crypto.Cipher.doFinal   com.ccmlmv.bt.qipa
- Checks CPU information (2 TTPs, 10 IoCs)
  Processes:
    description            ioc             process
    File opened for read   /proc/cpuinfo   com.snowfish.a.a.bg
    File opened for read   /proc/cpuinfo   /system/bin/cat /proc/cpuinfo
    File opened for read   /proc/cpuinfo   /system/bin/cat /proc/cpuinfo
    File opened for read   /proc/cpuinfo   /system/bin/cat /proc/cpuinfo
    File opened for read   /proc/cpuinfo   /system/bin/cat /proc/cpuinfo
    File opened for read   /proc/cpuinfo   /system/bin/cat /proc/cpuinfo
    File opened for read   /proc/cpuinfo   /system/bin/cat /proc/cpuinfo
    File opened for read   /proc/cpuinfo   com.ccmlmv.bt.qipa
    File opened for read   /proc/cpuinfo   /system/bin/cat /proc/cpuinfo
    File opened for read   /proc/cpuinfo   /system/bin/cat /proc/cpuinfo
- Checks memory information (2 TTPs, 2 IoCs)
  Processes:
    description            ioc             process
    File opened for read   /proc/meminfo   com.ccmlmv.bt.qipa
    File opened for read   /proc/meminfo   com.snowfish.a.a.bg
Processes
- com.ccmlmv.bt.qipa (PID 4174)
  - Checks if the Android device is rooted.
  - Checks known Qemu files.
  - Checks known Qemu pipes.
  - Loads dropped Dex/Jar
  - Queries information about active data network
  - Queries information about the current Wi-Fi connection
  - Queries the mobile country code (MCC)
  - Listens for changes in the sensor environment (might be used to detect emulation)
  - Registers a broadcast receiver at runtime (usually for listening for system events)
  - Uses Crypto APIs (might try to encrypt user data)
  - Checks CPU information
  - Checks memory information
  Child processes:
  - cat /sys/block/mmcblk0/device/cid (PID 4285)
  - cat /sys/block/mmcblk0/device/cid (PID 4416)
  - /system/bin/cat /proc/cpuinfo (PID 4434): Checks CPU information
  - /system/bin/cat /proc/cpuinfo (PID 4478): Checks CPU information
- com.snowfish.a.a.bg (PID 4388)
  - Checks if the Android device is rooted.
  - Checks known Qemu files.
  - Checks known Qemu pipes.
  - Loads dropped Dex/Jar
  - Queries information about active data network
  - Queries information about the current Wi-Fi connection
  - Registers a broadcast receiver at runtime (usually for listening for system events)
  - Checks CPU information
  - Checks memory information
  Child processes:
  - /system/bin/cat /proc/cpuinfo (PID 4455): Checks CPU information
  - /system/bin/cat /proc/cpuinfo (PID 4534): Checks CPU information
  - /system/bin/cat /proc/cpuinfo (PID 4566): Checks CPU information
  - /system/bin/cat /proc/cpuinfo (PID 4597): Checks CPU information
  - /system/bin/cat /proc/cpuinfo (PID 4634): Checks CPU information
  - /system/bin/cat /proc/cpuinfo (PID 4664): Checks CPU information
Network
MITRE ATT&CK Mobile v15
Defense Evasion
- Download New Code at Runtime (1)
- Hide Artifacts (1)
- User Evasion (1)
- Virtualization/Sandbox Evasion (4)
- System Checks (4)
Downloads