7e2f2b9a922ed78f3b6e86686e8d62b42eb318f1934eadd2cb4fbc07745a2d70

General

Target

149bcad869ed2d1317da524eca2485e5_JaffaCakes118.apk
Size

4.3MB
MD5

149bcad869ed2d1317da524eca2485e5
SHA1

2cc42f48b4644a164643eb354e6a67ac87eca467
SHA256

7e2f2b9a922ed78f3b6e86686e8d62b42eb318f1934eadd2cb4fbc07745a2d70
SHA512

ccbf7a571e8019289629331ddb0f7dafe36a3a8c7f538436f8c240f5e2bfeff9820d2ef1f23e8a0144897608eaeb92ff856edf46869e4b4720f1b55f6fd357ff
SSDEEP

98304:Wmd+L9Eu9QacdWXi6N3UD7+WFLXIVnUWJODIW2xd1YOt4yd54kOg:WmpacCbQaWFLXIVOIpd60LdOkOg

Score

8^/10

collection credential_access discovery evasion impact persistence

Malware Config

Signatures

Checks if the Android device is rooted. 1 TTPs 2 IoCs

evasion

System Information Discovery

T1426

ioc	Process
/system/bin/su	com.mmnimlmlmcmpmejhjo.tlbb
/system/xbin/su	com.mmnimlmlmcmpmejhjo.tlbb

Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

collection credential_access impact

Clipboard Data

T1414

Transmitted Data Manipulation

T1641.001

description	ioc	Process
Framework service call	android.content.IClipboard.addPrimaryClipChangedListener	com.mmnimlmlmcmpmejhjo.tlbb

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org 1 IoCs

flow	ioc
23	alog.umeng.com

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

evasion persistence

Foreground Persistence

T1541

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	com.mmnimlmlmcmpmejhjo.tlbb

Queries information about active data network 1 TTPs 1 IoCs

discovery

System Network Connections Discovery

T1421

description	ioc	Process
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.mmnimlmlmcmpmejhjo.tlbb

Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs

Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

discovery

System Network Connections Discovery

T1421

description	ioc	Process
Framework service call	android.net.wifi.IWifiManager.getConnectionInfo	com.mmnimlmlmcmpmejhjo.tlbb

Listens for changes in the sensor environment (might be used to detect emulation) 1 TTPs 1 IoCs

evasion

User Evasion

T1628.002

description	ioc	Process
Framework API call	android.hardware.SensorManager.registerListener	com.mmnimlmlmcmpmejhjo.tlbb

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	com.mmnimlmlmcmpmejhjo.tlbb

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	com.mmnimlmlmcmpmejhjo.tlbb

com.mmnimlmlmcmpmejhjo.tlbb
1⤵
- Checks if the Android device is rooted.
- Obtains sensitive information copied to the device clipboard
- Makes use of the framework's foreground persistence service
- Queries information about active data network
- Queries information about the current Wi-Fi connection
- Listens for changes in the sensor environment (might be used to detect emulation)
- Checks CPU information
- Checks memory information
PID:4502

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Foreground Persistence

1

T1541

Privilege Escalation

Defense Evasion

Foreground Persistence

1

T1541

Hide Artifacts

1

T1628

User Evasion

1

T1628.002

Virtualization/Sandbox Evasion

2

T1633

System Checks

2

T1633.001

Credential Access

Clipboard Data

1

T1414

Discovery

System Information Discovery

3

T1426

System Network Connections Discovery

2

T1421

Lateral Movement

Collection

Clipboard Data

1

T1414

Command and Control

Exfiltration

Impact

Data Manipulation

1

T1641

Transmitted Data Manipulation

1

T1641.001

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/com.mmnimlmlmcmpmejhjo.tlbb/files/eventservice.jar

Filesize
207KB

MD5
c423d532457425d4d0ee81da4c69d653

SHA1
5428a9ae4ce692a00a4f2540ba274c74ab698ebc

SHA256
0dad3c6d6d6e27028b0b46b729c2876506fc9851884a1a83019a66e1e99b75e5

SHA512
80b9764cd73bf56d9f726077ee2d3b84924ba5024c902f3614b2b9947db597c5a38f21f3bc43c1a2a2e3a66442a20f675be96913a14e95f21f617a25a9a64542

Download Submit
/data/user/0/com.mmnimlmlmcmpmejhjo.tlbb/files/script.atc

Filesize
130KB

MD5
58eb4d320cb797f0c06b79bc00a58f1b

SHA1
b4d58a4b93038300fafc8166a89aa7b57bd189ea

SHA256
c23fef6c6bf7302657da9ddf6dd821b34fbbcca7e450d5f422581bbf676ff56b

SHA512
c79952a9d0a40089897b243731b5566c7ce94f5c3c89e70a67c422877f6de8dc195c7a86ff9e3e8d381c2628309421733855e2a11d8e76f7b7682b491b665772

Download Submit
/data/user/0/com.mmnimlmlmcmpmejhjo.tlbb/files/script.cfg

Filesize
129B

MD5
ee7d1ef6ac21f1d1cfbd576314ccffa3

SHA1
25fd18ac1324f86fbaed7804948141327a1f3e8f

SHA256
0751e862ca548a919e233d78182aee2eb5077a382d73809d5f75446102383242

SHA512
9e8bbd70b9f2d99861519cfe92813f2789a29cdc477abd945f06a7e10b7c7df6e11feb372878f80013e8b1cdfa7ee4a6db41e86a6b64ece2c1f07537bb4c52cf

Download Submit
/data/user/0/com.mmnimlmlmcmpmejhjo.tlbb/files/script.lc

Filesize
34KB

MD5
43fbeb15cb014e7e01edb7a705214bc2

SHA1
08dbbd304bd3edc0c4fa59047aa57f737e5b864c

SHA256
d7f265cdea2992ad992637738f6c4da8d94407aa166caf5299bdb3b61af8f840

SHA512
a336cbf03824566f057a9f190df612b1844411672127d4fe8044510bba748d052806ee3f427dbf59cc6c2ca91c7367119f49acbc1ea8164b978fba4780cc34f8

Download Submit
/data/user/0/com.mmnimlmlmcmpmejhjo.tlbb/files/script.prop

Filesize
307B

MD5
7389ed9bf9aa952f51682a62d447faee

SHA1
d06122dae1eb072949d879495f84dc78e65bde13

SHA256
f378bb45f28ecc6a127f7fef955861f7b973a6f7a083bdb5b3e3755d4f436ad1

SHA512
9e4264330889e883f224c3410bfe75d7d3c20308a7faa46d60b97af5d8738f86f70f7ea976669cc0ede6eff4d9ab482ff16c6e5b1288d3eb7b7ed77b5c78b614

Download Submit
/data/user/0/com.mmnimlmlmcmpmejhjo.tlbb/files/script.rtd

Filesize
203KB

MD5
5ac8825e408b3be395f21436d3692f32

SHA1
7bade05a8957a8d21e6f33d584457322e06efd8b

SHA256
5d01d2427940cd343aa97c02fe69f1789cca208bc5a68d03ed96aca86717d55b

SHA512
d61d7070389bd89d34bc40a568c7e8b9454b4145bc6709decc2930d2dfbcb1fab18f97f5ed073b22afd54824ceab95adbab98fa0a6f1c07e0d5b53b8e88112d3

Download Submit
/data/user/0/com.mmnimlmlmcmpmejhjo.tlbb/files/script.ui

Filesize
5KB

MD5
826526bd5fff55aeee3ff8f1ec756100

SHA1
42c9c64970ef17dee87569e21da2946c7370443b

SHA256
544b1801349a067339bf517fe2a10a45f1ecc7ec497f04a041aacbce334b64c6

SHA512
6457078c13684fd4fa630eb319a99850b1c35d68a82e4430ba471abbde4c8fce8ffc9abef507204725c8accf994a152d138638e93468be9423fb59527bf9e97e

Download Submit
/data/user/0/com.mmnimlmlmcmpmejhjo.tlbb/files/start_eventsrv

Filesize
289B

MD5
1f14daf3144c521eb2e5fe07e65340cf

SHA1
33336abc5baa049f181b3b96ef33d76fa314e9af

SHA256
46c835b3563d3983d31c0b283206c88a0d71ac102ff2f239173d1d888bbd5a1a

SHA512
ad633a7234fea7480f08d0f92af1e8a2ebd3ffa11ffc6af1c75d5ab0c09d664d671d969fc450b190c68479a7b64e73a99d9a5c9875505eb40a0ec0a6ab257d0c

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads