47204244088727aed359cdc4d7a5f3139f2821b0e11e6dacaca3c7269146ef12

Analysis

max time kernel
7s
max time network
136s
platform
android_x86
resource
android-x86-arm-20240624-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20240624-enlocale:en-usos:android-9-x86system
submitted
12/08/2024, 11:32

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

8e935020c94a5826fdd960cc25ef0fd6_JaffaCakes118.apk
Size

4.9MB
MD5

8e935020c94a5826fdd960cc25ef0fd6
SHA1

842816d57a5b716a39f281702bf733c75c58aa76
SHA256

47204244088727aed359cdc4d7a5f3139f2821b0e11e6dacaca3c7269146ef12
SHA512

c30787ab49c8127f23cc5616ccd91b1ec43bf565bbf450712003d35bed5cba38e2dba44c771b32c77a7a0014e4811af31e642b4a29d5de2dd18bb0bb6e74ba76
SSDEEP

98304:+3tJYtVtDpMuPXwPAB16YuDZTHZBPPh90xOOWu:oQDTT6YuDdvPD0xOo

Score

8^/10

collection discovery evasion impact

Malware Config

Signatures

Checks if the Android device is rooted. 1 TTPs 1 IoCs

evasion

System Information Discovery

T1426

ioc	Process
/sbin/su	protect.eye

Loads dropped Dex/Jar 1 TTPs 2 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/protect.eye/cache/db_fm.jar	4275	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/protect.eye/cache/db_fm.jar --output-vdex-fd=47 --oat-fd=48 --oat-location=/data/user/0/protect.eye/cache/oat/x86/db_fm.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/protect.eye/cache/db_fm.jar	4247	protect.eye

Queries information about running processes on the device 1 TTPs 1 IoCs

Application may abuse the framework's APIs to collect information about running processes on the device.

discovery

Process Discovery

T1424

description	ioc	Process
Framework service call	android.app.IActivityManager.getRunningAppProcesses	protect.eye

Queries information about the current nearby Wi-Fi networks 1 TTPs 1 IoCs

Application may abuse the framework's APIs to collect information about the current nearby Wi-Fi networks.

discovery

System Network Connections Discovery

T1421

description	ioc	Process
Framework service call	android.net.wifi.IWifiManager.getScanResults	protect.eye

Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Queries information about active data network 1 TTPs 1 IoCs

discovery

System Network Connections Discovery

T1421

description	ioc	Process
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	protect.eye

Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs

Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

discovery

System Network Connections Discovery

T1421

description	ioc	Process
Framework service call	android.net.wifi.IWifiManager.getConnectionInfo	protect.eye

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	protect.eye

Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Requests cell location 1 TTPs 1 IoCs

Uses Android APIs to to get current cell information.

collection discovery

Location Tracking

T1430

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getAllCellInfo	protect.eye

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	protect.eye

protect.eye
1⤵
- Checks if the Android device is rooted.
- Loads dropped Dex/Jar
- Queries information about running processes on the device
- Queries information about the current nearby Wi-Fi networks
- Queries information about active data network
- Queries information about the current Wi-Fi connection
- Queries the mobile country code (MCC)
- Requests cell location
- Uses Crypto APIs (Might try to encrypt user data)
PID:4247
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/protect.eye/cache/db_fm.jar --output-vdex-fd=47 --oat-fd=48 --oat-location=/data/user/0/protect.eye/cache/oat/x86/db_fm.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4275

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Credential Access

Discovery

Location Tracking

T1430

Process Discovery

T1424

System Information Discovery

T1426

System Network Configuration Discovery

T1422

System Network Connections Discovery

T1421

Lateral Movement

Collection

Location Tracking

T1430

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/protect.eye/cache/db_fm.jar

Filesize
38KB

MD5
351c4cec8c49d9b29f0252aeab3e812c

SHA1
fe8f830a7e03a3db258ce3d2ec153d22fb55eba0

SHA256
ea91becfae9eb4568707d6f7ec120853d94e9c31ceff531f62414e84e4b99b83

SHA512
6965fc1d97f057c7a0a9621ab32e9eb1ec664f2d864ebca3d09ec0023eb2a7273ae216468bc221d0b736efceead527aadb3cbeeadaa4618f18c5f7c7b6d44267

Download Submit
/data/data/protect.eye/databases/imagedb

Filesize
40KB

MD5
ced021e292381755a0cc51fb66324377

SHA1
76556f77732055651b2d611fff8ae48932dda145

SHA256
fdc0a9617b78df6b4e1d73871a483510df319320e0f9fd08f8697fde13d14557

SHA512
8581387a560b3d4bcf418d4f2e72c346ca471a9503227175cef6a81d4e15f5b162533bf04a534e1202d5d5c1507b48901bb1a4f11065edbb96a0d3941d1204fd

Download Submit
/data/data/protect.eye/databases/imagedb-journal

Filesize
512B

MD5
99692b9429493192cfc311c524125167

SHA1
84409267d660dae25da40d0ad46dbebb45cafeff

SHA256
8d67b9e9853e2c39fb13ea744d10d8692c61cd773ae65befe8dad886dcdcc304

SHA512
84f14652f11e9fce68d574b0926b74713d609f47141f8bc9e4854d1388ef40cd837df6c640e08d5e00c0c23b10beaa5f7081715b4f4922da71489d05447eb875

Download Submit
/data/data/protect.eye/databases/imagedb-wal

Filesize
52KB

MD5
248026f7fce2169c8a95410aa306cb0a

SHA1
7414ce195c195a50d0904800bce173c92a86abb7

SHA256
8b7f4c6e1204a123c0ea299bca3283e087989940390d0cb0d2660f99e47a69e7

SHA512
3d821413d4765e6af8225c66b1ecf8528aa95ad39f793272fddd24ee3a9490cef18c6afd4fc988eb03febaf0056c6c0495a86da8f5d5810b26c0bafaa1ca3cd2

Download Submit
/data/data/protect.eye/databases/tray.db

Filesize
4KB

MD5
f2b4b0190b9f384ca885f0c8c9b14700

SHA1
934ff2646757b5b6e7f20f6a0aa76c7f995d9361

SHA256
0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

SHA512
ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

Download Submit
/data/data/protect.eye/databases/tray.db-journal

Filesize
512B

MD5
1eae966c3ce29e0b247e92e3803e1a84

SHA1
d5575f84cefb1ed11879469b437091a99c0929e1

SHA256
cc6dd26b487f58aa9b8f6ed4808d0bbdec7b54353a2e8a45d125b8b2394916b9

SHA512
0759bb4afd0a3a46d699b601d01e342140c41b97039c5eb2b5f6e72ce879f5cf47620c781f8cad721edf0bbd78a11bde8e4eaff1d829194e902a6913a5d245a7

Download Submit
/data/data/protect.eye/databases/tray.db-shm

Filesize
32KB

MD5
bb7df04e1b0a2570657527a7e108ae23

SHA1
5188431849b4613152fd7bdba6a3ff0a4fd6424b

SHA256
c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

SHA512
768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Download Submit
/data/data/protect.eye/databases/tray.db-wal

Filesize
72KB

MD5
22db1f27edc385adf4a795fe52af3c46

SHA1
1d2aa13df6dd6e8dd5025db535dfece7d2582faf

SHA256
2d331a852078bbbac04277fa8c436af24de34254aa3b098f56375aa1fbc69922

SHA512
72a8222d04295ad6daebb78432086986122c58ad205a25dedec57022a3ba45cf310ac581202b36eba9608ab8f8167acf5d0f55c16560fd6523490b6cbcf4bb15

Download Submit
/data/user/0/protect.eye/cache/db_fm.jar

Filesize
84KB

MD5
59ef2c46d3ceab40d69d2d85e88ccc8f

SHA1
4f5bf095d3f6c3a669f25d50351ec5af1eb53726

SHA256
7a5359eecc5da7a83859fbc1a3b7eeeb36a8062be1a5ea2cced752f76b2a81c0

SHA512
29a0bf8ad0da12a83756ed31fd6b3edf8a6d818c655f5adcbf2559fb025cdb418f8f7a5f2c921ad27f1e8ece09c8b826cc325a9b65e71a16407aab933bb671c8

Download Submit
/data/user/0/protect.eye/cache/db_fm.jar

Filesize
84KB

MD5
cc878e8cfc87dd26622e74e587e74dc6

SHA1
abdeb095447c3d4101e6e7d6b5bf2bc375d840e6

SHA256
caed15bdfa65eededcb5cde6097305716aaf22e8cc839de1bdec497533274638

SHA512
0faacd4916559332efa0f41101d3a5b21524db03af669c048fcce6f66fe4ab9d69fb51bf276fbd052050a2841fd19eb938a2316f172a482a214cec0bdc3e593c

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads