Analysis
max time kernel: 179s
max time network: 166s
platform: android_x86
resource: android-x86-arm-20240624-en
resource tags: android, arch:arm, arch:x86, image:android-x86-arm-20240624-en, locale:en-us, os:android-9-x86, system
submitted: 22-08-2024 21:38
Static task: static1
Behavioral task: behavioral1
  Sample: b93e21c464b22dc3bebc7a962313a4ce_JaffaCakes118.apk
  Resource: android-x86-arm-20240624-en
Behavioral task: behavioral2
  Sample: b93e21c464b22dc3bebc7a962313a4ce_JaffaCakes118.apk
  Resource: android-x64-20240624-en
Behavioral task: behavioral3
  Sample: b93e21c464b22dc3bebc7a962313a4ce_JaffaCakes118.apk
  Resource: android-x64-arm64-20240624-en
General
Target: b93e21c464b22dc3bebc7a962313a4ce_JaffaCakes118.apk
Size: 608KB
MD5: b93e21c464b22dc3bebc7a962313a4ce
SHA1: 61171dd38495ada0736b1e86c22d811e448f669e
SHA256: 5bc74f131a4261a944e9677894828a69902a76dbdd71849508a07014c5ed5440
SHA512: db55243fc44750f76a436be9dbb4b147ec8cb793aea105f42e1cbdddb03137beebf7f49fcaf815770f57872574dae11014eaa8e54a837125ea2834253900e49b
SSDEEP: 12288:K2kUcUwUWJNRWiotOW2GtJzHc53o1ynd+mzG33o1ynd+mzGw:hkB7RRWiotOHWlcO16KI16Kw
Malware Config
Signatures
Removes its main activity from the application launcher
  pid 4210, process com.qbedura.mauzrpl
Loads dropped Dex/Jar (TTPs: 1, IoCs: 2)
Runs executable file dropped to the device during analysis.
  ioc: /data/user/0/com.qbedura.mauzrpl/app_files/kcmlvxrybf.jar
    pid 4262, process /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.qbedura.mauzrpl/app_files/kcmlvxrybf.jar --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.qbedura.mauzrpl/app_files/oat/x86/kcmlvxrybf.odex --compiler-filter=quicken --class-loader-context=&
  ioc: /data/user/0/com.qbedura.mauzrpl/app_files/kcmlvxrybf.jar
    pid 4210, process com.qbedura.mauzrpl
Makes use of the framework's Accessibility service (TTPs: 4, IoCs: 2)
Retrieves information displayed on the phone screen using AccessibilityService.
  Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId, process com.qbedura.mauzrpl
  Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText, process com.qbedura.mauzrpl
Queries the phone number (MSISDN for GSM devices) (TTPs: 1)
Acquires the wake lock (IoCs: 1)
  Framework service call android.os.IPowerManager.acquireWakeLock, process com.qbedura.mauzrpl
Makes use of the framework's foreground persistence service (TTPs: 1, IoCs: 1)
Application may abuse the framework's foreground service to continue running in the foreground.
  Framework service call android.app.IActivityManager.setServiceForeground, process com.qbedura.mauzrpl
Queries information about active data network (TTPs: 1, IoCs: 1)
  Framework service call android.net.IConnectivityManager.getActiveNetworkInfo, process com.qbedura.mauzrpl
Queries the mobile country code (MCC) (TTPs: 1, IoCs: 1)
  Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone, process com.qbedura.mauzrpl
Reads information about phone network operator (TTPs: 1)
Registers a broadcast receiver at runtime (usually for listening for system events) (TTPs: 1, IoCs: 1)
  Framework service call android.app.IActivityManager.registerReceiver, process com.qbedura.mauzrpl
Checks CPU information (TTPs: 2, IoCs: 1)
  File opened for read /proc/cpuinfo, process com.qbedura.mauzrpl
Checks memory information (TTPs: 2, IoCs: 1)
  File opened for read /proc/meminfo, process com.qbedura.mauzrpl
Processes
com.qbedura.mauzrpl (PID 4210)
  - Removes its main activity from the application launcher
  - Loads dropped Dex/Jar
  - Makes use of the framework's Accessibility service
  - Acquires the wake lock
  - Makes use of the framework's foreground persistence service
  - Queries information about active data network
  - Queries the mobile country code (MCC)
  - Registers a broadcast receiver at runtime (usually for listening for system events)
  - Checks CPU information
  - Checks memory information
  /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.qbedura.mauzrpl/app_files/kcmlvxrybf.jar --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.qbedura.mauzrpl/app_files/oat/x86/kcmlvxrybf.odex --compiler-filter=quicken --class-loader-context=& (PID 4262, child of 4210)
    - Loads dropped Dex/Jar
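The "Loads dropped Dex/Jar" signature and the process tree both record the same event: the app (PID 4210) spawns dex2oat (PID 4262) to compile a .jar it wrote into its own private directory, i.e. code that was not in the submitted APK. The script below is an added example, not part of the sandbox report or of the sample; it parses that captured dex2oat command line, separates the repeatable --key=value options from the --runtime-arg pairs, and emits a finding for every --dex-file that lives under an app's private data directory. The helper names, the APP_DATA_RE heuristic and the finding layout are the author's assumptions, not sandbox conventions; the command line itself is copied from the process tree above.

```python
"""Added example: flag runtime-loaded code from a captured dex2oat command line.
Not part of the sandbox report or the sample. Helper names, APP_DATA_RE and
the finding layout are the author's assumptions."""
import json
import re
import shlex
from dataclasses import dataclass
from typing import Dict, List, Optional

# Copied from the process tree above (PID 4262, spawned by PID 4210).
DEX2OAT_CMDLINE = (
    "/system/bin/dex2oat --instruction-set=x86 "
    "--instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt "
    "--runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate "
    "--boot-image=/system/framework/boot.art "
    "--runtime-arg -Xms64m --runtime-arg -Xmx512m "
    "--instruction-set-variant=x86 --instruction-set-features=default "
    "--inline-max-code-units=0 --compact-dex-level=none "
    "--dex-file=/data/user/0/com.qbedura.mauzrpl/app_files/kcmlvxrybf.jar "
    "--output-vdex-fd=42 --oat-fd=43 "
    "--oat-location=/data/user/0/com.qbedura.mauzrpl/app_files/oat/x86/kcmlvxrybf.odex "
    "--compiler-filter=quicken --class-loader-context=&"
)

# Per-app private storage on Android: /data/user/<id>/<pkg>/... or /data/data/<pkg>/...
# (assumed heuristic; it does not cover adopted/external storage).
APP_DATA_RE = re.compile(r"^/data/(?:user/\d+|data)/([A-Za-z0-9_.]+)/(.+)$")
CODE_ARCHIVE_EXTS = (".jar", ".dex", ".apk", ".zip")


@dataclass
class Dex2oatInvocation:
    binary: str
    options: Dict[str, List[str]]  # each --key may repeat, so values are kept in order
    runtime_args: List[str]        # values that followed a --runtime-arg flag


def parse_dex2oat(cmdline: str) -> Dex2oatInvocation:
    """Split a dex2oat invocation into --key=value options and --runtime-arg values."""
    argv = shlex.split(cmdline)
    options: Dict[str, List[str]] = {}
    runtime_args: List[str] = []
    i = 1
    while i < len(argv):
        tok = argv[i]
        if tok == "--runtime-arg" and i + 1 < len(argv):
            runtime_args.append(argv[i + 1])  # the runtime flag is the next token
            i += 2
            continue
        key, has_value, value = tok.partition("=")
        options.setdefault(key.lstrip("-"), []).append(value if has_value else "")
        i += 1
    return Dex2oatInvocation(argv[0], options, runtime_args)


def classify_dex_file(path: str) -> Optional[Dict[str, object]]:
    """Owning package and relative path when `path` sits in an app's private data
    directory; None for system/boot code such as /system/framework/boot.art."""
    m = APP_DATA_RE.match(path)
    if m is None:
        return None
    package, relative = m.groups()
    return {
        "package": package,
        "relative_path": relative,
        "is_code_archive": path.lower().endswith(CODE_ARCHIVE_EXTS),
    }


def find_dropped_code(cmdline: str, parent_process: str) -> List[Dict[str, object]]:
    """One finding per --dex-file compiled out of an app's private storage.
    `parent_process` is the process that spawned dex2oat (here the app itself),
    so the finding shows whether the app is compiling its own dropped file."""
    inv = parse_dex2oat(cmdline)
    findings: List[Dict[str, object]] = []
    for dex in inv.options.get("dex-file", []):
        info = classify_dex_file(dex)
        if info is None:
            continue  # boot image / system dex, not runtime-dropped code
        findings.append({
            "dex_file": dex,
            "package": info["package"],
            "is_code_archive": info["is_code_archive"],
            "owner_matches_parent": info["package"] == parent_process,
            "oat_location": inv.options.get("oat-location", [""])[0],
            "compiler_filter": inv.options.get("compiler-filter", [""])[0],
            "class_loader_context": inv.options.get("class-loader-context", [""])[0],
        })
    return findings


if __name__ == "__main__":
    print(json.dumps(find_dropped_code(DEX2OAT_CMDLINE, "com.qbedura.mauzrpl"), indent=2))
```

Run against the report's command line this yields one finding for /data/user/0/com.qbedura.mauzrpl/app_files/kcmlvxrybf.jar, owned by the same package that spawned dex2oat; the same parser applies to any dex2oat line from a process tree, and a --dex-file under /system/framework produces no finding.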
Network
MITRE ATT&CK Mobile v15
Persistence
  Event Triggered Execution (1)
    Broadcast Receivers (1)
  Foreground Persistence (1)
Defense Evasion
  Download New Code at Runtime (1)
  Foreground Persistence (1)
  Hide Artifacts (1)
    Suppress Application Icon (1)
  Input Injection (1)
  Virtualization/Sandbox Evasion (2)
    System Checks (2)
Discovery
  System Information Discovery (2)
  System Network Configuration Discovery (3)
  System Network Connections Discovery (1)
Downloads
- Filesize: 121KB
  MD5: d3245658a179de61d29f6aeaed36760e
  SHA1: 6ed4c5fed04dfb5e47c1e6710f5302fd467da5e9
  SHA256: dc13be485166f54270bee1efdfc487c8e6edf101729fd6ec78acd9180dba0625
  SHA512: 8fa9e0a7570f24bd59190e6a5eceeeeefc0292c1d73cb56795e445a6e694403bd14c6255f80fac7115310655b175877d6f52316b8687db9d9c13d59001d7ad6e
- Filesize: 196B
  MD5: 73448b863293f6fd7fae9590b35ea489
  SHA1: 2b793fb403bbc46b8217d49a63f671f9fe0da95f
  SHA256: cd5184834d3015a12298208046da6b1379d06bb96f8956805dff77521b7cb290
  SHA512: f7d62ee67e4efc5cbcb2867df7615efb47d385e6e80b0db01bbe7c49a08ec15bca807ffb13e82d3ee4bfcf92bea87fdf4f41ddf053c7df872fdba08e4d1b911d
- Filesize: 20KB
  MD5: c83fd776e7e79bc58433fff39f9fb442
  SHA1: 1acf22e5967318c96ed01667aba257b0dd610f94
  SHA256: 147ef6dfe6fcd330946f2462d826e4512ddace2169b12e89372642531183fe42
  SHA512: 61d5a6667a23d1294889df65b42edef777229fca9fcb3dc241d4cbef13170ee54321a6cb0200356b2e518cda2facb50a62f797e2715a84ba90b8f561534b8102
- Filesize: 512B
  MD5: 63b36fc0dada9a9dc53815baa0638053
  SHA1: aa3c30ed5302ecb0d7821cc7e07e494cd9348cdc
  SHA256: 1ee520176c6803d7fa74cc3423a21e2b996d3c7dc94c4f7c6ead374d2e98abb3
  SHA512: 9570c50f7089ffcd4d00eed0096ed183842ded04c201f2d65b1f3e053c3590e82554a9a361797b7c86e54d5efb565efb4db10bda72ddb107377e4f82269add44
- Filesize: 32KB
  MD5: bb7df04e1b0a2570657527a7e108ae23
  SHA1: 5188431849b4613152fd7bdba6a3ff0a4fd6424b
  SHA256: c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
  SHA512: 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012
- Filesize: 32KB
  MD5: e55d2a83e13271c97e66ca2517a7621a
  SHA1: 7627d168a5b8cf42f8c12cfbbdfe231bf22b3562
  SHA256: 159b0ecfc3044e02de26400adffdb3d04fd4ea59b6eadc88143b47fa6c0b2e0a
  SHA512: 3676b8139e0a38c9856e1f81bef89c71486d67c0f96b1e6043b359b960d0c700ace8c8479c32ecde806764f42feb330611d66d93aaac31e61fd163b8dc64fc22
- Filesize: 246KB
  MD5: 3a1483e9f095b8af8dcfb74bd5a62b72
  SHA1: 990e45352212405b224040801a97db82b10f9779
  SHA256: d4d3addc2075ce58341d3ad2f9591a690953e7fd7882737998ba9e6113d24ff9
  SHA512: 3f183a25f2ee38307eb7f8ad08eb021dc4fcf5eef0689d4e923f63a4ad4363e0fb7b1d771d5225f6d0b2b7d7a633999dc9fbf6dde7e9b686c02d9afbb8053271
- Filesize: 246KB
  MD5: 30bb3b067ba15933c23a1c2b5b6426ae
  SHA1: 891c4b1c6767121c64708ec94c015f6ac983b405
  SHA256: 5abac66e945cd59de13823849c6dd5ef51278047ae533c9a4e35152283fdf3e1
  SHA512: d5866c4916777c504e661452d0fef76cc6e0a2c1fa198ec0e206b33778d5b68835466aad2085edef67208af4fe694d17c3ac008f2b3cd585ffd0d14eab9bac3c