36a990225799947f58ed6e72c3baeabe5b55942726ea9543b4deeb9adcd33fc6

Analysis

max time kernel
135s
max time network
180s
platform
android_x86
resource
android-x86-arm-20240624-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20240624-enlocale:en-usos:android-9-x86system
submitted
24/08/2024, 17:12

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

bf131fe8e95bf133c521d13047b61b08_JaffaCakes118.apk
Size

24.4MB
MD5

bf131fe8e95bf133c521d13047b61b08
SHA1

d68308638f678e9ec01715e96c4d47f3b311d657
SHA256

36a990225799947f58ed6e72c3baeabe5b55942726ea9543b4deeb9adcd33fc6
SHA512

90ac76af1805cb801c3584fc4098b1f8caab3b5ce3686316de6d9c43100d3b8c846d53399f0972ff7c7161339dec721b97339b3694e1eead9a9bd655f112b3e4
SSDEEP

786432:A9HCWObG5N6uAnbljEkVfbWb7P3ANbPUVbnJ:A9HCWObWN6uANEQfMb3ANbyDJ

Score

8^/10

collection discovery evasion impact persistence

Malware Config

Signatures

Checks if the Android device is rooted. 1 TTPs 2 IoCs

evasion

System Information Discovery

T1426

ioc	Process
/system/app/Superuser.apk	com.nowcasting.activity:pushservice
/system/app/Superuser.apk	com.nowcasting.activity

Queries information about running processes on the device 1 TTPs 2 IoCs

Application may abuse the framework's APIs to collect information about running processes on the device.

discovery

Process Discovery

T1424

description	ioc	Process
Framework service call	android.app.IActivityManager.getRunningAppProcesses	com.nowcasting.activity
Framework service call	android.app.IActivityManager.getRunningAppProcesses	com.nowcasting.activity:pushservice

Requests cell location 2 TTPs 1 IoCs

Uses Android APIs to to get current cell location.

collection discovery evasion

Location Tracking

T1430

Geofencing

T1627.001

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getCellLocation	com.nowcasting.activity

Queries information about active data network 1 TTPs 2 IoCs

discovery

System Network Connections Discovery

T1421

description	ioc	Process
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.nowcasting.activity
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.nowcasting.activity:pushservice

Queries information about the current Wi-Fi connection 1 TTPs 2 IoCs

Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

discovery

System Network Connections Discovery

T1421

description	ioc	Process
Framework service call	android.net.wifi.IWifiManager.getConnectionInfo	com.nowcasting.activity
Framework service call	android.net.wifi.IWifiManager.getConnectionInfo	com.nowcasting.activity:pushservice

Listens for changes in the sensor environment (might be used to detect emulation) 1 TTPs 1 IoCs

evasion

User Evasion

T1628.002

description	ioc	Process
Framework API call	android.hardware.SensorManager.registerListener	com.nowcasting.activity

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 2 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	com.nowcasting.activity
Framework service call	android.app.IActivityManager.registerReceiver	com.nowcasting.activity:pushservice

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 2 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.nowcasting.activity
Framework API call	javax.crypto.Cipher.doFinal	com.nowcasting.activity:pushservice

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	com.nowcasting.activity

Checks memory information 2 TTPs 2 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	com.nowcasting.activity
File opened for read	/proc/meminfo	com.nowcasting.activity:pushservice

com.nowcasting.activity
1⤵
- Checks if the Android device is rooted.
- Queries information about running processes on the device
- Requests cell location
- Queries information about active data network
- Queries information about the current Wi-Fi connection
- Listens for changes in the sensor environment (might be used to detect emulation)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:4237
- /system/bin/sh -c getprop
  2⤵
  PID:4330
- getprop
  2⤵
  PID:4330

com.nowcasting.activity:pushservice
1⤵
- Checks if the Android device is rooted.
- Queries information about running processes on the device
- Queries information about active data network
- Queries information about the current Wi-Fi connection
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
- Checks memory information
PID:4391
- /system/bin/sh -c getprop
  2⤵
  PID:4462
- getprop
  2⤵
  PID:4462

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Privilege Escalation

Defense Evasion

Execution Guardrails

T1627

Geofencing

T1627.001

Hide Artifacts

T1628

User Evasion

T1628.002

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Discovery

Location Tracking

T1430

Process Discovery

T1424

System Information Discovery

T1426

System Network Connections Discovery

T1421

Lateral Movement

Collection

Location Tracking

T1430

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.nowcasting.activity/app_crashrecord/1002

Filesize
233B

MD5
cdf84d898772ff026788a7acb88e7d20

SHA1
5808c59e4085d8c2954ed163c1b6213eb3f00b70

SHA256
1ce506ec76e423d0de4d01a1175cf539d522627fd28681b966604b08ce7abc04

SHA512
90021366ab51606697a68eba8c6eb00c065f6abc5134babc6788c24ba4f5bf408b311ed96a92e57cae3bf67c3653c6abf944cba340d5d2766c351b2d5fea5267

Download Submit
/data/data/com.nowcasting.activity/app_crashrecord/1004

Filesize
426B

MD5
ece7330b9178ad838f79fcce85b94560

SHA1
df9368e799d3f50ab57b2e31e041647aafea8fe6

SHA256
40c45d3e0e2ccc2a1c5bfc0474935bfae24bd4a9212446f1bb4be2c70cf9c247

SHA512
5b1d719488c695cc306562367b323d887c8c3f6b10fb08562470b035cc93d952a90b7a3baf0f7ee6b107c158902eab4e8be59cc9d9e6e090b9b200d07ea74653

Download Submit
/data/data/com.nowcasting.activity/app_crashrecord/1004

Filesize
58B

MD5
0d210bfb2a0e1f1b4c082a6a0f79de07

SHA1
bb8ed9e364db79d1d9f2fcde3f15091893222faa

SHA256
988722c23d78a46021d0e7ca9deee7aa8bb83288269174ffacb7316f381cca1d

SHA512
536e9867b0df29b15b789f8949be6ab37fcdeccb9d39ded981da7dc2052c9533d0ec0e6f9a5444132977605d372e1463d91bdde41b528ff2ca3f65ab152325c1

Download Submit
/data/data/com.nowcasting.activity/databases/bugly_db_-journal

Filesize
512B

MD5
cc5de9c62078da1c3cbd8f82da67af80

SHA1
d836ce33505597b23b4ae2f4158808ed61fa25e7

SHA256
f42166f1d1787fa8a98e8829577a7dc8aba4892b938e2c23dad4adf2b6b1d2d0

SHA512
09b62d615464489ce2e7158a5828b4d8abe9484ae7e8bd58651b785424b51018077c30e26decbe33d5476a4672dda4ca43465a4beca12c32bf844cc8b6351f69

Download Submit
/data/data/com.nowcasting.activity/databases/bugly_db_-shm

Filesize
28KB

MD5
7a5f0ae168fb06f5b39199bbc0e4c0d8

SHA1
8878792eb1c79ca9ca955566821e3b1aad907914

SHA256
89546ea3b951a2fea2d8a80059811487c6657ac08e56d83eaa6aa70801a6f14e

SHA512
8a4e67c9f60bc72bbd64e65adec95cd28e35139d341f10be18077fbd16348aa139feb2544aa022e99211bb334f901ccaa753a62fd6174199306ad3b07f768c87

Download Submit
/data/data/com.nowcasting.activity/databases/bugly_db_-wal

Filesize
72KB

MD5
ca68d62c7b9bd4a474f5a6f42b800490

SHA1
838350471799d2b8a3d6774685d2fbe1fd9ea29d

SHA256
ff9ac7156711249889f3e4f7c7ae6606b9e20e090ccd709a62e063abedbc8455

SHA512
09187df149f714f3868dcc79595042cd1632a7826923cdc3ef33a59d024803a3e5951a416fbbfa378500d146c04be5c603d5270b9e33047945734040bb49b963

Download Submit
/data/data/com.nowcasting.activity/databases/bugly_db_-wal

Filesize
185KB

MD5
ab8d58ae543c9c62bad542b8f5317c34

SHA1
3af067c8660d6755a3fd84845309f211a7e97fee

SHA256
6d6674e7a0d75f28e3586dc5d436a1110c44fe08490e4b3bcf226d0386684cfc

SHA512
8b7947861564aaaf8f620b2ccda1afffe03c04df8c2733743536cf7ec1c2f037ac9fb34c386cd192e91d7897ccbf20e22daa195c22207667469e64e7487c3a08

Download Submit
/data/data/com.nowcasting.activity/databases/caiyun.db

Filesize
4KB

MD5
f2b4b0190b9f384ca885f0c8c9b14700

SHA1
934ff2646757b5b6e7f20f6a0aa76c7f995d9361

SHA256
0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

SHA512
ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

Download Submit
/data/data/com.nowcasting.activity/databases/caiyun.db-journal

Filesize
512B

MD5
1c47bb6707766c52a9f667212adeba55

SHA1
f6d2fba4ad9798e6bb3467ddac42b6c04bdd7d26

SHA256
4cad60789987e38a62c4bbc02c6415569d8dd0d04d0da54bc5223083448d3326

SHA512
2ef9d57674880913a95df017e4a264cb59c1ae34aa75c756bfec0694e7c05133dc37ed3fc40ca0f95256f95eb2eda6accb5371bc46727630ac5be55c4b572753

Download Submit
/data/data/com.nowcasting.activity/databases/caiyun.db-shm

Filesize
28KB

MD5
8e4ea1a06ab85648c96e916a96feed05

SHA1
49b9709bff3fe52fbc342831cbdef8ec1430b19a

SHA256
8212c3cdf7f354421a757f3c70a0da41676758196a1cd8cd8718630878745f05

SHA512
19151f22e1c219ae5a5114290a465e8b7a0fbb4ab1cec134b9a386d2c953d1ae3cb46955f1c6af5d2aae5e2afa75902094d3b7000a26d5df5b23939be0815c86

Download Submit
/data/data/com.nowcasting.activity/databases/caiyun.db-wal

Filesize
216KB

MD5
b8c6695074fb906ec7b197409bdff783

SHA1
2e0aaf1dfd048fd5bfdcd015ccd80d99f8485ba6

SHA256
47398242bed415e296d3c710841931d433bbd3f2130ca281326d871671705924

SHA512
2baea373274b511173849502662e120532e733fce01fd4dd93fa0389c16054448134c7069f9c4ab48778ff7428e47b4b16c0e0a30e179ccaa834ce07c1953dcb

Download Submit
/data/data/com.nowcasting.activity/files/mipush_country_code

Filesize
2B

MD5
7516fd43adaa5e0b8a65a672c39845d2

SHA1
aa3093554472fd113135bed5b63e12f84c2e9fe8

SHA256
9b202ecbc6d45c6d8901d989a918878397a3eb9d00e8f48022fc051b19d21a1d

SHA512
8a76767d863acf40ab29d713e6979f1e8568449a14227f8ace9f4b67eebaef85b25ae8082738ad3704bc483a5a94ccfc24f659d1492e0215c77513c0ac04a117

Download Submit
/data/data/com.nowcasting.activity/files/mipush_region

Filesize
6B

MD5
4cc6684df7b4a92b1dec6fce3264fac8

SHA1
5f1184f7df96c5928092ad9c6b550699bf887826

SHA256
a258b30f88c30650e73073d5bdde5cfcc6987100ae62d37789e5c46a0d85b7c6

SHA512
116c901f9af5d8ec7cdd5b8721ad28ef3f5a0b3776d3266a1575e23856ee87cd3c370b22d4f329b4471fe9c6fec485d257377a55c4d95b609b51d35e469ec029

Download Submit
/storage/emulated/0/.mn_410185822

Filesize
130B

MD5
f321656a466363e5192773d92000e401

SHA1
3a6abe9be1a6f4deffaa98fd27f3449c888d3c4a

SHA256
53efd5207de6ed80429ec3c7865eed2b64023a0ed66e0fd29e7f45b708a1751c

SHA512
fcf6884bf5ce8d10b3a3dd461fad96cb6cf0bc4129e01788de112551230fbc4d8ea6961b04411d1c7816e248437c4560277069d9c544e5450612abc0e2c0171d

Download Submit
/storage/emulated/0/.mn_410185822

Filesize
146B

MD5
8eae0215eef27ee35e13765382c9169f

SHA1
7e1e60bd77df4009a02d03e54bd339958551f557

SHA256
1fdeb393f21ffbcaad08f6ee498dd72e9ef516a409b95e2f8938a9a0da6f13d4

SHA512
ee3262cb9ca921a2c2ccd7b6a4d459631bd923a46d3ac2d5a75b42c2565046dc37605ba477b937fcea3ad21a4a037ce75214a4c795d85c7d41e6dbb709a8e002

Download Submit
/storage/emulated/0/Android/data/.mn_410185822

Filesize
245B

MD5
cb4baf529e6e92492747a8c996ae3ba0

SHA1
dfc881cae24b1da6a67cb6ca7d12efb645e3b0ed

SHA256
99f32f84108ca6a37237d1e1e715c5577c56a734512a4b148fcaf08242330d9c

SHA512
b6162a050d39458eb6e0540ad497a237b31729e7f74a50f17fda1dab52ae41e8cffa7b980fbd4f77dc9ff04ed7cc97954bb1b83cf8479ec6cfbb754e68c70d3b

Download Submit
/storage/emulated/0/Android/data/.mn_410185822

Filesize
245B

MD5
0138076ea8c7c3216fd2ea9779f11a41

SHA1
2f5980d1b498eae9d8d984be47f0a843929f5949

SHA256
68e0329d4be7f004cb8dfe4ff66ccf6886893d6b5842b301c9293de56ac8c4ab

SHA512
75d909140b58bd7175ede6e1d0a3adbf2e04b9bd9ccf4c9661061d908cbf1a17e7847271c771fbd1da58873e8117024ff4ac003036144efc6bfda150c732a314

Download Submit
/storage/emulated/0/Mob/.mcw

Filesize
80B

MD5
0514f502ef2c87ee159a6f56bfd561c1

SHA1
1d3aa063aabdcc42c178a925057d1758f1689e45

SHA256
ce4b69be5de68e9bbbbe9d9df6842b8dfa94c1db298be170e646b474fe3d51d2

SHA512
3ee0b1388c4fa45ae94f5e0186910a9f6f165fd46feba1543c970f86c34c43f7dc47f98ff284c2e569f995d8417245ac17aeb2c60b43cf346c429b353cec3266

Download Submit
/storage/emulated/0/Mob/comm/.di

Filesize
57B

MD5
70a42cba408700f9a6c01c7941a8829e

SHA1
eab01cc2c0671538795fb0b1146017dc099d0984

SHA256
499576707ce2623293166979e59c832be5b8636c64ad39aa63ebcf961910c35f

SHA512
8900d4dc8eed0430babbacb72942401bd22ef7fe5430cad90d3ce0c2c53010220d666aa0e2eb1026f3ec81d574c7fa12585b49222a5f15b01637f6ba134fe70c

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads