7aa4eda770abd36495dd407cbcab402abc8e18f3a32bb5e35f4a395c9c4c46c0

Analysis

max time kernel
24s
max time network
150s
platform
android_x86
resource
android-x86-arm-20240624-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20240624-enlocale:en-usos:android-9-x86system
submitted
13/09/2024, 18:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dea19b2f2315cff29fd65e91d6c76055_JaffaCakes118.apk
Size

29.0MB
MD5

dea19b2f2315cff29fd65e91d6c76055
SHA1

71bdb4456e053fcc92142ea9963e15c88450c91e
SHA256

7aa4eda770abd36495dd407cbcab402abc8e18f3a32bb5e35f4a395c9c4c46c0
SHA512

33e0a101ed1587fa8464314d1e1050927ccf5f7a30576aeeb37a5f9bb5ed60a8e08c16544d5d8f144f7f9f78fdee94013232651db52f60d769701d22753979b0
SSDEEP

786432:3/L/ndghA9QtAQjr1xAYE+Pl8mnpROy3FED:3D/ndSA+RX1xW+N8mpRt+D

Score

7^/10

discovery evasion impact persistence

Malware Config

Signatures

Loads dropped Dex/Jar 1 TTPs 16 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/data/txunda.com.decorate/.jiagu/classes.dex	4244	txunda.com.decorate
/data/data/txunda.com.decorate/.jiagu/classes.dex!classes2.dex	4244	txunda.com.decorate
/data/data/txunda.com.decorate/.jiagu/classes.dex!classes3.dex	4244	txunda.com.decorate
/data/data/txunda.com.decorate/.jiagu/tmp.dex	4244	txunda.com.decorate
/data/data/txunda.com.decorate/.jiagu/tmp.dex	4276	/system/bin/dex2oat --debuggable --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --debuggable --generate-mini-debug-info --dex-file=/data/data/txunda.com.decorate/.jiagu/tmp.dex --output-vdex-fd=43 --oat-fd=45 --oat-location=/data/data/txunda.com.decorate/.jiagu/oat/x86/tmp.odex --compiler-filter=quicken --class-loader-context=&
/data/data/txunda.com.decorate/.jiagu/tmp.dex	4244	txunda.com.decorate
/data/data/txunda.com.decorate/.jiagu/classes.dex	4313	txunda.com.decorate:mult
/data/data/txunda.com.decorate/.jiagu/classes.dex!classes2.dex	4313	txunda.com.decorate:mult
/data/data/txunda.com.decorate/.jiagu/classes.dex!classes3.dex	4313	txunda.com.decorate:mult
/data/data/txunda.com.decorate/.jiagu/tmp.dex	4313	txunda.com.decorate:mult
/data/data/txunda.com.decorate/.jiagu/tmp.dex	4313	txunda.com.decorate:mult
/data/data/txunda.com.decorate/.jiagu/classes.dex	4500	txunda.com.decorate:mult
/data/data/txunda.com.decorate/.jiagu/classes.dex!classes2.dex	4500	txunda.com.decorate:mult
/data/data/txunda.com.decorate/.jiagu/classes.dex!classes3.dex	4500	txunda.com.decorate:mult
/data/data/txunda.com.decorate/.jiagu/tmp.dex	4500	txunda.com.decorate:mult
/data/data/txunda.com.decorate/.jiagu/tmp.dex	4500	txunda.com.decorate:mult

Queries information about running processes on the device 1 TTPs 3 IoCs

Application may abuse the framework's APIs to collect information about running processes on the device.

discovery

Process Discovery

T1424

description	ioc	Process
Framework service call	android.app.IActivityManager.getRunningAppProcesses	txunda.com.decorate
Framework service call	android.app.IActivityManager.getRunningAppProcesses	txunda.com.decorate:mult
Framework service call	android.app.IActivityManager.getRunningAppProcesses	txunda.com.decorate:mult

Queries information about active data network 1 TTPs 3 IoCs

discovery

System Network Connections Discovery

T1421

description	ioc	Process
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	txunda.com.decorate
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	txunda.com.decorate:mult
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	txunda.com.decorate:mult

Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs

Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

discovery

System Network Connections Discovery

T1421

description	ioc	Process
Framework service call	android.net.wifi.IWifiManager.getConnectionInfo	txunda.com.decorate

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 3 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	txunda.com.decorate
Framework service call	android.app.IActivityManager.registerReceiver	txunda.com.decorate:mult
Framework service call	android.app.IActivityManager.registerReceiver	txunda.com.decorate:mult

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 3 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	txunda.com.decorate
Framework API call	javax.crypto.Cipher.doFinal	txunda.com.decorate:mult
Framework API call	javax.crypto.Cipher.doFinal	txunda.com.decorate:mult

txunda.com.decorate
1⤵
- Loads dropped Dex/Jar
- Queries information about running processes on the device
- Queries information about active data network
- Queries information about the current Wi-Fi connection
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
PID:4244
- /system/bin/dex2oat --debuggable --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --debuggable --generate-mini-debug-info --dex-file=/data/data/txunda.com.decorate/.jiagu/tmp.dex --output-vdex-fd=43 --oat-fd=45 --oat-location=/data/data/txunda.com.decorate/.jiagu/oat/x86/tmp.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4276

txunda.com.decorate:mult
1⤵
- Loads dropped Dex/Jar
- Queries information about running processes on the device
- Queries information about active data network
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
PID:4313

txunda.com.decorate:mult
1⤵
- Loads dropped Dex/Jar
- Queries information about running processes on the device
- Queries information about active data network
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
PID:4500

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Credential Access

Discovery

Process Discovery

T1424

System Network Connections Discovery

T1421

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/txunda.com.decorate/.jiagu/classes.dex

Filesize
6.5MB

MD5
4191fe6989c4b5f400bfcc8948509abf

SHA1
3ad42b89fad698bc5b4b2deebc5ec23c3079145e

SHA256
68da33cb1fcf0eefa7a0bc1cafa0461d284bf5fdd50e96e1785c0ddcb782f21f

SHA512
5e1e0632f974175a48330cdb19e61a177f538453c69cda890713107712269fa6b88c934cf666ba4943a4d1016ac5a16fa88f8f23fd0bb3b7af9be90ab11d7b4d

Download Submit
/data/data/txunda.com.decorate/.jiagu/classes.dex!classes2.dex

Filesize
6.9MB

MD5
01169b82f460c8fd4dc9136e0b8070b4

SHA1
27c7690dd8aa6c13cdbc78fb60dae41dfe0c7d46

SHA256
6edb4f69349d2701b75150caf6403514423992e93c8fa0fdd8e68c2d808b3b09

SHA512
5c6b8cdf6bdd119bfeb846e79f34aa4b983ee3854ad61449a27b01ac75e732d96a7da31730f23e3b5b5cb65414e438111ac5800282c1929f28ddacfc1e6cbbb6

Download Submit
/data/data/txunda.com.decorate/.jiagu/classes.dex!classes3.dex

Filesize
831KB

MD5
9e9ba819dcf5a0b94108a8cfd6bdf592

SHA1
2d062ada1db46be2ec99981599f863e43845a705

SHA256
73772ed0c564aac519822802a00fbb3d29e244cfb6f6105bcc211ab4b6ea72fd

SHA512
7ebd09c5dee16a651d3746a3d972c3eed36057532afd353b4911a074257401423682f57e313cfa4b43e11221929fbf68c302f0d7ed51a3e1938473fde61317d6

Download Submit
/data/data/txunda.com.decorate/.jiagu/libjiagu.so

Filesize
485KB

MD5
1da618896802fdb4b6f17c92703424f4

SHA1
b48aa81ac014a5a7f6e95e618e4f951ee12d34c3

SHA256
2cbf986b5e1357e00347d75d6f631539c0f368208079df36bb44603ac4e6973f

SHA512
620a06d8df24597467318582a12bce45e2e2cb66069ffbd6fa27ac5a164c58398ddb9c2348e6ef443272a22ca85fcfa03439d0f0f22109a93708d562e0737cb6

Download Submit
/data/data/txunda.com.decorate/.jiagu/tmp.dex

Filesize
284B

MD5
757eea85e09a10be12a976cffad7ac6c

SHA1
eb080a3aaf7bb16f2b3f38e35f7b7aecd8d5003c

SHA256
10b14100e544ada0418de6c344cbd4e0e1f1b82539801d3a07435c510190518b

SHA512
5a09bec4aed1091411d90479dada4e4ac7edde919f14710bb7929769a162f0bcccfcd7a1042c7b521882edbeff8102b2e4cbd002477686679989975340215f39

Download Submit
/data/data/txunda.com.decorate/.jiagu/tmp.dex

Filesize
284B

MD5
f1771b68f5f9b168b79ff59ae2daabe4

SHA1
0df6a835559f5c99670214a12700e7d8c28e5a42

SHA256
9f8898ce35a47aeafced99ea0d17c33e73037bb2307c7688e50819966f4ae939

SHA512
dae27d19727b89bec49398503baa6801640540355688dfabbe689c97545295c2c2d9b0f0dcd7cbc4cfbf701d0c0c3289e647a152f49ff242d1ecc741efe4145d

Download Submit
/data/data/txunda.com.decorate/files/.jglogs/.jg.ac

Filesize
32B

MD5
108840d6bd255a72d755dbee9c42e900

SHA1
a078453fc00701a3186dec53c397e5d5d819045a

SHA256
0ef716ecb7972ee3178798afa826c566697e63a57b276f40ede6a8625d7b619e

SHA512
00054f4a06a1da3f0839ade76ba29321260eef1008e1032ea59e9066e05694e291997b28b992c52b8776fdb43f2826c33c365a2d504ff3b91c5b79607f2fe710

Download Submit
/data/data/txunda.com.decorate/files/.jglogs/.jg.di

Filesize
340B

MD5
3c80c8e28198d4d6a45a1a155a03ca73

SHA1
c73701caa81ccf2e3241c67ffc9754348d050236

SHA256
d584f65a3fabbd4a8512c17be1cca7a2e459f1e83462ee2e39e2ca60060bf3b7

SHA512
78dade164290a164afb6007fcea7c5a7e21844acf409cadbb15612f6f2b0d943e0a0f589df68a3c101d55ebacfbf4d6d05f63414a27ecf65f76809dbbe80e96d

Download Submit
/data/data/txunda.com.decorate/files/.jglogs/.jg.ic

Filesize
32B

MD5
ca8439ff9c84b368db70a9ac19ebcdfe

SHA1
5c589c8ebea5b976a1ff62e948d14f52ad5f7c42

SHA256
06e1bb38d6a89b54483f950e0466656d8845b68c065b0588e3e7e7812f81f2f9

SHA512
646d19b703ef7a006c4c321539c9c596a8a5726f365537726b364252a4ac1ec65c44880ae2292519988b37299feff409d441474c28b3020928820d0f0aa64dca

Download Submit
/data/data/txunda.com.decorate/files/.jglogs/.jg.rd

Filesize
73B

MD5
1361b812342074bfd7e58c3a80fa01bf

SHA1
84c4edc5852b38ed74aab2f4dd419bdebc1a2e17

SHA256
33af3851b7fa84840d0111f52a30b08a04b636d0668437aacca27bd399f1deb7

SHA512
d04fd43c0d63abea3bdfd4a9b3477cf0bb69db333e9c235b66853fd1ee650556950fe208a6f84de5c4ad6689014bb69ca29dc57752c14445e2791ffb65249e99

Download Submit
/data/data/txunda.com.decorate/files/.jglogs/.jg.ri

Filesize
314B

MD5
a211bf6a468d90a7e13e6a74f1e49d38

SHA1
1b693079fc6ff18d360e84c893ebd5c18ef0ec6d

SHA256
ac207711efd437a185cd4f8125b3715e98b5855696757a67b5637c2901efe550

SHA512
ed83424429405fd35dd71c6f9c334eb724655fa26117a21e35e6db832c71cc294eefa4634dc2be7fe4d83ff32eee44d83388658c2e5309891731384b67b8e632

Download Submit
/data/data/txunda.com.decorate/files/.jiagu.lock

Filesize
146B

MD5
d695c26bbe4655315fd012b28d764d0d

SHA1
a819e7d619d2873c512df511e9d6a92dd6451416

SHA256
3f52b784cf3314e1dd17f36cc612e7c9bc7080df6ba2589422bcbded1732b06a

SHA512
b3ef2f675904b687a72da02f28351187b970d7d1baad56be5484863294b886c6538c61f8cfc16dcd28c9b903fda1abbe13c6ca9966d88b2cd969be692af4aa58

Download Submit
/data/data/txunda.com.decorate/files/Mob/domain_1

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
/storage/emulated/0/360/.deviceId

Filesize
48B

MD5
1d8d16c4e3b19ebf18988530d9b9a757

SHA1
bc94c1cce05cd848a53271ecb9c5311e27ffebf5

SHA256
abd87140da8de3d0aa39a24a8d52bfe7b2eb28f7a3d505f205471c7e8f4964d7

SHA512
4562d1eedbc5c2dd7f25cd1c70343053fd451026403585182b142a64f17016c1bd0bf6ad51667b439b220e425640e55fbbda08517e7106376cdc220a4555da82

Download Submit
/storage/emulated/0/360/.iddata

Filesize
32B

MD5
2ea1fe12bd223191413a7a23416bf60f

SHA1
352aee699cfd889394b56ec3ac7523b51445ce13

SHA256
2f45c45de8b8ca11797398bce5b786f2fcdf0a24adae2a643ca683ce88d63c7b

SHA512
552b28813221b5d1c92eb76a7dc0b7f3d70b914f863f50d8d9ca9ccb128ab7182fbeaa84aada2e89b261b5dbb3216478c030fd221de2ab7e04dee830a329ca8a

Download Submit
/storage/emulated/0/Android/data/.mn_410185822

Filesize
130B

MD5
f321656a466363e5192773d92000e401

SHA1
3a6abe9be1a6f4deffaa98fd27f3449c888d3c4a

SHA256
53efd5207de6ed80429ec3c7865eed2b64023a0ed66e0fd29e7f45b708a1751c

SHA512
fcf6884bf5ce8d10b3a3dd461fad96cb6cf0bc4129e01788de112551230fbc4d8ea6961b04411d1c7816e248437c4560277069d9c544e5450612abc0e2c0171d

Download Submit
/storage/emulated/0/Mob/comm/.di

Filesize
57B

MD5
70a42cba408700f9a6c01c7941a8829e

SHA1
eab01cc2c0671538795fb0b1146017dc099d0984

SHA256
499576707ce2623293166979e59c832be5b8636c64ad39aa63ebcf961910c35f

SHA512
8900d4dc8eed0430babbacb72942401bd22ef7fe5430cad90d3ce0c2c53010220d666aa0e2eb1026f3ec81d574c7fa12585b49222a5f15b01637f6ba134fe70c

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads