2b9047f8bc9697e5bfd9cc4465e4e740d2bc3300800c22bfa116efccacfdecea

General

Target

ebf19ceaa418a388af87e71b7469fdbc_JaffaCakes118.apk
Size

21.9MB
MD5

ebf19ceaa418a388af87e71b7469fdbc
SHA1

2580711cb6600dbc66914232dbb020a624ccd6c2
SHA256

2b9047f8bc9697e5bfd9cc4465e4e740d2bc3300800c22bfa116efccacfdecea
SHA512

836f0a7bb94b11246bbb35f9bad7da4251541261965f16ac6cbcbb88acc47b1a88ba7efaa64ae7d3c28e986aa8b96042e381b7b9356284997896122428462c0b
SSDEEP

393216:bo0qKTALmxXthNLahY3nSjHnYj02YKGkq7K/goEa9Eh6PiQLgfRv3GIvjCsDq48a:0/Y9hR3neYj0TkqO/YQ+tfRv3PLrDZZx

Score

7^/10

discovery evasion impact persistence

Malware Config

Signatures

Loads dropped Dex/Jar 1 TTPs 4 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/air.com.wn.CastleFairyEscape/app_push_lib/plugin-deploy.jar	4278	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/air.com.wn.CastleFairyEscape/app_push_lib/plugin-deploy.jar --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/air.com.wn.CastleFairyEscape/app_push_lib/oat/x86/plugin-deploy.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/air.com.wn.CastleFairyEscape/app_push_lib/plugin-deploy.jar	4252	air.com.wn.CastleFairyEscape
/data/user/0/air.com.wn.CastleFairyEscape/app_push_lib/plugin-deploy.jar	4366	air.com.wn.CastleFairyEscape:nk_v1
/data/user/0/air.com.wn.CastleFairyEscape/app_push_lib/plugin-deploy.jar	4463	air.com.wn.CastleFairyEscape:nk_v1

Queries information about active data network 1 TTPs 3 IoCs

discovery

System Network Connections Discovery

T1421

description	ioc	Process
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	air.com.wn.CastleFairyEscape:nk_v1
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	air.com.wn.CastleFairyEscape:nk_v1
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	air.com.wn.CastleFairyEscape

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 3 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	air.com.wn.CastleFairyEscape
Framework service call	android.app.IActivityManager.registerReceiver	air.com.wn.CastleFairyEscape:nk_v1
Framework service call	android.app.IActivityManager.registerReceiver	air.com.wn.CastleFairyEscape:nk_v1

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 3 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	air.com.wn.CastleFairyEscape
Framework API call	javax.crypto.Cipher.doFinal	air.com.wn.CastleFairyEscape:nk_v1
Framework API call	javax.crypto.Cipher.doFinal	air.com.wn.CastleFairyEscape:nk_v1

air.com.wn.CastleFairyEscape
1⤵
- Loads dropped Dex/Jar
- Queries information about active data network
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
PID:4252
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/air.com.wn.CastleFairyEscape/app_push_lib/plugin-deploy.jar --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/air.com.wn.CastleFairyEscape/app_push_lib/oat/x86/plugin-deploy.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4278
- getprop apps.customerservice.device
  2⤵
  PID:4305
- ping -c 1 -w 100 www.511233553523565.com
  2⤵
  PID:4342

air.com.wn.CastleFairyEscape:nk_v1
1⤵
- Loads dropped Dex/Jar
- Queries information about active data network
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
PID:4366

air.com.wn.CastleFairyEscape:nk_v1
1⤵
- Loads dropped Dex/Jar
- Queries information about active data network
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
PID:4463
- ping -c 1 -w 100 www.511233553523565.com
  2⤵
  PID:4517
- ping -c 1 -w 100 www.heywhutsup.com
  2⤵
  PID:4537
- ping -c 1 -w 100 www.wqnmlgb2015.com
  2⤵
  PID:4557
- ping -c 1 -w 100 www.damaopush.com
  2⤵
  PID:4581

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

1

T1624

Broadcast Receivers

1

T1624.001

Privilege Escalation

Defense Evasion

Download New Code at Runtime

1

T1407

Credential Access

Discovery

System Network Connections Discovery

1

T1421

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

1

T1471

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/air.com.wn.CastleFairyEscape/app_push_lib/plugin-deploy.jar

Filesize
213KB

MD5
e70723b8f6c4c7c09a6019733022cf53

SHA1
e3ca32166c65e4dc73c21347ab22d54a7b5a9a83

SHA256
32d35cd80b0302e3fcdd7349b4ff9a7b689ce080435109607ff79a834ff710d5

SHA512
461c0499193c5ef5aa4e2e5d358031e7d28c98c8e1e38d22b710271bf3b561c28232bfaadbc2c275357e31b7b0ad6bca798008328ac3cff3701c1c9cca2ddddd

Download Submit
/data/data/air.com.wn.CastleFairyEscape/app_push_lib/plugin-deploy.key

Filesize
174B

MD5
5d65595881b619ce4eca8ee6bb92fb32

SHA1
85066f1532dcdec3936529d8be9e876706f6dab4

SHA256
0d8d69ebd1fc5929f4dc790d7340f8e0201891b2c0e59cd0279f7ed087917718

SHA512
fc80eaf04978e314076f6730751040cb1811b2f71cbef5d8d2d5209fa6aa9029dbc2fccd0b8c1fa8ee78c1e6d8b5e59ecd229d08d6bb8ee714af71be35d0bcea

Download Submit
/data/data/air.com.wn.CastleFairyEscape/files/cache.info

Filesize
64B

MD5
b4994d91ed21a9e75df4de3599ddc560

SHA1
55057996deeb8a99d680a8e1ce5a6d6fe24199c7

SHA256
00d4f067d00f504116c5da678aea273a679e976430bed51fa83592a619aa8910

SHA512
72f7482827d543f1e60d7a217e4d3cc3011fcc517567bbb93ccaf07b6db8028a146438056900ade2bcb278cc4d46fceae452697e0e16b95ce276453f52e4b4de

Download Submit
/data/data/air.com.wn.CastleFairyEscape/files/cache.info

Filesize
65B

MD5
e508cc1ec14a0921baa4bc67de5a74d1

SHA1
83cd9bb4032b7e7270feca73262d3dc3acbf26d8

SHA256
ad50e060963dd12258f0e20c7f82b53d941cf9e6def0abf8ec19df4ec03672c3

SHA512
a53e4d4d9ebd224c658ea69b2f0e4c78d7219a32ab51fecdc3bb5532dedc626f98e1a525683611a0044e96368a5363167eb05914d1fe917f3712f6944d6c08d2

Download Submit
/data/data/air.com.wn.CastleFairyEscape/files/cache.info

Filesize
26B

MD5
29acce78a18aa3ff0764889da6ced98b

SHA1
015d1645d30f042c3932efc6e0ea9c39c21d9a80

SHA256
7d4c26df6a1047f666a38be2d955a28e860bfb59e0c45c0df13f4ab1002b73d2

SHA512
ddd77949bb83f1bd61600de8c81df01c0f93d837d5627f94ea610183d591d67e2b38511c4c4247590e5b67f5b4c77bef162fe66768a1b4e0b311fc13fe275276

Download Submit
/data/user/0/air.com.wn.CastleFairyEscape/app_push_lib/plugin-deploy.jar

Filesize
530KB

MD5
5597a541eabd3fb792c581587550dc4a

SHA1
6500b0ff20c75717e1cb67dcee76b4641a4e8a35

SHA256
473b02216f8d2b5ffb26571e51ff322e3ce04ba45418408452bea103576ee8e2

SHA512
39b4acd82f67f11140cd1b0b4291e656a4a46ba63064509977f3f1de24a931dce83964f031e16ccab95cf0540ac5f613ca87d7665ce99f1c1ee4a0778e2c19e2

Download Submit
/data/user/0/air.com.wn.CastleFairyEscape/app_push_lib/plugin-deploy.jar

Filesize
530KB

MD5
bdfa71feb08b80b649fddcd7488b03b4

SHA1
bcacf11199fd2c353034a7271b5dbfe2dd4cbddb

SHA256
f8bd07a7afce2d102976afaadd33dc70336a0b06682ac8d6fe9544a08d086d1d

SHA512
37dc848b995def498d0c832a76ed0ad429db18f26a5e9659c2b77a63bff555560160b6be4d22387eb529b2291bb27ae21718ddadb315bd1aa4c092d6330f049a

Download Submit
/storage/emulated/0/DMKJ_LLBX/deskshortcutrecord.info

Filesize
28B

MD5
7867e0af94c41e8bc79321106246b95c

SHA1
906040f17672c7b9b90955a7124d02d55a3a8d61

SHA256
81e2e8cfae61e5439f54456fca6147b2c7811d9b40780c8500aa589fe664f48e

SHA512
e2b31d713e9834f14caf209cf5bf34d21a9b307dfca29d2cd30f57415fda26f31f2a6b4996821ed9ae295b18e55d2eed801085e65c9113ade8113ad88de8923d

Download Submit

Analysis

Sharing