c41c57e40e3e80ccff0436f9fc96e7a15c5009fac264fad678db4c478e295de0

Analysis

max time kernel
145s
max time network
156s
platform
android_x86
resource
android-x86-arm-20240624-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20240624-enlocale:en-usos:android-9-x86system
submitted
21/09/2024, 03:43

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ef014423aae9726d763f110f32d928b6_JaffaCakes118.apk
Size

12.3MB
MD5

ef014423aae9726d763f110f32d928b6
SHA1

afdc80aa667d5eb116f263490a6a28c01d08bd9e
SHA256

c41c57e40e3e80ccff0436f9fc96e7a15c5009fac264fad678db4c478e295de0
SHA512

9fb02e35d01ea0687b8811d879ee23b4f95c5057f9e4e6d9af753a8cdd08d3aa70826c957be4b79676a62d6c06be510ff41c9c8fed40d48e5be1c6cfc3931d9b
SSDEEP

393216:aH7x93LhQIBuwGT1C4QBpMdT0slTKUT8uCLm:aywuhT1C3BmJ0GTKRa

Score

8^/10

collection discovery evasion execution impact persistence

Malware Config

Signatures

Checks if the Android device is rooted. 1 TTPs 12 IoCs

evasion

System Information Discovery

T1426

ioc	Process
/sbin/su	com.sogou.androidtool
/sbin/su	com.sogou.androidtool:remote_proxy
/sbin/su	com.sogou.androidtool:push_service
/sbin/su	com.sogou.androidtool:channel
/sbin/su	com.sogou.androidtool:push_service
/sbin/su	/system/bin/sh -c type su
/system/app/Superuser.apk	com.sogou.androidtool:remote_proxy
/sbin/su	/system/bin/sh -c type su
/sbin/su	com.sogou.androidtool:push_service
/system/app/Superuser.apk	com.sogou.androidtool:channel
/sbin/su	/system/bin/sh -c type su
/system/app/Superuser.apk	com.sogou.androidtool:push_service

Queries information about running processes on the device 1 TTPs 6 IoCs

Application may abuse the framework's APIs to collect information about running processes on the device.

discovery

Process Discovery

T1424

description	ioc	Process
Framework service call	android.app.IActivityManager.getRunningAppProcesses	com.sogou.androidtool:push_service
Framework service call	android.app.IActivityManager.getRunningAppProcesses	com.sogou.androidtool:push_service
Framework service call	android.app.IActivityManager.getRunningAppProcesses	com.sogou.androidtool
Framework service call	android.app.IActivityManager.getRunningAppProcesses	com.sogou.androidtool:remote_proxy
Framework service call	android.app.IActivityManager.getRunningAppProcesses	com.sogou.androidtool:push_service
Framework service call	android.app.IActivityManager.getRunningAppProcesses	com.sogou.androidtool:channel

Requests cell location 2 TTPs 6 IoCs

Uses Android APIs to to get current cell location.

collection discovery evasion

Location Tracking

T1430

Geofencing

T1627.001

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getCellLocation	com.sogou.androidtool
Framework service call	com.android.internal.telephony.ITelephony.getCellLocation	com.sogou.androidtool:remote_proxy
Framework service call	com.android.internal.telephony.ITelephony.getCellLocation	com.sogou.androidtool:push_service
Framework service call	com.android.internal.telephony.ITelephony.getCellLocation	com.sogou.androidtool:channel
Framework service call	com.android.internal.telephony.ITelephony.getCellLocation	com.sogou.androidtool:push_service
Framework service call	com.android.internal.telephony.ITelephony.getCellLocation	com.sogou.androidtool:push_service

Queries information about active data network 1 TTPs 6 IoCs

discovery

System Network Connections Discovery

T1421

description	ioc	Process
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.sogou.androidtool:push_service
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.sogou.androidtool
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.sogou.androidtool:remote_proxy
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.sogou.androidtool:push_service
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.sogou.androidtool:channel
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.sogou.androidtool:push_service

Queries information about the current Wi-Fi connection 1 TTPs 6 IoCs

Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

discovery

System Network Connections Discovery

T1421

description	ioc	Process
Framework service call	android.net.wifi.IWifiManager.getConnectionInfo	com.sogou.androidtool
Framework service call	android.net.wifi.IWifiManager.getConnectionInfo	com.sogou.androidtool:remote_proxy
Framework service call	android.net.wifi.IWifiManager.getConnectionInfo	com.sogou.androidtool:push_service
Framework service call	android.net.wifi.IWifiManager.getConnectionInfo	com.sogou.androidtool:channel
Framework service call	android.net.wifi.IWifiManager.getConnectionInfo	com.sogou.androidtool:push_service
Framework service call	android.net.wifi.IWifiManager.getConnectionInfo	com.sogou.androidtool:push_service

Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 5 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	com.sogou.androidtool
Framework service call	android.app.IActivityManager.registerReceiver	com.sogou.androidtool:remote_proxy
Framework service call	android.app.IActivityManager.registerReceiver	com.sogou.androidtool:push_service
Framework service call	android.app.IActivityManager.registerReceiver	com.sogou.androidtool:channel
Framework service call	android.app.IActivityManager.registerReceiver	com.sogou.androidtool:push_service

Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

execution persistence

Scheduled Task/Job

T1603

description	ioc	Process
Framework service call	android.app.job.IJobScheduler.schedule	com.sogou.androidtool:channel

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 3 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.sogou.androidtool:remote_proxy
Framework API call	javax.crypto.Cipher.doFinal	com.sogou.androidtool:push_service
Framework API call	javax.crypto.Cipher.doFinal	com.sogou.androidtool:channel

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	com.sogou.androidtool

Checks memory information 2 TTPs 4 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	com.sogou.androidtool:remote_proxy
File opened for read	/proc/meminfo	com.sogou.androidtool:channel
File opened for read	/proc/meminfo	com.sogou.androidtool:push_service
File opened for read	/proc/meminfo	com.sogou.androidtool

com.sogou.androidtool
1⤵
- Checks if the Android device is rooted.
- Queries information about running processes on the device
- Requests cell location
- Queries information about active data network
- Queries information about the current Wi-Fi connection
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Checks CPU information
- Checks memory information
PID:4263
- chmod 777 /data/user/0/com.sogou.androidtool/cache
  2⤵
  PID:4293
- chmod 777 /data/user/0/com.sogou.androidtool/cache
  2⤵
  PID:4316

com.sogou.androidtool:remote_proxy
1⤵
- Checks if the Android device is rooted.
- Queries information about running processes on the device
- Requests cell location
- Queries information about active data network
- Queries information about the current Wi-Fi connection
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
- Checks memory information
PID:4481
- chmod 777 /data/user/0/com.sogou.androidtool/cache
  2⤵
  PID:4627
- getprop ro.build.version.opporom
  2⤵
  PID:4774
- getprop ro.vivo.os.version
  2⤵
  PID:4799
- getprop ro.smartisan.version
  2⤵
  PID:4848
- /system/bin/sh -c getprop ro.board.platform
  2⤵
  PID:4941
- getprop ro.board.platform
  2⤵
  PID:4941
- /system/bin/sh -c type su
  2⤵
  - Checks if the Android device is rooted.
  PID:4966

com.sogou.androidtool:push_service
1⤵
- Checks if the Android device is rooted.
- Queries information about running processes on the device
- Requests cell location
- Queries information about active data network
- Queries information about the current Wi-Fi connection
- Registers a broadcast receiver at runtime (usually for listening for system events)
PID:4741
- chmod 777 /data/user/0/com.sogou.androidtool/cache
  2⤵
  PID:4812

com.sogou.androidtool:channel
1⤵
- Checks if the Android device is rooted.
- Queries information about running processes on the device
- Requests cell location
- Queries information about active data network
- Queries information about the current Wi-Fi connection
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Schedules tasks to execute at a specified time
- Uses Crypto APIs (Might try to encrypt user data)
- Checks memory information
PID:4988
- chmod 777 /data/user/0/com.sogou.androidtool/cache
  2⤵
  PID:5039
- chmod 777 /data/user/0/com.sogou.androidtool/files
  2⤵
  PID:5089
- /system/bin/sh -c getprop ro.board.platform
  2⤵
  PID:5236
- getprop ro.board.platform
  2⤵
  PID:5236
- /system/bin/sh -c type su
  2⤵
  - Checks if the Android device is rooted.
  PID:5260

com.sogou.androidtool:push_service
1⤵
- Checks if the Android device is rooted.
- Queries information about running processes on the device
- Requests cell location
- Queries information about active data network
- Queries information about the current Wi-Fi connection
PID:5135
- chmod 777 /data/user/0/com.sogou.androidtool/cache
  2⤵
  PID:5163

com.sogou.androidtool:push_service
1⤵
- Checks if the Android device is rooted.
- Queries information about running processes on the device
- Requests cell location
- Queries information about active data network
- Queries information about the current Wi-Fi connection
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
- Checks memory information
PID:5285
- chmod 777 /data/user/0/com.sogou.androidtool/cache
  2⤵
  PID:5323
- getprop ro.miui.ui.version.name
  2⤵
  PID:5358
- chmod 777 /data/user/0/com.sogou.androidtool/files
  2⤵
  PID:5390
- getprop ro.vivo.os.version
  2⤵
  PID:5469
- getprop ro.smartisan.version
  2⤵
  PID:5494
- /system/bin/sh -c getprop ro.board.platform
  2⤵
  PID:5527
- getprop ro.board.platform
  2⤵
  PID:5527
- /system/bin/sh -c type su
  2⤵
  - Checks if the Android device is rooted.
  PID:5552

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

T1603

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Scheduled Task/Job

T1603

Privilege Escalation

Defense Evasion

Execution Guardrails

T1627

Geofencing

T1627.001

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Discovery

Location Tracking

T1430

Process Discovery

T1424

System Information Discovery

T1426

System Network Configuration Discovery

T1422

System Network Connections Discovery

T1421

Lateral Movement

Collection

Location Tracking

T1430

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.sogou.androidtool/databases/MessageStore.db-journal

Filesize
512B

MD5
ff9107a3c2bfbc9db3a475376235a32e

SHA1
6547f9a400a448334aa8c243c1cb1df55764b977

SHA256
2ca521060450e7465a1770cd0ba7ca4e93f38ecbaf6ae88fc53a9155e3ea60b6

SHA512
a2b3a8a82d03970d4b0d363289a5bb80204885818b308b1238f572c4a9670ddfd415758efcf11e8390a25e86798560ccb010efe86067ecf0ee4aa1ef49cfbe5f

Download Submit
/data/data/com.sogou.androidtool/databases/MessageStore.db-shm

Filesize
28KB

MD5
5aa329fdd385905d4cbef74d3a208b9c

SHA1
0255523cbc20f2380fb48ea320d27ff0512916b8

SHA256
6464c4f5886a81f0b8154d2f27ebc3d399540d5d969259e8947eea6e2673c86c

SHA512
beb839c91d29f42daca2bbc11bb40e497f3dba04b7a32ee99edefc1f23db39e24c50a38a6faec9c7bd80bf4db2a1108b8f12d3eb76296e3fb558744e6349cabb

Download Submit
/data/data/com.sogou.androidtool/databases/MessageStore.db-wal

Filesize
48KB

MD5
28aa3d7dd9f9ab318615022c41e924d6

SHA1
b1b000e8740d6c46b442538f2a86e3e202d4c4ec

SHA256
6b18e2015c0021bc2f3e377365f8a2846eb757d72b8ef0718094fc55155ea40d

SHA512
cdee34c734c512ba505f9df87afae43f41d096489b2fda32a4e0ece7bdf6d483d75540a475dd5ba6905a6e2e7d0f74066d24d8074ca55f402ffd18b20fc4af0e

Download Submit
/data/data/com.sogou.androidtool/databases/MsgLogStore.db-journal

Filesize
512B

MD5
daa26eded8697ec0e9718a992ab17af0

SHA1
13f80455dd6c7c88f24dba0db6ae4c3532ff124d

SHA256
4feeedc29293a9410b0c596afa5d6d01ac6026bdaf26a6c48d9a44ee38cab2e6

SHA512
431e5c302ce1d598b24440e9c2621c64ddd19f2d57301a78226ba8ea48084869de657d5ddbee94b44793ec7d9226115b2db1c9188b5f85e7a8f2563976f9be02

Download Submit
/data/data/com.sogou.androidtool/databases/MsgLogStore.db-shm

Filesize
36KB

MD5
1ac7b33a9143b2bf5acbb92e5630d52c

SHA1
df87391df254f5007decfaf1ae0a387cbb5a5725

SHA256
2b2e85a4225c348b46ab40dc1e16cb194b10cfa936e40b530bebeca39b25086c

SHA512
282102cf3674e03bbf3dc1fe0e65cd28faf4f0dcf1695108b859cfed87f588fae7219d247d9c68f004945a295e47a80459ba8c847f593bea1ec964a12151c783

Download Submit
/data/data/com.sogou.androidtool/databases/MsgLogStore.db-wal

Filesize
68KB

MD5
add92cb0c92a2159856180c68f0c7609

SHA1
5d717e9d0bf51135a1d4df5cb5ce20f71561dc3c

SHA256
f91e682946b91ba83fd0691d7dacb9fe6d3b4a2f16b315994312275270f616bb

SHA512
3d7f01f97309bc1e1a227b99018696e42dfc62b0e368a1eb69ff3ca4445067a1a91b6140981df449a39c749eb7db75be8257fd1a2306be5c9b85dffd1bd3aac2

Download Submit
/data/data/com.sogou.androidtool/databases/account.db-journal

Filesize
512B

MD5
c410a75f6056a7a1604e91487bb7aab8

SHA1
b49600da908037ca2fa077d236bb69c2696e208c

SHA256
8b24abc2dd5bbe150f5ed29f911232395c4b59aa1ea8b4ef2e811a6bc1f0ef45

SHA512
639756f850342c90a8eef2d9f40454608b307660fab1ef0642fdef51dab87bf1c031ec20cf6fdc59d4f398065b62c89e53467860c0413dff791597114a5ab220

Download Submit
/data/data/com.sogou.androidtool/databases/account.db-wal

Filesize
16KB

MD5
3a239688c6d61b7a7cad84bacc896b9f

SHA1
99a634571d9b23198a5e8955720288f30374673b

SHA256
9e7dc72d255299861a1ccfc2c0814b9c408bb0b30ef9d274336a870304bcadf7

SHA512
8894de183fb2bd0474e1f4cd3e2c5e33d45900db3303c17eae610e9affd9e367a3f0ca8b3e1d6898b1fc1bca93229a49ffe709a8d40cfa3f8eeef621c3a565c0

Download Submit
/data/data/com.sogou.androidtool/databases/bugly_db_

Filesize
4KB

MD5
0a8447fb58ee1ec1558d173297b6db15

SHA1
f9948b96d3c0238c4be2ab65ec5836a78a0e27b2

SHA256
7a247bd279c80b514b5861af8cd910dcdf2374f5bba8060cc855c4bc9a8c8efe

SHA512
5a7ddc425c7bffddc19aadd09238f4086e54619bca694b480276db8d520373b11afc4900db10acc19d34445ee6263a59e1c7a916d9d759d678c3b3de987053c0

Download Submit
/data/data/com.sogou.androidtool/databases/bugly_db_-journal

Filesize
48KB

MD5
2b4f58fe9c9b203248b219e14225f782

SHA1
c6a3556a4291ac7b80a016400e7bf789fb2a5f12

SHA256
dc958ba976e92d196d5c6db6b13cb46cc951c6d9b9a7f60bfee8701a7d4784b0

SHA512
a7d5a29cda1e81c17d1aa2b49f4e8583fb18951262c19c2e2db2570fd8ab148e7c10734af66818fe1da284673e267cdcf22a38d6dc177b57bad86b6968398bd3

Download Submit
/data/data/com.sogou.androidtool/databases/bugly_db_-wal

Filesize
96KB

MD5
af333e124d343ca2b5a23a73d54a7fe7

SHA1
d30c528a7064462b588c0ec047b3aff4c08b2606

SHA256
b06bfb410ebe9024ec21695b18156ce5ce56ff6a85e46fdc754c11f643fae7ff

SHA512
954b68f3783ea892b7c8c3cca55bceb30a3641488b0f9a273fc9b16ef8e10dddd28ee0c1776a04f674e22d6e1e4e6e2b3c19f9eee5a86133c3fb2a800ed6fa83

Download Submit
/data/data/com.sogou.androidtool/databases/downloads_classic.db

Filesize
4KB

MD5
f2b4b0190b9f384ca885f0c8c9b14700

SHA1
934ff2646757b5b6e7f20f6a0aa76c7f995d9361

SHA256
0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

SHA512
ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

Download Submit
/data/data/com.sogou.androidtool/databases/downloads_classic.db-journal

Filesize
305KB

MD5
b3946272983706a96ceba6076e081027

SHA1
a4a7408709dd00d7bc7ae0595424d451f2041954

SHA256
f9c40084bc38d1f1180e50d62504302a61f8eca706c8de4d0138c91773c64263

SHA512
1d66ea1cad8d9dc885962a96350d08d5776f9c93127d28cf19fc8283fbcc68481ff66548341d7d51eb38361d054419edee18f974e4e75920eee98c8085d30a26

Download Submit
/data/data/com.sogou.androidtool/databases/downloads_classic.db-shm

Filesize
28KB

MD5
cf845a781c107ec1346e849c9dd1b7e8

SHA1
b44ccc7f7d519352422e59ee8b0bdbac881768a7

SHA256
18619b678a5c207a971a0aa931604f48162e307c57ecdec450d5f095fe9f32c7

SHA512
4802861ea06dc7fb85229a3c8f04e707a084f1ba516510c6f269821b33c8ee4ebf495258fe5bee4850668a5aac1a45f0edf51580da13b7ee160a29d067c67612

Download Submit
/data/data/com.sogou.androidtool/databases/downloads_classic.db-wal

Filesize
40KB

MD5
961fc44985b242feb81ea161cad1e624

SHA1
caf4873d85c663a681c8678daf56f1769b20bbd7

SHA256
0b0f9f1a2751daa0fe7aa7a6e510a4a17872b062622a3660b4f2751b4d15043d

SHA512
1c2b907991c18b70efda0eb04cee7ef870fef4188fe30fcd458557ced43ceb34b071ce5f48945d5ca87508ce8a826b868052bd57ae11521b08a74a19b3835b00

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads