Analysis
-
max time kernel
63s -
max time network
132s -
platform
android_x64 -
resource
android-x64-arm64-20240624-en -
resource tags
androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240624-enlocale:en-usos:android-11-x64system -
submitted
01-10-2024 01:19
Static task
static1
Behavioral task
behavioral1
Sample
03df6d51535847b17f543b7e92d4522d_JaffaCakes118.apk
Resource
android-x86-arm-20240624-en
Behavioral task
behavioral2
Sample
03df6d51535847b17f543b7e92d4522d_JaffaCakes118.apk
Resource
android-x64-20240624-en
Behavioral task
behavioral3
Sample
03df6d51535847b17f543b7e92d4522d_JaffaCakes118.apk
Resource
android-x64-arm64-20240624-en
General
-
Target
03df6d51535847b17f543b7e92d4522d_JaffaCakes118.apk
-
Size
3.0MB
-
MD5
03df6d51535847b17f543b7e92d4522d
-
SHA1
04b256b3fe13865bc67c10ac2315daa347211573
-
SHA256
056d2705bced05e78209e95c0fd5314f1714ed9de7103fe39ae769b0ec42188b
-
SHA512
2cdf413b50befc35fde51bcf1addb0a0276d637edf797a2da7305efd3f9e425dea79d40fc916b8559eb701b480cbe5c5753c4789229485ae7de529c300b4015b
-
SSDEEP
49152:CrgwsjNyjDq+k66/NMCk6V5Dx5NHbBoPO7ftgHdh1dEgwKPwfTbnScR3/CN+F:C4YjDO6+NE6V1Lh50hgzwwfXnSzNI
Malware Config
Extracted
cerberus
http://somsombaba.xyz
Signatures
-
pid Process 4630 segment.coral.blanket -
Loads dropped Dex/Jar 1 TTPs 4 IoCs
Runs executable file dropped to the device during analysis.
ioc pid Process /data/user/0/segment.coral.blanket/app_DynamicOptDex/QOy.json 4630 segment.coral.blanket /data/user/0/segment.coral.blanket/app_DynamicOptDex/QOy.json 4630 segment.coral.blanket /data/data/segment.coral.blanket/app_DynamicOptDex/QOy.json 4630 segment.coral.blanket /data/data/segment.coral.blanket/app_DynamicOptDex/QOy.json 4630 segment.coral.blanket -
Makes use of the framework's Accessibility service 4 TTPs 2 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
description ioc Process Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId segment.coral.blanket Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId segment.coral.blanket -
Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs
Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
description ioc Process Framework service call android.content.IClipboard.addPrimaryClipChangedListener segment.coral.blanket -
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs
Application may abuse the accessibility service to prevent their removal.
ioc Process android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction segment.coral.blanket android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction segment.coral.blanket android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction segment.coral.blanket android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction segment.coral.blanket -
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
description ioc Process Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone segment.coral.blanket -
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
description ioc Process Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS segment.coral.blanket -
Listens for changes in the sensor environment (might be used to detect emulation) 1 TTPs 1 IoCs
description ioc Process Framework API call android.hardware.SensorManager.registerListener segment.coral.blanket -
Checks CPU information 2 TTPs 1 IoCs
description ioc Process File opened for read /proc/cpuinfo segment.coral.blanket -
Checks memory information 2 TTPs 1 IoCs
description ioc Process File opened for read /proc/meminfo segment.coral.blanket
Processes
-
segment.coral.blanket1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Listens for changes in the sensor environment (might be used to detect emulation)
- Checks CPU information
- Checks memory information
PID:4630
Network
MITRE ATT&CK Mobile v15
Defense Evasion
Download New Code at Runtime
1Hide Artifacts
3Suppress Application Icon
1User Evasion
2Impair Defenses
1Prevent Application Removal
1Input Injection
1Virtualization/Sandbox Evasion
2System Checks
2Credential Access
Clipboard Data
1Input Capture
2GUI Input Capture
1Keylogging
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
803KB
MD5c491975251d44cd5e3d6cfa6a33c1663
SHA19d798814784079777416242317997df0bea0e87b
SHA256063a40c99b625c031a1d8ea606e3314b1d6b1947a619147a1c4f3b117aa7c151
SHA512499fa353d17b1776acf0dd301ebaed29e1acfaa49cef1078b78b359d88c5e531ff5ccf92d176d903bcb73dae873a96fb97656f4e0a8d7cbdecd90e8e55aefb9f
-
Filesize
803KB
MD5564410a68f6618918d6d0cef70d28372
SHA1824e31fd757e9f45b6d67c9c2a4af9eceeb084d9
SHA2563545266dfbad88144667f432ccf9073129a61110a787f3f03ef4732a906490f0
SHA512f7ae7c093e740563a33e2e7eb2ed7f772f0433c2db9c58f02441fd522a055efd987eef8a7b44f425ea3b7d0014e62b4f930b9124edc70b5352da96a8a2ea7615
-
Filesize
253B
MD556c6f5f8c830782faf5ae1ca8097bc5e
SHA11d55c3896a226d3bfe5d92189fdf0b26b1475443
SHA256fe57ca1037dc8a2b402c2d5b5eebf5be01631100d21d288ec14cb032bf233c11
SHA512f8e4286e284b86d4f8afdfa3715919c845b7a721285981bba4aa6e8fddf7a0bcb24616ade313296e4877e5f39dd42a94106ecffe4bfd6808abb5c483eefa3615