Analysis
- max time kernel: 136s
- max time network: 157s
- platform: android_x86
- resource: android-x86-arm-20240624-en
- resource tags: android, arch:arm, arch:x86, image:android-x86-arm-20240624-en, locale:en-us, os:android-9-x86, system
- submitted: 17/10/2024, 01:04
Static task: static1
Behavioral task: behavioral1
Sample: 50066ec70c0fceac4ce35db59af9fd3b_JaffaCakes118.apk
Resource: android-x86-arm-20240624-en
General
- Target: 50066ec70c0fceac4ce35db59af9fd3b_JaffaCakes118.apk
- Size: 11.0MB
- MD5: 50066ec70c0fceac4ce35db59af9fd3b
- SHA1: 034831dd478f8fc07339625be29c52096361c5c8
- SHA256: 5c2e5d7ea9655ce93316bdfa2825e1e800a5219ba23cec04fd590a4b115d1f36
- SHA512: e73a98c1d5e689f7dea88528242dfc6a312be4fe1d95e9e1f947d8f6ec9dcb58906e4f9d2e711e7ddd5364efa9a7e216ef8ef7d4aa1d6fbe02eda8e7b3c6307d
- SSDEEP: 196608:Yc2gs4xXXG5EMnR9J8HEfOUJdhEr1TzZYxNpoAveNU1bO6Tx971mA5+6g7Qu:YmRxXXyn72UOrUpvveNU1i6Tx970T66
Malware Config
Signatures

Loads dropped Dex/Jar (1 TTPs, 2 IoCs)
Runs executable file dropped to the device during analysis.
- ioc: /data/data/com.chinamobile.contacts.im/com.cmcc.sso.SsoService/test.jar; pid: 4780; process: /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/data/com.chinamobile.contacts.im/com.cmcc.sso.SsoService/test.jar --output-vdex-fd=45 --oat-fd=46 --oat-location=/data/data/com.chinamobile.contacts.im/com.cmcc.sso.SsoService/oat/x86/test.odex --compiler-filter=quicken --class-loader-context=&
- ioc: /data/data/com.chinamobile.contacts.im/com.cmcc.sso.SsoService/test.jar; pid: 4747; process: com.cmcc.sso.SsoService

Queries information about running processes on the device (1 TTPs, 4 IoCs)
Application may abuse the framework's APIs to collect information about running processes on the device.
- description: Framework service call; ioc: android.app.IActivityManager.getRunningAppProcesses; process: com.chinamobile.contacts.im:remote
- description: Framework service call; ioc: android.app.IActivityManager.getRunningAppProcesses; process: com.cmcc.aoe.AOEService
- description: Framework service call; ioc: android.app.IActivityManager.getRunningAppProcesses; process: com.cmcc.sso.SsoService
- description: Framework service call; ioc: android.app.IActivityManager.getRunningAppProcesses; process: com.chinamobile.contacts.im

Queries information about the current nearby Wi-Fi networks (1 TTPs, 1 IoCs)
Application may abuse the framework's APIs to collect information about the current nearby Wi-Fi networks.
- description: Framework service call; ioc: android.net.wifi.IWifiManager.getScanResults; process: com.chinamobile.contacts.im:remote

Queries the phone number (MSISDN for GSM devices) (1 TTPs)

Reads the contacts stored on the device. (1 TTPs, 2 IoCs)
- description: URI accessed for read; ioc: content://com.android.contacts/contacts; process: com.chinamobile.contacts.im
- description: URI accessed for read; ioc: content://com.android.contacts/contacts; process: com.cmcc.aoe.AOEService

Reads the content of SMS inbox messages. (1 TTPs, 1 IoCs)
- description: URI accessed for read; ioc: content://sms/inbox; process: com.cmcc.aoe.AOEService
Requests cell location (2 TTPs, 1 IoCs)
Uses Android APIs to get the current cell location.
- description: Framework service call; ioc: com.android.internal.telephony.ITelephony.getCellLocation; process: com.chinamobile.contacts.im:remote
Domain associated with commercial stalkerware software, includes indicators from echap.eu.org (1 IoCs)
- flow: 9; ioc: alog.umeng.com

Queries information about active data network (1 TTPs, 3 IoCs)
- description: Framework service call; ioc: android.net.IConnectivityManager.getActiveNetworkInfo; process: com.cmcc.aoe.AOEService
- description: Framework service call; ioc: android.net.IConnectivityManager.getActiveNetworkInfo; process: com.cmcc.sso.SsoService
- description: Framework service call; ioc: android.net.IConnectivityManager.getActiveNetworkInfo; process: com.chinamobile.contacts.im:remote

Queries information about the current Wi-Fi connection (1 TTPs, 2 IoCs)
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
- description: Framework service call; ioc: android.net.wifi.IWifiManager.getConnectionInfo; process: com.chinamobile.contacts.im
- description: Framework service call; ioc: android.net.wifi.IWifiManager.getConnectionInfo; process: com.cmcc.aoe.AOEService

Reads information about phone network operator. (1 TTPs)

Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTPs, 3 IoCs)
- description: Framework service call; ioc: android.app.IActivityManager.registerReceiver; process: com.chinamobile.contacts.im
- description: Framework service call; ioc: android.app.IActivityManager.registerReceiver; process: com.chinamobile.contacts.im:remote
- description: Framework service call; ioc: android.app.IActivityManager.registerReceiver; process: com.cmcc.aoe.AOEService

Uses Crypto APIs (Might try to encrypt user data) (1 TTPs, 1 IoCs)
- description: Framework API call; ioc: javax.crypto.Cipher.doFinal; process: com.chinamobile.contacts.im:remote

Checks CPU information (2 TTPs, 1 IoCs)
- description: File opened for read; ioc: /proc/cpuinfo; process: com.cmcc.aoe.AOEService
Processes

com.chinamobile.contacts.im (PID:4262)
  - Queries information about running processes on the device
  - Reads the contacts stored on the device.
  - Queries information about the current Wi-Fi connection
  - Registers a broadcast receiver at runtime (usually for listening for system events)

com.chinamobile.contacts.im:remote (PID:4398)
  - Queries information about running processes on the device
  - Queries information about the current nearby Wi-Fi networks
  - Requests cell location
  - Queries information about active data network
  - Registers a broadcast receiver at runtime (usually for listening for system events)
  - Uses Crypto APIs (Might try to encrypt user data)

com.cmcc.aoe.AOEService (PID:4476)
  - Queries information about running processes on the device
  - Reads the contacts stored on the device.
  - Reads the content of SMS inbox messages.
  - Queries information about active data network
  - Queries information about the current Wi-Fi connection
  - Registers a broadcast receiver at runtime (usually for listening for system events)
  - Checks CPU information
  child processes:
    ps (PID:4510)
    /system/bin/sh -c kill -9 >/dev/null 2>&1 (PID:4530)
    /system/bin/chmod 755 /data/user/0/com.chinamobile.contacts.im/files/com.cmcc.aoe.keepalive (PID:4548)
    /system/bin/ndk_translation_program_runner_binfmt_misc /data/user/0/com.chinamobile.contacts.im/files/com.cmcc.aoe.keepalive /data/user/0/com.chinamobile.contacts.im/files/com.cmcc.aoe.keepalive com.chinamobile.contacts.im 0 (PID:4569)
    ps (PID:4590)
    /system/bin/sh -c kill -9 >/dev/null 2>&1 (PID:4609)
    /system/bin/chmod 755 /data/user/0/com.chinamobile.contacts.im/files/com.cmcc.aoe.keepalive.pie (PID:4627)
    /system/bin/ndk_translation_program_runner_binfmt_misc /data/user/0/com.chinamobile.contacts.im/files/com.cmcc.aoe.keepalive.pie /data/user/0/com.chinamobile.contacts.im/files/com.cmcc.aoe.keepalive.pie com.chinamobile.contacts.im 0 (PID:4648)
      child processes:
        sh -c /system/bin/ps (PID:4693)
        /system/bin/ps (PID:4693)

com.cmcc.sso.SsoService (PID:4747)
  - Loads dropped Dex/Jar
  - Queries information about running processes on the device
  - Queries information about active data network
  child processes:
    /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/data/com.chinamobile.contacts.im/com.cmcc.sso.SsoService/test.jar --output-vdex-fd=45 --oat-fd=46 --oat-location=/data/data/com.chinamobile.contacts.im/com.cmcc.sso.SsoService/oat/x86/test.odex --compiler-filter=quicken --class-loader-context=& (PID:4780)
      - Loads dropped Dex/Jar
Network
MITRE ATT&CK Mobile v15

Defense Evasion
- Download New Code at Runtime (1)
- Execution Guardrails (1)
  - Geofencing (1)
- Virtualization/Sandbox Evasion (1)
  - System Checks (1)

Discovery
- Location Tracking (1)
- Process Discovery (1)
- System Information Discovery (1)
- System Network Configuration Discovery (2)
- System Network Connections Discovery (3)
Downloads
- Filesize: 568KB
  MD5: 25dd996c70c5c44ba0e432b24dafe71c
  SHA1: 544630e433f32bf9fcfd32369bfd746bea1ee033
  SHA256: bbfe0838264391a036db7b91916085c8c77829aaad2ad980c734d3a62a9416d3
  SHA512: 16491e2deb6d258a7a66d2d89937235370ad77572fd5e805d8282332761b49f87ef479e5dfd16cf2a13e6079cb13fc54b2c025b54277314d0be8f0b8c6c4737d
- Filesize: 68KB
  MD5: c57e629b8b5d88679ead62cc7e3f0cd4
  SHA1: e9e5754c639fbb09b4d02271bf1f222abb302aa3
  SHA256: 9a350bfa59e5b5254d4f16aec570e85e27aa275363b375b825ffd2e31993a740
  SHA512: bf54539c3d5b524fcf2c79d18c205c88ec07be0c91bd36a6078e4c7b914833b9efba424a64b84740e4700b4fdfb02a1a6f1cabdcb1f7a7854de075818899d1cd
- Filesize: 718B
  MD5: 640f67e0b70a4a56e504a7b1513c4987
  SHA1: 48b6c60f35bdb5b5c826ce09e234c38b23931670
  SHA256: 2429342a6c7bb095c14a26affe05bd3c5f810e7135f7f282ed9e0981c1d47db7
  SHA512: 58c286e1829b593bb72212301a8224db70ccefce18970abd56315d5cdb2e170d67af505402e4fa66e5836e3b7c44dd426fdf5dd44d285568d4e62aba456dc0c4
- Filesize: 33KB
  MD5: 30203c0645b1aa939656bd2cdf723470
  SHA1: 0fe918455f486873ea5f740171c3dce2118391b1
  SHA256: 81f75fe46b8211b4eeb4181b3c5240cddaf1be50de9a16e839017ccc846b5c64
  SHA512: 02b4019130f552d8e48cc12f91ce230d7e88395486897e165c28803eba1431b2ffdc885e6d08b4fabd996ee25f3563f5e5ab24fe89a24e1997ea83c17aac192c
- Filesize: 157KB
  MD5: e66d92f3a7be4ff6efe5d25f7c2509a7
  SHA1: 7bf5519e89f82e70a3b04d89c6526549b88684f9
  SHA256: 5ccd36568a847d57bf7e488144c44e22882c95cbe87b00ce4ddf1eee12ceb699
  SHA512: c3e37b3ecd4d63be18a0d8348bf83381705a395fe6ebbe93929ae8ea9b5ef5a15e6237e80e8fcbc3719898838ec27c868425f3c044200190cc93728f3f0f28cd
- Filesize: 157KB
  MD5: 81db8fa13b8cd632b5de67ff35fdbacc
  SHA1: c7ce60ef2310489bb9f2ab4fa9b11cd01ab161e2
  SHA256: 0437d2c2103ce311fa1fa50cc1cf71fe14a6456550e248444893cf84f4388748
  SHA512: 13a0c2a6a8f54b3d5b689fe1f4079750e187df946c63f2b550f2b57eba3d5c4e7ed39f7e47cdd833813a40fe01a21f50a75f726ba1231099e67113e28f1194ab
- Filesize: 32KB
  MD5: 40e10b72e6cd15a2e81f667745395bb9
  SHA1: 43d89ce268153523d372b67751a3c98be3d72156
  SHA256: 1877553a2ca289d41066b1e03e58a374391e0435b283741fb4f2df7b91e41537
  SHA512: b27d3a5621205637f52b6fbbe6bbaf1abd5765ca3ff548710bcc9eec7f3b414b9ce51e2dd0b5d37fecfbbe1f85e0dc1350c05045cc55386e31a4d130a20b885a
- Filesize: 28KB
  MD5: e0e1e6b09efd4c928c13fe88f0d6c82d
  SHA1: e341fe31cc0347cd8be5ccdcf93b37970026d076
  SHA256: d4abed1d405f4c6d2971c1f4fe1263f7a6e5f746fc2ae1b47988031cf43d5d06
  SHA512: 9aa10cbdd2e6a4a6ea3842ed4505f82f4cc1e319fc89a1bc5fa0374ea2b1d828377649c4264f0b9b9e7f8748a1b299e956618240d9a0931abda617d835a79b2f
- Filesize: 24KB
  MD5: d72a6dd9004fb80b4c00b6bb709f1785
  SHA1: e7e52d79784e3fd28d2a9306a458190f5e742b33
  SHA256: 40bd8648d0e181d6705ef53e5cfa3097e3240ebc19a905cbc928e2f494530310
  SHA512: 8da010135f1f3c576772bf9c9e5f4a55e7a56a2b1e0bcfe282a678eb67117d7d9f0ca63474482776a4e16e342988f3be39996e0e49d150c8339ae39a9e880f83
- Filesize: 4KB
  MD5: fbfd45ba7279dad4d4bcaa36611d3dec
  SHA1: bdf0a1459fa9f31e0711f3b6d7c465fa1110c459
  SHA256: 5d6ba82ae693ed072094e4f34b3dbed693b7575aadd78948d9dc6b15478dcf32
  SHA512: 2218cb4bf3879cea4f7cb550c0d538c9a2cb6d4c02fe857cba77dc84d3b93e1e580b0d0136d57efa4fa6b05041677a247fcfdad4dc4675a14f5e0d3910eb3962
- Filesize: 4KB
  MD5: d2984c107ff98d271a3cdc0e7318a6a0
  SHA1: 571b4351b0af24c3bbd83289e51371b1b51285d8
  SHA256: ea76d91b49d5fe5110633870fdd14dec38c3b98d536b2336f76bab1b6f05e46a
  SHA512: 691829283deec442c0bcb32aa21600b8f1ef8eb625d39f7662c6be45e3dc4d9a37a5a2c80bb51749a193fe2fd74a1125bdc262d869471ee91f2f4df60888d62d
- Filesize: 52KB
  MD5: 7b92ec5962c8ba29dbde1aaeaa154fd3
  SHA1: c05e925d2033227adc1e5c5ab79030c4600b0e3e
  SHA256: bc8349d5101fd388a30816d556097a35e0ac0d525c2359aee89a807e3f964cba
  SHA512: f1d6d05db1bdabd6325a54508af2ef38828304d9fccb470e896ce6e2d4010c6e375540b008e8329de6bcb1c4f96b681bc0342eb2bcce8dfd1986a460501589be
- Filesize: 28KB
  MD5: cf845a781c107ec1346e849c9dd1b7e8
  SHA1: b44ccc7f7d519352422e59ee8b0bdbac881768a7
  SHA256: 18619b678a5c207a971a0aa931604f48162e307c57ecdec450d5f095fe9f32c7
  SHA512: 4802861ea06dc7fb85229a3c8f04e707a084f1ba516510c6f269821b33c8ee4ebf495258fe5bee4850668a5aac1a45f0edf51580da13b7ee160a29d067c67612
- Filesize: 32KB
  MD5: ba7dbce27575f1db495fb1f79b981183
  SHA1: 0492657dbecca4177bd67ff9749d47b1776ad045
  SHA256: ee331436aae8470d15e1cf87580b57e416d545aadd4c7bf832d9d2463e380a16
  SHA512: 021f733ab6b419f36128d3aa8b2b72a9581d4d3138d4a65b1efc7af63d45298774e507bb37f2db0013ede373d9407d94b327929d89de288c79a7b8cae587c97f
- Filesize: 237KB
  MD5: 2f22a79d16210a6b1b32eb837ce6529c
  SHA1: ea99083b7a8a6ccd0d8aca9a527a5b6ab187b67a
  SHA256: 6f9fe9f968d814544e2cc851b7f85cd7f02d5b26b2e9db1496aba8d43c3042ee
  SHA512: 64c488b4a3d89d00cb926e495b01fc9cb19d2307e58797c9bec32b1718faf1577b1cf5be3c84e0043580ad535a6788d11352df8765d7e75ecbe88563c3cc8610
- Filesize: 13KB
  MD5: 473b337bca6ba765a28435407d312c94
  SHA1: c5b4c63be30d41e564e2ee4fb49b3d948c1210d4
  SHA256: fc145b4d09aa68ff77199731fae514adc3499063f4dc4d06c206dc05fb6fcdd2
  SHA512: 5fe7652c0773a5fc9674b4ef845863d6d07496f2d8e6536789b9bb387e045df01b1035c85400ae389165df11cc1e2678a7e6cae1656b76b00055461e3d580924
- Filesize: 68KB
  MD5: 71eb4f1d9d79d32fcfd592d3ab4c5c78
  SHA1: 2f8f63a8c0ef2e497d514d0622a3f623c818320d
  SHA256: 3c86f566c1373ed6f607261771df16b9450e59e51c77d2c3df8976629508fe85
  SHA512: 32efcf39afa1db84b95e4c0d0d3354145afcee649addc1e33a94c59d78c67c92d3bc31440407594ea1357caa60d6e95ef38a0567389701a121993789c4ed5c75
- Filesize: 8KB
  MD5: 0eaeb299a02ed6674ea081eb086fc815
  SHA1: 8d7c79f0746721ceca1ce3f4059da0c62e7dc119
  SHA256: 954afb55a8313bc0f40dd4060f60facebc821a8b8bb25c17cb9420d4fe162513
  SHA512: 5212550f9f9b83f85b355914faf26181fc7beb03a2fc5ee6c2ea8db7b1c4527564f1ae9c12de16aaf15541b5842f7ff4008e5888aa8dea57dfbd68b258581638
- Filesize: 24B
  MD5: a936690571e9104e1922dda4a0ba5bd1
  SHA1: 65f49c57edde2f96be2a1dbdfc3f7351f1e66554
  SHA256: f0f5049c51879dd7da0ce4a43349b5b34ce053d072a0ca704f62cf22ba4a8412
  SHA512: 3be1c3693963aebdfc04e86b1c820ee0ec3cf0b200e6a4788ef1141f39fd6c2f77f4227247ae4affa66c0a6c027df8466cc0dcec1e67ebfb953e36bee97de394
- Filesize: 4KB
  MD5: 401ad25928d3260da089ac8788d25653
  SHA1: c06ed96118749893e1088bee977763e9ad02a8a6
  SHA256: d3c09079eec2cc14163ac742ea801d85cd4d0e818e92735affb822caeb886f0b
  SHA512: 7c1970296553c3e0aaf26e5503297075116c6ba59bbd39e22bc8c6b33441c8218b35640cc484604ad2dd9d091970b3d06c2514f6731bd43b201fb93aa4c6a45e
- Filesize: 568KB
  MD5: 96fe21cb931cd442070fdf88e35402ed
  SHA1: a7ae3ef43ac12cb3263ab0321c73a78cefc69adf
  SHA256: 881634cebf4629d1ad83b58cb89ea4892ae679b11742358bcc10365698a72ba5
  SHA512: 22744ba8aae11e5dc6227ce87a5f8a258672748cc8d89f1791afe4504c61f6639553bf9261594267a3a284a25de8827a4651429bad3df14ed0629f50c19a124d
- Filesize: 6KB
  MD5: 1ad27fe36b770c681a61f4a9a3aa7a66
  SHA1: b91e0a4bb4a9570f9b2b0712081ee51f63d2879f
  SHA256: 6fb86b95b2040972d7bf2ea3987d3b6c166bd0207d43b2e93024a1b44f172a18
  SHA512: 595508354c8038ebb3dd9ba3cab54c271a9486d8bbd327e2e752299d37e2ebbd885118465e7750499b2e8be8e3c305388722faff4607a8e602e68808189f1802
- Filesize: 36KB
  MD5: d30aa29af341c5fae71590b91dccb410
  SHA1: c209586fbba27fb58af3127d52f688de5d5a13e3
  SHA256: abe5f655743fbfaeebe0c23af8d216f1d5ba2856e197490ba0f1a35d03476483
  SHA512: 90a1724d23ca647030d8da2ef4fc4488071becf302de3ba24927e8c574a8b8647ec36d1743aef2b687788d86b453db6404e4bef2bba601f954ad454b1c580e4f