Analysis
- max time kernel: 26s
- max time network: 143s
- platform: android_x86
- resource: android-x86-arm-20240624-en
- resource tags: android, arch:arm, arch:x86, image:android-x86-arm-20240624-en, locale:en-us, os:android-9-x86, system
- submitted: 17/10/2024, 13:23
Static task: static1
Behavioral task: behavioral1
  Sample: 52354a200ce30fb3090681a62757be30_JaffaCakes118.apk
  Resource: android-x86-arm-20240624-en
Behavioral task: behavioral2
  Sample: 52354a200ce30fb3090681a62757be30_JaffaCakes118.apk
  Resource: android-x64-20240624-en
Behavioral task: behavioral3
  Sample: com.skymobi.pay.plugin.main_v10017.apk
  Resource: android-x86-arm-20240624-en
Behavioral task: behavioral4
  Sample: com.skymobi.pay.plugin.main_v10017.apk
  Resource: android-x64-20240910-en
Behavioral task: behavioral5
  Sample: com.skymobi.pay.plugin.main_v10017.apk
  Resource: android-x64-arm64-20240624-en
Behavioral task: behavioral6
  Sample: com.skymobi.pay.plugin.recordupload_v10011.apk
  Resource: android-x86-arm-20240910-en
Behavioral task: behavioral7
  Sample: com.skymobi.pay.plugin.recordupload_v10011.apk
  Resource: android-x64-20240910-en
Behavioral task: behavioral8
  Sample: com.skymobi.pay.plugin.recordupload_v10011.apk
  Resource: android-x64-arm64-20240624-en
Behavioral task: behavioral9
  Sample: com.skymobi.pay.plugin.smspay_v10044.apk
  Resource: android-x86-arm-20240910-en
Behavioral task: behavioral10
  Sample: com.skymobi.pay.plugin.smspay_v10044.apk
  Resource: android-x64-20240910-en
Behavioral task: behavioral11
  Sample: com.skymobi.pay.plugin.smspay_v10044.apk
  Resource: android-x64-arm64-20240910-en
Behavioral task: behavioral12
  Sample: skymobi_pay_wxplugin.apk
  Resource: android-x86-arm-20240910-en
Behavioral task: behavioral13
  Sample: skymobi_pay_wxplugin.apk
  Resource: android-x64-20240624-en
Behavioral task: behavioral14
  Sample: skymobi_pay_wxplugin.apk
  Resource: android-x64-arm64-20240910-en
Behavioral task: behavioral15
  Sample: unicom_resource.apk
  Resource: android-x86-arm-20240910-en
Behavioral task: behavioral16
  Sample: unicom_resource.apk
  Resource: android-x64-20240624-en
Behavioral task: behavioral17
  Sample: unicom_resource.apk
  Resource: android-x64-arm64-20240910-en
General
- Target: 52354a200ce30fb3090681a62757be30_JaffaCakes118.apk
- Size: 3.1MB
- MD5: 52354a200ce30fb3090681a62757be30
- SHA1: 14c32b32947f5cb5ecaca09b7fb73fd45cb7274e
- SHA256: 0002604f9aa167ee58757e61d3cbbd1052c71e57d5258ed1f315f540a2feb3b5
- SHA512: df687304d320fbe03eb7e218d532c8f5d75f2cfdd61513e88128da740aec31f50e24de0997bf84e8f852924ae5392df841e1a0d89f7777943a5d32009427b285
- SSDEEP: 98304:FWOhK2Th2h1bhWR2SandOODS8Bmmci6KT:p9u1bhbtTDzvEQ
Malware Config
Signatures
- Checks if the Android device is rooted. (1 TTPs, 2 IoCs)
  ioc: /system/bin/su  Process: uUcYa.MRSx.YaGiNfF
  ioc: /system/xbin/su  Process: uUcYa.MRSx.YaGiNfF
- Loads dropped Dex/Jar (1 TTPs, 4 IoCs)
  Runs executable file dropped to the device during analysis.
  ioc: /data/user/0/uUcYa.MRSx.YaGiNfF/files/.ca/WkIrrol.jar  pid: 4266  Process: /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/uUcYa.MRSx.YaGiNfF/files/.ca/WkIrrol.jar --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/uUcYa.MRSx.YaGiNfF/files/.ca/oat/x86/WkIrrol.odex --compiler-filter=quicken --class-loader-context=&
  ioc: /data/user/0/uUcYa.MRSx.YaGiNfF/files/.ca/WkIrrol.jar  pid: 4239  Process: uUcYa.MRSx.YaGiNfF
  ioc: /data/user/0/uUcYa.MRSx.YaGiNfF/app_workbench90962/apk.zip  pid: 4320  Process: /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/uUcYa.MRSx.YaGiNfF/app_workbench90962/apk.zip --output-vdex-fd=56 --oat-fd=57 --oat-location=/data/user/0/uUcYa.MRSx.YaGiNfF/app_workbench90962/oat/x86/apk.odex --compiler-filter=quicken --class-loader-context=&
  ioc: /data/user/0/uUcYa.MRSx.YaGiNfF/app_workbench90962/apk.zip  pid: 4239  Process: uUcYa.MRSx.YaGiNfF
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) (1 TTPs)
- Queries information about running processes on the device (1 TTPs, 1 IoCs)
  Application may abuse the framework's APIs to collect information about running processes on the device.
  description: Framework service call  ioc: android.app.IActivityManager.getRunningAppProcesses  Process: uUcYa.MRSx.YaGiNfF
- Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTPs, 1 IoCs)
  description: Framework service call  ioc: android.app.IActivityManager.registerReceiver  Process: uUcYa.MRSx.YaGiNfF
Processes
- uUcYa.MRSx.YaGiNfF (PID 4239)
  - Checks if the Android device is rooted.
  - Loads dropped Dex/Jar
  - Queries information about running processes on the device
  - Registers a broadcast receiver at runtime (usually for listening for system events)
  - /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/uUcYa.MRSx.YaGiNfF/files/.ca/WkIrrol.jar --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/uUcYa.MRSx.YaGiNfF/files/.ca/oat/x86/WkIrrol.odex --compiler-filter=quicken --class-loader-context=& (PID 4266)
    - Loads dropped Dex/Jar
  - chmod 666 /storage/emulated/0/Android/data/com.skymobi.pay.newsdk/plugins/com.skymobi.pay.plugin.main.data (PID 4302)
  - /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/uUcYa.MRSx.YaGiNfF/app_workbench90962/apk.zip --output-vdex-fd=56 --oat-fd=57 --oat-location=/data/user/0/uUcYa.MRSx.YaGiNfF/app_workbench90962/oat/x86/apk.odex --compiler-filter=quicken --class-loader-context=& (PID 4320)
    - Loads dropped Dex/Jar
Network
MITRE ATT&CK Mobile v15
Downloads
- Filesize: 53KB
  MD5: e5c7a2493cfcc1b10a320783c64829ad
  SHA1: 5d5de62c4e6452edd09943657565f42dc8fc43c4
  SHA256: d89d8625402783e416ea5225d1cece21136ccbe725a639f33ff1778971be3202
  SHA512: c6dfee50d510bce6e413aaa2dc81849964ec80c90def49d993842c9cd0a8d2d53c90f348e21839402718ae971ed035ebfefcd0083973d850d44694a5897cb58a
- Filesize: 1.1MB
  MD5: 0c2e19956411d8713c5e5f6d48c5f61d
  SHA1: 0452c731f9998952213187a199e949dc110f34b4
  SHA256: 4e1bccfbc5dced4cc24e4640573105b1d97e59b5fc23d5d8bbd1b136cedd22ec
  SHA512: d985afe4a06e274175461cfc3af73a4a0cac0632c9bd47e22057c7739a7aee20e6a2daaf292e635a6adeda7214fadc3a9c39615f99b3cf99340d376848f5c372
- Filesize: 122KB
  MD5: 7a641640f741fba907ae2cd40dcd6e7a
  SHA1: 4480dbc586c07a8ce2d08181e685db60639c768f
  SHA256: 6e788c4501f82820a6c4032f830eee7d4d3c7096092bfa31b466da83c3a4d3d3
  SHA512: 68c30f03b7a98de5e7d2b05d195981fd8dfbac87e1c601360b87e95d80046aac5bb36736b62985e3a62afb454098375e60d3714ee7eea2cd270082f864529ef4
- Filesize: 122KB
  MD5: 4345f43f2fc52fbe20e12b82d8e31bf0
  SHA1: dcad5abd9cfc51d2f464fbb87785030502f9d6d5
  SHA256: 7cf51ec8e9adddbb737bc9cf487a7d4fb3d9f0a274a9c5e7ca785289736cd302
  SHA512: c2b1ce1a623453eb35646daf1f794589974ed69510e1a8a0c956419217127290db1ca04a7cd1d0d338b4ab2156b2e9e4aa4f77d4d5a7e72be3b41c20e4a2e4f6
- Filesize: 3.1MB
  MD5: 7c5010549bad81bb14068dae5e2de47f
  SHA1: 84ae0f16756a173c8762b0c2c890db6b2f1c6d0e
  SHA256: 5ac746dd35fbb18a7f6f84c7180a2bb26c85cfb6f3946489b5a50015e768ec68
  SHA512: 0307195d8996ae081682d340b5db9504d261b382fe64fe4f59dde6fc2338d42edb9afddbb58f7c9b4b43957a98145bcf0b30ff1045b400ce1757692aa5123b77
- Filesize: 3.1MB
  MD5: eccfaded8c2391e45d60188f4bf19d60
  SHA1: c3bfa41bc912ba9dd6f623d86e722d84fa46c17f
  SHA256: bed93afb93828d884106a47aa40971b879a5e63ecba267c9df53445dfcbe9d82
  SHA512: f95cbb22270e4ea54c080d2b86eaf648592f889cf06b0996889f351e1991c20c96f34ba22676550b447e678af85713547f30667aa73757382dcb9199f45e1485
- Filesize: 59KB
  MD5: 4fe57f0dbc1364a52f9616aca9623ee8
  SHA1: d3fbaaafd79ff09ec88ad343e46258cfbda4139b
  SHA256: c4a8a02e900f4fb066a0e8d4c9e2976c9a0f252729058b2915fdc93eae65af49
  SHA512: e08aec2c36ccddc5b16409bf2d62ed6aa5e2ef468025779b400997f86c0b0943fbe16012e21be8e99685e743b3ef77adfa74b4c7bc03d30f6a506520c0edf17d
- Filesize: 5B
  MD5: 84650374b6526aeab39b489f2622673a
  SHA1: 7f8e6a153c28f94d7bcdab583678fc097d3fb37d
  SHA256: b4e7329e133808103bcb5b336735976bc8548fef1e3f66f823733dcdf74df5bf
  SHA512: 60f6ec3ea7b42df365b103417f95561812bbcebdfae135d57d1aaeccede2c0bcef9624dc36acc2dcd92ddcd01fc848ba34915882c44c6d4748f4a31c4d09b789