Analysis
- max time kernel: 5s
- max time network: 136s
- platform: android_x86
- resource: android-x86-arm-20240624-en
- resource tags: android, arch:arm, arch:x86, image:android-x86-arm-20240624-en, locale:en-us, os:android-9-x86, system
- submitted: 18/10/2024, 23:30
Behavioral task
- behavioral1
  Sample: 59d14ddf677045e7ce1388fca3bf6b4e_JaffaCakes118.apk
  Resource: android-x86-arm-20240624-en
General
- Target: 59d14ddf677045e7ce1388fca3bf6b4e_JaffaCakes118.apk
- Size: 5.9MB
- MD5: 59d14ddf677045e7ce1388fca3bf6b4e
- SHA1: 221adb579160bb1fc5b8e3a6586f2c2e2c5bb94b
- SHA256: 9cc019f2dbf820e49cebdf19731104f8eb1904c18f15ac7e20ea1042f2b21851
- SHA512: ce3a1f51557fc5480921a49bac9117e884e265563cefb6ba3f037f5135dd533d129f470ce1e7af29d41d0acf4146227d435827305298beee90c044eca45bb8ff
- SSDEEP: 98304:ZLDRT+UaVP5Jbu7ge94ooYwB/yHLIh6C7Mp4LhOSJZHEQ9uXNydAAmOzm23NRNgp:ZLR8TEUQMh6C7MGREQcX45ba23NkY0TF
Malware Config
Signatures
- BadMirror
  BadMirror is an Android infostealer first seen in March 2016.
- Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 TTPs)
- Queries information about running processes on the device (1 TTPs, 1 IoCs)
  Application may abuse the framework's APIs to collect information about running processes on the device.
  Description: Framework service call | IoC: android.app.IActivityManager.getRunningAppProcesses | Process: org.funcity.runrunner.yh.zx1
- Queries the phone number (MSISDN for GSM devices) (1 TTPs)
- Reads the content of the SMS messages. (1 TTPs, 1 IoCs)
  Description: URI accessed for read | IoC: content://sms/ | Process: org.funcity.runrunner.yh.zx1
- Requests cell location (2 TTPs, 1 IoCs)
  Uses Android APIs to get the current cell location.
  Description: Framework service call | IoC: com.android.internal.telephony.ITelephony.getCellLocation | Process: org.funcity.runrunner.yh.zx1
- Queries information about active data network (1 TTPs, 1 IoCs)
  Description: Framework service call | IoC: android.net.IConnectivityManager.getActiveNetworkInfo | Process: org.funcity.runrunner.yh.zx1
- Queries information about the current Wi-Fi connection (1 TTPs, 1 IoCs)
  Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
  Description: Framework service call | IoC: android.net.wifi.IWifiManager.getConnectionInfo | Process: org.funcity.runrunner.yh.zx1
- Queries the mobile country code (MCC) (1 TTPs, 1 IoCs)
  Description: Framework service call | IoC: com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | Process: org.funcity.runrunner.yh.zx1
- Reads information about phone network operator. (1 TTPs)
- Listens for changes in the sensor environment (might be used to detect emulation) (1 TTPs, 1 IoCs)
  Description: Framework API call | IoC: android.hardware.SensorManager.registerListener | Process: org.funcity.runrunner.yh.zx1
- Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTPs, 1 IoCs)
  Description: Framework service call | IoC: android.app.IActivityManager.registerReceiver | Process: org.funcity.runrunner.yh.zx1
- Checks CPU information (2 TTPs, 1 IoCs)
  Description: File opened for read | IoC: /proc/cpuinfo | Process: org.funcity.runrunner.yh.zx1
- Checks memory information (2 TTPs, 1 IoCs)
  Description: File opened for read | IoC: /proc/meminfo | Process: org.funcity.runrunner.yh.zx1
Processes
- org.funcity.runrunner.yh.zx1 (PID: 4261)
  - Queries information about running processes on the device
  - Reads the content of the SMS messages.
  - Requests cell location
  - Queries information about active data network
  - Queries information about the current Wi-Fi connection
  - Queries the mobile country code (MCC)
  - Listens for changes in the sensor environment (might be used to detect emulation)
  - Registers a broadcast receiver at runtime (usually for listening for system events)
  - Checks CPU information
  - Checks memory information
Network
MITRE ATT&CK Mobile v15
Defense Evasion
- Execution Guardrails (1)
  - Geofencing (1)
- Hide Artifacts (1)
  - User Evasion (1)
- Virtualization/Sandbox Evasion (2)
  - System Checks (2)
Downloads