Analysis

- max time kernel: 148s
- max time network: 159s
- platform: android_x86
- resource: android-x86-arm-20240624-en
- resource tags: android, arch:arm, arch:x86, image:android-x86-arm-20240624-en, locale:en-us, os:android-9-x86, system
- submitted: 18/10/2024, 15:00
Static task: static1

Behavioral tasks:
- behavioral1: sample 58126b67676dacede73e09c7f79880da_JaffaCakes118.apk, resource android-x86-arm-20240624-en
- behavioral2: sample 58126b67676dacede73e09c7f79880da_JaffaCakes118.apk, resource android-x64-20240624-en
- behavioral3: sample dump.apk, resource android-x86-arm-20240624-en
- behavioral4: sample dump.apk, resource android-x64-20240624-en
- behavioral5: sample dump.apk, resource android-x64-arm64-20240624-en
- behavioral6: sample rooter.apk, resource android-x86-arm-20240624-en
- behavioral7: sample rooter.apk, resource android-x64-20240624-en
- behavioral8: sample rooter.apk, resource android-x64-arm64-20240910-en
General

- Target: 58126b67676dacede73e09c7f79880da_JaffaCakes118.apk
- Size: 6.3MB
- MD5: 58126b67676dacede73e09c7f79880da
- SHA1: 40c1c3914dffb76d63e33598119d70ee4779811f
- SHA256: dd172f66012c1b72e6955a8de8a07e7d49a493479affe4985e86072d3ec48792
- SHA512: 2e89a147e6467be2e00291abd6421c212e430e63c78914aa37593faa20c2df24b338e36ccd98699683593c5740be789074a338e4379c9402226548a4a33911f5
- SSDEEP: 98304:i9hGH/oneU/d0jczSslhut/viRAMtNKGzVxJREy+KJfKvqAkBwxlXqXZv:i9hyAyEkt/antNJz5JXFKStp
Malware Config
Signatures
- Checks if the Android device is rooted. (1 TTP, 1 IoC)
  - ioc /sbin/su; process com.qihoo.appstore:permmgr

- Loads dropped Dex/Jar (1 TTP, 3 IoCs)
  Runs executable file dropped to the device during analysis.
  - ioc /data/user/0/com.qihoo.appstore/files/rooter.jar; pid 4811; process /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.qihoo.appstore/files/rooter.jar --output-vdex-fd=75 --oat-fd=76 --oat-location=/data/user/0/com.qihoo.appstore/files/oat/x86/rooter.odex --compiler-filter=quicken --class-loader-context=&
  - ioc /data/user/0/com.qihoo.appstore/files/rooter.jar; pid 4710; process com.qihoo.appstore
  - ioc /data/user/0/com.qihoo.appstore/files/rooter.jar; pid 4902; process com.qihoo.appstore:permmgr

- Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 TTP)

- Queries information about running processes on the device (1 TTP, 5 IoCs)
  Application may abuse the framework's APIs to collect information about running processes on the device.
  - Framework service call android.app.IActivityManager.getRunningAppProcesses; process com.qihoo.appstore
  - Framework service call android.app.IActivityManager.getRunningAppProcesses; process com.qihoo.appstore:permmgr
  - Framework service call android.app.IActivityManager.getRunningAppProcesses; process com.qihoo.appstore
  - Framework service call android.app.IActivityManager.getRunningAppProcesses; process com.qihoo.daemon
  - Framework service call android.app.IActivityManager.getRunningAppProcesses; process com.qihoo.appstore:critical

- Acquires the wake lock (1 IoC)
  - Framework service call android.os.IPowerManager.acquireWakeLock; process com.qihoo.daemon

- Makes use of the framework's foreground persistence service (1 TTP, 1 IoC)
  Application may abuse the framework's foreground service to continue running in the foreground.
  - Framework service call android.app.IActivityManager.setServiceForeground; process com.qihoo.daemon

- Queries information about active data network (1 TTP, 4 IoCs)
  - Framework service call android.net.IConnectivityManager.getActiveNetworkInfo; process com.qihoo.daemon
  - Framework service call android.net.IConnectivityManager.getActiveNetworkInfo; process com.qihoo.appstore
  - Framework service call android.net.IConnectivityManager.getActiveNetworkInfo; process com.qihoo.appstore:permmgr
  - Framework service call android.net.IConnectivityManager.getActiveNetworkInfo; process com.qihoo.appstore

- Queries information about the current Wi-Fi connection (1 TTP, 3 IoCs)
  Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
  - Framework service call android.net.wifi.IWifiManager.getConnectionInfo; process com.qihoo.daemon
  - Framework service call android.net.wifi.IWifiManager.getConnectionInfo; process com.qihoo.appstore
  - Framework service call android.net.wifi.IWifiManager.getConnectionInfo; process com.qihoo.appstore:permmgr

- Reads information about phone network operator. (1 TTP)

- Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTP, 5 IoCs)
  - Framework service call android.app.IActivityManager.registerReceiver; process com.qihoo.appstore
  - Framework service call android.app.IActivityManager.registerReceiver; process com.qihoo.daemon
  - Framework service call android.app.IActivityManager.registerReceiver; process com.qihoo.appstore:critical
  - Framework service call android.app.IActivityManager.registerReceiver; process com.qihoo.appstore
  - Framework service call android.app.IActivityManager.registerReceiver; process com.qihoo.appstore:permmgr

- Schedules tasks to execute at a specified time (1 TTP, 1 IoC)
  Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
  - Framework service call android.app.job.IJobScheduler.schedule; process com.qihoo.daemon

- Uses Crypto APIs (might try to encrypt user data) (1 TTP, 3 IoCs)
  - Framework API call javax.crypto.Cipher.doFinal; process com.qihoo.daemon
  - Framework API call javax.crypto.Cipher.doFinal; process com.qihoo.appstore
  - Framework API call javax.crypto.Cipher.doFinal; process com.qihoo.appstore:permmgr

- Checks CPU information (2 TTPs, 3 IoCs)
  - File opened for read /proc/cpuinfo; process com.qihoo.appstore
  - File opened for read /proc/cpuinfo; process com.qihoo.daemon
  - File opened for read /proc/cpuinfo; process com.qihoo.appstore
Processes

com.qihoo.appstore (PID 4314)
  signatures:
    - Queries information about running processes on the device
    - Queries information about active data network
    - Registers a broadcast receiver at runtime (usually for listening for system events)
    - Checks CPU information

com.qihoo.daemon (PID 4344)
  signatures:
    - Queries information about running processes on the device
    - Acquires the wake lock
    - Makes use of the framework's foreground persistence service
    - Queries information about active data network
    - Queries information about the current Wi-Fi connection
    - Registers a broadcast receiver at runtime (usually for listening for system events)
    - Schedules tasks to execute at a specified time
    - Uses Crypto APIs (might try to encrypt user data)
    - Checks CPU information
  child processes:
    - /system/bin/sh (PID 4479)
    - cat /proc/version (PID 4547)

com.qihoo.appstore:critical (PID 4517)
  signatures:
    - Queries information about running processes on the device
    - Registers a broadcast receiver at runtime (usually for listening for system events)

app_process32 / com.qihoo.appstore.rootcommand.persistent.CoreDaemon --nice-name=com.qihoo.appstore_CoreDaemon --daemon (PID 4566)

com.qihoo.appstore (PID 4710)
  signatures:
    - Loads dropped Dex/Jar
    - Queries information about running processes on the device
    - Queries information about active data network
    - Queries information about the current Wi-Fi connection
    - Registers a broadcast receiver at runtime (usually for listening for system events)
    - Uses Crypto APIs (might try to encrypt user data)
    - Checks CPU information
  child processes:
    - /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.qihoo.appstore/files/rooter.jar --output-vdex-fd=75 --oat-fd=76 --oat-location=/data/user/0/com.qihoo.appstore/files/oat/x86/rooter.odex --compiler-filter=quicken --class-loader-context=& (PID 4811)
        signatures:
          - Loads dropped Dex/Jar
    - su (PID 4863)

com.qihoo.appstore:permmgr (PID 4902)
  signatures:
    - Checks if the Android device is rooted.
    - Loads dropped Dex/Jar
    - Queries information about running processes on the device
    - Queries information about active data network
    - Queries information about the current Wi-Fi connection
    - Registers a broadcast receiver at runtime (usually for listening for system events)
    - Uses Crypto APIs (might try to encrypt user data)
  child processes:
    - chmod 755 /data/user/0/com.qihoo.appstore/files/permmgr (PID 4955)
    - cat /proc/version (PID 4975)
    - getenforce (PID 5008)
    - cat /sys/class/android_usb/android0/idVendor (PID 5030)
    - cat /sys/class/android_usb/android0/idProduct (PID 5062)
    - getprop (PID 5081)
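The process tree above is where the report's "rooted device", "dropped Dex/Jar" and "System Checks" hits come from: a shell child compiles rooter.jar out of the app's private files directory, another child runs su, and the permmgr process spawns a run of small utilities (getenforce, getprop, cat of /proc/version and the USB idVendor/idProduct nodes) that together fingerprint the kernel, SELinux mode, build and device identity. The following script is an added example, not code from the sandbox report or from the analysed app; it re-types the tree above as constructed input (parent PIDs inferred from the tree layout, which is an assumption) and applies the author's own heuristics for these three behaviours, not the sandbox's signature definitions.

```python
"""Triage of an Android sandbox process tree: flag root checks, environment
fingerprinting and compilation/loading of code dropped at runtime.

Added example; not code from the sandbox report or from the analysed app.
PROCESS_TREE is re-typed from the report's Processes section (parent PIDs
inferred from the tree layout, an assumption); the rules below are the
author's heuristics, not the sandbox's signature definitions.
"""
import re
import shlex

# (pid, parent pid or None for a top-level app process, command line).
# The dex2oat line is abridged to the arguments that matter here.
PROCESS_TREE = [
    (4314, None, "com.qihoo.appstore"),
    (4344, None, "com.qihoo.daemon"),
    (4479, 4344, "/system/bin/sh"),
    (4547, 4344, "cat /proc/version"),
    (4517, None, "com.qihoo.appstore:critical"),
    (4566, None, "app_process32 / com.qihoo.appstore.rootcommand.persistent.CoreDaemon "
                 "--nice-name=com.qihoo.appstore_CoreDaemon --daemon"),
    (4710, None, "com.qihoo.appstore"),
    (4811, 4710, "/system/bin/dex2oat --instruction-set=x86 "
                 "--dex-file=/data/user/0/com.qihoo.appstore/files/rooter.jar "
                 "--oat-location=/data/user/0/com.qihoo.appstore/files/oat/x86/rooter.odex "
                 "--compiler-filter=quicken"),
    (4863, 4710, "su"),
    (4902, None, "com.qihoo.appstore:permmgr"),
    (4955, 4902, "chmod 755 /data/user/0/com.qihoo.appstore/files/permmgr"),
    (4975, 4902, "cat /proc/version"),
    (5008, 4902, "getenforce"),
    (5030, 4902, "cat /sys/class/android_usb/android0/idVendor"),
    (5062, 4902, "cat /sys/class/android_usb/android0/idProduct"),
    (5081, 4902, "getprop"),
]

# Files or utilities whose only purpose in a child shell is to learn about the
# environment (kernel, SELinux mode, build properties, USB identity).
ENV_PROBES = {
    "/proc/version": "kernel version string",
    "getenforce": "SELinux enforcement mode",
    "getprop": "system properties (build fingerprint, emulator markers)",
    "/sys/class/android_usb/android0/idVendor": "USB vendor id of the device",
    "/sys/class/android_usb/android0/idProduct": "USB product id of the device",
}
# Anything under the package's private data directory was written at runtime,
# not shipped in the APK's code path.
APP_PRIVATE_RE = re.compile(r"^/data/(?:user/\d+|data)/(?P<pkg>[\w.]+)/")


def classify(cmdline):
    """Return (tag, detail) findings for one spawned command line."""
    argv = shlex.split(cmdline)
    if not argv:
        return []
    prog = argv[0]
    findings = []
    # su by any path: the app is testing for (or using) root.
    if prog.rsplit("/", 1)[-1] == "su":
        findings.append(("root-check", prog))
    # Probe either as the program itself (getenforce) or as a file argument
    # to cat and friends (/proc/version).
    for probe, why in ENV_PROBES.items():
        if prog == probe or probe in argv[1:]:
            findings.append(("env-probe", f"{probe}: {why}"))
    # dex2oat on a dex/jar inside app-private storage: dropped code is being
    # compiled so a class loader can pick it up.
    if prog.rsplit("/", 1)[-1] == "dex2oat":
        for arg in argv[1:]:
            if arg.startswith("--dex-file="):
                path = arg.split("=", 1)[1]
                m = APP_PRIVATE_RE.match(path)
                if m:
                    findings.append(("dropped-dex", f"{path} (pkg {m.group('pkg')})"))
    # chmod on a dropped file: preparing it for execution.
    if prog == "chmod" and len(argv) >= 3 and APP_PRIVATE_RE.match(argv[-1]):
        findings.append(("exec-dropped", f"chmod {argv[1]} {argv[-1]}"))
    return findings


def triage(tree):
    """Attribute each child's findings to the app process that spawned it."""
    name_of = {pid: cmd for pid, _, cmd in tree}
    report = {}
    for pid, ppid, cmd in tree:
        owner = ppid if ppid is not None else pid
        hits = classify(cmd)
        if hits:
            key = f"{name_of[owner]} (pid {owner})"
            report.setdefault(key, []).extend(hits)
    return report


def summarize(report):
    """Sorted list of distinct finding tags across the whole tree."""
    return sorted({tag for hits in report.values() for tag, _ in hits})


if __name__ == "__main__":
    result = triage(PROCESS_TREE)
    for owner, hits in result.items():
        print(owner)
        for tag, detail in hits:
            print(f"  [{tag}] {detail}")
    print("tags:", ", ".join(summarize(result)))
```

Run as-is it attributes five environment probes and one chmod to the permmgr process, the dex2oat compile of rooter.jar and the su call to the second com.qihoo.appstore process, and one /proc/version read to com.qihoo.daemon. The useful signal is the grouping: a single getprop is noise in almost any app, but one process issuing getenforce, getprop and the USB identity reads back to back, after making a dropped binary executable, is the pattern the report labels as System Checks.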
Network
MITRE ATT&CK Mobile v15

Persistence
- Event Triggered Execution (1): Broadcast Receivers (1)
- Foreground Persistence (1)
- Scheduled Task/Job (1)

Defense Evasion
- Download New Code at Runtime (1)
- Foreground Persistence (1)
- Virtualization/Sandbox Evasion (1): System Checks (1)
Downloads

- 4KB
  MD5: f2b4b0190b9f384ca885f0c8c9b14700
  SHA1: 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
  SHA256: 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
  SHA512: ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

- 1KB
  MD5: b05a416cf8fe7aea9d717a7d6a989ea8
  SHA1: 8f3e3efa16580747482f18aeace57e33528665df
  SHA256: 939094f5e1b2c7fe3eb90d592686268b6c5dd0f979aec9e476d9f8181b7a61d6
  SHA512: 0da3611866dc142676a87286c4d2c97fd394bb34e7e10b3e225edf7bd8b8f9a4320288178488751b6a0361386eaa6271dfcc62ea62efd5171a25820f48701928

- 32KB
  MD5: b2273e767673f6ad08b9aa068a039e4a
  SHA1: 9c7a0ab71b275cd05f5062ebc6795feab68e5216
  SHA256: 132378395dd38fa770ac424f63511e5fc70a08bbfdfe27f526e52ca382b0533f
  SHA512: 54377f6815cce32d7c179ae337e81dec425b4e095092dfdd0bd2013a6160a7fc63525f0b96c2ad43adcf0a3135b941fe9ca5581a65d818146239ab1df789ca2c

- 32KB
  MD5: b69fea5cb41d0f1fa5b6b7da3ab83e96
  SHA1: 7d8d407d35c43d81b33e657505fb6b3c62135dde
  SHA256: 9c915105bdda8c97614e4c751d5619926331b107905a17272d6a97f929ad67c2
  SHA512: 557a6d27d24ac01034c4dd5a29258e50c977979a4f07079d59c8302263f184ad42a8f7d8deb90e95d9dd1e4dc3c52a6d2d8399880386ec879068e1ce4b9764a6

- 32KB
  MD5: 2f708a551fcac2cc9612fcf9f991a7df
  SHA1: 7371222da2233c5cad1d2ccde7d6b41a8b66e3f8
  SHA256: e79ab4206c0252f9344974a64548cede04ae2d6c687b473527aae8f237fd180a
  SHA512: 5c58d7f92f6ffb0bdda604a868ead357c2b9031729b677f412e7b99083739e128bfc55d6983a3d40af87ee52f43bf62f70e08c56a06d3a86bab5c44fb11d2366

- 512B
  MD5: 69c703030efd98d0641c0af71eec1fe1
  SHA1: 9c679b09397e256027af8eff1b24e1df628c4a96
  SHA256: 48e5c7d9e2260bcaf5bee96e319d38175066d1f845c25e4bcca2c90eac50b7fa
  SHA512: ee0d44ae05e04be42845284e16946907f45ea58e87349fdc80429db706daf2843700f2df0726bc9996addc3536e7acf2bdab1b01d72f2adc297e19ad2ce73c2c

- 28KB
  MD5: 2baaeb483db79574bec5280927ca0eea
  SHA1: f51f239b7d135316ac135a65c0c3fd16be7d4f73
  SHA256: 02d66d2d4086686a7161e5b249cd01fc76946da577c71dac1d8f5be8707b4738
  SHA512: 46ebf1d050ea162d5ab33dc2a67d92c7820baaf7f9c461cce529c965e9a8e3f74b1aa59da4b518e65387693cb26df548b045d52662344be5896289e34cc573ab

- 32KB
  MD5: 0b4822ed079bfb2e83d032df77fa02ba
  SHA1: f9b4010270e7f57852673cb99f202484d4ba2a84
  SHA256: d8ee5145fd62b8dd4e302d27c166274aaa60ea6bab2f6e8690518c6becc95065
  SHA512: 32ac404ea55e861322f405bb62e0387febcade3edac88426c92a2acbd5aa4edd784caebfd88ec19021cba185d641dbab73931438d429ac4a98a7f31c8fd064ef

- 12KB
  MD5: 3fe30614d7e0d11db870b4624f6c50e0
  SHA1: 053ff0fc621ab40f2afeddb3e7b4a73ee41ec533
  SHA256: 67c532f0324228dd33b445cd399c1426e3a0e0cdc7b9358c66b402c5d40a838d
  SHA512: c7c09e97a408e88aacaf8099ad4d1fa604d58113393500a384eb3c2eb7c3c105af41314934b86eca2f088045cbab5a20d768bbb295448dc1ae6cb6c3f59821ae

- 20KB
  MD5: 544cba5e2b2e9ba602cdd65f4f3a05ea
  SHA1: edc1f65b37f8a3f6dfcc4471df8196c5dd0f07fe
  SHA256: adc464f01f8244bc5f4e284e6d9c1c9915d9d1a382202f53033992af0afea29d
  SHA512: ce6cea0eb6813a1da203ecf966cf4fd36fb3602a6f4429db30ad0b09abbcd5f7355046c4e1e3a27f11a36bbfb6a828a7b98206ab85097f0c46385fb2bc9decd6

- 512B
  MD5: dc7a3da9041ba890d74551df604e379f
  SHA1: 31f61008873aa13f19d3c4722b1f4f39f676881a
  SHA256: f28b9f4893d6e89d843cc97d11c5bd23df81fcd9a5f82548c5ff9a0bfa987230
  SHA512: bdf152f52dc59608c740621b3aa41a2205d625dadbb1e58fa64613f72b510b7f14ee615d3bc8fb5de6cf14784a2f4c47cfc8c0fa73daf451140d3fee8fefabd2

- 32KB
  MD5: bb7df04e1b0a2570657527a7e108ae23
  SHA1: 5188431849b4613152fd7bdba6a3ff0a4fd6424b
  SHA256: c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
  SHA512: 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

- 20KB
  MD5: c8d94d8e8731fc1a9652e70b77623313
  SHA1: 594eab3cdb540659ba66d8a08fc6be2fec17b15b
  SHA256: f53b178839b9994cf2785fb4ed1ba66c2bf8d1f536250a4055175a6243496205
  SHA512: 7054e570d8b82d9c460501e44f5126be5cee373c367489b9844d0e7265417e82fef3ac42cb504f4fa36d37b893bf8d7533e516e30c3eeed904e97727518a39e7

- 20KB
  MD5: 691e5cd229d84eee6c3d178b8c427ce4
  SHA1: 93906ddc4d8f536377c904344e721048984c27f7
  SHA256: d66b292eda2a372fccdd51b3a5778cd044e6cd5a532fe7eccd044e699ec75772
  SHA512: 90a9eddedf61d965f0d1460ef5d5eae685d1ae5548ced19ee824980307ecd46fa27a2bce3672d1fd4c57509b133a08611ca7cd709087b6662eaf93b83e3e41b9

- 98KB
  MD5: dcd7b4ecd6b5b75fde80d66880b8757c
  SHA1: a5f926eb632c94599be0355a9cf6ea9742a014df
  SHA256: 33ded700b32448ea8564eb14257c67dfc8e0e4ba09652efd2af9ab8d90b0b6e5
  SHA512: 15506fec5f86d57328e28fb892419601253f5f6b1ff61ce01202bd50c4a870b4df6feabe12b5c742a70503b22fb114aa8b5f338b72e0f56c513cde8723bc5fad

- 230KB
  MD5: 79bb88c51f6592fa6b36d76c5e2f9dc9
  SHA1: ab6d2b103c3d86cff02f2ca6175ab8060f557ed9
  SHA256: c1ed6649dd3114d92836520c61480a38308dfb2eed5869a5d296fbcb48fac233
  SHA512: f2c5951dee97bb24b4ef8249f1d13e2056ce36e5f27647670635ce80b5976926f382255c01ecc0b318cc7e1233d83d8fb8e03ae747cfba9d9c7d39b26550152c

- 512B
  MD5: ad2aebccbe017db9004b90cb5b477837
  SHA1: fa712a418fb54f355c1e9283d3bbd0a53e0c9862
  SHA256: 2e22195cb588abceccb1b233d30ebf7a7de7be09e2d9a8573db5de79cbb53466
  SHA512: 3eb4848483dd63256b626388826d408fe47d8b56339e1945b68052ff7c36a928504024c57c8ca4feb0fb00224b6888e11d0c456be79863ed6a61326a77bb20bb

- 28KB
  MD5: da575869327980abb859c2ba5b67f219
  SHA1: d0732ac794e814ecff6095992aaf7c7572e6c8bc
  SHA256: 79b25a386b89d12fea56a2ae2af3692582968a0a35bd00d50c176972398417eb
  SHA512: 0b60c312619cdb814a57ec4f867923268683f9e662af20f8fd7e41b201c774f2c4eb5faf042146708bcd7a04247022ddec46c25b00d319fb4bf537e7bb8df81d

- 16KB
  MD5: f93db9ca9a0b9927d5a3e99efef6a5f2
  SHA1: 54a687d9724356b55cfee8b8872bc6b73a3632be
  SHA256: c0d13059d3420130b0a8a5a238ff3fc8d99b8aeca782b12f4187e02163beaf0b
  SHA512: 59d88654f99a688d2b652c6cd268927f086db0cad9352ecb76d00c12873fbf1670655123e6b6b4671a98e6c5019b69b4d14d1fe5170137fe0022d592321eb755

- 20KB
  MD5: c0b24a5c2bcf9e375408df6a47038a4e
  SHA1: d5aac2082ac180d11384c677279ca0eef435e0bc
  SHA256: d173d6dad25d335c2b0df9aacf74f2de49e254dd53ec7be5f90e3e9ba81de795
  SHA512: 540e61c99bd1d6c9279b77614aa0e4e0c22bb3ddc864c147235de694eb298d0c144ffae7cd9be11c0312e11adfc25d3edd1ceb7efef5dcb36151204c707ccbb7

- 796B
  MD5: 929e853495204c482890405649f9841c
  SHA1: 03d82f7b2a3707534a8e6c435df9ed71b7987817
  SHA256: e136f087b9f51e595aa63a4eee906880dec55ab4651bf6f1c1565baa04deb6b5
  SHA512: 005c35d03265cdb73d746b1745eeec828315fb3107277519490d69bee7ef2b9467d27ded2a9ff4477c3a183ccd23605cf8a4bb1fd336710b207713d69cc0aaa0

- 28KB
  MD5: 9d7bdf5e26cf2277ff55569253301df4
  SHA1: 69a32063a629af4f011c83910fcc5de6c319c305
  SHA256: ebfda438f1a623fa111845f4807271af0b2ea4a1767862cfd04c0928ea3ad54e
  SHA512: 85ab374f89b4e518b05482dc3184def345302ecf6b4d9f79c5f2a270d9b55510b11df861f8c0aaa0f870d36ca9a535b0eadfc8ab1e049a6970c22922dff0b389

- 32KB
  MD5: e6debef1b9e125452da484b6fe8a3403
  SHA1: 4b8f8c2a4a608bca27d38d730ff917c16c653791
  SHA256: 3198f54da00f10b8c98525d908192b0974dc782ef224fd14862f3c44c7543b7a
  SHA512: 5467e05a52d03abd356de2c56bb6496122bb68a3060c5740f4e5a12417106e114c67d66c48ad93b7c032c557b2e40e18261023ccfbb2fa4adbbd0e72fc9cf856

- 500B
  MD5: f12644a9672a761297e4ff818ced8225
  SHA1: 52d698fa6fb4226f1303db89047a8c8a742119c2
  SHA256: d5d68294ea437ef727be14ad35938b9fc405603a3db7103bae625ea22e1e499f
  SHA512: 99e010ffeb9a69a48450dc5cd160ff319f3ef8831f293047d6bf423b21dde70464ddbe1435c3c648f81f0d66ba43a0d32ccd4f9f8ad0c54e639fb9dca6c9572c

- 552B
  MD5: 1fd290ecea7cffa982146b241eb43e33
  SHA1: 7d250a5a4de028b77620481ff9b57b94a73f6e82
  SHA256: 61019efb778a5647c0c68a4fccbf085c11bd64c5919710c32f0868c497442346
  SHA512: 64bbb6f20363177c4b972904621532e6aa4eb16f931ff85e7606b4ad1c04adc14344324710cf2fcbca6462a6624cf0a1213409162bc349ad63ebd3bcd16b1937

- 576B
  MD5: e055a10b0c351799950a3fc5d1e60b2c
  SHA1: a697a624bc8f936ef45349a37f9a91d70b3f58c2
  SHA256: 3051f57fd2d6c4fff96f853eb2a745fb5cdcf6cd4f87415a972235921251b3be
  SHA512: 4097a022afadaed5ecb31cf5ce5e64421387b8bc480730ef5e6481e3bb77e7e55e8811e570a7615bf1503146d64115d832c2b2cfeedf3d2d78a683f2821f5594

- 130KB
  MD5: 25efecf530d00ff7ac94d602e7876ce6
  SHA1: 240a3382dfc438b4aa939f84a6f9a7022053a1c1
  SHA256: 7a4c7a934727b6ba4824f739fcc12bd190373a2afad71ae28150a1299bcbc5c1
  SHA512: 6a1587b095de64e220077455300346b53056a5830e0a88643104607460a88754f4e14bce93b9591b689b59e1a965af5ef5c4e2ceb5c11f168d00864ef2e6cc3d

- 130KB
  MD5: e6beb4e66852e393f6560e87cb757635
  SHA1: 80a65db419468db4e69f9fe12d9eea1976a00de4
  SHA256: 26fafeafdb66c57aabed31fb2973fdb6d999812de4fe61296c5cc5ee74e0548c
  SHA512: de3b1234b0ea20c0c04f229a72d4b46e8aebca6670dd1af3a02741b0d9c33317dfe52c1b498310b7d0c2c1624f3fbbe8c7320f72699bd1713fc6f644876751a5