Analysis
max time kernel: 145s
max time network: 160s
platform: android_x64
resource: android-x64-20240624-en
resource tags: android, arch:x64, arch:x86, image:android-x64-20240624-en, locale:en-us, os:android-10-x64, system
submitted: 18/10/2024, 15:00
Static task
static1
Behavioral tasks
behavioral1: sample 58126b67676dacede73e09c7f79880da_JaffaCakes118.apk, resource android-x86-arm-20240624-en
behavioral2: sample 58126b67676dacede73e09c7f79880da_JaffaCakes118.apk, resource android-x64-20240624-en
behavioral3: sample dump.apk, resource android-x86-arm-20240624-en
behavioral4: sample dump.apk, resource android-x64-20240624-en
behavioral5: sample dump.apk, resource android-x64-arm64-20240624-en
behavioral6: sample rooter.apk, resource android-x86-arm-20240624-en
behavioral7: sample rooter.apk, resource android-x64-20240624-en
behavioral8: sample rooter.apk, resource android-x64-arm64-20240910-en
General
Target: 58126b67676dacede73e09c7f79880da_JaffaCakes118.apk
Size: 6.3MB
MD5: 58126b67676dacede73e09c7f79880da
SHA1: 40c1c3914dffb76d63e33598119d70ee4779811f
SHA256: dd172f66012c1b72e6955a8de8a07e7d49a493479affe4985e86072d3ec48792
SHA512: 2e89a147e6467be2e00291abd6421c212e430e63c78914aa37593faa20c2df24b338e36ccd98699683593c5740be789074a338e4379c9402226548a4a33911f5
SSDEEP: 98304:i9hGH/oneU/d0jczSslhut/viRAMtNKGzVxJREy+KJfKvqAkBwxlXqXZv:i9hyAyEkt/antNJz5JXFKStp
Malware Config
Signatures
Loads dropped Dex/Jar (1 TTPs, 2 IoCs)
Runs executable file dropped to the device during analysis.
  ioc                                              | pid  | Process
  /data/user/0/com.qihoo.appstore/files/rooter.jar | 5500 | com.qihoo.appstore
  /data/user/0/com.qihoo.appstore/files/rooter.jar | 5688 | com.qihoo.appstore:permmgr
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) (1 TTPs)
Queries information about running processes on the device (1 TTPs, 5 IoCs)
Application may abuse the framework's APIs to collect information about running processes on the device.
  description            | ioc                                                 | Process
  Framework service call | android.app.IActivityManager.getRunningAppProcesses | com.qihoo.appstore
  Framework service call | android.app.IActivityManager.getRunningAppProcesses | com.qihoo.daemon
  Framework service call | android.app.IActivityManager.getRunningAppProcesses | com.qihoo.appstore:critical
  Framework service call | android.app.IActivityManager.getRunningAppProcesses | com.qihoo.appstore
  Framework service call | android.app.IActivityManager.getRunningAppProcesses | com.qihoo.appstore:permmgr
Acquires the wake lock (1 IoCs)
  description            | ioc                                      | Process
  Framework service call | android.os.IPowerManager.acquireWakeLock | com.qihoo.daemon
Makes use of the framework's foreground persistence service (1 TTPs, 1 IoCs)
Application may abuse the framework's foreground service to continue running in the foreground.
  description            | ioc                                               | Process
  Framework service call | android.app.IActivityManager.setServiceForeground | com.qihoo.daemon
Queries information about active data network (1 TTPs, 3 IoCs)
  description            | ioc                                                   | Process
  Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | com.qihoo.appstore
  Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | com.qihoo.daemon
  Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | com.qihoo.appstore
Queries information about the current Wi-Fi connection (1 TTPs, 1 IoCs)
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
  description            | ioc                                             | Process
  Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | com.qihoo.appstore
Queries the unique device ID (IMEI, MEID, IMSI) (1 TTPs)
Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTPs, 5 IoCs)
  description            | ioc                                           | Process
  Framework service call | android.app.IActivityManager.registerReceiver | com.qihoo.appstore
  Framework service call | android.app.IActivityManager.registerReceiver | com.qihoo.daemon
  Framework service call | android.app.IActivityManager.registerReceiver | com.qihoo.appstore:critical
  Framework service call | android.app.IActivityManager.registerReceiver | com.qihoo.appstore
  Framework service call | android.app.IActivityManager.registerReceiver | com.qihoo.appstore:permmgr
Schedules tasks to execute at a specified time (1 TTPs, 1 IoCs)
Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
  description            | ioc                                    | Process
  Framework service call | android.app.job.IJobScheduler.schedule | com.qihoo.daemon
Uses Crypto APIs (Might try to encrypt user data) (1 TTPs, 2 IoCs)
  description        | ioc                         | Process
  Framework API call | javax.crypto.Cipher.doFinal | com.qihoo.daemon
  Framework API call | javax.crypto.Cipher.doFinal | com.qihoo.appstore
Checks CPU information (2 TTPs, 3 IoCs)
  description          | ioc           | Process
  File opened for read | /proc/cpuinfo | com.qihoo.daemon
  File opened for read | /proc/cpuinfo | com.qihoo.appstore
  File opened for read | /proc/cpuinfo | com.qihoo.appstore
Processes
com.qihoo.appstore (PID 5070)
- Queries information about running processes on the device
- Queries information about active data network
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Checks CPU information
com.qihoo.daemon (PID 5108)
- Queries information about running processes on the device
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Queries information about active data network
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Schedules tasks to execute at a specified time
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
com.qihoo.appstore:critical (PID 5353)
- Queries information about running processes on the device
- Registers a broadcast receiver at runtime (usually for listening for system events)
com.qihoo.appstore (PID 5500)
- Loads dropped Dex/Jar
- Queries information about running processes on the device
- Queries information about active data network
- Queries information about the current Wi-Fi connection
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
com.qihoo.appstore:permmgr (PID 5688)
- Loads dropped Dex/Jar
- Queries information about running processes on the device
- Registers a broadcast receiver at runtime (usually for listening for system events)
Network
MITRE ATT&CK Mobile v15
Persistence
- Event Triggered Execution (1)
  - Broadcast Receivers (1)
- Foreground Persistence (1)
- Scheduled Task/Job (1)
Defense Evasion
- Download New Code at Runtime (1)
- Foreground Persistence (1)
- Virtualization/Sandbox Evasion (1)
  - System Checks (1)
Downloads