Analysis
max time kernel: 149s
max time network: 159s
platform: android_x86
resource: android-x86-arm-20240624-en
resource tags: android, arch:arm, arch:x86, image:android-x86-arm-20240624-en, locale:en-us, os:android-9-x86, system
submitted: 02/11/2024, 23:38
Static task: static1
Behavioral task: behavioral1
  Sample: 8873436c80ff14237fb4407af7ed781e_JaffaCakes118.apk
  Resource: android-x86-arm-20240624-en
Behavioral task: behavioral2
  Sample: 8873436c80ff14237fb4407af7ed781e_JaffaCakes118.apk
  Resource: android-33-x64-arm64-20240624-en
Behavioral task: behavioral3
  Sample: dump.apk
  Resource: android-x86-arm-20240624-en
Behavioral task: behavioral4
  Sample: dump.apk
  Resource: android-x64-20240624-en
Behavioral task: behavioral5
  Sample: dump.apk
  Resource: android-x64-arm64-20240624-en
General
Target: 8873436c80ff14237fb4407af7ed781e_JaffaCakes118.apk
Size: 6.7MB
MD5: 8873436c80ff14237fb4407af7ed781e
SHA1: 7375ef333167e8e8343a78b018d182b8853a34ff
SHA256: 221d5ed99d465d96de767db904eca84e478d80f26ee9cb4cd9130a6d63ef7965
SHA512: 79f311bc644846043d11c9086dfccce3a96b7367efca9c134aac5984c423d20c826b3aea88f97a145f840bea057023f4e1f2e7e70e2006f01e728665906d0927
SSDEEP: 196608:W9BZESfl0u+kLJlE5HSSQu0bC5GMCTz7TZSw:0Z4kLJlErI6eT3L
Malware Config
Signatures
Checks if the Android device is rooted. (1 TTPs, 1 IoCs)
  IoC: /sbin/su | Process: com.qihoo.daemon
Checks known Qemu files. (1 TTPs, 3 IoCs)
  Checks for known Qemu files that exist on Android virtual device images.
  IoC: /system/lib/libc_malloc_debug_qemu.so | Process: com.qihoo.daemon
  IoC: /sys/qemu_trace | Process: com.qihoo.daemon
  IoC: /system/bin/qemu-props | Process: com.qihoo.daemon
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) (1 TTPs)
Queries information about running processes on the device (1 TTPs, 2 IoCs)
  Application may abuse the framework's APIs to collect information about running processes on the device.
  Description: Framework service call | IoC: android.app.IActivityManager.getRunningAppProcesses | Process: com.qihoo.appstore
  Description: Framework service call | IoC: android.app.IActivityManager.getRunningAppProcesses | Process: com.qihoo.daemon
Acquires the wake lock (1 IoCs)
  Description: Framework service call | IoC: android.os.IPowerManager.acquireWakeLock | Process: com.qihoo.daemon
Queries information about active data network (1 TTPs, 2 IoCs)
  Description: Framework service call | IoC: android.net.IConnectivityManager.getActiveNetworkInfo | Process: com.qihoo.appstore
  Description: Framework service call | IoC: android.net.IConnectivityManager.getActiveNetworkInfo | Process: com.qihoo.daemon
Queries information about the current Wi-Fi connection (1 TTPs, 2 IoCs)
  Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
  Description: Framework service call | IoC: android.net.wifi.IWifiManager.getConnectionInfo | Process: com.qihoo.appstore
  Description: Framework service call | IoC: android.net.wifi.IWifiManager.getConnectionInfo | Process: com.qihoo.daemon
Reads information about phone network operator. (1 TTPs)
Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTPs, 3 IoCs)
  Description: Framework service call | IoC: android.app.IActivityManager.registerReceiver | Process: com.qihoo.appstore
  Description: Framework service call | IoC: android.app.IActivityManager.registerReceiver | Process: com.qihoo.daemon
  Description: Framework service call | IoC: android.app.IActivityManager.registerReceiver | Process: com.qihoo.appstore:critical
Schedules tasks to execute at a specified time (1 TTPs, 1 IoCs)
  Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
  Description: Framework service call | IoC: android.app.job.IJobScheduler.schedule | Process: com.qihoo.daemon
Uses Crypto APIs (Might try to encrypt user data) (1 TTPs, 2 IoCs)
  Description: Framework API call | IoC: javax.crypto.Cipher.doFinal | Process: com.qihoo.appstore
  Description: Framework API call | IoC: javax.crypto.Cipher.doFinal | Process: com.qihoo.daemon
Checks CPU information (2 TTPs, 2 IoCs)
  Description: File opened for read | IoC: /proc/cpuinfo | Process: com.qihoo.appstore
  Description: File opened for read | IoC: /proc/cpuinfo | Process: com.qihoo.daemon
Processes
com.qihoo.appstore (PID 4249)
- Queries information about running processes on the device
- Queries information about active data network
- Queries information about the current Wi-Fi connection
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
  /system/bin/ping -i 0.5 -s 56 -w 10 -c 10 221.130.199.88 (PID 4680)
  /system/bin/ping -i 0.5 -s 56 -w 10 -c 10 221.130.199.88 (PID 4791)
  /system/bin/ping -i 0.5 -s 56 -w 10 -c 10 221.130.199.88 (PID 4825)
  /system/bin/ping -i 0.5 -s 56 -w 10 -c 10 221.130.199.88 (PID 4874)
com.qihoo.daemon (PID 4279)
- Checks if the Android device is rooted.
- Checks known Qemu files.
- Queries information about running processes on the device
- Acquires the wake lock
- Queries information about active data network
- Queries information about the current Wi-Fi connection
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Schedules tasks to execute at a specified time
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
  /system/bin/sh (PID 4403)
  /system/bin/sh /system/bin/pm list packages (PID 4468)
    cmd package list packages (PID 4501)
com.qihoo.appstore:critical (PID 4422)
- Registers a broadcast receiver at runtime (usually for listening for system events)
app_process32 / com.qihoo.appstore.rootcommand.persistent.CoreDaemon --nice-name=com.qihoo.appstore_CoreDaemon --daemon (PID 4460)
Network
MITRE ATT&CK Mobile v15
Persistence
  Event Triggered Execution (1): Broadcast Receivers (1)
  Scheduled Task/Job (1)
Downloads
Filesize: 512B
MD5: fb3f5307102bfb95a4d8dc31558af09a
SHA1: 5238cae8189e7e261be9424f0681ca8526c55ea6
SHA256: ad3a2d3f0504a574a8203cd0cb1ff2504ffb492acae02f4bc9c06292fc14a929
SHA512: a2b5b72c1ab47b3b69370faa44c3604c30b41ca432a155ccd65561a638b2419aeb95d395cdc59ca599273c55a040f7a113f712efe802052ac488a7229f002fa2

Filesize: 20KB
MD5: 195fd7ab3fa09afcb44f08527653f9d2
SHA1: 82a30b4e8aeb8e7a58020ef7a717cbc1b28ff904
SHA256: a091c507e28a85e18875eb3cd6e956c2e50a1751ea06f8a1e55f20178b981d9f
SHA512: 5b1ac7c2ca2e7a1060a6eba4588c0812755b33c0761791f8078ba133f3a1af73103c036e2b7959cb326888f35b6a228cf3b89520e959409c108dd9dc69b89e97

Filesize: 4KB
MD5: f2b4b0190b9f384ca885f0c8c9b14700
SHA1: 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256: 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512: ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

Filesize: 512B
MD5: f3c00b27cdfa7d8ce50cc892f11e9fad
SHA1: 78047a6fe0468ca1dc321779aae82ca430abd336
SHA256: 0fdd55da9489388da440329133c37a5934fe50dd8bb02dd7c7788902a14a436a
SHA512: 8baa22bb1dfeb55ef8ac27cfaa379f8b17432a49f7e87efa88e11f8b14c8313416c755ce09cb02b16a7d2fbfdeb2f3f7ba6699c7a5e3a0e2579d06b1c5707643

Filesize: 32KB
MD5: c9b9c68f5445dc86719b1a33de4c1eca
SHA1: 753412d9c946050fa089747e867337d464731c88
SHA256: 1a8532c7cbb0c05ef5d1aa7b298574fdd6d1de262a2d07d59f6b7c0938fb3e37
SHA512: 70b4f8abec5f39eba616780fa877ff8bbafb0ee3f567113c428cc771a66b052e864a66d8feb4a4184451910a78079a8af9bfa7d054710749fb3e8a4abc55c038

Filesize: 4KB
MD5: 908c3e77354be74e5c4f41cf9ef69eba
SHA1: 6815cc47ddc033fbefe926b212a68c2af9812acd
SHA256: 490b84cdf2f4aa33fc2d9ae0ec4259b83e5798fd9545e4d38b9a1e263d087e34
SHA512: a87ed6c79ea6614293d378d17bfee6c95930678e58e1f44d3d2dd6fd9b8016ea94e0def96d9bc7f76460bf61ec2bc285af72ccfee94d3949d134b40173ed3dfc

Filesize: 540B
MD5: 31e65866cbdc0ac5ef6a113b53ac9ebd
SHA1: 8b5f274c92b64739e0f0196510e8aa3b190f3e33
SHA256: 2263fe8fa41561d622d9c4fe17c12c01bb22e6471540ce6f2b55bfa0ae0432c1
SHA512: c4dc7b0dd8b5fe9d29d40f28114daa4cd2967b50933c1b9eb632f562c6a1af5a16bafcb43262353e5ea2c5955f22f5632834dca38ae51af1da7554a362542293

Filesize: 32KB
MD5: bb7df04e1b0a2570657527a7e108ae23
SHA1: 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256: c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512: 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Filesize: 32KB
MD5: 1713b7f6d340992fb3c713d96a2c83ea
SHA1: f266eed6a27052cecfae1bc70b27a07fb54d2429
SHA256: e361e4e1dfa865de0f49fc24fe3af93fe0610a17864ffe19e42458d2b9e3d71c
SHA512: ed5df315470d7d33f09237c1eb8ac25f26e2ab36453ecfe93b08fd8235f7a512e35d43dc7fe5419b19be86bcacf882ea9fd56c0e1a40da0eba00b8c79ac69e1d

Filesize: 12KB
MD5: 3fe30614d7e0d11db870b4624f6c50e0
SHA1: 053ff0fc621ab40f2afeddb3e7b4a73ee41ec533
SHA256: 67c532f0324228dd33b445cd399c1426e3a0e0cdc7b9358c66b402c5d40a838d
SHA512: c7c09e97a408e88aacaf8099ad4d1fa604d58113393500a384eb3c2eb7c3c105af41314934b86eca2f088045cbab5a20d768bbb295448dc1ae6cb6c3f59821ae

Filesize: 512B
MD5: f6981bdafb86f0d591a9b551d7c17b73
SHA1: 0c5b1f4910f3e093a12d2bb92e8f13c2fe11e526
SHA256: b18bc7a69872504ce07e099d8a36b8ce2ae5b5049a182c93a7967594055d4652
SHA512: d6f710e9e420cbff008a03a01abaf3922bdf74c5336ad55f4392664b4063a693adcbfd2644214bf0ac0c213aa011a9b7e32a7a49a9bddbf19fc3cab04d258694

Filesize: 16KB
MD5: 2482c79d6602bcf2f179dddedc8b410b
SHA1: f0a658c055e38776f59f20d6b96e23fa7ac76ac4
SHA256: 48eaa83435a117fe6d075ace8a9c9c554ab74e5898489160af7525b1f77fe388
SHA512: 37200e4f3a71bd9e8fe86ea0634e885ce924608fd191fe8da375076ad61304194e9970fd50e652658b28ef03d9c0c586ea6383bc7927a5903d6ab349ae00eb47

Filesize: 1B
MD5: c81e728d9d4c2f636f067f89cc14862c
SHA1: da4b9237bacccdf19c0760cab7aec4a8359010b0
SHA256: d4735e3a265e16eee03f59718b9b5d03019c07d8b6c51f90da3a666eec13ab35
SHA512: 40b244112641dd78dd4f93b6c9190dd46e0099194d5a44257b7efad6ef9ff4683da1eda0244448cb343aa688f5d3efd7314dafe580ac0bcbf115aeca9e8dc114

Filesize: 520B
MD5: 20133fef35d18a5bfc2a27863c9f93aa
SHA1: 60dd93afcd18951d16f976cbba4e4ec5c9e0b89b
SHA256: eafb19915011eb9bd8d879ab54564507eab9f623e6ebe9116b9c16442fbbed8a
SHA512: a4b0dc8fc4c0a538685a61b78444a0520b1070f6027be390c2e4c9909562f7686610c08c629587749cd1af620a4537b5b57371bae3aa4ab8d4320555437c21fb

Filesize: 632B
MD5: 66c108415a6dd3a64192d648991a724d
SHA1: e35e3309004c734c1acce4281cb1eb28541c10cf
SHA256: 22bb6c68d7ea2840ab5afda912bc70342737dfe3bef708d429f6d9509b89ed38
SHA512: 482648691a0cb063804762bc69a4c8c8fcb970ddb62fa8bb61d57f8b552bc0b3cf06b6232ae38cf6f9589d1af178914524c64c46791de4d531dbc483852fb496

Filesize: 77KB
MD5: f113a25b26661f5dd6da8d6da00d8da7
SHA1: 8d1ab96cb2f584814129f1f0daaf46e9990b3e9d
SHA256: 63b1c36df33ebbebf6af6f7610e99acc658daf4a8d2b7ddf517227dc1688bbb7
SHA512: a2af435bcb7c2f653b038b67b3200a0c5b212447ad14d2aa2beb3a58ac5f89d0c0eaa0acfcaefaa1ea227058f02cf8a8ebfd0c9b1ece8c5298f7dd560d5483ad