Analysis

  • max time kernel: 47s
  • max time network: 132s
  • platform: android_x86
  • resource: android-x86-arm-20240624-en
  • resource tags: android, arch:arm, arch:x86, image:android-x86-arm-20240624-en, locale:en-us, os:android-9-x86, system
  • submitted: 03/11/2024, 21:34

General

  • Target: 8d9c78499d2277796005b0cf6f392f42_JaffaCakes118.apk
  • Size: 187KB
  • MD5: 8d9c78499d2277796005b0cf6f392f42
  • SHA1: 1de975eaf9631971eefbe02c82350c4966ce9d0b
  • SHA256: 2e38f52d536045ae46c828eb2f54e9289237de71d5243952afde4959b4ea5984
  • SHA512: ff5c20ded73026c5624e4acc96cc79681c6a339ca2928f9e584715370b33709d25c3679d293dce4a8e3ace020df103453359f6270b032624d114f43def360ad5
  • SSDEEP: 3072:ugxda8wyyw+qWmK440T1Seax7zyxxhfMcmzVWOPdfOpbj6Z406OAR9C7tu8seXqO:VxdYyN+N440Qeax/y7h0cmzVTdfOpXs7

Malware Config

Signatures

  • Checks if the Android device is rooted. (1 TTP, 3 IoCs)
  • Checks Android system properties for emulator presence. (1 TTP, 2 IoCs)
  • Queries account information for other applications stored on the device. (1 TTP, 1 IoC)

    Application may abuse the framework's APIs to collect account information stored on the device.

  • Acquires the wake lock. (1 IoC)
  • Registers a broadcast receiver at runtime (usually for listening for system events). (1 TTP, 1 IoC)
  • Checks memory information. (2 TTPs, 1 IoC)

Processes

  • com.lexa.fakegps
    1⤵
    • Checks Android system properties for emulator presence.
    • Queries account information for other applications stored on the device
    • Acquires the wake lock
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Checks memory information
    PID:4275
    • /system/bin/sh
      2⤵
      PID:4345
      • stat /sbin/su
        3⤵
        • Checks if the Android device is rooted.
        PID:4391
      • stat /system/sbin/su
        3⤵
        PID:4411
      • stat /system/bin/su
        3⤵
        • Checks if the Android device is rooted.
        PID:4431
      • stat /system/xbin/su
        3⤵
        • Checks if the Android device is rooted.
        PID:4451
      • stat /odm/bin/su
        3⤵
        PID:4471

Network

MITRE ATT&CK Mobile v15

Downloads

  • /data/data/com.lexa.fakegps/databases/fakegps
    Filesize: 4KB
    MD5: ad73d8317b8f111273411cdabec10aca
    SHA1: 0b1357e4f248cafe34472f3fbfaa4816f4b637a9
    SHA256: e07b6c67ba455440e2dc9b8743c78000a0a8b647cc4bafe89ab411a8450df7b3
    SHA512: 2d5c3173c1f75ab42094f1f54becb768a28315f4563416bc5bb22e8ff62af11ebfa60626b4a648749931d24cae240ee67f2b1d72df3ca6a9c35e075c9be85ee9

  • /data/data/com.lexa.fakegps/databases/fakegps-journal
    Filesize: 512B
    MD5: 776233b4b6baba83e6f7563f1f3e6649
    SHA1: 99062963eb8d50cfe0422ed1d37359a24f19f76b
    SHA256: 052b186951f460bbdb88c3c38931157f3264c96234e94666abd88375f6888d15
    SHA512: de97095b17435ddaf66ab9a5746ab555458706e32213757e377f29edd5cdc7394bea2adc1d422beb05342bcc6e129372fbba3e53c0511b44187085a26ea35d73

  • /data/data/com.lexa.fakegps/databases/fakegps-shm
    Filesize: 32KB
    MD5: bb7df04e1b0a2570657527a7e108ae23
    SHA1: 5188431849b4613152fd7bdba6a3ff0a4fd6424b
    SHA256: c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
    SHA512: 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

  • /data/data/com.lexa.fakegps/databases/fakegps-wal
    Filesize: 36KB
    MD5: 90f94adf3e1cae989ebecbe7cb2d99d5
    SHA1: 88cbf05d3185cefd3c9a10b44e203ef334bdae39
    SHA256: c106807d4525daefec73b1e759b2bf5e693ce468951ff6a29040b6bdb8d250a3
    SHA512: c9b70aaa12795fc7b61b51e8a842bc21fab42b60e85a5e768a033f99b61a0e67497cdbb5428d0767ffb457c2acc5b1a85798ecfdf2f6f826a875f08bbe7033b7

  • /data/data/com.lexa.fakegps/files/DATA_Preferences
    Filesize: 1KB
    MD5: cf40a1de3f93b4a025409b5efa5aa210
    SHA1: c66bf56ddabc2021b84d3ae2755d0ab05ff0c99e
    SHA256: 2da42fb1d7bd8524e83d5a1e332bad697c8769ba430770a19bec630eb8ffcaa8
    SHA512: a4f042e43d4db61c4ed35d966210b12d9b0afabcff358f4d07691c948c0e308068a5a9a7ee52a7329d78c9d9bbf7e06133d79334e53c9bde3c011c954fabf144

  • /data/data/com.lexa.fakegps/files/DATA_Preferences
    Filesize: 1KB
    MD5: a63fb3e802601bc3bc9437527304859a
    SHA1: 87b2aae49503bb1d8a6f2a1198dda99cd2255ffa
    SHA256: 6d91a179751a207d7a668c605c4b846bc87dd0d097e61b2385019597dcc2001a
    SHA512: 4ecb6f03143f5d2eae928fe6c68ea87ce51fad7174410b385fb822a2e02e248e2be183c4cc6637720dd5cf283f1da316ef75190c3e2583b47ae8b5afa1af246a

  • /data/data/com.lexa.fakegps/files/ID.txt
    Filesize: 47B
    MD5: 55291fa24e7b0760e63b98ce4fe45da4
    SHA1: 1656655b5809f9fb45dcd39530003fd2116e0031
    SHA256: b8a58f588c12c921f78b9393cab959a2c38f9dfd2649617d9ea047f54374c909
    SHA512: b213af2d196550026733fe0c4889584f657c0b4a4f6960608cfa04468c5e94ae6061727f297df62ad12454bc92a0195a9e843078f71fe31aae2c67c68149da46