Analysis
max time kernel
8s
max time network
133s
platform
android_x86
resource
android-x86-arm-20240624-en
resource tags
android, arch:arm, arch:x86, image:android-x86-arm-20240624-en, locale:en-us, os:android-9-x86, system
submitted
03/11/2024, 05:10
Static task
static1
Behavioral task
behavioral1
Sample
89c6e193d596ba6cae7fb32dabdebb99_JaffaCakes118.apk
Resource
android-x86-arm-20240624-en
Behavioral task
behavioral2
Sample
com.skymobi.pay.plugin.main_v10014.apk
Resource
android-x86-arm-20240624-en
Behavioral task
behavioral3
Sample
com.skymobi.pay.plugin.main_v10014.apk
Resource
android-x64-20240624-en
Behavioral task
behavioral4
Sample
com.skymobi.pay.plugin.main_v10014.apk
Resource
android-x64-arm64-20240624-en
Behavioral task
behavioral5
Sample
com.skymobi.pay.plugin.recordupload_v10009.apk
Resource
android-x86-arm-20240624-en
Behavioral task
behavioral6
Sample
com.skymobi.pay.plugin.recordupload_v10009.apk
Resource
android-x64-20240910-en
Behavioral task
behavioral7
Sample
com.skymobi.pay.plugin.recordupload_v10009.apk
Resource
android-x64-arm64-20240910-en
General
Target
89c6e193d596ba6cae7fb32dabdebb99_JaffaCakes118.apk
Size
1.3MB
MD5
89c6e193d596ba6cae7fb32dabdebb99
SHA1
7e1e6c28cb2a41d992bf8c3006660f2379659659
SHA256
6d5a8e3508ae018363cbdd537d76586613090915d6850fe7a9ac09d3b9fbabf7
SHA512
1bbb5640e8873f29ffce2b88f6a9cd0a51e299e60036268f24b6440887717addc7c4556ad43197d25cf5e439040b9d100b64ddb3cbdbedf6f576552ce62593cf
SSDEEP
24576:HZtRgZL0/71xeZ9zmvnH8ufRfri0pIdU8U2q59M2AfF:H1QakhmPpfrDpISDqfF
Malware Config
Signatures
Checks if the Android device is rooted. (1 TTPs, 2 IoCs)
ioc | Process
/system/bin/su | com.jqpa.loan.qyk
/system/xbin/su | com.jqpa.loan.qyk
Loads dropped Dex/Jar (1 TTPs, 2 IoCs)
Runs executable file dropped to the device during analysis.
ioc | pid | Process
/data/user/0/com.jqpa.loan.qyk/app_workbench32274/apk.zip | 4310 | /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.jqpa.loan.qyk/app_workbench32274/apk.zip --output-vdex-fd=68 --oat-fd=70 --oat-location=/data/user/0/com.jqpa.loan.qyk/app_workbench32274/oat/x86/apk.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/com.jqpa.loan.qyk/app_workbench32274/apk.zip | 4249 | com.jqpa.loan.qyk
Queries information about running processes on the device (1 TTPs, 1 IoCs)
Application may abuse the framework's APIs to collect information about running processes on the device.
description | ioc | Process
Framework service call | android.app.IActivityManager.getRunningAppProcesses | com.jqpa.loan.qyk
Queries the phone number (MSISDN for GSM devices) (1 TTPs)
Reads the content of SMS inbox messages. (1 TTPs, 1 IoCs)
description | ioc | Process
URI accessed for read | content://sms/inbox | com.jqpa.loan.qyk
Reads the content of the SMS messages. (1 TTPs, 1 IoCs)
description | ioc | Process
URI accessed for read | content://sms/ | com.jqpa.loan.qyk
Requests cell location (2 TTPs, 1 IoCs)
Uses Android APIs to get current cell location.
description | ioc | Process
Framework service call | com.android.internal.telephony.ITelephony.getCellLocation | com.jqpa.loan.qyk
Queries information about active data network (1 TTPs, 1 IoCs)
description | ioc | Process
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | com.jqpa.loan.qyk
Queries information about the current Wi-Fi connection (1 TTPs, 1 IoCs)
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
description | ioc | Process
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | com.jqpa.loan.qyk
Queries the mobile country code (MCC) (1 TTPs, 1 IoCs)
description | ioc | Process
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | com.jqpa.loan.qyk
Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTPs, 1 IoCs)
description | ioc | Process
Framework service call | android.app.IActivityManager.registerReceiver | com.jqpa.loan.qyk
Uses Crypto APIs (Might try to encrypt user data) (1 TTPs, 1 IoCs)
description | ioc | Process
Framework API call | javax.crypto.Cipher.doFinal | com.jqpa.loan.qyk
Checks CPU information (2 TTPs, 1 IoCs)
description | ioc | Process
File opened for read | /proc/cpuinfo | com.jqpa.loan.qyk
Checks memory information (2 TTPs, 1 IoCs)
description | ioc | Process
File opened for read | /proc/meminfo | com.jqpa.loan.qyk
Processes
com.jqpa.loan.qyk (PID 4249)
  - Checks if the Android device is rooted.
  - Loads dropped Dex/Jar
  - Queries information about running processes on the device
  - Reads the content of SMS inbox messages.
  - Reads the content of the SMS messages.
  - Requests cell location
  - Queries information about active data network
  - Queries information about the current Wi-Fi connection
  - Queries the mobile country code (MCC)
  - Registers a broadcast receiver at runtime (usually for listening for system events)
  - Uses Crypto APIs (Might try to encrypt user data)
  - Checks CPU information
  - Checks memory information
  chmod 666 /storage/emulated/0/Android/data/com.skymobi.pay.newsdk/plugins/com.skymobi.pay.plugin.main.apk (PID 4291, child of 4249)
  /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.jqpa.loan.qyk/app_workbench32274/apk.zip --output-vdex-fd=68 --oat-fd=70 --oat-location=/data/user/0/com.jqpa.loan.qyk/app_workbench32274/oat/x86/apk.odex --compiler-filter=quicken --class-loader-context=& (PID 4310, child of 4249)
    - Loads dropped Dex/Jar
Network
MITRE ATT&CK Mobile v15
Defense Evasion
Download New Code at Runtime (1)
Execution Guardrails (1)
  Geofencing (1)
Virtualization/Sandbox Evasion (2)
  System Checks (2)
Downloads

Filesize 52KB
MD5 7aeb1d2fa82938b504b8dfe4f0f88e15
SHA1 594b71ccfe14b401d0f714decff5fd233efa417a
SHA256 cc14dbf934faa2ec007caf8cfa82fd746269f5239aff2d74ab79a015ea27d206
SHA512 c4b58efbcdc02abca3eb579e529889bd4d8ea207bc0b85a1fa02bdf71598567b1576ac8d4e59ad848d8f514e93ad7cd351f4bcde3f3f9a2bbb041a5a61536057

Filesize 4KB
MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

Filesize 512B
MD5 25aaaed683c8819eba09b79cb096261b
SHA1 ca9165a99275331399854c0823e211bf487301cb
SHA256 3215e810b86ffe01d047ae1d288279a4273a6ce6ca422174d83283f04601ef4f
SHA512 9fd328accd1fe620972a5e2882dc3488d3649184dbc5624ade3e4a2e38a47b6a5f4b3dac95818f8d80b44f959f22fb1c2ac6f4b0e8814d73a6d98eaa989426dd

Filesize 28KB
MD5 cf845a781c107ec1346e849c9dd1b7e8
SHA1 b44ccc7f7d519352422e59ee8b0bdbac881768a7
SHA256 18619b678a5c207a971a0aa931604f48162e307c57ecdec450d5f095fe9f32c7
SHA512 4802861ea06dc7fb85229a3c8f04e707a084f1ba516510c6f269821b33c8ee4ebf495258fe5bee4850668a5aac1a45f0edf51580da13b7ee160a29d067c67612

Filesize 44KB
MD5 850e736878ad676a950e9fdb65f8ceb0
SHA1 fa262d311dddbe0267475201244def028c047793
SHA256 e66f8b0424336bc28d684bb72bb5f2f476ba98c3ff2e66395c56f5dc7d9b6fe7
SHA512 ee37672a2f57d55377bd6535916386533a97cd3d5692f3928f07e7575287687e988769f83f0cc9da62726e7328b89cdda6abd24122703cd19bd4cef02e3616bd

Filesize 512B
MD5 9027bede69815c936d2636243f76980e
SHA1 abbc605600d1db191f2bd6508be1407315ee6a0b
SHA256 0ae5f7b3dedbf7c2a09db962316bb93bb7a7962bbdad2de31fd1e351cd3c8b6e
SHA512 8b69940f5b6afb4f14b2bf4bf4141d25eab3435351fa65d7056508032f9ce0d5c5f5f7af47174d34aa6c5cf8427897f117d0b9ff618191df403fb0c1caef8787

Filesize 44KB
MD5 c7b9bff684e055c34339de290a445e88
SHA1 9dffa0ac388606c5ad268931527c1336479b0eb0
SHA256 7a63d1bdd6ecf261dc32d008d6ca4ef9e1ed941eae8e4b5ae97a33b9f83847a8
SHA512 9fea8f24d11d7b914d7c4562b3646b764f01de89767ff7064f1d952c39e4cae5eaf50a1103eaf2c053078bf1ff2ba798d2c74ae191c3adeb0961bd0d374c47dd

Filesize 88KB
MD5 eb6a07c02a4503a237a35d449de23e45
SHA1 c8dfa2dea667659ec567dd111cb1ee47903f6e49
SHA256 d76989d5c52ee0bdb508b1a6217fdabba45873e2d832538c9a407850c845da77
SHA512 ff3f8acebe881b8dac8c41f3a0d2ea5ffb6a936e9fa88e279aecef25470ed95693921ec1bc2ea618e06189893bdbd62f73a49e4bc847819dc4a216727db7be86

Filesize 512B
MD5 87110fed4cfe41dd31c68cf9096601b7
SHA1 d69a1eb7a7ab610c3a9493660150c694f0841d13
SHA256 a953368e9c4a3991b6cc37ee0d638f9ba7323f1f899f2e91f12b7d28ba1b76f2
SHA512 51e96cc6af000d51535707ecc6da599d3679f3868c3e654b8c904b1fbae5964cbf76e3cdb3a6dc9bdadd78d991163eb3a40c5dcfc6072379ec50a08da8bbe8e9

Filesize 32KB
MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Filesize 100KB
MD5 9159ede056de28dc8aaa801dddacb46d
SHA1 ba77c728d8496252d9a6657d681651a0a1b618c5
SHA256 908aa3334ecccbe2d30e03d9c29a152eaba972920dd445c467ff24a85ae7d71d
SHA512 caaaef6174e218a7e6f6cbd5446db5dc55fda5610d743e71608fdddc1f0bf6a9cb0925a3be1e1e90b008db6d3e279fbeded932bfe5df5bafe9841b045e67b598

Filesize 9KB
MD5 ab3aec529c0a0d751f43cf6de904809a
SHA1 a7ad041ad68cb887d74a4454475693d06dbc3d10
SHA256 3604015d5d2a3d8a7c3b06fa5c9d2302bbcd0e7ea5ccaf24dd98f99f89b0e8ba
SHA512 7950c3df10a8941a690e83a7e7829bf744f9a64ca7b0863af625c10a15975cfb9d8876dd9918a0cb9d852c631f811db742f0b69ef031dc7a2d093a98f4b4439c

Filesize 122KB
MD5 b756c9d5df53eb070e37165a8e71425c
SHA1 fcb2d12dae7f1f857afb83eb389efaad2f3fdaba
SHA256 b0e5cbcff5c39f8185c43b7fbf8891b6a94d3cba02052c3e566978949371e808
SHA512 3562fc3ee96742d9ddb4b3fb77b6a14c5ed8a2fa628448283c3e81273427467efbff8945ff1b0863ddd7d08763216c5205dd5778e49afabdae2e10e4b7719356

Filesize 122KB
MD5 4664de668b3277f9bec7ff8c620df68b
SHA1 fb7a22c912a43c1ac08cfcee610914846735879c
SHA256 a4dd5ecf1378c5f6ba31fac733821a9d3ae6f0d5a1349a9776430ac687ccf393
SHA512 574c6ea868d7f475b9d8f199406dca9d9c16a649f49d9fc2823635bf043cea67b37de37f4f4c706f0167c5ecd526b9a7e68364e90a730e0c172e1a6db40041d5

Filesize 454B
MD5 f4eb13ea807f00b4622d896aa12c7f33
SHA1 4496df1d7f93acd4b3aacc523a2122ddb2dff970
SHA256 4d4f10b0f8ba253690d3d733b48843e4c7f2ef723895f33380e28e0c33524c67
SHA512 1e0f94bbfd05e43ccd2b75d3d798850a31f3f02d19ea7067022ad99e69c3c44bc37110e978617e5bd3903710a4399b766d351265cf75d64a70d864b5cfc9ad51

Filesize 58KB
MD5 b0a39aaa44ac82ec0fd321914f6aa668
SHA1 10a20428675480d68cbc64a5a4be12bde81aaca2
SHA256 e44f6d6dc173a53f4d7e4bbcbc92bf991ffea14af1612ee29b81f56c33b6d5ef
SHA512 fde8a61b36e3a27acd98ce24b594b71690456c40f76785dac0a4809f66570d4196b60e1e47616cf9855faac18822fe6d953b59534a39506daa15c7a285d70999

/storage/emulated/0/Android/data/com.skymobi.pay.newsdk/plugins/com.skymobi.pay.plugin.recordupload.apk
Filesize 38KB
MD5 55c24dc00f667f62ee0cc0dfca41fc28
SHA1 1811dd0ba5f5bdfeef743332b7ef1b8e4097a23c
SHA256 8199c84eb1412ac9f13edc3bff4cd66e788847143bd0c8497ce7f699a0d68e77
SHA512 b5a5269065f4bcf05c560315255c49dc7eafc015458eca425f6b44eec0ee74c3e1d481e06df70deca25056a8fd070efb5adcf364061a8e5c1e26fb8e102caf69