1f36b7ed839329a34ec235dfaab84dbed11f16d551dede24125c7ed6b3794ba0

Analysis

max time kernel
134s
max time network
150s
platform
android_x86
resource
android-x86-arm-20240624-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20240624-enlocale:en-usos:android-9-x86system
submitted
25-11-2024 23:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9e8c8f86af07d42d19a8cdeec8f48660_JaffaCakes118.apk
Size

10.1MB
MD5

9e8c8f86af07d42d19a8cdeec8f48660
SHA1

aa99bd026a1c08b6c835be58314d0423ac1de13c
SHA256

1f36b7ed839329a34ec235dfaab84dbed11f16d551dede24125c7ed6b3794ba0
SHA512

cac8a406b337173d0f34a5119005954c91d9ea4c813bd6a573e076dacdf41ad6d5bc9118af97619342906eaefa8674f38ccf4100c3155685f9e68e7ce4dccdc3
SSDEEP

196608:AB76KgY6HEpiM500DTutnKFdk6UalUuGn7PewO4xB/zLfP:+7TqHEhve0d4ajG7PewBn

Score

8^/10

banker collection discovery evasion impact persistence

Malware Config

Signatures

Checks if the Android device is rooted. 1 TTPs 4 IoCs

evasion

System Information Discovery

T1426

Processes:

com.zimadaicom.zimadai:bdservice_v1

ioc	Process
/system/bin/su	com.zimadai
/system/xbin/su	com.zimadai
/system/bin/su	com.zimadai:bdservice_v1
/system/xbin/su	com.zimadai:bdservice_v1

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001

Queries information about the current nearby Wi-Fi networks 1 TTPs 1 IoCs

Application may abuse the framework's APIs to collect information about the current nearby Wi-Fi networks.

discovery

System Network Connections Discovery

T1421

Processes:

com.zimadai

description	ioc	Process
Framework service call	android.net.wifi.IWifiManager.getScanResults	com.zimadai

Requests cell location 2 TTPs 1 IoCs

Uses Android APIs to to get current cell location.

collection discovery evasion

Location Tracking

T1430

Geofencing

T1627.001

Processes:

com.zimadai

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getCellLocation	com.zimadai

Queries information about active data network 1 TTPs 2 IoCs

discovery

System Network Connections Discovery

T1421

Processes:

com.zimadaicom.zimadai:bdservice_v1

description	ioc	Process
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.zimadai
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.zimadai:bdservice_v1

Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs

Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

discovery

System Network Connections Discovery

T1421

Processes:

com.zimadai

description	ioc	Process
Framework service call	android.net.wifi.IWifiManager.getConnectionInfo	com.zimadai

Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 2 IoCs

persistence

Broadcast Receivers

T1624.001

Processes:

com.zimadaicom.zimadai:bdservice_v1

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	com.zimadai
Framework service call	android.app.IActivityManager.registerReceiver	com.zimadai:bdservice_v1

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 2 IoCs

impact

Data Encrypted for Impact

T1471

Processes:

com.zimadaicom.zimadai:bdservice_v1

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.zimadai
Framework API call	javax.crypto.Cipher.doFinal	com.zimadai:bdservice_v1

Checks CPU information 2 TTPs 2 IoCs

System Checks

T1633.001

System Information Discovery

T1426

Processes:

com.zimadai:bdservice_v1com.zimadai

description	ioc	Process
File opened for read	/proc/cpuinfo	com.zimadai:bdservice_v1
File opened for read	/proc/cpuinfo	com.zimadai

com.zimadai
1⤵
- Checks if the Android device is rooted.
- Queries information about the current nearby Wi-Fi networks
- Requests cell location
- Queries information about active data network
- Queries information about the current Wi-Fi connection
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
PID:4252

com.zimadai:bdservice_v1
1⤵
- Checks if the Android device is rooted.
- Queries information about active data network
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
PID:4294

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Privilege Escalation

Defense Evasion

Execution Guardrails

T1627

Geofencing

T1627.001

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Discovery

Location Tracking

T1430

Software Discovery

T1418

Security Software Discovery

T1418.001

System Information Discovery

T1426

System Network Configuration Discovery

T1422

System Network Connections Discovery

T1421

Lateral Movement

Collection

Location Tracking

T1430

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.zimadai/files/__local_last_session.json

Filesize
512B

MD5
463fe47ed2b3075731bd6de998f35014

SHA1
27c1276776162b40cd30658b27a681e10df33986

SHA256
c8e637a45575b5d4137a507d75402198305bf96a65bd58314fda7e77ba9ac147

SHA512
294f446a0896f388b0afb83e55a24a56e8926407714fc192a068b2009982c95c87ce7c36ddae33c8c17af3893202163233990917ad72158c907f2a22cbfe304a

Download Submit
/data/data/com.zimadai/files/__local_stat_cache.json

Filesize
60KB

MD5
4904f0624f14e135813b6ee1ca634d03

SHA1
d863404da009bee23d749848fb2fbc9f9fdc4027

SHA256
1303642d86a3faea888e0a6d595a4215d55c227fe22adad2da6588c6a70988a3

SHA512
64906442446ca31877edd5a1e5117c180444ebb44ba7b559e2bbe1cad326def9e5875e46d017f3233e6e0968f2ff462bdb02df21e70366e16f8bf00eacfab606

Download Submit
/storage/emulated/0/backups/.SystemConfig/.cuid

Filesize
160B

MD5
9429fb7bfea74030bc6c556cfec503a6

SHA1
74faebaf7ccf3265286f5f80218d60df2a167b87

SHA256
c819a8b1260d6f8cab03445d112a923c0553cfcc58d4872490aaa151af8ed45f

SHA512
e0ed343bb2fdb7f61e31ee726a6961289e379469416b5a0f15def3c3531bdc1ff29d4fc63aad7a747a4f738d5268506fe622039fa26f09da7b31975acde951f4

Download Submit
/storage/emulated/0/baidu/pushservice/database/storage/emulated/0/baidu/pushservice/database/pushstat_4.5.1.db

Filesize
44KB

MD5
3e388550a6a5d7e15ab9c3da1e47f11f

SHA1
6ae18ecf78e7a439f1788187cd474834a9d24d59

SHA256
18f12596bed658af8e1a9c835095610fd5ad37ff1e6f8879e335d19043088993

SHA512
b9319078c4723f2f024c2eef257d507a5647d6482f7ce8574f0d3123fed39af2ba4233fe3535155e829a29fad31cbbcd99538eb5b59026e4c36c21ee70237ed1

Download Submit
/storage/emulated/0/baidu/pushservice/database/storage/emulated/0/baidu/pushservice/database/pushstat_4.5.1.db

Filesize
24KB

MD5
ce27dcae6017bafb838b8a32c6717c20

SHA1
999ee1051a72656bfe6dd96d1b575993a8ae5490

SHA256
0fd6ea73166f8afab567d8038c068bd12e423253f5e86063025792eed4f42927

SHA512
5267c20c7301b5ca117c684e1793b67212107b8cf87d83bf55ed34f284d84315fc53aa224a7f1f30c793ab0c1b0087e4a4e0aebc666ebafc385f6a2499f1c77a

Download Submit
/storage/emulated/0/baidu/pushservice/database/storage/emulated/0/baidu/pushservice/database/pushstat_4.5.1.db-shm

Filesize
32KB

MD5
bb7df04e1b0a2570657527a7e108ae23

SHA1
5188431849b4613152fd7bdba6a3ff0a4fd6424b

SHA256
c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

SHA512
768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Download Submit
/storage/emulated/0/baidu/pushservice/database/storage/emulated/0/baidu/pushservice/database/pushstat_4.5.1.db-wal

Filesize
80KB

MD5
9abf2e8d42886b8cd8355455e74101fb

SHA1
f5812206f5e505307f9d5f366f404674c2a49e90

SHA256
e533900c7cb00b5cfb6ed561de273b2d4af9a24c6344497eab2d6350ebe02d69

SHA512
7a761d171ffb31dc66992ac0ca71b72575fda25acce4353aba584c86ee05974fcb6f6a2f308df690ef159f8c00ea5e4c0463ef02c328f8d0ccd9f1879e62bdf5

Download Submit
/storage/emulated/0/baidu/pushservice/database/storage/emulated/0/baidu/pushservice/database/pushstat_4.5.1.db-wal

Filesize
12KB

MD5
54792f554b9c1921d5ef6dd32776e30a

SHA1
e266405e0a67bc16cba453b9844eb860851933fe

SHA256
7800b67406962a388e991992bbf737fe4adb49d40a1aba5a386d10a79e31ef48

SHA512
627b0715582d415a60bf5464f127e5389086671909396f921bc13de731a11e6b8dfb9840ba5292751acd1957a0858680ac3b66781c55cd1f7762937a4a3c8bbd

Download Submit
/storage/emulated/0/baidu/pushservice/database/storage/emulated/0/baidu/pushservice/database/pushstat_4.5.1.db-wal

Filesize
8KB

MD5
56d2813f5742b2401c96fc8d971f578d

SHA1
fa46484190f7db06af88f3243fbb13c70462e1ed

SHA256
e89b181c04be32e12c0dc608ec53887295b47fba2652490883377d38a83e9f9a

SHA512
b1d111a86172864d37f96ec342b34a9e2e13fe7c60a946e8a4c0e669855f7f25484099c9f3e5c9f69deaf3f0e8b1b55f7f5ce36719b8e302a78bc1388bf72774

Download Submit