Analysis
max time kernel: 176s
max time network: 184s
platform: android_x64
resource: android-33-x64-arm64-20240624-en
resource tags: android, arch:arm64, arch:x64, image:android-33-x64-arm64-20240624-en, locale:en-us, os:android-13-x64, system
submitted: 01-07-2024 10:07
Static task: static1

Behavioral task: behavioral1
Sample: 1ae1b75dd2f5f25b080f7c61620ec879_JaffaCakes118.apk
Resource: android-x86-arm-20240624-en

Behavioral task: behavioral2
Sample: 1ae1b75dd2f5f25b080f7c61620ec879_JaffaCakes118.apk
Resource: android-33-x64-arm64-20240624-en

Behavioral task: behavioral3
Sample: res.apk
Resource: android-x86-arm-20240624-en

Behavioral task: behavioral4
Sample: res.apk
Resource: android-x64-20240624-en

Behavioral task: behavioral5
Sample: res.apk
Resource: android-x64-arm64-20240624-en
General
Target: 1ae1b75dd2f5f25b080f7c61620ec879_JaffaCakes118.apk
Size: 3.0MB
MD5: 1ae1b75dd2f5f25b080f7c61620ec879
SHA1: 9ddd1e796dce1636b69173cb54b70411f15bd0e4
SHA256: 60d72131839de9f12c9bafbbd12973b2e8f2c07574ea120e81442b6abb3238a9
SHA512: 31023596c9ee5ecc4b3af58d717aa90322b38ab8b87d630436862d66012da8c8b1a7b622de13beb7cc849beba3e62d99e4b884fc166a6f64c68df4e024eba844
SSDEEP: 98304:TyShn42D6nAwnFoW4pRjuftK0nWbD6qBalqBau:GShn5GA8FoKfXGqNu
Malware Config
Signatures

- Checks if the Android device is rooted. (1 TTPs, 2 IoCs)
  Processes: com.jy2gbb.bt.qipa, com.snowfish.a.a.bg
  ioc: /system/bin/su (process: com.jy2gbb.bt.qipa)
  ioc: /system/bin/su (process: com.snowfish.a.a.bg)

- Checks known Qemu files. (1 TTPs, 2 IoCs)
  Checks for known Qemu files that exist on Android virtual device images.
  Processes: com.jy2gbb.bt.qipa, com.snowfish.a.a.bg
  ioc: /sys/qemu_trace (process: com.jy2gbb.bt.qipa)
  ioc: /sys/qemu_trace (process: com.snowfish.a.a.bg)

- Checks known Qemu pipes. (1 TTPs, 2 IoCs)
  Checks for known pipes used by the Android emulator to communicate with the host.
  Processes: com.jy2gbb.bt.qipa, com.snowfish.a.a.bg
  ioc: /dev/socket/qemud (process: com.jy2gbb.bt.qipa)
  ioc: /dev/socket/qemud (process: com.snowfish.a.a.bg)

- Loads dropped Dex/Jar (1 TTPs, 2 IoCs)
  Runs executable file dropped to the device during analysis.
  Processes: com.jy2gbb.bt.qipa, com.snowfish.a.a.bg
  ioc: /storage/emulated/0/Sonnenblume/res.apk (pid: 4319, process: com.jy2gbb.bt.qipa)
  ioc: /storage/emulated/0/Sonnenblume/res.apk (pid: 4639, process: com.snowfish.a.a.bg)

- Obtains sensitive information copied to the device clipboard (2 TTPs, 1 IoCs)
  Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

- Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 TTPs)

- Queries the phone number (MSISDN for GSM devices) (1 TTPs)

- Queries information about active data network (1 TTPs, 1 IoCs)
  Processes: com.jy2gbb.bt.qipa
  description: Framework service call; ioc: android.net.IConnectivityManager.getActiveNetworkInfo (process: com.jy2gbb.bt.qipa)

- Listens for changes in the sensor environment (might be used to detect emulation) (1 TTPs, 1 IoCs)
  Processes: com.jy2gbb.bt.qipa
  description: Framework API call; ioc: android.hardware.SensorManager.registerListener (process: com.jy2gbb.bt.qipa)

- Uses Crypto APIs (might try to encrypt user data) (1 TTPs, 1 IoCs)
  Processes: com.jy2gbb.bt.qipa
  description: Framework API call; ioc: javax.crypto.Cipher.doFinal (process: com.jy2gbb.bt.qipa)

- Checks CPU information (2 TTPs, 2 IoCs)

- Checks memory information (2 TTPs, 2 IoCs)
Processes

- com.jy2gbb.bt.qipa
  - Checks if the Android device is rooted.
  - Checks known Qemu files.
  - Checks known Qemu pipes.
  - Loads dropped Dex/Jar
  - Obtains sensitive information copied to the device clipboard
  - Queries information about active data network
  - Listens for changes in the sensor environment (might be used to detect emulation)
  - Uses Crypto APIs (might try to encrypt user data)
  - Checks CPU information
  - Checks memory information

- com.snowfish.a.a.bg
  - Checks if the Android device is rooted.
  - Checks known Qemu files.
  - Checks known Qemu pipes.
  - Loads dropped Dex/Jar
  - Checks CPU information
  - Checks memory information
Network
MITRE ATT&CK Matrix
Downloads

- /data/user/0/com.jy2gbb.bt.qipa/app_tbs/core_private/debug.conf
  Filesize: 101B
  MD5: fdd6bfd583923416ead0a4af7677b804
  SHA1: 6191ebc27235d2a89e36e7dd999fd3c6a684cf07
  SHA256: 9c44604f42f8c0490e6f16a7292fbf081a371409949f674ec525fbf1e9b83084
  SHA512: 648379d771b61cd40ee23163741cfe68c8f781e0dbabc516732c5d9ba5ee1f9d76fb3ddac4a44e62ed9fe6117dc534f8f8224ab158fb05f87f99f3bf92f6d39b

- /data/user/0/com.jy2gbb.bt.qipa/databases/outdbName.db
  Filesize: 36KB
  MD5: 61dd02b32afac0acec4567622ad36dd4
  SHA1: 9ca96464709fbb2fa2b7bcac15a66f61e9f3986d
  SHA256: 29de2c0e67eac82b07ccb50d5bdb70481a5b54965483d3a27db36fab48135cf1
  SHA512: aeeb4911fab686bc5b80647bc5a932680f49b3520305d1b45ae46e7007d6078020c966e7942231565845e29893d2f55ccbf56710edda57fd302723b40d77115a

- /data/user/0/com.jy2gbb.bt.qipa/databases/outdbName.db-journal
  Filesize: 512B
  MD5: 5ac637527942c3ec2276981472da0f62
  SHA1: 145499d3de8f33e1b50a7ad2351a35473923dc2f
  SHA256: 9eb3bba661b7d5ad1c49795d43c6db5182c082d1a2d046394a541da46ab5c8ae
  SHA512: c807e13a265724477813013e34dbf9523d2678654bca95acc514306ebace17d1d2934eb7e60b6eb189c1080b86bc70403981f80a642185e5e7774660c4ff41e3

- /data/user/0/com.jy2gbb.bt.qipa/databases/outdbName.db-journal
  Filesize: 8KB
  MD5: 8530e2865849d5e4a109d1d5b90395b9
  SHA1: b7a418aea42e226757d55f89e7cd2382141d0212
  SHA256: 13f4193e8613a0aa34ee23833b901535bda6a10a1b095e8f9ef86d222a117b25
  SHA512: 110d60e0fccc9858ea99688b774ddd86ae208eb8bed88fcc2c165da73ed668b45de4aa6504962ba8a0e5aef2e253d67380fb74bced5b4c6ceb2c6d3c6f9f980f

- /data/user/0/com.jy2gbb.bt.qipa/databases/outdbName.db-journal
  Filesize: 8KB
  MD5: 2439f5982eba163a5c0a15ba9d3808b4
  SHA1: c690741bc162ff316808dcb60c54e87e7b22e7cc
  SHA256: db56c5f41e210ee61e74fff469b5ace319678f171299a8a1dfa5328670aed810
  SHA512: 8873507fc8d6c61a0f3491b34130157333aacc13ffeea7e77b0bf98f53748460848c0b73c0d894341c2412203d44e2af422050670744710d052305ff83caba9b

- /data/user/0/com.jy2gbb.bt.qipa/files/duration
  Filesize: 12B
  MD5: 37afb0c21352c464e6f2706899920c02
  SHA1: fbf2224d316e6f81de498c7ecd5d658e97e5aa69
  SHA256: fe8e177f3f139992e4e54068495fd1863f59c2542db81a6354ac69f92a34f4c5
  SHA512: 9c47519fa9d1bbcc96e3817753b6231c38d721b835988c872309415efe932ea2d8be84584ed2e19e337ad8ab861b4e5aebb812dc517675b91edcb0efae10146a

- /data/user/0/com.jy2gbb.bt.qipa/files/duration
  Filesize: 12B
  MD5: 773e10e858a5efc21468beeb91fc6a9a
  SHA1: c49fef2163fbc0592a8d8e980291ed8451013fa3
  SHA256: 9d3b6957355a78774a4c51f714c5b21cf5446f778899341028ef0165cc0504e9
  SHA512: 5dcd9879ea58e2ed5ae25502c33379093dc3836acc2bca99f93e5e2a45b0b2e71dc3ebba496178f6e6b5b038148add460f6db9bc3931dc4505538a24b7dd28cf

- /data/user/0/com.jy2gbb.bt.qipa/files/duration
  Filesize: 12B
  MD5: c60d10614436521b84a9db08919003e6
  SHA1: 682744ff710d99496d79a3dedf9faf3649568ad8
  SHA256: 0e5f03d34fc2a9d1b7fd9493b76fdd52940e0c0fc2805884e936776848bad7bd
  SHA512: ec595a629d92e6ad245ac243787166ba1f1951f034a6931b411713c69ebf5d8332c0771fd0eb56f0c9358e540b95a31d19d7a71dca5ff986bbe14ef5d67c0538

- /data/user/0/com.jy2gbb.bt.qipa/files/duration
  Filesize: 12B
  MD5: 5aaf463309474062987673c9421df3b5
  SHA1: d1ef2cd5f38f189627248d4f805a2e1efe782412
  SHA256: 35f6468276c3946232b830e873c77937255c3134ccabe741dc00ac5b90eb0e7f
  SHA512: e8a7cf068eaccc0ac5b64d20a1d3e9959e0c732f5a2b58c63d95a549df54db676a4e8da30f6155adc1e07e513a66f6eba05f3c830748d53d0b5a9bebfeb493ef

- /data/user/0/com.jy2gbb.bt.qipa/files/duration
  Filesize: 12B
  MD5: 36d99c4ea209bd654348fb0d12a7bcd0
  SHA1: 978b2694da6a4c580065840b7e4d27879be02dbc
  SHA256: e8b5386a807b42ebead06b5e4cf27724bcb12d5c6480ed6523e80db4ea792b43
  SHA512: 52f5e1a7ae9e7bec51c81504c0f6c23b1fb572bb807635e250d269466caf9e42f46ac5b60b365986e5b55bccaa1636e439d24a36b5562109d379b287eff203da

- /data/user/0/com.jy2gbb.bt.qipa/files/duration
  Filesize: 12B
  MD5: a9b113285391cbd595ad0c7a3b8922f8
  SHA1: bb37a7654a497c4f84c49bbd24a0b1311a125f72
  SHA256: 7dfae74eb3f6ed495c76524083c24f965be6f6372add70f5d1dc9e1a9c515b9f
  SHA512: 4274f396f0b8652356d17f72be3bd918731878c43f5709a90aab09f19fe98497ef22e5c43a916d1f2ca6f38cb596e3b5cefa58610ccd4ff6b84e98f8756d2cd6

- /data/user/0/com.jy2gbb.bt.qipa/files/st_database.db
  Filesize: 28KB
  MD5: b4796b4f539187b2db81ccb62c251de0
  SHA1: f19cd044e00920e0eccc3d9638b6be82701aa52f
  SHA256: 4176583280ead1e38f999cab285219396459a554dda49a8a0d78fdec1459c677
  SHA512: b120a5f7c82bd3b633a9dcd1b8fbaaf6d7a43eb3338df6779cd84b9663988b4cea696be9e8a065c65180b723e12adb870d630c221aa61e1d76fd462396d8b825

- /data/user/0/com.jy2gbb.bt.qipa/files/st_database.db-journal
  Filesize: 512B
  MD5: 06b660a398da0004408113550167dffb
  SHA1: 4df4cf0f48e0ca54882d64f2a00ccb4406a43a8b
  SHA256: d215345b281044485409e26d942b534a953150242f028262011a9099a965b34a
  SHA512: b28f6c4cfcc91423364c29a49e3885097400f842773f90b34eaff9cb86c5ed67a746e192157ccee8462c81261f0ea59913fc9c2c8ad49d78b4a34035ce11e875

- /data/user/0/com.jy2gbb.bt.qipa/files/st_database.db-journal
  Filesize: 8KB
  MD5: d0604a6526288d8b151446956493b176
  SHA1: 66dee805fcb44dc998879ecc1ea852744ad4897c
  SHA256: 81c14d858c5491f9bed8ab629c499f6ee1f29fb97a3880555cfb4238d27c76d4
  SHA512: 22ddc1c3696d068be6731d1ed8ade0c4cf413bf719d64ff31f15fc45532f70f99fdda40cae4f65cb5828a36bd56150bf3d535afafdef12432c2a6d0e3800df69

- /data/user/0/com.jy2gbb.bt.qipa/files/st_database.db-journal
  Filesize: 8KB
  MD5: c55a4c87aff4886ccd310a29fc8a5075
  SHA1: 80d56413a0771f0acf0d6308dc254e9e6e894e53
  SHA256: f615004b57dac6102d3516f7f1b4ce4524f2980f4f6eed558d3eaa07b388d1f4
  SHA512: 8c4b68f5c9d6d3c7d5153db1b7f50a8ad096a6ddffab6c221fe583ba96ab8ee562e12b0344f153785fbe3239ebc1c14823b414fcf07d1254f6b39ff93e223a5e

- /data/user/0/com.jy2gbb.bt.qipa/files/st_database.db-journal
  Filesize: 12KB
  MD5: 127ab6e75226c391329007aa1fe11157
  SHA1: 1ff911a952524926754801c0c4ad6abde763ee3e
  SHA256: 23099522dafbd49ab6952b609051bdb9ca7603e4c2b7b2d82896b25835869f7a
  SHA512: 047c933c048ee80a01b14829da8719b9f4637c1bfda3d00d7465559ab7ff0f2a2dca4f272fe291439d131e3a8c5942a255873309d0a162b2dfd80ac060beac38

- /storage/emulated/0/Android/data/com.jy2gbb.bt.qipa/files/tbslog/tbslog.txt (deleted)
  Filesize: 8KB
  MD5: bf2a6d41d3f7d2ce24f74e13bece317e
  SHA1: 15525581e0350baf7be5dc5328eedd4d8ee90a46
  SHA256: e3724667cb669cbb68d6e0603b95a32b726a37d172312fd8587ff07205a8215c
  SHA512: 69c198c2b4d285ed18602d98217261e81a5b5b6366c7ffd9ac616c110af5361b112ce7ee4f76765ad60215a070651906a35a1467d15e3a5ba3a8c015582ff98e

- /storage/emulated/0/Sonnenblume/4A72F2DFFDBD84EB0C5C797BB76AFC44
  Filesize: 129B
  MD5: 497a4832059cdfff54db30f9e410c746
  SHA1: 589d663616cd668a2534bb4c9483b809515e3fbb
  SHA256: 3b4a4a590186be86d590df0d26aba9e7885f017b672ae2b4859931882af64c6e
  SHA512: bfac611ba44864877fe5b641d04fc48efc562b2deff2a67b3bada8c5c14c9146f6635219ac4f8516650e202a9111a3c62ad1771f2a2891a3bbbe8f0f27dcfd78

- /storage/emulated/0/Sonnenblume/EE53AF5B170264468E95E783E26D76C2
  Filesize: 317B
  MD5: 07c98b387cdc56fca803c10614c65ae5
  SHA1: 3890f536d958d65a24d4bbf1ea6afb621e4e10ee
  SHA256: a41028c8cf77ce28da38707935d30da5468bb227833256eaa8a9d0449e7c702c
  SHA512: 014c70057d023312084e5d3b3e346ede164696c4697271e736129e9823783ae9312b1b33b47e72f4d8b0501ae7ae878bdd6f558da520b1f376eead73db1b8b60

- /storage/emulated/0/Sonnenblume/kb_sn.ini
  Filesize: 40B
  MD5: bb266441eae2a53a7c83222f93d15eb7
  SHA1: f812d8dbbb318ed970b637b704f05b10e02673c3
  SHA256: c20a14bb04b4b4d31c74593206c07d045f2df10c928401a94ef8eccfa23d73d6
  SHA512: c5296aceb9d9453a25bb781537e3b521a1a8065ead8bd305fa483f837825d715444943a4faa883e657c767502239838073c9271715fb8cec8d5f80d3afaf0d53

- /storage/emulated/0/Sonnenblume/res.apk
  Filesize: 433KB
  MD5: 2639a7fafd82266d6313f59ac1c927cd
  SHA1: 1a0d135ed060c236ec35aedf25ae2b481e0c226f
  SHA256: e653eba8ee86ca07139b427c3366b10245abb9e694db6412a1811726381830f2
  SHA512: e0578d5369a81710ee3ccb2b5dfe5633e830caba079f41761fff94480ff7b33fd965aaa75a17b839e377a640404a2aff2b4c503ebf06a8c78f428541ef60c00e

- /storage/emulated/0/Sonnenblume/res.apk.u
  Filesize: 205KB
  MD5: dafb7d4b90ea8d376128c625183dd9ad
  SHA1: 883c9b0586e740e9fb976d27a437e84fc26e92fd
  SHA256: 07be7e035e50b372d700b7cc148515a26b0775b2b485e50895988753fe24b12b
  SHA512: 56deefb30f358f2d404c93725f331374f0878b8121d95412ab1b1299364b2eea2b7fe179e21bbe96f4076300556a09f55825118ff67b401504c2f3b82af6b13b

- /storage/emulated/0/system_hs/303/outdbName.db
  Filesize: 36KB
  MD5: ffe2f40ab25acc273fd669a203608468
  SHA1: ae0b67b24ec2a81a6a738e3d48cca5228111fa68
  SHA256: dc19be2c949bcf172da306007a5deb126daae406129c174b573d3858d04f2f83
  SHA512: 191ed7bb5d2d0c083143271da4d8dc03663370dfd0a5537a240fa8bca73cc7c943f12ffc822b55bdfd553314548e98728e97b9e5358ec78630171594a3bc8004