Analysis

- max time kernel: 178s
- max time network: 186s
- platform: android_x86
- resource: android-x86-arm-20240514-en
- resource tags: android, arch:arm, arch:x86, image:android-x86-arm-20240514-en, locale:en-us, os:android-9-x86, system
- submitted: 22-05-2024 16:38
Static task: static1

Behavioral task: behavioral1
- Sample: 67e84dd8c7f2a6262641abe48d71aba4_JaffaCakes118.apk
- Resource: android-x86-arm-20240514-en

Behavioral task: behavioral2
- Sample: 67e84dd8c7f2a6262641abe48d71aba4_JaffaCakes118.apk
- Resource: android-x64-20240514-en
General

- Target: 67e84dd8c7f2a6262641abe48d71aba4_JaffaCakes118.apk
- Size: 11.3MB
- MD5: 67e84dd8c7f2a6262641abe48d71aba4
- SHA1: a47dea52dc80790f71455d46ab618fa4fb7f7bb9
- SHA256: 9dd491c7b307356ab2f8261f31bddbba04d924191ea4ae549dc648e9b6ccba70
- SHA512: 878cbfb963ba5523ff0a9b483f9029444b67a32616af46687f0cab27b7de375477a537bdebf69dbf1d90195beef56fcb0719bd97e26e265fbf3fdd05fb0653a6
- SSDEEP: 196608:bgahbthTS63r5kVHzh1eQe4lf0GZhGYpaw/5c4Qksa1kLuSYBMwo9zmM+GPoS:bgahRhOsWOw0Gfac5c4MI8eUI7GPl
Signatures

- Checks if the Android device is rooted. (1 TTPs, 3 IoCs)
  Processes:
  - com.qy.clztc: /system/bin/su
  - com.qy.clztc: /system/xbin/su
  - com.qy.clztc: /sbin/su
- Checks known Qemu files. (1 TTPs, 3 IoCs)
  Checks for known Qemu files that exist on Android virtual device images.
  Processes:
  - com.qy.clztc: /sys/qemu_trace
  - com.qy.clztc: /system/bin/qemu-props
  - com.qy.clztc: /system/lib/libc_malloc_debug_qemu.so
- Checks known Qemu pipes. (1 TTPs, 2 IoCs)
  Checks for known pipes used by the Android emulator to communicate with the host.
  Processes:
  - com.qy.clztc: /dev/qemu_pipe
  - com.qy.clztc: /dev/socket/qemud
- Checks memory information (2 TTPs, 1 IoCs)
  Checks memory information which indicates whether the system is an emulator.
- Queries information about running processes on the device (1 TTPs, 1 IoCs)
  Application may abuse the framework's APIs to collect information about running processes on the device.
  Processes:
  - com.qy.clztc: Framework service call android.app.IActivityManager.getRunningAppProcesses
- Queries information about the current Wi-Fi connection (1 TTPs, 1 IoCs)
  Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
  Processes:
  - com.qy.clztc: Framework service call android.net.wifi.IWifiManager.getConnectionInfo
- Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTPs, 1 IoCs)
  Processes:
  - com.qy.clztc: Framework service call android.app.IActivityManager.registerReceiver
- Checks if the internet connection is available (1 TTPs, 1 IoCs)
  Processes:
  - com.qy.clztc: Framework service call android.net.IConnectivityManager.getActiveNetworkInfo
- Reads information about phone network operator. (1 TTPs)
- Uses Crypto APIs (Might try to encrypt user data) (1 TTPs, 1 IoCs)
  Processes:
  - com.qy.clztc: Framework API call javax.crypto.Cipher.doFinal
Processes

com.qy.clztc
- Checks if the Android device is rooted.
- Checks known Qemu files.
- Checks known Qemu pipes.
- Checks memory information
- Queries information about running processes on the device
- Queries information about the current Wi-Fi connection
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Checks if the internet connection is available
- Uses Crypto APIs (Might try to encrypt user data)
Downloads

- /data/data/com.qy.clztc/app_crashrecord/1004 (58B)
- /data/data/com.qy.clztc/app_crashrecord/1004 (221B)
- /data/data/com.qy.clztc/databases/bugly_db_ (4KB)
- /data/data/com.qy.clztc/databases/bugly_db_-journal (512B)
- /data/data/com.qy.clztc/databases/bugly_db_-shm (32KB)
- /data/data/com.qy.clztc/databases/bugly_db_-wal (76KB)
- /data/data/com.qy.clztc/databases/tencent_analysis.db-journal (512B)
- /data/data/com.qy.clztc/databases/tencent_analysis.db-wal (60KB)
- /data/data/com.qy.clztc/files/com.tencent.open.config.json.1108944078 (1KB)
- /data/data/com.qy.clztc/files/jpush_stat_history/active_user/nowrap/d4be915a-9fe5-4c13-b579-88c07f1ae225 (159B)
- /data/data/com.qy.clztc/files/jpush_stat_history/normal/nowrap/01fa3ec6-776b-4584-88e6-11c1ee547ed6 (202B)
- /data/data/com.qy.clztc/lib-main/dso_deps (264B)
- /data/data/com.qy.clztc/lib-main/dso_manifest (5B)
- /data/data/com.qy.clztc/lib-main/dso_state (1B)
- /data/data/com.qy.clztc/lib-main/dso_state (1B)
- /data/data/com.qy.clztc/no_backup/com.google.InstanceId.properties (2KB)
- /storage/emulated/0/data/.push_deviceid (32B)