Analysis
- max time kernel: 179s
- max time network: 139s
- platform: android_x86
- resource: android-x86-arm-20240514-en
- resource tags: android, arch:arm, arch:x86, image:android-x86-arm-20240514-en, locale:en-us, os:android-9-x86, system
- submitted: 23-05-2024 23:00
Tasks
- Static task static1
- Behavioral task behavioral1
  Sample: 6c8c5ee755b8c13adde612c32c5483fd_JaffaCakes118.apk
  Resource: android-x86-arm-20240514-en
- Behavioral task behavioral2
  Sample: monkey.apk
  Resource: android-x86-arm-20240514-en
- Behavioral task behavioral3
  Sample: monkey.apk
  Resource: android-x64-20240514-en
- Behavioral task behavioral4
  Sample: monkey.apk
  Resource: android-x64-arm64-20240514-en
- Behavioral task behavioral5
  Sample: gdtad.apk
  Resource: android-x86-arm-20240514-en
- Behavioral task behavioral6
  Sample: gdtad.apk
  Resource: android-x64-20240514-en
- Behavioral task behavioral7
  Sample: gdtad.apk
  Resource: android-x64-arm64-20240514-en
General
- Target: 6c8c5ee755b8c13adde612c32c5483fd_JaffaCakes118.apk
- Size: 1.8MB
- MD5: 6c8c5ee755b8c13adde612c32c5483fd
- SHA1: da914950b7882c9b0503d75eec3e8fee807d7a86
- SHA256: ccc1f3b420bf31873185ae52a0404e8b8c0416fcf170a0bbe7531f77e8a637c0
- SHA512: a632eb3385f031b5b2f90aa6514d3729d5e28bd92c0aff14d7f7ee88db1a77b3fc7bb2bba1778e8e318996e879617a192e656a0e5c0d81747011403ab234f97f
- SSDEEP: 49152:9u0Gtim4MuvOtBhrBSk+sLB0GtX0rmdgOavqGm1Q31B:90imFuvYBb+sL5krq/7E1B
Malware Config
Signatures

- Makes use of the framework's Accessibility service (4 TTPs, 2 IoCs)
  Retrieves information displayed on the phone screen using AccessibilityService.
  Processes: sniss.esfd.trvpd
  - description: Framework service call; ioc: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId; process: sniss.esfd.trvpd
  - description: Framework service call; ioc: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText; process: sniss.esfd.trvpd

- Checks CPU information (2 TTPs, 1 IoC)
  Checks CPU information that indicates whether the system is an emulator.
  Processes: sniss.esfd.trvpd
  - description: File opened for read; ioc: /proc/cpuinfo; process: sniss.esfd.trvpd

- Loads dropped Dex/Jar (1 TTP, 2 IoCs)
  Runs an executable file dropped to the device during analysis.
  Processes: sniss.esfd.trvpd
  - ioc: /data/user/0/sniss.esfd.trvpd/app_ariqe/classes.jar; pid: 4259; process: sniss.esfd.trvpd
  - ioc: /data/user/0/sniss.esfd.trvpd/app_ariqe/classes.jar; pid: 4259; process: sniss.esfd.trvpd

- Makes use of the framework's foreground persistence service (1 TTP, 1 IoC)
  Application may abuse the framework's foreground service to continue running in the foreground.
  Processes: sniss.esfd.trvpd
  - description: Framework service call; ioc: android.app.IActivityManager.setServiceForeground; process: sniss.esfd.trvpd

- Queries information about the current Wi-Fi connection (1 TTP, 1 IoC)
  Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
  Processes: sniss.esfd.trvpd
  - description: Framework service call; ioc: android.net.wifi.IWifiManager.getConnectionInfo; process: sniss.esfd.trvpd

- Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTP, 1 IoC)
  Processes: sniss.esfd.trvpd
  - description: Framework service call; ioc: android.app.IActivityManager.registerReceiver; process: sniss.esfd.trvpd

- Checks if the internet connection is available (1 TTP, 1 IoC)
  Processes: sniss.esfd.trvpd
  - description: Framework service call; ioc: android.net.IConnectivityManager.getActiveNetworkInfo; process: sniss.esfd.trvpd

- Domain associated with commercial stalkerware software, includes indicators from echap.eu.org (1 IoC)
  Processes:
  - flow: 9; ioc: alog.umeng.com

- Reads information about phone network operator (1 TTP)

- Requests dangerous framework permissions (3 IoCs)
  Processes:
  - description: Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device; ioc: android.permission.READ_PHONE_STATE
  - description: Allows an app to access approximate location; ioc: android.permission.ACCESS_COARSE_LOCATION
  - description: Allows an application to write to external storage; ioc: android.permission.WRITE_EXTERNAL_STORAGE

- Uses Crypto APIs (might try to encrypt user data) (1 TTP, 1 IoC)
  Processes: sniss.esfd.trvpd
  - description: Framework API call; ioc: javax.crypto.Cipher.doFinal; process: sniss.esfd.trvpd
Processes
- sniss.esfd.trvpd (PID: 4259)
  - Makes use of the framework's Accessibility service
  - Checks CPU information
  - Loads dropped Dex/Jar
  - Makes use of the framework's foreground persistence service
  - Queries information about the current Wi-Fi connection
  - Registers a broadcast receiver at runtime (usually for listening for system events)
  - Checks if the internet connection is available
  - Uses Crypto APIs (might try to encrypt user data)
Network
MITRE ATT&CK Mobile v15
- Persistence
  - Event Triggered Execution (1)
    - Broadcast Receivers (1)
  - Foreground Persistence (1)
- Defense Evasion
  - Download New Code at Runtime (1)
  - Foreground Persistence (1)
  - Input Injection (1)
  - Virtualization/Sandbox Evasion (1)
    - System Checks (1)
- Discovery
  - System Information Discovery (1)
  - System Network Configuration Discovery (1)
  - System Network Connections Discovery (2)
Downloads
- /data/data/sniss.esfd.trvpd/app_ariqe/classes.jar
  Filesize: 70KB
  MD5: d9c5bcd8c6a7f570faafd30c061e52e2
  SHA1: 104d861968bb4e2d4a1c6168edeb43ac83b57fde
  SHA256: 8e6ccaa25db68ccff78aa94a9dbb30693d446e8f80d2dd33f0f11a531b903713
  SHA512: 91e57402fc0cb8d8093c65356c818bf7d0dc7ec6d35fdef404b0e69844f6fe5b8280d5c388880d44cb2cf168d4708a3efcbb33e57fa6dc85eba2e411e3087014
- /data/data/sniss.esfd.trvpd/app_ariqe/oat/classes.jar.cur.prof
  Filesize: 241B
  MD5: 5deb60c646836268e0ab87d673496998
  SHA1: 9f3ff6f70555b6daf82d1bd1cbdd51527f4f5782
  SHA256: aa8bd1d3b9c0d11c8b505e3c0c29651b66de67f19297ecd0109817b06092d599
  SHA512: cc35b8971402c63fa81b4ac693993cc3f7b40bf5e1e9d4e483295775211f2a7eb8985652f4585e6476eabff1011f69560d82dba6913378c3da3b9fb6d1b854c2
- /data/data/sniss.esfd.trvpd/app_bin/daemon
  Filesize: 13KB
  MD5: 826396608fe8f50d57c82682dbc5699f
  SHA1: 415ab4019f3f0d5e49f15656c579f143a4f13459
  SHA256: 7a0ca85904df1f5a669bb7ac061738ff5350cd3cf472f858c942e53d74c337a7
  SHA512: 59f1c75a99daa7986c42bec130b66cd7be8a41749a58dce1aa911b7ca9376902cbf63c3b4c3b1ee67e1792b42e3f82a5949a8fd05204acdc8dec42f69529709c
- /data/data/sniss.esfd.trvpd/databases/dblfc
  Filesize: 4KB
  MD5: f2b4b0190b9f384ca885f0c8c9b14700
  SHA1: 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
  SHA256: 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
  SHA512: ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1
- /data/data/sniss.esfd.trvpd/databases/dblfc-journal
  Filesize: 512B
  MD5: df8da2a61cfe729aa9ece02bcda61d0b
  SHA1: 6de79915b8c234151bae968861fca06e8bbca793
  SHA256: d2db2ff6b317f7a5a441b7d6655eca119162de6c0ac9ed352bbcbec368cf2291
  SHA512: db5199adb14d1279f2f9d98efaee20126cbc3b16d3d899bf2f286a82f8223560b4f8b25a5161ea2f731a8b1516f4672e00894d93e78299596f99d9eddafd8786
- /data/data/sniss.esfd.trvpd/databases/dblfc-shm
  Filesize: 32KB
  MD5: bb7df04e1b0a2570657527a7e108ae23
  SHA1: 5188431849b4613152fd7bdba6a3ff0a4fd6424b
  SHA256: c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
  SHA512: 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012
- /data/data/sniss.esfd.trvpd/databases/dblfc-wal
  Filesize: 221KB
  MD5: afc91cba71a91401c1d4b05fa05087f6
  SHA1: 9159978b84b38444d878434855ae152e9b1d91f4
  SHA256: c7ca61922f653271c2b66671692cbcd194b393f0e1ee457b0257e5b6de697f36
  SHA512: 3ec003e741ac24204513d8c449c07f8b1bd313501c9027158cb1500b9a8a6533dea1c8260d7306b05572c62ac4bfcd9be721ee763d15f03b133a2ea726391bce
- /data/data/sniss.esfd.trvpd/files/.um/um_cache_1716505307130.env
  Filesize: 603B
  MD5: 26995ebf28c4ce0db3c74499f2e66460
  SHA1: 6925a51be40430890210beef081b22607978b34a
  SHA256: bb38e239d65827f1299793de12b7bee08422e3748c92451bd043423ccf8d7676
  SHA512: 49b8a980fd208f246a12f11509996225c9b3de53fff5b5daf5e548c37c7ac51b0d599d4a15b58ce653e3911e24cc1fc0affc6fba44d635479427a0e11e76c531
- /data/data/sniss.esfd.trvpd/files/umeng_it.cache
  Filesize: 310B
  MD5: d51d876d08063f5504fd03d8a5f302e8
  SHA1: fa9f2cb4b69d74ef1d331705cd0ca41f8540be59
  SHA256: 4dd5982cf3fe4d6927e175ca87fdf96c85651fa5fe84b54fa0f46065932b9e4d
  SHA512: 08c888c6331b7c03d2a4f48a82391c7a7fecc2106d44eb1b8ad95d28d7204a8d0f68f792a6e4e5e8bef04112c064ccdc8f5903053106c9b0f589db462a486c08
- /data/user/0/sniss.esfd.trvpd/app_ariqe/classes.jar
  Filesize: 166KB
  MD5: 4aaa8fc3aeda5693668d47ad5d083b47
  SHA1: 4edbdf41127a8912a79bc37633905c8408747981
  SHA256: abb2b05fa723a309c0dd8cbf5d2e0b9139acd836db2257c6ab156ee331a22b1d
  SHA512: 7fd49d13bf9e48f169501155cab15bd6b3a0156b80815580dc32c3bfe46f244a22327b5dfe8a983e94c32f995afdb5524fd9e4cca3faabc4feab4dfe44c1b81a
- /storage/emulated/0/apk/ad.apk
  Filesize: 139KB
  MD5: 5f0944504b514eefc15612d33d6aef01
  SHA1: 13d3dfd0b368c7b7bdac29b30131a2ca74f1736a
  SHA256: b5c5b1351a962a2e001ea75516734d1ed4c3a8c9c39dc8c498d4b68c9ceb55c2
  SHA512: 06b28c505bff8b431faaa411b15028e9d33e2be806e20e62071fbf78257f2a358e3010347d71a3a4a53d30d99986604f54884941bb6b3975fe57dbb763db35af