455358563692c9b51e9ab8605dfd77b29bf07ef62c95c63500ea6dbba5cd9196

Analysis

max time kernel
177s
max time network
185s
platform
android_x86
resource
android-x86-arm-20240514-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20240514-enlocale:en-usos:android-9-x86system
submitted
24/05/2024, 20:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6fcae32cd56b5b6b17d1d4367722c0b1_JaffaCakes118.apk
Size

24.6MB
MD5

6fcae32cd56b5b6b17d1d4367722c0b1
SHA1

c5ce08c9f6db0d4b877c68da91677d633614bb0e
SHA256

455358563692c9b51e9ab8605dfd77b29bf07ef62c95c63500ea6dbba5cd9196
SHA512

7ec9ce2fe44c6fae9ae3f75a1614c881fa41a0f1edb6738fdcf0bb1a451d5bd32b51c8addfc401c391f4844de45fee0d5eb5896011161534dc81eea2175cc63e
SSDEEP

786432:Rp6RZMquMX3Xa8OMsgbH+0fipk+YS+9whOZp:upCMeVpk+YS+Ie

Score

8^/10

collection discovery evasion impact persistence

Malware Config

Signatures

Requests cell location 2 TTPs 1 IoCs

Uses Android APIs to to get current cell location.

collection discovery evasion

Location Tracking

T1430

Geofencing

T1627.001

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getCellLocation	com.yzzs

Checks CPU information 2 TTPs 1 IoCs

Checks CPU information which indicate if the system is an emulator.

evasion discovery

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	com.yzzs

Queries information about running processes on the device 1 TTPs 3 IoCs

Application may abuse the framework's APIs to collect information about running processes on the device.

discovery

Process Discovery

T1424

description	ioc	Process
Framework service call	android.app.IActivityManager.getRunningAppProcesses	com.yzzs
Framework service call	android.app.IActivityManager.getRunningAppProcesses	com.yzzs:ipc
Framework service call	android.app.IActivityManager.getRunningAppProcesses	io.rong.push

Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs

Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

discovery

System Network Connections Discovery

T1421

description	ioc	Process
Framework service call	android.net.wifi.IWifiManager.getConnectionInfo	com.yzzs

Queries information about the current nearby Wi-Fi networks 1 TTPs 1 IoCs

Application may abuse the framework's APIs to collect information about the current nearby Wi-Fi networks.

discovery

System Network Connections Discovery

T1421

description	ioc	Process
Framework service call	android.net.wifi.IWifiManager.getScanResults	com.yzzs

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 2 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	com.yzzs:ipc
Framework service call	android.app.IActivityManager.registerReceiver	com.yzzs

Acquires the wake lock 2 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.yzzs
Framework service call	android.os.IPowerManager.acquireWakeLock	io.rong.push

Checks if the internet connection is available 1 TTPs 3 IoCs

discovery

System Network Connections Discovery

T1421

description	ioc	Process
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.yzzs
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.yzzs:ipc
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	io.rong.push

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org 1 IoCs

flow	ioc
16	alog.umeng.com

Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.yzzs

com.yzzs
1⤵
- Requests cell location
- Checks CPU information
- Queries information about running processes on the device
- Queries information about the current Wi-Fi connection
- Queries information about the current nearby Wi-Fi networks
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Acquires the wake lock
- Checks if the internet connection is available
- Uses Crypto APIs (Might try to encrypt user data)
PID:4268

com.yzzs:ipc
1⤵
- Queries information about running processes on the device
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Checks if the internet connection is available
PID:4301

io.rong.push
1⤵
- Queries information about running processes on the device
- Acquires the wake lock
- Checks if the internet connection is available
PID:4323

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Privilege Escalation

Defense Evasion

Execution Guardrails

T1627

Geofencing

T1627.001

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Discovery

Location Tracking

T1430

Process Discovery

T1424

System Information Discovery

T1426

System Network Configuration Discovery

T1422

System Network Connections Discovery

T1421

Lateral Movement

Collection

Location Tracking

T1430

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.yzzs/databases/UmengLocalNotificationStore.db

Filesize
4KB

MD5
f2b4b0190b9f384ca885f0c8c9b14700

SHA1
934ff2646757b5b6e7f20f6a0aa76c7f995d9361

SHA256
0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

SHA512
ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

Download Submit
/data/data/com.yzzs/databases/UmengLocalNotificationStore.db-journal

Filesize
512B

MD5
5e83d730a2442fad60cbd59f3f911504

SHA1
99983a6000edc4d92ba5ffd0d7f0fb64846aa62d

SHA256
ceed82f19573503665fb0a31e916a5e697a6089dcbe319543ef8208331b1bdab

SHA512
7e9107c8fb6f3e032d0c7fca68da85f1438418011cd57e5d66b59773a4c402a830da01486e215b1ba914536534c337f3dbcf03e2d6ad944915c2cd8d29d89a1f

Download Submit
/data/data/com.yzzs/databases/UmengLocalNotificationStore.db-shm

Filesize
32KB

MD5
bb7df04e1b0a2570657527a7e108ae23

SHA1
5188431849b4613152fd7bdba6a3ff0a4fd6424b

SHA256
c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

SHA512
768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Download Submit
/data/data/com.yzzs/databases/UmengLocalNotificationStore.db-wal

Filesize
40KB

MD5
d19ef26515cb9c582f1451370003ff87

SHA1
27ee9a4ed31d5849318df79129d2c75669c4c353

SHA256
9a6a7a7ff4f3a32aed43ddcb96a53a4f7ce5086d3d0577e9428f112508cf3462

SHA512
57667cb39f97cfe10e43ba40315167b052f086ac1f8990fe45556ffa86e5e454061475450bad8518e9ae1deb110442cc0a4f707ec7988edd17a2188cad46d096

Download Submit
/data/data/com.yzzs/databases/hmdb

Filesize
12KB

MD5
3fe30614d7e0d11db870b4624f6c50e0

SHA1
053ff0fc621ab40f2afeddb3e7b4a73ee41ec533

SHA256
67c532f0324228dd33b445cd399c1426e3a0e0cdc7b9358c66b402c5d40a838d

SHA512
c7c09e97a408e88aacaf8099ad4d1fa604d58113393500a384eb3c2eb7c3c105af41314934b86eca2f088045cbab5a20d768bbb295448dc1ae6cb6c3f59821ae

Download Submit
/data/data/com.yzzs/databases/hmdb-journal

Filesize
512B

MD5
b615d2977a05f16d4a5d6921cde42b16

SHA1
a70248662e9395616a37a00c58289453f7adc55c

SHA256
e5abf25fb15b611dfb8a59b12b1d7d04b4a27ebd989123663240a5e5282ee945

SHA512
08a7d4105bf2768bb7241b42ac847d490c7fed55c28a494bbc874aa9d94762637a31fd193e90c791f6274916fa941ea0c8cf19300704450c3bbbcc0716b8791c

Download Submit
/data/data/com.yzzs/databases/hmdb-wal

Filesize
16KB

MD5
8cb8a7aa087bb9426dbfe99df69fa40b

SHA1
b4a48ae98267a187df324ea871e02c5788cc9a60

SHA256
8fca4f5a7b38b715c6fa8d9352fb94f5c2f2db3c1dfef7cc6dabb0ea83911624

SHA512
e004d6f71a27ba97bf58121ea6e8ba9ad9cf257b09c0d91bd4d5362fea4767e01496551a5ef2d471949aeb51314591bddb6f7722c98c0be3aa0466f84c53bc83

Download Submit
/data/data/com.yzzs/databases/rong_version.db-journal

Filesize
512B

MD5
7ff1d98a3b202fca66802c3598bd7084

SHA1
5554e9ed3746081ea53466fed62a888dc8bb541b

SHA256
1a6336d7985dab459b4fe28034796dbd53ed5cb8f12ca2cc47b98f558112999f

SHA512
981c6f053dfc7c284517ac4ee80a52ee84b85a4bd927852807468c322ca841741fe99a7362146e838070bd28bc42f32b506b41905c59ee565e14cae86dc1be56

Download Submit
/data/data/com.yzzs/files/.um/um_cache_1716583573430.env

Filesize
609B

MD5
74cc38cacf4514746da209510493b338

SHA1
3dd5267c486e6b1cffc9ba6f82784b21df44ede5

SHA256
be00aac3aa1377d7e751ce3f8e8deb59933fe2bca81a04ec65c52eab38ac1464

SHA512
e573f8fb011ae8b8e44537a24e25b436dce42a5161cb1b369f86f2729e859573cbfd11710e0ac4ed82f0ba163684a306c7f3890810872d68f2c63e8650739e24

Download Submit
/data/data/com.yzzs/files/umeng_it.cache

Filesize
393B

MD5
daacd6e378c3d912bb3f6b174eca8ac6

SHA1
683f21dc51061d3972a73c2aab680b99ed12f4e5

SHA256
eb216915a80facbc4af32b7b5153d13195a4890f50cbcbb9b93a2614d9f9e445

SHA512
574bdcb0186f8197e4dc77b4f02ae246933bc5d66db8d36d48e62505bc770e627b9ad8e00222dc5b73c40c67a042abc8fe4ccbaaee8fa6c973d4dd20ca070237

Download Submit
/storage/emulated/0/.DataStorage/ContextData.xml

Filesize
65B

MD5
9781ca003f10f8d0c9c1945b63fdca7f

SHA1
4156cf5dc8d71dbab734d25e5e1598b37a5456f4

SHA256
3325d2a819fdd8062c2cdc48a09b995c9b012915bcdf88b1cf9742a7f057c793

SHA512
25a9877e274e0e9df29811825bd4f680fa0bf0ae6219527e4f1dcd17d0995d28b2926192d961a06ee5bef2eed73b3f38ec4ffdd0a1cda7ff2a10dc5711ffdf03

Download Submit
/storage/emulated/0/.DataStorage/ContextData.xml

Filesize
111B

MD5
3aa496057483e700aa2cb7ccc6837446

SHA1
482bdd8489114722f56c3d7e17a67d5ed281ee90

SHA256
b13dfe0770eabbba56131a7eadb80ac1508bcdd9b12a831b34ef9b708c3874ae

SHA512
ed8095911b064ff332e799fe96b5d8933d8130cd107ca963d82a585ce8da69ec6eaa21ea380727d5c837db146fd17d32bb6bef382f3a1e598e070102deba0089

Download Submit
/storage/emulated/0/.UTSystemConfig/Global/Alvin2.xml

Filesize
56KB

MD5
080dd281296ad10d723e618d28ef0425

SHA1
3bcb7e5149ef5eac10e1643f56707ea13bd7a828

SHA256
d9ccd333b0af05d9705e86116e2af90c372f4750a496ff3e2f3365a8b5799212

SHA512
a726fd0d1355828021f08911af6440d85ab89ec20c0a3081a8ec4484ad0f9d26340ff39f276f5bb5221d1c897e2099dd782626d817e4141393d23bb2a2fcb19a

Download Submit
/storage/emulated/0/.UTSystemConfig/Global/Alvin2.xml

Filesize
32KB

MD5
6b0172c317d80c2474a17ec55f50255f

SHA1
0da30459071e6949db585e724aaabaa98f6bbb63

SHA256
35db182dc37e6838f6417d18062f5952202ff0a468a0595806fec7452ee50736

SHA512
ea866f4cbf4cd3d1edf735e8f6d3ce37ecc43a6562e2a5fc3fa12a0b3ff55feb46c6333a70ba93a47323763fb34808c362275d554254d0335624fc3bdb605443

Download Submit
/storage/emulated/0/.UTSystemConfig/Global/Alvin2.xml

Filesize
381B

MD5
4af3cc031ed05b6c01f382926f67bad5

SHA1
011bd3b55d1552549be4af3df9f0dad45d1f1222

SHA256
540a9b955f240583956128c1d8fc825f28cb23cff0d32d42f3c9a485d4c606fc

SHA512
97671426a810b6f8c0307b86dd8f078074e377112cba99884f1e18d25f233750f5b4a62ea321c6d2dca4a7f39241823f46fcf9edd6ee198b28c6889ad0498dab

Download Submit
/storage/emulated/0/Android/data/com.yzzs/cache/kit/journal.tmp

Filesize
28KB

MD5
a173c2dc03658d79bc4ce54d5f2f7202

SHA1
f8078c09894569f428620f1e5e61f7a01f44432f

SHA256
93c16a254c5e2eb3a3532fcfa16f50838c15e720c2a33858ec8618196c54b4d1

SHA512
e8ef4e8f80969fa60a78be498e413edb643cfe07b71e6e5d58ed7f34eef873195ebd8a5af03588f3b23ea1b327f8f0dee7078230bd56fbf73823d26a291d3140

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads