99fd4397853f9858fa1cac86414ff2d671cbc4ca75bb95b2633db5bbb5f9abee

Analysis

max time kernel
178s
max time network
181s
platform
android_x64
resource
android-x64-arm64-20240514-en
resource tags

androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240514-enlocale:en-usos:android-11-x64system
submitted
25-05-2024 17:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

72c97d9a34bb1088759ed49067ec62bf_JaffaCakes118.apk
Size

1.3MB
MD5

72c97d9a34bb1088759ed49067ec62bf
SHA1

55acc083624c90f25c90e875b89a04e134b80fe9
SHA256

99fd4397853f9858fa1cac86414ff2d671cbc4ca75bb95b2633db5bbb5f9abee
SHA512

0bfab357bda569fb730c4161a3e15efd4e1a064a8cec57571e26e5eddc7eba2d07441c444310c32395d8bbf0581ca36cda2a9c8146766809758cc8d1129e470a
SSDEEP

24576:JoL0otaYtXMjG6dJZXs+bS8oaPnDAUCxFMMjfo+B4jVAnq/13tdHbZKm51Ob83J1:CQ7YtSdJZJboaPDAUcFzjjyjVAnq/1Xj

Score

8^/10

banker collection discovery evasion stealth trojan

Malware Config

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Removes its main activity from the application launcher 1 TTPs 1 IoCs
stealth trojan evasion

Suppress Application Icon
T1628.001

Processes:

com.nmhs.tpjr.yopk

pid process

4526 com.nmhs.tpjr.yopk
Checks CPU information 2 TTPs 1 IoCs
Checks CPU information which indicate if the system is an emulator.
evasion discovery

System Checks
T1633.001

System Information Discovery
T1426

Processes:

com.nmhs.tpjr.yopk

description ioc process

File opened for read /proc/cpuinfo com.nmhs.tpjr.yopk

pid	process
4526	com.nmhs.tpjr.yopk

description	ioc	process
File opened for read	/proc/cpuinfo	com.nmhs.tpjr.yopk

Loads dropped Dex/Jar 1 TTPs 2 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

Processes:

com.nmhs.tpjr.yopkcom.nmhs.tpjr.yopk:daemon

ioc	pid	process
/data/user/0/com.nmhs.tpjr.yopk/app_mjf/dz.jar	4526	com.nmhs.tpjr.yopk
/data/user/0/com.nmhs.tpjr.yopk/app_mjf/dz.jar	4592	com.nmhs.tpjr.yopk:daemon

Queries account information for other applications stored on the device 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect account information stored on the device.
collection

Stored Application Data
T1409

Processes:

com.nmhs.tpjr.yopk

description ioc process

Framework service call android.accounts.IAccountManager.getAccountsAsUser com.nmhs.tpjr.yopk
Queries information about running processes on the device 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about running processes on the device.
discovery

Process Discovery
T1424

Processes:

com.nmhs.tpjr.yopk

description ioc process

Framework service call android.app.IActivityManager.getRunningAppProcesses com.nmhs.tpjr.yopk
Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
discovery

System Network Connections Discovery
T1421

Processes:

com.nmhs.tpjr.yopk

description ioc process

Framework service call android.net.wifi.IWifiManager.getConnectionInfo com.nmhs.tpjr.yopk
Checks if the internet connection is available 1 TTPs 1 IoCs
discovery

System Network Connections Discovery
T1421

Processes:

com.nmhs.tpjr.yopk

description ioc process

Framework service call android.net.IConnectivityManager.getActiveNetworkInfo com.nmhs.tpjr.yopk
Domain associated with commercial stalkerware software, includes indicators from echap.eu.org 2 IoCs

Processes:

flow ioc

48 alog.umeng.com
62 alog.umeng.com
Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422

description	ioc	process
Framework service call	android.accounts.IAccountManager.getAccountsAsUser	com.nmhs.tpjr.yopk

description	ioc	process
Framework service call	android.app.IActivityManager.getRunningAppProcesses	com.nmhs.tpjr.yopk

description	ioc	process
Framework service call	android.net.wifi.IWifiManager.getConnectionInfo	com.nmhs.tpjr.yopk

description	ioc	process
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.nmhs.tpjr.yopk

flow	ioc
48	alog.umeng.com
62	alog.umeng.com

com.nmhs.tpjr.yopk
1⤵
- Removes its main activity from the application launcher
- Checks CPU information
- Loads dropped Dex/Jar
- Queries account information for other applications stored on the device
- Queries information about running processes on the device
- Queries information about the current Wi-Fi connection
- Checks if the internet connection is available
PID:4526

com.nmhs.tpjr.yopk:daemon
1⤵
- Loads dropped Dex/Jar
PID:4592

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Hide Artifacts

T1628

Suppress Application Icon

T1628.001

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Discovery

Process Discovery

T1424

Software Discovery

T1418

Security Software Discovery

T1418.001

System Information Discovery

T1426

System Network Configuration Discovery

T1422

System Network Connections Discovery

T1421

Lateral Movement

Collection

Stored Application Data

T1409

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/com.nmhs.tpjr.yopk/app_mjf/ddz.jar

Filesize
105KB

MD5
23ba0b249042b7ba33e92c0199b0ea4a

SHA1
99b13ee9f7307316c2337953fceed87e9942b794

SHA256
1ed0751a141b17c80a921f5e8ba90c66a56b8e73156f5cbe133b57d550ca4ef2

SHA512
0cc88e2b7c2ffa4db274d690e3bf12098ec804b9fcd9e92b57d2fa0c4161031d2e84c91d86ba8e2b6e8b4837852defa099333f76bcd454c67b31632d0cdd4861

Download Submit
/data/user/0/com.nmhs.tpjr.yopk/app_mjf/dz.jar

Filesize
248KB

MD5
a54a18b58c6720991c021f433dfb2a46

SHA1
d2ffa07919f92b6e04914e39843f08fdb2a75b68

SHA256
3dd88e4418bd4271af728fc6436c873a55e6b6f5c8ed241ee2cb0ee24fe3f7f3

SHA512
e4a51b2462b247b1e5fbd947d06a2eba334f18398daadacbabcb4185f4255f05c22d656a8837a6088ffbdcaedfbdfbd8281c5dad4880c4e5021571e3fefc88cc

Download Submit
/data/user/0/com.nmhs.tpjr.yopk/app_mjf/tdz.jar

Filesize
105KB

MD5
293ea5f01e27975bed5179ba79d80eac

SHA1
c5b0806a537fd1cb753e11f1a9684933317716b8

SHA256
8d86de68978e859c8262c0d0e932d3a1d57457b57ce88940620befab1bcead5b

SHA512
c7cd2881367fdf95ec4151449b359decdae1adf136388edbaaa9880c7ebd14fb3579e7a15600a856988c55d207f7ba1fd7d938f4d9168aba8a7ff1c3029d6b53

Download Submit
/data/user/0/com.nmhs.tpjr.yopk/databases/lezzd

Filesize
28KB

MD5
fdb8a92e5060ce104e8f0faca55a47ce

SHA1
270d7ca30673e18cec1d2b9add71cba96dc426fe

SHA256
194b40a3911f23ea75c8f4543a13c1236ae15b02c0228a080615a1012f60e05a

SHA512
ad962634ddd027403b5677a9ca979763071ef4a9b6f0127b0c1fd4b3a8bc51f5c4fa71245c301d0dbbf60e18953a94621715ce3ca4addef82b18030e3d718122

Download Submit
/data/user/0/com.nmhs.tpjr.yopk/databases/lezzd-journal

Filesize
8KB

MD5
697cb8af659028956e67d042c4f6f60c

SHA1
f9d652d2561ac7a26889595a0736d5ba7447ae22

SHA256
e5a3880bc676e8d77978dca5ec40b877e59a2a0fd3120f9daaca1dcf2688f5a1

SHA512
52986db6e2b4034e12ecd20980b319cdd20efae790907ddda1281ce0b2a5f5ec0f24834ab565a1a8d750038931146f8ab6cec4c809e3659315258b5cd507fe11

Download Submit
/data/user/0/com.nmhs.tpjr.yopk/databases/lezzd-journal

Filesize
512B

MD5
1384cfc8a276bd6be009987d73c991ac

SHA1
68451bc18a7b33d6e9b8fd91bec3e576348d6a1f

SHA256
a6cd3167e717491f2f2f9a30dd280492264d66ae83b7b8ba9ccd5b071300cc6f

SHA512
4c80941b8b0651a2f90299aeb7414965a53f5c6eb6669c45696115f278e790843f43bdad24b59ef7a038e8ab834445a5c31bcc5b53f6f93ae798110e996e89be

Download Submit
/data/user/0/com.nmhs.tpjr.yopk/databases/lezzd-journal

Filesize
8KB

MD5
3f59c27e3260b45e8371ea20186a917d

SHA1
46fcfffb3291ade8afe6ae83e867ef149cde9617

SHA256
8db3fb67d318d022006bac7030a1eef083e9eecdbb7cadd2c1a4d2c210920e5e

SHA512
b85de22e69b31d786e2b2aab7186d45a56379134c4b41667acb0d610b632ecc394a9474f1c682f35939e1e55e67bb556cc20ad8a665880de22a4bd24aa946459

Download Submit
/data/user/0/com.nmhs.tpjr.yopk/databases/lezzd-journal

Filesize
4KB

MD5
6ea761bf81bbe87fe225199452887343

SHA1
3d368b7bed91cc55173408f556d8464b10f8c46c

SHA256
2353bbd4872bfb42739877da209e12bf72a5512b90d405089938880edb5a750a

SHA512
dfcd715b6c25530cc81935fbb1ec52c0f68b1ecde36329988641ff1e735df37b62aeae9e120a2b3ffcce89df4f94e56ca847a1f1dee68db978b27ebc3b3338a4

Download Submit
/data/user/0/com.nmhs.tpjr.yopk/databases/lezzd-journal

Filesize
8KB

MD5
a3e9865386b68b3c1e9aedaa2ed843e4

SHA1
34b2879c413afdcee8996a1275ccaf19987b9614

SHA256
9884bffc0d0d5601c8828a52b2e39c515b0cdcab0f9d06e41ae92f889d20341a

SHA512
da2f573ce201403bc1a9949c218c2da70531623f2a74cc396793213329a7422550825112a3e7b11357076f80528146bf3d81d8d271c2fc36744f7dc5b2179b09

Download Submit
/data/user/0/com.nmhs.tpjr.yopk/databases/lezzd-journal

Filesize
8KB

MD5
2dbe366b2981c721237ce7e7c91f6a20

SHA1
16734a48c36d83d8d7c7f355f32e230ca4d464ab

SHA256
cd90b4385b1ed9b29e2dd1cf33cc901e39ed9fe48d2085ed8b462eaf3f75f5fc

SHA512
7c66a15019660ef77cba9e57ad3578c1d992c2bb3290dd8394c3ab2144034448ee0810c018af4112d1db87b79856ed1de1d30723bf578a58bdbb50fc742aedca

Download Submit
/data/user/0/com.nmhs.tpjr.yopk/files/.um/um_cache_1716659938701.env

Filesize
654B

MD5
cb69ccd4744ee5f6d0c56c10e1abdddd

SHA1
895d740b20a43479fe9d98c36f76d10c138d7eab

SHA256
b9fe3a4e30d56576110671aeea5d1956ddc8d4c3811cddd5664058272b3a964a

SHA512
b63892d0d88164c20eefa102954fdfeb1698437bd016cc3a17898fe0591ed7063f7018a7f5310295325755813d441ddf1092db21270ae20db7ef560b1898aaba

Download Submit
/data/user/0/com.nmhs.tpjr.yopk/files/.umeng/exchangeIdentity.json

Filesize
162B

MD5
f71cf58d5bc6925b99e38ef109ccd671

SHA1
fe4bed04764c94d22121f1656113dc49ccc66a7c

SHA256
56e037a63a649f7127814e8e90a9b0f7e3389a142a6b33d65ebe468e35a51853

SHA512
e7eb2a1551b7fbcf430e113d5268ad82726a22a3dfc4f49192fd9dd0381d20f580a3346ccb659f4a63be084b8fff589c4aaac01a29cce247a9a74a742ea41fcd

Download Submit
/data/user/0/com.nmhs.tpjr.yopk/files/mobclick_agent_cached_com.nmhs.tpjr.yopk1

Filesize
791B

MD5
635885c0d4e5cdeef2becc2a457a47ef

SHA1
9cd8d72ee58fb9ad2bcc7b8d4a6be469d44699d5

SHA256
60164aa318538673a98084da9d21531adaacfd442a73426e50dbbf73733977f5

SHA512
f26c3e1367d12d227706d84c23c7f6edc6ab398eaea8934512ae015ae2cf0898458eebf78bb4a23663d990a4f4c34b3130e42f7798632535f012b3cc4889500a

Download Submit
/data/user/0/com.nmhs.tpjr.yopk/files/umeng_it.cache

Filesize
348B

MD5
9b14dc4e947926eb1b2d381c1b5d8c46

SHA1
e6db31b75b493d4f6e94ec951b37a6c350b59c5a

SHA256
d4c6624df0ed9f63250ca8b026d6f63daf78e6e81849f8ad3717d7ec190e8a13

SHA512
beac64eb8cdef4323756a1a5c6afcb2c3156a0c4a98afa4b786e8035492e6097a3f058930bd4d451ef8350378ad0bfa572bc4670cc93f3e596b22361731d70e1

Download Submit