58579539ba7e436b87df78c209d223b68c231bb90a72993cd7a66ad160d777ac

Analysis

max time kernel
179s
max time network
179s
platform
android_x64
resource
android-x64-20240514-en
resource tags

androidarch:x64arch:x86image:android-x64-20240514-enlocale:en-usos:android-10-x64system
submitted
27-05-2024 05:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7809c2c95d3b403511658e60f86c982e_JaffaCakes118.apk
Size

1.3MB
MD5

7809c2c95d3b403511658e60f86c982e
SHA1

16cc8926dfb0584e29e4cc0bc19ea7d083fc33ca
SHA256

58579539ba7e436b87df78c209d223b68c231bb90a72993cd7a66ad160d777ac
SHA512

8bc85bc94a87be05a43450c90ee67d73816473271aced7427eb3f4e49d3d4390e5fa39ece9bb32fcd4386f7babbd0bafa2789fbb29a2854df2df4e2978e2325f
SSDEEP

24576:lKtoL0otaYtXMuq9sDU0YIVWerxR8jfo+CkjWBKq/13tdHbZKm51Ob83/:PQ7Ytfq94UoWoD8jjDjWBKq/1XHNKmjz

Score

8^/10

banker collection discovery evasion persistence stealth trojan

Malware Config

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Removes its main activity from the application launcher 1 TTPs 1 IoCs
stealth trojan evasion

Suppress Application Icon
T1628.001

Processes:

com.yfil.aaxa.snld

pid process

5094 com.yfil.aaxa.snld
Checks CPU information 2 TTPs 1 IoCs
Checks CPU information which indicate if the system is an emulator.
evasion discovery

System Checks
T1633.001

System Information Discovery
T1426

Processes:

com.yfil.aaxa.snld

description ioc process

File opened for read /proc/cpuinfo com.yfil.aaxa.snld

pid	process
5094	com.yfil.aaxa.snld

description	ioc	process
File opened for read	/proc/cpuinfo	com.yfil.aaxa.snld

Loads dropped Dex/Jar 1 TTPs 2 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

Processes:

com.yfil.aaxa.snldcom.yfil.aaxa.snld:daemon

ioc	pid	process
/data/user/0/com.yfil.aaxa.snld/app_mjf/dz.jar	5094	com.yfil.aaxa.snld
/data/user/0/com.yfil.aaxa.snld/app_mjf/dz.jar	5172	com.yfil.aaxa.snld:daemon

Queries account information for other applications stored on the device 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect account information stored on the device.
collection

Stored Application Data
T1409

Processes:

com.yfil.aaxa.snld

description ioc process

Framework service call android.accounts.IAccountManager.getAccountsAsUser com.yfil.aaxa.snld
Queries information about running processes on the device 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about running processes on the device.
discovery

Process Discovery
T1424

Processes:

com.yfil.aaxa.snld

description ioc process

Framework service call android.app.IActivityManager.getRunningAppProcesses com.yfil.aaxa.snld
Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
discovery

System Network Connections Discovery
T1421

Processes:

com.yfil.aaxa.snld

description ioc process

Framework service call android.net.wifi.IWifiManager.getConnectionInfo com.yfil.aaxa.snld
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
persistence

Broadcast Receivers
T1624.001

Processes:

com.yfil.aaxa.snld

description ioc process

Framework service call android.app.IActivityManager.registerReceiver com.yfil.aaxa.snld
Checks if the internet connection is available 1 TTPs 1 IoCs
discovery

System Network Connections Discovery
T1421

Processes:

com.yfil.aaxa.snld

description ioc process

Framework service call android.net.IConnectivityManager.getActiveNetworkInfo com.yfil.aaxa.snld
Domain associated with commercial stalkerware software, includes indicators from echap.eu.org 1 IoCs

Processes:

flow ioc

30 alog.umeng.com
Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
discovery

System Network Configuration Discovery
T1422
Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422

description	ioc	process
Framework service call	android.accounts.IAccountManager.getAccountsAsUser	com.yfil.aaxa.snld

description	ioc	process
Framework service call	android.app.IActivityManager.getRunningAppProcesses	com.yfil.aaxa.snld

description	ioc	process
Framework service call	android.net.wifi.IWifiManager.getConnectionInfo	com.yfil.aaxa.snld

description	ioc	process
Framework service call	android.app.IActivityManager.registerReceiver	com.yfil.aaxa.snld

description	ioc	process
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.yfil.aaxa.snld

flow	ioc
30	alog.umeng.com

com.yfil.aaxa.snld
1⤵
- Removes its main activity from the application launcher
- Checks CPU information
- Loads dropped Dex/Jar
- Queries account information for other applications stored on the device
- Queries information about running processes on the device
- Queries information about the current Wi-Fi connection
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Checks if the internet connection is available
PID:5094

com.yfil.aaxa.snld:daemon
1⤵
- Loads dropped Dex/Jar
PID:5172

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Hide Artifacts

T1628

Suppress Application Icon

T1628.001

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Discovery

Process Discovery

T1424

Software Discovery

T1418

Security Software Discovery

T1418.001

System Information Discovery

T1426

System Network Configuration Discovery

T1422

System Network Connections Discovery

T1421

Lateral Movement

Collection

Stored Application Data

T1409

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.yfil.aaxa.snld/app_mjf/ddz.jar

Filesize
105KB

MD5
23ba0b249042b7ba33e92c0199b0ea4a

SHA1
99b13ee9f7307316c2337953fceed87e9942b794

SHA256
1ed0751a141b17c80a921f5e8ba90c66a56b8e73156f5cbe133b57d550ca4ef2

SHA512
0cc88e2b7c2ffa4db274d690e3bf12098ec804b9fcd9e92b57d2fa0c4161031d2e84c91d86ba8e2b6e8b4837852defa099333f76bcd454c67b31632d0cdd4861

Download Submit
/data/data/com.yfil.aaxa.snld/app_mjf/oat/dz.jar.cur.prof

Filesize
724B

MD5
df1ff980a354417d0c471130c49de84a

SHA1
ec6f5a0c8501b74abb9b35ee5e72cc245be59a6f

SHA256
8628b7439382f5cf1d2ffc743a19cfb34ab6444186c21755c919b23586967cad

SHA512
4b1761a91eb352dcafad7e33405e9416028ad859e975a16d8a72cda68e9f6a10ba09de0e77e9a6d7518dc747d33546d31f9aa63803b319676bf0fa092e19e889

Download Submit
/data/data/com.yfil.aaxa.snld/app_mjf/tdz.jar

Filesize
105KB

MD5
293ea5f01e27975bed5179ba79d80eac

SHA1
c5b0806a537fd1cb753e11f1a9684933317716b8

SHA256
8d86de68978e859c8262c0d0e932d3a1d57457b57ce88940620befab1bcead5b

SHA512
c7cd2881367fdf95ec4151449b359decdae1adf136388edbaaa9880c7ebd14fb3579e7a15600a856988c55d207f7ba1fd7d938f4d9168aba8a7ff1c3029d6b53

Download Submit
/data/data/com.yfil.aaxa.snld/databases/lezzd

Filesize
28KB

MD5
dae68dcffc3d522a79f98ebbc3b6d457

SHA1
6df5dce9a50f12044a2d20b8d1742ae47b82ee03

SHA256
56cf91ca198812e0ef9ba4af0e96c08a32e24c917bcf2250bdebdfd7fd6f5286

SHA512
23b76f988399e9c9e4f5a7e8d19ecb765abdb115b0beee35f8ca9d221bbc5ee79f0152fac4261cc91eb9e7f874b5c6e9bff2dbb1812d31412d506cf83c16adcd

Download Submit
/data/data/com.yfil.aaxa.snld/databases/lezzd-journal

Filesize
8KB

MD5
2265dc991148595952d52ad0abf0da08

SHA1
09abd72c186bf56325cb9d7587a5114b5a66b016

SHA256
b4eb20bca60b00af5c6e741d977ff2664ee61d2073061deb4c1d4cc1a49b6e2b

SHA512
26c07e1aa5a762bb0a01468c3d0bac30eb5f85b7879cbdc859f74fd57bd25cf7fcdf77e62392feb6dc7fac1c26659deb3725b6c349fb9e3429f3e16f4f5b8787

Download Submit
/data/data/com.yfil.aaxa.snld/databases/lezzd-journal

Filesize
512B

MD5
a1ec7a46ce7127ff630959f04007bb41

SHA1
ced4ccb2efe83ad818a49e41ce286d1ac8a22783

SHA256
8c8db785e3d15ee829067ed2d28ce6ae1946756614980cc83f0a6eacf44faea3

SHA512
98aa98a45c2010705fb444ff8005e7ee755935dcc68bd9eb9275f53b9fe2ccb5f9bc84554087144866239e0ccf6f97a5e28a96231a9e6a0473acc8a1335905bc

Download Submit
/data/data/com.yfil.aaxa.snld/databases/lezzd-journal

Filesize
8KB

MD5
2e63d9d8862509a3797b58316b729c34

SHA1
5eeeea997aac430137fcc38455d7a9f667fd2d78

SHA256
45aa06efbb407f358a6878dc6f981aa2becd7b093b70cde8e5ed6a82686d41f9

SHA512
a9f196dd1925d079af504bf53c3c2d53f3b6a818809169677798030b87b7dfd6b446da2e4a035c901ef3b149eabfc90e22c04916d7e426d57d4bdb5c64cb94b6

Download Submit
/data/data/com.yfil.aaxa.snld/databases/lezzd-journal

Filesize
4KB

MD5
946767f7736ffabd814368ee1b199fc1

SHA1
0f2abae57f7b50a40fe433224d543fe4445245dc

SHA256
cceaad424d01758b6939a0110c98d8758b6ea1c8840903806bc8e3f0d69a10f3

SHA512
1b70d9426d93d9031ce67b8506a9ed91cc9373856c430d6ce9a5c1449d91e1b6c867ed70c8903a67ce5a18248edb2ae3b7fad68d0a87dec908ecb5f5b8488674

Download Submit
/data/data/com.yfil.aaxa.snld/databases/lezzd-journal

Filesize
8KB

MD5
25c931fe1146e203cc304629f19adc0e

SHA1
c77e74406fbda31439e6c342879e374d45584332

SHA256
0860b0a59da2ce6d57f8fa67d1978018e48e5bc73d8025c891f832ae9831a54c

SHA512
1def0326d4a9c98fe443227ca65456d69d584d0e368423dd74120624929934e9e29e8579f944fee6fa8f6c68c447c721d6c6d6714e34f3b2ca421d2155720ea6

Download Submit
/data/data/com.yfil.aaxa.snld/databases/lezzd-journal

Filesize
8KB

MD5
871e22a94ac142f33c1ce3c44eb9d847

SHA1
884721fe5652eb6343adcbcf63f90554a4303cf5

SHA256
703854004f3fa3382238a8d3dfb0c3b8d39f7790df5c4a98569bdbd76e9a17cc

SHA512
e3c931fa10b50992d90a602826f11a052ac94a3993e338f59593fe9092d53ff2c0417a13a60cd62e15bd3dbb4a77722d501f5185b9ce749fbb58d9fe42a17e47

Download Submit
/data/data/com.yfil.aaxa.snld/files/.um/um_cache_1716787469469.env

Filesize
655B

MD5
7c72f2011868c69603ba8ae2a29b7da3

SHA1
f12b8a970c408a7e0cd3e30d0d540fd6d726a97a

SHA256
1c8b20ca669a18577f90c24c57f51bfbb7e2cc6fdfa102296e31fd2ad0e25055

SHA512
0d61c63ae118d0ba67f0cb50a0b75c5311ae12e89756281d8ed3d4cd8dd41bca76725e545008aabf58a0cee6f145edebedfcf2a61ace67dc8bed24c17517e843

Download Submit
/data/data/com.yfil.aaxa.snld/files/.umeng/exchangeIdentity.json

Filesize
162B

MD5
19d9e1e9effedf9cddd7786d92ab68ee

SHA1
7d36694c272d6a283885a8eb78159eba0e854944

SHA256
cc45cb5b2ec00eb38f4cb10b87f701ce9e817932adf7801bf1eb00e32f4999de

SHA512
e932e2eeec431b68f5ef9e8b6967417742766cec2a7e7f832063132f5815511a1890b12525f92f0979b26a101c1378fdca99ec195c5deea6fe16aaf976727cc1

Download Submit
/data/data/com.yfil.aaxa.snld/files/mobclick_agent_cached_com.yfil.aaxa.snld1

Filesize
794B

MD5
6b230b2314bca6d8daec6f09efb94e8d

SHA1
40795de910f9305261fd7fb935c9c90da3160d4a

SHA256
1c79ab8ffd1ece567fb59cf1b7390aaad39e040a0039c17728a6093a436d9f2f

SHA512
83c9bbd127f4b3aabe393fd6fd6f25873d3e0faff1d4837ac6d8e518b9ffb3e89b2f3f7ec5b8fd57bb3a7837fc630386e8ecdf17db867f4fea856ed4b4f2ead5

Download Submit
/data/data/com.yfil.aaxa.snld/files/umeng_it.cache

Filesize
350B

MD5
bfd80b87966053dca00e69272510141b

SHA1
7142f00b3a88904b2581870d4f0fd98450f3552e

SHA256
04f4aadc75d41858625eb530288518ba0b127264230b3f516ce4de1946149c94

SHA512
61947b1829126980a93224c67e2e8bb26e25ed0e7b5f63498100f348fe46984d8ffafcca1ac466964cd3371f88092652492db271c0c592a7bb129bca1cb03bc8

Download Submit
/data/user/0/com.yfil.aaxa.snld/app_mjf/dz.jar

Filesize
248KB

MD5
a54a18b58c6720991c021f433dfb2a46

SHA1
d2ffa07919f92b6e04914e39843f08fdb2a75b68

SHA256
3dd88e4418bd4271af728fc6436c873a55e6b6f5c8ed241ee2cb0ee24fe3f7f3

SHA512
e4a51b2462b247b1e5fbd947d06a2eba334f18398daadacbabcb4185f4255f05c22d656a8837a6088ffbdcaedfbdfbd8281c5dad4880c4e5021571e3fefc88cc

Download Submit