Analysis

  • max time kernel: 177s
  • max time network: 185s
  • platform: android_x86
  • resource: android-x86-arm-20240514-en
  • resource tags: android, arch:arm, arch:x86, image:android-x86-arm-20240514-en, locale:en-us, os:android-9-x86, system
  • submitted: 30-05-2024 12:43

General

  • Target: 842ff30cd70fba929c539407c1c4af68_JaffaCakes118.apk
  • Size: 8.3MB
  • MD5: 842ff30cd70fba929c539407c1c4af68
  • SHA1: 2fbce155f7b0ad780668768d479cf5c0cbb104a7
  • SHA256: ee9bff07320ae9d5f43f8d83f443afd3da75df2f233fc18f957c39d1ef88107a
  • SHA512: 44b5535ad792d5db644ef51246459f7b8984c7da74cb984139c2636718bbe7ee16e1302d7596f504688f58ae18db49d3e888df248951210fdf741f6f55c1b2d9
  • SSDEEP: 196608:bxEDczNNUVra4axAfdUWa+612ca4Euebyv6+WCet:9EDoNaFfdbl9X5yv6+g

Malware Config

Signatures

  • Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 TTP)
  • Checks CPU information (2 TTPs, 1 IoC)
    Checks CPU information, which indicates whether the system is an emulator.
  • Queries information about running processes on the device (1 TTP, 2 IoCs)
    The application may abuse the framework's APIs to collect information about running processes on the device.
  • Queries information about the current Wi-Fi connection (1 TTP, 1 IoC)
    The application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
  • Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTP, 2 IoCs)
  • Acquires the wake lock (1 IoC)
  • Checks if the internet connection is available (1 TTP, 2 IoCs)
  • Domain associated with commercial stalkerware software; includes indicators from echap.eu.org (1 IoC)
  • Reads information about the phone network operator (1 TTP)
  • Uses Crypto APIs (might try to encrypt user data) (1 TTP, 1 IoC)

Processes

  • com.anysoft.tyyd (PID 4305)
    • Checks CPU information
    • Queries information about running processes on the device
    • Queries information about the current Wi-Fi connection
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Checks if the internet connection is available
    • Uses Crypto APIs (might try to encrypt user data)
    • child process: logcat -v time (PID 4345)
  • com.anysoft.tyyd:pushservice (PID 4527)
    • Queries information about running processes on the device
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Acquires the wake lock
    • Checks if the internet connection is available


Downloads

  • /data/data/com.anysoft.tyyd/databases/ListenRecords.db-journal (512B)
    MD5: d4f37c840d33da8f9ccc640232399ace
    SHA1: 58b7c01040121feb1db5f56eda37b5ea58dc6025
    SHA256: 617079fbe2828728bf5e71c19ae12580dfb74e09e7922bd9d5fa00e4e31cbd52
    SHA512: fa21027cdb02cd7a141af174cf8f69d190d198fda7b163d355ff2c82710d1b7cb339adc34f4c202142dc81c81747efaed570f7adbcb0a56f61cc57ef9f61b1f5

  • /data/data/com.anysoft.tyyd/databases/ListenRecords.db-wal (28KB)
    MD5: e05e790b0809f775152ae76490dd2c06
    SHA1: 39d89673b11bb1f5af96958fca53e614973ce475
    SHA256: aee33cddbdc276d867ae4a8cefc0cf0c31d4cc4c0f1dfe2130df117545328012
    SHA512: 5c8e84711ee7a12cb6dfc897a5d847c5ae4c653e8c5d6aee15d54f389c2a7b89e58b06eed5439d6dfb50f7ebb276aad23cba03e412d43fec4da57300eab2dae7

  • /data/data/com.anysoft.tyyd/databases/netstat.db (40KB)
    MD5: 6d2b32a2d87ec9260feef7e90c638df5
    SHA1: a493b495f56df82f5b49c04d99cd254849b8e0e7
    SHA256: db7f817c6e17ecf469715147d6c2650c1c10b25d00049063c49cf72606b51f6b
    SHA512: fcf2fab0b8bd88ab2cba64eee385501bb04696499b8d24f75eed36a6f28643427efa065ddde143162d50e91bcf822660392219509aa29945dfb94aa316c44f34

  • /data/data/com.anysoft.tyyd/databases/netstat.db (20KB)
    MD5: 22052245b5ebbc3db408cec1aaa5bd99
    SHA1: fd7ee3655ee0a326a2b755ebe6cbf0addf4e32ad
    SHA256: 69985939522217dc4972c035070113b618980d1debac6de5795a49eff4009c0e
    SHA512: af022a6e777729aaed05802e905134778c25db338bc448cf700ae3f34bb6a66d3aef63b3c119cd4b3f482d19b613c9e20eae84d9239360eb4e12c7bc6ee07f3b

  • /data/data/com.anysoft.tyyd/databases/netstat.db (36KB)
    MD5: 29a055c7fd7b0e4447ea1eba5e217bf5
    SHA1: 1a93dbdbc55c13b95285aac1032d5262e4e1faf6
    SHA256: d44fd4d792dc4e5bcae9883635ffb238834062b1883c07c884286ec8c7f7f92e
    SHA512: a4fb91a8774c2e843155532ab8b95cf1018e0634dc0a6faaf7e26f59a86aac1ca942f12b4f43fc282f899c6bfccb1010c42b2999fab4919c6b341ccff3374079

  • /data/data/com.anysoft.tyyd/databases/netstat.db (32KB)
    MD5: 415b95fd30e2512a313fe52f10b57202
    SHA1: be23a910ed86e82e6dd9ce4d0022637e5b326a51
    SHA256: 9b7e6988f8e5563261d12fced418cce0f2b076c1f7c26203a3c712bc03f4554d
    SHA512: 673b96e1b2c1fd699b02cf73b2498492255f2812a25f8336f5d3d4a068f573fa644ffc3928eadd180d5a69f81a34b2e159c0e658495c9e66d65848df330b0927

  • /data/data/com.anysoft.tyyd/databases/netstat.db (44KB)
    MD5: 5f55d1e842ca1f502e1aad8be2562fce
    SHA1: c041ec56cd63cbc9e5ce3c4b21d20904ee1eebf1
    SHA256: 323d44e236ea03e5b68df34cfc4f3ce2646f584702f1c2e48b5bce682c423e58
    SHA512: df2f62ded3d0f81e69084eef4c63fded446b436e9e23241b22612719199ae82c7f94957bef81242e0ba4b4e421a0d63f48848950e7390434517602929d5e72a5

  • /data/data/com.anysoft.tyyd/databases/netstat.db-journal (512B)
    MD5: 66219c6de0761b1a3cdea19a27e10b70
    SHA1: 25826234d2fd0d8f8dd88ad3c2d23d914fce0328
    SHA256: 9ecdd9281e0c6793ccab1c9ef5cbc414aa7d7b8f53b53562174c48c1dc1b4838
    SHA512: 9f33a6f5a1ae456b86fd03d8a8e9ae8239e1024f82033eee290feeef89803b53f532c51a6c00f0efc342634d418bf3dfae304aea4ecffd6ac263bc5156b98009

  • /data/data/com.anysoft.tyyd/databases/netstat.db-wal (56KB)
    MD5: 4091d2a2bf09574c8d7b2be19b9cab6e
    SHA1: 9f63c5ed93a9f73bee3b59dfd5802965e8072502
    SHA256: fc51a7a3a7ef03dd9d9f7b4aa61d4c201c5e15f225312634b3ee492c929fb31a
    SHA512: fcf07a47b8886b07637277a6f4bb19a31276d98e618710bd22df523e8ef09e2007e8432af85368357a398e23ccf0cab422e3803fe3955eeecf119aa4eea59c9a

  • /data/data/com.anysoft.tyyd/databases/netstat.db-wal (8KB)
    MD5: a017c3284ae10b15db444227a536d7ad
    SHA1: 77b5f8462eb3f5077771d08ec5dcdf0f0c74089f
    SHA256: a152c86fc8eeaf714b44404cfddd3df4a2d7da71422fa0be0fb017849764213c
    SHA512: 646abb2fbbd8d26d7b2207166f0f75345a7137eeb862190c3d89cdec8220be05a917497f6ceec10af574706c12a5829b4fd040615543571858e92665f04b7960

  • /data/data/com.anysoft.tyyd/databases/netstat.db-wal (8KB)
    MD5: 8e2046b8d0f4b34808a1fb94aec8afa8
    SHA1: 789c2d3c07f757419d196ff7a254c32a818dcbb8
    SHA256: 746b453f5d17d681b41131eaea12782b16611a72807abd21bdb16bea2be84b3d
    SHA512: f24e7edb91af88145c430438a26058efb471ee333e30a41dc85399169220bad489ef02ec92c7373b66a75efb08883295224f8d2abad0aa2858f6698efb248e23

  • /data/data/com.anysoft.tyyd/databases/netstat.db-wal (8KB)
    MD5: 72ab2126e5694068eb145a8bc23a000b
    SHA1: 9d2a8e9e54133c9d63ef65223877418ebb82ec30
    SHA256: 7a677943d38f833b6965c4744cb5f752a5994e18717b234d579687983a687172
    SHA512: aef7b1e577add58d93084c5a720d61341bdfe58c5a3dca168dbe2e322c86ae9dd682bfb0a4b93dca05c5d8592582c3c0d197fff2537fee368d0fe061ca368c33

  • /data/data/com.anysoft.tyyd/databases/netstat.db-wal (8KB)
    MD5: 5b8e8a4e398734e97aa3678274d9790f
    SHA1: 3bf9f8c2d39d853b8533870331d34f18ece05748
    SHA256: b06b150e90bce51b3f6237f80d42e5f6e83d9d45f04695ceae6db740e50ba44b
    SHA512: 093c7877ec47bf1718e5266887d8affc7688a88179134565cf7e0b8b8f7fe2e9712e7c4bf94d58e26eaab05fe97f87af9166b8aa80c80b2ac03e9017b6743cda

  • /data/data/com.anysoft.tyyd/databases/tyydprovider.db (4KB)
    MD5: f2b4b0190b9f384ca885f0c8c9b14700
    SHA1: 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
    SHA256: 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
    SHA512: ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

  • /data/data/com.anysoft.tyyd/databases/tyydprovider.db-journal (512B)
    MD5: dc08f48965d93f373b7d24a127d8c642
    SHA1: a1251daa4f482428e87ad918e96e2f03a68b18bf
    SHA256: be5ef2fcde105348f5be03efe47988f0abb30dc63a047a941da94cb62e317724
    SHA512: 5597ce24bbb169518c89cf7ca8e136a654535ded888bf6a458941d66c5b57fe7acacc7ad527d63dae8295e6085fbec75c3d53aa309b90f950cd6b013c663179e

  • /data/data/com.anysoft.tyyd/databases/tyydprovider.db-shm (32KB)
    MD5: bb7df04e1b0a2570657527a7e108ae23
    SHA1: 5188431849b4613152fd7bdba6a3ff0a4fd6424b
    SHA256: c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
    SHA512: 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

  • /data/data/com.anysoft.tyyd/databases/tyydprovider.db-wal (128KB)
    MD5: c9752b7f0d52557a988e7f15cf02b0e1
    SHA1: 199ecce2622eb9893d4ef32ae4cd8b2afb470cda
    SHA256: cb398edc4325d9f59faf60cef375dd63718da5b5a9ef04788027429f73f5cf95
    SHA512: f7af9e2efa775701a863af33ed8faf7695dc4c7f8fb7b79cea545afc6125df75e40b7f3d95b840b7b93d503069c565a474c268ef5b30961bb089ae24ff420495

  • /data/data/com.anysoft.tyyd/files/.filelog_pv (176B)
    MD5: a363a42c6d243652010371902fe526a3
    SHA1: c82d12134fc9b29d298b102ab741198b575abc24
    SHA256: 9c95dfc46d4be4bb7fedd1b4690228568aee964090de05599a5f962bced5ddca
    SHA512: 89d8ee46362e0006714258efe67f75a5f8a8e28828a38093c0cf0656bf402b920ae09953305c6f9a45b6751ec873d7f1e8095da4aac085b06775566b78dea683

  • /data/data/com.anysoft.tyyd/files/weibo_sdk_aid1 (46B)
    MD5: 4028c8b91f544d6bd51a266683ff791e
    SHA1: d8bacd93b5724c8500f66cc46632704115635afd
    SHA256: 7cda4149bb95d3c082f01b19b365228fd339ce4fcfa02969294e13bdae41270b
    SHA512: a8fdcbe785c7f9eabff76f227db4e8c1d099dc8adc81a41283f8fbf118fd0fbff93be1aaacd3c966888f30f247215125317efa56495f022486f5262cd2cc3831

  • /storage/emulated/0/Android/data/com.anysoft.tyyd/c/u-i/62flme2d2m9gz0hcz7ijf9nnj (2KB)
    MD5: 2969359625c1e16cec7e19510327ebb4
    SHA1: e39cc90e5519ff387e5f244618a9ad01bcccad8c
    SHA256: e92258e35c3b3610f1c5bbaf0a90185f913e2f5a0d9f3112222775f0bc9c5d1a
    SHA512: a59e87d69e0e0cea7c1821355b1ef71f1c6c4fb1fd0399376d8e9e7cb7e25952562dbec93e17de21ef684bc932ee6cc32ec39f7b097dbd4b95ff197ea65e1bf1

  • /storage/emulated/0/Android/data/com.anysoft.tyyd/tytslog.tmp (25KB)
    MD5: 0936843f1b5fdf81c7203e271b1a31c0
    SHA1: ee7d7f631526a5690ba0fac6f24b7d84513a72f5
    SHA256: 6a07c8db13597f4032733ee209fc555e3fa68edb70763b1ecc43068225043fe3
    SHA512: 2cf566bf00b4a99e1b65b7a2a681df9c96cb631d5e1cae4a4e488b877e0b540420c3ba6192d00f6bf8dd0bc793196d959c23f4374bd798690ac2801842723905