Analysis
- max time kernel: 178s
- max time network: 177s
- platform: android_x86
- resource: android-x86-arm-20240514-en
- resource tags: android, arch:arm, arch:x86, image:android-x86-arm-20240514-en, locale:en-us, os:android-9-x86, system
- submitted: 02-06-2024 23:15
Static task: static1
Behavioral task: behavioral1
- Sample: 8fc642358c5aeb7ec649b35d938d847d_JaffaCakes118.apk
- Resource: android-x86-arm-20240514-en
Behavioral task: behavioral2
- Sample: 8fc642358c5aeb7ec649b35d938d847d_JaffaCakes118.apk
- Resource: android-x64-20240514-en
General
- Target: 8fc642358c5aeb7ec649b35d938d847d_JaffaCakes118.apk
- Size: 1.3MB
- MD5: 8fc642358c5aeb7ec649b35d938d847d
- SHA1: b89275e530a5e630b24902013e13ae3447b8493c
- SHA256: aefa3f59d16797388f909c9e278f8d36d33f5363f978fe2eff640a22797726b7
- SHA512: 0fca0dad44fd656dc0e0c2f9791d78f52801f87f06ec8548397099a5d074179b1a089752fd816ff2113bbe7316c80cbe30c1e105f444ac9ed763ca8de6c2d0ca
- SSDEEP: 24576:d4AhVXSHyjVhugAB2GMQAv3Q95o+vsjXiJq/13tdHbZKm51Ob83+s:XhvfDujiQ9pEjXiJq/1XHNKmjbOs
Malware Config
Signatures
- Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 TTPs)
- Checks CPU information (2 TTPs, 1 IoCs)
  Checks CPU information which indicates whether the system is an emulator.
- Loads dropped Dex/Jar (1 TTPs, 3 IoCs)
  Runs executable file dropped to the device during analysis.
  Processes:
  - /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.mckt.dtlp.iexh/app_mjf/dz.jar --output-vdex-fd=48 --oat-fd=49 --oat-location=/data/user/0/com.mckt.dtlp.iexh/app_mjf/oat/x86/dz.odex --compiler-filter=quicken --class-loader-context=&
  - com.mckt.dtlp.iexh
  - com.mckt.dtlp.iexh:daemon
  IoCs (ioc | pid | process):
  - /data/user/0/com.mckt.dtlp.iexh/app_mjf/dz.jar | 4319 | /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.mckt.dtlp.iexh/app_mjf/dz.jar --output-vdex-fd=48 --oat-fd=49 --oat-location=/data/user/0/com.mckt.dtlp.iexh/app_mjf/oat/x86/dz.odex --compiler-filter=quicken --class-loader-context=&
  - /data/user/0/com.mckt.dtlp.iexh/app_mjf/dz.jar | 4286 | com.mckt.dtlp.iexh
  - /data/user/0/com.mckt.dtlp.iexh/app_mjf/dz.jar | 4443 | com.mckt.dtlp.iexh:daemon
- Queries account information for other applications stored on the device (1 TTPs, 1 IoCs)
  Application may abuse the framework's APIs to collect account information stored on the device.
  Processes: com.mckt.dtlp.iexh
  IoCs (description | ioc | process):
  - Framework service call | android.accounts.IAccountManager.getAccountsAsUser | com.mckt.dtlp.iexh
- Queries information about running processes on the device (1 TTPs, 1 IoCs)
  Application may abuse the framework's APIs to collect information about running processes on the device.
  Processes: com.mckt.dtlp.iexh
  IoCs (description | ioc | process):
  - Framework service call | android.app.IActivityManager.getRunningAppProcesses | com.mckt.dtlp.iexh
- Queries information about the current Wi-Fi connection (1 TTPs, 1 IoCs)
  Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
  Processes: com.mckt.dtlp.iexh
  IoCs (description | ioc | process):
  - Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | com.mckt.dtlp.iexh
- Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTPs, 1 IoCs)
  Processes: com.mckt.dtlp.iexh
  IoCs (description | ioc | process):
  - Framework service call | android.app.IActivityManager.registerReceiver | com.mckt.dtlp.iexh
- Checks if the internet connection is available (1 TTPs, 1 IoCs)
  Processes: com.mckt.dtlp.iexh
  IoCs (description | ioc | process):
  - Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | com.mckt.dtlp.iexh
- Domain associated with commercial stalkerware software, includes indicators from echap.eu.org (1 IoCs)
  IoCs (flow | ioc):
  - 37 | alog.umeng.com
- Reads information about phone network operator (1 TTPs)
Processes
- com.mckt.dtlp.iexh
  - Removes its main activity from the application launcher
  - Checks CPU information
  - Loads dropped Dex/Jar
  - Queries account information for other applications stored on the device
  - Queries information about running processes on the device
  - Queries information about the current Wi-Fi connection
  - Registers a broadcast receiver at runtime (usually for listening for system events)
  - Checks if the internet connection is available
  - Child process: /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.mckt.dtlp.iexh/app_mjf/dz.jar --output-vdex-fd=48 --oat-fd=49 --oat-location=/data/user/0/com.mckt.dtlp.iexh/app_mjf/oat/x86/dz.odex --compiler-filter=quicken --class-loader-context=&
    - Loads dropped Dex/Jar
- com.mckt.dtlp.iexh:daemon
  - Loads dropped Dex/Jar
Network
MITRE ATT&CK Matrix
Downloads
- /data/data/com.mckt.dtlp.iexh/app_mjf/ddz.jar
  Filesize: 104KB
  MD5: 74516f682123a65190e15ca51fea94e2
  SHA1: 4625bc1052913470b74a0d2eedcb5d1b597cfcab
  SHA256: 9b0a7ac6b3eae5984f76f9096d2037d7228008c77d63e85f4a0fcc6ad766874d
  SHA512: 9a9045e8a3ecfeb50632b4f205ccecb3b9104da04d110623b59b73d62d5da2e345f3259ba706ffdc341cec2f16a734b3dfd856a20333b3434dec0ea577ddaaae
- /data/data/com.mckt.dtlp.iexh/app_mjf/tdz.jar
  Filesize: 104KB
  MD5: c34a960ee8657fb632c516c1616ca810
  SHA1: 9aa3a6cf76f595769a52b40a4189c5371a84674c
  SHA256: 2bb381984f485a4803c2ed4c80ebf1ab3f327fc918ce36ddd67326a249ba77c6
  SHA512: 2bfeb1a74504f9c5c978e19041a3c6ccbab2eb77f7fd35c38e45207d2d50af0fe3ae28aaa7373cb4eb69b8f3d9c118d0813c2d7336f2f3f26e8c6a8e34e3504a
- /data/data/com.mckt.dtlp.iexh/databases/lezzd
  Filesize: 4KB
  MD5: f2b4b0190b9f384ca885f0c8c9b14700
  SHA1: 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
  SHA256: 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
  SHA512: ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1
- /data/data/com.mckt.dtlp.iexh/databases/lezzd-journal
  Filesize: 512B
  MD5: 0573122f87a0a9c6c6cc6a4505963883
  SHA1: 803bdf14fe44a1e8db02c94b74e135a62da84a50
  SHA256: eb57069f252c06b4011aaca0e1f28b1c81d2e86ffa602fb9650e0c0e2be50b32
  SHA512: 6910581a58c63eaba4255cdb880cf3f9cd06c96110001dcb9614f2d2aeb3d5dbdd4232eb3be009131c31b1360ee7432118d62a59ae56bc4d5dd224a0dc7d7858
- /data/data/com.mckt.dtlp.iexh/databases/lezzd-shm
  Filesize: 32KB
  MD5: bb7df04e1b0a2570657527a7e108ae23
  SHA1: 5188431849b4613152fd7bdba6a3ff0a4fd6424b
  SHA256: c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
  SHA512: 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012
- /data/data/com.mckt.dtlp.iexh/databases/lezzd-wal
  Filesize: 60KB
  MD5: 7630847475276f43a50a641bfa19d4b3
  SHA1: a797512348fc82ba3e6b217739c4d59af617fd5b
  SHA256: 60a49aa701400234703e3444ffca1afd3c87c340e5442abcc077ba9fa073e1cb
  SHA512: d3f9c17d4108cadb2c234e532bc46fd3a05334e1c1e3733aabf1205c3936d926a5821c694a34d1cabc79f854fbfb53c3725c563dea256122939af881f127c57c
- /data/data/com.mckt.dtlp.iexh/files/.um/um_cache_1717370262054.env
  Filesize: 688B
  MD5: 76e2348d45898c78d893481d3775cf87
  SHA1: dab1cc320f70c640f8dbe3ab9cc0c747a6eb2fbd
  SHA256: 008b83e57fc3bb3ebec2dfd9211e5fc3fb2e30b4f0bd95d9ad75db2c3736e819
  SHA512: df569585b233c287a3825cda4d5dc4560c4dcd6f378dc47c0e366dfe56adb9b2d81fa1eb3c084c92d79fe02336e1a212afd1ebf96902d6a2bffcd89d8444caca
- /data/data/com.mckt.dtlp.iexh/files/.umeng/exchangeIdentity.json
  Filesize: 162B
  MD5: 5281f3a78e07665aeb8e8820cb370ad8
  SHA1: 901b0d73b56a3050ae3c69444c0c6f27f195aa76
  SHA256: b9a60c81846e91e9967ded1457c172ab82c2b48b5f80c67dc17b314624a54e3f
  SHA512: 51c4071301ec74a682d5aa0884e6c47d5ce889f2d9b29dcbe4937a33005491ed6ea3649135dcfe03e3bbc984e2793a659af2e2f617b324f29760247a0a7527b0
- /data/data/com.mckt.dtlp.iexh/files/mobclick_agent_cached_com.mckt.dtlp.iexh1
  Filesize: 862B
  MD5: 98f34d07d55a5398860ab3499513c673
  SHA1: f1fb0cb5e7752547242771efd23ee13ea4e63c7f
  SHA256: d74a04f60805f1e005f5d4ff0f27993d9c00a30b2cb79474b41263d0543c435b
  SHA512: 59844f450f24049d75e107eb5b7a998cdb871a39e1c6c263df381c9ef16f450f4d3fd353fd244100f5af0168edc8816aa04ba936ad2701823e75bdb8d7d54dc2
- /data/data/com.mckt.dtlp.iexh/files/umeng_it.cache
  Filesize: 415B
  MD5: ad41e272f78efa6dbcb1f0a88f885952
  SHA1: a7cb3ef4daeb9d8cfc093281906fabf4fa4895fd
  SHA256: b0e5f72a0dc0bfd89d8afb8e069d1f602cf361e632de8d9ac27ea95dc8639672
  SHA512: e7ed619d83334dfbd82b323f4ef44400fd20e66687717216ca081cdbcdfc481e645c1c2849bea442e5fc1fd030dfeb3da8798a72a8e37581e9e9bd03fec7a723
- /data/user/0/com.mckt.dtlp.iexh/app_mjf/dz.jar
  Filesize: 247KB
  MD5: 40235bd85137ac67997ebd98c3ee5336
  SHA1: c0ab0d0d39c13fc76c22f11642920003a34a6a8e
  SHA256: a6cdc6d2747ca2979c9959fae17a4c00dd66bd336315ce2e69348bff551976f4
  SHA512: 80193d98b9db86270ebdb3217ad5000dc93f36fec15c06925df1938bd7bc89e9a1a056fcfc0a3a3108daa7dfc5b9856b22832bcc7654ac5e0197bdc45a08cdab
- /data/user/0/com.mckt.dtlp.iexh/app_mjf/dz.jar
  Filesize: 247KB
  MD5: f94e137d7aa3ec510782c58f1089ef39
  SHA1: f1b5f4b422d4fb5071e41a3fe9b7cf99ec13c217
  SHA256: 89c661a75becb3a99788c1deecf430f54c045e044f30c5fa7dd7f11e93e2a5cc
  SHA512: 743beef1e59c24cb6662c19dab6e6629a30d6bf6e2e014f2f68258a58acacb868f6a7a2a527123170f92b03ba517d8b48cb2a290a963d2b86130444820b0be6a