Analysis

  • max time kernel: 179s
  • max time network: 164s
  • platform: android_x64
  • resource: android-x64-arm64-20240603-en
  • resource tags: android, arch:arm, arch:arm64, arch:x64, arch:x86, image:android-x64-arm64-20240603-en, locale:en-us, os:android-11-x64, system
  • submitted: 04-06-2024 03:23

General

  • Target: 937d686eca77928a3b8ea974e2b3dd76_JaffaCakes118.apk
  • Size: 1.3MB
  • MD5: 937d686eca77928a3b8ea974e2b3dd76
  • SHA1: 91464678205a52f02050106bcee52079a78dfc1f
  • SHA256: 485959428ca353d404fdf264486ae95d0b48f92ff2a5870ec004103d332fbcc5
  • SHA512: e4204366748898067d2f80d5d0310a78d7686e7704733de44e9c3ae0a09f0b222352580e4658b3362094dea564aa1dcacf617253fcb590f969d0783b18f234e1
  • SSDEEP: 24576:PucEoL0otaYtXM3SprkM4FqD5Bl0ZHqU+1j/o+m0jKt2q/13tdHbZKm51Ob83W:PNQ7YtprkruBl0ZHojDnjKt2q/1XHNK7

Signatures

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
  • Checks CPU information 2 TTPs 1 IoCs

    Checks CPU information that indicates whether the system is an emulator.

  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

  • Queries account information for other applications stored on the device 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect account information stored on the device.

  • Queries information about running processes on the device 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about running processes on the device.

  • Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

  • Checks if the internet connection is available 1 TTPs 1 IoCs
  • Domain associated with commercial stalkerware software, includes indicators from echap.eu.org 1 IoCs
  • Reads information about the phone network operator 1 TTPs

Processes

  • com.rojg.hanu.gsnx (PID:4464)
    • Removes its main activity from the application launcher
    • Checks CPU information
    • Loads dropped Dex/Jar
    • Queries account information for other applications stored on the device
    • Queries information about running processes on the device
    • Queries information about the current Wi-Fi connection
    • Checks if the internet connection is available
  • com.rojg.hanu.gsnx:daemon (PID:4527)
    • Loads dropped Dex/Jar

Downloads

  • /data/user/0/com.rojg.hanu.gsnx/app_mjf/ddz.jar
    Filesize: 105KB
    MD5: 23ba0b249042b7ba33e92c0199b0ea4a
    SHA1: 99b13ee9f7307316c2337953fceed87e9942b794
    SHA256: 1ed0751a141b17c80a921f5e8ba90c66a56b8e73156f5cbe133b57d550ca4ef2
    SHA512: 0cc88e2b7c2ffa4db274d690e3bf12098ec804b9fcd9e92b57d2fa0c4161031d2e84c91d86ba8e2b6e8b4837852defa099333f76bcd454c67b31632d0cdd4861

  • /data/user/0/com.rojg.hanu.gsnx/app_mjf/dz.jar
    Filesize: 248KB
    MD5: a54a18b58c6720991c021f433dfb2a46
    SHA1: d2ffa07919f92b6e04914e39843f08fdb2a75b68
    SHA256: 3dd88e4418bd4271af728fc6436c873a55e6b6f5c8ed241ee2cb0ee24fe3f7f3
    SHA512: e4a51b2462b247b1e5fbd947d06a2eba334f18398daadacbabcb4185f4255f05c22d656a8837a6088ffbdcaedfbdfbd8281c5dad4880c4e5021571e3fefc88cc

  • /data/user/0/com.rojg.hanu.gsnx/app_mjf/tdz.jar
    Filesize: 105KB
    MD5: 293ea5f01e27975bed5179ba79d80eac
    SHA1: c5b0806a537fd1cb753e11f1a9684933317716b8
    SHA256: 8d86de68978e859c8262c0d0e932d3a1d57457b57ce88940620befab1bcead5b
    SHA512: c7cd2881367fdf95ec4151449b359decdae1adf136388edbaaa9880c7ebd14fb3579e7a15600a856988c55d207f7ba1fd7d938f4d9168aba8a7ff1c3029d6b53

  • /data/user/0/com.rojg.hanu.gsnx/databases/lezzd
    Filesize: 28KB
    MD5: fdb8a92e5060ce104e8f0faca55a47ce
    SHA1: 270d7ca30673e18cec1d2b9add71cba96dc426fe
    SHA256: 194b40a3911f23ea75c8f4543a13c1236ae15b02c0228a080615a1012f60e05a
    SHA512: ad962634ddd027403b5677a9ca979763071ef4a9b6f0127b0c1fd4b3a8bc51f5c4fa71245c301d0dbbf60e18953a94621715ce3ca4addef82b18030e3d718122

  • /data/user/0/com.rojg.hanu.gsnx/databases/lezzd-journal
    Filesize: 8KB
    MD5: 4b02a38013990c66b7a79243132c7ed9
    SHA1: 2f4c3bd29036ddf64467a11a345917f2ed3b71c7
    SHA256: 2bab6f3fc29b66deda75dd2612f0411f936c07510e3d7f530db3ae477c2e11d1
    SHA512: 5c859613ca76eac19483e58840341dfba418017a354e0088824f240a66efb93686ef85f39b43a71347e2bc74db2fa28e48b4daebbd7ca55ffe2f8080eacd486e

  • /data/user/0/com.rojg.hanu.gsnx/databases/lezzd-journal
    Filesize: 512B
    MD5: 54eccf3de08410de80efc3825906e6ee
    SHA1: 0dd452b0b9268a147f28c5235471c7480e4af317
    SHA256: 37b119c45febabbe8232617ba17addea91b876064bebc2cb083fe50c944148d3
    SHA512: b0d332a25f34c2089a3d2c6fed357faa731cee8caa667c754e1d7341e7ffe91eb40eab9e2556ac4ca229d66ac70f97ec5898b11b833ee4031d2e09eddfd76452

  • /data/user/0/com.rojg.hanu.gsnx/databases/lezzd-journal
    Filesize: 8KB
    MD5: 18a781f4698801cd3b35ac57314ce438
    SHA1: 6a98c3be63508c1d2362b0560eb55ea640350027
    SHA256: 57508fea9daa3782fd4ed406f228dc5e27cbeec174f93537a6d1e43f19dea26d
    SHA512: 91a83553f2384d6e59f4100df8f3476b40f06c3b21020e49bc79f83969c3ac1c6a631b7e8ee01cb8a90bbe368ffc43a8644b0fdec2325860bf6d1526bda3a2cc

  • /data/user/0/com.rojg.hanu.gsnx/databases/lezzd-journal
    Filesize: 4KB
    MD5: 2d3550908705101ae30dfd5680625438
    SHA1: 55f0919b496e05ef46bd5e838e19048f00c751b1
    SHA256: 50b94ff25a4329625df150df67719ca71ac390bc5daa3c07fb010a18e07e39e0
    SHA512: ec03ceab28903ba0741a2e20fd7c4bf9ec5e4fd73659ce425217cf83daf5edefcee33b38bb4193eb43225a3ae404fb868c4f187ec952efc9bef07f478109dd34

  • /data/user/0/com.rojg.hanu.gsnx/databases/lezzd-journal
    Filesize: 8KB
    MD5: b176f4ecb16236a293688f23615ac406
    SHA1: 0e701343358e4f5e0ab44f2d6ee99ce691f94a43
    SHA256: a5cd10cd5bf430d503cc1c8f4cf15deef300103ef9d94eec64cab7f3d95f80d6
    SHA512: c244f5fce1a3c3e411def360c267b572e928c8e7193c1f3668f798e1bebd67a6bfe3a563323f33950bc6e1d6e95c2e8381674aef82794b5d821335e637b4d14b

  • /data/user/0/com.rojg.hanu.gsnx/databases/lezzd-journal
    Filesize: 8KB
    MD5: 0cfc2a6aa0a9b405cea8c1186594c7b1
    SHA1: 2fb25e4aec2a7f5c77849cecc5612fa4635dd2f7
    SHA256: 05d2620b4deb6c2a827f8a27be44c8866c8056204f9fbea6614e198b52c7df7f
    SHA512: e926075077979cb66871df0021e1df9b66ff3775a40530a7d0f0ab3c00a181bcd92890d9177c1bf97e08bcd98c12f7e1eeb2854e354d8bc5029a9a30c83976e5

  • /data/user/0/com.rojg.hanu.gsnx/files/.imprint
    Filesize: 943B
    MD5: d511dec34b2fda97ac347ba181b01359
    SHA1: 7fd0a91953fa4d7a21ba860baf42874a4406b706
    SHA256: 3713b01f76dbc9f2af99c40ff28e23589c3c4ab8d68013c178263c917fca97fb
    SHA512: 238b63ce77c74fcf36414f495053d20a1f78dc4b48b4c97663a8363dbea9862c1804b65f18d0740c33472ce88dd8c7dd219ed6855a3e769680c0f207fa049e41

  • /data/user/0/com.rojg.hanu.gsnx/files/.um/um_cache_1717471525426.env
    Filesize: 654B
    MD5: cca00ccea67ad16c75f6cf3764999809
    SHA1: 04a31ffb6da5580ee11fd180b0e01f166ecf0c70
    SHA256: 398ae274b7dc21e0a42addea491ca0a756f71cc183ffc22c1508d3b5538c213d
    SHA512: a72edb71ce15d3a963976cfcaa3a4d683294b67d617679bf6663ec073658985f611174276d8a5e765d09a8f8613812071a79e0f3d72efffd18682e4e55d39809

  • /data/user/0/com.rojg.hanu.gsnx/files/.umeng/exchangeIdentity.json
    Filesize: 162B
    MD5: de38fa43bf82bfeaf26bd2a18359af4d
    SHA1: da92dc9bd24c319cf45d305b5acdf6269f2b1baf
    SHA256: 4351553d47264e75f9dd78df1ff795e5c8e47cfaf707987a504c3d2170de504a
    SHA512: 2db902b91824d68502cf6786cb87a86c434b7ff776cd63f36f944d8498c07ae842cd625b3a410836ae4cb43d9cfeea66cb503f5705af30795312c6133724b712

  • /data/user/0/com.rojg.hanu.gsnx/files/mobclick_agent_cached_com.rojg.hanu.gsnx1
    Filesize: 1KB
    MD5: 91f85f396a90ef834991a3b9988c11a6
    SHA1: de1c1c34e5ebf9e08c19a08564cb2c7dfa3bf857
    SHA256: 723a0e3fc21275f99fa76ffd7756bca5845cc0d627d78aae24ac2bea69dc1816
    SHA512: 1c0cfe65f28f4730ce811c8f5563047a91ccf76bb05ea00a5407520ce24ae4bde6ce9ade1505e7f7ef55582bba23d08b727479b89751d956c5df9bb8a955cb92

  • /data/user/0/com.rojg.hanu.gsnx/files/umeng_it.cache
    Filesize: 348B
    MD5: 2faec314368e780d50ec8406fc4518d4
    SHA1: afc75ea8520f680d73c03278b2c758890c636e6f
    SHA256: dacad87442228b8a3a1ba95998022918abbbcf75d4b6949c2856ea309e6c763f
    SHA512: 47c4a9ac7d171401765bb3bf99b07f8a8750eb7508b92c3a615f767e3aece702a7b3dcb1705035ba13706b6d48e0b7f960c6b32f2a4d9bf42b47384a7b163930