Analysis
- max time kernel: 179s
- max time network: 182s
- platform: android_x64
- resource: android-x64-20240603-en
- resource tags: android, arch:x64, arch:x86, image:android-x64-20240603-en, locale:en-us, os:android-10-x64, system
- submitted: 04-06-2024 16:47
Static task: static1
Behavioral task: behavioral1
- Sample: 9593080db00f63d0c50cf0e65d047d48_JaffaCakes118.apk
- Resource: android-x86-arm-20240603-en
Behavioral task: behavioral2
- Sample: 9593080db00f63d0c50cf0e65d047d48_JaffaCakes118.apk
- Resource: android-x64-20240603-en
General
- Target: 9593080db00f63d0c50cf0e65d047d48_JaffaCakes118.apk
- Size: 1.3MB
- MD5: 9593080db00f63d0c50cf0e65d047d48
- SHA1: e15a151d65307f1a36c6c3e16110cc981892a7d5
- SHA256: c5f838031bed0eb95c285d23125b42edca38916ca6a6457c5440a2ca4f6fd944
- SHA512: 445902e371abd59933981cf8cf559c605db415b9387f71a2a0c0292d20a576bf93764b26f8ca6ce8db342f84e38c295654bde4d50fb1a5e9abbf1ba4a8d7525b
- SSDEEP: 24576:FKcEoL0otaYtXMzSprkM4FqD5Bl0ZHqU+AjPo+5wj9I/q/13tdHbZKm51Ob83/EX:FxQ7YtFrkruBl0ZHdjzij9I/q/1XHNK1
Malware Config
Signatures
- Loads dropped Dex/Jar (1 TTPs, 2 IoCs)
  Runs executable file dropped to the device during analysis.
  Processes: com.phqm.obvo.onsd, com.phqm.obvo.onsd:daemon
    ioc                                             pid   process
    /data/user/0/com.phqm.obvo.onsd/app_mjf/dz.jar  4997  com.phqm.obvo.onsd
    /data/user/0/com.phqm.obvo.onsd/app_mjf/dz.jar  5100  com.phqm.obvo.onsd:daemon
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) (1 TTPs)
- Queries account information for other applications stored on the device (1 TTPs, 1 IoCs)
  Application may abuse the framework's APIs to collect account information stored on the device.
  Processes: com.phqm.obvo.onsd
    description             ioc                                                 process
    Framework service call  android.accounts.IAccountManager.getAccountsAsUser  com.phqm.obvo.onsd
- Queries information about running processes on the device (1 TTPs, 1 IoCs)
  Application may abuse the framework's APIs to collect information about running processes on the device.
  Processes: com.phqm.obvo.onsd
    description             ioc                                                 process
    Framework service call  android.app.IActivityManager.getRunningAppProcesses  com.phqm.obvo.onsd
- Domain associated with commercial stalkerware software, includes indicators from echap.eu.org (1 IoCs)
  Processes:
    flow  ioc
    28    alog.umeng.com
- Queries information about active data network (1 TTPs, 1 IoCs)
  Processes: com.phqm.obvo.onsd
    description             ioc                                                  process
    Framework service call  android.net.IConnectivityManager.getActiveNetworkInfo  com.phqm.obvo.onsd
- Queries information about the current Wi-Fi connection (1 TTPs, 1 IoCs)
  Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
  Processes: com.phqm.obvo.onsd
    description             ioc                                              process
    Framework service call  android.net.wifi.IWifiManager.getConnectionInfo  com.phqm.obvo.onsd
- Queries the unique device ID (IMEI, MEID, IMSI) (1 TTPs)
- Reads information about phone network operator. (1 TTPs)
- Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTPs, 1 IoCs)
  Processes: com.phqm.obvo.onsd
    description             ioc                                          process
    Framework service call  android.app.IActivityManager.registerReceiver  com.phqm.obvo.onsd
- Checks CPU information (2 TTPs, 1 IoCs)
Processes
- com.phqm.obvo.onsd
  - Removes its main activity from the application launcher
  - Loads dropped Dex/Jar
  - Queries account information for other applications stored on the device
  - Queries information about running processes on the device
  - Queries information about active data network
  - Queries information about the current Wi-Fi connection
  - Registers a broadcast receiver at runtime (usually for listening for system events)
  - Checks CPU information
- com.phqm.obvo.onsd:daemon
  - Loads dropped Dex/Jar
Downloads