Analysis
max time kernel: 179s
max time network: 178s
platform: android_x64
resource: android-x64-arm64-20240603-en
resource tags: android, arch:arm, arch:arm64, arch:x64, arch:x86, image:android-x64-arm64-20240603-en, locale:en-us, os:android-11-x64, system
submitted: 04-06-2024 16:47
Static task: static1
Behavioral task: behavioral1
  Sample: 9593080db00f63d0c50cf0e65d047d48_JaffaCakes118.apk
  Resource: android-x86-arm-20240603-en
Behavioral task: behavioral2
  Sample: 9593080db00f63d0c50cf0e65d047d48_JaffaCakes118.apk
  Resource: android-x64-20240603-en
General
Target: 9593080db00f63d0c50cf0e65d047d48_JaffaCakes118.apk
Size: 1.3MB
MD5: 9593080db00f63d0c50cf0e65d047d48
SHA1: e15a151d65307f1a36c6c3e16110cc981892a7d5
SHA256: c5f838031bed0eb95c285d23125b42edca38916ca6a6457c5440a2ca4f6fd944
SHA512: 445902e371abd59933981cf8cf559c605db415b9387f71a2a0c0292d20a576bf93764b26f8ca6ce8db342f84e38c295654bde4d50fb1a5e9abbf1ba4a8d7525b
SSDEEP: 24576:FKcEoL0otaYtXMzSprkM4FqD5Bl0ZHqU+AjPo+5wj9I/q/13tdHbZKm51Ob83/EX:FxQ7YtFrkruBl0ZHdjzij9I/q/1XHNK1
Malware Config
Signatures
Loads dropped Dex/Jar (1 TTPs, 2 IoCs)
Runs executable file dropped to the device during analysis.
Processes:
  ioc                                              pid   process
  /data/user/0/com.phqm.obvo.onsd/app_mjf/dz.jar   4485  com.phqm.obvo.onsd
  /data/user/0/com.phqm.obvo.onsd/app_mjf/dz.jar   4542  com.phqm.obvo.onsd:daemon
Note: app_mjf is the directory name Android's Context.getDir("mjf", ...) produces, so the payload sits in a directory the app created for itself inside its private data, where other apps cannot read it. Both the main process and the :daemon process load the same dz.jar; ddz.jar and tdz.jar (listed under Downloads) were dropped next to it but are not reported as loaded.
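The report identifies the loaded payload only by its path. On a device image or in a data-directory dump the extension tells you nothing, because DexClassLoader accepts either a raw .dex or any zip/jar that carries classes.dex. The Python below is an added example (not the sandbox's code) that classifies dropped files by content, hashes them, and checks each hash against the dz.jar SHA256 reported under Downloads; the sample files are constructed in memory and their paths are hypothetical.

```python
"""Triage dropped payload files the way a DexClassLoader would see them.

Added example for this report, not the sandbox's code. Sample files below are
constructed in memory; only the KNOWN_BAD hash comes from the report.
"""
import hashlib
import io
import zipfile
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# SHA256 of /data/user/0/com.phqm.obvo.onsd/app_mjf/dz.jar as listed under Downloads.
KNOWN_BAD_SHA256 = {
    "3dd88e4418bd4271af728fc6436c873a55e6b6f5c8ed241ee2cb0ee24fe3f7f3":
        "dz.jar loaded by com.phqm.obvo.onsd (pid 4485) and :daemon (pid 4542)",
}

DEX_MAGIC = b"dex\n"      # full magic: b"dex\n" + three ASCII version digits + NUL, e.g. b"dex\n035\0"
ZIP_MAGIC = b"PK\x03\x04"


@dataclass
class Verdict:
    path: str
    kind: str                       # "dex", "jar-with-dex", "zip-without-dex" or "other"
    sha256: str
    dex_members: List[str] = field(default_factory=list)
    known_bad: Optional[str] = None


def looks_like_dex(data: bytes) -> bool:
    """True for a raw DEX header regardless of the file's extension."""
    return (len(data) >= 8 and data.startswith(DEX_MAGIC)
            and data[4:7].isdigit() and data[7] == 0)


def classify_payload(path: str, data: bytes) -> Verdict:
    """Classify a dropped file by content, not by name.

    A file called *.jar may be a raw DEX or a zip containing classes.dex (both
    loadable), or a zip with no DEX member (not loadable code).
    """
    sha256 = hashlib.sha256(data).hexdigest()
    verdict = Verdict(path=path, kind="other", sha256=sha256,
                      known_bad=KNOWN_BAD_SHA256.get(sha256))
    if looks_like_dex(data):
        verdict.kind = "dex"
    elif data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                verdict.dex_members = [
                    name for name in zf.namelist()
                    if name.endswith(".dex") and looks_like_dex(zf.read(name))
                ]
        except zipfile.BadZipFile:
            pass                        # zip magic but no valid central directory: stays "other"
        else:
            verdict.kind = "jar-with-dex" if verdict.dex_members else "zip-without-dex"
    return verdict


def make_dex_stub(version: bytes = b"035") -> bytes:
    # Constructed: only the 8-byte magic plus zero padding, enough for the header check.
    return DEX_MAGIC + version + b"\0" + b"\0" * 104


def make_zip(members: Dict[str, bytes]) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed stand-ins for files found in an app-private directory; hypothetical paths.
SAMPLES: Dict[str, bytes] = {
    "app_x/payload.jar": make_zip({"classes.dex": make_dex_stub(),
                                   "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n"}),
    "app_x/raw.jar": make_dex_stub(b"039"),             # raw DEX hiding behind a .jar name
    "app_x/assets.zip": make_zip({"data.bin": b"\x00\x01\x02"}),
    "databases/state.db": b"SQLite format 3\x00" + b"\x00" * 16,
    "app_x/truncated.jar": ZIP_MAGIC + b"\x00" * 4,     # zip magic, nothing behind it
}


def triage(samples: Dict[str, bytes]) -> Dict[str, Verdict]:
    return {path: classify_payload(path, data) for path, data in samples.items()}


if __name__ == "__main__":
    for v in triage(SAMPLES).values():
        flag = f"  KNOWN BAD: {v.known_bad}" if v.known_bad else ""
        print(f"{v.kind:16} {v.sha256[:16]}  {v.path} {v.dex_members}{flag}")
```

Run it against the real app_mjf contents pulled from a device and the dz.jar entry will light up on the hash; anything classified as "dex" or "jar-with-dex" that the manifest does not account for deserves the same scrutiny even when its hash is unknown.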
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) (1 TTPs)
Queries account information for other applications stored on the device (1 TTPs, 1 IoCs)
Application may abuse the framework's APIs to collect account information stored on the device.
Processes:
  description              ioc                                                   process
  Framework service call   android.accounts.IAccountManager.getAccountsAsUser    com.phqm.obvo.onsd
Queries information about running processes on the device (1 TTPs, 1 IoCs)
Application may abuse the framework's APIs to collect information about running processes on the device.
Processes:
  description              ioc                                                   process
  Framework service call   android.app.IActivityManager.getRunningAppProcesses   com.phqm.obvo.onsd
Domain associated with commercial stalkerware software, includes indicators from echap.eu.org (1 IoCs)
Processes:
  flow   ioc
  37     alog.umeng.com
Note: alog.umeng.com is a logging endpoint of the Umeng analytics SDK, and the dropped files under files/.umeng/, files/umeng_it.cache and files/mobclick_agent_cached_* show that SDK is bundled in the app. The sandbox flags the domain from the echap.eu.org indicator list, but Umeng is a general-purpose analytics SDK found in many benign apps, so this hit is a weak signal on its own; the dropped-and-loaded dz.jar above is the stronger indicator in this run.
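To turn a flow indicator like this into a detection, match hosts at label boundaries rather than by substring: a naive `"alog.umeng.com" in host` check would fire on notalog.umeng.com and on alog.umeng.com.attacker.example while a plain equality check would miss a subdomain. The Python below is an added example, not part of the report; the log line format and every line in it are constructed, and only alog.umeng.com is taken from the report.

```python
"""Match network events against a domain indicator without substring false positives.

Added example, not part of the sandbox report. The log format and all log
lines are constructed; only alog.umeng.com comes from the report.
"""
import re
from typing import Dict, List, Optional, Set
from urllib.parse import urlsplit

# Domain indicator reported for flow 37.
STALKERWARE_DOMAINS: Set[str] = {"alog.umeng.com"}

# Constructed line format: "<ts> pid=<n> proc=<name> <dns|http> <target>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+pid=(?P<pid>\d+)\s+proc=(?P<proc>\S+)\s+(?P<kind>dns|http)\s+(?P<target>\S+)$"
)

SAMPLE_LOG = """\
2024-06-04T16:48:01Z pid=4485 proc=com.phqm.obvo.onsd dns alog.umeng.com
2024-06-04T16:48:01Z pid=4485 proc=com.phqm.obvo.onsd http https://ALOG.umeng.com./log
2024-06-04T16:48:02Z pid=4542 proc=com.phqm.obvo.onsd:daemon dns cdn.alog.umeng.com
2024-06-04T16:48:03Z pid=4485 proc=com.phqm.obvo.onsd dns notalog.umeng.com
2024-06-04T16:48:03Z pid=4485 proc=com.phqm.obvo.onsd dns alog.umeng.com.attacker.example
2024-06-04T16:48:04Z pid=1201 proc=com.android.chrome dns connectivitycheck.gstatic.com
this line is not in the expected format
"""


def normalize_host(target: str) -> str:
    """Lower-case, reduce a URL to its host, and drop a trailing root dot."""
    value = target.strip().lower()
    if "://" in value:
        value = urlsplit(value).hostname or ""
    return value.rstrip(".")


def match_domain(target: str, indicators: Set[str]) -> Optional[str]:
    """Return the indicator hit by `target`: exact match or a subdomain of it.

    endswith("." + ioc) keeps notalog.umeng.com out and lets cdn.alog.umeng.com
    in; the equality check covers the bare domain itself.
    """
    host = normalize_host(target)
    for ioc in indicators:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


def scan_log(text: str, indicators: Set[str] = STALKERWARE_DOMAINS) -> Dict[str, List[dict]]:
    """Group matching events by indicator; unparseable lines go under "_unparsed"."""
    hits: Dict[str, List[dict]] = {ioc: [] for ioc in indicators}
    hits["_unparsed"] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            hits["_unparsed"].append({"line": line})
            continue
        ioc = match_domain(m["target"], indicators)
        if ioc:
            hits[ioc].append({"ts": m["ts"], "pid": int(m["pid"]), "proc": m["proc"],
                              "kind": m["kind"], "target": m["target"]})
    return hits


if __name__ == "__main__":
    for ioc, events in scan_log(SAMPLE_LOG).items():
        print(ioc, len(events))
        for e in events:
            print("   ", e)
```

Treating subdomains as hits is a deliberate choice for domain indicators; if a list contains apex domains shared with benign traffic, keep a per-indicator flag and require an exact match for those entries instead.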
Queries information about active data network (1 TTPs, 1 IoCs)
Processes:
  description              ioc                                                    process
  Framework service call   android.net.IConnectivityManager.getActiveNetworkInfo  com.phqm.obvo.onsd
Queries information about the current Wi-Fi connection (1 TTPs, 1 IoCs)
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
Processes:
  description              ioc                                                    process
  Framework service call   android.net.wifi.IWifiManager.getConnectionInfo        com.phqm.obvo.onsd
Reads information about phone network operator. (1 TTPs)
Checks CPU information (2 TTPs, 1 IoCs)
Processes
com.phqm.obvo.onsd
  - Removes its main activity from the application launcher
  - Loads dropped Dex/Jar
  - Queries account information for other applications stored on the device
  - Queries information about running processes on the device
  - Queries information about active data network
  - Queries information about the current Wi-Fi connection
  - Checks CPU information
com.phqm.obvo.onsd:daemon
  - Loads dropped Dex/Jar
Downloads
Note: databases/lezzd-journal (the SQLite rollback journal for the lezzd database) is listed six times with different sizes and hashes; these are separate captures taken while the app was writing to the database, not duplicate entries.

/data/user/0/com.phqm.obvo.onsd/app_mjf/ddz.jar
  Filesize: 105KB
  MD5: 23ba0b249042b7ba33e92c0199b0ea4a
  SHA1: 99b13ee9f7307316c2337953fceed87e9942b794
  SHA256: 1ed0751a141b17c80a921f5e8ba90c66a56b8e73156f5cbe133b57d550ca4ef2
  SHA512: 0cc88e2b7c2ffa4db274d690e3bf12098ec804b9fcd9e92b57d2fa0c4161031d2e84c91d86ba8e2b6e8b4837852defa099333f76bcd454c67b31632d0cdd4861

/data/user/0/com.phqm.obvo.onsd/app_mjf/dz.jar
  Filesize: 248KB
  MD5: a54a18b58c6720991c021f433dfb2a46
  SHA1: d2ffa07919f92b6e04914e39843f08fdb2a75b68
  SHA256: 3dd88e4418bd4271af728fc6436c873a55e6b6f5c8ed241ee2cb0ee24fe3f7f3
  SHA512: e4a51b2462b247b1e5fbd947d06a2eba334f18398daadacbabcb4185f4255f05c22d656a8837a6088ffbdcaedfbdfbd8281c5dad4880c4e5021571e3fefc88cc

/data/user/0/com.phqm.obvo.onsd/app_mjf/tdz.jar
  Filesize: 105KB
  MD5: 293ea5f01e27975bed5179ba79d80eac
  SHA1: c5b0806a537fd1cb753e11f1a9684933317716b8
  SHA256: 8d86de68978e859c8262c0d0e932d3a1d57457b57ce88940620befab1bcead5b
  SHA512: c7cd2881367fdf95ec4151449b359decdae1adf136388edbaaa9880c7ebd14fb3579e7a15600a856988c55d207f7ba1fd7d938f4d9168aba8a7ff1c3029d6b53

/data/user/0/com.phqm.obvo.onsd/databases/lezzd
  Filesize: 28KB
  MD5: fdb8a92e5060ce104e8f0faca55a47ce
  SHA1: 270d7ca30673e18cec1d2b9add71cba96dc426fe
  SHA256: 194b40a3911f23ea75c8f4543a13c1236ae15b02c0228a080615a1012f60e05a
  SHA512: ad962634ddd027403b5677a9ca979763071ef4a9b6f0127b0c1fd4b3a8bc51f5c4fa71245c301d0dbbf60e18953a94621715ce3ca4addef82b18030e3d718122

/data/user/0/com.phqm.obvo.onsd/databases/lezzd-journal
  Filesize: 8KB
  MD5: 020b9f1f020608fe8ea692f8c004a535
  SHA1: 0cdaf3ab5fc28c2e568c1c9fd0b0209e3c6e09ea
  SHA256: 3c6124b4d065f42107de93cfb88b802f4a04777b23aa3a49f69c61b145aff033
  SHA512: 926c55373e347075eb141adb0a1024e31a8a1a2c6568f7c74346f99bb27f7c5aa1a340403a59c81cc8d34f69783e9528c58bb03845a5e884ef1914d687e71f6b

/data/user/0/com.phqm.obvo.onsd/databases/lezzd-journal
  Filesize: 512B
  MD5: 484bc1e641077e6d9d5a247d48ab6a84
  SHA1: 7d8f3c71518003634873eba0c2d8f81a7258ea6d
  SHA256: f0f4012bb7552072469a413e6455b94ba3a4dd69d55937c9fa308a2573559057
  SHA512: d1cbc7883b9569cee9480cb988d3940c856e5081c5ee1324ce1309ccea1ae7a9d41ce855d2c0b4cc32c1ef7fd71560c0c2136664fca19ac29c82322c1d1b589b

/data/user/0/com.phqm.obvo.onsd/databases/lezzd-journal
  Filesize: 8KB
  MD5: c396b7fd19c4f914801241fe9b2c7e4d
  SHA1: 53f4fd5530fc29a6ebb695ed895f50f30ca1950c
  SHA256: de172d6167a0abf86505203b6fe706b2ed89532eff8675208ad3945fc707a178
  SHA512: a9339f03e57209fead61fde65cfd600aaa1d25a68851ebfc344ae1a9125fa340d30a7167a4a05a4738468da3f07f5402777dcaa2d7452588cf29ac9024315c6e

/data/user/0/com.phqm.obvo.onsd/databases/lezzd-journal
  Filesize: 4KB
  MD5: 41aaf2d5e08c8756a54b71f0ce50623a
  SHA1: f75d66777a3b17c79a6e2cc55a13221a0c1f1433
  SHA256: d160b38af4d6504b273199d32bd6206af32b573e8579cc2bfb18383432a43f59
  SHA512: 8fef9042c74278e65a009d350011d094ca67d8c80be37c2758b88f13f89fda1d18729acb3438e9b8c540c1d1209f00533c7f84f2eae7c51a26a9707692584384

/data/user/0/com.phqm.obvo.onsd/databases/lezzd-journal
  Filesize: 8KB
  MD5: 61b3263ce93b7e3a071f07f6c663449f
  SHA1: d39c82b800ffc31579c1d19fa935e2c10e59ecb1
  SHA256: e0d8999f9ace0788ba25f5ea69c6eb2cfd48bc7e7f00d4e10c280e526f3f5870
  SHA512: ca8dba8454d9dcc04c4a9e99047301d8843b9e8ac8e858e2514dca8c8a859f5841bf163aeb0eb9efe6cf3eb959ad7697538fad5e6836d06bd6c3f43f86d53566

/data/user/0/com.phqm.obvo.onsd/databases/lezzd-journal
  Filesize: 8KB
  MD5: 4732b9ab25975d3a50ea6f7864a0b317
  SHA1: ff449a3525e63cedc44d4fde4960b714745cc4f4
  SHA256: 98bddaee7afeed1672799378803b3e9a5146a3a5d4094e4787cd997fa91df751
  SHA512: 7f3c7ab0fe31e95f65d603981599c303f583c3bfcbeae2fcdbdc7305b124f925d133b13e254f644f8d84e661035a2c8670aec58be9e5465fd072048cebb1d5b5

/data/user/0/com.phqm.obvo.onsd/files/.um/um_cache_1717519794365.env
  Filesize: 649B
  MD5: 69e835c6831668de22280733c7bfbec1
  SHA1: 879f5a33ba7d4c401d8d19ccc4a03e4835ad840f
  SHA256: 23245ef76c81010bc153f9818794ebf3c308a1db67de4aa1eee962951ab1eca9
  SHA512: 08a065bf789690364dd4a6e247f0de0b8f9d237f1b84f88af831e28054a5872f49882ebfb69c7674b8f5459ead9411196fb64333449e3832c4025e1b495779ac

/data/user/0/com.phqm.obvo.onsd/files/.umeng/exchangeIdentity.json
  Filesize: 162B
  MD5: 14645e199052d97ca4b3f7b52bca8a98
  SHA1: 31c463bb8b35bf41de79a908400549b9521db793
  SHA256: cc9da2a0884a177c1be8f552b03242a21d214f8b89f4d049020dc04d82141155
  SHA512: 9813a711512ab2eb372010f605ea32b33de2356e2bd625325e8b3fff10cd3ab078f7141fea10a91500983f548e866f0bf19a9193acf8363a77c8232e17281ecb

/data/user/0/com.phqm.obvo.onsd/files/mobclick_agent_cached_com.phqm.obvo.onsd1
  Filesize: 785B
  MD5: 3cdd0efb9c08189bf31779fc1f3ef3fe
  SHA1: 467e889f578ac73dda0df47ce2e5c569fc628d51
  SHA256: c7bad8637bd8effd7c385e89c8c0999b8b17552caa47361a16408d580511ff2e
  SHA512: 3df390c0c98ebc9fffb41073b9e47a50ca854028f4d3beffbe7d1312d4a478906321f592b0a5f5ec354ccc4b7700b6b68b6dad7f1e8c073eede66a5e30eac0d1

/data/user/0/com.phqm.obvo.onsd/files/umeng_it.cache
  Filesize: 344B
  MD5: 49abfeceb3df29a3503803bdf8361e52
  SHA1: c408ca8d67eb398f49780e56aac3a4025c089c1d
  SHA256: 97c40ab6f8aaf61659fc5ab4a408fb414fb7b71d449c608c6dc58ae23f991b73
  SHA512: aa052bfe4ad9f819e24b1ad91fbfa5e841c6af89afdd8891be9257806d03f73790f0defe5ef607391406665b49f741ad8dd8e3ac8a379067524c98ef3d98a6b2