Analysis
-
max time kernel
178s -
max time network
181s -
platform
android_x64 -
resource
android-x64-arm64-20240603-en -
resource tags
android, arch:arm, arch:arm64, arch:x64, arch:x86, image:android-x64-arm64-20240603-en, locale:en-us, os:android-11-x64, system -
submitted
05-06-2024 00:17
Static task
static1
Behavioral task
behavioral1
Sample
96bc915d76ea99ec620669e6110d69c4_JaffaCakes118.apk
Resource
android-x86-arm-20240603-en
Behavioral task
behavioral2
Sample
96bc915d76ea99ec620669e6110d69c4_JaffaCakes118.apk
Resource
android-x64-20240603-en
General
-
Target
96bc915d76ea99ec620669e6110d69c4_JaffaCakes118.apk
-
Size
1.3MB
-
MD5
96bc915d76ea99ec620669e6110d69c4
-
SHA1
955591102ba2c78af6d485eb4d0c07a259c1e032
-
SHA256
88a7e7a00810df1b5364458c66ccaf38cda9c6bc7494dbe0354c6fd25b7412b9
-
SHA512
3d78469556775b36718b89e94acbe0ec59ab4ac9bd0dd1e24836c107a8a4dccedb959e5d1e2178e585e303b9bf884f23c6029601967e313acdee1156ff1ea48f
-
SSDEEP
24576:VoL0otaYtXMhen8X3lUKfcfIkuovSp04jDo+f8jf6Zq/13tdHbZKm51Ob83G:mQ7YtyX1wvTvSpbjPkjf6Zq/1XHNKmji
Malware Config
Signatures
-
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs executable file dropped to the device during analysis.
Processes:
ioc | pid | process
/data/user/0/com.lwqv.qkqh.epde/app_mjf/dz.jar | 4584 | com.lwqv.qkqh.epde
/data/user/0/com.lwqv.qkqh.epde/app_mjf/dz.jar | 4642 | com.lwqv.qkqh.epde:daemon
-
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries account information for other applications stored on the device 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect account information stored on the device.
Processes:
description | ioc | process
Framework service call | android.accounts.IAccountManager.getAccountsAsUser | com.lwqv.qkqh.epde
-
Queries information about running processes on the device 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about running processes on the device.
Processes:
description | ioc | process
Framework service call | android.app.IActivityManager.getRunningAppProcesses | com.lwqv.qkqh.epde
-
Domain associated with commercial stalkerware software, includes indicators from echap.eu.org 2 IoCs
Processes:
flow | ioc
37 | alog.umeng.com
53 | alog.umeng.com
-
Queries information about active data network 1 TTPs 1 IoCs
Processes:
description | ioc | process
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | com.lwqv.qkqh.epde
-
Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
Processes:
description | ioc | process
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | com.lwqv.qkqh.epde
-
Reads information about phone network operator. 1 TTPs
-
Checks CPU information 2 TTPs 1 IoCs
Processes
-
com.lwqv.qkqh.epde
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Queries account information for other applications stored on the device
- Queries information about running processes on the device
- Queries information about active data network
- Queries information about the current Wi-Fi connection
- Checks CPU information
-
com.lwqv.qkqh.epde:daemon
- Loads dropped Dex/Jar
Network
MITRE ATT&CK Matrix
Downloads
-
/data/user/0/com.lwqv.qkqh.epde/app_mjf/ddz.jar
Filesize 105KB
MD5 23ba0b249042b7ba33e92c0199b0ea4a
SHA1 99b13ee9f7307316c2337953fceed87e9942b794
SHA256 1ed0751a141b17c80a921f5e8ba90c66a56b8e73156f5cbe133b57d550ca4ef2
SHA512 0cc88e2b7c2ffa4db274d690e3bf12098ec804b9fcd9e92b57d2fa0c4161031d2e84c91d86ba8e2b6e8b4837852defa099333f76bcd454c67b31632d0cdd4861
-
/data/user/0/com.lwqv.qkqh.epde/app_mjf/dz.jar
Filesize 248KB
MD5 a54a18b58c6720991c021f433dfb2a46
SHA1 d2ffa07919f92b6e04914e39843f08fdb2a75b68
SHA256 3dd88e4418bd4271af728fc6436c873a55e6b6f5c8ed241ee2cb0ee24fe3f7f3
SHA512 e4a51b2462b247b1e5fbd947d06a2eba334f18398daadacbabcb4185f4255f05c22d656a8837a6088ffbdcaedfbdfbd8281c5dad4880c4e5021571e3fefc88cc
-
/data/user/0/com.lwqv.qkqh.epde/app_mjf/tdz.jar
Filesize 105KB
MD5 293ea5f01e27975bed5179ba79d80eac
SHA1 c5b0806a537fd1cb753e11f1a9684933317716b8
SHA256 8d86de68978e859c8262c0d0e932d3a1d57457b57ce88940620befab1bcead5b
SHA512 c7cd2881367fdf95ec4151449b359decdae1adf136388edbaaa9880c7ebd14fb3579e7a15600a856988c55d207f7ba1fd7d938f4d9168aba8a7ff1c3029d6b53
-
/data/user/0/com.lwqv.qkqh.epde/databases/lezzd
Filesize 28KB
MD5 fdb8a92e5060ce104e8f0faca55a47ce
SHA1 270d7ca30673e18cec1d2b9add71cba96dc426fe
SHA256 194b40a3911f23ea75c8f4543a13c1236ae15b02c0228a080615a1012f60e05a
SHA512 ad962634ddd027403b5677a9ca979763071ef4a9b6f0127b0c1fd4b3a8bc51f5c4fa71245c301d0dbbf60e18953a94621715ce3ca4addef82b18030e3d718122
-
/data/user/0/com.lwqv.qkqh.epde/databases/lezzd-journal
Filesize 8KB
MD5 7a1389efb2adc46b5da69581030f3a59
SHA1 3b300c9ebf95ae337f83ba7253606e8106f1f081
SHA256 e3cd5045a9a96c53c7b0d98078f375be1088d18e8223f50dad3fb3e843642d86
SHA512 360748c7e537e9146656f855d6b73fab30c0d0b8d82881ac0f29dfd8c1bd27e9e438a5ab2df610439cc45e12a9cf349db5797da1a419cc38eef9462f0e38725a
-
/data/user/0/com.lwqv.qkqh.epde/databases/lezzd-journal
Filesize 512B
MD5 2b689ed0cd3362a660db41f3f66953bb
SHA1 e58bcae51f729b83eca622b6aaad188e2ad7c78f
SHA256 351e6c6866ad1ffd10a1674e27342bca46bc965198e766bd25c7c6f704c190cc
SHA512 c77ae2497990c7868cd62e7e09f86b62e12c366028fefb14dfc78d3d332168c1f9500911183dd571c1cbe011c622a8bfb00b191113966641028dd329ae151a84
-
/data/user/0/com.lwqv.qkqh.epde/databases/lezzd-journal
Filesize 8KB
MD5 b184c872b7de0f9b6325cba6bbdc49c5
SHA1 932491433a6abc03134d5cb37465956306e8d193
SHA256 807f3294726ae735d88f3a76b7c2a593a1a5854f1d9aef8710f600364ffc39b8
SHA512 f126a887051d316211b4d0f3225ebfe4278063a3dfec8877552812f712bcc6c59a6d275a2ca96283d8cf95940a34e8385c6ce15dca78b8019e99b33259cfb51a
-
/data/user/0/com.lwqv.qkqh.epde/databases/lezzd-journal
Filesize 4KB
MD5 699194eb35b52cd894b0c4a816245f22
SHA1 722a6ff08dd92b136b0cacc5dbf1dfef6fab4d95
SHA256 e28b3b4cb1654ef35bcdd943eee497aa6a9c1634726f028f518a12956bfa9ef2
SHA512 c442eb3128c64d42f9bd8a1b198ab09d44219b3234e68026a686b1ef0f52afdd6f19e656bb599d89937a3145e41499bfa6dcac1f0ab73f0108a6830ba447b2b8
-
/data/user/0/com.lwqv.qkqh.epde/databases/lezzd-journal
Filesize 8KB
MD5 e3d7ad8f813d4991c6040e61baec5428
SHA1 792a94d954a8eb4c7ef16706985d5029faf80dbd
SHA256 e49b89e92d3ced806301f1153d97128301522ea1b4d6e946bc01b29f1e5e1b6d
SHA512 bdee8d941b78ca4ed54f3be11dd8c5e5ea38801873057f4ef97a9577b869a17f1a0bc03bda3aff3d8ed2b1c6d5b9b92b08e6cc65c6d11240c0f9cf08eeb6a95a
-
/data/user/0/com.lwqv.qkqh.epde/databases/lezzd-journal
Filesize 8KB
MD5 337f5c25c60fb16b81a295969e76a944
SHA1 ed7bdf7866eb20cf953d3fac34c076c3bcb2f2c8
SHA256 b512165f52b953e4fdf8ad154919ece47c44d532445215c819a7392a9a73f5ff
SHA512 2e618973e37382803681b254f5ed00224e7755ee88fb65b9b1016322c4de99ef5ee59e68b3554f3de901951c7e7ba84d5b6f66c2d5db4fc290a5138e18e47c33
-
/data/user/0/com.lwqv.qkqh.epde/files/.um/um_cache_1717546801543.env
Filesize 656B
MD5 59ad9faf97ecf2d43b8c70bc48623d5c
SHA1 93cd6224861b1702e5198e54ee36aaf5ac79a531
SHA256 ce296044aa5320b7912b989e176b7f1936f41bb72dc3c2d9c744ac3aa82cab41
SHA512 3a1ebcafc3c4b167e0c49b4f22217558276c28cba026f137b5a5daecca7a6646571f94992f8579c0dd1621bac60dcc966513b20cf6b74407fdbf23673677d425
-
/data/user/0/com.lwqv.qkqh.epde/files/.umeng/exchangeIdentity.json
Filesize 162B
MD5 a53c14cc8e9428afa5f477e03ff6e6cd
SHA1 1ffcf4b110e538b68eef0d98dd4528493bd2c773
SHA256 9a30986229cdcf84926b01cc6703dc7aa60dd86bdf5034c4fa4eeb4c3642e26e
SHA512 3ef649ff1601b628c3e2f1d6f647554c13c2a3a63913f5190bfe42642f16ce86145ce64cd5f4309bb1cb532d8eb324a0ef3ffa09f2f261049be4da5308b20090
-
/data/user/0/com.lwqv.qkqh.epde/files/mobclick_agent_cached_com.lwqv.qkqh.epde1
Filesize 791B
MD5 2445599aeaf1b08ca1fd7bd230d23118
SHA1 b0b92c412b8e7f4877e75d8c995cb87ee4fd8ce0
SHA256 4f5ec4575776e7579448137eb1b556e96bebd6f59eec4f62831bf3a5b287e22f
SHA512 e7a61670b54214db42d7a4cf4243765e28246d28304d10f95798eb9b4183091b8f9b575be8bcf65e0a614e75a14a58906d3bbc83ce238c5406f5a706ae3b873a
-
/data/user/0/com.lwqv.qkqh.epde/files/umeng_it.cache
Filesize 348B
MD5 bf488c989feb7d6b4227c8f57faba9a1
SHA1 12f869d67c53f6fc375498349f6f98dae1d5f42f
SHA256 69ce2bfc181d22974f1933eb45ab6ecfbba977af882c250de453d8d10b1def71
SHA512 924368f48ecd1937b4810f26e7ff9e8a531a26a2d5b337547a494ef328468a19baf4b4461d92f86b3cdd5e56d2149e4d3e5e2b4caf4fad49edfa03d368dc687d