Analysis
- max time kernel: 12s
- max time network: 139s
- platform: android_x86
- resource: android-x86-arm-20240603-en
- resource tags: android, arch:arm, arch:x86, image:android-x86-arm-20240603-en, locale:en-us, os:android-9-x86, system
- submitted: 05/06/2024, 12:22
Static task
static1
Behavioral task
behavioral1
Sample
98259a82fe4baeeddfa28d2d623646ae_JaffaCakes118.apk
Resource
android-x86-arm-20240603-en
Behavioral task
behavioral2
Sample
plugin-deploy.apk
Resource
android-x86-arm-20240603-en
Behavioral task
behavioral3
Sample
plugin-deploy.apk
Resource
android-x64-20240603-en
Behavioral task
behavioral4
Sample
plugin-deploy.apk
Resource
android-x64-arm64-20240603-en
General
- Target: 98259a82fe4baeeddfa28d2d623646ae_JaffaCakes118.apk
- Size: 22.5MB
- MD5: 98259a82fe4baeeddfa28d2d623646ae
- SHA1: 9d54e33f85513b124794ee6fccd0610df7592ac1
- SHA256: cfb2633b38c78083cca88ca9df54a2b7f9efd9085ef6f5f03e97f42b755d8954
- SHA512: 60bbf9e70638034b04e8af0d1d41ada960367fec50a61dc6655e1d0c79acdf7b18dd78206dff0e4080f06b3c9a5b7c4b95eed955aa30b02420336288960a7607
- SSDEEP: 393216:wrph/2jIpRFkvMr6oSF4Eau1FPUXN4hZHn3H0ab4V3eqKuGMmpZYnQBgLOQ8:Cph/jpRFkvaJSF4MtUXN4hOab4IqHnAf
Malware Config
Signatures
-
Loads dropped Dex/Jar 1 TTPs 8 IoCs
Runs executable file dropped to the device during analysis.
ioc | pid | Process
/data/data/cn.qcast.snowman/dex/qcast_sdk_core_server.dex | 4399 | cn.qcast.snowman:castlinkerservice (4 identical rows)
/data/data/cn.qcast.snowman/dex/qcast_sdk_core_server.dex | 4518 | cn.qcast.snowman:castlinkerservice (4 identical rows)
All eight IoCs are the same file: one DEX in the app's own private data directory, loaded by both castlinkerservice instances. Code loaded this way is not covered by the APK signature, so it can change without the installed package changing. The path is the app's private storage rather than shared or external storage, which is the less severe variant of the pattern; whether the DEX was unpacked from the APK's assets or fetched over the network is not established by this report.
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Domain associated with commercial stalkerware software, includes indicators from echap.eu.org 1 IoCs
flow | ioc
12 | alog.umeng.com
alog.umeng.com is the reporting endpoint of the Umeng (Alibaba) mobile analytics SDK, which is embedded in a large share of Chinese-market apps. It appears on the echap.eu.org stalkerware indicator list because stalkerware apps ship that SDK as well, so on its own it is a weak indicator and should be weighed with the rest of the observed behaviour.
Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
description | ioc | Process
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | cn.qcast.snowman:castlinkerservice
getConnectionInfo returns the current SSID and BSSID among other fields; the BSSID is a coarse location signal. Since Android 8.1 the SSID/BSSID fields are only populated when the app holds a location permission, so check which permissions the APK declares before rating this finding.
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
description | ioc | Process
Framework service call | android.app.IActivityManager.registerReceiver | cn.qcast.snowman:castlinkerservice
A receiver registered at runtime does not appear in the manifest, so a manifest-only static review will not show which broadcasts this process listens for; the intent filter has to be recovered from the code or from the runtime trace.
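The Python triage helper below is an added example, not part of the sandbox report or of the sample: it parses the flattened "ioc pid Process" rows from the Loads dropped Dex/Jar signature and the flow/domain row into structured events, collapses the duplicate rows, rates where each loaded DEX came from (the loading package's own private directory, another package's private directory, external storage, or elsewhere), and suffix-matches contacted domains against an indicator list. The input rows are constructed from this report; the indicator set is a stand-in for the echap.eu.org feed, and its second entry is hypothetical.

```python
import re
from collections import defaultdict

# Constructed from the report's "Loads dropped Dex/Jar" IoC row
# (the same event is listed four times per PID, as in the report).
DEX_IOC_TEXT = " ".join(
    ["/data/data/cn.qcast.snowman/dex/qcast_sdk_core_server.dex 4399 cn.qcast.snowman:castlinkerservice"] * 4
    + ["/data/data/cn.qcast.snowman/dex/qcast_sdk_core_server.dex 4518 cn.qcast.snowman:castlinkerservice"] * 4
)

# Constructed from the report's "flow ioc" row (flow id, domain).
FLOW_IOC_TEXT = "12 alog.umeng.com"

# Stand-in indicator set; the first entry is the domain the report attributes
# to the echap.eu.org list, the second is hypothetical.
STALKERWARE_DOMAINS = {"alog.umeng.com", "example-stalker.invalid"}

DEX_ROW = re.compile(r"(\S+\.(?:dex|jar|apk|zip))\s+(\d+)\s+(\S+)")
FLOW_ROW = re.compile(r"(\d+)\s+([A-Za-z0-9.-]+)")


def parse_dex_iocs(text):
    """Split the flattened 'ioc pid Process' run into (path, pid, process) triples."""
    return [(path, int(pid), proc) for path, pid, proc in DEX_ROW.findall(text)]


def dex_by_pid(events):
    """Collapse duplicate rows: PID -> set of distinct dropped code files it loaded."""
    out = defaultdict(set)
    for path, pid, _ in events:
        out[pid].add(path)
    return dict(out)


def package_of(process):
    """'cn.qcast.snowman:castlinkerservice' -> 'cn.qcast.snowman' (drop android:process suffix)."""
    return process.split(":", 1)[0]


def classify_dex_path(path, process):
    """Rate the origin of dynamically loaded code.

    own_private_dir: still bypasses APK signature verification, but only the app
      itself can write there.
    other_app_private_dir / external_storage: writable by another principal, so
      a code-injection vector on top of the signature bypass.
    """
    pkg = package_of(process)
    m = re.match(r"/data/(?:data|user/\d+)/([^/]+)/", path)
    if m:
        return "own_private_dir" if m.group(1) == pkg else "other_app_private_dir"
    if path.startswith(("/sdcard/", "/storage/", "/mnt/")):
        return "external_storage"
    return "other"


def parse_flows(text):
    return [(int(fid), dom) for fid, dom in FLOW_ROW.findall(text)]


def match_domains(flows, indicators):
    """Exact or suffix match, so sub.alog.umeng.com also hits an alog.umeng.com indicator."""
    hits = []
    for fid, dom in flows:
        for ind in indicators:
            if dom == ind or dom.endswith("." + ind):
                hits.append((fid, dom, ind))
    return hits


def triage(dex_text=DEX_IOC_TEXT, flow_text=FLOW_IOC_TEXT, indicators=STALKERWARE_DOMAINS):
    events = parse_dex_iocs(dex_text)
    distinct = sorted({(p, i, r) for p, i, r in events}, key=lambda e: e[1])
    findings = [{"pid": pid, "process": proc, "path": path,
                 "origin": classify_dex_path(path, proc)} for path, pid, proc in distinct]
    return {"raw_rows": len(events), "distinct": findings, "per_pid": dex_by_pid(events),
            "domain_hits": match_domains(parse_flows(flow_text), indicators)}


if __name__ == "__main__":
    r = triage()
    print(f"{r['raw_rows']} rows -> {len(r['distinct'])} distinct dropped-code loads")
    for f in r["distinct"]:
        print(f"  pid {f['pid']} {f['process']} loaded {f['path']} [{f['origin']}]")
    for fid, dom, ind in r["domain_hits"]:
        print(f"  flow {fid}: {dom} matches indicator {ind}")
```

On this report the helper reduces the eight rows to two loads of one file, both rated own_private_dir, and reports the single domain hit; the origin rating is what separates an app unpacking its own plugin from an app executing code another process could have replaced.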
Processes
- cn.qcast.snowman PID:4226
- cn.qcast.snowman:castlinkerservice PID:4399
  - Loads dropped Dex/Jar
- cn.qcast.snowman:sandboxed_process0 PID:4433
- cn.qcast.snowman:sandboxed_process1 PID:4445
- cn.qcast.snowman:castlinkerservice PID:4518
  - Loads dropped Dex/Jar
  - Queries information about the current Wi-Fi connection
  - Registers a broadcast receiver at runtime (usually for listening for system events)
The castlinkerservice process ran twice during the analysis (PID 4399, then PID 4518) and loaded the dropped DEX both times. The :sandboxed_process0 and :sandboxed_process1 entries are the isolated WebView renderer processes Android spawns for an app that hosts a WebView, so the app also displays web content.
Network
MITRE ATT&CK Mobile v15
Downloads
-
Filesize 256KB
MD5 61f1d8c51b85db21799a1439fdc32179
SHA1 b466a366fe09bb474d27eece29aee1e025d3249c
SHA256 2dc90abd8b7a95e740202a1eb1a5ab4f84aa83a2b8175553297d75b08a0aca5a
SHA512 e749f3fccee3bcdf8ee4e93d073ed3f9888858913f146fc61ed9fb7a50b12980c5ba5e931d6134d2b8c2820637a9ae5f328c5235c86d1652154353433ac574e3
-
Filesize 20KB
MD5 8abe7714524b685dd33a26f2146a29f0
SHA1 fbb8c6166e6c9f8457947fb16a73d14005a50389
SHA256 a7c606f1d3bc7ee848bc9a4b25fed2063d07270659a09b1fd85281606849ce93
SHA512 4806d0b1a4e3f4dfe92f3a5e448185844e8dfaecdbcb4ec851cd61d6c851bed06671f67505967ef1e0d06fe0b7ed1b561df863e2ff2fab06d197c8c36004d0df
-
Filesize 2KB
MD5 6ac16cf569886dbc8344e8ed665a43b8
SHA1 ff3fc8808806b83cabccbff52bb60bdfa2923b4b
SHA256 f93fa469afa7a0f5b671dedc7be7b52da8c0df3e8a1d90dc3620149741dd550d
SHA512 3c166fb237cfa195d32653be23fdc329c41a95b4f4b526ab90a0b82e4bb1129f0766f5431bbe68f8d55bc439f5378b099de2b2bb8ae5bc39f8cf3dc2299ac22f
-
Filesize 28KB
MD5 670d8bc46551c40a1fb9ff8ec4b72092
SHA1 82253b089122b4d8c7ae61dbbeabd9d037ddd49c
SHA256 ca2684e4da544d08c906c70f147d8dbc91da3a7972d255e6a00e1c99419f78e2
SHA512 4977d35230c533e26162cb0e4da38345a23a87ff41510685e755a52152fc78d0b027e8e8942fe10ae28fe332b16bb9a7ba0c0644ec0efd635d579515c3d5df67
-
Filesize 512B
MD5 cd0a9cba8800f09f18b7a2f473176bdb
SHA1 6d11eaf681f1fe6955ab0a742a30f1eaf3e45a63
SHA256 3577db9a8842610ca978a08a6206e37e2ed288531bd4c9c2a481259818b0279d
SHA512 2ef89553a8e0beb4711e37dca08e370a6f67c5b57e696b10cfa0208adcf3c66c0d18cc647d73c86c634512b8dc8368612ef7bed198da9cc05407bcf53d3be63b
-
Filesize 32KB
MD5 522d31f6bc9452ce917a9e315e215ea0
SHA1 c0e5c7624eff196c9174a22d738155188a6d7785
SHA256 3a670333fd55b7b72fe4a125b978ec2a4b77a04ab419a8f2d24b4229e12ad9d7
SHA512 7e933a72aa7c8f283100f535b231ce5edebc5c57fe2865a38b91133a50888142b00838ca12f208219dde71b01fd5c92d96213042d17337f0904a8a14528df0d8
-
Filesize 12KB
MD5 be9a7db36ad0caeb5cfde8c5bec0659c
SHA1 fe58521de39e986b4a9e381823cc7df774b21ce2
SHA256 2d5eccf2a690c2be1d8b03e516fca7e4792ec096985639e123d0c20fb79e14ec
SHA512 e36071d580d434346085669b740809b8ef90de57334020a414e718801e627b7cc4c37ef3fc54b7fd01577e15318bb638df716b45ad425954783cb43459607041
-
Filesize 394KB
MD5 bd91fdb7782acc7e9f4727d8d97fe6fc
SHA1 bd01dc79a2f64c4d80e3710202c745b503a94cdc
SHA256 55da7214f348176a0deda2b58109089363196cf7780b665318dff8184168f448
SHA512 27d7ddcaa1820ec11522addb5948db502a33c4881ab960e59d4f96d3d553b3349cbae5bfa3a9d2430002be28526906e579be63eac86e1a731c4ef8f35f66b2e3