cfb2633b38c78083cca88ca9df54a2b7f9efd9085ef6f5f03e97f42b755d8954

General

Target

98259a82fe4baeeddfa28d2d623646ae_JaffaCakes118.apk
Size

22.5MB
MD5

98259a82fe4baeeddfa28d2d623646ae
SHA1

9d54e33f85513b124794ee6fccd0610df7592ac1
SHA256

cfb2633b38c78083cca88ca9df54a2b7f9efd9085ef6f5f03e97f42b755d8954
SHA512

60bbf9e70638034b04e8af0d1d41ada960367fec50a61dc6655e1d0c79acdf7b18dd78206dff0e4080f06b3c9a5b7c4b95eed955aa30b02420336288960a7607
SSDEEP

393216:wrph/2jIpRFkvMr6oSF4Eau1FPUXN4hZHn3H0ab4V3eqKuGMmpZYnQBgLOQ8:Cph/jpRFkvaJSF4MtUXN4hOab4IqHnAf

Score

7^/10

banker discovery evasion persistence

Malware Config

Signatures

Loads dropped Dex/Jar 1 TTPs 8 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/data/cn.qcast.snowman/dex/qcast_sdk_core_server.dex	4399	cn.qcast.snowman:castlinkerservice
/data/data/cn.qcast.snowman/dex/qcast_sdk_core_server.dex	4399	cn.qcast.snowman:castlinkerservice
/data/data/cn.qcast.snowman/dex/qcast_sdk_core_server.dex	4399	cn.qcast.snowman:castlinkerservice
/data/data/cn.qcast.snowman/dex/qcast_sdk_core_server.dex	4399	cn.qcast.snowman:castlinkerservice
/data/data/cn.qcast.snowman/dex/qcast_sdk_core_server.dex	4518	cn.qcast.snowman:castlinkerservice
/data/data/cn.qcast.snowman/dex/qcast_sdk_core_server.dex	4518	cn.qcast.snowman:castlinkerservice
/data/data/cn.qcast.snowman/dex/qcast_sdk_core_server.dex	4518	cn.qcast.snowman:castlinkerservice
/data/data/cn.qcast.snowman/dex/qcast_sdk_core_server.dex	4518	cn.qcast.snowman:castlinkerservice

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org 1 IoCs

flow	ioc
12	alog.umeng.com

Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs

Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

discovery

System Network Connections Discovery

T1421

description	ioc	Process
Framework service call	android.net.wifi.IWifiManager.getConnectionInfo	cn.qcast.snowman:castlinkerservice

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	cn.qcast.snowman:castlinkerservice

cn.qcast.snowman
1⤵
PID:4226

cn.qcast.snowman:castlinkerservice
1⤵
- Loads dropped Dex/Jar
PID:4399

cn.qcast.snowman:sandboxed_process0
1⤵
PID:4433

cn.qcast.snowman:sandboxed_process1
1⤵
PID:4445

cn.qcast.snowman:castlinkerservice
1⤵
- Loads dropped Dex/Jar
- Queries information about the current Wi-Fi connection
- Registers a broadcast receiver at runtime (usually for listening for system events)
PID:4518

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

1

T1624

Broadcast Receivers

1

T1624.001

Privilege Escalation

Defense Evasion

Download New Code at Runtime

1

T1407

Credential Access

Discovery

Software Discovery

1

T1418

Security Software Discovery

1

T1418.001

System Network Connections Discovery

1

T1421

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/cn.qcast.snowman/app_content_shell/paks/content_shell.pak

Filesize
256KB

MD5
61f1d8c51b85db21799a1439fdc32179

SHA1
b466a366fe09bb474d27eece29aee1e025d3249c

SHA256
2dc90abd8b7a95e740202a1eb1a5ab4f84aa83a2b8175553297d75b08a0aca5a

SHA512
e749f3fccee3bcdf8ee4e93d073ed3f9888858913f146fc61ed9fb7a50b12980c5ba5e931d6134d2b8c2820637a9ae5f328c5235c86d1652154353433ac574e3

Download Submit
/data/data/cn.qcast.snowman/asset_res/blank.html

Filesize
20KB

MD5
8abe7714524b685dd33a26f2146a29f0

SHA1
fbb8c6166e6c9f8457947fb16a73d14005a50389

SHA256
a7c606f1d3bc7ee848bc9a4b25fed2063d07270659a09b1fd85281606849ce93

SHA512
4806d0b1a4e3f4dfe92f3a5e448185844e8dfaecdbcb4ec851cd61d6c851bed06671f67505967ef1e0d06fe0b7ed1b561df863e2ff2fab06d197c8c36004d0df

Download Submit
/data/data/cn.qcast.snowman/asset_res/my_app.html

Filesize
2KB

MD5
6ac16cf569886dbc8344e8ed665a43b8

SHA1
ff3fc8808806b83cabccbff52bb60bdfa2923b4b

SHA256
f93fa469afa7a0f5b671dedc7be7b52da8c0df3e8a1d90dc3620149741dd550d

SHA512
3c166fb237cfa195d32653be23fdc329c41a95b4f4b526ab90a0b82e4bb1129f0766f5431bbe68f8d55bc439f5378b099de2b2bb8ae5bc39f8cf3dc2299ac22f

Download Submit
/data/data/cn.qcast.snowman/databases/background_download_v2.db

Filesize
28KB

MD5
670d8bc46551c40a1fb9ff8ec4b72092

SHA1
82253b089122b4d8c7ae61dbbeabd9d037ddd49c

SHA256
ca2684e4da544d08c906c70f147d8dbc91da3a7972d255e6a00e1c99419f78e2

SHA512
4977d35230c533e26162cb0e4da38345a23a87ff41510685e755a52152fc78d0b027e8e8942fe10ae28fe332b16bb9a7ba0c0644ec0efd635d579515c3d5df67

Download Submit
/data/data/cn.qcast.snowman/databases/background_download_v2.db-journal

Filesize
512B

MD5
cd0a9cba8800f09f18b7a2f473176bdb

SHA1
6d11eaf681f1fe6955ab0a742a30f1eaf3e45a63

SHA256
3577db9a8842610ca978a08a6206e37e2ed288531bd4c9c2a481259818b0279d

SHA512
2ef89553a8e0beb4711e37dca08e370a6f67c5b57e696b10cfa0208adcf3c66c0d18cc647d73c86c634512b8dc8368612ef7bed198da9cc05407bcf53d3be63b

Download Submit
/data/data/cn.qcast.snowman/databases/background_download_v2.db-wal

Filesize
32KB

MD5
522d31f6bc9452ce917a9e315e215ea0

SHA1
c0e5c7624eff196c9174a22d738155188a6d7785

SHA256
3a670333fd55b7b72fe4a125b978ec2a4b77a04ab419a8f2d24b4229e12ad9d7

SHA512
7e933a72aa7c8f283100f535b231ce5edebc5c57fe2865a38b91133a50888142b00838ca12f208219dde71b01fd5c92d96213042d17337f0904a8a14528df0d8

Download Submit
/data/data/cn.qcast.snowman/databases/background_download_v2.db-wal

Filesize
12KB

MD5
be9a7db36ad0caeb5cfde8c5bec0659c

SHA1
fe58521de39e986b4a9e381823cc7df774b21ce2

SHA256
2d5eccf2a690c2be1d8b03e516fca7e4792ec096985639e123d0c20fb79e14ec

SHA512
e36071d580d434346085669b740809b8ef90de57334020a414e718801e627b7cc4c37ef3fc54b7fd01577e15318bb638df716b45ad425954783cb43459607041

Download Submit
/data/data/cn.qcast.snowman/dex/qcast_sdk_core_server.dex

Filesize
394KB

MD5
bd91fdb7782acc7e9f4727d8d97fe6fc

SHA1
bd01dc79a2f64c4d80e3710202c745b503a94cdc

SHA256
55da7214f348176a0deda2b58109089363196cf7780b665318dff8184168f448

SHA512
27d7ddcaa1820ec11522addb5948db502a33c4881ab960e59d4f96d3d553b3349cbae5bfa3a9d2430002be28526906e579be63eac86e1a731c4ef8f35f66b2e3

Download Submit

Analysis

Sharing