Analysis

  • max time kernel
    178s
  • max time network
    190s
  • platform
    android_x86
  • resource
    android-x86-arm-20240603-en
  • resource tags
    android, arch:arm, arch:x86, image:android-x86-arm-20240603-en, locale:en-us, os:android-9-x86, system
  • submitted
    05-06-2024 15:19

General

  • Target

    987b9a74ebb1c1c7c4a63d1783edd345_JaffaCakes118.apk

  • Size

    14.9MB

  • MD5

    987b9a74ebb1c1c7c4a63d1783edd345

  • SHA1

    0b54e19a109a8929d84c79257e81565813e1588f

  • SHA256

    fcd9e1fe740e58df6f733687ad6aef5e8ab8d8caab48717b1c8f018df4730765

  • SHA512

    f01f6ee85fe1222979aaebc6d023c54a38be79d1225487c0213d97275565b562dad252759ab075d15c560b248e494c0ea5f68bb3d757ed80873a21dd9fbafd2d

  • SSDEEP

    393216:4j2KJjKwmMnMs0XJH/kJZdV4YehgzyUNw8wzaZW88QeE:O2KJ+wmMMs0XJf4VneqOFza488TE

Malware Config

Signatures

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) (1 TTP)
  • Queries information about running processes on the device (1 TTP, 2 IoCs)

    Application may abuse the framework's APIs to collect information about running processes on the device.

  • Queries the phone number (MSISDN for GSM devices) (1 TTP)
  • Domain associated with commercial stalkerware software, includes indicators from echap.eu.org (1 IoC)
  • Queries information about active data network (1 TTP, 2 IoCs)
  • Queries information about the current Wi-Fi connection (1 TTP, 1 IoC)

    Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

  • Reads information about phone network operator (1 TTP)
  • Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTP, 1 IoC)
  • Uses Crypto APIs (Might try to encrypt user data) (1 TTP, 1 IoC)
  • Checks CPU information (2 TTPs, 1 IoC)

Processes

  • com.wufan.test20183063884216
    1⤵
    • Queries information about running processes on the device
    • Queries information about active data network
    • Queries information about the current Wi-Fi connection
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Uses Crypto APIs (Might try to encrypt user data)
    • Checks CPU information
    PID:4291
    • cat /sys/class/net/wlan0/address
      2⤵
      PID:4428
    • cat /sys/class/net/wlan0/address
      2⤵
      PID:4469
    • cat /sys/class/net/wlan0/address
      2⤵
      PID:4494
    • cat /sys/class/net/wlan0/address
      2⤵
      PID:4550
    • cat /sys/class/net/wlan0/address
      2⤵
      PID:4569
    • cat /sys/class/net/wlan0/address
      2⤵
      PID:4591
    • cat /sys/class/net/wlan0/address
      2⤵
      PID:4606
    • cat /sys/class/net/wlan0/address
      2⤵
      PID:4631
  • com.wufan.test20183063884216:lebian.base
    1⤵
    • Queries information about running processes on the device
    • Queries information about active data network
    PID:4321

Network

MITRE ATT&CK Mobile v15

Downloads

  • /data/data/com.wufan.test20183063884216/databases/ThrowalbeLog.db (Filesize 4KB)
  • /data/data/com.wufan.test20183063884216/databases/ThrowalbeLog.db-journal (Filesize 512B)
  • /data/data/com.wufan.test20183063884216/databases/ThrowalbeLog.db-wal (Filesize 112KB)
  • /data/data/com.wufan.test20183063884216/databases/mgdb (Filesize 260KB)
  • /data/data/com.wufan.test20183063884216/databases/mgdb-journal (Filesize 512B)
  • /data/data/com.wufan.test20183063884216/databases/mgdb-wal (Filesize 402KB)
  • /data/data/com.wufan.test20183063884216/databases/papa_stat.db (Filesize 28KB)
  • /data/data/com.wufan.test20183063884216/databases/papa_stat.db-journal (Filesize 512B)
  • /data/data/com.wufan.test20183063884216/databases/papa_stat.db-shm (Filesize 32KB)
  • /data/data/com.wufan.test20183063884216/databases/papa_stat.db-wal (Filesize 406KB)
  • /data/data/com.wufan.test20183063884216/files/.um/um_cache_1717600877110.env (Filesize 675B)
  • /data/data/com.wufan.test20183063884216/files/Mob/mob_commons_1 (Filesize 2B)
  • /data/data/com.wufan.test20183063884216/files/Mob/share_sdk_1 (Filesize 40B)
  • /data/data/com.wufan.test20183063884216/files/Mob/share_sdk_1 (Filesize 64B)
  • /data/data/com.wufan.test20183063884216/files/umeng_it.cache (Filesize 310B)
  • /storage/emulated/0/.papakey (Filesize 36B)
  • /storage/emulated/0/Android/obb/com.wufan.test20183063884216/sdkinfo.txt (Filesize 6B)
  • /storage/emulated/0/Mob/.iew (Filesize 64B)
  • /storage/emulated/0/Mob/.slw (Filesize 66B)
  • /storage/emulated/0/Mob/com.wufan.test20183063884216/cache/comm/.mps (Filesize 26B)
  • /storage/emulated/0/Mob/comm/.di (Filesize 57B)
  • /storage/emulated/0/Mob/comm/dbs/.duid (Filesize 613B)
  • /storage/emulated/0/aray/cache/devices/.DEVICES (Filesize 32B)