Analysis

  • max time kernel
    178s
  • max time network
    182s
  • platform
    android_x64
  • resource
    android-x64-20240603-en
  • resource tags

    android, arch:x64, arch:x86, image:android-x64-20240603-en, locale:en-us, os:android-10-x64, system
  • submitted
    06-06-2024 01:33

General

  • Target

    99b7db88471aaf69942819f40f9a4f38_JaffaCakes118.apk

  • Size

    1.3MB

  • MD5

    99b7db88471aaf69942819f40f9a4f38

  • SHA1

    6dd2ade3896b0ce715efcb0348de03398a0a3b81

  • SHA256

    a65ce10c3d8db06c2e451c837766ed2c8e517e4b953e940aca5c2e6d1d3faf88

  • SHA512

    b84304a072ac842c32064277c63a2dee8250ac0340fd50f0d0860e36e6ebe01242f67aec21cb54dfd0413c838191677a09abe7458ca71b073c10885879f90cee

  • SSDEEP

    24576:oncEoL0otaYtXMfSprkM4FqD5Bl0ZHqU+IjXo+B4jtgnq/13tdHbZKm51Ob838:jQ7YthrkruBl0ZHtjrCjtgnq/1XHNKmU

Malware Config

Signatures

  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Queries account information for other applications stored on the device 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect account information stored on the device.

  • Queries information about running processes on the device 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about running processes on the device.

  • Domain associated with commercial stalkerware software, includes indicators from echap.eu.org 1 IoCs
  • Queries information about active data network 1 TTPs 1 IoCs
  • Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

  • Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
  • Reads information about phone network operator 1 TTPs
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
  • Checks CPU information 2 TTPs 1 IoCs

Processes

  • com.dwob.qwlv.wigm
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Queries account information for other applications stored on the device
    • Queries information about running processes on the device
    • Queries information about active data network
    • Queries information about the current Wi-Fi connection
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Checks CPU information
    PID:4972
  • com.dwob.qwlv.wigm:daemon
    • Loads dropped Dex/Jar
    PID:5042

Network

MITRE ATT&CK Matrix


Downloads

  • /data/data/com.dwob.qwlv.wigm/app_mjf/ddz.jar
    Filesize

    105KB

    MD5

    23ba0b249042b7ba33e92c0199b0ea4a

    SHA1

    99b13ee9f7307316c2337953fceed87e9942b794

    SHA256

    1ed0751a141b17c80a921f5e8ba90c66a56b8e73156f5cbe133b57d550ca4ef2

    SHA512

    0cc88e2b7c2ffa4db274d690e3bf12098ec804b9fcd9e92b57d2fa0c4161031d2e84c91d86ba8e2b6e8b4837852defa099333f76bcd454c67b31632d0cdd4861

  • /data/data/com.dwob.qwlv.wigm/app_mjf/oat/dz.jar.cur.prof
    Filesize

    728B

    MD5

    a87dc1222e6546c25bd22b812f178fe6

    SHA1

    a7ff038b70956810393286e7548b0520db8b0fec

    SHA256

    6c57fb585b9619a0b77b41356f48ffe452d24bc8824eb273facb7952e208997f

    SHA512

    4fd4fc5fb5cad953ac9e1240526c3ad3f864d197b08bf98713b70992ba1d5def64aa3d104786fd16828cb5e064cd931893c11189b4f8d82bc701d01a62bb4d1d

  • /data/data/com.dwob.qwlv.wigm/app_mjf/tdz.jar
    Filesize

    105KB

    MD5

    293ea5f01e27975bed5179ba79d80eac

    SHA1

    c5b0806a537fd1cb753e11f1a9684933317716b8

    SHA256

    8d86de68978e859c8262c0d0e932d3a1d57457b57ce88940620befab1bcead5b

    SHA512

    c7cd2881367fdf95ec4151449b359decdae1adf136388edbaaa9880c7ebd14fb3579e7a15600a856988c55d207f7ba1fd7d938f4d9168aba8a7ff1c3029d6b53

  • /data/data/com.dwob.qwlv.wigm/databases/lezzd
    Filesize

    28KB

    MD5

    dae68dcffc3d522a79f98ebbc3b6d457

    SHA1

    6df5dce9a50f12044a2d20b8d1742ae47b82ee03

    SHA256

    56cf91ca198812e0ef9ba4af0e96c08a32e24c917bcf2250bdebdfd7fd6f5286

    SHA512

    23b76f988399e9c9e4f5a7e8d19ecb765abdb115b0beee35f8ca9d221bbc5ee79f0152fac4261cc91eb9e7f874b5c6e9bff2dbb1812d31412d506cf83c16adcd

  • /data/data/com.dwob.qwlv.wigm/databases/lezzd-journal
    Filesize

    8KB

    MD5

    6c4e9273d6ea46726066d4e1076f9c17

    SHA1

    6753b722b4f0cdf45201b4a5d32b41641c00391f

    SHA256

    b924f6a57e437f1d5e2c1f8ea77d408caff697b3a7a6f31a3a387b824b41d5dd

    SHA512

    69bd1d61c0f54de2b7fcfa16c2cd8995bc022df4e2ff80d92a9bc9f6869e65edf6f8ec0b0ccae61c89a2a7f368c5543402264052ddb5fac1587ebeffcbc94510

  • /data/data/com.dwob.qwlv.wigm/databases/lezzd-journal
    Filesize

    512B

    MD5

    fbb9848e0f701366af35a2b19e527eb5

    SHA1

    a54e0f31932432f77db542261c61804e48e5811f

    SHA256

    1c181bd7a73e56fac387a60050fc433dd41e5a44e840c622df3c27e4732b171f

    SHA512

    81e505bf0f806c564a96f444e949197f2a865d22f3566cd74825469c812cab66a46daeee1aa7fcc03343e957914d091cba38bea48778b5bf3e7648ed54719df0

  • /data/data/com.dwob.qwlv.wigm/databases/lezzd-journal
    Filesize

    8KB

    MD5

    be1ba59983bd9d919765a8385fb75ee5

    SHA1

    2e8ced0174b526fb7820e206c8973f1a38f3fe67

    SHA256

    9af9772e28f026a1f0f8e8916cda232c5663052e00544f2957fe78013b650c57

    SHA512

    732bf88a22c1384f3eac55096b83cd70d590dbd0b9d8127869e97ea4a7c59e0822187d67dd4a9497cb5bb9200e821e31289bf9cded95d1fc5a44a4e24a674559

  • /data/data/com.dwob.qwlv.wigm/databases/lezzd-journal
    Filesize

    4KB

    MD5

    bf90759baef450eb2da94e21c02a0af5

    SHA1

    a8744d9ce623c1a3c97dcc199f9475e3fdf8078d

    SHA256

    a8b6100c1048dfc018946eb1957dacb3095d3ae51a353589f7fa8c4bb698ff6a

    SHA512

    8cc6bcf96fa0e1aea635d41852e5e63295077ed3020919eddd6e798734d2bc855ce7482db6ca31f53c8dd8c1c80e2c1e2a55b4c656c7dc42e06960d58cf9621e

  • /data/data/com.dwob.qwlv.wigm/databases/lezzd-journal
    Filesize

    8KB

    MD5

    3541c059326f067e773f0fe070d7e9a4

    SHA1

    c4c0603749e0cc91e7a1434a8bdc13b7650f2814

    SHA256

    ccd948104a6e8547ba7df06265329870d5b1183e1e691de9ed639fcfe74f485d

    SHA512

    1bb730e7cc03287d16d31cb6b95ede05c926782869a62322b83fd7eb6a8e4de1ed0089eb90bf063c86586f761af11674a398db6da11aa61ec2efaf1291faa002

  • /data/data/com.dwob.qwlv.wigm/databases/lezzd-journal
    Filesize

    8KB

    MD5

    f1b9edb01d635d7102585d7f90affa26

    SHA1

    1f8be84e1e5efac8c0eeb5b168a0925c46cc4a2b

    SHA256

    dd3bce054a0a00c1007970540ca36de607a400368e5962df0a5348c031d7a798

    SHA512

    e36d9147c051d83c12d1fdec213e9c02b21c8ec49a805fc57a9ac9fd8fac82510a94aa0a63dc2894cd5e0c70a0cf5b4a10f4f0b260dc65d8ad7ccf693670706c

  • /data/data/com.dwob.qwlv.wigm/files/.imprint
    Filesize

    945B

    MD5

    110db57693fc688a6853ae1c0d743d8f

    SHA1

    b57f77c43e069303343770089d060ff6090391d1

    SHA256

    9d81fece09d532a5180cac2b67bbcebcfbdbb50a2d61fc37a5845bdc6eca831b

    SHA512

    7aed59ebba0c965794e927f1194aac5e40cee9d28913234db5ea77551c828160d97cfb4f56e151aaa0b642a0f154a2baa582a7111d428d25dc12960ff97436e4

  • /data/data/com.dwob.qwlv.wigm/files/.um/um_cache_1717637768467.env
    Filesize

    1KB

    MD5

    629d37ec51e101b6b4e232c2fa87ce6b

    SHA1

    249bef2540414392bb886b8ef9a42364d256cc45

    SHA256

    6d8b2745a762b6f5d244342fded42db93e33ae1f7ae25c4e84e9ff4e496862b4

    SHA512

    8387b1cd85b1b88cf19c0f625e95d9d8cde4c8bf0a9d4f92b6e8e960c2900b45b659d1a49e14f0a78964a19301934f957c7f4f5d1f4a39162529b2ee77fec867

  • /data/data/com.dwob.qwlv.wigm/files/.umeng/exchangeIdentity.json
    Filesize

    162B

    MD5

    5f64feeebc851c83668283f8232329bd

    SHA1

    777f53452f7e976ff060c418a63d49c158e9cc88

    SHA256

    14f2245c43109b034e47cc584a98ce9a05ee8b17edde8947bf6fe79a894dc288

    SHA512

    c36d443663b70d9e5e891f29bfb76651d092e486f5a882f8e48a8dd377effedea07c86745c7ebdf222c55c19a3c6322f598f2124500a76ee62ab14e2ad02e372

  • /data/data/com.dwob.qwlv.wigm/files/.umeng/exchangeIdentity.json
    Filesize

    204B

    MD5

    11714c60af36f3c6b5e1e2d2df387ace

    SHA1

    3eedef4496c1cc3e130f9f7358e444f7141e3b22

    SHA256

    82e16be2b80eea68dad37b89834e278c9285e7d010df699ad694b2c29ae9ba2b

    SHA512

    191471f53e41d676f6fc4454c82f3b4ac96b18a2536455e76a61a6ca3b137aa888ad8b6d3e62cf1ac9abf8ff68cc69814bb813d45295a2b45c9a3fbb5af09034

  • /data/data/com.dwob.qwlv.wigm/files/umeng_it.cache
    Filesize

    352B

    MD5

    4e3a801aaedaadb1f46e3dd358f5cf2e

    SHA1

    69f9c0918f1fb54e2a8c08a0583451bbe74b5fff

    SHA256

    906498ba4a292399dc6a58d721b18eabceb9975dbf842cbfeb71d576d9fc11b9

    SHA512

    e107ab48f5a41e19383cf5c2f6117e5bd587521cc6803f31fe54ca627f78a818b6c671e8bf91befbd885f7c00009d27872316e61a41cfa2a982a42625f70a3ae

  • /data/data/com.dwob.qwlv.wigm/files/umeng_it.cache
    Filesize

    179B

    MD5

    ae91f7517960c1302c8dee3b6b669095

    SHA1

    2918eee284fd8781b74465ecefc2001b997d673d

    SHA256

    550f8928bc1dd3e190c5fd2bb7157142886175e935e4a44e25d65d7d768e9868

    SHA512

    bcdfb36c10ec3596dffed552eaa2c8abd19073f3cc04de740ebbd5584fbe1607b9ec5353b1f9bc733851129f77072cc4f07781ccb5bfe24f4e3593dd5c374bd3

  • /data/user/0/com.dwob.qwlv.wigm/app_mjf/dz.jar
    Filesize

    248KB

    MD5

    a54a18b58c6720991c021f433dfb2a46

    SHA1

    d2ffa07919f92b6e04914e39843f08fdb2a75b68

    SHA256

    3dd88e4418bd4271af728fc6436c873a55e6b6f5c8ed241ee2cb0ee24fe3f7f3

    SHA512

    e4a51b2462b247b1e5fbd947d06a2eba334f18398daadacbabcb4185f4255f05c22d656a8837a6088ffbdcaedfbdfbd8281c5dad4880c4e5021571e3fefc88cc