fa9e9ae2d63bbb55c4f2560d3dd55b9754501b40a8a88d468edcfa22951cb756

Analysis

max time kernel
174s
max time network
131s
platform
android_x86
resource
android-x86-arm-20240611-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20240611-enlocale:en-usos:android-9-x86system
submitted
11-06-2024 19:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9f44a11b57bb3ff5e1b10272952b6a88_JaffaCakes118.apk
Size

5.3MB
MD5

9f44a11b57bb3ff5e1b10272952b6a88
SHA1

16bdd6613c0ade912f8e70d3a045e3a02b40a98a
SHA256

fa9e9ae2d63bbb55c4f2560d3dd55b9754501b40a8a88d468edcfa22951cb756
SHA512

6cd24dab229026fbcc87a20b9af0152ebe4f38e2b441bbac45be250e3e326ce435b55f50f688eed090b278e7cae71999893875007c0dfd7c636b4a538f2f7d21
SSDEEP

98304:vI4vdkb+0tvsLmXAjy5xRKySO+Da5dlOF3gkks3QwUI8hVuK72hzf7mp:Z1kbZvKmf5yzOC3gkPoruK72VM

Score

7^/10

discovery evasion impact persistence

Malware Config

Signatures

Loads dropped Dex/Jar 1 TTPs 29 IoCs

Runs executable file dropped to the device during analysis.

evasion

T1407

Processes:

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.daye.beauty.activity/app_push_lib/plugin-deploy.jar --output-vdex-fd=106 --oat-fd=115 --oat-location=/data/user/0/com.daye.beauty.activity/app_push_lib/oat/x86/plugin-deploy.odex --compiler-filter=quicken --class-loader-context=&com.daye.beauty.activitycom.daye.beauty.activity:bdservice_v1com.daye.beauty.activity:bdservice_v1com.daye.beauty.activity:bdservice_v1com.daye.beauty.activity:bdservice_v1com.daye.beauty.activity:bdservice_v1com.daye.beauty.activity:bdservice_v1com.daye.beauty.activity:bdservice_v1com.daye.beauty.activity:bdservice_v1com.daye.beauty.activity:bdservice_v1com.daye.beauty.activity:bdservice_v1com.daye.beauty.activity:bdservice_v1com.daye.beauty.activity:bdservice_v1com.daye.beauty.activity:bdservice_v1com.daye.beauty.activity:bdservice_v1com.daye.beauty.activity:bdservice_v1com.daye.beauty.activity:bdservice_v1com.daye.beauty.activity:bdservice_v1com.daye.beauty.activity:bdservice_v1com.daye.beauty.activity:bdservice_v1com.daye.beauty.activity:bdservice_v1com.daye.beauty.activity:bdservice_v1com.daye.beauty.activity:bdservice_v1com.daye.beauty.activity:bdservice_v1com.daye.beauty.activity:bdservice_v1com.daye.beauty.activity:bdservice_v1com.daye.beauty.activity:bdservice_v1com.daye.beauty.activity:bdservice_v1

ioc	pid	process
/data/user/0/com.daye.beauty.activity/app_push_lib/plugin-deploy.jar	4379	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.daye.beauty.activity/app_push_lib/plugin-deploy.jar --output-vdex-fd=106 --oat-fd=115 --oat-location=/data/user/0/com.daye.beauty.activity/app_push_lib/oat/x86/plugin-deploy.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/com.daye.beauty.activity/app_push_lib/plugin-deploy.jar	4248	com.daye.beauty.activity
/data/user/0/com.daye.beauty.activity/app_push_lib/plugin-deploy.jar	4430	com.daye.beauty.activity:bdservice_v1
/data/user/0/com.daye.beauty.activity/app_push_lib/plugin-deploy.jar	4515	com.daye.beauty.activity:bdservice_v1
/data/user/0/com.daye.beauty.activity/app_push_lib/plugin-deploy.jar	4554	com.daye.beauty.activity:bdservice_v1
/data/user/0/com.daye.beauty.activity/app_push_lib/plugin-deploy.jar	4586	com.daye.beauty.activity:bdservice_v1
/data/user/0/com.daye.beauty.activity/app_push_lib/plugin-deploy.jar	4619	com.daye.beauty.activity:bdservice_v1
/data/user/0/com.daye.beauty.activity/app_push_lib/plugin-deploy.jar	4655	com.daye.beauty.activity:bdservice_v1
/data/user/0/com.daye.beauty.activity/app_push_lib/plugin-deploy.jar	4695	com.daye.beauty.activity:bdservice_v1
/data/user/0/com.daye.beauty.activity/app_push_lib/plugin-deploy.jar	4739	com.daye.beauty.activity:bdservice_v1
/data/user/0/com.daye.beauty.activity/app_push_lib/plugin-deploy.jar	4783	com.daye.beauty.activity:bdservice_v1
/data/user/0/com.daye.beauty.activity/app_push_lib/plugin-deploy.jar	4816	com.daye.beauty.activity:bdservice_v1
/data/user/0/com.daye.beauty.activity/app_push_lib/plugin-deploy.jar	4850	com.daye.beauty.activity:bdservice_v1
/data/user/0/com.daye.beauty.activity/app_push_lib/plugin-deploy.jar	4888	com.daye.beauty.activity:bdservice_v1
/data/user/0/com.daye.beauty.activity/app_push_lib/plugin-deploy.jar	4920	com.daye.beauty.activity:bdservice_v1
/data/user/0/com.daye.beauty.activity/app_push_lib/plugin-deploy.jar	4954	com.daye.beauty.activity:bdservice_v1
/data/user/0/com.daye.beauty.activity/app_push_lib/plugin-deploy.jar	4986	com.daye.beauty.activity:bdservice_v1
/data/user/0/com.daye.beauty.activity/app_push_lib/plugin-deploy.jar	5025	com.daye.beauty.activity:bdservice_v1
/data/user/0/com.daye.beauty.activity/app_push_lib/plugin-deploy.jar	5061	com.daye.beauty.activity:bdservice_v1
/data/user/0/com.daye.beauty.activity/app_push_lib/plugin-deploy.jar	5093	com.daye.beauty.activity:bdservice_v1
/data/user/0/com.daye.beauty.activity/app_push_lib/plugin-deploy.jar	5127	com.daye.beauty.activity:bdservice_v1
/data/user/0/com.daye.beauty.activity/app_push_lib/plugin-deploy.jar	5161	com.daye.beauty.activity:bdservice_v1
/data/user/0/com.daye.beauty.activity/app_push_lib/plugin-deploy.jar	5194	com.daye.beauty.activity:bdservice_v1
/data/user/0/com.daye.beauty.activity/app_push_lib/plugin-deploy.jar	5232	com.daye.beauty.activity:bdservice_v1
/data/user/0/com.daye.beauty.activity/app_push_lib/plugin-deploy.jar	5266	com.daye.beauty.activity:bdservice_v1
/data/user/0/com.daye.beauty.activity/app_push_lib/plugin-deploy.jar	5298	com.daye.beauty.activity:bdservice_v1
/data/user/0/com.daye.beauty.activity/app_push_lib/plugin-deploy.jar	5334	com.daye.beauty.activity:bdservice_v1
/data/user/0/com.daye.beauty.activity/app_push_lib/plugin-deploy.jar	5366	com.daye.beauty.activity:bdservice_v1
/data/user/0/com.daye.beauty.activity/app_push_lib/plugin-deploy.jar	5400	com.daye.beauty.activity:bdservice_v1

Queries information about running processes on the device 1 TTPs 28 IoCs

Application may abuse the framework's APIs to collect information about running processes on the device.

discovery

T1424

Processes:

com.daye.beauty.activity:bdservice_v1com.daye.beauty.activity:bdservice_v1com.daye.beauty.activity:bdservice_v1com.daye.beauty.activitycom.daye.beauty.activity:bdservice_v1com.daye.beauty.activity:bdservice_v1com.daye.beauty.activity:bdservice_v1com.daye.beauty.activity:bdservice_v1com.daye.beauty.activity:bdservice_v1com.daye.beauty.activity:bdservice_v1com.daye.beauty.activity:bdservice_v1com.daye.beauty.activity:bdservice_v1com.daye.beauty.activity:bdservice_v1com.daye.beauty.activity:bdservice_v1com.daye.beauty.activity:bdservice_v1com.daye.beauty.activity:bdservice_v1com.daye.beauty.activity:bdservice_v1com.daye.beauty.activity:bdservice_v1com.daye.beauty.activity:bdservice_v1com.daye.beauty.activity:bdservice_v1com.daye.beauty.activity:bdservice_v1com.daye.beauty.activity:bdservice_v1com.daye.beauty.activity:bdservice_v1com.daye.beauty.activity:bdservice_v1com.daye.beauty.activity:bdservice_v1com.daye.beauty.activity:bdservice_v1com.daye.beauty.activity:bdservice_v1com.daye.beauty.activity:bdservice_v1

description	ioc	process
Framework service call	android.app.IActivityManager.getRunningAppProcesses	com.daye.beauty.activity:bdservice_v1
Framework service call	android.app.IActivityManager.getRunningAppProcesses	com.daye.beauty.activity:bdservice_v1
Framework service call	android.app.IActivityManager.getRunningAppProcesses	com.daye.beauty.activity:bdservice_v1
Framework service call	android.app.IActivityManager.getRunningAppProcesses	com.daye.beauty.activity
Framework service call	android.app.IActivityManager.getRunningAppProcesses	com.daye.beauty.activity:bdservice_v1
Framework service call	android.app.IActivityManager.getRunningAppProcesses	com.daye.beauty.activity:bdservice_v1
Framework service call	android.app.IActivityManager.getRunningAppProcesses	com.daye.beauty.activity:bdservice_v1
Framework service call	android.app.IActivityManager.getRunningAppProcesses	com.daye.beauty.activity:bdservice_v1
Framework service call	android.app.IActivityManager.getRunningAppProcesses	com.daye.beauty.activity:bdservice_v1
Framework service call	android.app.IActivityManager.getRunningAppProcesses	com.daye.beauty.activity:bdservice_v1
Framework service call	android.app.IActivityManager.getRunningAppProcesses	com.daye.beauty.activity:bdservice_v1
Framework service call	android.app.IActivityManager.getRunningAppProcesses	com.daye.beauty.activity:bdservice_v1
Framework service call	android.app.IActivityManager.getRunningAppProcesses	com.daye.beauty.activity:bdservice_v1
Framework service call	android.app.IActivityManager.getRunningAppProcesses	com.daye.beauty.activity:bdservice_v1
Framework service call	android.app.IActivityManager.getRunningAppProcesses	com.daye.beauty.activity:bdservice_v1
Framework service call	android.app.IActivityManager.getRunningAppProcesses	com.daye.beauty.activity:bdservice_v1
Framework service call	android.app.IActivityManager.getRunningAppProcesses	com.daye.beauty.activity:bdservice_v1
Framework service call	android.app.IActivityManager.getRunningAppProcesses	com.daye.beauty.activity:bdservice_v1
Framework service call	android.app.IActivityManager.getRunningAppProcesses	com.daye.beauty.activity:bdservice_v1
Framework service call	android.app.IActivityManager.getRunningAppProcesses	com.daye.beauty.activity:bdservice_v1
Framework service call	android.app.IActivityManager.getRunningAppProcesses	com.daye.beauty.activity:bdservice_v1
Framework service call	android.app.IActivityManager.getRunningAppProcesses	com.daye.beauty.activity:bdservice_v1
Framework service call	android.app.IActivityManager.getRunningAppProcesses	com.daye.beauty.activity:bdservice_v1
Framework service call	android.app.IActivityManager.getRunningAppProcesses	com.daye.beauty.activity:bdservice_v1
Framework service call	android.app.IActivityManager.getRunningAppProcesses	com.daye.beauty.activity:bdservice_v1
Framework service call	android.app.IActivityManager.getRunningAppProcesses	com.daye.beauty.activity:bdservice_v1
Framework service call	android.app.IActivityManager.getRunningAppProcesses	com.daye.beauty.activity:bdservice_v1
Framework service call	android.app.IActivityManager.getRunningAppProcesses	com.daye.beauty.activity:bdservice_v1

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org 1 IoCs

Processes:

flow ioc

24 alog.umeng.com

flow	ioc
24	alog.umeng.com

Queries information about active data network 1 TTPs 28 IoCs

discovery

T1421

Processes:

com.daye.beauty.activity:bdservice_v1com.daye.beauty.activity:bdservice_v1com.daye.beauty.activity:bdservice_v1com.daye.beauty.activity:bdservice_v1com.daye.beauty.activity:bdservice_v1com.daye.beauty.activity:bdservice_v1com.daye.beauty.activity:bdservice_v1com.daye.beauty.activity:bdservice_v1com.daye.beauty.activity:bdservice_v1com.daye.beauty.activity:bdservice_v1com.daye.beauty.activity:bdservice_v1com.daye.beauty.activity:bdservice_v1com.daye.beauty.activity:bdservice_v1com.daye.beauty.activity:bdservice_v1com.daye.beauty.activity:bdservice_v1com.daye.beauty.activity:bdservice_v1com.daye.beauty.activity:bdservice_v1com.daye.beauty.activity:bdservice_v1com.daye.beauty.activity:bdservice_v1com.daye.beauty.activity:bdservice_v1com.daye.beauty.activitycom.daye.beauty.activity:bdservice_v1com.daye.beauty.activity:bdservice_v1com.daye.beauty.activity:bdservice_v1com.daye.beauty.activity:bdservice_v1com.daye.beauty.activity:bdservice_v1com.daye.beauty.activity:bdservice_v1com.daye.beauty.activity:bdservice_v1

description	ioc	process
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.daye.beauty.activity:bdservice_v1
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.daye.beauty.activity:bdservice_v1
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.daye.beauty.activity:bdservice_v1
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.daye.beauty.activity:bdservice_v1
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.daye.beauty.activity:bdservice_v1
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.daye.beauty.activity:bdservice_v1
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.daye.beauty.activity:bdservice_v1
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.daye.beauty.activity:bdservice_v1
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.daye.beauty.activity:bdservice_v1
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.daye.beauty.activity:bdservice_v1
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.daye.beauty.activity:bdservice_v1
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.daye.beauty.activity:bdservice_v1
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.daye.beauty.activity:bdservice_v1
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.daye.beauty.activity:bdservice_v1
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.daye.beauty.activity:bdservice_v1
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.daye.beauty.activity:bdservice_v1
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.daye.beauty.activity:bdservice_v1
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.daye.beauty.activity:bdservice_v1
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.daye.beauty.activity:bdservice_v1
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.daye.beauty.activity:bdservice_v1
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.daye.beauty.activity
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.daye.beauty.activity:bdservice_v1
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.daye.beauty.activity:bdservice_v1
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.daye.beauty.activity:bdservice_v1
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.daye.beauty.activity:bdservice_v1
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.daye.beauty.activity:bdservice_v1
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.daye.beauty.activity:bdservice_v1
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.daye.beauty.activity:bdservice_v1

Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
discovery

T1421

Processes:

com.daye.beauty.activity

description ioc process

Framework service call android.net.wifi.IWifiManager.getConnectionInfo com.daye.beauty.activity
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
discovery

T1422

Processes:

com.daye.beauty.activity

description ioc process

Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone com.daye.beauty.activity

description	ioc	process
Framework service call	android.net.wifi.IWifiManager.getConnectionInfo	com.daye.beauty.activity

description	ioc	process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.daye.beauty.activity

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 28 IoCs

persistence

T1624.001

Processes:

com.daye.beauty.activity:bdservice_v1com.daye.beauty.activity:bdservice_v1com.daye.beauty.activity:bdservice_v1com.daye.beauty.activity:bdservice_v1com.daye.beauty.activity:bdservice_v1com.daye.beauty.activity:bdservice_v1com.daye.beauty.activity:bdservice_v1com.daye.beauty.activity:bdservice_v1com.daye.beauty.activity:bdservice_v1com.daye.beauty.activity:bdservice_v1com.daye.beauty.activity:bdservice_v1com.daye.beauty.activity:bdservice_v1com.daye.beauty.activity:bdservice_v1com.daye.beauty.activity:bdservice_v1com.daye.beauty.activity:bdservice_v1com.daye.beauty.activity:bdservice_v1com.daye.beauty.activity:bdservice_v1com.daye.beauty.activity:bdservice_v1com.daye.beauty.activity:bdservice_v1com.daye.beauty.activitycom.daye.beauty.activity:bdservice_v1com.daye.beauty.activity:bdservice_v1com.daye.beauty.activity:bdservice_v1com.daye.beauty.activity:bdservice_v1com.daye.beauty.activity:bdservice_v1com.daye.beauty.activity:bdservice_v1com.daye.beauty.activity:bdservice_v1com.daye.beauty.activity:bdservice_v1

description	ioc	process
Framework service call	android.app.IActivityManager.registerReceiver	com.daye.beauty.activity:bdservice_v1
Framework service call	android.app.IActivityManager.registerReceiver	com.daye.beauty.activity:bdservice_v1
Framework service call	android.app.IActivityManager.registerReceiver	com.daye.beauty.activity:bdservice_v1
Framework service call	android.app.IActivityManager.registerReceiver	com.daye.beauty.activity:bdservice_v1
Framework service call	android.app.IActivityManager.registerReceiver	com.daye.beauty.activity:bdservice_v1
Framework service call	android.app.IActivityManager.registerReceiver	com.daye.beauty.activity:bdservice_v1
Framework service call	android.app.IActivityManager.registerReceiver	com.daye.beauty.activity:bdservice_v1
Framework service call	android.app.IActivityManager.registerReceiver	com.daye.beauty.activity:bdservice_v1
Framework service call	android.app.IActivityManager.registerReceiver	com.daye.beauty.activity:bdservice_v1
Framework service call	android.app.IActivityManager.registerReceiver	com.daye.beauty.activity:bdservice_v1
Framework service call	android.app.IActivityManager.registerReceiver	com.daye.beauty.activity:bdservice_v1
Framework service call	android.app.IActivityManager.registerReceiver	com.daye.beauty.activity:bdservice_v1
Framework service call	android.app.IActivityManager.registerReceiver	com.daye.beauty.activity:bdservice_v1
Framework service call	android.app.IActivityManager.registerReceiver	com.daye.beauty.activity:bdservice_v1
Framework service call	android.app.IActivityManager.registerReceiver	com.daye.beauty.activity:bdservice_v1
Framework service call	android.app.IActivityManager.registerReceiver	com.daye.beauty.activity:bdservice_v1
Framework service call	android.app.IActivityManager.registerReceiver	com.daye.beauty.activity:bdservice_v1
Framework service call	android.app.IActivityManager.registerReceiver	com.daye.beauty.activity:bdservice_v1
Framework service call	android.app.IActivityManager.registerReceiver	com.daye.beauty.activity:bdservice_v1
Framework service call	android.app.IActivityManager.registerReceiver	com.daye.beauty.activity
Framework service call	android.app.IActivityManager.registerReceiver	com.daye.beauty.activity:bdservice_v1
Framework service call	android.app.IActivityManager.registerReceiver	com.daye.beauty.activity:bdservice_v1
Framework service call	android.app.IActivityManager.registerReceiver	com.daye.beauty.activity:bdservice_v1
Framework service call	android.app.IActivityManager.registerReceiver	com.daye.beauty.activity:bdservice_v1
Framework service call	android.app.IActivityManager.registerReceiver	com.daye.beauty.activity:bdservice_v1
Framework service call	android.app.IActivityManager.registerReceiver	com.daye.beauty.activity:bdservice_v1
Framework service call	android.app.IActivityManager.registerReceiver	com.daye.beauty.activity:bdservice_v1
Framework service call	android.app.IActivityManager.registerReceiver	com.daye.beauty.activity:bdservice_v1

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 28 IoCs

impact

T1471

Processes:

com.daye.beauty.activity:bdservice_v1com.daye.beauty.activity:bdservice_v1com.daye.beauty.activity:bdservice_v1com.daye.beauty.activity:bdservice_v1com.daye.beauty.activity:bdservice_v1com.daye.beauty.activity:bdservice_v1com.daye.beauty.activity:bdservice_v1com.daye.beauty.activity:bdservice_v1com.daye.beauty.activity:bdservice_v1com.daye.beauty.activity:bdservice_v1com.daye.beauty.activitycom.daye.beauty.activity:bdservice_v1com.daye.beauty.activity:bdservice_v1com.daye.beauty.activity:bdservice_v1com.daye.beauty.activity:bdservice_v1com.daye.beauty.activity:bdservice_v1com.daye.beauty.activity:bdservice_v1com.daye.beauty.activity:bdservice_v1com.daye.beauty.activity:bdservice_v1com.daye.beauty.activity:bdservice_v1com.daye.beauty.activity:bdservice_v1com.daye.beauty.activity:bdservice_v1com.daye.beauty.activity:bdservice_v1com.daye.beauty.activity:bdservice_v1com.daye.beauty.activity:bdservice_v1com.daye.beauty.activity:bdservice_v1com.daye.beauty.activity:bdservice_v1com.daye.beauty.activity:bdservice_v1

description	ioc	process
Framework API call	javax.crypto.Cipher.doFinal	com.daye.beauty.activity:bdservice_v1
Framework API call	javax.crypto.Cipher.doFinal	com.daye.beauty.activity:bdservice_v1
Framework API call	javax.crypto.Cipher.doFinal	com.daye.beauty.activity:bdservice_v1
Framework API call	javax.crypto.Cipher.doFinal	com.daye.beauty.activity:bdservice_v1
Framework API call	javax.crypto.Cipher.doFinal	com.daye.beauty.activity:bdservice_v1
Framework API call	javax.crypto.Cipher.doFinal	com.daye.beauty.activity:bdservice_v1
Framework API call	javax.crypto.Cipher.doFinal	com.daye.beauty.activity:bdservice_v1
Framework API call	javax.crypto.Cipher.doFinal	com.daye.beauty.activity:bdservice_v1
Framework API call	javax.crypto.Cipher.doFinal	com.daye.beauty.activity:bdservice_v1
Framework API call	javax.crypto.Cipher.doFinal	com.daye.beauty.activity:bdservice_v1
Framework API call	javax.crypto.Cipher.doFinal	com.daye.beauty.activity
Framework API call	javax.crypto.Cipher.doFinal	com.daye.beauty.activity:bdservice_v1
Framework API call	javax.crypto.Cipher.doFinal	com.daye.beauty.activity:bdservice_v1
Framework API call	javax.crypto.Cipher.doFinal	com.daye.beauty.activity:bdservice_v1
Framework API call	javax.crypto.Cipher.doFinal	com.daye.beauty.activity:bdservice_v1
Framework API call	javax.crypto.Cipher.doFinal	com.daye.beauty.activity:bdservice_v1
Framework API call	javax.crypto.Cipher.doFinal	com.daye.beauty.activity:bdservice_v1
Framework API call	javax.crypto.Cipher.doFinal	com.daye.beauty.activity:bdservice_v1
Framework API call	javax.crypto.Cipher.doFinal	com.daye.beauty.activity:bdservice_v1
Framework API call	javax.crypto.Cipher.doFinal	com.daye.beauty.activity:bdservice_v1
Framework API call	javax.crypto.Cipher.doFinal	com.daye.beauty.activity:bdservice_v1
Framework API call	javax.crypto.Cipher.doFinal	com.daye.beauty.activity:bdservice_v1
Framework API call	javax.crypto.Cipher.doFinal	com.daye.beauty.activity:bdservice_v1
Framework API call	javax.crypto.Cipher.doFinal	com.daye.beauty.activity:bdservice_v1
Framework API call	javax.crypto.Cipher.doFinal	com.daye.beauty.activity:bdservice_v1
Framework API call	javax.crypto.Cipher.doFinal	com.daye.beauty.activity:bdservice_v1
Framework API call	javax.crypto.Cipher.doFinal	com.daye.beauty.activity:bdservice_v1
Framework API call	javax.crypto.Cipher.doFinal	com.daye.beauty.activity:bdservice_v1

Checks CPU information 2 TTPs 1 IoCs

T1633.001

T1426

Processes:

com.daye.beauty.activity

description ioc process

File opened for read /proc/cpuinfo com.daye.beauty.activity
Checks memory information 2 TTPs 1 IoCs

T1633.001

T1426

Processes:

com.daye.beauty.activity

description ioc process

File opened for read /proc/meminfo com.daye.beauty.activity

description	ioc	process
File opened for read	/proc/cpuinfo	com.daye.beauty.activity

description	ioc	process
File opened for read	/proc/meminfo	com.daye.beauty.activity

com.daye.beauty.activity
1⤵
- Loads dropped Dex/Jar
- Queries information about running processes on the device
- Queries information about active data network
- Queries information about the current Wi-Fi connection
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:4248

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.daye.beauty.activity/app_push_lib/plugin-deploy.jar --output-vdex-fd=106 --oat-fd=115 --oat-location=/data/user/0/com.daye.beauty.activity/app_push_lib/oat/x86/plugin-deploy.odex --compiler-filter=quicken --class-loader-context=&
2⤵
- Loads dropped Dex/Jar
PID:4379

com.daye.beauty.activity:bdservice_v1
1⤵
- Loads dropped Dex/Jar
- Queries information about running processes on the device
- Queries information about active data network
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
PID:4430

com.daye.beauty.activity:bdservice_v1
1⤵
- Loads dropped Dex/Jar
- Queries information about running processes on the device
- Queries information about active data network
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
PID:4515

com.daye.beauty.activity:bdservice_v1
1⤵
- Loads dropped Dex/Jar
- Queries information about running processes on the device
- Queries information about active data network
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
PID:4554

com.daye.beauty.activity:bdservice_v1
1⤵
- Loads dropped Dex/Jar
- Queries information about running processes on the device
- Queries information about active data network
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
PID:4586

com.daye.beauty.activity:bdservice_v1
1⤵
- Loads dropped Dex/Jar
- Queries information about running processes on the device
- Queries information about active data network
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
PID:4619

com.daye.beauty.activity:bdservice_v1
1⤵
- Loads dropped Dex/Jar
- Queries information about running processes on the device
- Queries information about active data network
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
PID:4655

com.daye.beauty.activity:bdservice_v1
1⤵
- Loads dropped Dex/Jar
- Queries information about running processes on the device
- Queries information about active data network
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
PID:4695

com.daye.beauty.activity:bdservice_v1
1⤵
- Loads dropped Dex/Jar
- Queries information about running processes on the device
- Queries information about active data network
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
PID:4739

com.daye.beauty.activity:bdservice_v1
1⤵
- Loads dropped Dex/Jar
- Queries information about running processes on the device
- Queries information about active data network
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
PID:4783

com.daye.beauty.activity:bdservice_v1
1⤵
- Loads dropped Dex/Jar
- Queries information about running processes on the device
- Queries information about active data network
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
PID:4816

com.daye.beauty.activity:bdservice_v1
1⤵
- Loads dropped Dex/Jar
- Queries information about running processes on the device
- Queries information about active data network
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
PID:4850

com.daye.beauty.activity:bdservice_v1
1⤵
- Loads dropped Dex/Jar
- Queries information about running processes on the device
- Queries information about active data network
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
PID:4888

com.daye.beauty.activity:bdservice_v1
1⤵
- Loads dropped Dex/Jar
- Queries information about running processes on the device
- Queries information about active data network
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
PID:4920

com.daye.beauty.activity:bdservice_v1
1⤵
- Loads dropped Dex/Jar
- Queries information about running processes on the device
- Queries information about active data network
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
PID:4954

com.daye.beauty.activity:bdservice_v1
1⤵
- Loads dropped Dex/Jar
- Queries information about running processes on the device
- Queries information about active data network
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
PID:4986

com.daye.beauty.activity:bdservice_v1
1⤵
- Loads dropped Dex/Jar
- Queries information about running processes on the device
- Queries information about active data network
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
PID:5025

com.daye.beauty.activity:bdservice_v1
1⤵
- Loads dropped Dex/Jar
- Queries information about running processes on the device
- Queries information about active data network
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
PID:5061

com.daye.beauty.activity:bdservice_v1
1⤵
- Loads dropped Dex/Jar
- Queries information about running processes on the device
- Queries information about active data network
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
PID:5093

com.daye.beauty.activity:bdservice_v1
1⤵
- Loads dropped Dex/Jar
- Queries information about running processes on the device
- Queries information about active data network
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
PID:5127

com.daye.beauty.activity:bdservice_v1
1⤵
- Loads dropped Dex/Jar
- Queries information about running processes on the device
- Queries information about active data network
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
PID:5161

com.daye.beauty.activity:bdservice_v1
1⤵
- Loads dropped Dex/Jar
- Queries information about running processes on the device
- Queries information about active data network
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
PID:5194

com.daye.beauty.activity:bdservice_v1
1⤵
- Loads dropped Dex/Jar
- Queries information about running processes on the device
- Queries information about active data network
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
PID:5232

com.daye.beauty.activity:bdservice_v1
1⤵
- Loads dropped Dex/Jar
- Queries information about running processes on the device
- Queries information about active data network
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
PID:5266

com.daye.beauty.activity:bdservice_v1
1⤵
- Loads dropped Dex/Jar
- Queries information about running processes on the device
- Queries information about active data network
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
PID:5298

com.daye.beauty.activity:bdservice_v1
1⤵
- Loads dropped Dex/Jar
- Queries information about running processes on the device
- Queries information about active data network
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
PID:5334

com.daye.beauty.activity:bdservice_v1
1⤵
- Loads dropped Dex/Jar
- Queries information about running processes on the device
- Queries information about active data network
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
PID:5366

com.daye.beauty.activity:bdservice_v1
1⤵
- Loads dropped Dex/Jar
- Queries information about running processes on the device
- Queries information about active data network
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
PID:5400

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.daye.beauty.activity/app_push_lib/plugin-deploy.jar
Filesize
180KB

MD5
73221f224e5d32e4f130dbe57ad395c0

SHA1
1a8f63b73dede50dd56f469d0ee9bffa84eb9d63

SHA256
8911616ac34f9c9508d25ad55183ab06dd05f1f80793d70fdf225cd56bf4ad55

SHA512
58a1203866c0c376cfedfb493c21b8733f4796f6743414b810a63aa144b1af0acd9797d132684b8f255b9ebd76ba5405d0b5518c0c353c4a9b8839939a9c5c8a

Download Submit
/data/data/com.daye.beauty.activity/app_push_lib/plugin-deploy.key
Filesize
72KB

MD5
9d1a04b8ab5b51cc9115613f8d493560

SHA1
96be9dc210c3d4a4a48c0ebccdf6785b8115b72f

SHA256
9cb03cbcb9a9c03d5cc6c270f14970db2524eac1423182258464e6634bc2dd2b

SHA512
405f844df2c865725cf0c73eb5fb6052dbe61661c41e633d0e32098133de9509c485165324e0ff49ad9507adc92e868b9c99b62b27ca5291b51946333a52a133

Download Submit
/data/data/com.daye.beauty.activity/files/mobclick_agent_cached_com.daye.beauty.activity
Filesize
197B

MD5
68a52c9ab38b1b557944184b49fe1c3a

SHA1
e6aaede6377549ca9fabb2b31ec5e9b92372a0d8

SHA256
b0dad6d36736029331a44de96f18d9ecb8e95f92e4bc778c2e32c03eecd5aaf7

SHA512
1e465ce86fc8fd3dc90fad25cdeae951afee6a3eb1e106ca114e0ae830c75377ac7a4173044c764106e5cf45f1cfdd49c7123723e84a13aba2561b1239bb2728

Download Submit
/data/user/0/com.daye.beauty.activity/app_push_lib/plugin-deploy.jar
Filesize
454KB

MD5
86f78d7f51c3b0e113430319411c2a28

SHA1
b83fe95671ff7322fbf2b72fef0306f8531dc83f

SHA256
488aca21878d63b04052c887a3db9a0916e88fe8db036e2e00200a964268c755

SHA512
4facde88a8971000642953f8f64cdd7beb2ab587463ecc0d5d2c4508e90cc77b4bec8c4cb04f7c43f52f05130d29b950bd8f884a5faca56d129af621512ed4fc

Download Submit
/data/user/0/com.daye.beauty.activity/app_push_lib/plugin-deploy.jar
Filesize
454KB

MD5
eb172940bb27c649684cc12131db7b7d

SHA1
d022b7d97614de236196d48c40e59625938626b3

SHA256
a641935e2fd81e51e844010c860337a14815605dcc78c96bfb6d8620c47bc55a

SHA512
989219b70ab58fd40111920151d87128c4b18b086074d1ee0d95ac73258f3155a9ca93fa74e702d57a3a881e9e408b5571c4db9fdae6faedce677ae50f2bdd9e

Download Submit
/storage/emulated/0/baidu/pushservice/database/storage/emulated/0/baidu/pushservice/database/pushstat_3.4.db
Filesize
24KB

MD5
8b7197af34d3ff11df3904d58bf49db2

SHA1
5c93048455f81ca11d25fb9152251dc3e9188027

SHA256
363728c5a2717083401a2d0f78300faf6753a3b363e1fc01cc948c2962976af3

SHA512
83781376b7fbce215e24fdb1e567c8e0fe4aaadb0c8147371b478785a9b7e3310782ec207221a629070cab9839ef5cadc66dbbb618091753297e64b5722566a6

Download Submit
/storage/emulated/0/baidu/pushservice/database/storage/emulated/0/baidu/pushservice/database/pushstat_3.4.db
Filesize
44KB

MD5
40f725076e1f7e7dc4be161586113596

SHA1
41f1fc0e2f4ed5f650c5bd957fa222f1acc8cf0e

SHA256
99b8876995598dc16cb8af87b0d1ce4835580f85c66b854eebd08abbf42397ac

SHA512
4dac07e7b990d18a3450c977d3c34020e378e1f50932619de907dbe1d31375f1fdc81963718c6449a3e44df525992ba3ddec87580d97b2d55013ddb6d95a1b84

Download Submit
/storage/emulated/0/baidu/pushservice/database/storage/emulated/0/baidu/pushservice/database/pushstat_3.4.db-journal
Filesize
28KB

MD5
360a73d089792c5220e8f40607550af2

SHA1
d4ec0b0f60473a977ae373cd165a22aa17ed7a4e

SHA256
9d8d084020c8bb42e7a14adb11bcb8f667090d79bba31017954bfc1d48387851

SHA512
fb55247583f12105f35e0b8127e602b1486d48e8bb38f2816b086d0aaefb7e342f732121355cd09b0f57fa826daa9d7a18752cc167d7f698d58d324281aeb60f

Download Submit
/storage/emulated/0/baidu/pushservice/database/storage/emulated/0/baidu/pushservice/database/pushstat_3.4.db-shm
Filesize
28KB

MD5
cf845a781c107ec1346e849c9dd1b7e8

SHA1
b44ccc7f7d519352422e59ee8b0bdbac881768a7

SHA256
18619b678a5c207a971a0aa931604f48162e307c57ecdec450d5f095fe9f32c7

SHA512
4802861ea06dc7fb85229a3c8f04e707a084f1ba516510c6f269821b33c8ee4ebf495258fe5bee4850668a5aac1a45f0edf51580da13b7ee160a29d067c67612

Download Submit
/storage/emulated/0/baidu/pushservice/database/storage/emulated/0/baidu/pushservice/database/pushstat_3.4.db-wal
Filesize
64KB

MD5
bcb3f04fedefaac6cf79a813e7277ab7

SHA1
05f0cbbed559eea5bf8923d7d10a0a94c372b5a8

SHA256
829ff73c4420526c58211c226c586b52eab56812bf3e287b0dd9625ae4297f2e

SHA512
bad67a3368e90f8426dc1ba8c98ac77af9e8fa188b84f3e3dee8f96c35cb476aab91158091dc2c31d412e6075ec4ca08b5b5fc463ef3ee29ef77d1363b1a2db8

Download Submit