Analysis

  • max time kernel
    174s
  • max time network
    183s
  • platform
    android_x86
  • resource
    android-x86-arm-20240611.1-en
  • resource tags
    android, arch:arm, arch:x86, image:android-x86-arm-20240611.1-en, locale:en-us, os:android-9-x86, system
  • submitted
    14-06-2024 07:44

General

  • Target

    a8940b31d9dfe1a827a633cff3e1f7e2_JaffaCakes118.apk

  • Size

    5.5MB

  • MD5

    a8940b31d9dfe1a827a633cff3e1f7e2

  • SHA1

    06ba0cdee52c35032ae9eb4cf653539d29b6cce7

  • SHA256

    c1e42f226ddd55b8096893f911faa71578fedd5812c79d556d82736b6db4592d

  • SHA512

    754e5a855e329ec309b33fd459448dade117c00fffa256fa834786c2566b4ae9931533963bdee4a11be3c93d81d23ee227c2d10e55cb1e3068d1b88fc681c571

  • SSDEEP

    98304:9tgdZjY5CThyIj+tyceNSwVGV6jPzNGjA/id16at8ySoXmcO3Vsb/J:9tgdZjuKLayceRGsjLNzidQCXDXlb/J

Malware Config

Signatures

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Acquires the wake lock 1 IoCs
  • Domain associated with commercial stalkerware software, includes indicators from echap.eu.org 1 IoCs
  • Queries information about active data network 1 TTPs 2 IoCs
  • Queries information about the current Wi-Fi connection 1 TTPs 2 IoCs

    Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Reads information about phone network operator 1 TTPs
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 2 IoCs
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
  • Checks CPU information 2 TTPs 1 IoCs
  • Checks memory information 2 TTPs 1 IoCs

Processes

  • com.wta.YdbDev.jiuwei129276
    1⤵
    • Queries information about active data network
    • Queries information about the current Wi-Fi connection
    • Queries the mobile country code (MCC)
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Uses Crypto APIs (Might try to encrypt user data)
    • Checks CPU information
    • Checks memory information
    PID:4272
    • cat /sys/class/net/wlan0/address
      2⤵
      PID:4645
    • getprop ro.product.cpu.abi
      2⤵
      PID:4716
  • com.wta.YdbDev.jiuwei129276:pushservice
    1⤵
    • Acquires the wake lock
    • Queries information about active data network
    • Queries information about the current Wi-Fi connection
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    PID:4424

Network

MITRE ATT&CK Matrix


Downloads

  • /data/data/com.wta.YdbDev.jiuwei129276/app_tbs/core_private/debug.conf
    Filesize: 101B
    MD5: f418f4932b9c478a59c81cad1e9a3579
    SHA1: e3bee620e3d120d9e23acd623e00434a7d8a2cb7
    SHA256: 0196c278a54795f13ca9bb36f2fa141812185e38724614e1761eb7d37a61d5b2
    SHA512: 5abb90d57db23ea19e882deaaed9c284b91dccf7d850c2f1c39cf6e61e59cd4a44ba972aef7ca50d4c08fc05cae6da0d84940223779d54aef453640c8434770f

  • /data/data/com.wta.YdbDev.jiuwei129276/databases/ThrowalbeLog.db-journal
    Filesize: 512B
    MD5: fbaabda2cd881e010611b99aa590da89
    SHA1: 7ec87fa047b85a8ac4b56e69c32f5948df770377
    SHA256: 8c598273d991835507fd2d63f09234fbfda34011cd2950c105df79467d812a4e
    SHA512: 140b0ecf7cba45f8bd70f62aeaad546e5345f9b1b9662d9f410e3d43c2da9b1ed4d1115b412a478c2dba286b878d96ec0ad814d6126179136009f019a0f128ec

  • /data/data/com.wta.YdbDev.jiuwei129276/databases/ThrowalbeLog.db-wal
    Filesize: 64KB
    MD5: ba408895dd16c931689666bd1b9b0f04
    SHA1: b55c86caa14205ae27787dfdf19e6c1218e0948a
    SHA256: 0d385cc752352b045b778a1dc08b3c3571502b8960b1485d118a49ff41acd7fc
    SHA512: c63fd5f48f9e9c503c1fd67e5a44c94cf4e2a413b131dbfc3f1868eeaad016b619e6b5edbf82af89f60d5a6055979dfccf53a6f367d29c1f0e461518463d410f

  • /data/data/com.wta.YdbDev.jiuwei129276/databases/pushsdk.db
    Filesize: 4KB
    MD5: f2b4b0190b9f384ca885f0c8c9b14700
    SHA1: 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
    SHA256: 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
    SHA512: ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

  • /data/data/com.wta.YdbDev.jiuwei129276/databases/pushsdk.db-journal
    Filesize: 512B
    MD5: 5090ddabaeee0a81019387a11bad18ee
    SHA1: d8453c254136f080e10faf0a4003c6eab98e2709
    SHA256: 4c5b78c39032a9d743e4c792aa54304a08b4c0ed20eb8acfe0bf82b9544b4f38
    SHA512: 89d17dac243a65d1b134bf09ae20549570abd5a2c51580175be8affe84e44da79cf265df8986dc6b36352dee45490d66d41dae50fb9c4c294b922412fffd546e

  • /data/data/com.wta.YdbDev.jiuwei129276/databases/pushsdk.db-shm
    Filesize: 32KB
    MD5: bb7df04e1b0a2570657527a7e108ae23
    SHA1: 5188431849b4613152fd7bdba6a3ff0a4fd6424b
    SHA256: c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
    SHA512: 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

  • /data/data/com.wta.YdbDev.jiuwei129276/files/.um/um_cache_1718351151784.env
    Filesize: 607B
    MD5: 8ead3de247836a40dbb0cbbd06511bb1
    SHA1: 05c328dc912d4aba2a3bc5449e8f637dc59cf964
    SHA256: 08960f4cfa69785849c1e1529d200ee080dbaa17c1fe2dbb5633dd1b834ea91c
    SHA512: d2e8694a688affdbc544c64521a5c717c4defdebbc955d34105b630488d8ee3c772505dd022c850c5e2cb6db4649e6c5e45efc20d2f7dc7ba181db2adaaea305

  • /data/data/com.wta.YdbDev.jiuwei129276/files/umeng_it.cache
    Filesize: 310B
    MD5: 6f3063dd099595edaf5c3484aac9fca0
    SHA1: 2b1b1db7926f41c27d0e36e9e8d9161d76eff458
    SHA256: fd3038303dd5998837792ea28d408c56be889f72f2c8a5e54e21b210bfa39e71
    SHA512: c7532557d0d7e9fe26e4784f60aba2cf23e55bb68b5aa10646d17f972d80ee89eae22c8072ad36852457d9168a35dce0929ae211963aa4258ecb25eab2f3b684

  • /storage/emulated/0/Android/data/com.wta.YdbDev.jiuwei129276/files/tbslog/tbslog.txt
    Filesize: 80KB
    MD5: 921166956a7184839674d3862088f7e8
    SHA1: 1114bc8839dffcd5590d6590a49efd702e595620
    SHA256: df7cbe72d732f2b74705ef09116b7c2f97d40f3b13c9afd2b59faf0eb5c950e7
    SHA512: 3dbc61be717e23d6a8fae3ac819750bd09eb676ac21422070bed40d8acd20b77d75fd9bff88205139223806604593f28b10bba1d7fd3f1dd665b1c811f694b9b