Analysis

  • max time kernel: 175s
  • max time network: 138s
  • platform: android_x86
  • resource: android-x86-arm-20240611.1-en
  • resource tags: android, arch:arm, arch:x86, image:android-x86-arm-20240611.1-en, locale:en-us, os:android-9-x86, system
  • submitted: 14-06-2024 09:41

General

  • Target: a90341fc8a223ac9a71762bb762e191d_JaffaCakes118.apk
  • Size: 26.3MB
  • MD5: a90341fc8a223ac9a71762bb762e191d
  • SHA1: 3ac10113916a9e2ceb68900639f9c0b6f5c6c2a5
  • SHA256: 42bb109ed9011f6c6cb0644b60dd69c13077b539e504755045a7b887e316ef2d
  • SHA512: 3366795a0c6b15d3294a69eb0fa8f42d5b97288bbaee7564bc627aacad1c1ee4f60388d18bab6ca9c74c13eda4b9f5dcf955650913a96d4a47e881e583f766a5
  • SSDEEP: 786432:OI1QFm9vZ0rojiJFb2krbomRoRhi0KZMoRAX3lG6LtTK:PIdojRk4RKZy3MSw

Malware Config

Signatures

  • Checks if the Android device is rooted. (1 TTP, 2 IoCs)
  • Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps). (1 TTP)
  • Queries information about running processes on the device. (1 TTP, 4 IoCs)

    Application may abuse the framework's APIs to collect information about running processes on the device.

  • Requests cell location. (2 TTPs, 1 IoC)

    Uses Android APIs to get the current cell location.

  • Domain associated with commercial stalkerware software; includes indicators from echap.eu.org. (1 IoC)
  • Makes use of the framework's foreground persistence service. (1 TTP, 1 IoC)

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Queries information about the active data network. (1 TTP, 1 IoC)
  • Queries information about the current Wi-Fi connection. (1 TTP, 2 IoCs)

    Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

  • Registers a broadcast receiver at runtime (usually for listening for system events). (1 TTP, 1 IoC)
  • Checks CPU information. (2 TTPs, 1 IoC)

Processes

  • com.qingshu520.chat (PID 4176)
    • Checks if the Android device is rooted.
    • Queries information about running processes on the device
    • Requests cell location
    • Queries information about active data network
    • Queries information about the current Wi-Fi connection
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Checks CPU information
  • com.qingshu520.chat:core (PID 4205)
    • Queries information about running processes on the device
  • com.qingshu520.chat:cosine (PID 4265)
    • Queries information about running processes on the device
  • com.qingshu520.chat:QALSERVICE (PID 4311)
    • Queries information about running processes on the device
    • Makes use of the framework's foreground persistence service
    • Queries information about the current Wi-Fi connection

Network

MITRE ATT&CK Matrix

Downloads

  • /data/data/com.qingshu520.chat/databases/tls_sdk.db
    Filesize

    4KB

  • /data/data/com.qingshu520.chat/databases/tls_sdk.db-journal
    Filesize

    512B

  • /data/data/com.qingshu520.chat/databases/tls_sdk.db-shm
    Filesize

    32KB

  • /data/data/com.qingshu520.chat/databases/tls_sdk.db-wal
    Filesize

    20KB

  • /data/data/com.qingshu520.chat/files/.imprint
    Filesize

    998B

  • /data/data/com.qingshu520.chat/files/tls_device.dat
    Filesize

    16B

  • /data/data/com.qingshu520.chat/files/umeng_it.cache
    Filesize

    211B

  • /data/data/com.qingshu520.chat/files/umeng_it.cache
    Filesize

    108B

  • /storage/emulated/0/Tencent/imsdklogs/com/qingshu520/chat/ilivesdk_20240614.log
    Filesize

    212B

  • /storage/emulated/0/Tencent/imsdklogs/com/qingshu520/chat/imsdk_20240614.log
    Filesize

    2KB

  • /storage/emulated/0/Tencent/qalsdklogs/com/qingshu520/chat/sdk/sdk.24.06.14.09.log
    Filesize

    1KB

  • /storage/emulated/0/Tencent/qalsdklogs/com/qingshu520/chat/sdk/sdk.24.06.14.09.log
    Filesize

    10KB

  • /storage/emulated/0/chat/cache/journal.tmp
    Filesize

    31B

  • /storage/emulated/0/chat/cache/nim/log/nim_sdk.log
    Filesize

    123B

  • /storage/emulated/0/chat/cache/nim/log/nim_sdk.log
    Filesize

    8KB

  • /storage/emulated/0/chat/cache/nim/log/nim_sdk.log
    Filesize

    59B

  • /storage/emulated/0/chat/cache/nim/log/nim_sdk.log
    Filesize

    158B

  • /storage/emulated/0/chat/cache/nim/log/nim_sdk.log
    Filesize

    96B

  • /storage/emulated/0/chat/cache/nim/log/nim_sdk.log
    Filesize

    141B

  • /storage/emulated/0/chat/cache/nim/log/nim_sdk.log
    Filesize

    144B

  • /storage/emulated/0/chat/cache/nim/log/nim_sdk.log
    Filesize

    78B

  • /storage/emulated/0/iapppay/statistics/com.qingshu520.chat/statistics.log
    Filesize

    116B
