Analysis

  • max time kernel
    64s
  • max time network
    140s
  • platform
    android_x86
  • resource
    android-x86-arm-20240611.1-en
  • resource tags

    android, arch:arm, arch:x86, image:android-x86-arm-20240611.1-en, locale:en-us, os:android-9-x86, system
  • submitted
    14-06-2024 11:07

General

  • Target

    a9598a16e0f3c5b700a7690035b231ef_JaffaCakes118.apk

  • Size

    9.6MB

  • MD5

    a9598a16e0f3c5b700a7690035b231ef

  • SHA1

    8929ae63deb11fa5da1f8413e4b8035e3e66cb25

  • SHA256

    2a479e98b85f2f03704fd0c16b0c3ef358b6b76dc0ebb82c90a5601505e51746

  • SHA512

    03929fe3ecbd1f8b60307f91d795cef62dd95ea6f3388a8a435ffb219ce0065c5f94ccf85a1e107a91466f8c72755d4f5b0646479c9c3ba7121a5b5f3ee8231e

  • SSDEEP

    196608:6wiN7ktCB1s8yEK8iF2KFax7GQKdfAn2K/2Ky3Xd72K3gL2SH/2KG3:2JoCBK8ILaBAoQx

Malware Config

Signatures

  • Loads dropped Dex/Jar 1 TTPs 1 IoCs

    Runs executable file dropped to the device during analysis.

  • Queries information about running processes on the device 1 TTPs 3 IoCs

    Application may abuse the framework's APIs to collect information about running processes on the device.

  • Requests cell location 2 TTPs 1 IoCs

    Uses Android APIs to get the current cell location.

  • Domain associated with commercial stalkerware software, includes indicators from echap.eu.org 1 IoCs
  • Queries information about active data network 1 TTPs 1 IoCs
  • Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

  • Reads information about phone network operator 1 TTPs
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
  • Checks CPU information 2 TTPs 1 IoCs

Processes

  • com.xueqian.shizikahksioaguwetpfb
    1⤵
    • Loads dropped Dex/Jar
    • Queries information about running processes on the device
    • Requests cell location
    • Queries information about active data network
    • Queries information about the current Wi-Fi connection
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Checks CPU information
    PID:4188
  • com.xueqian.shizikahksioaguwetpfb:service1
    1⤵
    • Queries information about running processes on the device
    PID:4249
  • com.xueqian.shizikahksioaguwetpfb:service2
    1⤵
    • Queries information about running processes on the device
    PID:4262

Network

MITRE ATT&CK Matrix


Downloads

  • /data/data/com.xueqian.shizikahksioaguwetpfb/files/__pasys_remote_banner.tmp.jar
    Filesize

    108KB

    MD5

    63ba17ca047dc71aa659c7ed8bb60de5

    SHA1

    675bd0556bce8d43cd29a6d9b3d996d41f3e0b2b

    SHA256

    2750f3af62f5b9d1d21f6a8215f529e472e7098ac16295b976a29115e8520a52

    SHA512

    5b70f6bc391276d2034a97e371adad0a635caafdfc33d32791db1432d4cca3f0364e1af6b10b574df5c8f3345bd5539a4d70455aa521f10b239e68216f5ddc39

  • /data/data/com.xueqian.shizikahksioaguwetpfb/files/mobclick_agent_sealed_com.xueqian.shizikahksioaguwetpfb
    Filesize

    585B

    MD5

    9df0643edef71b0bef16d6f15f4a3cd0

    SHA1

    a0044a7b405894a3daaf5abc29029cce092d85f2

    SHA256

    ec9c3fdc1986dde3f0a989a2b1150b9b16c513e5966a58a0c36350ddea93aabd

    SHA512

    bc70fdd7b2425e5dc3de6c1786d77265da1e2006cced4f66801a24a88ed77b6c014fc6266fe42dad5724b22da5d069658c6e6555f57d2a8945bc18a5015e1ca0

  • /data/data/com.xueqian.shizikahksioaguwetpfb/files/umeng_it.cache
    Filesize

    211B

    MD5

    934dc1d9af72044a3eaeae5e695f9a2c

    SHA1

    54d2c8d1656331c81e6111a348a4d7aea901e185

    SHA256

    76cd0845396c8e659d643f09270e9bdfc4d5a61d01a553b4eef39fd2908d7473

    SHA512

    9b004cd2ef742dd46c7a9a5f67d4bea8855e8de583b1c6af6738a6c5f771a0fd9f939aa6114abba5c128854d4e152c2e34f7f0874d6c5a821db9366aa5ad256b

  • /data/user/0/com.xueqian.shizikahksioaguwetpfb/files/__pasys_remote_banner.jar
    Filesize

    219KB

    MD5

    9c859e81e45f7d6f6d3a8b8cdaa650a2

    SHA1

    c6798ed55e37020cef4b4c76c095f45bbc404438

    SHA256

    028f5514443840c54d4b832d439a70cd732c4740bf2bedc3a8ba567268225fbe

    SHA512

    f01429687a0a9e85be068b7553a5e0928f7d7b4b306c1ba5823e7151be4e30f1f6a69bdc9d9fa3c5d0d722d8b46dafbfd956783fe4e27d52204c9a29e3092ee3

  • /storage/emulated/0/msc/55691c296e977bcc18b82c78c9fb6277/urec.data
    Filesize

    83B

    MD5

    97df500f09350fe6be0db55aa83b09d1

    SHA1

    5ed2e9ca26975ca050d6208cb9674d51df15572c

    SHA256

    2762c586d29dd3bfa7c1b899ff0297e93783b7500edb603d5c57dc8cf6400954

    SHA512

    ea450d0d3e9c8765fa199dfe56fbadfa4cc0827f744bf33143a57afb5e8447bf38135611fe836bc40e1b65cc762b9b1a57f65fa0a8f1129fc2da8359d0063cd0

  • /storage/emulated/0/msc/user.perf
    Filesize

    988B

    MD5

    bc2807a098c6d1e660e669967b40f4a8

    SHA1

    1da009bd1478deff7542e2abd26415a06526a2ed

    SHA256

    a8e87ac5748f45a868b58b1f512dfab16ac588c7d8e3d55aaa3441d72c90257e

    SHA512

    c6608a97a2d651ca1a5d48988886191bace9d19fa837160f0350474f8b44fce7f1210966f7d08f50df1d95edeeed4e52faf3c18c19efe13ce25794828edee498