Analysis
- max time kernel: 64s
- max time network: 140s
- platform: android_x86
- resource: android-x86-arm-20240611.1-en
- resource tags: android, arch:arm, arch:x86, image:android-x86-arm-20240611.1-en, locale:en-us, os:android-9-x86, system
- submitted: 14-06-2024 11:07
Static task: static1
Behavioral task: behavioral1
- Sample: a9598a16e0f3c5b700a7690035b231ef_JaffaCakes118.apk
- Resource: android-x86-arm-20240611.1-en
Behavioral task: behavioral2
- Sample: __pasys_remote_banner.apk
- Resource: android-x86-arm-20240611.1-en
Behavioral task: behavioral3
- Sample: __pasys_remote_banner.apk
- Resource: android-x64-20240611.1-en
Behavioral task: behavioral4
- Sample: __pasys_remote_banner.apk
- Resource: android-x64-arm64-20240611.1-en
Behavioral task: behavioral5
- Sample: gdtadv2.apk
- Resource: android-x86-arm-20240611.1-en
Behavioral task: behavioral6
- Sample: gdtadv2.apk
- Resource: android-x64-20240611.1-en
Behavioral task: behavioral7
- Sample: gdtadv2.apk
- Resource: android-x64-arm64-20240611.1-en
General
- Target: a9598a16e0f3c5b700a7690035b231ef_JaffaCakes118.apk
- Size: 9.6MB
- MD5: a9598a16e0f3c5b700a7690035b231ef
- SHA1: 8929ae63deb11fa5da1f8413e4b8035e3e66cb25
- SHA256: 2a479e98b85f2f03704fd0c16b0c3ef358b6b76dc0ebb82c90a5601505e51746
- SHA512: 03929fe3ecbd1f8b60307f91d795cef62dd95ea6f3388a8a435ffb219ce0065c5f94ccf85a1e107a91466f8c72755d4f5b0646479c9c3ba7121a5b5f3ee8231e
- SSDEEP: 196608:6wiN7ktCB1s8yEK8iF2KFax7GQKdfAn2K/2Ky3Xd72K3gL2SH/2KG3:2JoCBK8ILaBAoQx
Malware Config
Signatures
-
Loads dropped Dex/Jar (1 TTPs, 1 IoCs)
Runs executable file dropped to the device during analysis.
Processes:
  com.xueqian.shizikahksioaguwetpfb
    ioc: /data/user/0/com.xueqian.shizikahksioaguwetpfb/files/__pasys_remote_banner.jar
    pid: 4188
    process: com.xueqian.shizikahksioaguwetpfb
-
Queries information about running processes on the device (1 TTPs, 3 IoCs)
Application may abuse the framework's APIs to collect information about running processes on the device.
Processes:
  com.xueqian.shizikahksioaguwetpfb
    description: Framework service call
    ioc: android.app.IActivityManager.getRunningAppProcesses
    process: com.xueqian.shizikahksioaguwetpfb
  com.xueqian.shizikahksioaguwetpfb:service1
    description: Framework service call
    ioc: android.app.IActivityManager.getRunningAppProcesses
    process: com.xueqian.shizikahksioaguwetpfb:service1
  com.xueqian.shizikahksioaguwetpfb:service2
    description: Framework service call
    ioc: android.app.IActivityManager.getRunningAppProcesses
    process: com.xueqian.shizikahksioaguwetpfb:service2
-
Requests cell location (2 TTPs, 1 IoCs)
Uses Android APIs to get the current cell location.
-
Domain associated with commercial stalkerware software, includes indicators from echap.eu.org (1 IoCs)
Processes:
  flow: 8
  ioc: alog.umeng.com
-
Queries information about active data network (1 TTPs, 1 IoCs)
Processes:
  com.xueqian.shizikahksioaguwetpfb
    description: Framework service call
    ioc: android.net.IConnectivityManager.getActiveNetworkInfo
    process: com.xueqian.shizikahksioaguwetpfb
-
Queries information about the current Wi-Fi connection (1 TTPs, 1 IoCs)
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
Processes:
  com.xueqian.shizikahksioaguwetpfb
    description: Framework service call
    ioc: android.net.wifi.IWifiManager.getConnectionInfo
    process: com.xueqian.shizikahksioaguwetpfb
-
Reads information about phone network operator (1 TTPs)
-
Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTPs, 1 IoCs)
Processes:
  com.xueqian.shizikahksioaguwetpfb
    description: Framework service call
    ioc: android.app.IActivityManager.registerReceiver
    process: com.xueqian.shizikahksioaguwetpfb
-
Checks CPU information (2 TTPs, 1 IoCs)
Processes
-
com.xueqian.shizikahksioaguwetpfb
- Loads dropped Dex/Jar
- Queries information about running processes on the device
- Requests cell location
- Queries information about active data network
- Queries information about the current Wi-Fi connection
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Checks CPU information
-
com.xueqian.shizikahksioaguwetpfb:service1
- Queries information about running processes on the device
-
com.xueqian.shizikahksioaguwetpfb:service2
- Queries information about running processes on the device
Network
MITRE ATT&CK Matrix
Downloads
-
/data/data/com.xueqian.shizikahksioaguwetpfb/files/__pasys_remote_banner.tmp.jar
  Filesize: 108KB
  MD5: 63ba17ca047dc71aa659c7ed8bb60de5
  SHA1: 675bd0556bce8d43cd29a6d9b3d996d41f3e0b2b
  SHA256: 2750f3af62f5b9d1d21f6a8215f529e472e7098ac16295b976a29115e8520a52
  SHA512: 5b70f6bc391276d2034a97e371adad0a635caafdfc33d32791db1432d4cca3f0364e1af6b10b574df5c8f3345bd5539a4d70455aa521f10b239e68216f5ddc39
-
/data/data/com.xueqian.shizikahksioaguwetpfb/files/mobclick_agent_sealed_com.xueqian.shizikahksioaguwetpfb
  Filesize: 585B
  MD5: 9df0643edef71b0bef16d6f15f4a3cd0
  SHA1: a0044a7b405894a3daaf5abc29029cce092d85f2
  SHA256: ec9c3fdc1986dde3f0a989a2b1150b9b16c513e5966a58a0c36350ddea93aabd
  SHA512: bc70fdd7b2425e5dc3de6c1786d77265da1e2006cced4f66801a24a88ed77b6c014fc6266fe42dad5724b22da5d069658c6e6555f57d2a8945bc18a5015e1ca0
-
/data/data/com.xueqian.shizikahksioaguwetpfb/files/umeng_it.cache
  Filesize: 211B
  MD5: 934dc1d9af72044a3eaeae5e695f9a2c
  SHA1: 54d2c8d1656331c81e6111a348a4d7aea901e185
  SHA256: 76cd0845396c8e659d643f09270e9bdfc4d5a61d01a553b4eef39fd2908d7473
  SHA512: 9b004cd2ef742dd46c7a9a5f67d4bea8855e8de583b1c6af6738a6c5f771a0fd9f939aa6114abba5c128854d4e152c2e34f7f0874d6c5a821db9366aa5ad256b
-
/data/user/0/com.xueqian.shizikahksioaguwetpfb/files/__pasys_remote_banner.jar
  Filesize: 219KB
  MD5: 9c859e81e45f7d6f6d3a8b8cdaa650a2
  SHA1: c6798ed55e37020cef4b4c76c095f45bbc404438
  SHA256: 028f5514443840c54d4b832d439a70cd732c4740bf2bedc3a8ba567268225fbe
  SHA512: f01429687a0a9e85be068b7553a5e0928f7d7b4b306c1ba5823e7151be4e30f1f6a69bdc9d9fa3c5d0d722d8b46dafbfd956783fe4e27d52204c9a29e3092ee3
-
/storage/emulated/0/msc/55691c296e977bcc18b82c78c9fb6277/urec.data
  Filesize: 83B
  MD5: 97df500f09350fe6be0db55aa83b09d1
  SHA1: 5ed2e9ca26975ca050d6208cb9674d51df15572c
  SHA256: 2762c586d29dd3bfa7c1b899ff0297e93783b7500edb603d5c57dc8cf6400954
  SHA512: ea450d0d3e9c8765fa199dfe56fbadfa4cc0827f744bf33143a57afb5e8447bf38135611fe836bc40e1b65cc762b9b1a57f65fa0a8f1129fc2da8359d0063cd0
-
/storage/emulated/0/msc/user.perf
  Filesize: 988B
  MD5: bc2807a098c6d1e660e669967b40f4a8
  SHA1: 1da009bd1478deff7542e2abd26415a06526a2ed
  SHA256: a8e87ac5748f45a868b58b1f512dfab16ac588c7d8e3d55aaa3441d72c90257e
  SHA512: c6608a97a2d651ca1a5d48988886191bace9d19fa837160f0350474f8b44fce7f1210966f7d08f50df1d95edeeed4e52faf3c18c19efe13ce25794828edee498