Analysis

  • max time kernel
    178s
  • max time network
    187s
  • platform
    android_x86
  • resource
    android-x86-arm-20240611.1-en
  • resource tags

    android, arch:arm, arch:x86, image:android-x86-arm-20240611.1-en, locale:en-us, os:android-9-x86, system
  • submitted
    15-06-2024 05:46

General

  • Target

    ad0c55cb117c947d6f07fa4c0e20e187_JaffaCakes118.apk

  • Size

    20.1MB

  • MD5

    ad0c55cb117c947d6f07fa4c0e20e187

  • SHA1

    e2d467a97d11e55d0893e835333d36f9772a08dd

  • SHA256

    caff1ef7db1aace2c053e041b94ffe1cf9d2c8635442eade4c6fd8e40ffc3fa6

  • SHA512

    3e93fcb710c93573327e2e3419d3d36a040a349858a540025f5d5211277e2f4c4b1760a2958bafb883195bac953ca5e448219748edb9aee1ade30bc297738af8

  • SSDEEP

    393216:SOwJtVd3Fuw94Ifqsz8MJduBjtriNF4cnAPoTCyH:SpTVdVAkjmjiNF4cnDTCyH

Malware Config

Signatures

  • Loads dropped Dex/Jar 1 TTPs 31 IoCs

    Loads and runs a DEX/JAR file that was written to the device during analysis (code not shipped in the installed APK).

  • Domain associated with commercial stalkerware software, includes indicators from echap.eu.org 1 IoCs
  • Queries information about active data network 1 TTPs 30 IoCs
  • Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 30 IoCs
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 30 IoCs
  • Checks CPU information 2 TTPs 1 IoCs
  • Checks memory information 2 TTPs 1 IoCs

Processes

  • utan.android.utanBaby
    1⤵
    • Loads dropped Dex/Jar
    • Queries information about active data network
    • Queries information about the current Wi-Fi connection
    • Queries the mobile country code (MCC)
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Uses Crypto APIs (Might try to encrypt user data)
    • Checks CPU information
    • Checks memory information
    PID:4262
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/utan.android.utanBaby/app_push_lib_v3_120/plugin-deploy.jar --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/utan.android.utanBaby/app_push_lib_v3_120/oat/x86/plugin-deploy.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4289
  • utan.android.utanBaby:bdservice_v1
    1⤵
    • Loads dropped Dex/Jar
    • Queries information about active data network
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4328
  • utan.android.utanBaby:bdservice_v1
    1⤵
    • Loads dropped Dex/Jar
    • Queries information about active data network
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4459
  • utan.android.utanBaby:bdservice_v1
    1⤵
    • Loads dropped Dex/Jar
    • Queries information about active data network
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4505
  • utan.android.utanBaby:bdservice_v1
    1⤵
    • Loads dropped Dex/Jar
    • Queries information about active data network
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4611
  • utan.android.utanBaby:bdservice_v1
    1⤵
    • Loads dropped Dex/Jar
    • Queries information about active data network
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4648
  • utan.android.utanBaby:bdservice_v1
    1⤵
    • Loads dropped Dex/Jar
    • Queries information about active data network
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4700
  • utan.android.utanBaby:bdservice_v1
    1⤵
    • Loads dropped Dex/Jar
    • Queries information about active data network
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4738
  • utan.android.utanBaby:bdservice_v1
    1⤵
    • Loads dropped Dex/Jar
    • Queries information about active data network
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4777
  • utan.android.utanBaby:bdservice_v1
    1⤵
    • Loads dropped Dex/Jar
    • Queries information about active data network
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4825
  • utan.android.utanBaby:bdservice_v1
    1⤵
    • Loads dropped Dex/Jar
    • Queries information about active data network
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4885
  • utan.android.utanBaby:bdservice_v1
    1⤵
    • Loads dropped Dex/Jar
    • Queries information about active data network
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4924
  • utan.android.utanBaby:bdservice_v1
    1⤵
    • Loads dropped Dex/Jar
    • Queries information about active data network
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:5013
  • utan.android.utanBaby:bdservice_v1
    1⤵
    • Loads dropped Dex/Jar
    • Queries information about active data network
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:5056
  • utan.android.utanBaby:bdservice_v1
    1⤵
    • Loads dropped Dex/Jar
    • Queries information about active data network
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:5094
  • utan.android.utanBaby:bdservice_v1
    1⤵
    • Loads dropped Dex/Jar
    • Queries information about active data network
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:5133
  • utan.android.utanBaby:bdservice_v1
    1⤵
    • Loads dropped Dex/Jar
    • Queries information about active data network
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:5170
  • utan.android.utanBaby:bdservice_v1
    1⤵
    • Loads dropped Dex/Jar
    • Queries information about active data network
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:5218
  • utan.android.utanBaby:bdservice_v1
    1⤵
    • Loads dropped Dex/Jar
    • Queries information about active data network
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:5281
  • utan.android.utanBaby:bdservice_v1
    1⤵
    • Loads dropped Dex/Jar
    • Queries information about active data network
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:5320
  • utan.android.utanBaby:bdservice_v1
    1⤵
    • Loads dropped Dex/Jar
    • Queries information about active data network
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:5360
  • utan.android.utanBaby:bdservice_v1
    1⤵
    • Loads dropped Dex/Jar
    • Queries information about active data network
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:5398
  • utan.android.utanBaby:bdservice_v1
    1⤵
    • Loads dropped Dex/Jar
    • Queries information about active data network
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:5436
  • utan.android.utanBaby:bdservice_v1
    1⤵
    • Loads dropped Dex/Jar
    • Queries information about active data network
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:5471
  • utan.android.utanBaby:bdservice_v1
    1⤵
    • Loads dropped Dex/Jar
    • Queries information about active data network
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:5522
  • utan.android.utanBaby:bdservice_v1
    1⤵
    • Loads dropped Dex/Jar
    • Queries information about active data network
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:5559
  • utan.android.utanBaby:bdservice_v1
    1⤵
    • Loads dropped Dex/Jar
    • Queries information about active data network
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:5647
  • utan.android.utanBaby:bdservice_v1
    1⤵
    • Loads dropped Dex/Jar
    • Queries information about active data network
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:5684
  • utan.android.utanBaby:bdservice_v1
    1⤵
    • Loads dropped Dex/Jar
    • Queries information about active data network
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:5719
  • utan.android.utanBaby:bdservice_v1
    1⤵
    • Loads dropped Dex/Jar
    • Queries information about active data network
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:5760
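The dex2oat line in the process tree above is what the "Loads dropped Dex/Jar" signature keys on: ART is compiling plugin-deploy.jar out of the app's private directory (/data/user/0/utan.android.utanBaby/app_push_lib_v3_120/) rather than from the install location under /data/app/, which is the runtime footprint of dynamic code loading. As an added example, not part of this sandbox report, the Python below parses such a command line and flags any --dex-file that lies in an app-writable location. The sample command line is the report's own (the truncated `--class-loader-context=&` is kept verbatim); the trusted-path prefixes and the app-private path pattern are assumptions about standard Android layout.

```python
import re
import shlex
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Command line copied from the process tree above; the trailing
# '--class-loader-context=&' is truncated on the page and kept verbatim.
SAMPLE_DEX2OAT = (
    "/system/bin/dex2oat --instruction-set=x86 "
    "--instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt "
    "--runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate "
    "--boot-image=/system/framework/boot.art "
    "--runtime-arg -Xms64m --runtime-arg -Xmx512m "
    "--instruction-set-variant=x86 --instruction-set-features=default "
    "--inline-max-code-units=0 --compact-dex-level=none "
    "--dex-file=/data/user/0/utan.android.utanBaby/app_push_lib_v3_120/plugin-deploy.jar "
    "--output-vdex-fd=41 --oat-fd=42 "
    "--oat-location=/data/user/0/utan.android.utanBaby/app_push_lib_v3_120/oat/x86/plugin-deploy.odex "
    "--compiler-filter=quicken --class-loader-context=&"
)

# Assumed: locations that normally hold code installed by the system or the
# package manager. A dex compiled from anywhere else was written by an app.
TRUSTED_CODE_PREFIXES = (
    "/system/", "/vendor/", "/product/", "/apex/",
    "/data/app/", "/data/dalvik-cache/",
)

# App-private directories: /data/data/<pkg>/ is a symlink to /data/user/0/<pkg>/,
# so both spellings are matched and the package name is captured.
APP_PRIVATE_DIR = re.compile(r"^/data/(?:data|user/\d+)/([A-Za-z0-9_.]+)/")


@dataclass
class Dex2OatInvocation:
    dex_files: List[str] = field(default_factory=list)
    oat_location: Optional[str] = None
    compiler_filter: Optional[str] = None
    runtime_args: List[str] = field(default_factory=list)


def parse_dex2oat(cmdline: str) -> Dex2OatInvocation:
    """Pull the fields that matter for triage out of a dex2oat command line."""
    argv = shlex.split(cmdline)
    if not argv or not argv[0].endswith("dex2oat"):
        raise ValueError("not a dex2oat command line")
    inv = Dex2OatInvocation()
    args = iter(argv[1:])
    for arg in args:
        if arg == "--runtime-arg":          # the runtime flag is the next token
            inv.runtime_args.append(next(args, ""))
        elif arg.startswith("--dex-file="):
            inv.dex_files.append(arg.split("=", 1)[1])
        elif arg.startswith("--oat-location="):
            inv.oat_location = arg.split("=", 1)[1]
        elif arg.startswith("--compiler-filter="):
            inv.compiler_filter = arg.split("=", 1)[1]
    return inv


def owning_package(path: str) -> Optional[str]:
    """Package name if the path is inside some app's private directory."""
    m = APP_PRIVATE_DIR.match(path)
    return m.group(1) if m else None


def dynamic_code_loads(inv: Dex2OatInvocation) -> List[Tuple[str, str]]:
    """(dex path, package) for every dex/jar compiled out of an app-private dir."""
    hits = []
    for path in inv.dex_files:
        if path.startswith(TRUSTED_CODE_PREFIXES):
            continue
        pkg = owning_package(path)
        if pkg is not None:
            hits.append((path, pkg))
    return hits


if __name__ == "__main__":
    inv = parse_dex2oat(SAMPLE_DEX2OAT)
    for path, pkg in dynamic_code_loads(inv):
        print(f"{pkg} compiles dropped code: {path} (filter={inv.compiler_filter})")
```

The same parser works on `ps`/`logcat` captures from a live device, where dex2oat is spawned by the app's own process (here PID 4289 under PID 4262); the owning package comes from the path, not from the parent, so it also catches code compiled on behalf of one package into another's directory.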

Network

MITRE ATT&CK Matrix

Downloads

  • /data/data/utan.android.utanBaby/app_push_lib_v3_120/oat/plugin-deploy.jar.cur.prof
    Filesize

    235B

    MD5

    1d094b14a61f9c23cf45024a0eb00f3c

    SHA1

    ae00d9a3dcd580bc90ad79ad5556fa291d050c31

    SHA256

    c3c1bf683af998bd6599eb5d8d7e02b766c309b039e8019f34d3ada17cc83ff8

    SHA512

    d8c3bd74fe23a1f656f11041bdcb8dfbf8c61e9beb3285586d429846d12375ed5038ca8af5c817aeec44394f76d0af9c2c896c41eead448ce026a265b4f7b406

  • /data/data/utan.android.utanBaby/app_push_lib_v3_120/plugin-deploy.jar
    Filesize

    203KB

    MD5

    928a6a05b730bcd02cc351d14659c20a

    SHA1

    0b6d81fcfb914408a1ccd450d121d7d644173467

    SHA256

    93a7c0114615c82d1c24e8067bd89a4d46c00693256a507137597eb34fe7be26

    SHA512

    ac5fb7f12c49db179e3ff3777bce3bdc209d94aac39486a2ea1d0b0b930ef388024ff0cbb708b87f4c2eb50a135d83260be03273423aa55d7d5c1ce5f0e625e5

  • /data/data/utan.android.utanBaby/app_push_lib_v3_120/plugin-deploy.key
    Filesize

    48KB

    MD5

    97f0f4b0f838653fb4f92152a62ef045

    SHA1

    402f1248656264a9f3578c8c529a2cae5f22f63b

    SHA256

    386d2ad18320f24b9b647a20bee68fc833867bd292656f2e79a93f0915590504

    SHA512

    d4d32a359dafd5e9fe26a250306322d71c43de74708159713b3f7cfb04304662b0555e48d7dee6882cd4a7d329508ba83756ba7d23c22134feeac8f51412104b

  • /data/data/utan.android.utanBaby/databases/account_db
    Filesize

    40KB

    MD5

    43e3362f3a6587f4adeb1fb366e368b6

    SHA1

    ea0b876af2d867f8c39414ec01049ba1d354b4bc

    SHA256

    1daf6e16ad9cd75605dc9e9ffbecaadc2b0673e601856ffafae3aeb835c27525

    SHA512

    38f70077b24843cf04412f97c9c1297fa98ffb9aea1e11088c0ede88af66f3e02ebe8d7578f06597956230de7d0f41d5ec273326be0458b99cc7c5d79add6594

  • /data/data/utan.android.utanBaby/databases/account_db-journal
    Filesize

    512B

    MD5

    4f6dd94c62afcec724a7392872ec7a08

    SHA1

    c8f637f2ea9bb6462f15e3e3f1ccd8ecfa1942fe

    SHA256

    181acf41c4f7bf508a770ddcf693e8b2456eea11f5f435ecdee297f4b1d3d3e9

    SHA512

    4ccb11632951498225b35cbe332e669b2435f1b383584010159182706635814beeaa556330e1ce07cec139ebf0588d712fc86164047b62c9e3f9024c3acf7ba4

  • /data/data/utan.android.utanBaby/databases/account_db-shm
    Filesize

    32KB

    MD5

    bb7df04e1b0a2570657527a7e108ae23

    SHA1

    5188431849b4613152fd7bdba6a3ff0a4fd6424b

    SHA256

    c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

    SHA512

    768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

  • /data/data/utan.android.utanBaby/databases/account_db-wal
    Filesize

    52KB

    MD5

    c32f7637617be27939c8c29b05ce88cf

    SHA1

    2afdfffa2c358032a7174b6e57475e07b983424b

    SHA256

    37d3a7dff7f0d5cd8e10f8a25ad67e6c662eb20a65db8d7e242b5e9af16d6ca7

    SHA512

    a305ad39117c189b3068e479f1b691eaf9d320cce17da8c117fd51332acacd2b29fd4ee554f6503be2e31c4b3c0a478b84b887fe559d21352158c207d4767030

  • /data/data/utan.android.utanBaby/files/mobclick_agent_sealed_utan.android.utanBaby
    Filesize

    550B

    MD5

    654a32c297dd1dfca55690aa354f5ec0

    SHA1

    bc1152686230f4b718360bd86a15075ccc10a855

    SHA256

    f1b639af854e932126598bb72e4690e6c93dbf9f7dc36775c2506168f9a24aeb

    SHA512

    8af2703794b6071be71638f79a5c299f8d1c04b2667dd5d3e76423cf92bba341150fef0f290ccdb724ca4d05d40c9d411e3d59d98279aff72a10154b647a928f

  • /data/data/utan.android.utanBaby/files/umeng_it.cache
    Filesize

    211B

    MD5

    acff539d98640084e31b808283a90c60

    SHA1

    5c30efb0fe9af6612ce008465c0c158002bdd55d

    SHA256

    6710328708a55d7b718badc7ebe2899b97817420aac16b9f0775078acfe91ddd

    SHA512

    2ada230d85fa8019715655b31961e38c28fc5283792ce0872b0af47392b24be26ee061a207386dfca333cae926257cd55300f8f081a44c04da6be57434d4d98e

  • /data/user/0/utan.android.utanBaby/app_push_lib_v3_120/plugin-deploy.jar
    Filesize

    509KB

    MD5

    c2a3947c92153fbe9fc4583f6685b8d7

    SHA1

    7a25e331acb63fd836d7c057ab790193fa27ca53

    SHA256

    3e2b54189f95559a122946f7dc9156fd04c2a277868909e05e7a5cde83b0559d

    SHA512

    54af12f3b448cea6a1a9e4e780133bc1ecfb1ff91eb77fe0b784e26539ae7c085c80ec5a3b34bb6a7945719ef541f4f6444b6dd10018dd56671936a323f6b3f6

  • /data/user/0/utan.android.utanBaby/app_push_lib_v3_120/plugin-deploy.jar
    Filesize

    509KB

    MD5

    06668bb6db75530052316ff93d8ed7c6

    SHA1

    55fa23910b5959262d954a081ef8b751573ed96c

    SHA256

    36fa8a0ba5d6f1a52ec833c524ea719e2cfb8260663819492c22e781b24b3b8f

    SHA512

    0604ceace7dc62f86bcae9d1dd9976d8c60b7c17411dd602c388f3848dafb4b7574a54088fb28c4d1d3a257b782f945b0acc626d26218dd02d32ef83cf1d8945

  • /storage/emulated/0/baidu/pushservice/database/storage/emulated/0/baidu/pushservice/database/pushstat_4.1.1.107.db-journal
    Filesize

    512B

    MD5

    76fc02986af710fbf3e728d5a3f4b4db

    SHA1

    becf8c7e2c5171b7c9b514676e13b17c24bc3a8d

    SHA256

    237f9afcef1b896ea0e4054728d0d7002807902a5fc88adfe7bfbf22881e47af

    SHA512

    959768c768582c9e8f9eacace3e560249155f811c94ff4d6a7f27f6292bf4b2134648a00c2d8817b9449940edc27613c7e6e3fd277d402d85d77e50a2e7593ac

  • /storage/emulated/0/baidu/pushservice/database/storage/emulated/0/baidu/pushservice/database/pushstat_4.1.1.107.db-wal
    Filesize

    68KB

    MD5

    5151338c2bcd35083ad917f28f37deba

    SHA1

    a528409fb06860fbf1719f0cfe879a86265ba6e0

    SHA256

    b22b35ed5e1bbe3257b6f478c958f1570e2cbef88df0207665c7e494521ae5dd

    SHA512

    f07cbcaba83fba8e65c4d67e55a40ecf1ee5dcc633de47c1f9fc33809958b29f6d840ab585be368f443cedab46d969b27947bffe59b47e7e8e3a4c44b8d83081
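Three of the entries above describe the same file on disk: on Android, /data/data/<pkg> is a symlink to /data/user/0/<pkg>, so plugin-deploy.jar under app_push_lib_v3_120 was written three times with three different hashes (a 203KB version, then two different 509KB versions), next to a plugin-deploy.key. That rewrite pattern, plus a code artifact landing in app-private storage at all, is what a triage pipeline should surface from a report like this. As an added example, not part of the report, the Python below parses this Downloads layout, normalises the two spellings of the app-private path, and returns the paths rewritten with different content and the code artifacts dropped outside the install location. The excerpt is copied from the entries above (path, size, MD5, SHA256 only); the list of code extensions is an assumption.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Excerpt of the Downloads section above, reduced to path/size/MD5/SHA256.
SAMPLE_DOWNLOADS = """
  • /data/data/utan.android.utanBaby/app_push_lib_v3_120/plugin-deploy.jar
    Filesize
    203KB
    MD5
    928a6a05b730bcd02cc351d14659c20a
    SHA256
    93a7c0114615c82d1c24e8067bd89a4d46c00693256a507137597eb34fe7be26
  • /data/data/utan.android.utanBaby/app_push_lib_v3_120/plugin-deploy.key
    Filesize
    48KB
    MD5
    97f0f4b0f838653fb4f92152a62ef045
    SHA256
    386d2ad18320f24b9b647a20bee68fc833867bd292656f2e79a93f0915590504
  • /data/user/0/utan.android.utanBaby/app_push_lib_v3_120/plugin-deploy.jar
    Filesize
    509KB
    MD5
    c2a3947c92153fbe9fc4583f6685b8d7
    SHA256
    3e2b54189f95559a122946f7dc9156fd04c2a277868909e05e7a5cde83b0559d
  • /data/user/0/utan.android.utanBaby/app_push_lib_v3_120/plugin-deploy.jar
    Filesize
    509KB
    MD5
    06668bb6db75530052316ff93d8ed7c6
    SHA256
    36fa8a0ba5d6f1a52ec833c524ea719e2cfb8260663819492c22e781b24b3b8f
"""

LABELS = {"Filesize", "MD5", "SHA1", "SHA256", "SHA512"}
# Assumed set of extensions that ART or the dynamic linker will load as code.
CODE_EXT = (".jar", ".dex", ".odex", ".vdex", ".so", ".apk")
DATA_DATA = re.compile(r"^/data/data/")


def normalise(path: str) -> str:
    """/data/data/<pkg> and /data/user/0/<pkg> name the same directory."""
    return DATA_DATA.sub("/data/user/0/", path)


def parse_downloads(text: str) -> List[Dict[str, str]]:
    """Parse the report's 'bullet path / label / value' layout into dicts."""
    records: List[Dict[str, str]] = []
    pending = None                      # label whose value is on the next line
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("•"):
            records.append({"path": line[1:].strip()})
            pending = None
        elif line in LABELS:
            pending = line
        elif pending and records:
            records[-1][pending] = line
            pending = None
    return records


def rewritten_paths(records: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Paths written more than once with differing content -> SHA256s in order seen."""
    by_path: Dict[str, List[str]] = defaultdict(list)
    for r in records:
        by_path[normalise(r["path"])].append(r.get("SHA256", ""))
    return {p: hashes for p, hashes in by_path.items() if len(set(hashes)) > 1}


def dropped_code(records: List[Dict[str, str]]) -> List[str]:
    """Code artifacts written anywhere other than the package-manager install dir."""
    return sorted({
        normalise(r["path"]) for r in records
        if r["path"].lower().endswith(CODE_EXT)
        and not r["path"].startswith("/data/app/")
    })


if __name__ == "__main__":
    recs = parse_downloads(SAMPLE_DOWNLOADS)
    for path, hashes in rewritten_paths(recs).items():
        print(f"rewritten {len(hashes)}x: {path}")
        for h in hashes:
            print(f"    {h}")
    print("dropped code:", dropped_code(recs))
```

Every SHA256 that rewritten_paths returns for a loaded jar is a separate artifact to pull from the sandbox and inspect; hunting on only the last hash written would miss the 203KB stage that preceded the two 509KB versions.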