Analysis

  • max time kernel
    179s
  • max time network
    187s
  • platform
    android_x64
  • resource
    android-x64-arm64-20240611.1-en
  • resource tags

    android, arch:arm, arch:arm64, arch:x64, arch:x86, image:android-x64-arm64-20240611.1-en, locale:en-us, os:android-11-x64, system
  • submitted
    15-06-2024 05:46

General

  • Target

    ad0c55cb117c947d6f07fa4c0e20e187_JaffaCakes118.apk

  • Size

    20.1MB

  • MD5

    ad0c55cb117c947d6f07fa4c0e20e187

  • SHA1

    e2d467a97d11e55d0893e835333d36f9772a08dd

  • SHA256

    caff1ef7db1aace2c053e041b94ffe1cf9d2c8635442eade4c6fd8e40ffc3fa6

  • SHA512

    3e93fcb710c93573327e2e3419d3d36a040a349858a540025f5d5211277e2f4c4b1760a2958bafb883195bac953ca5e448219748edb9aee1ade30bc297738af8

  • SSDEEP

    393216:SOwJtVd3Fuw94Ifqsz8MJduBjtriNF4cnAPoTCyH:SpTVdVAkjmjiNF4cnDTCyH

Signatures

  • Loads dropped Dex/Jar 1 TTPs 59 IoCs

    Runs executable file dropped to the device during analysis.

  • Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

    Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

  • Domain associated with commercial stalkerware software, includes indicators from echap.eu.org 1 IoCs
  • Queries information about active data network 1 TTPs 59 IoCs
  • Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

  • Reads information about phone network operator 1 TTPs
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 59 IoCs
  • Checks CPU information 2 TTPs 1 IoCs
  • Checks memory information 2 TTPs 1 IoCs
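
A static cross-check for the signatures above, added here as an example that is not part of the sandbox report: given a baksmali or dexdump disassembly of classes.dex (or of the dropped plugin-deploy.jar), it maps framework method references back to the behaviour each signature describes, so a reviewer can confirm which component actually carries the clipboard read or the DexClassLoader call. The signature-to-API table is my own assumption about what such rules look for, not the sandbox's rule logic, and the smali lines in the block are constructed for illustration, not taken from this sample.

```python
"""Map Android API references in a disassembled APK to the sandbox signatures.
Added example, not part of the report.  Input is smali-style 'invoke-*' lines
as produced by baksmali; the sample below is hand-written, not from the APK."""
import re
from collections import defaultdict

# Assumed mapping from report signature to the framework calls that typically
# trigger it.  These are the calls to grep for to confirm each behaviour.
SIGNATURE_APIS = {
    "Loads dropped Dex/Jar": [
        "Ldalvik/system/DexClassLoader;-><init>",
        "Ldalvik/system/PathClassLoader;-><init>",
        "Ldalvik/system/InMemoryDexClassLoader;-><init>",
    ],
    "Obtains sensitive information copied to the device clipboard": [
        "Landroid/content/ClipboardManager;->getPrimaryClip",
        "Landroid/content/ClipboardManager;->getText",
    ],
    "Queries information about active data network": [
        "Landroid/net/ConnectivityManager;->getActiveNetworkInfo",
    ],
    "Queries information about the current Wi-Fi connection": [
        "Landroid/net/wifi/WifiManager;->getConnectionInfo",
    ],
    "Reads information about phone network operator": [
        "Landroid/telephony/TelephonyManager;->getNetworkOperator",
        "Landroid/telephony/TelephonyManager;->getSimOperator",
    ],
    "Uses Crypto APIs (Might try to encrypt user data)": [
        "Ljavax/crypto/Cipher;->getInstance",
        "Ljavax/crypto/Cipher;->doFinal",
    ],
}

# smali invoke line: capture "Lpkg/Class;->method" (descriptor dropped).
INVOKE_RE = re.compile(
    r"invoke-\w+(?:/range)?\s+\{[^}]*\},\s*(L[^;]+;->[A-Za-z0-9_$<>]+)"
)


def find_behaviours(smali_lines):
    """Return {signature: sorted list of 'Class;->method' hits} for the lines."""
    hits = defaultdict(set)
    for line in smali_lines:
        m = INVOKE_RE.search(line)
        if not m:
            continue
        ref = m.group(1)
        for sig, apis in SIGNATURE_APIS.items():
            if any(ref.startswith(api) for api in apis):
                hits[sig].add(ref)
    return {sig: sorted(refs) for sig, refs in hits.items()}


# Constructed sample: a plugin loader plus a clipboard reader, as they look
# once disassembled.  Not taken from the sample under analysis.
SAMPLE_SMALI = """
    new-instance v0, Ldalvik/system/DexClassLoader;
    invoke-direct {v0, v1, v2, v3, v4}, Ldalvik/system/DexClassLoader;-><init>(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Ljava/lang/ClassLoader;)V
    invoke-virtual {p0}, Landroid/content/ClipboardManager;->getPrimaryClip()Landroid/content/ClipData;
    invoke-virtual {v5}, Landroid/net/ConnectivityManager;->getActiveNetworkInfo()Landroid/net/NetworkInfo;
    invoke-static {v6}, Ljavax/crypto/Cipher;->getInstance(Ljava/lang/String;)Ljavax/crypto/Cipher;
    invoke-virtual {v7}, Ljava/lang/String;->length()I
""".strip().splitlines()

if __name__ == "__main__":
    for sig, refs in find_behaviours(SAMPLE_SMALI).items():
        print(f"{sig}:")
        for ref in refs:
            print(f"    {ref}")
```

Run it over the concatenated `.smali` output of `baksmali d classes.dex` (and again over the dropped plugin-deploy.jar, which is where a push-SDK plugin loader usually keeps the interesting code); a signature that fires in the sandbox but has no hit in the base APK is a strong hint that the behaviour lives in the dynamically loaded code.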

Processes

  • utan.android.utanBaby
    1⤵
    • Loads dropped Dex/Jar
    • Obtains sensitive information copied to the device clipboard
    • Queries information about active data network
    • Queries information about the current Wi-Fi connection
    • Uses Crypto APIs (Might try to encrypt user data)
    • Checks CPU information
    • Checks memory information
    PID:4577
  • utan.android.utanBaby:bdservice_v1
    1⤵
    • Loads dropped Dex/Jar
    • Queries information about active data network
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4630
  • utan.android.utanBaby:bdservice_v1
    1⤵
    • Loads dropped Dex/Jar
    • Queries information about active data network
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4769
  • utan.android.utanBaby:bdservice_v1
    1⤵
    • Loads dropped Dex/Jar
    • Queries information about active data network
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4811
  • utan.android.utanBaby:bdservice_v1
    1⤵
    • Loads dropped Dex/Jar
    • Queries information about active data network
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4908
  • utan.android.utanBaby:bdservice_v1
    1⤵
    • Loads dropped Dex/Jar
    • Queries information about active data network
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4976
  • utan.android.utanBaby:bdservice_v1
    1⤵
    • Loads dropped Dex/Jar
    • Queries information about active data network
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:5017
  • utan.android.utanBaby:bdservice_v1
    1⤵
    • Loads dropped Dex/Jar
    • Queries information about active data network
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:5060
  • utan.android.utanBaby:bdservice_v1
    1⤵
    • Loads dropped Dex/Jar
    • Queries information about active data network
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:5103
  • utan.android.utanBaby:bdservice_v1
    1⤵
    • Loads dropped Dex/Jar
    • Queries information about active data network
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:5143
  • utan.android.utanBaby:bdservice_v1
    1⤵
    • Loads dropped Dex/Jar
    • Queries information about active data network
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:5183
  • utan.android.utanBaby:bdservice_v1
    1⤵
    • Loads dropped Dex/Jar
    • Queries information about active data network
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:5230
  • utan.android.utanBaby:bdservice_v1
    1⤵
    • Loads dropped Dex/Jar
    • Queries information about active data network
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:5272
  • utan.android.utanBaby:bdservice_v1
    1⤵
    • Loads dropped Dex/Jar
    • Queries information about active data network
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:5315
  • utan.android.utanBaby:bdservice_v1
    1⤵
    • Loads dropped Dex/Jar
    • Queries information about active data network
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:5508
  • utan.android.utanBaby:bdservice_v1
    1⤵
    • Loads dropped Dex/Jar
    • Queries information about active data network
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:5551
  • utan.android.utanBaby:bdservice_v1
    1⤵
    • Loads dropped Dex/Jar
    • Queries information about active data network
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:5591
  • utan.android.utanBaby:bdservice_v1
    1⤵
    • Loads dropped Dex/Jar
    • Queries information about active data network
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:5684
  • utan.android.utanBaby:bdservice_v1
    1⤵
    • Loads dropped Dex/Jar
    • Queries information about active data network
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:5730
  • utan.android.utanBaby:bdservice_v1
    1⤵
    • Loads dropped Dex/Jar
    • Queries information about active data network
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:5770
  • utan.android.utanBaby:bdservice_v1
    1⤵
    • Loads dropped Dex/Jar
    • Queries information about active data network
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:5810
  • utan.android.utanBaby:bdservice_v1
    1⤵
    • Loads dropped Dex/Jar
    • Queries information about active data network
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:5852
  • utan.android.utanBaby:bdservice_v1
    1⤵
    • Loads dropped Dex/Jar
    • Queries information about active data network
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:5897
  • utan.android.utanBaby:bdservice_v1
    1⤵
    • Loads dropped Dex/Jar
    • Queries information about active data network
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:5938
  • utan.android.utanBaby:bdservice_v1
    1⤵
    • Loads dropped Dex/Jar
    • Queries information about active data network
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:5978
  • utan.android.utanBaby:bdservice_v1
    1⤵
    • Loads dropped Dex/Jar
    • Queries information about active data network
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:6023
  • utan.android.utanBaby:bdservice_v1
    1⤵
    • Loads dropped Dex/Jar
    • Queries information about active data network
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:6063
  • utan.android.utanBaby:bdservice_v1
    1⤵
    • Loads dropped Dex/Jar
    • Queries information about active data network
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:6110
  • utan.android.utanBaby:bdservice_v1
    1⤵
    • Loads dropped Dex/Jar
    • Queries information about active data network
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:6156
  • utan.android.utanBaby:bdservice_v1
    1⤵
    • Loads dropped Dex/Jar
    • Queries information about active data network
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:6223
  • utan.android.utanBaby:bdservice_v1
    1⤵
    • Loads dropped Dex/Jar
    • Queries information about active data network
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:6263
  • utan.android.utanBaby:bdservice_v1
    1⤵
    • Loads dropped Dex/Jar
    • Queries information about active data network
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:6303
  • utan.android.utanBaby:bdservice_v1
    1⤵
    • Loads dropped Dex/Jar
    • Queries information about active data network
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:6349
  • utan.android.utanBaby:bdservice_v1
    1⤵
    • Loads dropped Dex/Jar
    • Queries information about active data network
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:6399
  • utan.android.utanBaby:bdservice_v1
    1⤵
    • Loads dropped Dex/Jar
    • Queries information about active data network
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:6440
  • utan.android.utanBaby:bdservice_v1
    1⤵
    • Loads dropped Dex/Jar
    • Queries information about active data network
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:6487
  • utan.android.utanBaby:bdservice_v1
    1⤵
    • Loads dropped Dex/Jar
    • Queries information about active data network
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:6527
  • utan.android.utanBaby:bdservice_v1
    1⤵
    • Loads dropped Dex/Jar
    • Queries information about active data network
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:6568
  • utan.android.utanBaby:bdservice_v1
    1⤵
    • Loads dropped Dex/Jar
    • Queries information about active data network
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:6608
  • utan.android.utanBaby:bdservice_v1
    1⤵
    • Loads dropped Dex/Jar
    • Queries information about active data network
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:6667
  • utan.android.utanBaby:bdservice_v1
    1⤵
    • Loads dropped Dex/Jar
    • Queries information about active data network
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:6707
  • utan.android.utanBaby:bdservice_v1
    1⤵
    • Loads dropped Dex/Jar
    • Queries information about active data network
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:6797
  • utan.android.utanBaby:bdservice_v1
    1⤵
    • Loads dropped Dex/Jar
    • Queries information about active data network
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:6841
  • utan.android.utanBaby:bdservice_v1
    1⤵
    • Loads dropped Dex/Jar
    • Queries information about active data network
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:6881
  • utan.android.utanBaby:bdservice_v1
    1⤵
    • Loads dropped Dex/Jar
    • Queries information about active data network
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:6926
  • utan.android.utanBaby:bdservice_v1
    1⤵
    • Loads dropped Dex/Jar
    • Queries information about active data network
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:6969
  • utan.android.utanBaby:bdservice_v1
    1⤵
    • Loads dropped Dex/Jar
    • Queries information about active data network
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:7009
  • utan.android.utanBaby:bdservice_v1
    1⤵
    • Loads dropped Dex/Jar
    • Queries information about active data network
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:7052
  • utan.android.utanBaby:bdservice_v1
    1⤵
    • Loads dropped Dex/Jar
    • Queries information about active data network
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:7092
  • utan.android.utanBaby:bdservice_v1
    1⤵
    • Loads dropped Dex/Jar
    • Queries information about active data network
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:7134
  • utan.android.utanBaby:bdservice_v1
    1⤵
    • Loads dropped Dex/Jar
    • Queries information about active data network
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:7175
  • utan.android.utanBaby:bdservice_v1
    1⤵
    • Loads dropped Dex/Jar
    • Queries information about active data network
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:7223
  • utan.android.utanBaby:bdservice_v1
    1⤵
    • Loads dropped Dex/Jar
    • Queries information about active data network
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:7263
  • utan.android.utanBaby:bdservice_v1
    1⤵
    • Loads dropped Dex/Jar
    • Queries information about active data network
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:7304
  • utan.android.utanBaby:bdservice_v1
    1⤵
    • Loads dropped Dex/Jar
    • Queries information about active data network
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:7371
  • utan.android.utanBaby:bdservice_v1
    1⤵
    • Loads dropped Dex/Jar
    • Queries information about active data network
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:7412
  • utan.android.utanBaby:bdservice_v1
    1⤵
    • Loads dropped Dex/Jar
    • Queries information about active data network
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:7452
  • utan.android.utanBaby:bdservice_v1
    1⤵
    • Loads dropped Dex/Jar
    • Queries information about active data network
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:7498
  • utan.android.utanBaby:bdservice_v1
    1⤵
    • Loads dropped Dex/Jar
    • Queries information about active data network
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:7539

Downloads

  • /data/user/0/utan.android.utanBaby/app_push_lib_v3_120/oat/plugin-deploy.jar.cur.prof
    Filesize

    264B

    MD5

    a620e04e9b1a47c1df29e0ba150304e1

    SHA1

    35c61e590060048fecdc0013f641d5077d81ee39

    SHA256

    795b7befe87aa62f86d2764818adbcd9ffa6e21f5cc31129166c48e2cfe9aa9c

    SHA512

    3dc1824caf18eec58502e87153368cf90d8f913ecdb6378aac28f6379c07b58224a23f8e1b5d0ed7ac7a64912796598a734e6c0b8f9f08d0b9824cc3c50d55b4

  • /data/user/0/utan.android.utanBaby/app_push_lib_v3_120/plugin-deploy.jar
    Filesize

    203KB

    MD5

    f316e25c4f6d06eb6e68b8ae578d83d0

    SHA1

    88df0270959376eeeec74e60ba8ca78fdaf26afb

    SHA256

    ea42e318c45dfcc5889dc96a3061a3f47aa897ba04f09eecf09e0966927334fb

    SHA512

    f71080ac5ef8cb495bbe81badfd4dfba9c7e62e4e32dfc1141dabd055c908da3f3d4f6e0c81c9087287d29b3e560f96c11e64d860895d458f2c56f8b58750274

  • /data/user/0/utan.android.utanBaby/app_push_lib_v3_120/plugin-deploy.jar
    Filesize

    509KB

    MD5

    06668bb6db75530052316ff93d8ed7c6

    SHA1

    55fa23910b5959262d954a081ef8b751573ed96c

    SHA256

    36fa8a0ba5d6f1a52ec833c524ea719e2cfb8260663819492c22e781b24b3b8f

    SHA512

    0604ceace7dc62f86bcae9d1dd9976d8c60b7c17411dd602c388f3848dafb4b7574a54088fb28c4d1d3a257b782f945b0acc626d26218dd02d32ef83cf1d8945

  • /data/user/0/utan.android.utanBaby/app_push_lib_v3_120/plugin-deploy.key
    Filesize

    16KB

    MD5

    39f1c24d42679fb6e39a44da5eaa6cc7

    SHA1

    7f99e25b24b4e127f432548c1c41d063ea88d622

    SHA256

    51f49005dbe9114f10fee4509eb87e04085eb972512b40d9d67958b2283400e3

    SHA512

    86f251aabb8c872c9f229c735fd8aa7d490a12abf8d8d8d33999bf26da96428329dcd491186843296a60bd10f1f8bf6fb0d6be3737180ccf8b736e309d1f976f

  • /data/user/0/utan.android.utanBaby/databases/account_db
    Filesize

    40KB

    MD5

    8ffab31c1ab5dbf28ae245a051a893a8

    SHA1

    18aa031c9bed0aecd0edbd8bedb7e342dc802785

    SHA256

    70270593fcf64bc01bb0313bb884ddca8896e5615c9e157e34922e4b15a276d6

    SHA512

    158dfd0a4cabfe0350947c484992d41a05d6ae204d5eba4df8554c42a3139c7990eff7433e16957a5798da6e292850848a3f86b881bd3f41a7d185a89b0951b1

  • /data/user/0/utan.android.utanBaby/databases/account_db-journal
    Filesize

    512B

    MD5

    3da2c82a0f6d1f133f3ad4a177b15ea1

    SHA1

    0202ee92fa0c534050b5ce7d92de499e1c368b58

    SHA256

    966dbf29bccebfc2b743efa4e09dca76dddc15dc7bff48d88ab3491e6ca197ec

    SHA512

    701ce6622a5fbcf70486c79809d941f2574206ed66a8b46f455ee543940b9988e19702dd8f876e0c7e8728203cf842486983d6ddb498311e5f68a1a4c6cba9a7

  • /data/user/0/utan.android.utanBaby/databases/account_db-journal
    Filesize

    8KB

    MD5

    e619bc4448b7728cba745c552d8b2cb0

    SHA1

    a9344095ae0295e899e121752680a025d88847ae

    SHA256

    9b9b4c54b15ba6ecd7ac4fc05f77ccf190ec0b0717572d2a5b0a0d1ce866f3b9

    SHA512

    0a11d867af15674867f1ac05bef64eab5d4b16ff9211e8a56d59e288f4873bef2f66ce499bdd092923ee91ca38b95dbc9456ac9d709b29d27e052f2b38205567

  • /data/user/0/utan.android.utanBaby/databases/account_db-journal
    Filesize

    8KB

    MD5

    21aadb80cb0e8e0c00e7cc9eceba7e90

    SHA1

    badcd435ca2d544c568a8a731db4d9586428cdcf

    SHA256

    3a1f5eb9339b97cfdeaf86c6f2c5be3fbfbd3b7219e93d2e2531bec934f302a8

    SHA512

    08e1994d94d63e667b3a64cb82b4b330432c866d9a66e6983d1c8661410b1ba5472b9b12153861710cb2efa967b6de446be3e75b42fc0c226e791a7a7e67ba86

  • /data/user/0/utan.android.utanBaby/files/mobclick_agent_sealed_utan.android.utanBaby
    Filesize

    516B

    MD5

    1642029f6af421b3203bf423fa0aa95b

    SHA1

    97e067a0d13a029887f421364ae58aa51b3a7814

    SHA256

    85cf9db0c87cec9e69d216c75eb8ef15060fb77bef08798dee3510522dc67d4d

    SHA512

    b062a8e3aca441e282701f6026dff582d771ee24bf406524b9e936c8d9c0b4f98ad4c8b1c85586fdf82f0b27aa751956c848b6a270d0db9bfe22f6c886565b00

  • /data/user/0/utan.android.utanBaby/files/umeng_it.cache
    Filesize

    148B

    MD5

    1c030eac19a53f4c52f02f20bfac9b0a

    SHA1

    72ab6dbd103a48cd60b290b3ee2ea75a5f0a4cf6

    SHA256

    c85a410b73e2b7fecf8dee9f30f592ebfce08859eb378aafecca49db4e3ea724

    SHA512

    f73128542a27bb1ce1c322076e390604d96850d013c58ac624a7d87972145093d42ff1d16bb2db6387e167874db7d0dc08badb7025c7bece98cbecdc7c51cabe

  • /storage/emulated/0/baidu/pushservice/database/storage/emulated/0/baidu/pushservice/database/pushstat_4.1.1.107.db-journal
    Filesize

    8KB

    MD5

    74913cae3e46245ae5350b5d7b257f70

    SHA1

    4d0f2817d2d7f626fb40c199f2cec190bd0081d3

    SHA256

    1754f4fa33473282a186c0794935f94092c73204aa6a914ab86819b6b4add2b1

    SHA512

    6de6c8a16eeb16531b9075691892dc813696a052ae56c2e3fb6867846f0e366d4f3fe9d09ae1a15236ec7ec27321e40d47915eea8610d38c96b1c423199388a9

  • /storage/emulated/0/baidu/pushservice/database/storage/emulated/0/baidu/pushservice/database/pushstat_4.1.1.107.db-journal
    Filesize

    8KB

    MD5

    19b4fd5e252f07d2a651ba51263e6916

    SHA1

    7e48acf1a099cfe490542561850c4ffdeb2fe3f4

    SHA256

    80b6453f4925eb51289de7698f87666bc9cf456e0dd0f45469be083361af06da

    SHA512

    a03a1c3b5847037537dedde2208099c1cdddbd39865588f92df376a982db099b3e8e104b3ab6913ed4bd50afdb5b0945efa524476aa88e018772b81909feb0ec
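
A triage pass over the Downloads list, added here as an example that is not part of the report: it regroups the records so the points a reviewer acts on are explicit, namely which written files are executable code (the targets behind 'Loads dropped Dex/Jar'), which paths were overwritten with different content during the run (plugin-deploy.jar is recorded twice, at 203KB and 509KB with different hashes, so the plugin was replaced while the sample ran), and which files land on shared external storage. Paths, sizes and SHA256 values are copied from the list above; the classification rules are my own.

```python
"""Triage the files written during a sandbox run.  Added example, not part of
the report; the records are copied from the Downloads list above."""
import re
from collections import defaultdict

CODE_EXTENSIONS = (".jar", ".dex", ".apk", ".so", ".zip")
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
APP_PUSH = "/data/user/0/utan.android.utanBaby/app_push_lib_v3_120/"
APP_DB = "/data/user/0/utan.android.utanBaby/databases/"
EXT = ("/storage/emulated/0/baidu/pushservice/database/storage/emulated/0/"
       "baidu/pushservice/database/pushstat_4.1.1.107.db-journal")

# (path, size as reported, sha256), copied from the report.
DROPPED = [
    (APP_PUSH + "oat/plugin-deploy.jar.cur.prof", "264B",
     "795b7befe87aa62f86d2764818adbcd9ffa6e21f5cc31129166c48e2cfe9aa9c"),
    (APP_PUSH + "plugin-deploy.jar", "203KB",
     "ea42e318c45dfcc5889dc96a3061a3f47aa897ba04f09eecf09e0966927334fb"),
    (APP_PUSH + "plugin-deploy.jar", "509KB",
     "36fa8a0ba5d6f1a52ec833c524ea719e2cfb8260663819492c22e781b24b3b8f"),
    (APP_PUSH + "plugin-deploy.key", "16KB",
     "51f49005dbe9114f10fee4509eb87e04085eb972512b40d9d67958b2283400e3"),
    (APP_DB + "account_db", "40KB",
     "70270593fcf64bc01bb0313bb884ddca8896e5615c9e157e34922e4b15a276d6"),
    (APP_DB + "account_db-journal", "512B",
     "966dbf29bccebfc2b743efa4e09dca76dddc15dc7bff48d88ab3491e6ca197ec"),
    (APP_DB + "account_db-journal", "8KB",
     "9b9b4c54b15ba6ecd7ac4fc05f77ccf190ec0b0717572d2a5b0a0d1ce866f3b9"),
    (APP_DB + "account_db-journal", "8KB",
     "3a1f5eb9339b97cfdeaf86c6f2c5be3fbfbd3b7219e93d2e2531bec934f302a8"),
    (EXT, "8KB",
     "1754f4fa33473282a186c0794935f94092c73204aa6a914ab86819b6b4add2b1"),
    (EXT, "8KB",
     "80b6453f4925eb51289de7698f87666bc9cf456e0dd0f45469be083361af06da"),
]


def triage(records):
    """Group the records into the findings a reviewer looks at first."""
    by_path = defaultdict(list)
    for path, size, sha256 in records:
        if not SHA256_RE.match(sha256):
            raise ValueError(f"malformed SHA256 for {path}: {sha256}")
        by_path[path].append((size, sha256))

    return {
        # Executable code in the app's private dir: what 'Loads dropped
        # Dex/Jar' fired on.  Pull these from the sandbox for analysis.
        "dropped_code": sorted(p for p in by_path if p.endswith(CODE_EXTENSIONS)),
        # Same path, more than one content hash: rewritten during the run
        # (a plugin fetched and then updated, or a DB journal rolling over).
        "rewritten": {p: [h for _, h in v] for p, v in by_path.items()
                      if len({h for _, h in v}) > 1},
        # Shared external storage: readable by other apps that still have
        # legacy storage access, unlike /data/user/0/<pkg>/.
        "external_storage": sorted(p for p in by_path if p.startswith("/storage/emulated/")),
        # ART profiles are not payloads; they show the jar was executed.
        "art_profiles": sorted(p for p in by_path if p.endswith(".prof")),
    }


def code_hashes(records):
    """SHA256 of every dropped code file, for pivoting in a malware repository."""
    return sorted({h for p, _, h in records if p.endswith(CODE_EXTENSIONS)})


if __name__ == "__main__":
    for key, value in triage(DROPPED).items():
        print(f"{key}: {value}")
    print("pivot hashes:", code_hashes(DROPPED))
```

The two plugin-deploy.jar hashes are the ones worth pivoting on: the jar is not in the original APK, so its provenance (the download that produced it, and whether plugin-deploy.key is a verification key or merely a name) is the next question, and the `.cur.prof` entry under `oat/` confirms ART actually ran code from it.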