2b937dfac9d5c974a0678540e663d2289e0ad37b3af1bb2e235dcf8d7d1c1f03

Analysis

max time kernel
179s
max time network
186s
platform
android_x64
resource
android-x64-arm64-20240611.1-en
resource tags

androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240611.1-enlocale:en-usos:android-11-x64system
submitted
15-06-2024 07:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ad69d0a4f4da493a5da6445d9a0fe4f4_JaffaCakes118.apk
Size

637KB
MD5

ad69d0a4f4da493a5da6445d9a0fe4f4
SHA1

a89e5c759ceae141cacd443b65c99cd58af8d37e
SHA256

2b937dfac9d5c974a0678540e663d2289e0ad37b3af1bb2e235dcf8d7d1c1f03
SHA512

ceddffc3a8b59df4dd96613e17e487e69def6353793ecfa9044d7b329404f6774707f02ddeee3044fb5e330d07b220a0319405cb305c6d38af6bd914809b3eb4
SSDEEP

12288:064L4oQI8Y0FotaKIUtrbM5D954vqaHoCoxKI2AKYnIRIB0gXa46iSeFxqMHS946:LoL0otaYtXMPWHHMkI2on/B0gXa46izs

Score

8^/10

banker collection discovery evasion stealth trojan

Malware Config

Signatures

Removes its main activity from the application launcher 1 TTPs 1 IoCs
stealth trojan evasion

T1628.001

Processes:

com.qhot.gbca.ojry

pid process

4494 com.qhot.gbca.ojry

pid	process
4494	com.qhot.gbca.ojry

Loads dropped Dex/Jar 1 TTPs 2 IoCs

Runs executable file dropped to the device during analysis.

evasion

T1407

Processes:

com.qhot.gbca.ojrycom.qhot.gbca.ojry:daemon

ioc	pid	process
/data/user/0/com.qhot.gbca.ojry/app_mjf/dz.jar	4494	com.qhot.gbca.ojry
/data/user/0/com.qhot.gbca.ojry/app_mjf/dz.jar	4567	com.qhot.gbca.ojry:daemon

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

T1418.001
Queries account information for other applications stored on the device 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect account information stored on the device.
collection

T1409

Processes:

com.qhot.gbca.ojry

description ioc process

Framework service call android.accounts.IAccountManager.getAccountsAsUser com.qhot.gbca.ojry
Queries information about running processes on the device 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about running processes on the device.
discovery

T1424

Processes:

com.qhot.gbca.ojry

description ioc process

Framework service call android.app.IActivityManager.getRunningAppProcesses com.qhot.gbca.ojry
Domain associated with commercial stalkerware software, includes indicators from echap.eu.org 3 IoCs

Processes:

flow ioc

64 alog.umeng.com
20 alog.umeng.com
49 alog.umeng.com
Queries information about active data network 1 TTPs 1 IoCs
discovery

T1421

Processes:

com.qhot.gbca.ojry

description ioc process

Framework service call android.net.IConnectivityManager.getActiveNetworkInfo com.qhot.gbca.ojry
Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
discovery

T1421

Processes:

com.qhot.gbca.ojry

description ioc process

Framework service call android.net.wifi.IWifiManager.getConnectionInfo com.qhot.gbca.ojry
Reads information about phone network operator. 1 TTPs
discovery

T1422
Checks CPU information 2 TTPs 1 IoCs

T1633.001

T1426

Processes:

com.qhot.gbca.ojry

description ioc process

File opened for read /proc/cpuinfo com.qhot.gbca.ojry

description	ioc	process
Framework service call	android.accounts.IAccountManager.getAccountsAsUser	com.qhot.gbca.ojry

description	ioc	process
Framework service call	android.app.IActivityManager.getRunningAppProcesses	com.qhot.gbca.ojry

flow	ioc
64	alog.umeng.com
20	alog.umeng.com
49	alog.umeng.com

description	ioc	process
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.qhot.gbca.ojry

description	ioc	process
Framework service call	android.net.wifi.IWifiManager.getConnectionInfo	com.qhot.gbca.ojry

description	ioc	process
File opened for read	/proc/cpuinfo	com.qhot.gbca.ojry

com.qhot.gbca.ojry
1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Queries account information for other applications stored on the device
- Queries information about running processes on the device
- Queries information about active data network
- Queries information about the current Wi-Fi connection
- Checks CPU information
PID:4494

com.qhot.gbca.ojry:daemon
1⤵
- Loads dropped Dex/Jar
PID:4567

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/com.qhot.gbca.ojry/app_mjf/ddz.jar
Filesize
105KB

MD5
23ba0b249042b7ba33e92c0199b0ea4a

SHA1
99b13ee9f7307316c2337953fceed87e9942b794

SHA256
1ed0751a141b17c80a921f5e8ba90c66a56b8e73156f5cbe133b57d550ca4ef2

SHA512
0cc88e2b7c2ffa4db274d690e3bf12098ec804b9fcd9e92b57d2fa0c4161031d2e84c91d86ba8e2b6e8b4837852defa099333f76bcd454c67b31632d0cdd4861

Download Submit
/data/user/0/com.qhot.gbca.ojry/app_mjf/dz.jar
Filesize
248KB

MD5
a54a18b58c6720991c021f433dfb2a46

SHA1
d2ffa07919f92b6e04914e39843f08fdb2a75b68

SHA256
3dd88e4418bd4271af728fc6436c873a55e6b6f5c8ed241ee2cb0ee24fe3f7f3

SHA512
e4a51b2462b247b1e5fbd947d06a2eba334f18398daadacbabcb4185f4255f05c22d656a8837a6088ffbdcaedfbdfbd8281c5dad4880c4e5021571e3fefc88cc

Download Submit
/data/user/0/com.qhot.gbca.ojry/app_mjf/tdz.jar
Filesize
105KB

MD5
293ea5f01e27975bed5179ba79d80eac

SHA1
c5b0806a537fd1cb753e11f1a9684933317716b8

SHA256
8d86de68978e859c8262c0d0e932d3a1d57457b57ce88940620befab1bcead5b

SHA512
c7cd2881367fdf95ec4151449b359decdae1adf136388edbaaa9880c7ebd14fb3579e7a15600a856988c55d207f7ba1fd7d938f4d9168aba8a7ff1c3029d6b53

Download Submit
/data/user/0/com.qhot.gbca.ojry/databases/lezzd
Filesize
28KB

MD5
fdb8a92e5060ce104e8f0faca55a47ce

SHA1
270d7ca30673e18cec1d2b9add71cba96dc426fe

SHA256
194b40a3911f23ea75c8f4543a13c1236ae15b02c0228a080615a1012f60e05a

SHA512
ad962634ddd027403b5677a9ca979763071ef4a9b6f0127b0c1fd4b3a8bc51f5c4fa71245c301d0dbbf60e18953a94621715ce3ca4addef82b18030e3d718122

Download Submit
/data/user/0/com.qhot.gbca.ojry/databases/lezzd-journal
Filesize
8KB

MD5
939d3e7370d832cf6221d67f5707762a

SHA1
317469902cdd725a066c88c4362b1bb90c947fd7

SHA256
092cbc40e3ca7cc80dbaaa966b7b28db9a739a645d7aa6ca8984b5d14aee5bde

SHA512
f724f80aeffa3a7bf8e8d1febd97ccf8442e41158af083babdf3076355854b14c696fcbd87e70781021762e4413f53f2cf2f5e29f1938a5604e9aadedef7e1c8

Download Submit
/data/user/0/com.qhot.gbca.ojry/databases/lezzd-journal
Filesize
8KB

MD5
6fa07e0646eeb6eab5746be2c9c81173

SHA1
1e36c9e85b306aa1d82edeb688380ff7395c2e71

SHA256
4ab6216e56b8ffb747999ecd9d3e72cbfd99da590fe755a319948f40e1504de2

SHA512
f254341390812f29c90bc43efb4e2cc90803e81d0837ceb177efcf6a458eaabc49557044c37c3d38ad77fa0b8c71c885e1bb2dc4d2775cd85c901bf8154d427f

Download Submit
/data/user/0/com.qhot.gbca.ojry/databases/lezzd-journal
Filesize
8KB

MD5
3bc0ed4fd0af0cd461937fe254cb3adc

SHA1
60c2ba58f597c993aff89aa48ddcac18f70ff0aa

SHA256
44ca2bbd78ac81121add517be104966bf38e3f4a9bd93eb9a2fde8aedc4f69b4

SHA512
1416655ff9f0b40a87905d3cb02949e6ef592f11cba5ba030df3c3784b89171132c599b5e888db40b15bdd05aa9a8e9d15b2180c1ac90f79335151a76ec935a2

Download Submit
/data/user/0/com.qhot.gbca.ojry/databases/lezzd-journal
Filesize
512B

MD5
a8023e73372a6082e51de544a25b7b5d

SHA1
b6a968956ce5d6315afc782583dfc3915fba1d92

SHA256
9864bd43cf1faa8680baacf313baa1e5980044abadf630db91c75f0e0750faa2

SHA512
3d5a6b01ae77b07184ebc0f3b5ebfa2de88116d9a99c5fcb0ecb14dc9fa301ba3f88c26d08fea2fd0555a803ad9cbd7598180d84f3c11028cc9c29fb5a236143

Download Submit
/data/user/0/com.qhot.gbca.ojry/databases/lezzd-journal
Filesize
8KB

MD5
564cd218b924e875bfdf60d7c33d7d0e

SHA1
4980d01806f2d1dd977ef4cf03cb12398c7040d2

SHA256
8bb7a4c45e43eb794f797b0caf3bd58a7d2cce29fde7fea5610a8cdb284952be

SHA512
6ba2232036159bc9dc80ae2b93476a1e8e645f713aab32319bfdbd13e56f873a95e3157f0f93072a58b87f5bcc1a74a3afb0a8742283045ebb166be383cc5c5e

Download Submit
/data/user/0/com.qhot.gbca.ojry/databases/lezzd-journal
Filesize
4KB

MD5
2b5361ba9130fffca8a3b2960ff35c6f

SHA1
6414b5c15854f843b8fa355a1d108f77c081677a

SHA256
60a8f0042afc5e2f188b1501d6a0ba956304ef3347190bec8cbe34854d3aa34f

SHA512
052d72e922b9eb84ef620966a6a17de08acbb7ee0609a3fccff0b218e30cf27585739ed303981217f43a7f077ef06752d3c9c52dcbc272db7892239e0d8927e4

Download Submit
/data/user/0/com.qhot.gbca.ojry/files/.um/um_cache_1718438178119.env
Filesize
653B

MD5
dfdd2d377ab320ef5905e8dafaab4122

SHA1
b5599b27cf3bc018a48831ae9276e6132d33d4ce

SHA256
1cd0e3d6d4f5e53311824248e391831b3b79ed4dd6a34ccaa4a2b554082c0e43

SHA512
c80c81a97f98dd7c07f1fc6726aa13a513141f6c35db659e3e47256dfbbba277e5c52f42da0d3cd34037f99bf1bdc74f004c865fd823582d9256cb2a0ab939b8

Download Submit
/data/user/0/com.qhot.gbca.ojry/files/.umeng/exchangeIdentity.json
Filesize
162B

MD5
347ebe5a4358682d3cc9b973ec00d443

SHA1
13188f26efd2b32c4962dceca20a76e5304e822d

SHA256
67c3183be1af53fea77984f5f43aa40872f20501c6db0e8e902bff7757d03e0d

SHA512
7936c0c2d2fbc415cf79b3fbb14a87ba696d1fd83e8c154ce3e2beec29e05c70e710d7dc04e5aa9920112556b72d140d48cf362aba2c4119410320b734f503a3

Download Submit
/data/user/0/com.qhot.gbca.ojry/files/mobclick_agent_cached_com.qhot.gbca.ojry1
Filesize
803B

MD5
b29991b474293404ac9c8f7c2b9cea15

SHA1
def93cd6e5dda0f10a9785e66ad2c20d7b442807

SHA256
9a2d2007909b942026b3ec8adae9f67da78c8b5b3ae0be384930b306ef720784

SHA512
f973514a11e963ada8adba80ef882a8bcba256f247df9022b383626a5ab34cf7f4041d891195deec7c19ada759d39f435bdf27e85606fff2e06b2ca1fca3e996

Download Submit
/data/user/0/com.qhot.gbca.ojry/files/umeng_it.cache
Filesize
350B

MD5
8a7e8f366beb330adf6d5254f459f3d0

SHA1
6336ded98c9e10774fe53fb03e85db80c059311d

SHA256
1500dec4ee7ef76b7b4a9d4631ec2469c7e683d01dc1ae98d23857466ac0f6dc

SHA512
44473c61cdb6b6c452f9400043ef003f9d5241042bcd4a89ebb23fc822513d35b559388a918d880cdd148998e31307f17bd704bb5081ae40d42a761807ddacb0

Download Submit