c862d5bdd4491f7b38a920f42af87d6f80398cf29d3484d81ee63dd455046fb6

Analysis

max time kernel
49s
max time network
131s
platform
android_x86
resource
android-x86-arm-20240611.1-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20240611.1-enlocale:en-usos:android-9-x86system
submitted
15/06/2024, 18:20 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

afc10a970ec6340ddfd1b70330433f82_JaffaCakes118.apk
Size

2.9MB
MD5

afc10a970ec6340ddfd1b70330433f82
SHA1

6ac73d8fa403a832dbf162ca1cd5986355a31d77
SHA256

c862d5bdd4491f7b38a920f42af87d6f80398cf29d3484d81ee63dd455046fb6
SHA512

cec72a27e9e6e14bfa4432068ef033ac3a89d4a643fe8ddf8d27fc056826ca459e1644cfafeaef2335b2ab8032fd44e7f7e3d4d75ada8d8e9b4f6cc22feab8c1
SSDEEP

49152:0AoiGnyJ0v6HpFVAqnq42tW019qcJzm8gzxsjTq1uP4zVA40bDpoWlrLwz6QiAJP:ho9Zv2FVAqq42o01tJ68gzxkWC4640bm

Score

7^/10

collection discovery evasion impact

Malware Config

Signatures

Loads dropped Dex/Jar 1 TTPs 2 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.example.wzv/files/com.djob.qxgtg.jar	4299	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.example.wzv/files/com.djob.qxgtg.jar --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/com.example.wzv/files/oat/x86/com.djob.qxgtg.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/com.example.wzv/files/com.djob.qxgtg.jar	4241	com.example.wzv

Requests cell location 2 TTPs 1 IoCs

Uses Android APIs to to get current cell location.

collection discovery evasion

Location Tracking

T1430

Geofencing

T1627.001

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getCellLocation	com.example.wzv

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org 1 IoCs

flow	ioc
7	alog.umeng.com

Queries information about active data network 1 TTPs 1 IoCs

discovery

System Network Connections Discovery

T1421

description	ioc	Process
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.example.wzv

Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs

Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

discovery

System Network Connections Discovery

T1421

description	ioc	Process
Framework service call	android.net.wifi.IWifiManager.getConnectionInfo	com.example.wzv

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.example.wzv

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	com.example.wzv

com.example.wzv
1⤵
- Loads dropped Dex/Jar
- Requests cell location
- Queries information about active data network
- Queries information about the current Wi-Fi connection
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
PID:4241
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.example.wzv/files/com.djob.qxgtg.jar --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/com.example.wzv/files/oat/x86/com.djob.qxgtg.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4299

Network

DNS

vi.pi.vpvtv.cn

Remote address:

1.1.1.1:53

Request

vi.pi.vpvtv.cn

IN A

Response
DNS

s.unfoot.com

Remote address:

1.1.1.1:53

Request

s.unfoot.com

IN A

Response
DNS

alog.umeng.com

Remote address:

1.1.1.1:53

Request

alog.umeng.com

IN A

Response

alog.umeng.com

IN CNAME

alog.umeng.com.gds.alibabadns.com

alog.umeng.com.gds.alibabadns.com

IN CNAME

alog-default.umeng.com

alog-default.umeng.com

IN A

223.109.148.141

alog-default.umeng.com

IN A

223.109.148.179

alog-default.umeng.com

IN A

223.109.148.178

alog-default.umeng.com

IN A

223.109.148.177

alog-default.umeng.com

IN A

223.109.148.176

alog-default.umeng.com

IN A

223.109.148.130
DNS

android.apis.google.com

Remote address:

1.1.1.1:53

Request

android.apis.google.com

IN A

Response

android.apis.google.com

IN CNAME

clients.l.google.com

clients.l.google.com

IN A

172.217.16.238
POST

http://alog.umeng.com/app_logs

Remote address:

223.109.148.176:80

Request

POST /app_logs HTTP/1.1
X-Umeng-UTC: 1718475666396
X-Umeng-Sdk: Android/5.5.3 %E7%9B%AE%E6%A0%87%E5%85%A8%E8%AE%A1%E5%88%92%2F1.1+Pixel+2%2F9+DF6F6E81CE9F99935BB8B772C0361CDD
Msg-Type: envelope
Content-Length: 590
Host: alog.umeng.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Server: Tengine
Date: Sat, 15 Jun 2024 18:21:52 GMT
Content-Type: application/thrift
Content-Length: 1140
Connection: close

172.217.169.74:443

52 B
40 B
1
1
223.109.148.141:80

alog.umeng.com

240 B
4
223.109.148.179:80

alog.umeng.com

240 B
4
142.250.187.238:443

tls, https

858 B
40 B
1
1
172.217.16.238:443

android.apis.google.com

tls

4.7kB
8.9kB
14
23
223.109.148.178:80

alog.umeng.com

240 B
4
172.217.169.74:443

tls, https

1.2kB
40 B
1
1
172.217.169.74:443

tls, https

4.0kB
40 B
2
1
223.109.148.177:80

alog.umeng.com

240 B
4
223.109.148.176:80

http://alog.umeng.com/app_logs

http

1.3kB
1.5kB
9
6

HTTP Request

POST http://alog.umeng.com/app_logs

HTTP Response

200

224.0.0.251:5353

3.7kB
11
1.1.1.1:53

vi.pi.vpvtv.cn

dns

60 B
116 B
1
1

DNS Request

vi.pi.vpvtv.cn
1.1.1.1:53

s.unfoot.com

dns

58 B
126 B
1
1

DNS Request

s.unfoot.com
1.1.1.1:53

alog.umeng.com

dns

60 B
227 B
1
1

DNS Request

alog.umeng.com

DNS Response

223.109.148.141

223.109.148.179

223.109.148.178

223.109.148.177

223.109.148.176

223.109.148.130
1.1.1.1:53

android.apis.google.com

dns

69 B
109 B
1
1

DNS Request

android.apis.google.com

DNS Response

172.217.16.238

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Execution Guardrails

T1627

Geofencing

T1627.001

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Discovery

Location Tracking

T1430

System Information Discovery

T1426

System Network Connections Discovery

T1421

Lateral Movement

Collection

Location Tracking

T1430

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.example.wzv/files/.imprint

Filesize
895B

MD5
4b1bfd91063427589757d3463c7db0d3

SHA1
ae124a335e13458cd73a565a42df59eb55e5db82

SHA256
8d0874d676d62a082726d90961face11c555acd89e34c96163fca2237762e128

SHA512
d7e28c1154e353a20502afe5632fc6b8b4c638b84afca7d499e0e4f97a34b22277be87a56cbf4a903b2514725c4a3e4b45cb4ca1c571518688db8163ee71c692

Download Submit
/data/data/com.example.wzv/files/com.djob.qxgtg.jar

Filesize
214KB

MD5
5dee8b5bcbb6ebc65895fc0c7165f70b

SHA1
b14d2fe53d4ea9215ae31b78e31b1675674cb2ab

SHA256
97f0bb9fc1078231499d6dd718486485be6a5e1172cc655fe355de085155c2d3

SHA512
c0a1c696ba7522d38e44306a3a462c186d13ee7f8946261b41a8fec7be603f899c870d32b87a1b8ac0754af33fea413ba22fa2ad145480173072374b056e5cbf

Download Submit
/data/data/com.example.wzv/files/umeng_it.cache

Filesize
310B

MD5
987b28586e6fbd9615ba61945a2ce9ca

SHA1
39908087c76d620a67a0a3e1546e74ab59e40a64

SHA256
c07b788cf06e338e07adca5b90c01506cf75ca68e658cf0acd3a808b1967a9e1

SHA512
1b991ce655c990b78363a9bdc044066d87692869b07d9c6339766c306170db23d0fa8dd009ba8c1c136d0b3ed86caf53f39301417dce588c8cabd4960ca1ff69

Download Submit
/data/data/com.example.wzv/files/umeng_it.cache

Filesize
158B

MD5
4de4c39bba9b19ed45c7385fa1ee8403

SHA1
49e099159dd94d4b8018596258fcc6a917ea06c5

SHA256
11a075601231234123fe422040372c267449a72d6351e826658fe68e8758334a

SHA512
3d5afdd82df033a9f3e9cfe119049752569c25845f3c2a12c126134345f6656827c204bacce431bae18bc89c52af34a5cce39dcefb77d493e87074c59818023d

Download Submit
/data/user/0/com.example.wzv/files/com.djob.qxgtg.jar

Filesize
416KB

MD5
f71ffb817352822f0d3b16099bd2d0b1

SHA1
a61e493c8af3dd0cda67b3a00adb802c0fee6aa8

SHA256
75a8cb0fc53bfd041b44643c989757066416d497bfbafdd15b4da07f67f1e5ac

SHA512
dcfcc5624c632b7f06ef87b3e044c5174fbc623e541c24d73baf872da96653be0b6742e2cf1891ba4242908a752f4a331d14ab5338ec4317a46f66b941328373

Download Submit
/data/user/0/com.example.wzv/files/com.djob.qxgtg.jar

Filesize
416KB

MD5
459742ab80299e574d063ff524ea1256

SHA1
992dc89f4c1119d998632adbe32abf2f7bf85f29

SHA256
3b84b1f26360b2f223fbd71928b56c464ca1bffd8309d3ca4d89e0edd462a868

SHA512
3fc91ad0d2414c0f1e9ed6df8027731cd10344fa762ec29d2f1d8f12ad4c2e6a12b4e983aa2527071b30bf23b1a2c28a59721264f666bfe1481f13c1e496249b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.