Analysis

  • max time kernel
    49s
  • max time network
    131s
  • platform
    android_x86
  • resource
    android-x86-arm-20240611.1-en
  • resource tags
    android, arch:arm, arch:x86, image:android-x86-arm-20240611.1-en, locale:en-us, os:android-9-x86, system
  • submitted
    15/06/2024, 18:20 UTC

General

  • Target

    afc10a970ec6340ddfd1b70330433f82_JaffaCakes118.apk

  • Size

    2.9MB

  • MD5

    afc10a970ec6340ddfd1b70330433f82

  • SHA1

    6ac73d8fa403a832dbf162ca1cd5986355a31d77

  • SHA256

    c862d5bdd4491f7b38a920f42af87d6f80398cf29d3484d81ee63dd455046fb6

  • SHA512

    cec72a27e9e6e14bfa4432068ef033ac3a89d4a643fe8ddf8d27fc056826ca459e1644cfafeaef2335b2ab8032fd44e7f7e3d4d75ada8d8e9b4f6cc22feab8c1

  • SSDEEP

    49152:0AoiGnyJ0v6HpFVAqnq42tW019qcJzm8gzxsjTq1uP4zVA40bDpoWlrLwz6QiAJP:ho9Zv2FVAqq42o01tJ68gzxkWC4640bm

Malware Config

Signatures

  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

  • Requests cell location 2 TTPs 1 IoCs

    Uses Android APIs to get the current cell location.

  • Domain associated with commercial stalkerware software, includes indicators from echap.eu.org 1 IoCs
  • Queries information about active data network 1 TTPs 1 IoCs
  • Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
  • Checks CPU information 2 TTPs 1 IoCs

Processes

  • com.example.wzv
    1⤵
    • Loads dropped Dex/Jar
    • Requests cell location
    • Queries information about active data network
    • Queries information about the current Wi-Fi connection
    • Uses Crypto APIs (Might try to encrypt user data)
    • Checks CPU information
    PID:4241
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.example.wzv/files/com.djob.qxgtg.jar --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/com.example.wzv/files/oat/x86/com.djob.qxgtg.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4299

Network

  • flag-us
    DNS
    vi.pi.vpvtv.cn
    Remote address:
    1.1.1.1:53
    Request
    vi.pi.vpvtv.cn
    IN A
    Response
  • flag-us
    DNS
    s.unfoot.com
    Remote address:
    1.1.1.1:53
    Request
    s.unfoot.com
    IN A
    Response
  • flag-us
    DNS
    alog.umeng.com
    Remote address:
    1.1.1.1:53
    Request
    alog.umeng.com
    IN A
    Response
    alog.umeng.com
    IN CNAME
    alog.umeng.com.gds.alibabadns.com
    alog.umeng.com.gds.alibabadns.com
    IN CNAME
    alog-default.umeng.com
    alog-default.umeng.com
    IN A
    223.109.148.141
    alog-default.umeng.com
    IN A
    223.109.148.179
    alog-default.umeng.com
    IN A
    223.109.148.178
    alog-default.umeng.com
    IN A
    223.109.148.177
    alog-default.umeng.com
    IN A
    223.109.148.176
    alog-default.umeng.com
    IN A
    223.109.148.130
  • flag-us
    DNS
    android.apis.google.com
    Remote address:
    1.1.1.1:53
    Request
    android.apis.google.com
    IN A
    Response
    android.apis.google.com
    IN CNAME
    clients.l.google.com
    clients.l.google.com
    IN A
    172.217.16.238
  • flag-cn
    POST
    http://alog.umeng.com/app_logs
    Remote address:
    223.109.148.176:80
    Request
    POST /app_logs HTTP/1.1
    X-Umeng-UTC: 1718475666396
    X-Umeng-Sdk: Android/5.5.3 %E7%9B%AE%E6%A0%87%E5%85%A8%E8%AE%A1%E5%88%92%2F1.1+Pixel+2%2F9+DF6F6E81CE9F99935BB8B772C0361CDD
    Msg-Type: envelope
    Content-Length: 590
    Host: alog.umeng.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Server: Tengine
    Date: Sat, 15 Jun 2024 18:21:52 GMT
    Content-Type: application/thrift
    Content-Length: 1140
    Connection: close
  • 172.217.169.74:443
    52 B
    40 B
    1
    1
  • 223.109.148.141:80
    alog.umeng.com
    240 B
    4
  • 223.109.148.179:80
    alog.umeng.com
    240 B
    4
  • 142.250.187.238:443
    tls, https
    858 B
    40 B
    1
    1
  • 172.217.16.238:443
    android.apis.google.com
    tls
    4.7kB
    8.9kB
    14
    23
  • 223.109.148.178:80
    alog.umeng.com
    240 B
    4
  • 172.217.169.74:443
    tls, https
    1.2kB
    40 B
    1
    1
  • 172.217.169.74:443
    tls, https
    4.0kB
    40 B
    2
    1
  • 223.109.148.177:80
    alog.umeng.com
    240 B
    4
  • 223.109.148.176:80
    http://alog.umeng.com/app_logs
    http
    1.3kB
    1.5kB
    9
    6

    HTTP Request

    POST http://alog.umeng.com/app_logs

    HTTP Response

    200
  • 224.0.0.251:5353
    3.7kB
    11
  • 1.1.1.1:53
    vi.pi.vpvtv.cn
    dns
    60 B
    116 B
    1
    1

    DNS Request

    vi.pi.vpvtv.cn

  • 1.1.1.1:53
    s.unfoot.com
    dns
    58 B
    126 B
    1
    1

    DNS Request

    s.unfoot.com

  • 1.1.1.1:53
    alog.umeng.com
    dns
    60 B
    227 B
    1
    1

    DNS Request

    alog.umeng.com

    DNS Response

    223.109.148.141
    223.109.148.179
    223.109.148.178
    223.109.148.177
    223.109.148.176
    223.109.148.130

  • 1.1.1.1:53
    android.apis.google.com
    dns
    69 B
    109 B
    1
    1

    DNS Request

    android.apis.google.com

    DNS Response

    172.217.16.238

MITRE ATT&CK Mobile v15

Downloads

  • /data/data/com.example.wzv/files/.imprint

    Filesize

    895B

    MD5

    4b1bfd91063427589757d3463c7db0d3

    SHA1

    ae124a335e13458cd73a565a42df59eb55e5db82

    SHA256

    8d0874d676d62a082726d90961face11c555acd89e34c96163fca2237762e128

    SHA512

    d7e28c1154e353a20502afe5632fc6b8b4c638b84afca7d499e0e4f97a34b22277be87a56cbf4a903b2514725c4a3e4b45cb4ca1c571518688db8163ee71c692

  • /data/data/com.example.wzv/files/com.djob.qxgtg.jar

    Filesize

    214KB

    MD5

    5dee8b5bcbb6ebc65895fc0c7165f70b

    SHA1

    b14d2fe53d4ea9215ae31b78e31b1675674cb2ab

    SHA256

    97f0bb9fc1078231499d6dd718486485be6a5e1172cc655fe355de085155c2d3

    SHA512

    c0a1c696ba7522d38e44306a3a462c186d13ee7f8946261b41a8fec7be603f899c870d32b87a1b8ac0754af33fea413ba22fa2ad145480173072374b056e5cbf

  • /data/data/com.example.wzv/files/umeng_it.cache

    Filesize

    310B

    MD5

    987b28586e6fbd9615ba61945a2ce9ca

    SHA1

    39908087c76d620a67a0a3e1546e74ab59e40a64

    SHA256

    c07b788cf06e338e07adca5b90c01506cf75ca68e658cf0acd3a808b1967a9e1

    SHA512

    1b991ce655c990b78363a9bdc044066d87692869b07d9c6339766c306170db23d0fa8dd009ba8c1c136d0b3ed86caf53f39301417dce588c8cabd4960ca1ff69

  • /data/data/com.example.wzv/files/umeng_it.cache

    Filesize

    158B

    MD5

    4de4c39bba9b19ed45c7385fa1ee8403

    SHA1

    49e099159dd94d4b8018596258fcc6a917ea06c5

    SHA256

    11a075601231234123fe422040372c267449a72d6351e826658fe68e8758334a

    SHA512

    3d5afdd82df033a9f3e9cfe119049752569c25845f3c2a12c126134345f6656827c204bacce431bae18bc89c52af34a5cce39dcefb77d493e87074c59818023d

  • /data/user/0/com.example.wzv/files/com.djob.qxgtg.jar

    Filesize

    416KB

    MD5

    f71ffb817352822f0d3b16099bd2d0b1

    SHA1

    a61e493c8af3dd0cda67b3a00adb802c0fee6aa8

    SHA256

    75a8cb0fc53bfd041b44643c989757066416d497bfbafdd15b4da07f67f1e5ac

    SHA512

    dcfcc5624c632b7f06ef87b3e044c5174fbc623e541c24d73baf872da96653be0b6742e2cf1891ba4242908a752f4a331d14ab5338ec4317a46f66b941328373

  • /data/user/0/com.example.wzv/files/com.djob.qxgtg.jar

    Filesize

    416KB

    MD5

    459742ab80299e574d063ff524ea1256

    SHA1

    992dc89f4c1119d998632adbe32abf2f7bf85f29

    SHA256

    3b84b1f26360b2f223fbd71928b56c464ca1bffd8309d3ca4d89e0edd462a868

    SHA512

    3fc91ad0d2414c0f1e9ed6df8027731cd10344fa762ec29d2f1d8f12ad4c2e6a12b4e983aa2527071b30bf23b1a2c28a59721264f666bfe1481f13c1e496249b
