Analysis
- max time kernel: 49s
- max time network: 131s
- platform: android_x86
- resource: android-x86-arm-20240611.1-en
- resource tags: android, arch:arm, arch:x86, image:android-x86-arm-20240611.1-en, locale:en-us, os:android-9-x86, system
- submitted: 15/06/2024, 18:20 UTC
Static task: static1
Behavioral task: behavioral1
- Sample: afc10a970ec6340ddfd1b70330433f82_JaffaCakes118.apk
- Resource: android-x86-arm-20240611.1-en
General
- Target: afc10a970ec6340ddfd1b70330433f82_JaffaCakes118.apk
- Size: 2.9MB
- MD5: afc10a970ec6340ddfd1b70330433f82
- SHA1: 6ac73d8fa403a832dbf162ca1cd5986355a31d77
- SHA256: c862d5bdd4491f7b38a920f42af87d6f80398cf29d3484d81ee63dd455046fb6
- SHA512: cec72a27e9e6e14bfa4432068ef033ac3a89d4a643fe8ddf8d27fc056826ca459e1644cfafeaef2335b2ab8032fd44e7f7e3d4d75ada8d8e9b4f6cc22feab8c1
- SSDEEP: 49152:0AoiGnyJ0v6HpFVAqnq42tW019qcJzm8gzxsjTq1uP4zVA40bDpoWlrLwz6QiAJP:ho9Zv2FVAqq42o01tJ68gzxkWC4640bm
Malware Config
Signatures
- Loads dropped Dex/Jar (1 TTPs, 2 IoCs)
  Runs executable file dropped to the device during analysis.
  - ioc: /data/user/0/com.example.wzv/files/com.djob.qxgtg.jar; pid: 4299; Process: /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.example.wzv/files/com.djob.qxgtg.jar --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/com.example.wzv/files/oat/x86/com.djob.qxgtg.odex --compiler-filter=quicken --class-loader-context=&
  - ioc: /data/user/0/com.example.wzv/files/com.djob.qxgtg.jar; pid: 4241; Process: com.example.wzv
- Requests cell location (2 TTPs, 1 IoCs)
  Uses Android APIs to get the current cell location.
  - description: Framework service call; ioc: com.android.internal.telephony.ITelephony.getCellLocation; Process: com.example.wzv
- Domain associated with commercial stalkerware software, includes indicators from echap.eu.org (1 IoCs)
  - flow: 7; ioc: alog.umeng.com
- Queries information about active data network (1 TTPs, 1 IoCs)
  - description: Framework service call; ioc: android.net.IConnectivityManager.getActiveNetworkInfo; Process: com.example.wzv
- Queries information about the current Wi-Fi connection (1 TTPs, 1 IoCs)
  Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
  - description: Framework service call; ioc: android.net.wifi.IWifiManager.getConnectionInfo; Process: com.example.wzv
- Uses Crypto APIs (Might try to encrypt user data) (1 TTPs, 1 IoCs)
  - description: Framework API call; ioc: javax.crypto.Cipher.doFinal; Process: com.example.wzv
- Checks CPU information (2 TTPs, 1 IoCs)
  - description: File opened for read; ioc: /proc/cpuinfo; Process: com.example.wzv
Processes
- com.example.wzv (PID: 4241)
  - Loads dropped Dex/Jar
  - Requests cell location
  - Queries information about active data network
  - Queries information about the current Wi-Fi connection
  - Uses Crypto APIs (Might try to encrypt user data)
  - Checks CPU information
  - child process: /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.example.wzv/files/com.djob.qxgtg.jar --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/com.example.wzv/files/oat/x86/com.djob.qxgtg.odex --compiler-filter=quicken --class-loader-context=& (PID: 4299)
    - Loads dropped Dex/Jar
Network
- Remote address: 1.1.1.1:53
  Request: vi.pi.vpvtv.cn IN A
  Response: (empty)
- Remote address: 1.1.1.1:53
  Request: s.unfoot.com IN A
  Response: (empty)
- Remote address: 1.1.1.1:53
  Request: alog.umeng.com IN A
  Response:
    alog.umeng.com IN CNAME alog.umeng.com.gds.alibabadns.com
    alog.umeng.com.gds.alibabadns.com IN CNAME alog-default.umeng.com
    alog-default.umeng.com IN A 223.109.148.141
    alog-default.umeng.com IN A 223.109.148.179
    alog-default.umeng.com IN A 223.109.148.178
    alog-default.umeng.com IN A 223.109.148.177
    alog-default.umeng.com IN A 223.109.148.176
    alog-default.umeng.com IN A 223.109.148.130
- Remote address: 1.1.1.1:53
  Request: android.apis.google.com IN A
  Response:
    android.apis.google.com IN CNAME clients.l.google.com
    clients.l.google.com IN A 172.217.16.238
- Remote address: 223.109.148.176:80
  Request:
    POST /app_logs HTTP/1.1
    X-Umeng-UTC: 1718475666396
    X-Umeng-Sdk: Android/5.5.3 %E7%9B%AE%E6%A0%87%E5%85%A8%E8%AE%A1%E5%88%92%2F1.1+Pixel+2%2F9+DF6F6E81CE9F99935BB8B772C0361CDD
    Msg-Type: envelope
    Content-Length: 590
    Host: alog.umeng.com
    Connection: Keep-Alive
  Response:
    HTTP/1.1 200 OK
    Date: Sat, 15 Jun 2024 18:21:52 GMT
    Content-Type: application/thrift
    Content-Length: 1140
    Connection: close

Per-flow traffic (values as extracted; where four values are present they are bytes sent, bytes received, packets sent, packets received):
- 52 B 40 B 1 1
- 240 B 4
- 240 B 4
- 858 B 40 B 1 1
- 4.7kB 8.9kB 14 23
- 240 B 4
- 1.2kB 40 B 1 1
- 4.0kB 40 B 2 1
- 240 B 4
- 1.3kB 1.5kB 9 6
  HTTP Request: POST http://alog.umeng.com/app_logs
  HTTP Response: 200
- 3.7kB 11
- 60 B 116 B 1 1
  DNS Request: vi.pi.vpvtv.cn
- 58 B 126 B 1 1
  DNS Request: s.unfoot.com
- 60 B 227 B 1 1
  DNS Request: alog.umeng.com
  DNS Response: 223.109.148.141, 223.109.148.179, 223.109.148.178, 223.109.148.177, 223.109.148.176, 223.109.148.130
- 69 B 109 B 1 1
  DNS Request: android.apis.google.com
  DNS Response: 172.217.16.238
MITRE ATT&CK Mobile v15
Downloads