9da270257a4a4dcefe0f75221baa1f39d0c63e2a4dcc50b1bebd02f0c98ceadb

Analysis

max time kernel
178s
max time network
187s
platform
android_x64
resource
android-x64-20240611.1-en
resource tags

androidarch:x64arch:x86image:android-x64-20240611.1-enlocale:en-usos:android-10-x64system
submitted
16-06-2024 14:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b3df3bed219262ac41a292c793bca25d_JaffaCakes118.apk
Size

637KB
MD5

b3df3bed219262ac41a292c793bca25d
SHA1

cd16a1046935d2c1bdf92ba789c08624bbe3175c
SHA256

9da270257a4a4dcefe0f75221baa1f39d0c63e2a4dcc50b1bebd02f0c98ceadb
SHA512

b854065e6408ca9a9af4f0365e9f416e7f82da35b135f35ac7f52237f553e43d45c21886562fb554f0125ea9cd7e69cd1921ea1e18462131f5c23714cb909346
SSDEEP

12288:d4L4oQI8Y0FotaKIUtrbMN1y/gfOdFskKkaeFx2Mbe94vvQe6ERylTUr:JoL0otaYtXMT5Ogk78MiiydS

Score

8^/10

banker collection discovery evasion persistence stealth trojan

Malware Config

Signatures

Removes its main activity from the application launcher 1 TTPs 1 IoCs
stealth trojan evasion

T1628.001

Processes:

com.xzwt.lhyr.lkce

pid process

5036 com.xzwt.lhyr.lkce

pid	process
5036	com.xzwt.lhyr.lkce

Loads dropped Dex/Jar 1 TTPs 2 IoCs

Runs executable file dropped to the device during analysis.

evasion

T1407

Processes:

com.xzwt.lhyr.lkcecom.xzwt.lhyr.lkce:daemon

ioc	pid	process
/data/user/0/com.xzwt.lhyr.lkce/app_mjf/dz.jar	5036	com.xzwt.lhyr.lkce
/data/user/0/com.xzwt.lhyr.lkce/app_mjf/dz.jar	5121	com.xzwt.lhyr.lkce:daemon

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

T1418.001
Queries account information for other applications stored on the device 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect account information stored on the device.
collection

T1409

Processes:

com.xzwt.lhyr.lkce

description ioc process

Framework service call android.accounts.IAccountManager.getAccountsAsUser com.xzwt.lhyr.lkce
Queries information about running processes on the device 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about running processes on the device.
discovery

T1424

Processes:

com.xzwt.lhyr.lkce

description ioc process

Framework service call android.app.IActivityManager.getRunningAppProcesses com.xzwt.lhyr.lkce
Domain associated with commercial stalkerware software, includes indicators from echap.eu.org 2 IoCs

Processes:

flow ioc

6 alog.umeng.com
39 alog.umeng.com
Queries information about active data network 1 TTPs 1 IoCs
discovery

T1421

Processes:

com.xzwt.lhyr.lkce

description ioc process

Framework service call android.net.IConnectivityManager.getActiveNetworkInfo com.xzwt.lhyr.lkce
Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
discovery

T1421

Processes:

com.xzwt.lhyr.lkce

description ioc process

Framework service call android.net.wifi.IWifiManager.getConnectionInfo com.xzwt.lhyr.lkce
Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
discovery

T1422
Reads information about phone network operator. 1 TTPs
discovery

T1422
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
persistence

T1624.001

Processes:

com.xzwt.lhyr.lkce

description ioc process

Framework service call android.app.IActivityManager.registerReceiver com.xzwt.lhyr.lkce
Checks CPU information 2 TTPs 1 IoCs

T1633.001

T1426

Processes:

com.xzwt.lhyr.lkce

description ioc process

File opened for read /proc/cpuinfo com.xzwt.lhyr.lkce

description	ioc	process
Framework service call	android.accounts.IAccountManager.getAccountsAsUser	com.xzwt.lhyr.lkce

description	ioc	process
Framework service call	android.app.IActivityManager.getRunningAppProcesses	com.xzwt.lhyr.lkce

flow	ioc
6	alog.umeng.com
39	alog.umeng.com

description	ioc	process
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.xzwt.lhyr.lkce

description	ioc	process
Framework service call	android.net.wifi.IWifiManager.getConnectionInfo	com.xzwt.lhyr.lkce

description	ioc	process
Framework service call	android.app.IActivityManager.registerReceiver	com.xzwt.lhyr.lkce

description	ioc	process
File opened for read	/proc/cpuinfo	com.xzwt.lhyr.lkce

com.xzwt.lhyr.lkce
1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Queries account information for other applications stored on the device
- Queries information about running processes on the device
- Queries information about active data network
- Queries information about the current Wi-Fi connection
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Checks CPU information
PID:5036

com.xzwt.lhyr.lkce:daemon
1⤵
- Loads dropped Dex/Jar
PID:5121

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.xzwt.lhyr.lkce/app_mjf/ddz.jar
Filesize
105KB

MD5
23ba0b249042b7ba33e92c0199b0ea4a

SHA1
99b13ee9f7307316c2337953fceed87e9942b794

SHA256
1ed0751a141b17c80a921f5e8ba90c66a56b8e73156f5cbe133b57d550ca4ef2

SHA512
0cc88e2b7c2ffa4db274d690e3bf12098ec804b9fcd9e92b57d2fa0c4161031d2e84c91d86ba8e2b6e8b4837852defa099333f76bcd454c67b31632d0cdd4861

Download Submit
/data/data/com.xzwt.lhyr.lkce/app_mjf/tdz.jar
Filesize
105KB

MD5
293ea5f01e27975bed5179ba79d80eac

SHA1
c5b0806a537fd1cb753e11f1a9684933317716b8

SHA256
8d86de68978e859c8262c0d0e932d3a1d57457b57ce88940620befab1bcead5b

SHA512
c7cd2881367fdf95ec4151449b359decdae1adf136388edbaaa9880c7ebd14fb3579e7a15600a856988c55d207f7ba1fd7d938f4d9168aba8a7ff1c3029d6b53

Download Submit
/data/data/com.xzwt.lhyr.lkce/databases/lezzd
Filesize
28KB

MD5
dae68dcffc3d522a79f98ebbc3b6d457

SHA1
6df5dce9a50f12044a2d20b8d1742ae47b82ee03

SHA256
56cf91ca198812e0ef9ba4af0e96c08a32e24c917bcf2250bdebdfd7fd6f5286

SHA512
23b76f988399e9c9e4f5a7e8d19ecb765abdb115b0beee35f8ca9d221bbc5ee79f0152fac4261cc91eb9e7f874b5c6e9bff2dbb1812d31412d506cf83c16adcd

Download Submit
/data/data/com.xzwt.lhyr.lkce/databases/lezzd-journal
Filesize
8KB

MD5
419e7ec7e9624792e56037698c623e2a

SHA1
f9920af17ebb1ea6867b9e58c802dd0c55bdf90c

SHA256
d1e844f6ac85e76d38578fe0e96ddf1b921a7e627bb0089b934e301baf27a625

SHA512
618fc134af0ec888ac4119759c7b2ab4217a5045b0b570c79041acb2ec6520a48e07e0c8a245e36d29a2c26c86bfb95eaff662fb727df576987b223a75186278

Download Submit
/data/data/com.xzwt.lhyr.lkce/databases/lezzd-journal
Filesize
8KB

MD5
73ee8bb34c9493cc7476f91206ca172c

SHA1
8ab52e9cd3b20d34397b8f30d8a26cb6e40a2002

SHA256
14f13077b80d0fe0e11004d346f9ce5be693201642dca2434b5869e34346d321

SHA512
7debbfab8ee9f977ff47bc1d03412d9838e35c90e07d5d0443d6fd1349edee2320ac383939dfe1c1695684e71edeb44cd13839303a42e54202b115e06ba73ada

Download Submit
/data/data/com.xzwt.lhyr.lkce/databases/lezzd-journal
Filesize
8KB

MD5
6be31bf2460aa23e05557c6897d48269

SHA1
c60c6cfca88e70f4323e6e016522afa795a0815a

SHA256
d04d18ac38ba4081ae0a95a8164d7395123a060a4ec139375db08fd3b045484d

SHA512
71ba33428f436522107390e98a8ad130650ae4a660f834e4b7680ec35ae8065710be649b5ecb46e8edbd0f6ef0700dd76609dcd69c901b596b3e4446fc89012a

Download Submit
/data/data/com.xzwt.lhyr.lkce/databases/lezzd-journal
Filesize
512B

MD5
cb33572efbe4df9b91b2f03c33ff9be5

SHA1
7fe17e2139e304579aa6d7716ccf50e0c8e0ce70

SHA256
a79db50614248019d1e946ddbbce154d2db59a1f21d52370ad8179330220fadb

SHA512
48e8bf3e6ccb444ae8034f096e6b91883a4da33910423e5d88c3b2e9d66dc7cce43e3969a1ca8d1ee4ef3ad54a4be8a24afe8880ab8716b5df6a0b5be81e92bd

Download Submit
/data/data/com.xzwt.lhyr.lkce/databases/lezzd-journal
Filesize
8KB

MD5
0ad7de0d67e2eebdfc1eceea30fa141d

SHA1
999a94c8315608a56d17fe3604d07d450f4144ab

SHA256
c3d924f4ce39b53e4625de8bd15365f4116eb561c14e22e80785e3bb1854db5d

SHA512
c4eac7527928b39fb5c00a0e6187832d62e9d5d036f4eb5d0e6c8a72d4bb710f03323927595894fb6240ceb5efe5e53c572d2a2486ac94af809c524e19655d4a

Download Submit
/data/data/com.xzwt.lhyr.lkce/databases/lezzd-journal
Filesize
4KB

MD5
3583d32393068bc7478609c5bfd4e9d4

SHA1
fb93413117573c39957dd7a90c5f17f6eaf48f44

SHA256
72dec871ca66264cea31db788ffad93f6370319fc658a76140321b885a3936e3

SHA512
0ac9544d9c58d50f51b3521c91a96b94d8b5d4c9ea2a9078d29f600c4fd55652202169c3ce329cc1f0e96c3fa29fe7706b952f561ae497d717985ae49fe86d61

Download Submit
/data/data/com.xzwt.lhyr.lkce/files/.um/um_cache_1718546474425.env
Filesize
654B

MD5
46cb0787c976a921fca7db86461872ca

SHA1
e62128c4ae88c503ea1e120885ef2e1887f46c6f

SHA256
1dd4b6211cdee74eca8ce95665e1113b5b7bec070390c8c4caea5f0a7a1983c1

SHA512
448b5f69d6e6c2a24c0d3b6f22be7ebdf21b9677455005d0aa5f16661d0a2ea15080b2a4153b9c0095fc602c389ab14673e1fc226c4a28ff8cb530bcb0210c32

Download Submit
/data/data/com.xzwt.lhyr.lkce/files/.umeng/exchangeIdentity.json
Filesize
162B

MD5
88313316017c4d51d08e9dbba4fc704e

SHA1
fce641cb024557aa044536501796c347a1f7529d

SHA256
aae6fcbec00ea473083c4c504f7fd1fc30e84e8d435f0b8a233a2665ff8c9e95

SHA512
9d8dca0948bc6f85b687131891a391cb5951dce1e5203ca0b5a233cc84ce282911f66914bf308a2b3bb5e4aa28753cf9eff4f40a59bddecf0378a48016c3274f

Download Submit
/data/data/com.xzwt.lhyr.lkce/files/mobclick_agent_cached_com.xzwt.lhyr.lkce1
Filesize
806B

MD5
8470ac503fb3e6cbe26dced51943c9a1

SHA1
edee8f9daab1bbdc31b7ed7b044858552ee21f55

SHA256
5d0fca5725117d6c46c7b703ad2d149fe88e5adf98bc16cf6d3be916187f500d

SHA512
d910c580532ab153a86f361b50cf8fb679a4ece81763ee8038830b74ea8a8f93259624c7ca3597eed0be95e8d334d7cd5dae69d9793eeaf0e0e653754678ecb2

Download Submit
/data/data/com.xzwt.lhyr.lkce/files/umeng_it.cache
Filesize
352B

MD5
19f3d71202713d8417a7989a1beae4cd

SHA1
ca3f1a66bf578041cc34d35782c462730f2d002f

SHA256
8fb9a408bdc1fe9d4f37c671a42c3d48b91d89da145448a8767f262e524a4a9b

SHA512
79e192b0d1a1d63ab9e5b63117eda35ad1e5527abe5c9e800c2604e724a4d5ecd90cff0274fbc88f160477d70f23a01701c1071b42483f9809dced1949383702

Download Submit
/data/user/0/com.xzwt.lhyr.lkce/app_mjf/dz.jar
Filesize
248KB

MD5
a54a18b58c6720991c021f433dfb2a46

SHA1
d2ffa07919f92b6e04914e39843f08fdb2a75b68

SHA256
3dd88e4418bd4271af728fc6436c873a55e6b6f5c8ed241ee2cb0ee24fe3f7f3

SHA512
e4a51b2462b247b1e5fbd947d06a2eba334f18398daadacbabcb4185f4255f05c22d656a8837a6088ffbdcaedfbdfbd8281c5dad4880c4e5021571e3fefc88cc

Download Submit