6eaf9eb8b33615aa6f7b08d215b19086f8715e7d7ba17737a1f65bf662cf2ecf

General

Target

d5fe83ef9554ac12d702373022013bc8_JaffaCakes118.apk
Size

18.0MB
MD5

d5fe83ef9554ac12d702373022013bc8
SHA1

b46ab014f5340be87a15af6eef0e327083620f77
SHA256

6eaf9eb8b33615aa6f7b08d215b19086f8715e7d7ba17737a1f65bf662cf2ecf
SHA512

c997159bcc007b1bacb79dafae8a6fbc8acdf6d8e7ebc42c644e279673d2bbeb72a1b7748125ad9aff82434c24f38a2e2ac5955373198796a6be0dd6d22c3b7b
SSDEEP

393216:RbLGNlBEkT35BbmZP3SGT/jG9rVDcpLuJGrnrjFYIBZeA8hVN4+oOE:pLGNYk7mZP35DmILRrnrjxnB8NJo7

Score

7^/10

discovery evasion

Malware Config

Signatures

Loads dropped Dex/Jar 1 TTPs 2 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/storage/emulated/0/Android/data/com.skymobi.pay.app/plugins/com.skymobi.pay.opplugin_V2009.apk	4365	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/storage/emulated/0/Android/data/com.skymobi.pay.app/plugins/com.skymobi.pay.opplugin_V2009.apk --output-vdex-fd=48 --oat-fd=49 --oat-location=/storage/emulated/0/Android/data/com.skymobi.pay.app/plugins/oat/x86/com.skymobi.pay.opplugin_V2009.odex --compiler-filter=quicken --class-loader-context=&
/storage/emulated/0/Android/data/com.skymobi.pay.app/plugins/com.skymobi.pay.opplugin_V2009.apk	4329	com.langyou.niukou

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org 1 IoCs

flow	ioc
12	alog.umeng.com

Queries information about active data network 1 TTPs 1 IoCs

discovery

System Network Connections Discovery

T1421

description	ioc	Process
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.langyou.niukou

Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs

Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

discovery

System Network Connections Discovery

T1421

description	ioc	Process
Framework service call	android.net.wifi.IWifiManager.getConnectionInfo	com.langyou.niukou

Requests dangerous framework permissions 6 IoCs

description	ioc
Allows an application to write to external storage.	android.permission.WRITE_EXTERNAL_STORAGE
Allows an app to access approximate location.	android.permission.ACCESS_COARSE_LOCATION
Allows an application to read SMS messages.	android.permission.READ_SMS
Allows an application to receive SMS messages.	android.permission.RECEIVE_SMS
Allows an application to send SMS messages.	android.permission.SEND_SMS
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device.	android.permission.READ_PHONE_STATE

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	com.langyou.niukou

com.langyou.niukou
1⤵
- Loads dropped Dex/Jar
- Queries information about active data network
- Queries information about the current Wi-Fi connection
- Checks CPU information
PID:4329
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/storage/emulated/0/Android/data/com.skymobi.pay.app/plugins/com.skymobi.pay.opplugin_V2009.apk --output-vdex-fd=48 --oat-fd=49 --oat-location=/storage/emulated/0/Android/data/com.skymobi.pay.app/plugins/oat/x86/com.skymobi.pay.opplugin_V2009.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4365

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Download New Code at Runtime

1

T1407

Virtualization/Sandbox Evasion

1

T1633

System Checks

1

T1633.001

Credential Access

Discovery

System Information Discovery

1

T1426

System Network Connections Discovery

2

T1421

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.langyou.niukou/files/mobclick_agent_sealed_com.langyou.niukou

Filesize
655B

MD5
d602e75bdcd16e32be4866838f7bbdf5

SHA1
1fc0109be132d51260183494c6ef6ad6286f3a15

SHA256
a03658950e6f678030134702094daf9bff9fcd9fff83c400811ce11ced887372

SHA512
a138de88d43c7ed63a0cae4f44d3237bbed2efe352a153b6bbcec03d708142ae28d895072f5df55adac459cd43e2158979cf9e0a2161de8f8f7d1d66bbc99132

Download Submit
/data/data/com.langyou.niukou/files/umeng_it.cache

Filesize
211B

MD5
58d7a6b8d4140824d70743f246ad3c8a

SHA1
97c83479e67f35e00aa7dc44541ea37a497770ad

SHA256
2a694641d82460c96a4239674c15cb3f937a44bcc95f39c0878cefdfdd960d72

SHA512
c9f33927d0cbed52e51595547a9dc507ec469183ce5b86a2d55f521de115db6dc8c820c72eb55ed0cff1c6fcf1934490400425eae980bed0d5ba7c6796311feb

Download Submit
/storage/emulated/0/Android/data/com.skymobi.pay.app/plugins/com.skymobi.pay.opplugin_V2009.apk

Filesize
164KB

MD5
a40c1207bf356c7732a1b2a6bb610124

SHA1
3195c52690165edb510ad4c22b0eeae5f19de06b

SHA256
e2c0a59924b10f0af536580e4ae995827c951b10f5e47ac1a8f23082d891de5b

SHA512
5730bb406b25a7a666855db11cf8b36e4be1cf1e8813d787389d898770fc035a7cab94706692ffc36450274e97a04b6ba05929ab624f51914e730873c5cf8618

Download Submit
/storage/emulated/0/Android/data/com.skymobi.pay.app/plugins/com.skymobi.pay.opplugin_V2009.apk

Filesize
387KB

MD5
51cb0cee936b99364e6df6d75bf212c9

SHA1
5d4d61027170a202d084b3817b80b72f643f3e21

SHA256
b0f825ef39e1e3bff421ed0e2315c1f83a2e4a29db329cae803102462f6f3a52

SHA512
1c26b94cc194f151622cb9d227847c49ade80ea82e3d1a13b7c5d634468bcd5bfcd8e507788559a79c71f88af0fd9391c0169efc18e56962e212efd7f1f2ba36

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads