042545c2cc5ff14e5b6cb9865d61481021952d897795b4522b33ecf832207a5b

General

Target

e23991bf368067467b4d155da9091e70_JaffaCakes118.apk
Size

900KB
MD5

e23991bf368067467b4d155da9091e70
SHA1

5603b4bcae698b1339db77bf83d3de8118130d04
SHA256

042545c2cc5ff14e5b6cb9865d61481021952d897795b4522b33ecf832207a5b
SHA512

a03ad66d7c6230ae9c52f53f4b8deb7c9a02fc5df8f85554a2a69aaca7280f788d0d8a5a56f065efe4e4c64adad18dce10687106756ca119682c90e00003fb3b
SSDEEP

24576:Di6LvaF3zlck94/DkPEaDH8H6s5luk1iW08g0i:lzaBzCky/YNcas5lTM8g0i

Score

7^/10

discovery evasion persistence

Malware Config

Signatures

Checks Android system properties for emulator presence. 1 TTPs 2 IoCs

evasion

System Checks

T1633.001

description	ioc	Process
Accessed system property	key: ro.serialno	vfrzkbe.vzpp.khpphd.exvjouue
Accessed system property	key: ro.product.model	vfrzkbe.vzpp.khpphd.exvjouue

Loads dropped Dex/Jar 1 TTPs 2 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/data/vfrzkbe.vzpp.khpphd.exvjouue/EOZTzhVG.jar	4268	/system/bin/dex2oat --debuggable --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --debuggable --generate-mini-debug-info --dex-file=/data/data/vfrzkbe.vzpp.khpphd.exvjouue/EOZTzhVG.jar --output-vdex-fd=45 --oat-fd=46 --oat-location=/data/data/vfrzkbe.vzpp.khpphd.exvjouue/oat/x86/EOZTzhVG.odex --compiler-filter=quicken --class-loader-context=&
/data/data/vfrzkbe.vzpp.khpphd.exvjouue/EOZTzhVG.jar	4240	vfrzkbe.vzpp.khpphd.exvjouue

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org 1 IoCs

flow	ioc
16	alog.umeng.com

Queries information about active data network 1 TTPs 1 IoCs

discovery

System Network Connections Discovery

T1421

description	ioc	Process
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	vfrzkbe.vzpp.khpphd.exvjouue

Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs

Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

discovery

System Network Connections Discovery

T1421

description	ioc	Process
Framework service call	android.net.wifi.IWifiManager.getConnectionInfo	vfrzkbe.vzpp.khpphd.exvjouue

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	vfrzkbe.vzpp.khpphd.exvjouue

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	vfrzkbe.vzpp.khpphd.exvjouue

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	vfrzkbe.vzpp.khpphd.exvjouue

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	vfrzkbe.vzpp.khpphd.exvjouue

vfrzkbe.vzpp.khpphd.exvjouue
1⤵
- Checks Android system properties for emulator presence.
- Loads dropped Dex/Jar
- Queries information about active data network
- Queries information about the current Wi-Fi connection
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Checks CPU information
- Checks memory information
PID:4240
- /system/bin/dex2oat --debuggable --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --debuggable --generate-mini-debug-info --dex-file=/data/data/vfrzkbe.vzpp.khpphd.exvjouue/EOZTzhVG.jar --output-vdex-fd=45 --oat-fd=46 --oat-location=/data/data/vfrzkbe.vzpp.khpphd.exvjouue/oat/x86/EOZTzhVG.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4268

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

1

T1624

Broadcast Receivers

1

T1624.001

Privilege Escalation

Defense Evasion

Download New Code at Runtime

1

T1407

Virtualization/Sandbox Evasion

3

T1633

System Checks

3

T1633.001

Credential Access

Discovery

System Information Discovery

2

T1426

System Network Configuration Discovery

1

T1422

System Network Connections Discovery

2

T1421

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/vfrzkbe.vzpp.khpphd.exvjouue/EOZTzhVG.jar

Filesize
377KB

MD5
849c54efd69f9104cff4282b0b76bdaf

SHA1
c30c3df20b4f8c5384a7dc3013e89f09a6226cfd

SHA256
6650020b9671f9502235f7154518b169c0f67c18e41cfb20709f62d19dae43da

SHA512
4b53785f38afcd055bbaa5e3849d2e89275a425ef6e3aa0ccbda1da7b30ad95d692f9f8db7e8d3e4a81fb39451d66796fffe5e2acda5b9c9999745303a7a49e1

Download Submit
/data/data/vfrzkbe.vzpp.khpphd.exvjouue/EOZTzhVG.jar

Filesize
904KB

MD5
af06cebb49a0e2413482a963d31fd1ea

SHA1
4b156d6f5d93fcad20d54c3e42e31279aee6ab24

SHA256
a0953df1c9b7dfe4995c1cb6b89366b4cbff6f59a256a5a9ff2292fa6d48b60c

SHA512
5a59f250acd1858c6b4382cdf1f4e4cccb2a5cf7bb7aba2203b8d29ffea04cc5b2456655ff3b6512339ec4ccd70c43baa6ffd24d6034db120c62c915e45f61c4

Download Submit
/data/data/vfrzkbe.vzpp.khpphd.exvjouue/files/.deviceid

Filesize
32B

MD5
c8edf3bb44331b31234fb6b4f37c77a1

SHA1
e1a5c2081f8efb038faded5fb6494685e6bdd777

SHA256
ab4601ff3eda004e04bd9249b951fa23e643b83ccc5e204cac99ea263d415e21

SHA512
53458c7d7268af404bd6d9c8d4c73b3f77adbdd00cc1e7c91a55bfbe7f96ac76e01b9cfb59463f8f1e8a022eefb033cb0bc3710a9f4ba0d7c0a53ea19590b227

Download Submit
/data/data/vfrzkbe.vzpp.khpphd.exvjouue/files/.um/um_cache_1726394654208.env

Filesize
712B

MD5
9f6ec73a295d8ffec95d63f290481c52

SHA1
57ad2b6e6f996359f3aa8f8293f669ac415f236f

SHA256
e6a5517e2f86a97acda2a8fc4904a73220812318a15bafde851a8987af3cd4b8

SHA512
b26e39ffc710470705778790fb80f88b119a7496834f6be9331a503ca686999bd0ea2df4675963dbbd6fc8deae9d25f0d92a1b53f71a3b3d963c71a0f86010c1

Download Submit
/data/data/vfrzkbe.vzpp.khpphd.exvjouue/files/.umeng/exchangeIdentity.json

Filesize
162B

MD5
e7414db417c37df808e1af9252254f88

SHA1
c0b247384d8899cbe7a95d869c6313b2af884d24

SHA256
e67ca81bfcd41eda0a5256c822692404bef4e17054625075e48b6217492bd07d

SHA512
aa9c6084b2e1badf84b4127dd1e2d1a7a3d91eb204c8479f789b30b896a8f7d491952817eb560700a897b59b828d7760d008aa6ff333fa6642e4f28ee9bcc1af

Download Submit
/data/data/vfrzkbe.vzpp.khpphd.exvjouue/files/qdbh

Filesize
5B

MD5
b7a782741f667201b54880c925faec4b

SHA1
8a12a315082a345f1a9d3ad14b214cd36d310cf8

SHA256
39e5b4830d4d9c14db7368a95b65d5463ea3d09520373723430c03a5a453b5df

SHA512
0e2134196b6f11ed59ea3beef72e61ec33831c68c8a1f51bd3541f973f554d5d2c007ea1535b9def540684f8dc0a4b249add011ce9f132a4870fecb9f19f1041

Download Submit
/data/data/vfrzkbe.vzpp.khpphd.exvjouue/files/umeng_it.cache

Filesize
415B

MD5
a9a9634183ad9d242a543abc86c59276

SHA1
5680a508703d5346f0e209e8bf4f02456fb51b50

SHA256
d3fdb5b8fd1148c1e1db1e3e01e7fb088f57676a6cff5461a67460816e9a325b

SHA512
2a557b5e57bceb8f6bd4045bd87379026d82a7ad66da54ca7d8e263a7cef14e19b5d2e82d2cf99f6dc78ab0f3660a59b35e7fff6e51466f51b7d00dd07623c1c

Download Submit
/data/data/vfrzkbe.vzpp.khpphd.exvjouue/filesvfrzkbe.vzpp.khpphd.exvjouue/.libs/libccgg.so

Filesize
65KB

MD5
37f04dab3ff209479acf20493b213137

SHA1
509882e2a333b42257df2274ac3a0a8f45099e12

SHA256
e540c525d66846852b802c85a936d77bfe25cd67e7b5e59d86ef97cf7527f902

SHA512
5552cf3a7c9e7ce58b88d41ba8b9d1d4f22e93be4915410a37f0105df1531cb3936a3ce99a1c4de023c0f83e85baf491dd2ab66b4d5e974731e8ada2a545b9a9

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads