852b18f2bb5d88a9b752eb32af0ef66ad9874dc6d07908d23c9923b3554a6b84

Analysis

max time kernel
149s
max time network
149s
platform
android_x86
resource
android-x86-arm-20240624-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20240624-enlocale:en-usos:android-9-x86system
submitted
19/09/2024, 04:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ea908c8107d4997c01c51f81943cc1ad_JaffaCakes118.apk
Size

31.6MB
MD5

ea908c8107d4997c01c51f81943cc1ad
SHA1

036d458c83474ef6d1adedf47382a67393d9c8e8
SHA256

852b18f2bb5d88a9b752eb32af0ef66ad9874dc6d07908d23c9923b3554a6b84
SHA512

33528d1e8a77cb33da8d5e36ebe7f8f0b136ab2ed636144523829ebbb4546b368cba46e0017a746c3cc907a19c0116faa21ff1b0f2cf7a6ab2c5e31798162c72
SSDEEP

786432:OXexxnYH3BRCv9Ly3LOfyQm+RByw3BMeIqWLxnB8NJo+r6opq+xLGM:Ue7E3+Zy7OLm+zklqSxB8NT685xKM

Score

8^/10

discovery evasion impact persistence

Malware Config

Signatures

Checks if the Android device is rooted. 1 TTPs 1 IoCs

evasion

System Information Discovery

T1426

ioc	Process
/system/app/Superuser.apk	net.skyvu.letitgoat

Loads dropped Dex/Jar 1 TTPs 2 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/net.skyvu.letitgoat/cache/ads5310556441510276834.jar	4363	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/net.skyvu.letitgoat/cache/ads5310556441510276834.jar --output-vdex-fd=89 --oat-fd=90 --oat-location=/data/user/0/net.skyvu.letitgoat/cache/oat/x86/ads5310556441510276834.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/net.skyvu.letitgoat/cache/ads5310556441510276834.jar	4263	net.skyvu.letitgoat

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	net.skyvu.letitgoat

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org 2 IoCs

flow	ioc
5	alog.umeng.com
91	alog.umeng.com

Queries information about active data network 1 TTPs 1 IoCs

discovery

System Network Connections Discovery

T1421

description	ioc	Process
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	net.skyvu.letitgoat

Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs

Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

discovery

System Network Connections Discovery

T1421

description	ioc	Process
Framework service call	android.net.wifi.IWifiManager.getConnectionInfo	net.skyvu.letitgoat

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	net.skyvu.letitgoat

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	net.skyvu.letitgoat

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	net.skyvu.letitgoat

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	net.skyvu.letitgoat

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	net.skyvu.letitgoat

net.skyvu.letitgoat
1⤵
- Checks if the Android device is rooted.
- Loads dropped Dex/Jar
- Acquires the wake lock
- Queries information about active data network
- Queries information about the current Wi-Fi connection
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:4263
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/net.skyvu.letitgoat/cache/ads5310556441510276834.jar --output-vdex-fd=89 --oat-fd=90 --oat-location=/data/user/0/net.skyvu.letitgoat/cache/oat/x86/ads5310556441510276834.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4363
- getprop
  2⤵
  PID:4509

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Discovery

System Information Discovery

T1426

System Network Configuration Discovery

T1422

System Network Connections Discovery

T1421

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/net.skyvu.letitgoat/cache/ads5310556441510276834.jar

Filesize
2KB

MD5
d80f6d032778b02d10a9c9a2f1a24714

SHA1
e34d4ea9618b1b499b65032723ea029ab3998500

SHA256
ee2de01a238f9e1834f9f9934dd1f5b267bdf9747965641d2fd636d740041f9b

SHA512
34fa52d41831142f86999ac407aafeb2b69bb4cd45ada9f739be84c80deb0414d11d6784f385eec287e4f6b5bdf29ba1c9a6a77c07707d66a73c60eb389136e1

Download Submit
/data/data/net.skyvu.letitgoat/cache/volley/2047948771216824210

Filesize
400B

MD5
f6484fc0635630ffb69bd8c0b464889d

SHA1
b03d3bfc03f7b751122e3306f29361dc23356b49

SHA256
56eaf47eb23b883cbc4d489693f2b879c406bb805feb0529b8699395d5ac1fe8

SHA512
d1117331b3e023be522d36d95f6af76d8a538d3f00e6bec2914ec9133f0225eb1bf0fbfbb734ab3ce43297c8a91656886dee56d8b1da9aa088588a5c1f206203

Download Submit
/data/data/net.skyvu.letitgoat/databases/3ad4da137b2e4d3286bf5454119e80d3-journal

Filesize
512B

MD5
76dd6921b24b25691352e8b8e91635ae

SHA1
690b5a14f250b93d61231a0cbdfed6322739be63

SHA256
304729e92deaa193be514f0d8419e1de5173d25c1f48112b97fbb3f2af4301ab

SHA512
1844f78f330a46f773f7d7aa6a02a3a5b05b4ff3ba6c6b65634400e59f475046cd9e40b80d46bed3c0baccb49c1428306bc2e9b1e825bcd25696de2a5bfe517e

Download Submit
/data/data/net.skyvu.letitgoat/databases/3ad4da137b2e4d3286bf5454119e80d3-wal

Filesize
60KB

MD5
ae84261b8663ecbb5f53366ee48d6472

SHA1
de2a83a935df8a347119be0c561ba0669634abc6

SHA256
02925e663aff3db8b93d92cd3f1464a5739e19b75c3cda0f2e751d8694e3af0c

SHA512
4a3cafdef51e16eb9138ecdfc805f5c5bc2b07e76430fa4b383a6cca4a43311e9a7ca23b30e4937271867099be5b3723c917d0a8c71cf4cd66656915d4d21c1d

Download Submit
/data/data/net.skyvu.letitgoat/databases/nativex_cache.db

Filesize
4KB

MD5
f2b4b0190b9f384ca885f0c8c9b14700

SHA1
934ff2646757b5b6e7f20f6a0aa76c7f995d9361

SHA256
0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

SHA512
ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

Download Submit
/data/data/net.skyvu.letitgoat/databases/nativex_cache.db-journal

Filesize
512B

MD5
03ed10575118d2a5ddcc188f17a691f9

SHA1
9cc91a0495e60529a017a4e2223aa712e9642e69

SHA256
3752784782c055b23652be412fe87bfb6f3858313579962611fc16436c6b1957

SHA512
2e97e250f2c2f1b241ceb722117278325c0a33fa9d5b81eac0dcf2793f0ab7a9de5779e01b3e381bac3cbf35ec793b6a31416a2b5ffe601479adf69c4e3a78ba

Download Submit
/data/data/net.skyvu.letitgoat/databases/nativex_cache.db-shm

Filesize
32KB

MD5
bb7df04e1b0a2570657527a7e108ae23

SHA1
5188431849b4613152fd7bdba6a3ff0a4fd6424b

SHA256
c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

SHA512
768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Download Submit
/data/data/net.skyvu.letitgoat/databases/nativex_cache.db-wal

Filesize
56KB

MD5
4967e421e9eadb86364bee8dfe5531d5

SHA1
5c9f8f8ec0238cbb64d6056cc54d97be133dcff0

SHA256
0ef8f38d00c994acf4c5a2be78750db867efd596822b3c86cc6d81ce8c2c9f5e

SHA512
a6b0911a19d5506c91be166d5da5320531c9b1160387ad5e62fff3104617a22af3682dc113f7a4f7019d8ffa24d62980f1002b9df4e3fc4bedbcf9cc08d07bfa

Download Submit
/data/data/net.skyvu.letitgoat/files/.FlurrySenderIndex.info.AnalyticsData_87Z278QJBQGXMGWBHPGH_158

Filesize
42B

MD5
60ee74af218da6ac61b7341849985923

SHA1
d61dbd2226869cd7ed6cb220521c599de63fa2e7

SHA256
0d98ae1579b2cfc063b7a83e13d4665d0068e421ab1cc4d0c0d83b1ee5caeb30

SHA512
cf3bb13dead4f77d485d0e478e4e93ca51436dad4d1b9b5651cce55dde8504de7d9013c4c583ff207dde37e6af9cf1f018f28a7fd92196c23a25c36789dba276

Download Submit
/data/data/net.skyvu.letitgoat/files/.FlurrySenderIndex.info.AnalyticsMain

Filesize
44B

MD5
9a67a1234bed26ff387d2999a99df708

SHA1
4d0b60686e380770b80218dc7a2af3c82e38366c

SHA256
c9d6317886845f55c4e01d4ce89a52a612da7d88d4e8a8585a5759f77791de59

SHA512
e582c79befd1b127dbdddab98df515c359d32888cf011efbac49d7ff3c205a4422f1be79780918bf3a9680e3eedca2565c55470ff5e476c19cc1a00f1dfcfc4d

Download Submit
/data/data/net.skyvu.letitgoat/files/.flurryagent.-6e486521

Filesize
58B

MD5
21856f91a91b6b6ffc17417005827e66

SHA1
4d4d3b96a2d8c0269c19ae3c628e3cb40e9aab68

SHA256
0d7db949c97175d57129b371d3b8f66582b196eed2423d89e9532ef35b28cf7a

SHA512
7ac80d4f04b289cc4ab1b5e60534da3ca29550d1cee39cee5e1ec927f3418707af544c8a28aef00d70d51ea31f352bf7450df65d80fcf429b1bd5cd3b3a2571f

Download Submit
/data/data/net.skyvu.letitgoat/files/.flurrydatasenderblock.75df1a36-3a8c-484e-847b-55be5695f35a

Filesize
277B

MD5
75e57cca20b33c67e8a01fe5f360f343

SHA1
e24d5ab24c84d14a407656be8969f22201a58519

SHA256
0ea024401c5eb1d115be81ba8967190b1285fd3f5c638f06f9ba36e2dd267ef6

SHA512
6541e7bc5da53b5d85bff6ad1862d9dcfb6555df1d6f1fbfe7f2fe2636324b82e672c62b70138e74fdb87eea1b0359dc8fe7a15f8a2752123393f1f487bc0251

Download Submit
/data/data/net.skyvu.letitgoat/files/com.crittercism/app_loads/58522551270_2540896e-36d6-45de-9890-aff05ed56858.log

Filesize
176B

MD5
b94fcec49af8d503f8ef497ec3bec04d

SHA1
fcbbc91a2ab5134057bb9393c89eee1077f57cea

SHA256
bbb797bb8a67f7fe3157e84cf3d86e6d633d53a73b30488a416656af581e35fd

SHA512
c534da0ad0917e0185d176617c3830b82512a1fdc05485dfbf244b9b0828d556c793e545b442af26b75ccc0e45c3f0eff7a828a3733c1d99d5a0665e63afa94f

Download Submit
/data/data/net.skyvu.letitgoat/files/com.crittercism/current_bcs/58437254280_3931073d-490b-4d1d-919e-10d1f1b038ad.log

Filesize
48B

MD5
eecfd1e3787ad8e6622184b99f7ea24d

SHA1
1badbba4169bd2a10fcdd5b49df41288cdce8eea

SHA256
646bd3d04cee5234cdeed5321a8b3b62256e16263c9e65b0f5637018108c0ff7

SHA512
75deaebb81cc9f2d7ab155fedb32cb5cb140b38dd7df79df6f6a1506006dd6a858103ed2bef610a8bb9df28534808ef57798be1b3b4477985f85e6f5e8e989fe

Download Submit
/data/data/net.skyvu.letitgoat/files/mobclick_agent_cached_net.skyvu.letitgoat

Filesize
209B

MD5
e49ebafcf7a30d3d64c5efe47a025591

SHA1
838c34b3f6a80e4751092ff14df79ec03e9f8ad9

SHA256
1f7ba075d9d24a77201ecf3ee9250ffcb09ed6f13919322ac37c265c9d23d819

SHA512
53ed004ee579d00119cd36a90fdc4e09504197816cd42bb12a42d6266b2e36a3f54fec659eeac4965333091a9098e8c7e6b406bb7819864b39398406457d2dc3

Download Submit
/data/user/0/net.skyvu.letitgoat/cache/ads5310556441510276834.jar

Filesize
4KB

MD5
6175efac331cdc88f352d62e1e1b596d

SHA1
d2e2e8ccdd8ca885dfa83f28208459ac60e9ec1a

SHA256
3d3736a254adb3086b9cb9017b52fc7dbcaba3043e284ebf90bf27c0fa6b74e3

SHA512
c5ba4e091370597ff6780beac694a37b1fd9400a21f20b5a388a62a04253054ed91ffb14d2e84c233b7e4760f6f92fa324a98b88cf90dd868b4ad7f6db3e49f8

Download Submit
/data/user/0/net.skyvu.letitgoat/cache/ads5310556441510276834.jar

Filesize
4KB

MD5
12670a32ad1380c9021a9e74aa5f2281

SHA1
7e8caf0c7a4d78452efb90958e8ce1aae5148e44

SHA256
f3c142f78cadcb57d7da3d8e4dc5f8c7b05377417c639059910696c844afc1f9

SHA512
1277dde373cab02d5df62732834adb79f8dbf1d1a9ac56b5b348e354317fadc24fe20b5ebdd1ecc28f8fc98dcdff807d2839bef75ef7d871e976e68a95851b06

Download Submit
/storage/emulated/0/.EveryplayCache/cache.json

Filesize
55B

MD5
9eda9e8b26affb7e214d016057cc048f

SHA1
9bc7ab7513846abc1900cc0136936cbcfdd0cb90

SHA256
af515d2450daa85ece59a58b9367ec16766322feb689de4204f8dcb8b8f0e477

SHA512
c12ca88384bdc0245e1a6c438d7f3761c7455dc16e45cf0753fa7161c8bfc8661933323e096b150c84164d6c96245d2d486174273f55263ded7face322abb394

Download Submit
/storage/emulated/0/Android/data/net.skyvu.letitgoat/files/Parse.settings

Filesize
20B

MD5
0196ead3563a267407724ec0c3b8a905

SHA1
7b570636e7b62af0ac73cb8c4f35160436fc0360

SHA256
823d50eabb3da2367c7ddc88d8a0d89bd635920e95cecfc2c47b6aac3a4626af

SHA512
de32f0555a13d5ce1cd6c63aa7d2d7105568e9aa55a3ddbbc1edd5264d89428659e73cfab036c383397077a3144108d5e5fddc046bb05edde8bdeb177f6cc31a

Download Submit
/storage/emulated/0/Android/data/net.skyvu.letitgoat/files/Parse.settings

Filesize
76B

MD5
51fb0675dbc12095e752f4f53ff86d4f

SHA1
3541528ad8844f14adbdab5ee8b588831134d246

SHA256
f769f6afef5cabd9763d2a5f48ba62c705082f75932ef92e68397f3092325901

SHA512
a0e0736d0b34bca218f0bd97dbe7fac36f44f4d57f7470b14faec9b3779ca11ebcc30de3967e720ea473d5b027822123ed0c175dbe0c939615bd8184eb94cbb8

Download Submit
/storage/emulated/0/Android/data/net.skyvu.letitgoat/files/Parse.settings

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads