Analysis
- max time kernel: 42s
- max time network: 150s
- platform: android-9_x86
- resource: android-x86-arm-20240910-en
- resource tags: arch:arm, arch:x86, image:android-x86-arm-20240910-en, locale:en-us, os:android-9-x86, system
- submitted: 14/10/2024, 15:48
Static task
- static1
Behavioral task
- behavioral1
  Sample: 42f114508beb3f136d349bc2e9f9988d_JaffaCakes118.apk
  Resource: android-x86-arm-20240910-en
Behavioral task
- behavioral2
  Sample: 42f114508beb3f136d349bc2e9f9988d_JaffaCakes118.apk
  Resource: android-x64-20240624-en
Behavioral task
- behavioral3
  Sample: 42f114508beb3f136d349bc2e9f9988d_JaffaCakes118.apk
  Resource: android-x64-arm64-20240910-en
General
- Target: 42f114508beb3f136d349bc2e9f9988d_JaffaCakes118.apk
- Size: 626KB
- MD5: 42f114508beb3f136d349bc2e9f9988d
- SHA1: c438a37b815bc1a36ab3a5b49f8b55c2fbc19ee0
- SHA256: ab0ef2e67199a36c298c87ebf4802aab32fc56ace0e0c89b45dadb02539be0f6
- SHA512: 8f1a5fa7a0c91fc55ff31d36bd87ca1b93b09bc4ca1bec8b063ced56f979f5825ffed96b5a92d5a6e34add694269dca5486b60efab6a84923fcbaa54528888d2
- SSDEEP: 12288:hKl4GI+ToiBeB1biPo1cH6WOgGEhhBCm5aZeFN9cIp6uZ:K4GIYlBe2A1Y6WpwZKlpp
Malware Config
Signatures
- Loads dropped Dex/Jar (1 TTPs, 2 IoCs)
  Runs executable file dropped to the device during analysis.
  ioc | pid | Process
  - /data/user/0/CTuLuK.bSYl.LJsxf/files/.ca/oTpiBCh.jar | 4244 | /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/CTuLuK.bSYl.LJsxf/files/.ca/oTpiBCh.jar --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/CTuLuK.bSYl.LJsxf/files/.ca/oat/x86/oTpiBCh.odex --compiler-filter=quicken --class-loader-context=&
  - /data/user/0/CTuLuK.bSYl.LJsxf/files/.ca/oTpiBCh.jar | 4217 | CTuLuK.bSYl.LJsxf
- Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 TTPs)
- Domain associated with commercial stalkerware software, includes indicators from echap.eu.org (1 IoCs)
  flow | ioc
  - 7 | alog.umeng.com
- Queries information about active data network (1 TTPs, 1 IoCs)
  description | ioc | Process
  - Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | CTuLuK.bSYl.LJsxf
- Queries information about the current Wi-Fi connection (1 TTPs, 1 IoCs)
  Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
  description | ioc | Process
  - Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | CTuLuK.bSYl.LJsxf
- Queries the mobile country code (MCC) (1 TTPs, 1 IoCs)
  description | ioc | Process
  - Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | CTuLuK.bSYl.LJsxf
- Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTPs, 1 IoCs)
  description | ioc | Process
  - Framework service call | android.app.IActivityManager.registerReceiver | CTuLuK.bSYl.LJsxf
- Checks CPU information (2 TTPs, 1 IoCs)
  description | ioc | Process
  - File opened for read | /proc/cpuinfo | CTuLuK.bSYl.LJsxf
- Checks memory information (2 TTPs, 1 IoCs)
  description | ioc | Process
  - File opened for read | /proc/meminfo | CTuLuK.bSYl.LJsxf
Processes
- CTuLuK.bSYl.LJsxf (PID: 4217)
  - Loads dropped Dex/Jar
  - Queries information about active data network
  - Queries information about the current Wi-Fi connection
  - Queries the mobile country code (MCC)
  - Registers a broadcast receiver at runtime (usually for listening for system events)
  - Checks CPU information
  - Checks memory information
  - /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/CTuLuK.bSYl.LJsxf/files/.ca/oTpiBCh.jar --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/CTuLuK.bSYl.LJsxf/files/.ca/oat/x86/oTpiBCh.odex --compiler-filter=quicken --class-loader-context=& (PID: 4244)
    - Loads dropped Dex/Jar
Network
MITRE ATT&CK Mobile v15
- Defense Evasion
  - Download New Code at Runtime (1)
  - Virtualization/Sandbox Evasion (2)
  - System Checks (2)
Downloads