Analysis

  • max time kernel
    148s
  • max time network
    157s
  • platform
    android_x64
  • resource
    android-x64-arm64-20240624-en
  • resource tags

    android, arch:arm, arch:arm64, arch:x64, arch:x86, image:android-x64-arm64-20240624-en, locale:en-us, os:android-11-x64, system
  • submitted
    14/10/2024, 20:09

General

  • Target

    43f8e613910e21ad26fad0150fca523f_JaffaCakes118.apk

  • Size

    1.3MB

  • MD5

    43f8e613910e21ad26fad0150fca523f

  • SHA1

    7a17643a10e6dc0f4d3d58da8475d1fbee4eda3b

  • SHA256

    01b1c40231c994f14457a65db196ffedbbd1312c8b685e5ac282f6bb6ba646ac

  • SHA512

    8c1ddaece0eefdbb2cff5a89ffebb1d2fef50c02b7ba9f5993c550f683e1b328771b839c83d10145e86dbad95f034161bd30f2358c37ae3516065f32f948d9f7

  • SSDEEP

    24576:moL0otaYtXMjG0dJZXs+bS8oaPnDAUCxFMyjTo+38jTmhq/13tdHbZKm51Ob83F:1Q7YtsdJZJboaPDAUcFRj/MjTmhq/1X5

Malware Config

Signatures

  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Queries account information for other applications stored on the device 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect account information stored on the device.

  • Queries information about running processes on the device 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about running processes on the device.

  • Domain associated with commercial stalkerware software, includes indicators from echap.eu.org 1 IoCs
  • Queries information about active data network 1 TTPs 1 IoCs
  • Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

  • Reads information about phone network operator. 1 TTPs
  • Checks CPU information 2 TTPs 1 IoCs

Processes

  • com.xsfg.nwfo.cszd (PID: 4457)
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Queries account information for other applications stored on the device
    • Queries information about running processes on the device
    • Queries information about active data network
    • Queries information about the current Wi-Fi connection
    • Checks CPU information
  • com.xsfg.nwfo.cszd:daemon (PID: 4515)
    • Loads dropped Dex/Jar

Network

MITRE ATT&CK Mobile v15

Downloads

  • /data/user/0/com.xsfg.nwfo.cszd/app_mjf/ddz.jar

    Filesize

    105KB

    MD5

    23ba0b249042b7ba33e92c0199b0ea4a

    SHA1

    99b13ee9f7307316c2337953fceed87e9942b794

    SHA256

    1ed0751a141b17c80a921f5e8ba90c66a56b8e73156f5cbe133b57d550ca4ef2

    SHA512

    0cc88e2b7c2ffa4db274d690e3bf12098ec804b9fcd9e92b57d2fa0c4161031d2e84c91d86ba8e2b6e8b4837852defa099333f76bcd454c67b31632d0cdd4861

  • /data/user/0/com.xsfg.nwfo.cszd/app_mjf/dz.jar

    Filesize

    248KB

    MD5

    a54a18b58c6720991c021f433dfb2a46

    SHA1

    d2ffa07919f92b6e04914e39843f08fdb2a75b68

    SHA256

    3dd88e4418bd4271af728fc6436c873a55e6b6f5c8ed241ee2cb0ee24fe3f7f3

    SHA512

    e4a51b2462b247b1e5fbd947d06a2eba334f18398daadacbabcb4185f4255f05c22d656a8837a6088ffbdcaedfbdfbd8281c5dad4880c4e5021571e3fefc88cc

  • /data/user/0/com.xsfg.nwfo.cszd/app_mjf/tdz.jar

    Filesize

    105KB

    MD5

    293ea5f01e27975bed5179ba79d80eac

    SHA1

    c5b0806a537fd1cb753e11f1a9684933317716b8

    SHA256

    8d86de68978e859c8262c0d0e932d3a1d57457b57ce88940620befab1bcead5b

    SHA512

    c7cd2881367fdf95ec4151449b359decdae1adf136388edbaaa9880c7ebd14fb3579e7a15600a856988c55d207f7ba1fd7d938f4d9168aba8a7ff1c3029d6b53

  • /data/user/0/com.xsfg.nwfo.cszd/databases/lezzd

    Filesize

    28KB

    MD5

    fdb8a92e5060ce104e8f0faca55a47ce

    SHA1

    270d7ca30673e18cec1d2b9add71cba96dc426fe

    SHA256

    194b40a3911f23ea75c8f4543a13c1236ae15b02c0228a080615a1012f60e05a

    SHA512

    ad962634ddd027403b5677a9ca979763071ef4a9b6f0127b0c1fd4b3a8bc51f5c4fa71245c301d0dbbf60e18953a94621715ce3ca4addef82b18030e3d718122

  • /data/user/0/com.xsfg.nwfo.cszd/databases/lezzd-journal

    Filesize

    8KB

    MD5

    bed18930491b04591b4a0b287f8c7fb2

    SHA1

    bbdfc5d4a909dd0a61a71bcadb0c38f8d0a8a59e

    SHA256

    9c3b95c30404c8c94d2e328d1809c909722e985777dccd1698b4ff4e7b198cc6

    SHA512

    d955910b7c35933ea295e5b2c6d1542bf3f80305adef3e5e2bf7713dc3c494f2cb94236b739deab92521c36580779e7cb6ad5e10cdadca9ca6b75176b025a989

  • /data/user/0/com.xsfg.nwfo.cszd/databases/lezzd-journal

    Filesize

    512B

    MD5

    7b14a0bf610d94a97e9239b4f2b257bc

    SHA1

    8340c93ad3085fa7280a227770eb610b5ef103a1

    SHA256

    70fc593a5561914c440c9a938ed2962e5e302c2a6be34952ec5a0c0118caac04

    SHA512

    7f55888b818301f67e7686fb419072e538f9a706310758af8ccd8d23a31be374e8f199f8b5cc14110d830d718a719eb3ddd6fb7f351c9d189c7874bd47e7344d

  • /data/user/0/com.xsfg.nwfo.cszd/databases/lezzd-journal

    Filesize

    8KB

    MD5

    02d732118606448b597fdc41ce659ebb

    SHA1

    5ef0311be1929e2e6dba85ce3a7b771d768df9f2

    SHA256

    48e611a3551f9acaf577bd7d273d95250be6b72dd09484142d1131790c4769de

    SHA512

    d9e16c3bd559cc43bffaad4d9a9c079445ca05ad8ece77e92d284be6a23f35ddda6cc0e6223eaadf95dbcdd591b1b9839a452929da78e042e495e7ddc6d14508

  • /data/user/0/com.xsfg.nwfo.cszd/databases/lezzd-journal

    Filesize

    4KB

    MD5

    746821826eaf331d7c8440cd8f8aab60

    SHA1

    2a0f5e4f735077ddbd3419fe8252e71c6e55158e

    SHA256

    d3e0175633ec1d9fd7ddfe29631740ad0559e77db03160256db8e0e69881aeed

    SHA512

    5cb2c0be1137f9e31b41147cd76f7e8eb76b577f677fb07550b244d97ffc0b76c3085c0567bd9c68decea09e3e271973a059941340e2ee1adc87cfcfbf323d31

  • /data/user/0/com.xsfg.nwfo.cszd/databases/lezzd-journal

    Filesize

    8KB

    MD5

    abcae9c6c5dcc28cdb6139dc317d88cb

    SHA1

    c1768a9844bd0d4be7af3d5a8e4bf2add679a1ca

    SHA256

    1945ab0eaedc28200fcc33ee8a1dbc6ddae981e70f3aa4a150dc7821201ab3dd

    SHA512

    466182f79528dcd647df9491b5eecec27322e3cc609719d66ef3cdb68acb5f5cdf656b0811125ded778521307581b56424279de2fd8eabf0981376d8a13b6fd4

  • /data/user/0/com.xsfg.nwfo.cszd/databases/lezzd-journal

    Filesize

    8KB

    MD5

    8e094ed8887f1ad91a0e5fc0bfb07fe4

    SHA1

    a25bedd0458f7c59a0f70d22f962974be573c7e4

    SHA256

    364517c2cb469d9dc976455c80ff3d27c7361abfca58a75824dfdd01234ca387

    SHA512

    500ae03e915d49110dc4eb8d1adb3cf98c408cc632934af488010cb1d388edcc4d1414d59aed55551a6616b7dfb2076228afec526f27df5eabbf6d3575464838

  • /data/user/0/com.xsfg.nwfo.cszd/files/.um/um_cache_1728936705322.env

    Filesize

    650B

    MD5

    06170079b0807b2c70b1d3f5bfb65508

    SHA1

    327626dcf799001c012e9375f4a3e12cf89012b6

    SHA256

    70a6dc6e554f867510d7634c2fd0891b6fde21be0b04f79c0a66e4392836d040

    SHA512

    4ccdedb9ce09f5202e1285d9c8adb67922d08b60446d39d1c61e0dc69ff32cad885c0269add150db4aefec06ea19ac4c970c5cb12785fd63e15bd5344134913a

  • /data/user/0/com.xsfg.nwfo.cszd/files/.umeng/exchangeIdentity.json

    Filesize

    162B

    MD5

    5dfe662d14b8bcaecf8a1382ca810fd1

    SHA1

    09234658090a5bc9cd5b0e5f9ca9d3d1b8cbd59c

    SHA256

    97c079118f41da37fa962f154390c62169f0fed47eee79cf5336e0b267c82fa6

    SHA512

    3d6bd7cc1eeb77f2f552fb26ba2432f9b4f4e5a3fe170040c217cea930c30e02fcf018ee45dfab6d2f9bba13236ab3dd085162210cd80d326f37078651ea64b6

  • /data/user/0/com.xsfg.nwfo.cszd/files/umeng_it.cache

    Filesize

    352B

    MD5

    b50c7a5979124c43dfd61be3c1889bc1

    SHA1

    b80862c49b278519cef84e0d678867fbd3731d7e

    SHA256

    273497eb23aca5a21fd350e8113004b2b7eb4f58a2413acc7e4d5a9aa16bb514

    SHA512

    c1e72b2d6a5eb46948bd8a3c2aeb28cf38bf9ce724afdb46c26931804c029fdf2eb619fc8ba9015c34b8e30892a7d2ae70d2e69ab3cd5a8040d00cf69dbe919c