Analysis
max time kernel: 34s
max time network: 131s
platform: android_x86
resource: android-x86-arm-20240624-en
resource tags: android, arch:arm, arch:x86, image:android-x86-arm-20240624-en, locale:en-us, os:android-9-x86, system
submitted: 15/10/2024, 23:43
Static task: static1
Behavioral task: behavioral1 (sample 4a864138295774262f5075a9afb8c1a3_JaffaCakes118.apk, resource android-x86-arm-20240624-en)
Behavioral task: behavioral2 (sample 4a864138295774262f5075a9afb8c1a3_JaffaCakes118.apk, resource android-x64-20240624-en)
Behavioral task: behavioral3 (sample 4a864138295774262f5075a9afb8c1a3_JaffaCakes118.apk, resource android-x64-arm64-20240624-en)
The results on this page are from behavioral1, the Android 9 x86 image (android-x86-arm-20240624-en) named in the Analysis block above.
General
Target: 4a864138295774262f5075a9afb8c1a3_JaffaCakes118.apk
Size: 187KB
MD5: 4a864138295774262f5075a9afb8c1a3
SHA1: 0ff1c3bdac72eee7144d60d68522fba7acb52cd3
SHA256: c5e0fa3a4fb92d9875f30b137abd841ac546127fc22098c1fec8481415a0deb4
SHA512: f9736a110d5bdafbf1c8d8413bbda246580b461e945f803254dc2ed8f765653a62875622c4c9d9534a8358415730e30980c5eb4675a2dd85146f5beff3c51b91
SSDEEP: 3072:RiuijdGa366TJrKNwrpx8OM3bozCVxemAoyvMk5+j2dvtluD5Z+JsfAUU:R053jTJrHrpn8Vx1dy0eFlEOWvU
Malware Config
Signatures
Loads dropped Dex/Jar (1 TTP, 2 IoCs)
Runs an executable file dropped to the device during analysis. The app process (PID 4255) opened a JAR it had written to its own private storage under a dot-directory (files/.ca/), and ART spawned dex2oat (PID 4282) in the app's context to compile it to files/.ca/oat/x86/jnzPLoJZce.odex. The value "&" in --class-loader-context is ART's encoding for a class-loader context it could not describe; on Android 9 that is what a DexClassLoader or other custom loader produces, so the JAR was not on the app's normal class path. Code loaded this way does not appear in the APK's classes.dex, so the JAR should be pulled from that path for separate analysis.
ioc | pid | process
/data/user/0/com.baidu.eddw.tencent/files/.ca/jnzPLoJZce.jar | 4282 | /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.baidu.eddw.tencent/files/.ca/jnzPLoJZce.jar --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.baidu.eddw.tencent/files/.ca/oat/x86/jnzPLoJZce.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/com.baidu.eddw.tencent/files/.ca/jnzPLoJZce.jar | 4255 | com.baidu.eddw.tencent
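To turn the two IoC rows above into something reusable, here is an added Python triage helper (this editor's example, not the sandbox's code and not anything from the sample) that parses a dex2oat command line, pulls out the DEX/JAR being compiled and classifies it. The app-private path regex, the dot-directory check, the triage notes and the constructed install-time command line used as a contrast case are this example's own assumptions; the first command line is the one recorded in the report.

```python
"""Triage helper for the "Loads dropped Dex/Jar" signature.

Added example for this report, not part of the sandbox's tooling or the
sample. It parses a dex2oat command line, extracts the DEX/JAR being
compiled and explains the flags an analyst cares about. The classification
rules (app-private path regex, dot-directory check) are this example's own.
"""
import re
import shlex
from dataclasses import dataclass
from typing import Dict, List, Optional

# The dex2oat invocation exactly as recorded in the report (PID 4282).
DEX2OAT_CMDLINE = (
    "/system/bin/dex2oat --instruction-set=x86 "
    "--instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt "
    "--runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate "
    "--boot-image=/system/framework/boot.art "
    "--runtime-arg -Xms64m --runtime-arg -Xmx512m "
    "--instruction-set-variant=x86 --instruction-set-features=default "
    "--inline-max-code-units=0 --compact-dex-level=none "
    "--dex-file=/data/user/0/com.baidu.eddw.tencent/files/.ca/jnzPLoJZce.jar "
    "--output-vdex-fd=41 --oat-fd=42 "
    "--oat-location=/data/user/0/com.baidu.eddw.tencent/files/.ca/oat/x86/jnzPLoJZce.odex "
    "--compiler-filter=quicken --class-loader-context=&"
)

# Constructed contrast case: an install-time compile of an APK itself
# (package name and paths are made up for the demo).
INSTALL_TIME_CMDLINE = (
    "/system/bin/dex2oat --instruction-set=x86 "
    "--dex-file=/data/app/com.example.app-1/base.apk "
    "--oat-location=/data/app/com.example.app-1/oat/x86/base.odex "
    "--compiler-filter=speed-profile --class-loader-context=PCL[]"
)

# App-private storage: /data/user/<userid>/<pkg>/ or its /data/data/<pkg>/ alias.
APP_PRIVATE_RE = re.compile(r"^/data/(?:user/\d+|data)/([A-Za-z0-9_.]+)/")


@dataclass
class Dex2oatFacts:
    dex_file: str
    oat_location: str
    compiler_filter: str
    class_loader_context: str
    runtime_args: List[str]
    package: Optional[str]   # owning package when the DEX lives in app-private storage
    app_private: bool        # True => code loaded at runtime, not from the installed APK
    hidden_dir: bool         # True => some parent directory starts with '.'


def parse_dex2oat(cmdline: str) -> Dict[str, List[str]]:
    """Map option name -> values. Values are lists because
    --instruction-set-features and --runtime-arg legitimately repeat."""
    tokens = shlex.split(cmdline)
    opts: Dict[str, List[str]] = {}
    i = 1                                    # skip argv[0]
    while i < len(tokens):
        tok = tokens[i]
        if tok == "--runtime-arg":           # value is the following token
            opts.setdefault("runtime-arg", []).append(tokens[i + 1])
            i += 2
            continue
        if tok.startswith("--") and "=" in tok:
            key, value = tok[2:].split("=", 1)
            opts.setdefault(key, []).append(value)
        i += 1
    return opts


def assess(cmdline: str) -> Dex2oatFacts:
    opts = parse_dex2oat(cmdline)

    def first(key: str) -> str:
        return opts.get(key, [""])[0]

    dex = first("dex-file")
    m = APP_PRIVATE_RE.match(dex)
    parents = dex.split("/")[:-1]            # every path component except the file name
    return Dex2oatFacts(
        dex_file=dex,
        oat_location=first("oat-location"),
        compiler_filter=first("compiler-filter"),
        class_loader_context=first("class-loader-context"),
        runtime_args=opts.get("runtime-arg", []),
        package=m.group(1) if m else None,
        app_private=m is not None,
        hidden_dir=any(p.startswith(".") for p in parents),
    )


def findings(f: Dex2oatFacts) -> List[str]:
    """Human-readable triage notes derived from the parsed facts."""
    out: List[str] = []
    if f.app_private:
        out.append(f"runtime-loaded code: {f.dex_file} sits in app-private storage of "
                   f"{f.package}, so static analysis of the APK will not cover it")
    if f.hidden_dir:
        out.append("dropped into a dot-directory, which hides it from casual listings")
    if f.class_loader_context == "&":
        out.append("class-loader context '&' (unknown/unsupported): the JAR was not on the "
                   "app's normal class path, consistent with a custom DexClassLoader")
    if f.compiler_filter == "quicken":
        out.append("compiler-filter=quicken: no native code is produced; the .vdex written "
                   f"beside {f.oat_location} still carries the dex bytecode, so collect it "
                   "together with the original JAR")
    return out


if __name__ == "__main__":
    for note in findings(assess(DEX2OAT_CMDLINE)):
        print("-", note)
```

The same parser applied to the constructed install-time command line yields no findings, which is the point of the app-private check: dex2oat also runs on every installed APK under /data/app, and only the path tells the two cases apart.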
Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 TTP)
Domain associated with commercial stalkerware software, includes indicators from echap.eu.org (1 IoC)
flow | ioc
7 | alog.umeng.com
alog.umeng.com is the logging endpoint of the Umeng analytics SDK, which is embedded in a great many legitimate Chinese apps; it appears on the echap.eu.org list because stalkerware products bundle the same SDK. On its own this hit is weak evidence and should be weighed together with the runtime code loading above.
Queries information about active data network (1 TTP, 1 IoC)
description | ioc | process
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | com.baidu.eddw.tencent

Queries information about the current Wi-Fi connection (1 TTP, 1 IoC)
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
description | ioc | process
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | com.baidu.eddw.tencent

Queries the mobile country code (MCC) (1 TTP, 1 IoC)
The call observed returns the ISO country code of the current network operator rather than the numeric MCC, but it serves the same purpose of locating the device by carrier.
description | ioc | process
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | com.baidu.eddw.tencent

Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTP, 1 IoC)
description | ioc | process
Framework service call | android.app.IActivityManager.registerReceiver | com.baidu.eddw.tencent

Checks CPU information (2 TTPs, 1 IoC)
description | ioc | process
File opened for read | /proc/cpuinfo | com.baidu.eddw.tencent

Checks memory information (2 TTPs, 1 IoC)
description | ioc | process
File opened for read | /proc/meminfo | com.baidu.eddw.tencent
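Why the sandbox files the two /proc reads under Virtualization/Sandbox Evasion: as an added example (this editor's code, not the sample's and not from the report), the following Python sketches the environment fingerprint an app can build from /proc/cpuinfo and /proc/meminfo. Both /proc samples, the emulator marker list and the memory threshold are constructed for the demo; the x86 guest sample mirrors the CPU features the report's dex2oat line advertises (ssse3 present, sse4.1/sse4.2/avx/popcnt absent).

```python
"""What "Checks CPU information" / "Checks memory information" can tell an app.

Added example, not from the report or from the sample. It shows the kind of
environment fingerprint an app can compute from /proc/cpuinfo and
/proc/meminfo, which is why the sandbox maps those two reads to
Virtualization/Sandbox Evasion -> System Checks. The /proc samples, marker
list and memory threshold are constructed for the demo.
"""
import re
from typing import Dict, List

# Constructed x86 guest resembling the android-9-x86 image used here: ssse3
# but no sse4.1/sse4.2/avx/popcnt, and the 'hypervisor' CPUID flag a VM exposes.
CPUINFO_X86_GUEST = """\
processor\t: 0
vendor_id\t: GenuineIntel
cpu family\t: 6
model name\t: QEMU Virtual CPU version 2.5+
flags\t\t: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 syscall nx lm constant_tsc nopl pni ssse3 cx16 hypervisor lahf_lm
"""
MEMINFO_GUEST = "MemTotal:        1014520 kB\nMemFree:          301244 kB\nSwapTotal:             0 kB\n"

# Constructed ARM64 phone for contrast.
CPUINFO_ARM_PHONE = """\
processor\t: 0
BogoMIPS\t: 38.40
Features\t: fp asimd evtstrm aes pmull sha1 sha2 crc32 atomics fphp asimdhp
CPU implementer\t: 0x41
CPU architecture: 8
Hardware\t: Qualcomm Technologies, Inc SM8150
"""
MEMINFO_PHONE = "MemTotal:        7812344 kB\nMemFree:         1803244 kB\nSwapTotal:       2097148 kB\n"

# Strings that only show up on emulator / android-x86 builds (demo list).
EMULATOR_MARKERS = ("goldfish", "ranchu", "qemu", "virtual cpu", "vbox", "virtualbox", "android_x86")
MIN_PHONE_MEMTOTAL_KB = 1_500_000   # roughly 1.5 GiB; demo threshold


def parse_proc_kv(text: str) -> Dict[str, str]:
    """Parse 'key : value' lines (cpuinfo, meminfo). Keys are lower-cased;
    for multi-core cpuinfo the last core's values win, which is fine here."""
    out: Dict[str, str] = {}
    for line in text.splitlines():
        if ":" in line:
            k, v = line.split(":", 1)
            out[k.strip().lower()] = v.strip()
    return out


def parse_kb(value: str) -> int:
    """'1014520 kB' -> 1014520; 0 when the field is missing or malformed."""
    m = re.match(r"(\d+)\s*kB", value)
    return int(m.group(1)) if m else 0


def emulator_indicators(cpuinfo: str, meminfo: str) -> List[str]:
    """Return the fingerprint hits an app could derive from the two files."""
    cpu = parse_proc_kv(cpuinfo)
    mem = parse_proc_kv(meminfo)
    hits: List[str] = []
    if "hypervisor" in cpu.get("flags", "").split():
        hits.append("cpuinfo: 'hypervisor' CPUID flag set (guest of a VM)")
    if "vendor_id" in cpu and "hardware" not in cpu:
        hits.append("cpuinfo: x86 CPU with no 'Hardware' line (android-x86/emulator style)")
    blob = " ".join(cpu.values()).lower()
    hits.extend(f"cpuinfo: emulator marker '{mk}'" for mk in EMULATOR_MARKERS if mk in blob)
    total_kb = parse_kb(mem.get("memtotal", ""))
    if 0 < total_kb < MIN_PHONE_MEMTOTAL_KB:
        hits.append(f"meminfo: MemTotal {total_kb // 1024} MiB is below any current phone")
    return hits


def looks_like_sandbox(cpuinfo: str, meminfo: str, min_hits: int = 2) -> bool:
    """Decision an evasive app might take before unpacking its real payload."""
    return len(emulator_indicators(cpuinfo, meminfo)) >= min_hits


if __name__ == "__main__":
    for hit in emulator_indicators(CPUINFO_X86_GUEST, MEMINFO_GUEST):
        print("-", hit)
    print("sandbox:", looks_like_sandbox(CPUINFO_X86_GUEST, MEMINFO_GUEST))
```

Reading these two files is not malicious by itself: analytics and crash-reporting SDKs read them for device profiling. Treat the two signatures as context for the runtime code loading recorded above, and when re-running the sample prefer an image whose /proc files do not trip checks like these.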
Processes
com.baidu.eddw.tencent (PID 4255)
  - Loads dropped Dex/Jar
  - Queries information about active data network
  - Queries information about the current Wi-Fi connection
  - Queries the mobile country code (MCC)
  - Registers a broadcast receiver at runtime (usually for listening for system events)
  - Checks CPU information
  - Checks memory information
  child: /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.baidu.eddw.tencent/files/.ca/jnzPLoJZce.jar --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.baidu.eddw.tencent/files/.ca/oat/x86/jnzPLoJZce.odex --compiler-filter=quicken --class-loader-context=& (PID 4282)
    - Loads dropped Dex/Jar
Network
MITRE ATT&CK Mobile v15
Defense Evasion
  Download New Code at Runtime, T1407 (1 signature: Loads dropped Dex/Jar)
  Virtualization/Sandbox Evasion, T1633 (2 signatures: Checks CPU information, Checks memory information)
    System Checks, T1633.001 (the same 2 signatures)
Downloads (12 files; the page lists size and hashes only, no file names)

Filesize: 36KB
MD5: ce6135aa1b1fe4f2c2db2a546d2a5558
SHA1: 79b59582154017aadab783dc266fcb158c252940
SHA256: 7b45f576c08c7f78220168cca4a0e33198b13e9bdc8b1da406ddb6887412000c
SHA512: 2839075fe374c8567c839ae35ce2d33ec72fdaebf170aa7d224b555e5b0e74d4a43f2f67d17ed806dae841da883e9620d788ea052d06152678afa927307c7ce4

Filesize: 36KB
MD5: 5d7ea1a23af19b4340cc8d90f28297d5
SHA1: 4cfe95b23a9e98378d69c4290af81b51fbe76aea
SHA256: 474c4a54534ed96beacad7cc9a805a3f53ec9c0522fc7bcc59771cf500a6a0da
SHA512: 33071f4c92da0a3df01c4a61dd165df7c7e0f4f37753cafe02d19fc876a5e7fcbb01c069c804e140ab8bfa0644a55f50fd1373646d1c439f817baa5ffbd47f7b

Filesize: 512B
MD5: 5861c80b1b02507ee1e0c4db1a28570d
SHA1: ada177696044516a835db1a7b4ceddb7d2232ace
SHA256: 2465c460f783c11849e9e3ff553f40c6db3846a7106ceacac454f194a9173c69
SHA512: b0ef4bc90289dc7f775ac6e50718afcd722332e98140c27b7478b7a456e338a275a869e5f27de0cc4258b79a314ef2a01220bb7e3a995e4f9702f9009c0ea71d

Filesize: 32KB
MD5: bb7df04e1b0a2570657527a7e108ae23
SHA1: 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256: c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512: 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Filesize: 16KB
MD5: ea64a66b6c2868588ff0a8d046012653
SHA1: 2b0ecdc0d9c618644611ffc8e9cae21d740ac852
SHA256: d9c77751e03ad01957d56c059bb48ede9620c94c0888f5feb592bfe1450d0b97
SHA512: 74f027c3024813fc932d859d0273118ee1758f87f115270c19c72b3fa7062bcb2be5c5b3492fe6b07421da8f03ec84934bf6e1df9b3fe2b9255a2dc14ddf5125

Filesize: 48KB
MD5: b52a48731cce2f221aff8e874074e1f6
SHA1: 8d373ed9d58b9ed15ec830025715a33131bbe95d
SHA256: 7d356452a72439904b397cf4e9186144dd97077dd9dfe6e39c313686d3e72f9e
SHA512: 6d2b093492229345bb73039ca77fca829ff5b61f4e1ebad9b97ccf39ac8e56d50755bd7182a89e1d1401099cd224601a70eb59bec2795a14cf22d67687c22af7

Filesize: 113KB
MD5: ada2ce821b8e511f8f6add01283da13e
SHA1: cb40774aca66e6aab0cf599ad385043cedb4b3f7
SHA256: b5e870d67328f1d1026a294a8925eaecb6bbc71891176cd638f09f320f0b3251
SHA512: 864701c7cd5f335f25ab71a734fc6a13499e7e772044baf8b8dd391095e4cddb048fb0760f729df8f5cdf1a1d38c1c5dff70d0588dc1a4bcbb3beed99b93ac27

Filesize: 162B
MD5: cc1e6d33df54166fe728d897a4260eae
SHA1: 485fc5f41c83ddfd9e5b44c18fb1fdcf69d2bb5a
SHA256: 3fbe53d9ff83f4db6a8aeb1ca3d5da88e009ee9f7c8a5e71270035d9f8d122a9
SHA512: 76465b9408ce146ffac9be9997f1b870c04dfa856e2e7c7323d0ae455b6c97e463f5ba4a308d36a4eab2d4cefec2d9ae90096f8d31d8e46115672ed75c174977

Filesize: 415B
MD5: 088f88eba1899005c1814329eeec486e
SHA1: b716e22f626ff0bb159ad8a4ac27cef3da7b0c3c
SHA256: d734595dfd6ddafd16b4a4ec226af960674a3de1d858b1703d10124970ce9f8e
SHA512: 35049a56477dfa07df198fcd5bd73d54037b1d4e6ab8587fd01c731817e6ae710816fb623eb534dd3c10e93c372c89b3cd17020dae18eb98373cf36a67d58ffa

Filesize: 269KB
MD5: 8bcbba192b129aa8c13ecb053e3e3e0c
SHA1: 300c858c314e2235d207cde047ab68c27e9c111e
SHA256: 4312eca50dba77a2010da09d742bf94950650b13639c3a8e68e42bb1080ca097
SHA512: aea3d312f04831f4972e428c71302682e8165458c2dec107f1eee98ccf6294dd4f9b4fd7552def1ce7e8b8af3ef192e8a254da6b042fae7d085b03efc400c744

Filesize: 269KB
MD5: 4390d216408575cdc9ed228decd7b7a9
SHA1: de6c0a98808f1d0d22e6c5fb674799eb84666711
SHA256: 5d75cc5a1349c7205e168a3f77eb36862e872420de05dcdcf50bf36d551c2fd0
SHA512: d2a4df330e0beb72e1483caf683fa104cdb0c92894c8757b068fd34720d062532cfe47512c805ac682cb8b9af8c1104c27950e7b7ffc83d5c54dac9b9865470a

Filesize: 5B
MD5: cac029e0ca8add40d4d2aebd45308572
SHA1: 58620a1744a6814de3441b4b379883c24c3eb145
SHA256: d22f06e7707d70996e4c3e407358faf5b57f9eb359a33913befe74239393abbd
SHA512: 293b62180db178e80f947acdf96a1da42a33ecacd789b75185c4e79d7d615d284dc48b19d435c0863c6fca3627ae66933dd7f130e0cebd1b0e3010b139dc5955