Analysis

  • max time kernel
    149s
  • max time network
    154s
  • platform
    android_x86
  • resource
    android-x86-arm-20240624-en
  • resource tags

    android, arch:arm, arch:x86, image:android-x86-arm-20240624-en, locale:en-us, os:android-9-x86, system
  • submitted
    16/10/2024, 02:57

General

  • Target

    4b209fcc8728a49b303293bb3cfcf911_JaffaCakes118.apk

  • Size

    636KB

  • MD5

    4b209fcc8728a49b303293bb3cfcf911

  • SHA1

    f225a2c821d32815fedc181381b29a05aa576951

  • SHA256

    ae7d7f05f38aed97e8b18006f301a366c0a8a201241666e40a8f0f70a5c7b4df

  • SHA512

    5762cf8267c6bed1412f363c2294a2c3c40b2adb4c9b1ca28869b8f8f6e4f1753f80afdf2881b7ca210ebd545d52564320b6d6f7d18315b222d19fea2a03d280

  • SSDEEP

    12288:B14LUaxJLbCf7cznXk4gJ6Xn0AZv0eFxNMGH94vvQe6ERylTE3:r6LuUt0AZvt7Msiyde

Malware Config

Signatures

  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 3 IoCs

    Runs executable file dropped to the device during analysis.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Queries account information for other applications stored on the device 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect account information stored on the device.

  • Queries information about running processes on the device 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about running processes on the device.

  • Domain associated with commercial stalkerware software, includes indicators from echap.eu.org 2 IoCs
  • Queries information about active data network 1 TTPs 1 IoCs
  • Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

  • Reads information about phone network operator. 1 TTPs
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
  • Checks CPU information 2 TTPs 1 IoCs

Processes

  • com.qogc.viql.fzaz
    1⤵
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Queries account information for other applications stored on the device
    • Queries information about running processes on the device
    • Queries information about active data network
    • Queries information about the current Wi-Fi connection
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Checks CPU information
    PID:4255
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.qogc.viql.fzaz/app_mjf/dz.jar --output-vdex-fd=48 --oat-fd=49 --oat-location=/data/user/0/com.qogc.viql.fzaz/app_mjf/oat/x86/dz.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4286
  • com.qogc.viql.fzaz:daemon
    1⤵
    • Loads dropped Dex/Jar
    PID:4329

Network

        MITRE ATT&CK Mobile v15

        Downloads

        • /data/data/com.qogc.viql.fzaz/app_mjf/ddz.jar

          Filesize

          105KB

          MD5

          7f1e0fe2e6a0618b6c84d48ea0586b6d

          SHA1

          dea54fa91f9f431b85e8c4048244a1c3c4b16665

          SHA256

          4225d0ce3922e9bfd5828c3507b26226b8f08f3b03d8fcf594dbf36835a9519e

          SHA512

          7a9e77b9ee66c7cc5d406389c8dd4f344b02c8449cfcd581586d16ce895ed0fa77f6fc8c767c32b92e75863d8133422b4ed3057f54999c3fef031146602e5df6

        • /data/data/com.qogc.viql.fzaz/app_mjf/oat/dz.jar.cur.prof

          Filesize

          541B

          MD5

          c5318b3f52dc8282a8329b25ae280ba3

          SHA1

          6a73bec60c808aad411f4b2989dcb8a245f01d0f

          SHA256

          41040b16dcf1255170918f86de07f81311f1f37d02aab53e811f1621325661fa

          SHA512

          c462557da4a767b7cd3b6306138da285dfdc756f784429c8c59828e1a57ee82bd3a208ce5fa1ecae62bb52fbed66379085b3c913959a3924088dc3c443e2e36d

        • /data/data/com.qogc.viql.fzaz/app_mjf/tdz.jar

          Filesize

          105KB

          MD5

          fc1eb8c18ddc0f8727b5fb5eba8ca870

          SHA1

          af6d64fe2432bece4c523066a57f35be8f175a48

          SHA256

          7f4e38a3ac4fae5a400648d200d8b9897dc28606722dba44c43e5582182e5fe9

          SHA512

          25e5c0eafb925a6b3c6d9f8622b95d07fd8e63be2689859733b10ed65fa7f7e56e5453da64d9bd7bd7c3345f6c1a90a5dd34de9b0788f4ba080689758d5d4e66

        • /data/data/com.qogc.viql.fzaz/databases/lezzd

          Filesize

          4KB

          MD5

          f2b4b0190b9f384ca885f0c8c9b14700

          SHA1

          934ff2646757b5b6e7f20f6a0aa76c7f995d9361

          SHA256

          0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

          SHA512

          ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

        • /data/data/com.qogc.viql.fzaz/databases/lezzd-journal

          Filesize

          512B

          MD5

          db469a93df570d8e367ff685d762b5e1

          SHA1

          372e62c9a027e40d5163aabc31e3c46df45d36d5

          SHA256

          ae9f85a29289c928f63908f9b0066d240335487a862f978194f4ac271565629e

          SHA512

          07da45b327676c5dcf6274ee41fb751eafaa1e9c3c38149879c7f6191c83b67fe9b2d81ed09631476402feb69c6902811724d5ccfd209f142bb46c2bc64bc72b

        • /data/data/com.qogc.viql.fzaz/databases/lezzd-shm

          Filesize

          32KB

          MD5

          bb7df04e1b0a2570657527a7e108ae23

          SHA1

          5188431849b4613152fd7bdba6a3ff0a4fd6424b

          SHA256

          c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

          SHA512

          768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

        • /data/data/com.qogc.viql.fzaz/databases/lezzd-wal

          Filesize

          60KB

          MD5

          60ff38dc7d9d0a3a4a005d5b6e2e9e85

          SHA1

          aafe2e6e42a8fedda223f6d9b5a847a271ba6522

          SHA256

          7dc7d02d4793686afc3f18a5ac8b5a7d0314c64199eacece5cfcb67af98c1401

          SHA512

          25cf8ff950282910687c13601913950d6e6c33294172122e1256745a7ea9fd3eaf947357969c2ec497bdb0e2d557ce5bd32c7882701e6c5996d61a15062c140e

        • /data/data/com.qogc.viql.fzaz/files/.um/um_cache_1729047523454.env

          Filesize

          684B

          MD5

          358670241981dc58de044b9714088848

          SHA1

          2df5593e4e22bab059cbefda243142f5a80d6a50

          SHA256

          65b06e16690976cd4a750fb3e48c0943c068f0cf990de2abceddfab12b9601d8

          SHA512

          8b43e902be4d1cc74b3aef7d4f7e07575073abaf1df87d0d92304e5eab78b9ff75b378f0bfb1e2f650b1fc3d024525cff00be16a9acf398c1bf0ad8170f56bd1

        • /data/data/com.qogc.viql.fzaz/files/.umeng/exchangeIdentity.json

          Filesize

          162B

          MD5

          2e5ad1c759947752d61e7347946024a2

          SHA1

          a26812a411af95bba1bd7cec6b51ef6d4d10e774

          SHA256

          0c2808df1723fa478ff726d220be02cfb0800ace0707b6aef7272fb948769c79

          SHA512

          3df16ab38728151244eee02248be4a0d1f9ba68e3265d1dcd28764c8abff30360a1d409d2bfaa0f79b3f4a2173d848b946b8880361a79baa05d13f8841ad6eea

        • /data/data/com.qogc.viql.fzaz/files/mobclick_agent_cached_com.qogc.viql.fzaz1

          Filesize

          867B

          MD5

          4fb0f9944fa6f034a7cf546ae0ceade5

          SHA1

          b588ca2186c40f2b1dc0ee05ea8074698a1b226e

          SHA256

          932c8144a5e0afa2e41983110ae7adb35102f2f9be367603b03b39c746ecccc8

          SHA512

          6e7cb8799453ba2deb7bceb8e246cbe75124792f860f99845715c1ae9b6bb6c4cbf35b8e93110c00395ca93a36b2c1c315dc528c3b162c65765cf42c2e551349

        • /data/data/com.qogc.viql.fzaz/files/umeng_it.cache

          Filesize

          415B

          MD5

          26e2fe9109ca15dcc9e9571c89c8726a

          SHA1

          b3dd292ea474c803fdeb045ee2427045889986d4

          SHA256

          f93e60aec083e7b09f36da02979381c2f1363a7c823f8453b85ee3fbb80b8dd0

          SHA512

          28a8b7c172bee15552f5c1fa55636eb5d8180ab9c51cda37338c750c1ce22485d00594c91a0e3d47e829e25132a8d30673c87bd5902a9a8a78897953c287b3b7

        • /data/user/0/com.qogc.viql.fzaz/app_mjf/dz.jar

          Filesize

          249KB

          MD5

          eb4b1f8a3354e8b5c30a253c771196ab

          SHA1

          5c721a6d50b607c91d6b900b4a21a09680f6149e

          SHA256

          dee0215de8f0bf8acfc41aa199e605f30178a969cb5821a977e865b69773b3e2

          SHA512

          a7ce9f9612de9c987392c28f2ded37dbe991f3b61022ac5ad797230c294606a69030182a62df3f8ce98ee50b42a4a38eda9bc297332cc4b46b3f478cae6fe1b6

        • /data/user/0/com.qogc.viql.fzaz/app_mjf/dz.jar

          Filesize

          249KB

          MD5

          789a4162427149dd5e519f917ead0e29

          SHA1

          d2bd738c28ec21c0441c6daaefc206a6a76f8e1c

          SHA256

          830643d652f95c85fa7665c202f93822b08f106cfeae9202a8a7d894292a36c0

          SHA512

          b6a8d5c20792cea1035a7f7684bc03b3f184a0bbba3f5c322b26cc75fd50002e749882d6ac6177a93115ce93b1b3d4721f4449d2007ad700e0633a11579f7e37