Analysis
max time kernel: 149s
max time network: 154s
platform: android_x86
resource: android-x86-arm-20240624-en
resource tags: android, arch:arm, arch:x86, image:android-x86-arm-20240624-en, locale:en-us, os:android-9-x86, system
submitted: 16/10/2024, 02:57
Static task: static1
Behavioral task: behavioral1
  Sample: 4b209fcc8728a49b303293bb3cfcf911_JaffaCakes118.apk
  Resource: android-x86-arm-20240624-en
Behavioral task: behavioral2
  Sample: 4b209fcc8728a49b303293bb3cfcf911_JaffaCakes118.apk
  Resource: android-x64-20240624-en
General
Target: 4b209fcc8728a49b303293bb3cfcf911_JaffaCakes118.apk
Size: 636KB
MD5: 4b209fcc8728a49b303293bb3cfcf911
SHA1: f225a2c821d32815fedc181381b29a05aa576951
SHA256: ae7d7f05f38aed97e8b18006f301a366c0a8a201241666e40a8f0f70a5c7b4df
SHA512: 5762cf8267c6bed1412f363c2294a2c3c40b2adb4c9b1ca28869b8f8f6e4f1753f80afdf2881b7ca210ebd545d52564320b6d6f7d18315b222d19fea2a03d280
SSDEEP: 12288:B14LUaxJLbCf7cznXk4gJ6Xn0AZv0eFxNMGH94vvQe6ERylTE3:r6LuUt0AZvt7Msiyde
Malware Config
Signatures
Removes its main activity from the application launcher 1 IoCs
pid | Process
4255 | com.qogc.viql.fzaz
Loads dropped Dex/Jar 1 TTPs 3 IoCs
Loads code (a dex or jar file) that was written to the device during analysis. The dex2oat invocation below is the Android runtime compiling that file on first load, spawned by the app process when a class loader opens dz.jar; it is a side effect of the load rather than a separate dropped binary, so the indicators that matter are the file path under the app's private directory and the two app processes that requested the load.
ioc | pid | Process
/data/user/0/com.qogc.viql.fzaz/app_mjf/dz.jar | 4286 | /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.qogc.viql.fzaz/app_mjf/dz.jar --output-vdex-fd=48 --oat-fd=49 --oat-location=/data/user/0/com.qogc.viql.fzaz/app_mjf/oat/x86/dz.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/com.qogc.viql.fzaz/app_mjf/dz.jar | 4255 | com.qogc.viql.fzaz
/data/user/0/com.qogc.viql.fzaz/app_mjf/dz.jar | 4329 | com.qogc.viql.fzaz:daemon
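Added example (Python; not part of this report or of the sandbox's own tooling) showing how to turn a dex2oat record like the one above into a dynamic-code-loading finding: parse the command line, flag a --dex-file that sits in an app's private data directory rather than under its install directory, and correlate it with the app processes recorded touching the same file. The command line and IoC rows are constructed from this report; the function and field names are this example's own.

```python
"""Turn a sandbox's dex2oat record into a dynamic-code-loading finding.

Added example: not part of this report or of the sandbox's own tooling.
The constants below are constructed from the command line and the IoC rows
shown in this report; the field and function names are this script's own.
"""
import re
import shlex
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Paths from which an app's shipped (installed) code is legitimately compiled.
INSTALL_DIRS = ("/data/app/", "/system/", "/vendor/", "/product/", "/apex/")

# Per-user private app storage: /data/user/<uid>/<package>/... (legacy: /data/data/<package>/)
PRIVATE_DIR_RE = re.compile(r"^/data/(?:user/\d+|data)/([A-Za-z0-9_.]+)/")

# Constructed from the report's pid 4286 command line.
DEX2OAT_CMD = (
    "/system/bin/dex2oat --instruction-set=x86 "
    "--instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt "
    "--runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate "
    "--boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m "
    "--instruction-set-variant=x86 --instruction-set-features=default "
    "--inline-max-code-units=0 --compact-dex-level=none "
    "--dex-file=/data/user/0/com.qogc.viql.fzaz/app_mjf/dz.jar "
    "--output-vdex-fd=48 --oat-fd=49 "
    "--oat-location=/data/user/0/com.qogc.viql.fzaz/app_mjf/oat/x86/dz.odex "
    "--compiler-filter=quicken --class-loader-context=&"
)

# Constructed from the report's "Loads dropped Dex/Jar" rows: (ioc path, pid, process).
LOAD_IOCS: List[Tuple[str, int, str]] = [
    ("/data/user/0/com.qogc.viql.fzaz/app_mjf/dz.jar", 4286, DEX2OAT_CMD),
    ("/data/user/0/com.qogc.viql.fzaz/app_mjf/dz.jar", 4255, "com.qogc.viql.fzaz"),
    ("/data/user/0/com.qogc.viql.fzaz/app_mjf/dz.jar", 4329, "com.qogc.viql.fzaz:daemon"),
]


@dataclass(frozen=True)
class DexLoadFinding:
    pid: int
    package: str          # package that owns the private directory
    dex_file: str         # file dex2oat was asked to compile
    oat_location: str     # where the compiled .odex is written
    compiler_filter: str  # e.g. "quicken": verify/quicken only, no full AOT


def parse_dex2oat(pid: int, cmdline: str) -> Optional[DexLoadFinding]:
    """Return a finding when dex2oat compiles a dex that lives in app-private storage.

    dex2oat is the Android runtime's own compiler; the app spawns it when a
    class loader opens a dex/jar with no compiled artifact yet. A --dex-file
    under /data/user/<uid>/<pkg>/ (not the install dir /data/app/...) is
    therefore code the app obtained after installation.
    """
    argv = shlex.split(cmdline)
    if not argv or not argv[0].endswith("/dex2oat"):
        return None
    opts = {}
    for arg in argv[1:]:
        # Only --key=value options matter here; "--runtime-arg -X..." pairs are skipped.
        if arg.startswith("--") and "=" in arg:
            key, value = arg[2:].split("=", 1)
            opts[key] = value
    dex_file = opts.get("dex-file")
    if not dex_file or dex_file.startswith(INSTALL_DIRS):
        return None
    match = PRIVATE_DIR_RE.match(dex_file)
    if not match:
        return None
    return DexLoadFinding(
        pid=pid,
        package=match.group(1),
        dex_file=dex_file,
        oat_location=opts.get("oat-location", ""),
        compiler_filter=opts.get("compiler-filter", ""),
    )


def loaders_of(dex_file: str, iocs: List[Tuple[str, int, str]]) -> List[Tuple[int, str]]:
    """App processes (excluding dex2oat itself) recorded touching the dropped dex."""
    return sorted(
        (pid, proc) for path, pid, proc in iocs
        if path == dex_file and not proc.startswith("/system/bin/dex2oat")
    )


def owner_matches(finding: DexLoadFinding, process_name: str) -> bool:
    """True when the loading process belongs to the package owning the private dir.

    Android names secondary processes "<package>:<suffix>", so strip the suffix.
    """
    return process_name.split(":", 1)[0] == finding.package


if __name__ == "__main__":
    finding = parse_dex2oat(4286, DEX2OAT_CMD)
    if finding is not None:
        print(f"dynamic code load: pid {finding.pid} compiled {finding.dex_file} "
              f"(filter={finding.compiler_filter}) -> {finding.oat_location}")
        for pid, proc in loaders_of(finding.dex_file, LOAD_IOCS):
            print(f"  loaded by pid {pid} {proc} owner_ok={owner_matches(finding, proc)}")
```

The owner check matters in triage: a dex compiled from another package's private directory would point at a different problem (a compromised or shared-UID app) than the self-dropped payload seen here, where both com.qogc.viql.fzaz and its :daemon process load the same dz.jar.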
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
Queries account information for other applications stored on the device 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect account information stored on the device.
description | ioc | Process
Framework service call | android.accounts.IAccountManager.getAccountsAsUser | com.qogc.viql.fzaz
Queries information about running processes on the device 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about running processes on the device.
description | ioc | Process
Framework service call | android.app.IActivityManager.getRunningAppProcesses | com.qogc.viql.fzaz
Domain associated with commercial stalkerware software, includes indicators from echap.eu.org 2 IoCs
alog.umeng.com is the logging endpoint of the Umeng analytics SDK, which is also embedded in a large number of benign apps; on its own this is a low-confidence indicator and should be weighed against the dynamic code loading and account/process enumeration recorded above.
flow | ioc
39 | alog.umeng.com
5 | alog.umeng.com
Queries information about active data network 1 TTPs 1 IoCs
description | ioc | Process
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | com.qogc.viql.fzaz
Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
description | ioc | Process
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | com.qogc.viql.fzaz
Reads information about phone network operator. 1 TTPs
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
description | ioc | Process
Framework service call | android.app.IActivityManager.registerReceiver | com.qogc.viql.fzaz
Checks CPU information 2 TTPs 1 IoCs
description | ioc | Process
File opened for read | /proc/cpuinfo | com.qogc.viql.fzaz
Processes
com.qogc.viql.fzaz (PID 4255)
  - Removes its main activity from the application launcher
  - Loads dropped Dex/Jar
  - Queries account information for other applications stored on the device
  - Queries information about running processes on the device
  - Queries information about active data network
  - Queries information about the current Wi-Fi connection
  - Registers a broadcast receiver at runtime (usually for listening for system events)
  - Checks CPU information
  child: /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.qogc.viql.fzaz/app_mjf/dz.jar --output-vdex-fd=48 --oat-fd=49 --oat-location=/data/user/0/com.qogc.viql.fzaz/app_mjf/oat/x86/dz.odex --compiler-filter=quicken --class-loader-context=& (PID 4286)
    - Loads dropped Dex/Jar
com.qogc.viql.fzaz:daemon (PID 4329)
  - Loads dropped Dex/Jar
Network
MITRE ATT&CK Mobile v15
Defense Evasion
- Download New Code at Runtime (1)
- Hide Artifacts (1): Suppress Application Icon (1)
- Virtualization/Sandbox Evasion (1): System Checks (1)
Downloads
Filesize: 105KB
MD5: 7f1e0fe2e6a0618b6c84d48ea0586b6d
SHA1: dea54fa91f9f431b85e8c4048244a1c3c4b16665
SHA256: 4225d0ce3922e9bfd5828c3507b26226b8f08f3b03d8fcf594dbf36835a9519e
SHA512: 7a9e77b9ee66c7cc5d406389c8dd4f344b02c8449cfcd581586d16ce895ed0fa77f6fc8c767c32b92e75863d8133422b4ed3057f54999c3fef031146602e5df6

Filesize: 541B
MD5: c5318b3f52dc8282a8329b25ae280ba3
SHA1: 6a73bec60c808aad411f4b2989dcb8a245f01d0f
SHA256: 41040b16dcf1255170918f86de07f81311f1f37d02aab53e811f1621325661fa
SHA512: c462557da4a767b7cd3b6306138da285dfdc756f784429c8c59828e1a57ee82bd3a208ce5fa1ecae62bb52fbed66379085b3c913959a3924088dc3c443e2e36d

Filesize: 105KB
MD5: fc1eb8c18ddc0f8727b5fb5eba8ca870
SHA1: af6d64fe2432bece4c523066a57f35be8f175a48
SHA256: 7f4e38a3ac4fae5a400648d200d8b9897dc28606722dba44c43e5582182e5fe9
SHA512: 25e5c0eafb925a6b3c6d9f8622b95d07fd8e63be2689859733b10ed65fa7f7e56e5453da64d9bd7bd7c3345f6c1a90a5dd34de9b0788f4ba080689758d5d4e66

Filesize: 4KB
MD5: f2b4b0190b9f384ca885f0c8c9b14700
SHA1: 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256: 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512: ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

Filesize: 512B
MD5: db469a93df570d8e367ff685d762b5e1
SHA1: 372e62c9a027e40d5163aabc31e3c46df45d36d5
SHA256: ae9f85a29289c928f63908f9b0066d240335487a862f978194f4ac271565629e
SHA512: 07da45b327676c5dcf6274ee41fb751eafaa1e9c3c38149879c7f6191c83b67fe9b2d81ed09631476402feb69c6902811724d5ccfd209f142bb46c2bc64bc72b

Filesize: 32KB
MD5: bb7df04e1b0a2570657527a7e108ae23
SHA1: 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256: c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512: 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Filesize: 60KB
MD5: 60ff38dc7d9d0a3a4a005d5b6e2e9e85
SHA1: aafe2e6e42a8fedda223f6d9b5a847a271ba6522
SHA256: 7dc7d02d4793686afc3f18a5ac8b5a7d0314c64199eacece5cfcb67af98c1401
SHA512: 25cf8ff950282910687c13601913950d6e6c33294172122e1256745a7ea9fd3eaf947357969c2ec497bdb0e2d557ce5bd32c7882701e6c5996d61a15062c140e

Filesize: 684B
MD5: 358670241981dc58de044b9714088848
SHA1: 2df5593e4e22bab059cbefda243142f5a80d6a50
SHA256: 65b06e16690976cd4a750fb3e48c0943c068f0cf990de2abceddfab12b9601d8
SHA512: 8b43e902be4d1cc74b3aef7d4f7e07575073abaf1df87d0d92304e5eab78b9ff75b378f0bfb1e2f650b1fc3d024525cff00be16a9acf398c1bf0ad8170f56bd1

Filesize: 162B
MD5: 2e5ad1c759947752d61e7347946024a2
SHA1: a26812a411af95bba1bd7cec6b51ef6d4d10e774
SHA256: 0c2808df1723fa478ff726d220be02cfb0800ace0707b6aef7272fb948769c79
SHA512: 3df16ab38728151244eee02248be4a0d1f9ba68e3265d1dcd28764c8abff30360a1d409d2bfaa0f79b3f4a2173d848b946b8880361a79baa05d13f8841ad6eea

Filesize: 867B
MD5: 4fb0f9944fa6f034a7cf546ae0ceade5
SHA1: b588ca2186c40f2b1dc0ee05ea8074698a1b226e
SHA256: 932c8144a5e0afa2e41983110ae7adb35102f2f9be367603b03b39c746ecccc8
SHA512: 6e7cb8799453ba2deb7bceb8e246cbe75124792f860f99845715c1ae9b6bb6c4cbf35b8e93110c00395ca93a36b2c1c315dc528c3b162c65765cf42c2e551349

Filesize: 415B
MD5: 26e2fe9109ca15dcc9e9571c89c8726a
SHA1: b3dd292ea474c803fdeb045ee2427045889986d4
SHA256: f93e60aec083e7b09f36da02979381c2f1363a7c823f8453b85ee3fbb80b8dd0
SHA512: 28a8b7c172bee15552f5c1fa55636eb5d8180ab9c51cda37338c750c1ce22485d00594c91a0e3d47e829e25132a8d30673c87bd5902a9a8a78897953c287b3b7

Filesize: 249KB
MD5: eb4b1f8a3354e8b5c30a253c771196ab
SHA1: 5c721a6d50b607c91d6b900b4a21a09680f6149e
SHA256: dee0215de8f0bf8acfc41aa199e605f30178a969cb5821a977e865b69773b3e2
SHA512: a7ce9f9612de9c987392c28f2ded37dbe991f3b61022ac5ad797230c294606a69030182a62df3f8ce98ee50b42a4a38eda9bc297332cc4b46b3f478cae6fe1b6

Filesize: 249KB
MD5: 789a4162427149dd5e519f917ead0e29
SHA1: d2bd738c28ec21c0441c6daaefc206a6a76f8e1c
SHA256: 830643d652f95c85fa7665c202f93822b08f106cfeae9202a8a7d894292a36c0
SHA512: b6a8d5c20792cea1035a7f7684bc03b3f184a0bbba3f5c322b26cc75fd50002e749882d6ac6177a93115ce93b1b3d4721f4449d2007ad700e0633a11579f7e37