Analysis

  • max time kernel
    149s
  • max time network
    131s
  • platform
    android_x86
  • resource
    android-x86-arm-20240624-en
  • resource tags

    android, arch:arm, arch:x86, image:android-x86-arm-20240624-en, locale:en-us, os:android-9-x86, system
  • submitted
    16/10/2024, 03:25

General

  • Target

    4b355c6f124e5f6454109c2d58d21ae3_JaffaCakes118.apk

  • Size

    1.3MB

  • MD5

    4b355c6f124e5f6454109c2d58d21ae3

  • SHA1

    cfcbf10f2f8169ec0092ef005108abab401d2555

  • SHA256

    c6ee0d569566c76f6b7e11c615e51a5056e07ae618eb930b82923738614fc5ba

  • SHA512

    9efe79db5075173cad4fab61bfabc28f91682eeaa1cdc2611d89d9753eaeb78e838f53b1d4344b683fa9bf5d7190a16938c18e2f91904629dfd88904516007ff

  • SSDEEP

    24576:eWQXoL0otaYtXMRCnEOn8wB7PvQ4jTo+j0jT+lq/13tdHbZKm51Ob83z:eSQ7Yt6CnEQfB7PvQ4j/YjT+lq/1XHNF

Malware Config

Signatures

  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 3 IoCs

    Runs executable file dropped to the device during analysis.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Queries account information for other applications stored on the device 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect account information stored on the device.

  • Queries information about running processes on the device 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about running processes on the device.

  • Domain associated with commercial stalkerware software, includes indicators from echap.eu.org 2 IoCs
  • Queries information about active data network 1 TTPs 1 IoCs
  • Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

  • Reads information about phone network operator 1 TTPs
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
  • Checks CPU information 2 TTPs 1 IoCs

Processes

  • com.clul.ifoe.zzhm
    1⤵
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Queries account information for other applications stored on the device
    • Queries information about running processes on the device
    • Queries information about active data network
    • Queries information about the current Wi-Fi connection
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Checks CPU information
    PID:4254
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.clul.ifoe.zzhm/app_mjf/dz.jar --output-vdex-fd=48 --oat-fd=49 --oat-location=/data/user/0/com.clul.ifoe.zzhm/app_mjf/oat/x86/dz.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4287
  • com.clul.ifoe.zzhm:daemon
    1⤵
    • Loads dropped Dex/Jar
    PID:4325

Network

        Downloads

        • /data/data/com.clul.ifoe.zzhm/app_mjf/ddz.jar

          Filesize

          105KB

          MD5

          23ba0b249042b7ba33e92c0199b0ea4a

          SHA1

          99b13ee9f7307316c2337953fceed87e9942b794

          SHA256

          1ed0751a141b17c80a921f5e8ba90c66a56b8e73156f5cbe133b57d550ca4ef2

          SHA512

          0cc88e2b7c2ffa4db274d690e3bf12098ec804b9fcd9e92b57d2fa0c4161031d2e84c91d86ba8e2b6e8b4837852defa099333f76bcd454c67b31632d0cdd4861

        • /data/data/com.clul.ifoe.zzhm/app_mjf/oat/dz.jar.cur.prof

          Filesize

          620B

          MD5

          33834f64a4eed6154c0b6f34b9f99d4f

          SHA1

          4bb3fb9abd4f9bdc2c87a494a1ae659a92d97b24

          SHA256

          070daa997f56545956cfa5ebaa857a03244e4d43d8550b34c74126266888d28a

          SHA512

          e603e1c3d4a731f43ff5b8482b5b130e27f2ea3257f54eedda4e20c68b14dea4f836a11779d0deaf3540594e4c8e62c3a8be4ee338579da1437b381d499c5bdb

        • /data/data/com.clul.ifoe.zzhm/app_mjf/tdz.jar

          Filesize

          105KB

          MD5

          293ea5f01e27975bed5179ba79d80eac

          SHA1

          c5b0806a537fd1cb753e11f1a9684933317716b8

          SHA256

          8d86de68978e859c8262c0d0e932d3a1d57457b57ce88940620befab1bcead5b

          SHA512

          c7cd2881367fdf95ec4151449b359decdae1adf136388edbaaa9880c7ebd14fb3579e7a15600a856988c55d207f7ba1fd7d938f4d9168aba8a7ff1c3029d6b53

        • /data/data/com.clul.ifoe.zzhm/databases/lezzd

          Filesize

          4KB

          MD5

          f2b4b0190b9f384ca885f0c8c9b14700

          SHA1

          934ff2646757b5b6e7f20f6a0aa76c7f995d9361

          SHA256

          0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

          SHA512

          ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

        • /data/data/com.clul.ifoe.zzhm/databases/lezzd-journal

          Filesize

          512B

          MD5

          3a5be57cb69b4768bd5432b0b3c24b69

          SHA1

          b1fc6e80b424b0a0a921ce70b93e511dc41f40bd

          SHA256

          f02bce3936ee33cc6b02016c59037143660f5297e38d8c3d1cabd57fa0d76e64

          SHA512

          73fdb889d29e60ce0b7f23fdfb434597d9fd4bed2920691e8c89d8a52996fca7fcf1598f0a5ad639a8e6673ba4ab51953b506e039e216a2da701fa43c721af8b

        • /data/data/com.clul.ifoe.zzhm/databases/lezzd-shm

          Filesize

          32KB

          MD5

          bb7df04e1b0a2570657527a7e108ae23

          SHA1

          5188431849b4613152fd7bdba6a3ff0a4fd6424b

          SHA256

          c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

          SHA512

          768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

        • /data/data/com.clul.ifoe.zzhm/databases/lezzd-wal

          Filesize

          60KB

          MD5

          0af5fa09d1c1d4b07144c5eaa59fec07

          SHA1

          2af0ffaa8fd20c73ee11a18006845d30ac68b2bb

          SHA256

          01dc7e1407b540e44d07bb2a251d462d9e605b6d461e70652d688e3867f6b4e1

          SHA512

          5e029964d253f68520e5355ab649b459e0d53724c4998265dc57b30f89db3a0693e229ec217f5c10e561a34b5b39bdeca3a908c63ed0b44755539896fc7cff58

        • /data/data/com.clul.ifoe.zzhm/files/.imprint

          Filesize

          1015B

          MD5

          1cf833ad0c5f50b93d57e0d0c031cbb9

          SHA1

          21b134f24ca7ebf1d8cf7a77bbf2cc6cbc89e23a

          SHA256

          92f0a0317a43e0fdd60a00825f6ad08a958daa4dbdff99f655f23f9d9e9d4e2a

          SHA512

          776a2f28d32541300f41a345f5bd7a52d70a51b8d0300198bb41fb3b3daf8ba6db6a1024388d40ea206ef2ba516464dde9627d9f992fa49f3e3ea0919827fca8

        • /data/data/com.clul.ifoe.zzhm/files/.um/um_cache_1729049239667.env

          Filesize

          682B

          MD5

          dc95f395a3aa2be0fa9bdc3de2d97e30

          SHA1

          ba354196c3446468d2166026e395045b488c95a9

          SHA256

          d67bd8cd681bdfb71991418891945b746b060db40c01ae04ba355b9207e3b085

          SHA512

          fe69ee2db551a7b72f134774d8863bc5431b3712d93c8d488a44b907dfce1a17a2de24b82fb87d41f91bf5096459fc1bf307902677e37fea729222ab5251a586

        • /data/data/com.clul.ifoe.zzhm/files/.umeng/exchangeIdentity.json

          Filesize

          162B

          MD5

          878de65f9e54d04a762d036ba7df8b3e

          SHA1

          a392a0236f85c2e7aeae0d9b15aa8eafb4e6d6be

          SHA256

          1115be7d040059ca6fe97c06f9995711d5ab6c1bdf1f165242a42eea9f11bafa

          SHA512

          b467fc76e38bac7f3a58103a703d44aa70f91b9c5f920333b7eaa29ba266c1b91514184511e11883e70998081a1ea404b7d8a89b84ff9bae1428f570901b03e2

        • /data/data/com.clul.ifoe.zzhm/files/mobclick_agent_cached_com.clul.ifoe.zzhm1

          Filesize

          1KB

          MD5

          06b20b6b92ef24d5fda384d7677901b4

          SHA1

          340e31f93bacec41c2698e0ecea87706be18346f

          SHA256

          9181a39660485b69e581ca0acdf8713fcfab2f3fecb27c94a09752f31dbb51e7

          SHA512

          572b16ce08d7bff47d7c96b4934dc2bb659cb9711418a789ace631a49fdb22df798d1a2fa8501204812ee3ef963b41543afec4a373bde5b86acc115eb246c9f0

        • /data/data/com.clul.ifoe.zzhm/files/umeng_it.cache

          Filesize

          415B

          MD5

          80e5559afcf0b4f6afc6f90a7eedd085

          SHA1

          2c290f39fccc7b4297272e05d76f729abe009840

          SHA256

          c1f197660121a8862bd7d0aef792eccbd0783c131cd35af3a9259175bd52ff26

          SHA512

          ff2e8a8276cf322df5d36e9cd46b337919cc5da311cf6f2fffd93275cb09c94b12d413bd44bd49490d3d8ed7a71cc9e4ab88aaac78768c3427dd59ff6b677540

        • /data/user/0/com.clul.ifoe.zzhm/app_mjf/dz.jar

          Filesize

          248KB

          MD5

          9b47e78a6ff90cce5755ce4742047627

          SHA1

          831b24aa9e116eb8d7065efd430088d419dfd6c7

          SHA256

          30d7699b73fd7f276945415c405c12bff69c5958d12f56265a768443f6fd8cae

          SHA512

          4587a5b26f13cbd0524eade71ed29203fc55029fe150fce850016aa7d9c578623cdc4b6a551bed3dec9e31a39563f8927cfcc9d21e2d83c2c781808b958446fc

        • /data/user/0/com.clul.ifoe.zzhm/app_mjf/dz.jar

          Filesize

          248KB

          MD5

          a54a18b58c6720991c021f433dfb2a46

          SHA1

          d2ffa07919f92b6e04914e39843f08fdb2a75b68

          SHA256

          3dd88e4418bd4271af728fc6436c873a55e6b6f5c8ed241ee2cb0ee24fe3f7f3

          SHA512

          e4a51b2462b247b1e5fbd947d06a2eba334f18398daadacbabcb4185f4255f05c22d656a8837a6088ffbdcaedfbdfbd8281c5dad4880c4e5021571e3fefc88cc
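Two observations in this report are worth pulling out mechanically. The dex2oat invocation under PID 4287 compiles /data/user/0/com.clul.ifoe.zzhm/app_mjf/dz.jar, a file the package wrote to its own private storage rather than code shipped in the installed APK, which is what the "Loads dropped Dex/Jar" signature is flagging. The Downloads list also records that same dz.jar path twice with two different SHA256 values, so the file was replaced at least once during the run. The Python below is an added example, not part of the sandbox report or of the sample, showing how to extract both from report data: it parses dex2oat command lines for a --dex-file outside the system and /data/app install locations, and groups dropped-file hashes by path. The dex2oat line and the JAR hashes are copied from this report; the second, benign dex2oat line for a hypothetical com.example.app under /data/app/ is constructed for contrast.

```python
"""Added example (not part of the sandbox report): flag runtime code loading
from a process tree and spot dropped files that changed during the run."""
import re
import shlex
from collections import defaultdict

# Where code installed via the package manager or shipped with the image
# lives. dex2oat compiling from anywhere else means the package itself wrote
# the DEX/JAR at runtime.
INSTALLED_CODE_PREFIXES = ("/system/", "/vendor/", "/product/", "/apex/", "/data/app/")

# App-private storage: /data/user/<userid>/<package>/... or /data/data/<package>/...
APP_PRIVATE_RE = re.compile(r"^/data/(?:user/\d+|data)/([A-Za-z0-9_.]+)/")


def parse_dex2oat(cmdline):
    """Return {flag: value} for the --flag=value arguments of a dex2oat command
    line, or None if the command is not dex2oat. Flags that take a separate
    value (--runtime-arg -Xmx512m) are not needed here and are skipped; a
    repeated flag keeps its last value."""
    args = shlex.split(cmdline)
    if not args or not args[0].endswith("dex2oat"):
        return None
    opts = {}
    for arg in args[1:]:
        if arg.startswith("--") and "=" in arg:
            key, value = arg[2:].split("=", 1)
            opts[key] = value
    return opts


def flag_dynamic_loads(processes):
    """processes: iterable of (pid, cmdline). Returns one dict per dex2oat run
    that compiled code from app-private storage."""
    hits = []
    for pid, cmdline in processes:
        opts = parse_dex2oat(cmdline)
        if not opts or "dex-file" not in opts:
            continue
        dex_file = opts["dex-file"]
        if dex_file.startswith(INSTALLED_CODE_PREFIXES):
            continue  # normal install-time or system compilation
        match = APP_PRIVATE_RE.match(dex_file)
        hits.append({
            "pid": pid,
            "package": match.group(1) if match else None,
            "dex_file": dex_file,
            "oat_location": opts.get("oat-location"),
            "compiler_filter": opts.get("compiler-filter"),
        })
    return hits


def rewritten_paths(dropped):
    """dropped: iterable of (path, sha256). Returns {path: sorted hashes} for
    every path recorded with more than one distinct hash."""
    by_path = defaultdict(set)
    for path, sha256 in dropped:
        by_path[path].add(sha256)
    return {p: sorted(h) for p, h in by_path.items() if len(h) > 1}


# Input 1: the dex2oat line from the Processes section (PID 4287), plus a
# constructed benign line (PID 9999, com.example.app) that is NOT from the report.
SAMPLE_PROCESSES = [
    (4287,
     "/system/bin/dex2oat --instruction-set=x86 "
     "--instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt "
     "--runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate "
     "--boot-image=/system/framework/boot.art --runtime-arg -Xms64m "
     "--runtime-arg -Xmx512m --instruction-set-variant=x86 "
     "--instruction-set-features=default --inline-max-code-units=0 "
     "--compact-dex-level=none "
     "--dex-file=/data/user/0/com.clul.ifoe.zzhm/app_mjf/dz.jar "
     "--output-vdex-fd=48 --oat-fd=49 "
     "--oat-location=/data/user/0/com.clul.ifoe.zzhm/app_mjf/oat/x86/dz.odex "
     "--compiler-filter=quicken --class-loader-context=&"),
    (9999,  # constructed for contrast
     "/system/bin/dex2oat --dex-file=/data/app/com.example.app-1/base.apk "
     "--oat-location=/data/app/com.example.app-1/oat/x86/base.odex "
     "--compiler-filter=speed-profile --class-loader-context=PCL[]"),
]

# Input 2: the JAR entries from the Downloads section as (path, SHA256).
SAMPLE_DROPPED = [
    ("/data/data/com.clul.ifoe.zzhm/app_mjf/ddz.jar",
     "1ed0751a141b17c80a921f5e8ba90c66a56b8e73156f5cbe133b57d550ca4ef2"),
    ("/data/data/com.clul.ifoe.zzhm/app_mjf/tdz.jar",
     "8d86de68978e859c8262c0d0e932d3a1d57457b57ce88940620befab1bcead5b"),
    ("/data/user/0/com.clul.ifoe.zzhm/app_mjf/dz.jar",
     "30d7699b73fd7f276945415c405c12bff69c5958d12f56265a768443f6fd8cae"),
    ("/data/user/0/com.clul.ifoe.zzhm/app_mjf/dz.jar",
     "3dd88e4418bd4271af728fc6436c873a55e6b6f5c8ed241ee2cb0ee24fe3f7f3"),
]

DYNAMIC_LOADS = flag_dynamic_loads(SAMPLE_PROCESSES)
REWRITTEN = rewritten_paths(SAMPLE_DROPPED)

if __name__ == "__main__":
    for hit in DYNAMIC_LOADS:
        print("dynamic code load:", hit)
    for path, hashes in REWRITTEN.items():
        print("rewritten during run:", path, hashes)
```

Only the PID 4287 line is reported: its --dex-file sits under /data/user/0/com.clul.ifoe.zzhm/, while the constructed /data/app/ compilation is ignored. The second pass returns only the dz.jar path, with both SHA256 values, which is the cue to pull both versions of the file from the sandbox rather than only the last one written.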