Analysis

  • max time kernel
    87s
  • max time network
    130s
  • platform
    android_x86
  • resource
    android-x86-arm-20240624-en
  • resource tags

    android, arch:arm, arch:x86, image:android-x86-arm-20240624-en, locale:en-us, os:android-9-x86, system
  • submitted
    17/10/2024, 13:27

General

  • Target

    5237db4fc88723d8ff2ad36eca190c3a_JaffaCakes118.apk

  • Size

    1.5MB

  • MD5

    5237db4fc88723d8ff2ad36eca190c3a

  • SHA1

    f37b5989319fab2e34a0ab348d1ec0d96efffdd9

  • SHA256

    0cfdff6fcee391b9f8c7edad51cd3c081f0cf3259966371c4e2770f3a4b51cfe

  • SHA512

    36e25e4bf5037e0291cf745df48dd4deae05402a94f599a115530ae349f6f1956995294d0c972c2bfc812c689e07af8380e7d3a507882c0cc95888a66c1d76b1

  • SSDEEP

    24576:/ZtzEQ7Blgt8k+igQF1mfqV0qAHCBKPuhk7C9vatjFt38ObVdDdw12IDIPPWYFL7:/ZJ9C+k+rQFkNiBKPu5U9Ft3/r5cIPPr

Malware Config

Signatures

  • Checks Android system properties for emulator presence. [1 TTP, 2 IoCs]
  • Loads dropped Dex/Jar [1 TTP, 2 IoCs]

    Runs executable file dropped to the device during analysis.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) [1 TTP]
  • Domain associated with commercial stalkerware software, includes indicators from echap.eu.org [1 IoC]
  • Queries information about active data network [1 TTP, 1 IoC]
  • Queries information about the current Wi-Fi connection [1 TTP, 1 IoC]

    Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

  • Uses Crypto APIs (Might try to encrypt user data) [1 TTP, 1 IoC]
  • Checks CPU information [2 TTPs, 1 IoC]

Processes

  • com.fittg.qvvbmmn
    1⤵
    • Checks Android system properties for emulator presence.
    • Loads dropped Dex/Jar
    • Queries information about active data network
    • Queries information about the current Wi-Fi connection
    • Uses Crypto APIs (Might try to encrypt user data)
    • Checks CPU information
    PID:4252
    • /system/bin/dex2oat --debuggable --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --debuggable --generate-mini-debug-info --dex-file=/data/data/com.fittg.qvvbmmn/posrr.jar --output-vdex-fd=45 --oat-fd=46 --oat-location=/data/data/com.fittg.qvvbmmn/oat/x86/posrr.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4285

Network

        MITRE ATT&CK Mobile v15

        Downloads

        • /data/data/com.fittg.qvvbmmn/databases/cc/cc.db

          Filesize

          36KB

          MD5

          ce6135aa1b1fe4f2c2db2a546d2a5558

          SHA1

          79b59582154017aadab783dc266fcb158c252940

          SHA256

          7b45f576c08c7f78220168cca4a0e33198b13e9bdc8b1da406ddb6887412000c

          SHA512

          2839075fe374c8567c839ae35ce2d33ec72fdaebf170aa7d224b555e5b0e74d4a43f2f67d17ed806dae841da883e9620d788ea052d06152678afa927307c7ce4

        • /data/data/com.fittg.qvvbmmn/databases/cc/cc.db

          Filesize

          36KB

          MD5

          5d7ea1a23af19b4340cc8d90f28297d5

          SHA1

          4cfe95b23a9e98378d69c4290af81b51fbe76aea

          SHA256

          474c4a54534ed96beacad7cc9a805a3f53ec9c0522fc7bcc59771cf500a6a0da

          SHA512

          33071f4c92da0a3df01c4a61dd165df7c7e0f4f37753cafe02d19fc876a5e7fcbb01c069c804e140ab8bfa0644a55f50fd1373646d1c439f817baa5ffbd47f7b

        • /data/data/com.fittg.qvvbmmn/databases/cc/cc.db-journal

          Filesize

          512B

          MD5

          b284b9a711ffb576a8877b9c91b16418

          SHA1

          ac315dbee2751c597f8523bbd52cc406fe460ca1

          SHA256

          a8998601f6431d2513311a3213cb7a848fe39e6a5540c5f88ad39696c22200cb

          SHA512

          3e6066f470993b826a2ea9f63270edf6e3eb88c1f19fb66e4a78d25049d9eb16a2f7f11342b51fb3a89f448183badcecdc8af637b807486cee90718146924efc

        • /data/data/com.fittg.qvvbmmn/databases/cc/cc.db-shm

          Filesize

          32KB

          MD5

          bb7df04e1b0a2570657527a7e108ae23

          SHA1

          5188431849b4613152fd7bdba6a3ff0a4fd6424b

          SHA256

          c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

          SHA512

          768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

        • /data/data/com.fittg.qvvbmmn/databases/cc/cc.db-wal

          Filesize

          48KB

          MD5

          4707319659e15c90d9457278e314ca7d

          SHA1

          b98e6d7202b6e29255039f9739c57c9feb841d6a

          SHA256

          ba91a0ff9a79531941990a323857c70d7f395c294ef2c22f5bbfa8dea67b772b

          SHA512

          db0973b3f9f22f7cdfc71e78a30900ccc2d1a6ee326065fd8f3a0e70b1feba4bde611429045223e5be2eec4b0f0ec93dc49a70fa5fd936a8eb317cd5f1f3255c

        • /data/data/com.fittg.qvvbmmn/databases/cc/cc.db-wal

          Filesize

          16KB

          MD5

          083d240ee67f3b5330bc605483152ef5

          SHA1

          f82c1871b75a0ef6df5ca0dcb49071c512a96773

          SHA256

          a775751de6e9df52c354fb80f814c4156235ceee38f1b6bbff612329e2aea107

          SHA512

          e861819e201b5ce5228851ee8fde370011627ea4a37b493ea49a4fd7b3ae56592896acc887d8b50516f07767760d9f791f75246ce4d7f350ec62ac2814cdacef

        • /data/data/com.fittg.qvvbmmn/files/.deviceid

          Filesize

          32B

          MD5

          f2b4bf6e97614db8bffc8ab4055baf4a

          SHA1

          d2cd7c38e5723c3d2e4f73e7b0d60db7a1dc1ad4

          SHA256

          57d18a74c80370fa02fcb7025754444f4daea409ff962051d79368baa9f00b68

          SHA512

          423af2cd99472e76a8680e2c12e9a2d4fbef03cd930c501a1e450d13698df1e71fca681058bed96f36e5fe4a09d814b672105c05c87a802cd320bbe263c2bd89

        • /data/data/com.fittg.qvvbmmn/files/.um/um_cache_1729171740930.env

          Filesize

          1KB

          MD5

          8a75e223012ff1fdde39ada31f130322

          SHA1

          392acc9478ee32d2f1b091e978bd24cc3c8e27e4

          SHA256

          e01630354634b0f8232892a18e2130ee7e9b6517ad40dd820abbd5e962d95e32

          SHA512

          389a4d560f8d598ed890cea59ef7569cbbafab3d1d911ab2a94b54259db0d2deec4eef0af051eafcf67cfd279935bfccd8875d59ae31c0299a58b9cc1b94b458

        • /data/data/com.fittg.qvvbmmn/files/.umeng/exchangeIdentity.json

          Filesize

          162B

          MD5

          82e2da9a65b5fe3432d17f077450172b

          SHA1

          9b367eaf792c2aa90a91897a605d059a9bbf3231

          SHA256

          588b56f4fd4a1b8a93dfe6e9a47126c84d36aaf0b1593d2384a3bc0fdbbd5470

          SHA512

          b049a17aa9475b52ace67b67faf3869cc1333a9276953bee4c9e28d417560078a43db96e32a5797c8a63ec3420456296ca97d71060acdac8b42c52b13e5d6dcb

        • /data/data/com.fittg.qvvbmmn/files/qdbh

          Filesize

          5B

          MD5

          66df243d406353d0e9db6c5dd027d2d6

          SHA1

          a95eedef9091a0498339e0abc4388fd1b4a3da12

          SHA256

          29433eae6f7f1308d9799275f3a90a0afe1fef0e1818a7c7a4f0aa686493fecb

          SHA512

          c71660ba645c1080a296f0be0ea98dc10e391fae491c08619e8edeba27c9a8d122323e388ce5fd32e4669440b7cdc72b767b7b290829f9102e5acc9f7306068a

        • /data/data/com.fittg.qvvbmmn/files/umeng_it.cache

          Filesize

          498B

          MD5

          e7ffee1cfc8f96a2e89b6edc57d46439

          SHA1

          0aa185ed73f858abd4847056507f6bad424c7a5f

          SHA256

          fe6da18b39361a44fcce34a5298e70318db5b8977ce6bfa618137dad2aa00c41

          SHA512

          ec286f0e6c5895dc13e70cd48e4c2f9e858cb7acc1ba74f7218b62bf554549db5e325d31d16d89dd6f8dd6fc444b2b8bb8b77f8c6caa6822a009844570fbad81

        • /data/data/com.fittg.qvvbmmn/posrr.jar

          Filesize

          1.1MB

          MD5

          79738c91f8538709a618484e6e2f1ebf

          SHA1

          75a58cb5c1906041191e3e9f945aadbaba7fef26

          SHA256

          bb9277e4b9808ab386cd2c269a4fa443034e176ddbdbf166aeb3aff469370986

          SHA512

          d20b0ebcde5f6f7aa281182e8b20423f8e7eb6f6e219a5b874742bd18035f53bdb1bca2db7b8e2b17e419ca83e2ec4bb6de75d81ed5626914a86a2c4d5439746

        • /data/data/com.fittg.qvvbmmn/posrr.jar

          Filesize

          2.6MB

          MD5

          96b7d19d02f70c5ae0b0679ce704026a

          SHA1

          bb9230d1b3c5cf63a8ea86f0b567e85d0bfbf82e

          SHA256

          e88362458dd10dec046b401232edc98b36653fafdba683c0f696feae616e1a8d

          SHA512

          2b93cfee34875037383d308864d456dff49ca2a88305444c627868a86ad30eea946e3cdaeb93b488937fe0d423ee7741ff2455872b941096598d88ebab5526c4

        • /storage/emulated/0/.DataStorage/ContextData.xml

          Filesize

          111B

          MD5

          d958617d8c50c5a2d3e2d86951d26063

          SHA1

          dcba2f3caec5b54204f3f1289af0af1134a83fc4

          SHA256

          90c929829a3413f82bcb199fd053ce34c221735732f3add6cd17374db5428112

          SHA512

          efbd5079614e76dafda4c0c7f0a3728937bc9f35733f132d73c5c85bcd965b803964c9e35e323f102d6bf6df9531445a6ad4356ca732c0c9517aaf6c49313969

        • /storage/emulated/0/.UTSystemConfig/Global/Alvin2.xml

          Filesize

          65B

          MD5

          9781ca003f10f8d0c9c1945b63fdca7f

          SHA1

          4156cf5dc8d71dbab734d25e5e1598b37a5456f4

          SHA256

          3325d2a819fdd8062c2cdc48a09b995c9b012915bcdf88b1cf9742a7f057c793

          SHA512

          25a9877e274e0e9df29811825bd4f680fa0bf0ae6219527e4f1dcd17d0995d28b2926192d961a06ee5bef2eed73b3f38ec4ffdd0a1cda7ff2a10dc5711ffdf03

        • /storage/emulated/0/.UTSystemConfig/Global/Alvin2.xml

          Filesize

          111B

          MD5

          12e11b85fd60e90ca2a98bbb13e0d43e

          SHA1

          be62636d12539e8ac629f6b7280996f06bbf073c

          SHA256

          2caa2d520cd07a4e2275df4a182578c6617debc36a93f339145b29e50ebaa413

          SHA512

          cd99a5d7ae3cc4ce423dc562f3553c432ec88279624e2f67be102acdfb8ba11c29873fea7b9c8a53ac3c8e5a7bd51f3d13a2650ae0e9b3aaabbbdf603769359c

        • /storage/emulated/0/.UTSystemConfig/Global/Alvin2.xml

          Filesize

          167B

          MD5

          3cb76dfb615717f889a4379871ee10df

          SHA1

          edc578bfa5955bee3b9b45534b647964b89ea4da

          SHA256

          bb038df214528ae4ca2148001aba0d409a5bbc9993de1af7f6874f52aab42752

          SHA512

          d537501ece33b3ebfd72adf483b3abc7ec4dcc3f756bcbcc3aa2a3c94adaac84dbba02d7adec993d172593ba2dd578cca61e71c9b2d9558e04b373c6d5b2c7e9

        • /storage/emulated/0/iapppay/statistics/com.fittg.qvvbmmn/statistics.log

          Filesize

          116B

          MD5

          1067b7dcf1e108e3e529d728d2df3f64

          SHA1

          f0252a3a97afc6fe8314032833571fb379b9b040

          SHA256

          89f024864ae1496a5887e5b53c41034e43861ab3e7ec0ec515ddae424a751812

          SHA512

          bd8171863e57a8f11a4f1c50f74b69783e1736108c6a76d11ad8a49554d603a950ac6ab48fe9159c0ce0296318ac82d48f9b0cdd1e414471537159e9ddd4dc10
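An added triage helper (example code written for this page, not part of the sandbox report or of the sample): it embeds the SHA256 values from the Downloads list above, hashes files pulled from a device or from the sandbox artifact download, attributes each match to its device path, lists the paths the sandbox captured with more than one hash (cc.db, cc.db-wal, posrr.jar and Alvin2.xml above, i.e. files rewritten during the run), and classifies a blob by magic bytes so a dropped .jar such as posrr.jar can be checked for a real DEX or ZIP header before it goes to a decompiler. The hashes are the report's own; the magic-byte table, the function names and the local directory layout are assumptions of this example.

```python
import hashlib
import os
from collections import defaultdict

# SHA256 of the submitted APK, from the General section of the report.
APK_SHA256 = "0cfdff6fcee391b9f8c7edad51cd3c081f0cf3259966371c4e2770f3a4b51cfe"

# (device path, SHA256) pairs copied from the Downloads list of the report.
# A path repeats where the sandbox captured the file more than once with
# different contents (the file was rewritten during the run).
DROPPED_FILES = [
    ("/data/data/com.fittg.qvvbmmn/databases/cc/cc.db", "7b45f576c08c7f78220168cca4a0e33198b13e9bdc8b1da406ddb6887412000c"),
    ("/data/data/com.fittg.qvvbmmn/databases/cc/cc.db", "474c4a54534ed96beacad7cc9a805a3f53ec9c0522fc7bcc59771cf500a6a0da"),
    ("/data/data/com.fittg.qvvbmmn/databases/cc/cc.db-journal", "a8998601f6431d2513311a3213cb7a848fe39e6a5540c5f88ad39696c22200cb"),
    ("/data/data/com.fittg.qvvbmmn/databases/cc/cc.db-shm", "c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479"),
    ("/data/data/com.fittg.qvvbmmn/databases/cc/cc.db-wal", "ba91a0ff9a79531941990a323857c70d7f395c294ef2c22f5bbfa8dea67b772b"),
    ("/data/data/com.fittg.qvvbmmn/databases/cc/cc.db-wal", "a775751de6e9df52c354fb80f814c4156235ceee38f1b6bbff612329e2aea107"),
    ("/data/data/com.fittg.qvvbmmn/files/.deviceid", "57d18a74c80370fa02fcb7025754444f4daea409ff962051d79368baa9f00b68"),
    ("/data/data/com.fittg.qvvbmmn/files/.um/um_cache_1729171740930.env", "e01630354634b0f8232892a18e2130ee7e9b6517ad40dd820abbd5e962d95e32"),
    ("/data/data/com.fittg.qvvbmmn/files/.umeng/exchangeIdentity.json", "588b56f4fd4a1b8a93dfe6e9a47126c84d36aaf0b1593d2384a3bc0fdbbd5470"),
    ("/data/data/com.fittg.qvvbmmn/files/qdbh", "29433eae6f7f1308d9799275f3a90a0afe1fef0e1818a7c7a4f0aa686493fecb"),
    ("/data/data/com.fittg.qvvbmmn/files/umeng_it.cache", "fe6da18b39361a44fcce34a5298e70318db5b8977ce6bfa618137dad2aa00c41"),
    ("/data/data/com.fittg.qvvbmmn/posrr.jar", "bb9277e4b9808ab386cd2c269a4fa443034e176ddbdbf166aeb3aff469370986"),
    ("/data/data/com.fittg.qvvbmmn/posrr.jar", "e88362458dd10dec046b401232edc98b36653fafdba683c0f696feae616e1a8d"),
    ("/storage/emulated/0/.DataStorage/ContextData.xml", "90c929829a3413f82bcb199fd053ce34c221735732f3add6cd17374db5428112"),
    ("/storage/emulated/0/.UTSystemConfig/Global/Alvin2.xml", "3325d2a819fdd8062c2cdc48a09b995c9b012915bcdf88b1cf9742a7f057c793"),
    ("/storage/emulated/0/.UTSystemConfig/Global/Alvin2.xml", "2caa2d520cd07a4e2275df4a182578c6617debc36a93f339145b29e50ebaa413"),
    ("/storage/emulated/0/.UTSystemConfig/Global/Alvin2.xml", "bb038df214528ae4ca2148001aba0d409a5bbc9993de1af7f6874f52aab42752"),
    ("/storage/emulated/0/iapppay/statistics/com.fittg.qvvbmmn/statistics.log", "89f024864ae1496a5887e5b53c41034e43861ab3e7ec0ec515ddae424a751812"),
]

# Assumed magic-byte table for the container formats seen in this report:
# DEX files start with "dex\n" followed by the version, ZIP/JAR with the
# local-file-header signature, SQLite databases with a fixed header string.
MAGIC = [
    (b"dex\n", "dex"),
    (b"PK\x03\x04", "zip/jar"),
    (b"SQLite format 3\x00", "sqlite"),
]


def classify(data):
    """Return a coarse format label for the first bytes of a blob."""
    for prefix, label in MAGIC:
        if data.startswith(prefix):
            return label
    return "other"


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA256 so large pulls do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def ioc_index(pairs):
    """Map SHA256 -> device path so a pulled file can be attributed to the report."""
    return {digest: path for path, digest in pairs}


def volatile_paths(pairs):
    """Device paths captured with more than one distinct hash during the run."""
    seen = defaultdict(set)
    for path, digest in pairs:
        seen[path].add(digest)
    return {path for path, digests in seen.items() if len(digests) > 1}


def scan_directory(root, pairs=DROPPED_FILES):
    """Hash every file under root; return [(local file, device path or 'submitted APK', sha256)]."""
    index = ioc_index(pairs)
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            local = os.path.join(dirpath, name)
            digest = sha256_file(local)
            if digest in index or digest == APK_SHA256:
                hits.append((local, index.get(digest, "submitted APK"), digest))
    return hits


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for local, device_path, digest in scan_directory(root):
        with open(local, "rb") as f:
            kind = classify(f.read(16))
        print(f"{digest}  {kind:8}  {local}  <- {device_path}")
    print("rewritten during run:", sorted(volatile_paths(DROPPED_FILES)))
```

Run it against the directory holding the artifacts pulled from the analysis; a match on a posrr.jar hash that does not classify as zip/jar or dex is worth a second look, since dex2oat in the process tree above was asked to compile that file as DEX.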