Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    android-9_x86
  • resource
    android-x86-arm-20240910-en
  • resource tags

    arch:arm
    arch:x86
    image:android-x86-arm-20240910-en
    locale:en-us
    os:android-9-x86
    system
  • submitted
    02/11/2024, 11:18

General

  • Target

    852b214817f3033c108bbb89a8edbc3c_JaffaCakes118.apk

  • Size

    550KB

  • MD5

    852b214817f3033c108bbb89a8edbc3c

  • SHA1

    a88bd5f408cb6a6fb1f14607d63c7bfb6b127ca8

  • SHA256

    5ac0d9e1ab2446c160374d0c232b446edd58190729edbc872fdd888b8f0a0b7b

  • SHA512

    4b455883b478f8eda2b4ac776928ba0b09b0acf4a6a64e35957c4eff082a93660657e7f5d70903c1ab5268c79149772787fae9b5b508efe4996f31af54d87ce3

  • SSDEEP

    12288:S4LINCjgcNUJglRMWU3ca27KT/jhaGOenVtI4eFxSMPIX:4NytUMacKDOnwM2

Malware Config

Signatures

  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 3 IoCs

    Runs executable file dropped to the device during analysis.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Queries account information for other applications stored on the device 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect account information stored on the device.

  • Queries information about running processes on the device 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about running processes on the device.

  • Domain associated with commercial stalkerware software, includes indicators from echap.eu.org 2 IoCs
  • Queries information about active data network 1 TTPs 1 IoCs
  • Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

  • Reads information about phone network operator 1 TTPs
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
  • Checks CPU information 2 TTPs 1 IoCs

Processes

  • com.qxkf.ryjx.lynf
    1⤵
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Queries account information for other applications stored on the device
    • Queries information about running processes on the device
    • Queries information about active data network
    • Queries information about the current Wi-Fi connection
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Checks CPU information
    PID:4266
  • com.qxkf.ryjx.lynf:daemon
    1⤵
    • Loads dropped Dex/Jar
    PID:4368
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.qxkf.ryjx.lynf/app_mjf/dz.jar --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.qxkf.ryjx.lynf/app_mjf/oat/x86/dz.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4399

Network

        MITRE ATT&CK Mobile v15

        Downloads

        • /data/data/com.qxkf.ryjx.lynf/app_mjf/ddz.jar

          Filesize

          104KB

          MD5

          656eec0445b1ac574b87e1bd3a98d969

          SHA1

          fe3e1ee6bac338416e47e90ed249cb82aeaf6bd4

          SHA256

          0817449409b55007ece8d2d25f6d4b075ebea09c7feabee79636176bb0794792

          SHA512

          9a2737d22a9e647eadf4752513df79fe960cb69ec9563a2d7f504b3e91a95a6081876ab068355b8db49c44ea8627a33ca94c0244c2909668bec2620dc71a27fd

        • /data/data/com.qxkf.ryjx.lynf/app_mjf/oat/dz.jar.cur.prof

          Filesize

          740B

          MD5

          edb9208ae30baf82c3a6e8feee5a7568

          SHA1

          5753e4e2d433191387452d7a2ddb476028a97cea

          SHA256

          9b1d0aec1a31e8ef9d84fbb7901bd157ec5ff0a04fa9966ed8c37d8357f8b244

          SHA512

          fd3575237810555495c1b5c68da498484b3562fe16f54a3e5eea28428fb0741ffe7ac6196537524ce82d31b662b16cad1439f367994573b02b7f0071a98fabb2

        • /data/data/com.qxkf.ryjx.lynf/app_mjf/tdz.jar

          Filesize

          104KB

          MD5

          30617d6621bcd972fcea53d04f3b2a55

          SHA1

          a0a51f60773e3a1eea2f929c8f1df896b6d71e7e

          SHA256

          157b006e48d74dc023d671b5a7e9e61f96853be434db43efa8754aecba50e12b

          SHA512

          d7735599a3186ba6ca0c6151299fc9353495e4cb4cf1b3a8aebfe6e0901e839f1027013aebb2d168c8fe2ace65fac6bbc89b56b8316e546bda879825febd1ad0

        • /data/data/com.qxkf.ryjx.lynf/databases/lezzd

          Filesize

          4KB

          MD5

          f2b4b0190b9f384ca885f0c8c9b14700

          SHA1

          934ff2646757b5b6e7f20f6a0aa76c7f995d9361

          SHA256

          0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

          SHA512

          ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

        • /data/data/com.qxkf.ryjx.lynf/databases/lezzd-journal

          Filesize

          512B

          MD5

          6e98f7593ad65e7d83ba8c59de331655

          SHA1

          dbf101bf8c43d2f9b2ec375deec913323f9c2aaa

          SHA256

          31e06cb308de3fddff42d089ec046501725f39c31bb1b6eb6fc1af935eb5b050

          SHA512

          3c1de7ed15aeda7e2cc86006e3afa31a4f5432f0a4b4658a4368ea63506f218ce89a5bac17857d31c3822ebb3aca47d9c725e84ddd4f7df32bec943737556aa5

        • /data/data/com.qxkf.ryjx.lynf/databases/lezzd-shm

          Filesize

          32KB

          MD5

          bb7df04e1b0a2570657527a7e108ae23

          SHA1

          5188431849b4613152fd7bdba6a3ff0a4fd6424b

          SHA256

          c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

          SHA512

          768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

        • /data/data/com.qxkf.ryjx.lynf/databases/lezzd-wal

          Filesize

          60KB

          MD5

          1f3e466c64fda4b38435665628706b7c

          SHA1

          c7306b2abd93efe7ea409cba03ce1517af03d2ae

          SHA256

          33e1f328c635afc00eef90fee9d73d829b2f1659ea0676aa8c575e5caf71afbb

          SHA512

          b9e5c1e11d6a0c575c6f075f2aa4acdb96d7232d30862c74b44cdc87156c338eea22585ef9d9533c1d6ea23b0da6c4ea1bc6306b49f226ab13ed0a71de594c72

        • /data/data/com.qxkf.ryjx.lynf/files/.um/um_cache_1730546377621.env

          Filesize

          682B

          MD5

          01aa5ad6674d28071ad17b45d8a74568

          SHA1

          78875c4103cc6a9201b4a3c1fadac6e6e603890b

          SHA256

          69001f14b8f8ba7b46512a662acdf150dd9ba52fdb2592f23bb7a4cf1289bba8

          SHA512

          1c1d234d01eb66dc254a8ca2f2bec610946ad7243b9249e417c4bb0fcf407fb844d406ee8f309ebc48ae30d4d4a22260370cfd775e7e560aa8a603868f58ade9

        • /data/data/com.qxkf.ryjx.lynf/files/.umeng/exchangeIdentity.json

          Filesize

          162B

          MD5

          acb0367e5e97d7ccddbdbb31c456a482

          SHA1

          1d3ebe2f0c2da65e8337f8e12e1f4dbd921c757c

          SHA256

          06ad0e4512b69bd2596e8e8b49c14f8edc349309c5a017321a9fdf006f9da53b

          SHA512

          6c6bb346d3a372fc34a2c90cf90078b2436f7f1154088b3b3abfb46035f080404d4d05e1e0e954dc4960f2f4484a409aafc41dd158a6ba14602c211f678266ab

        • /data/data/com.qxkf.ryjx.lynf/files/mobclick_agent_cached_com.qxkf.ryjx.lynf1

          Filesize

          868B

          MD5

          c2f113b0c5c9681de06d47d1fb5add69

          SHA1

          e8c5ffacb0f6716b64f8b6b0effc2948f8e5a320

          SHA256

          fdfaddf132273a1abc24a659b1715d3fc5443cc5a350d32078f2bda201af5890

          SHA512

          9288e5099690bfa60ed026e7612a03eeed80ccfae2c048cd6bf10ac3231137ba5e71a080ecdedd0092f22b69564afa5862337855422d318a35ebae59468bfa1e

        • /data/data/com.qxkf.ryjx.lynf/files/umeng_it.cache

          Filesize

          415B

          MD5

          2a3cb46ea3e5e60ccbec903b7cb87912

          SHA1

          4b1f8e91020ceac713aca727188430c2eb55ad9f

          SHA256

          ac628262e7d4f2cb111f3f0610730592e805446f6ba146112832448d792392ad

          SHA512

          72259c50c3ead4e67a33a970395111ff31f320b2e443501bdf9139c99597cc43bc4b8f32fdb3d9589103ff234890c9bd6e364260f68200507fa51a7d636e2f52

        • /data/user/0/com.qxkf.ryjx.lynf/app_mjf/dz.jar

          Filesize

          247KB

          MD5

          18cfdb00841ddceacea677d69a13ba5a

          SHA1

          df15b27afa69a8f4e0e74c250e56df55e5701172

          SHA256

          676ca8a391c823e9a3fdd7df70a1fc30f8ebd4680db0daff3e057cc401c9ad83

          SHA512

          83886e59ac0462888e9b82475ebaeca79dcbabc8a2a01a6217c0ca122e41c1d373fb878bf6e5e885b8459f259e834df91f2c8bf30a2a52824e298a65d6dda86a

        • /data/user/0/com.qxkf.ryjx.lynf/app_mjf/dz.jar

          Filesize

          247KB

          MD5

          daa884f34fd8ae9dd3bfb6b119ff3aff

          SHA1

          7de35d394619e09d959ed996ad265702cb8b8efa

          SHA256

          c9c157972fb88b6be615c55598c6dd7bc36a518c2b24e8b6ee5fd48f532381a8

          SHA512

          dc316772998f61131936b0cb6058a3ea7f144b31da11bff492408fb03ef3796604a2f887670d160e1302253d2ceac4e1621f6d26ee4293e21856a862b4f4125f