Analysis
max time kernel: 148s
max time network: 151s
platform: android-9_x86
resource: android-x86-arm-20240910-en
resource tags: arch:arm, arch:x86, image:android-x86-arm-20240910-en, locale:en-us, os:android-9-x86, system
submitted: 02/11/2024, 11:18

Static task: static1

Behavioral task: behavioral1
  Sample: 852b214817f3033c108bbb89a8edbc3c_JaffaCakes118.apk
  Resource: android-x86-arm-20240910-en

Behavioral task: behavioral2
  Sample: 852b214817f3033c108bbb89a8edbc3c_JaffaCakes118.apk
  Resource: android-x64-20240910-en
General
Target: 852b214817f3033c108bbb89a8edbc3c_JaffaCakes118.apk
Size: 550KB
MD5: 852b214817f3033c108bbb89a8edbc3c
SHA1: a88bd5f408cb6a6fb1f14607d63c7bfb6b127ca8
SHA256: 5ac0d9e1ab2446c160374d0c232b446edd58190729edbc872fdd888b8f0a0b7b
SHA512: 4b455883b478f8eda2b4ac776928ba0b09b0acf4a6a64e35957c4eff082a93660657e7f5d70903c1ab5268c79149772787fae9b5b508efe4996f31af54d87ce3
SSDEEP: 12288:S4LINCjgcNUJglRMWU3ca27KT/jhaGOenVtI4eFxSMPIX:4NytUMacKDOnwM2
Malware Config
Signatures
Removes its main activity from the application launcher
pid | Process
4266 | com.qxkf.ryjx.lynf

Loads dropped Dex/Jar 1 TTPs 3 IoCs
Runs executable file dropped to the device during analysis.
ioc | pid | Process
/data/user/0/com.qxkf.ryjx.lynf/app_mjf/dz.jar | 4266 | com.qxkf.ryjx.lynf
/data/user/0/com.qxkf.ryjx.lynf/app_mjf/dz.jar | 4399 | /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.qxkf.ryjx.lynf/app_mjf/dz.jar --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.qxkf.ryjx.lynf/app_mjf/oat/x86/dz.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/com.qxkf.ryjx.lynf/app_mjf/dz.jar | 4368 | com.qxkf.ryjx.lynf:daemon

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs

Queries account information for other applications stored on the device 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect account information stored on the device.
description | ioc | Process
Framework service call | android.accounts.IAccountManager.getAccountsAsUser | com.qxkf.ryjx.lynf

Queries information about running processes on the device 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about running processes on the device.
description | ioc | Process
Framework service call | android.app.IActivityManager.getRunningAppProcesses | com.qxkf.ryjx.lynf

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org 2 IoCs
flow | ioc
6 | alog.umeng.com
33 | alog.umeng.com

Queries information about active data network 1 TTPs 1 IoCs
description | ioc | Process
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | com.qxkf.ryjx.lynf

Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
description | ioc | Process
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | com.qxkf.ryjx.lynf

Reads information about phone network operator 1 TTPs

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
description | ioc | Process
Framework service call | android.app.IActivityManager.registerReceiver | com.qxkf.ryjx.lynf

Checks CPU information 2 TTPs 1 IoCs
description | ioc | Process
File opened for read | /proc/cpuinfo | com.qxkf.ryjx.lynf
Processes
com.qxkf.ryjx.lynf (PID: 4266)
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Queries account information for other applications stored on the device
- Queries information about running processes on the device
- Queries information about active data network
- Queries information about the current Wi-Fi connection
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Checks CPU information

com.qxkf.ryjx.lynf:daemon (PID: 4368)
- Loads dropped Dex/Jar

  /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.qxkf.ryjx.lynf/app_mjf/dz.jar --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.qxkf.ryjx.lynf/app_mjf/oat/x86/dz.odex --compiler-filter=quicken --class-loader-context=& (PID: 4399, child of com.qxkf.ryjx.lynf:daemon)
  - Loads dropped Dex/Jar
Network
MITRE ATT&CK Mobile v15
Defense Evasion
- Download New Code at Runtime (1)
- Hide Artifacts (1)
  - Suppress Application Icon (1)
- Virtualization/Sandbox Evasion (1)
  - System Checks (1)
Downloads