Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    android_x86
  • resource
    android-x86-arm-20240624-en
  • resource tags

    android, arch:arm, arch:x86, image:android-x86-arm-20240624-en, locale:en-us, os:android-9-x86, system
  • submitted
    03/11/2024, 04:43

General

  • Target

    89b00e291cd92c8c7103ae2a91c82775_JaffaCakes118.apk

  • Size

    1.3MB

  • MD5

    89b00e291cd92c8c7103ae2a91c82775

  • SHA1

    5af447807a126a49b161090036beb3952775d935

  • SHA256

    9034ef006ad45b803121b5c2a50b569c5cd421842d1ac8ac5cbd9cbeaf12e779

  • SHA512

    9d441a1f41670d1f85564329d3deaeac62fb01868302dea3cf9689a5e086760222605f3fd6aaa1017d6cb4d8b7ba5ffdcc43bee5165f40bb617fa629c61a3703

  • SSDEEP

    24576:PcEoL0otaYtXMRSprkM4FqD5Bl0ZHqU+yjro+X8jfChq/13tdHbZKm51Ob83i:aQ7Yt/rkruBl0ZHvjnsjfChq/1XHNKmK

Malware Config

Signatures

  • Removes its main activity from the application launcher (1 TTP, 1 IoC)
  • Loads dropped Dex/Jar (1 TTP, 3 IoCs)

    Runs executable file dropped to the device during analysis.

  • Queries a list of all the installed applications on the device, which might be used in an attempt to overlay legitimate apps (1 TTP)
  • Queries account information for other applications stored on the device (1 TTP, 1 IoC)

    Application may abuse the framework's APIs to collect account information stored on the device.

  • Queries information about running processes on the device (1 TTP, 1 IoC)

    Application may abuse the framework's APIs to collect information about running processes on the device.

  • Domain associated with commercial stalkerware software, includes indicators from echap.eu.org (1 IoC)
  • Queries information about active data network (1 TTP, 1 IoC)
  • Queries information about the current Wi-Fi connection (1 TTP, 1 IoC)

    Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

  • Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTP, 1 IoC)
  • Checks CPU information (2 TTPs, 1 IoC)

Processes

  • com.ebmy.hirh.ogps
    1⤵
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Queries account information for other applications stored on the device
    • Queries information about running processes on the device
    • Queries information about active data network
    • Queries information about the current Wi-Fi connection
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Checks CPU information
    PID:4217
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.ebmy.hirh.ogps/app_mjf/dz.jar --output-vdex-fd=48 --oat-fd=49 --oat-location=/data/user/0/com.ebmy.hirh.ogps/app_mjf/oat/x86/dz.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4281
  • com.ebmy.hirh.ogps:daemon
    1⤵
    • Loads dropped Dex/Jar
    PID:4316

Network

        Downloads

        • /data/data/com.ebmy.hirh.ogps/app_mjf/ddz.jar

          Filesize

          105KB

          MD5

          23ba0b249042b7ba33e92c0199b0ea4a

          SHA1

          99b13ee9f7307316c2337953fceed87e9942b794

          SHA256

          1ed0751a141b17c80a921f5e8ba90c66a56b8e73156f5cbe133b57d550ca4ef2

          SHA512

          0cc88e2b7c2ffa4db274d690e3bf12098ec804b9fcd9e92b57d2fa0c4161031d2e84c91d86ba8e2b6e8b4837852defa099333f76bcd454c67b31632d0cdd4861

        • /data/data/com.ebmy.hirh.ogps/app_mjf/oat/dz.jar.cur.prof

          Filesize

          639B

          MD5

          31c5b8b57ecb1880c1c67a78376cee68

          SHA1

          919fa75665ebcbe1ce9505c6f93e040349dcd3d6

          SHA256

          48c25d1892cea6eaaa5618cdaed34ad8ada912de4473f6f1a7c68a66f4dcfdb8

          SHA512

          58509025c7855c2b061f3e1898fcd14a8e833f217e1d5c530e11b76f862c6e51bd8e328ab166a2f665b95a0d432a8e79029ae3bef513135e2fd52aec662cc03b

        • /data/data/com.ebmy.hirh.ogps/app_mjf/tdz.jar

          Filesize

          105KB

          MD5

          293ea5f01e27975bed5179ba79d80eac

          SHA1

          c5b0806a537fd1cb753e11f1a9684933317716b8

          SHA256

          8d86de68978e859c8262c0d0e932d3a1d57457b57ce88940620befab1bcead5b

          SHA512

          c7cd2881367fdf95ec4151449b359decdae1adf136388edbaaa9880c7ebd14fb3579e7a15600a856988c55d207f7ba1fd7d938f4d9168aba8a7ff1c3029d6b53

        • /data/data/com.ebmy.hirh.ogps/databases/lezzd

          Filesize

          4KB

          MD5

          f2b4b0190b9f384ca885f0c8c9b14700

          SHA1

          934ff2646757b5b6e7f20f6a0aa76c7f995d9361

          SHA256

          0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

          SHA512

          ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

        • /data/data/com.ebmy.hirh.ogps/databases/lezzd-journal

          Filesize

          512B

          MD5

          7dd29a51c30161d0bbc47102b8c659e0

          SHA1

          7497d3d539e579f99ce4cf4e41b8bcbfd6db3afa

          SHA256

          cfc06543336c9190465da7a6c7e0e074376c14f062de5c2d8c1064ee26d0f53e

          SHA512

          24edf72c8e8799834076d02903e136d9e919ff630c982d90b31b41f510e3ae13f338012af59234c5f948ab76c13a63d1a3563cde857d5c7d23fbc939ca89f24a

        • /data/data/com.ebmy.hirh.ogps/databases/lezzd-shm

          Filesize

          32KB

          MD5

          bb7df04e1b0a2570657527a7e108ae23

          SHA1

          5188431849b4613152fd7bdba6a3ff0a4fd6424b

          SHA256

          c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

          SHA512

          768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

        • /data/data/com.ebmy.hirh.ogps/databases/lezzd-wal

          Filesize

          60KB

          MD5

          aa65d8735392c2c87b4de00b996329ff

          SHA1

          d18ceefae12a8a4a455b12e36114ece8a4761e12

          SHA256

          f4ed722836871f88c55955777685d28982a54af60414b891a8189e37c3492d9d

          SHA512

          19e20e028128913ecab9d4a6d97e25ebabef71af9e9e0fce93fe36aba54afcd9816006422ea28e69d4d2a81adc4dcb5d1696475d5ad6ca3a0eaf821122f85be2

        • /data/data/com.ebmy.hirh.ogps/files/.um/um_cache_1730609178931.env

          Filesize

          681B

          MD5

          43c973f2278c26e82997c76bcf0f4155

          SHA1

          060c52247f199fcc52d383e8626d9cebc6b28648

          SHA256

          3d3d216da141c48bc8bdf73729734e3d3555d09a3ec135d98ee9c7d01e2ac525

          SHA512

          88b6cc2f7650c9f1f7a4344d4d2c8c54bbf914cd53124bf1ab79b2c8b75b1cd76f4b3cc9a8503c4875f707696207ac4c46e00ba74bcb7e197006e75c80764f54

        • /data/data/com.ebmy.hirh.ogps/files/.umeng/exchangeIdentity.json

          Filesize

          162B

          MD5

          11fceba4c6f6774f33876f782ca8742d

          SHA1

          94526b04cd9f6181a8455ad44de965af7430b55c

          SHA256

          226050c344d400a2f6135df2f39691327828362ea2483cc5f922ba6228abbcb9

          SHA512

          fbd7a67b5aed327529f164bb5b8442406c3dbb81ee7047e88bde30b2a79ddad070f1bb57801b5b38773125e79dcb38ff0fef250ad07cf5387d224c3f7f5c438c

        • /data/data/com.ebmy.hirh.ogps/files/umeng_it.cache

          Filesize

          415B

          MD5

          f0e4a9ceb2c7687fb75de58dbfb74fe4

          SHA1

          0833daf58a9b1af3e7689888deb9f52d5fd04388

          SHA256

          b1d1ef050f78289835386abcbf7c0cd93773cb19e55cb8ed95f3e0cd885007c1

          SHA512

          31a36daa06a969aa9523f0797bb9066e67f84f2c1b4da73b214d305527e67638b6220a63feaa8c919ccb26e48df58ee60a695ccbde75af1d973fe1cf432c9b79

        • /data/user/0/com.ebmy.hirh.ogps/app_mjf/dz.jar

          Filesize

          248KB

          MD5

          9b47e78a6ff90cce5755ce4742047627

          SHA1

          831b24aa9e116eb8d7065efd430088d419dfd6c7

          SHA256

          30d7699b73fd7f276945415c405c12bff69c5958d12f56265a768443f6fd8cae

          SHA512

          4587a5b26f13cbd0524eade71ed29203fc55029fe150fce850016aa7d9c578623cdc4b6a551bed3dec9e31a39563f8927cfcc9d21e2d83c2c781808b958446fc

        • /data/user/0/com.ebmy.hirh.ogps/app_mjf/dz.jar

          Filesize

          248KB

          MD5

          a54a18b58c6720991c021f433dfb2a46

          SHA1

          d2ffa07919f92b6e04914e39843f08fdb2a75b68

          SHA256

          3dd88e4418bd4271af728fc6436c873a55e6b6f5c8ed241ee2cb0ee24fe3f7f3

          SHA512

          e4a51b2462b247b1e5fbd947d06a2eba334f18398daadacbabcb4185f4255f05c22d656a8837a6088ffbdcaedfbdfbd8281c5dad4880c4e5021571e3fefc88cc
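The following Python script is an added triage example and is not part of the sandbox report or of the sample itself. It works only from data quoted above: the dex2oat command line in the Processes section (reproduced as written there, including the truncation at --class-loader-context=) and a constructed subset of the Downloads table. It does two things a responder wants from this report: it parses the dex2oat argv to confirm that the compiled --dex-file lives in the package's private app_ directory rather than in the installed APK (the concrete evidence behind the "Loads dropped Dex/Jar" signature), and it groups the dropped files by path so that a path written more than once with different contents is flagged. The report lists /data/user/0/com.ebmy.hirh.ogps/app_mjf/dz.jar twice with two different SHA256 values, so both versions need to be in the IoC set. The path classification (loaded-code, sqlite, art-profile, data) is this example's own heuristic, not something the report states.

```python
"""Triage helper for an Android sandbox report (added example, not part of the report)."""
import json
import re
import shlex
from collections import defaultdict

PACKAGE = "com.ebmy.hirh.ogps"

# dex2oat command line quoted from the report's Processes section; the report
# itself truncates it at --class-loader-context=, hence the trailing '&'.
DEX2OAT_CMDLINE = (
    "/system/bin/dex2oat --instruction-set=x86 "
    "--instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt "
    "--runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate "
    "--boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m "
    "--instruction-set-variant=x86 --instruction-set-features=default "
    "--inline-max-code-units=0 --compact-dex-level=none "
    "--dex-file=/data/user/0/com.ebmy.hirh.ogps/app_mjf/dz.jar "
    "--output-vdex-fd=48 --oat-fd=49 "
    "--oat-location=/data/user/0/com.ebmy.hirh.ogps/app_mjf/oat/x86/dz.odex "
    "--compiler-filter=quicken --class-loader-context=&"
)

# Constructed subset of the report's Downloads table: (path, sha256).
DROPPED = [
    ("/data/data/com.ebmy.hirh.ogps/app_mjf/ddz.jar",
     "1ed0751a141b17c80a921f5e8ba90c66a56b8e73156f5cbe133b57d550ca4ef2"),
    ("/data/data/com.ebmy.hirh.ogps/app_mjf/oat/dz.jar.cur.prof",
     "48c25d1892cea6eaaa5618cdaed34ad8ada912de4473f6f1a7c68a66f4dcfdb8"),
    ("/data/data/com.ebmy.hirh.ogps/app_mjf/tdz.jar",
     "8d86de68978e859c8262c0d0e932d3a1d57457b57ce88940620befab1bcead5b"),
    ("/data/data/com.ebmy.hirh.ogps/databases/lezzd",
     "0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514"),
    ("/data/data/com.ebmy.hirh.ogps/files/.umeng/exchangeIdentity.json",
     "226050c344d400a2f6135df2f39691327828362ea2483cc5f922ba6228abbcb9"),
    # Same path, two different contents: the report lists dz.jar twice.
    ("/data/user/0/com.ebmy.hirh.ogps/app_mjf/dz.jar",
     "30d7699b73fd7f276945415c405c12bff69c5958d12f56265a768443f6fd8cae"),
    ("/data/user/0/com.ebmy.hirh.ogps/app_mjf/dz.jar",
     "3dd88e4418bd4271af728fc6436c873a55e6b6f5c8ed241ee2cb0ee24fe3f7f3"),
]

# App-private data directories: /data/user/<n>/<pkg>/ or its /data/data/<pkg>/ alias.
PRIVATE_DIR_RE = re.compile(r"^/data/(?:user/\d+|data)/([\w.]+)/")


def parse_dex2oat(cmdline):
    """Split a dex2oat argv string into (binary, {flag: value}, [runtime args]).

    --key=value flags go into the dict (a repeated flag keeps its last value);
    each --runtime-arg consumes the following token and is collected separately.
    """
    tokens = shlex.split(cmdline.strip().rstrip("&").strip())
    binary, rest = tokens[0], tokens[1:]
    flags, runtime_args = {}, []
    i = 0
    while i < len(rest):
        tok = rest[i]
        if tok == "--runtime-arg" and i + 1 < len(rest):
            runtime_args.append(rest[i + 1])
            i += 2
            continue
        if tok.startswith("--") and "=" in tok:
            key, value = tok[2:].split("=", 1)
            flags[key] = value
        i += 1
    return binary, flags, runtime_args


def dynamic_code_load(cmdline, package):
    """Flag a dex2oat run whose input dex/jar sits in the package's own private directory."""
    binary, flags, runtime_args = parse_dex2oat(cmdline)
    dex = flags.get("dex-file", "")
    m = PRIVATE_DIR_RE.match(dex)
    return {
        "binary": binary,
        "dex_file": dex,
        "oat_location": flags.get("oat-location"),
        "compiler_filter": flags.get("compiler-filter"),
        "runtime_args": runtime_args,
        "dynamic_load_from_private_dir": bool(m) and m.group(1) == package,
    }


def classify_path(path):
    """Heuristic label for a dropped file, based only on its path (this example's own scheme)."""
    name = path.rsplit("/", 1)[-1]
    if "/app_" in path and name.endswith((".jar", ".dex", ".apk", ".odex")):
        return "loaded-code"
    if "/databases/" in path:
        return "sqlite"
    if "/oat/" in path:
        return "art-profile"
    return "data"


def dropped_file_iocs(dropped):
    """Group (path, sha256) rows by path; 'rewritten' marks a path seen with more than one hash."""
    by_path = defaultdict(list)
    for path, sha256 in dropped:
        if sha256 not in by_path[path]:
            by_path[path].append(sha256)
    return [
        {"path": p, "sha256": h, "kind": classify_path(p), "rewritten": len(h) > 1}
        for p, h in sorted(by_path.items())
    ]


def triage(cmdline, dropped, package):
    """Combine both views and pull out the hashes of every code artefact that was loaded."""
    iocs = dropped_file_iocs(dropped)
    code_hashes = sorted({h for r in iocs if r["kind"] == "loaded-code" for h in r["sha256"]})
    return {"dex_load": dynamic_code_load(cmdline, package), "dropped": iocs, "code_sha256": code_hashes}


if __name__ == "__main__":
    print(json.dumps(triage(DEX2OAT_CMDLINE, DROPPED, PACKAGE), indent=2))
```

The private-directory check is the useful signal here: dex2oat compiling a jar out of /data/user/0/<pkg>/app_mjf/ means code that was not in the submitted APK is being prepared for execution, which is why both dz.jar hashes, plus ddz.jar and tdz.jar, belong on the block list rather than only the APK's own hash.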