Analysis

  • max time kernel: 130s
  • max time network: 131s
  • platform: android_x86
  • resource: android-x86-arm-20240624-en
  • resource tags: android, arch:arm, arch:x86, image:android-x86-arm-20240624-en, locale:en-us, os:android-9-x86, system
  • submitted: 03/11/2024, 19:08

General

  • Target: 8d0a4a004388280bbdd4063de723f626_JaffaCakes118.apk
  • Size: 9.8MB
  • MD5: 8d0a4a004388280bbdd4063de723f626
  • SHA1: a96451f3eb8ed53604c68956830731132fc764cc
  • SHA256: 9345c977450df097a332f964e4eaa12a3091e4d54db2b19359cfca27fc6c712d
  • SHA512: afcae82da504b71c67d97540a43e86b7a51e3db9cee7655dc6a16f1c405a0d2b1498db2443baf954d82cae16a4a476e8921c1a094847289d60fae187ac39d8d0
  • SSDEEP: 196608:Mt+KzoPL30yKyNudIZzZkKNpt+ZeGTB3yv8jCjHR8dpGbkf5:M4Ky0okKNptwTB3y0wHR8fGbA

Signatures

  • Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) [1 TTP]
  • Queries information about running processes on the device [1 TTP, 15 IoCs]
    Application may abuse the framework's APIs to collect information about running processes on the device.
  • Queries information about the current nearby Wi-Fi networks [1 TTP, 3 IoCs]
    Application may abuse the framework's APIs to collect information about the current nearby Wi-Fi networks.
  • Requests cell location [2 TTPs, 8 IoCs]
    Uses Android APIs to get the current cell location.
  • Acquires the wake lock [1 IoC]
  • Domain associated with commercial stalkerware software; includes indicators from echap.eu.org [1 IoC]
  • Queries information about active data network [1 TTP, 10 IoCs]
  • Queries information about the current Wi-Fi connection [1 TTP, 2 IoCs]
    Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
  • Reads information about phone network operator [1 TTP]
  • Listens for changes in the sensor environment (might be used to detect emulation) [1 TTP, 4 IoCs]
  • Registers a broadcast receiver at runtime (usually for listening for system events) [1 TTP, 12 IoCs]
  • Uses Crypto APIs (might try to encrypt user data) [1 TTP, 1 IoC]
  • Checks CPU information [2 TTPs, 1 IoC]

Processes

  • com.lolaage.tbulu.tools (PID 4260)
    • Queries information about running processes on the device
    • Acquires the wake lock
    • Queries information about active data network
    • Queries information about the current Wi-Fi connection
    • Listens for changes in the sensor environment (might be used to detect emulation)
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Checks CPU information
  • com.lolaage.tbulu.tools:push (PID 4302)
    • Queries information about running processes on the device
    • Queries information about active data network
    • Queries information about the current Wi-Fi connection
  • com.lolaage.tbulu.tools:remote (PID 4405)
    • Queries information about running processes on the device
    • Queries information about the current nearby Wi-Fi networks
    • Requests cell location
    • Queries information about active data network
    • Listens for changes in the sensor environment (might be used to detect emulation)
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Uses Crypto APIs (might try to encrypt user data)
  • com.lolaage.tbulu.tools:remote (PID 4459)
    • Queries information about running processes on the device
    • Queries information about the current nearby Wi-Fi networks
    • Requests cell location
    • Queries information about active data network
    • Listens for changes in the sensor environment (might be used to detect emulation)
    • Registers a broadcast receiver at runtime (usually for listening for system events)
  • com.lolaage.tbulu.tools:remote (PID 4514)
    • Queries information about running processes on the device
    • Registers a broadcast receiver at runtime (usually for listening for system events)
  • com.lolaage.tbulu.tools:remote (PID 4549)
    • Queries information about running processes on the device
    • Requests cell location
    • Queries information about active data network
    • Registers a broadcast receiver at runtime (usually for listening for system events)
  • com.lolaage.tbulu.tools:remote (PID 4582)
    • Queries information about running processes on the device
  • com.lolaage.tbulu.tools:remote (PID 4614)
    • Queries information about running processes on the device
    • Registers a broadcast receiver at runtime (usually for listening for system events)
  • com.lolaage.tbulu.tools:remote (PID 4651)
    • Queries information about running processes on the device
    • Registers a broadcast receiver at runtime (usually for listening for system events)
  • com.lolaage.tbulu.tools:remote (PID 4687)
    • Queries information about running processes on the device
    • Requests cell location
    • Queries information about active data network
    • Registers a broadcast receiver at runtime (usually for listening for system events)
  • com.lolaage.tbulu.tools:remote (PID 4737)
    • Queries information about running processes on the device
  • com.lolaage.tbulu.tools:remote (PID 4770)
    • Queries information about running processes on the device
    • Requests cell location
    • Queries information about active data network
    • Registers a broadcast receiver at runtime (usually for listening for system events)
  • com.lolaage.tbulu.tools:remote (PID 4803)
    • Queries information about running processes on the device
    • Requests cell location
    • Queries information about active data network
    • Registers a broadcast receiver at runtime (usually for listening for system events)
  • com.lolaage.tbulu.tools:remote (PID 4835)
    • Queries information about running processes on the device
    • Requests cell location
    • Queries information about active data network
    • Registers a broadcast receiver at runtime (usually for listening for system events)
  • com.lolaage.tbulu.tools:remote (PID 4869)
    • Queries information about running processes on the device
    • Queries information about the current nearby Wi-Fi networks
    • Requests cell location
    • Queries information about active data network
    • Listens for changes in the sensor environment (might be used to detect emulation)
    • Registers a broadcast receiver at runtime (usually for listening for system events)

Downloads

  • /data/data/com.lolaage.tbulu.tools/databases/lolaage_download.db (4KB)
    MD5: be888c6a02731e720c9f98dcc92f9226
    SHA1: 39ac337a3f78a48131037e1633e5e688d2fe58c2
    SHA256: e487a0233704712252c712b264d81993d708c967c57f2447ebd64a403b51fa57
    SHA512: d6cbd98565d2f3eb4b180d7163e3832cfbd85b25a0440dbf217df8c993b3865f87fd83b46a83059f1b05066d9483ba3ad339840fb350597fc9adbef1b3ea72d8

  • /data/data/com.lolaage.tbulu.tools/databases/lolaage_download.db-journal (512B)
    MD5: 03ef4dbb1916b94948bf615ad7d305ad
    SHA1: b84a1622a623a8036434793f502191f3630e0a5f
    SHA256: f0f4b280445d3c9f5c8a04f579b3b428441b5c056511428e5807fcd3e8f2095c
    SHA512: fe84ef9a86e5ef06845a849d39ecfc59847c90c7a51c477424878681f6a7340cef30dc752b332fa8154c2085a7cdaea85f045e7d1f9d873661535928f0ebf8a2

  • /data/data/com.lolaage.tbulu.tools/databases/lolaage_download.db-wal (32KB)
    MD5: 5c1476ef5aa9713a374762ecfb175ed3
    SHA1: 5d656973c5a734a3981a87fb44c5cff9ce0112c9
    SHA256: 241a549b6ea1d99343a1c3f813fc146320449b6e320fb1d9826e63f1db3694f3
    SHA512: 161373a7e1796b16ac6f654acffa75983b2890140bfc0146fc31a3bcee3d6379f926ed671c266ceabaccc53299a5335f14abff6d361dae874277bebcd4c18e14

  • /data/data/com.lolaage.tbulu.tools/files/umeng_it.cache (294B)
    MD5: bf0497131ef446d4fd537b463311dc80
    SHA1: a8925209ad4e090e9d0fcc6089d42e1abc976b80
    SHA256: a4e06666330fc794b2974cb14bd3377fd4fd0c21b598fffb0127a9b35f8a7138
    SHA512: c22157a2f0b3a8b5d3f0ec805b1bf4501fd582793e5ddb4686ad7a611727deae33650b8e60ef4d510549ac3e9f4d22a1a892ba620904141de3e6e1d30d710870

  • /storage/emulated/0/baidu/tempdata/yol.dat (24B)
    MD5: a936690571e9104e1922dda4a0ba5bd1
    SHA1: 65f49c57edde2f96be2a1dbdfc3f7351f1e66554
    SHA256: f0f5049c51879dd7da0ce4a43349b5b34ce053d072a0ca704f62cf22ba4a8412
    SHA512: 3be1c3693963aebdfc04e86b1c820ee0ec3cf0b200e6a4788ef1141f39fd6c2f77f4227247ae4affa66c0a6c027df8466cc0dcec1e67ebfb953e36bee97de394

  • /storage/emulated/0/baidu/tempdata/yom.dat (24B)
    MD5: 1681ffc6e046c7af98c9e6c232a3fe0a
    SHA1: d3399b7262fb56cb9ed053d68db9291c410839c4
    SHA256: 9d908ecfb6b256def8b49a7c504e6c889c4b0e41fe6ce3e01863dd7b61a20aa0
    SHA512: 11bb994b5d2eab48b18667c7d8943e82c9011cb1d974304b8f2b6247a7e6b7f55ca2f7c62893644c3728d17dafd74ae3ba46271cf6287bb9e751c779a26fefc5

  • /storage/emulated/0/lolaage/TbuluTools/db/osmoffline.config (160B)
    MD5: 4bebe2f99ba2c5b9af38c336a5bb0c72
    SHA1: 2673c4e0e8d74fb56df53978085055bd01a250ea
    SHA256: 04aa9ab2f2090191997c83f986a6b4fd7dfc298c6c98e39580d2a750577fd95e
    SHA512: 82793d733f439e75e239d88ac6c84d6c8f1b60a7286d1fc7bfdd7f0fc575052782531fea45dff8f4dc35957c082c73479f03090ef6841fc58770880d27336c2c

  • /storage/emulated/0/lolaage/TbuluTools/db/tbulu_tools.db (4KB)
    MD5: cd0e98274cbc95f98ed9ba4e8963ace8
    SHA1: 37264bf7e2af30fff22855b5046bcafe06804063
    SHA256: 2be6d1c2a8f5d57175bd64cae8bfbcd5f6ad390a27e5427b8ae5fdd4ea9b3de8
    SHA512: 8870f130cf1108842c1e3a179a590cfecd61e12cfb124b16f012110511e8e94dae058c566c3342baa186571ea3645240a22bd6c66d5b6be4a50789de2e777886

  • /storage/emulated/0/lolaage/TbuluTools/db/tbulu_tools.db-journal (8KB)
    MD5: d110534b9917d6ee7b3b7bbf846e102e
    SHA1: 0ded1cd2c47f23903a03ac8d25fa86a2c12d8550
    SHA256: 7a3528c4dba7f34590667707bd5cf9599c87993ab0ba34ba2109b7767b58d30d
    SHA512: d49c3a03f5cc2e3b084f4fed6867d324a8735086be0d9df9ea0cad2210a8e4369f700bb548efc33ca71cfcca53a77aabf443ae9f95e48aa00eda8967a0a71589

  • /storage/emulated/0/lolaage/TbuluTools/db/tbulu_tools.db-shm (32KB)
    MD5: 3bc1f072a0de0314dc3d8d1dcfbc992b
    SHA1: 00745aeae33221dd2efb9d34e647777460c7eecc
    SHA256: 622784ebd10f0b38785cb07f23fe16a578d41b5274486458b346ad7af6b3cd64
    SHA512: 422d5b1e81685f1ebdbbc256d7170f2c7ca84e0be08958bc0f1a0ab38e17f32552d025a99222cbca07da7a58a7e59cbcb07daec49737fd07dd57ecc075f5f5a8

  • /storage/emulated/0/lolaage/TbuluTools/db/tbulu_tools.db-wal (96KB)
    MD5: 3f10de8dd31dae3e00b821f5a370c7de
    SHA1: 72dd412a3b8200089a6483840b76c1f38a168e9e
    SHA256: 969982f06f18d6d1a129dc275973f893d53aa720a6997d97475dba25eb702d24
    SHA512: 67fd7204120f3bfb54038f1d66c0a5db1412449853f857b0f92b368808417c9b1bb72afe02ed7e29233de5bb5f3ae75e56814572b76f22e0432b56fb6d2807d0

  • /storage/emulated/0/lolaage/TbuluTools/db/tbulu_tools_map.db (52KB)
    MD5: 46d901760a00b94835f4ca6477ca1dad
    SHA1: 976de02455d0e83734651f7e1a411b7cf28f1913
    SHA256: a69ce1acbda11c481fdf61e4b3e5a554d8fd08ee351a35db3d9325d1c4c60293
    SHA512: d2e21d5466ff31df079c0753febd09d2c7315f52130763af8957fbfde4b02d23f7ce36bf21195c9d159abe5dd4fd770ce6fe189e03b779a6239d4d409a05f651

  • /storage/emulated/0/lolaage/TbuluTools/db/tbulu_tools_map.db-journal (28KB)
    MD5: c3e7666ec54df28b3a414cc56f5bb169
    SHA1: 3d438a9f21ff789e609b1f3d0ada51eb561cd129
    SHA256: ef56d0af44bee408e517b10b1f937b2a54446b91799fad728d7b9af8c6ce613a
    SHA512: 14c96122f629e3ec6b1a6d47638de689e6a8f79839bba3cd9acdb8331069c6912a60161ad7b48e2c1510f8ca30a807fc3f5b88a003a73881c351bc50ff424411

  • /storage/emulated/0/lolaage/TbuluTools/db/tbulu_tools_map.db-shm (32KB)
    MD5: bb7df04e1b0a2570657527a7e108ae23
    SHA1: 5188431849b4613152fd7bdba6a3ff0a4fd6424b
    SHA256: c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
    SHA512: 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

  • /storage/emulated/0/lolaage/TbuluTools/db/tbulu_tools_map.db-wal (64KB)
    MD5: 4b39a4e9c2f3ab3757e27efd38bf04c2
    SHA1: e0a6635166483038b50ea931cd1b6d647a8c2378
    SHA256: e45782e1b7c6d6502c807e1560974ecc124238c417ef2d216b91a770dfe749b8
    SHA512: b3966721a5cf71adb571158d83d8b7f74901849b80b8251a691d1c28ef46b9cd9aaf16cd2d5aea67b464acf45870c8b1a49b1fd3232d0bac8e7930d0cce0351b

  • /storage/emulated/0/lolaage/TbuluTools1.folder details.txt (1KB)
    MD5: 68e22a246098aab8d8e86750c54bc866
    SHA1: 32f62d96df459fc087a5b1a369a570de48ddf849
    SHA256: 2b2495d864f76d30376d16a874e4c451d3ee7923ff36149ca46924a64baff40d
    SHA512: f8c7dd18f5a59987bb3e096b932c7c616218d61c4efe43724f77dee74fb53caf37238df9edf7f3bb5946218ade0acb9a84adc2f8f816f74e0a89a3562dc4868b