Analysis
- max time kernel: 130s
- max time network: 131s
- platform: android_x86
- resource: android-x86-arm-20240624-en
- resource tags: android, arch:arm, arch:x86, image:android-x86-arm-20240624-en, locale:en-us, os:android-9-x86, system
- submitted: 03/11/2024, 19:08
- Static task: static1
- Behavioral task: behavioral1
- Sample: 8d0a4a004388280bbdd4063de723f626_JaffaCakes118.apk
- Resource: android-x86-arm-20240624-en
General
- Target: 8d0a4a004388280bbdd4063de723f626_JaffaCakes118.apk
- Size: 9.8MB
- MD5: 8d0a4a004388280bbdd4063de723f626
- SHA1: a96451f3eb8ed53604c68956830731132fc764cc
- SHA256: 9345c977450df097a332f964e4eaa12a3091e4d54db2b19359cfca27fc6c712d
- SHA512: afcae82da504b71c67d97540a43e86b7a51e3db9cee7655dc6a16f1c405a0d2b1498db2443baf954d82cae16a4a476e8921c1a094847289d60fae187ac39d8d0
- SSDEEP: 196608:Mt+KzoPL30yKyNudIZzZkKNpt+ZeGTB3yv8jCjHR8dpGbkf5:M4Ky0okKNptwTB3y0wHR8fGbA
Malware Config
Signatures
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) [1 TTPs]
- Queries information about running processes on the device [1 TTPs, 15 IoCs]
  Application may abuse the framework's APIs to collect information about running processes on the device.
  description | ioc | Process
  Framework service call | android.app.IActivityManager.getRunningAppProcesses | com.lolaage.tbulu.tools:remote
  Framework service call | android.app.IActivityManager.getRunningAppProcesses | com.lolaage.tbulu.tools:remote
  Framework service call | android.app.IActivityManager.getRunningAppProcesses | com.lolaage.tbulu.tools:remote
  Framework service call | android.app.IActivityManager.getRunningAppProcesses | com.lolaage.tbulu.tools
  Framework service call | android.app.IActivityManager.getRunningAppProcesses | com.lolaage.tbulu.tools:remote
  Framework service call | android.app.IActivityManager.getRunningAppProcesses | com.lolaage.tbulu.tools:remote
  Framework service call | android.app.IActivityManager.getRunningAppProcesses | com.lolaage.tbulu.tools:remote
  Framework service call | android.app.IActivityManager.getRunningAppProcesses | com.lolaage.tbulu.tools:remote
  Framework service call | android.app.IActivityManager.getRunningAppProcesses | com.lolaage.tbulu.tools:remote
  Framework service call | android.app.IActivityManager.getRunningAppProcesses | com.lolaage.tbulu.tools:remote
  Framework service call | android.app.IActivityManager.getRunningAppProcesses | com.lolaage.tbulu.tools:remote
  Framework service call | android.app.IActivityManager.getRunningAppProcesses | com.lolaage.tbulu.tools:remote
  Framework service call | android.app.IActivityManager.getRunningAppProcesses | com.lolaage.tbulu.tools:remote
  Framework service call | android.app.IActivityManager.getRunningAppProcesses | com.lolaage.tbulu.tools:remote
  Framework service call | android.app.IActivityManager.getRunningAppProcesses | com.lolaage.tbulu.tools:push
- Queries information about the current nearby Wi-Fi networks [1 TTPs, 3 IoCs]
  Application may abuse the framework's APIs to collect information about the current nearby Wi-Fi networks.
  description | ioc | Process
  Framework service call | android.net.wifi.IWifiManager.getScanResults | com.lolaage.tbulu.tools:remote
  Framework service call | android.net.wifi.IWifiManager.getScanResults | com.lolaage.tbulu.tools:remote
  Framework service call | android.net.wifi.IWifiManager.getScanResults | com.lolaage.tbulu.tools:remote
- Requests cell location [2 TTPs, 8 IoCs]
  Uses Android APIs to get the current cell location.
  description | ioc | Process
  Framework service call | com.android.internal.telephony.ITelephony.getCellLocation | com.lolaage.tbulu.tools:remote
  Framework service call | com.android.internal.telephony.ITelephony.getCellLocation | com.lolaage.tbulu.tools:remote
  Framework service call | com.android.internal.telephony.ITelephony.getCellLocation | com.lolaage.tbulu.tools:remote
  Framework service call | com.android.internal.telephony.ITelephony.getCellLocation | com.lolaage.tbulu.tools:remote
  Framework service call | com.android.internal.telephony.ITelephony.getCellLocation | com.lolaage.tbulu.tools:remote
  Framework service call | com.android.internal.telephony.ITelephony.getCellLocation | com.lolaage.tbulu.tools:remote
  Framework service call | com.android.internal.telephony.ITelephony.getCellLocation | com.lolaage.tbulu.tools:remote
  Framework service call | com.android.internal.telephony.ITelephony.getCellLocation | com.lolaage.tbulu.tools:remote
- Acquires the wake lock [1 IoCs]
  description | ioc | Process
  Framework service call | android.os.IPowerManager.acquireWakeLock | com.lolaage.tbulu.tools
- Domain associated with commercial stalkerware software, includes indicators from echap.eu.org [1 IoCs]
  flow | ioc
  12 | alog.umeng.com
- Queries information about active data network [1 TTPs, 10 IoCs]
  description | ioc | Process
  Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | com.lolaage.tbulu.tools:remote
  Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | com.lolaage.tbulu.tools:remote
  Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | com.lolaage.tbulu.tools:remote
  Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | com.lolaage.tbulu.tools:remote
  Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | com.lolaage.tbulu.tools:remote
  Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | com.lolaage.tbulu.tools
  Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | com.lolaage.tbulu.tools:push
  Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | com.lolaage.tbulu.tools:remote
  Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | com.lolaage.tbulu.tools:remote
  Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | com.lolaage.tbulu.tools:remote
- Queries information about the current Wi-Fi connection [1 TTPs, 2 IoCs]
  Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
  description | ioc | Process
  Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | com.lolaage.tbulu.tools
  Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | com.lolaage.tbulu.tools:push
- Reads information about phone network operator. [1 TTPs]
- Listens for changes in the sensor environment (might be used to detect emulation) [1 TTPs, 4 IoCs]
  description | ioc | Process
  Framework API call | android.hardware.SensorManager.registerListener | com.lolaage.tbulu.tools:remote
  Framework API call | android.hardware.SensorManager.registerListener | com.lolaage.tbulu.tools:remote
  Framework API call | android.hardware.SensorManager.registerListener | com.lolaage.tbulu.tools
  Framework API call | android.hardware.SensorManager.registerListener | com.lolaage.tbulu.tools:remote
- Registers a broadcast receiver at runtime (usually for listening for system events) [1 TTPs, 12 IoCs]
  description | ioc | Process
  Framework service call | android.app.IActivityManager.registerReceiver | com.lolaage.tbulu.tools:remote
  Framework service call | android.app.IActivityManager.registerReceiver | com.lolaage.tbulu.tools:remote
  Framework service call | android.app.IActivityManager.registerReceiver | com.lolaage.tbulu.tools:remote
  Framework service call | android.app.IActivityManager.registerReceiver | com.lolaage.tbulu.tools:remote
  Framework service call | android.app.IActivityManager.registerReceiver | com.lolaage.tbulu.tools:remote
  Framework service call | android.app.IActivityManager.registerReceiver | com.lolaage.tbulu.tools
  Framework service call | android.app.IActivityManager.registerReceiver | com.lolaage.tbulu.tools:remote
  Framework service call | android.app.IActivityManager.registerReceiver | com.lolaage.tbulu.tools:remote
  Framework service call | android.app.IActivityManager.registerReceiver | com.lolaage.tbulu.tools:remote
  Framework service call | android.app.IActivityManager.registerReceiver | com.lolaage.tbulu.tools:remote
  Framework service call | android.app.IActivityManager.registerReceiver | com.lolaage.tbulu.tools:remote
  Framework service call | android.app.IActivityManager.registerReceiver | com.lolaage.tbulu.tools:remote
- Uses Crypto APIs (Might try to encrypt user data) [1 TTPs, 1 IoCs]
  description | ioc | Process
  Framework API call | javax.crypto.Cipher.doFinal | com.lolaage.tbulu.tools:remote
- Checks CPU information [2 TTPs, 1 IoCs]
  description | ioc | Process
  File opened for read | /proc/cpuinfo | com.lolaage.tbulu.tools
Processes
- com.lolaage.tbulu.tools (PID 4260)
  - Queries information about running processes on the device
  - Acquires the wake lock
  - Queries information about active data network
  - Queries information about the current Wi-Fi connection
  - Listens for changes in the sensor environment (might be used to detect emulation)
  - Registers a broadcast receiver at runtime (usually for listening for system events)
  - Checks CPU information
- com.lolaage.tbulu.tools:push (PID 4302)
  - Queries information about running processes on the device
  - Queries information about active data network
  - Queries information about the current Wi-Fi connection
- com.lolaage.tbulu.tools:remote (PID 4405)
  - Queries information about running processes on the device
  - Queries information about the current nearby Wi-Fi networks
  - Requests cell location
  - Queries information about active data network
  - Listens for changes in the sensor environment (might be used to detect emulation)
  - Registers a broadcast receiver at runtime (usually for listening for system events)
  - Uses Crypto APIs (Might try to encrypt user data)
- com.lolaage.tbulu.tools:remote (PID 4459)
  - Queries information about running processes on the device
  - Queries information about the current nearby Wi-Fi networks
  - Requests cell location
  - Queries information about active data network
  - Listens for changes in the sensor environment (might be used to detect emulation)
  - Registers a broadcast receiver at runtime (usually for listening for system events)
- com.lolaage.tbulu.tools:remote (PID 4514)
  - Queries information about running processes on the device
  - Registers a broadcast receiver at runtime (usually for listening for system events)
- com.lolaage.tbulu.tools:remote (PID 4549)
  - Queries information about running processes on the device
  - Requests cell location
  - Queries information about active data network
  - Registers a broadcast receiver at runtime (usually for listening for system events)
- com.lolaage.tbulu.tools:remote (PID 4582)
  - Queries information about running processes on the device
- com.lolaage.tbulu.tools:remote (PID 4614)
  - Queries information about running processes on the device
  - Registers a broadcast receiver at runtime (usually for listening for system events)
- com.lolaage.tbulu.tools:remote (PID 4651)
  - Queries information about running processes on the device
  - Registers a broadcast receiver at runtime (usually for listening for system events)
- com.lolaage.tbulu.tools:remote (PID 4687)
  - Queries information about running processes on the device
  - Requests cell location
  - Queries information about active data network
  - Registers a broadcast receiver at runtime (usually for listening for system events)
- com.lolaage.tbulu.tools:remote (PID 4737)
  - Queries information about running processes on the device
- com.lolaage.tbulu.tools:remote (PID 4770)
  - Queries information about running processes on the device
  - Requests cell location
  - Queries information about active data network
  - Registers a broadcast receiver at runtime (usually for listening for system events)
- com.lolaage.tbulu.tools:remote (PID 4803)
  - Queries information about running processes on the device
  - Requests cell location
  - Queries information about active data network
  - Registers a broadcast receiver at runtime (usually for listening for system events)
- com.lolaage.tbulu.tools:remote (PID 4835)
  - Queries information about running processes on the device
  - Requests cell location
  - Queries information about active data network
  - Registers a broadcast receiver at runtime (usually for listening for system events)
- com.lolaage.tbulu.tools:remote (PID 4869)
  - Queries information about running processes on the device
  - Queries information about the current nearby Wi-Fi networks
  - Requests cell location
  - Queries information about active data network
  - Listens for changes in the sensor environment (might be used to detect emulation)
  - Registers a broadcast receiver at runtime (usually for listening for system events)
Network
MITRE ATT&CK Mobile v15
Defense Evasion
- Execution Guardrails (1): Geofencing (1)
- Hide Artifacts (1): User Evasion (1)
- Virtualization/Sandbox Evasion (1): System Checks (1)
Downloads
- Filesize: 4KB
  MD5: be888c6a02731e720c9f98dcc92f9226
  SHA1: 39ac337a3f78a48131037e1633e5e688d2fe58c2
  SHA256: e487a0233704712252c712b264d81993d708c967c57f2447ebd64a403b51fa57
  SHA512: d6cbd98565d2f3eb4b180d7163e3832cfbd85b25a0440dbf217df8c993b3865f87fd83b46a83059f1b05066d9483ba3ad339840fb350597fc9adbef1b3ea72d8
- Filesize: 512B
  MD5: 03ef4dbb1916b94948bf615ad7d305ad
  SHA1: b84a1622a623a8036434793f502191f3630e0a5f
  SHA256: f0f4b280445d3c9f5c8a04f579b3b428441b5c056511428e5807fcd3e8f2095c
  SHA512: fe84ef9a86e5ef06845a849d39ecfc59847c90c7a51c477424878681f6a7340cef30dc752b332fa8154c2085a7cdaea85f045e7d1f9d873661535928f0ebf8a2
- Filesize: 32KB
  MD5: 5c1476ef5aa9713a374762ecfb175ed3
  SHA1: 5d656973c5a734a3981a87fb44c5cff9ce0112c9
  SHA256: 241a549b6ea1d99343a1c3f813fc146320449b6e320fb1d9826e63f1db3694f3
  SHA512: 161373a7e1796b16ac6f654acffa75983b2890140bfc0146fc31a3bcee3d6379f926ed671c266ceabaccc53299a5335f14abff6d361dae874277bebcd4c18e14
- Filesize: 294B
  MD5: bf0497131ef446d4fd537b463311dc80
  SHA1: a8925209ad4e090e9d0fcc6089d42e1abc976b80
  SHA256: a4e06666330fc794b2974cb14bd3377fd4fd0c21b598fffb0127a9b35f8a7138
  SHA512: c22157a2f0b3a8b5d3f0ec805b1bf4501fd582793e5ddb4686ad7a611727deae33650b8e60ef4d510549ac3e9f4d22a1a892ba620904141de3e6e1d30d710870
- Filesize: 24B
  MD5: a936690571e9104e1922dda4a0ba5bd1
  SHA1: 65f49c57edde2f96be2a1dbdfc3f7351f1e66554
  SHA256: f0f5049c51879dd7da0ce4a43349b5b34ce053d072a0ca704f62cf22ba4a8412
  SHA512: 3be1c3693963aebdfc04e86b1c820ee0ec3cf0b200e6a4788ef1141f39fd6c2f77f4227247ae4affa66c0a6c027df8466cc0dcec1e67ebfb953e36bee97de394
- Filesize: 24B
  MD5: 1681ffc6e046c7af98c9e6c232a3fe0a
  SHA1: d3399b7262fb56cb9ed053d68db9291c410839c4
  SHA256: 9d908ecfb6b256def8b49a7c504e6c889c4b0e41fe6ce3e01863dd7b61a20aa0
  SHA512: 11bb994b5d2eab48b18667c7d8943e82c9011cb1d974304b8f2b6247a7e6b7f55ca2f7c62893644c3728d17dafd74ae3ba46271cf6287bb9e751c779a26fefc5
- Filesize: 160B
  MD5: 4bebe2f99ba2c5b9af38c336a5bb0c72
  SHA1: 2673c4e0e8d74fb56df53978085055bd01a250ea
  SHA256: 04aa9ab2f2090191997c83f986a6b4fd7dfc298c6c98e39580d2a750577fd95e
  SHA512: 82793d733f439e75e239d88ac6c84d6c8f1b60a7286d1fc7bfdd7f0fc575052782531fea45dff8f4dc35957c082c73479f03090ef6841fc58770880d27336c2c
- Filesize: 4KB
  MD5: cd0e98274cbc95f98ed9ba4e8963ace8
  SHA1: 37264bf7e2af30fff22855b5046bcafe06804063
  SHA256: 2be6d1c2a8f5d57175bd64cae8bfbcd5f6ad390a27e5427b8ae5fdd4ea9b3de8
  SHA512: 8870f130cf1108842c1e3a179a590cfecd61e12cfb124b16f012110511e8e94dae058c566c3342baa186571ea3645240a22bd6c66d5b6be4a50789de2e777886
- Filesize: 8KB
  MD5: d110534b9917d6ee7b3b7bbf846e102e
  SHA1: 0ded1cd2c47f23903a03ac8d25fa86a2c12d8550
  SHA256: 7a3528c4dba7f34590667707bd5cf9599c87993ab0ba34ba2109b7767b58d30d
  SHA512: d49c3a03f5cc2e3b084f4fed6867d324a8735086be0d9df9ea0cad2210a8e4369f700bb548efc33ca71cfcca53a77aabf443ae9f95e48aa00eda8967a0a71589
- Filesize: 32KB
  MD5: 3bc1f072a0de0314dc3d8d1dcfbc992b
  SHA1: 00745aeae33221dd2efb9d34e647777460c7eecc
  SHA256: 622784ebd10f0b38785cb07f23fe16a578d41b5274486458b346ad7af6b3cd64
  SHA512: 422d5b1e81685f1ebdbbc256d7170f2c7ca84e0be08958bc0f1a0ab38e17f32552d025a99222cbca07da7a58a7e59cbcb07daec49737fd07dd57ecc075f5f5a8
- Filesize: 96KB
  MD5: 3f10de8dd31dae3e00b821f5a370c7de
  SHA1: 72dd412a3b8200089a6483840b76c1f38a168e9e
  SHA256: 969982f06f18d6d1a129dc275973f893d53aa720a6997d97475dba25eb702d24
  SHA512: 67fd7204120f3bfb54038f1d66c0a5db1412449853f857b0f92b368808417c9b1bb72afe02ed7e29233de5bb5f3ae75e56814572b76f22e0432b56fb6d2807d0
- Filesize: 52KB
  MD5: 46d901760a00b94835f4ca6477ca1dad
  SHA1: 976de02455d0e83734651f7e1a411b7cf28f1913
  SHA256: a69ce1acbda11c481fdf61e4b3e5a554d8fd08ee351a35db3d9325d1c4c60293
  SHA512: d2e21d5466ff31df079c0753febd09d2c7315f52130763af8957fbfde4b02d23f7ce36bf21195c9d159abe5dd4fd770ce6fe189e03b779a6239d4d409a05f651
- Filesize: 28KB
  MD5: c3e7666ec54df28b3a414cc56f5bb169
  SHA1: 3d438a9f21ff789e609b1f3d0ada51eb561cd129
  SHA256: ef56d0af44bee408e517b10b1f937b2a54446b91799fad728d7b9af8c6ce613a
  SHA512: 14c96122f629e3ec6b1a6d47638de689e6a8f79839bba3cd9acdb8331069c6912a60161ad7b48e2c1510f8ca30a807fc3f5b88a003a73881c351bc50ff424411
- Filesize: 32KB
  MD5: bb7df04e1b0a2570657527a7e108ae23
  SHA1: 5188431849b4613152fd7bdba6a3ff0a4fd6424b
  SHA256: c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
  SHA512: 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012
- Filesize: 64KB
  MD5: 4b39a4e9c2f3ab3757e27efd38bf04c2
  SHA1: e0a6635166483038b50ea931cd1b6d647a8c2378
  SHA256: e45782e1b7c6d6502c807e1560974ecc124238c417ef2d216b91a770dfe749b8
  SHA512: b3966721a5cf71adb571158d83d8b7f74901849b80b8251a691d1c28ef46b9cd9aaf16cd2d5aea67b464acf45870c8b1a49b1fd3232d0bac8e7930d0cce0351b
- Filesize: 1KB
  MD5: 68e22a246098aab8d8e86750c54bc866
  SHA1: 32f62d96df459fc087a5b1a369a570de48ddf849
  SHA256: 2b2495d864f76d30376d16a874e4c451d3ee7923ff36149ca46924a64baff40d
  SHA512: f8c7dd18f5a59987bb3e096b932c7c616218d61c4efe43724f77dee74fb53caf37238df9edf7f3bb5946218ade0acb9a84adc2f8f816f74e0a89a3562dc4868b