Analysis
max time kernel: 149s
max time network: 154s
platform: android_x86
resource: android-x86-arm-20240624-en
resource tags: android, arch:arm, arch:x86, image:android-x86-arm-20240624-en, locale:en-us, os:android-9-x86, system
submitted: 03/11/2024, 20:17
Static task: static1
Behavioral task: behavioral1
  Sample: 8d4eab297e8f4913c33932f772a0a886_JaffaCakes118.apk
  Resource: android-x86-arm-20240624-en
Behavioral task: behavioral2
  Sample: 8d4eab297e8f4913c33932f772a0a886_JaffaCakes118.apk
  Resource: android-x64-20240624-en
General
Target: 8d4eab297e8f4913c33932f772a0a886_JaffaCakes118.apk
Size: 550KB
MD5: 8d4eab297e8f4913c33932f772a0a886
SHA1: 38f4d8b034ddec1bf5f1c1484a2b3d2fc10bbdc1
SHA256: d3655fa625d728ee9ccf7ae84024897b9d1a579faa833744b8dd46ac2935cd11
SHA512: c1ea92688f9ecff247a7a1f32a50cb71ad7b2e8ad0a6a906be8d63de1f320394457fe374fc2367ee3b57651cdf4d67ab0498c3aa4f0f5d3fd47a0f5691acff96
SSDEEP: 12288:Oe4LINCjgcNUJSlRMWU3ca27KT/jhaGOenVtIceFxEMBkO:OcNwtUMacKDOTGM9
Malware Config
Signatures
Removes its main activity from the application launcher
  pid: 4254  Process: com.lzfu.syek.pbqr
Loads dropped Dex/Jar  1 TTPs  3 IoCs
Runs executable file dropped to the device during analysis.
  ioc: /data/user/0/com.lzfu.syek.pbqr/app_mjf/dz.jar  pid: 4287  Process: /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.lzfu.syek.pbqr/app_mjf/dz.jar --output-vdex-fd=48 --oat-fd=49 --oat-location=/data/user/0/com.lzfu.syek.pbqr/app_mjf/oat/x86/dz.odex --compiler-filter=quicken --class-loader-context=&
  ioc: /data/user/0/com.lzfu.syek.pbqr/app_mjf/dz.jar  pid: 4254  Process: com.lzfu.syek.pbqr
  ioc: /data/user/0/com.lzfu.syek.pbqr/app_mjf/dz.jar  pid: 4328  Process: com.lzfu.syek.pbqr:daemon
Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps)  1 TTPs
Queries account information for other applications stored on the device  1 TTPs  1 IoCs
Application may abuse the framework's APIs to collect account information stored on the device.
  description: Framework service call  ioc: android.accounts.IAccountManager.getAccountsAsUser  Process: com.lzfu.syek.pbqr
Queries information about running processes on the device  1 TTPs  1 IoCs
Application may abuse the framework's APIs to collect information about running processes on the device.
  description: Framework service call  ioc: android.app.IActivityManager.getRunningAppProcesses  Process: com.lzfu.syek.pbqr
Domain associated with commercial stalkerware software, includes indicators from echap.eu.org  3 IoCs
  flow: 40  ioc: alog.umeng.com
  flow: 6  ioc: alog.umeng.com
  flow: 27  ioc: alog.umeng.com
Queries information about active data network  1 TTPs  1 IoCs
  description: Framework service call  ioc: android.net.IConnectivityManager.getActiveNetworkInfo  Process: com.lzfu.syek.pbqr
Queries information about the current Wi-Fi connection  1 TTPs  1 IoCs
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
  description: Framework service call  ioc: android.net.wifi.IWifiManager.getConnectionInfo  Process: com.lzfu.syek.pbqr
Registers a broadcast receiver at runtime (usually for listening for system events)  1 TTPs  1 IoCs
  description: Framework service call  ioc: android.app.IActivityManager.registerReceiver  Process: com.lzfu.syek.pbqr
Checks CPU information  2 TTPs  1 IoCs
  description: File opened for read  ioc: /proc/cpuinfo  Process: com.lzfu.syek.pbqr
Processes
com.lzfu.syek.pbqr  (PID: 4254)
  - Removes its main activity from the application launcher
  - Loads dropped Dex/Jar
  - Queries account information for other applications stored on the device
  - Queries information about running processes on the device
  - Queries information about active data network
  - Queries information about the current Wi-Fi connection
  - Registers a broadcast receiver at runtime (usually for listening for system events)
  - Checks CPU information
  /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.lzfu.syek.pbqr/app_mjf/dz.jar --output-vdex-fd=48 --oat-fd=49 --oat-location=/data/user/0/com.lzfu.syek.pbqr/app_mjf/oat/x86/dz.odex --compiler-filter=quicken --class-loader-context=&  (PID: 4287, child of 4254)
    - Loads dropped Dex/Jar
com.lzfu.syek.pbqr:daemon  (PID: 4328)
  - Loads dropped Dex/Jar
Network
MITRE ATT&CK Mobile v15
Defense Evasion
  Download New Code at Runtime (1)
  Hide Artifacts (1)
    Suppress Application Icon (1)
  Virtualization/Sandbox Evasion (1)
    System Checks (1)
Downloads
Filesize: 104KB
  MD5: 656eec0445b1ac574b87e1bd3a98d969
  SHA1: fe3e1ee6bac338416e47e90ed249cb82aeaf6bd4
  SHA256: 0817449409b55007ece8d2d25f6d4b075ebea09c7feabee79636176bb0794792
  SHA512: 9a2737d22a9e647eadf4752513df79fe960cb69ec9563a2d7f504b3e91a95a6081876ab068355b8db49c44ea8627a33ca94c0244c2909668bec2620dc71a27fd
Filesize: 733B
  MD5: b7651923c417e1746ea4abae69116ecb
  SHA1: 53795825a0878ea160fb8060b8a72d5809af23a2
  SHA256: f5cd90f670c180875154c0d37da21da54f2bf84082f636d3f4cd434047c1726e
  SHA512: bc942b59afbe61080f60577461ad3ba0c53936376eb56803030ccca1eb1ed0d26ca41c91b22fa16886bea19444c9c60e8cf920fceefa1752c932c07679d7faa4
Filesize: 104KB
  MD5: 30617d6621bcd972fcea53d04f3b2a55
  SHA1: a0a51f60773e3a1eea2f929c8f1df896b6d71e7e
  SHA256: 157b006e48d74dc023d671b5a7e9e61f96853be434db43efa8754aecba50e12b
  SHA512: d7735599a3186ba6ca0c6151299fc9353495e4cb4cf1b3a8aebfe6e0901e839f1027013aebb2d168c8fe2ace65fac6bbc89b56b8316e546bda879825febd1ad0
Filesize: 4KB
  MD5: f2b4b0190b9f384ca885f0c8c9b14700
  SHA1: 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
  SHA256: 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
  SHA512: ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1
Filesize: 512B
  MD5: ed8252bc56107301cce12b6af151e15a
  SHA1: 2e47ef5807f68492a39b4033e23b32dc7dbf3625
  SHA256: 9b6c049c5b40ff1ab4fc920c8951af9d7309af0daf576a148de22c3fdaa344dd
  SHA512: a8540ded15f7cdaf199ec2e65e54efa8d1a66022dbb0ea53dcba38cbb815cf42764ef93a811e44406dbf6cd3ea865ab8447d482262aa87650e00900eea6a1675
Filesize: 32KB
  MD5: bb7df04e1b0a2570657527a7e108ae23
  SHA1: 5188431849b4613152fd7bdba6a3ff0a4fd6424b
  SHA256: c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
  SHA512: 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012
Filesize: 60KB
  MD5: 1caa93a6bba9132f25ed0597dce693b6
  SHA1: 06ec5168572b59e04a4eddf212fe93e18f8e745a
  SHA256: bacf04161c9335390eeac94da78caafa8c4792d2f32d3ad5bbaad99f1d823e9b
  SHA512: ec8dc6e5e33710ba86294fd2b44f71246241531a0039c11abec419044e4b3792c72af22cc227a9d9c7c8d4206a4b0866fd6c8cc2c3e02d07979a6776dbba113a
Filesize: 684B
  MD5: 2f8e5f34395a95df326d285604b50e15
  SHA1: 135b3bfe7da490c07e5d9ab41d173547a73ae5bc
  SHA256: fff88f9bd10f5936c74f852d72ffa69397fc2350ee71a2853e3c8a3c16dc87b2
  SHA512: b0fe860979b799b6c21afb350bf36141f0b812c1d145e45c10568ca74032598934b38ff1acf740f84c0184b751b72d59f232c8c8512a7932ff0dca543698246d
Filesize: 162B
  MD5: 8bc7a6129e7de57b15c84522058b07f5
  SHA1: 4039bd9581b14f824e05d443aebd7455405d083a
  SHA256: f427b93d46b0e426805891a17731eabb6f9d16f0bc56f1ce4b81b0c2c6f35028
  SHA512: ee7f318c78d5b0623bde1ed55e670fa754b9126fb528f50dfd5365d234143101254bba4f28f51e6b2f68ba1b14d20ea28c6ce3d46783c93c2fbd5bc96c12d725
Filesize: 867B
  MD5: 8b2000dcdc03ad108e62ea9a19a6d9ed
  SHA1: 385a5cad5f646559d43a2bdeceb25584bf8b8633
  SHA256: 572f9dd98668b7f139821fddef14f5af701e5393095775121fc4cdbb59f70a3b
  SHA512: 931f38cc2b23fc0fdd4b907260f8a90dcf1ad96b63cf3dc9dc33acea08995478ba6ff5ae63f095d417b7b7107549c4dd4058506cf69857b7895adce419f7f5f1
Filesize: 415B
  MD5: da4e7678bf2fa5bd14952bf88b47346a
  SHA1: f94b25bdf38c06c51634cb54749332989db57a0e
  SHA256: ecd58dc68efa391fac0e5f4fa3f4c9b354f38662f0fdcbf0a79b4b132b05e463
  SHA512: c82b1e7f1aea89b20eba9f6ac5e98e89d1d2f97903a64b204aefa7c6165cc500bf0577e83c443a182d92c20ca1bfee05109564e6dd1d9a91debe3e6a80aae747
Filesize: 247KB
  MD5: daa884f34fd8ae9dd3bfb6b119ff3aff
  SHA1: 7de35d394619e09d959ed996ad265702cb8b8efa
  SHA256: c9c157972fb88b6be615c55598c6dd7bc36a518c2b24e8b6ee5fd48f532381a8
  SHA512: dc316772998f61131936b0cb6058a3ea7f144b31da11bff492408fb03ef3796604a2f887670d160e1302253d2ceac4e1621f6d26ee4293e21856a862b4f4125f
Filesize: 247KB
  MD5: 18cfdb00841ddceacea677d69a13ba5a
  SHA1: df15b27afa69a8f4e0e74c250e56df55e5701172
  SHA256: 676ca8a391c823e9a3fdd7df70a1fc30f8ebd4680db0daff3e057cc401c9ad83
  SHA512: 83886e59ac0462888e9b82475ebaeca79dcbabc8a2a01a6217c0ca122e41c1d373fb878bf6e5e885b8459f259e834df91f2c8bf30a2a52824e298a65d6dda86a