Analysis

  • max time kernel
    149s
  • max time network
    154s
  • platform
    android_x86
  • resource
    android-x86-arm-20240624-en
  • resource tags

    android
    arch:arm
    arch:x86
    image:android-x86-arm-20240624-en
    locale:en-us
    os:android-9-x86
    system
  • submitted
    03/11/2024, 20:17

General

  • Target

    8d4eab297e8f4913c33932f772a0a886_JaffaCakes118.apk

  • Size

    550KB

  • MD5

    8d4eab297e8f4913c33932f772a0a886

  • SHA1

    38f4d8b034ddec1bf5f1c1484a2b3d2fc10bbdc1

  • SHA256

    d3655fa625d728ee9ccf7ae84024897b9d1a579faa833744b8dd46ac2935cd11

  • SHA512

    c1ea92688f9ecff247a7a1f32a50cb71ad7b2e8ad0a6a906be8d63de1f320394457fe374fc2367ee3b57651cdf4d67ab0498c3aa4f0f5d3fd47a0f5691acff96

  • SSDEEP

    12288:Oe4LINCjgcNUJSlRMWU3ca27KT/jhaGOenVtIceFxEMBkO:OcNwtUMacKDOTGM9

Malware Config

Signatures

  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 3 IoCs

    Runs executable file dropped to the device during analysis.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Queries account information for other applications stored on the device 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect account information stored on the device.

  • Queries information about running processes on the device 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about running processes on the device.

  • Domain associated with commercial stalkerware software, includes indicators from echap.eu.org 3 IoCs
  • Queries information about active data network 1 TTPs 1 IoCs
  • Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
  • Checks CPU information 2 TTPs 1 IoCs

Processes

  • com.lzfu.syek.pbqr
    1⤵
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Queries account information for other applications stored on the device
    • Queries information about running processes on the device
    • Queries information about active data network
    • Queries information about the current Wi-Fi connection
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Checks CPU information
    PID:4254
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.lzfu.syek.pbqr/app_mjf/dz.jar --output-vdex-fd=48 --oat-fd=49 --oat-location=/data/user/0/com.lzfu.syek.pbqr/app_mjf/oat/x86/dz.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4287
  • com.lzfu.syek.pbqr:daemon
    1⤵
    • Loads dropped Dex/Jar
    PID:4328
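
The dex2oat invocation above is the ART compiler being asked to compile dz.jar out of the app's private app_mjf directory, which is what the "Loads dropped Dex/Jar" signature keys on; the Downloads section further down lists that same dz.jar twice with different hashes, so the payload was rewritten during the run. The Python helper below is an added example and is not part of the sandbox report. It parses a dex2oat command line for --dex-file= arguments, flags code archives compiled from the app's own data directory rather than from its installed APK under /data/app/, and correlates them with the dropped-file hashes so the loader's real payload hashes can be pivoted on. The package name, command line and hash records are copied from this report; the function names, the path regex and the code-suffix list are this example's own assumptions, and the check is a triage heuristic (some legitimate apps do load code from their private directory), not proof of malice.

```python
"""Triage helpers for dynamic code loading seen in an Android sandbox run.

Added example, not part of the sandbox report. The package name, dex2oat
command line and dropped-file hashes are copied from the report; the function
names, the path regex and the code-suffix list are this example's own
assumptions.
"""
import re
import shlex

PACKAGE = "com.lzfu.syek.pbqr"

# dex2oat command line from the Processes section. The final
# "--class-loader-context=&" argument is complete: ART uses "&" to encode an
# unspecified class loader context.
DEX2OAT_CMDLINE = (
    "/system/bin/dex2oat --instruction-set=x86 "
    "--instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt "
    "--runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate "
    "--boot-image=/system/framework/boot.art "
    "--runtime-arg -Xms64m --runtime-arg -Xmx512m "
    "--instruction-set-variant=x86 --instruction-set-features=default "
    "--inline-max-code-units=0 --compact-dex-level=none "
    "--dex-file=/data/user/0/com.lzfu.syek.pbqr/app_mjf/dz.jar "
    "--output-vdex-fd=48 --oat-fd=49 "
    "--oat-location=/data/user/0/com.lzfu.syek.pbqr/app_mjf/oat/x86/dz.odex "
    "--compiler-filter=quicken --class-loader-context=&"
)

# (path, sha256) pairs from the Downloads section; dz.jar appears twice with
# different hashes because it was rewritten during the run.
DROPPED = [
    ("/data/data/com.lzfu.syek.pbqr/app_mjf/ddz.jar",
     "0817449409b55007ece8d2d25f6d4b075ebea09c7feabee79636176bb0794792"),
    ("/data/data/com.lzfu.syek.pbqr/app_mjf/tdz.jar",
     "157b006e48d74dc023d671b5a7e9e61f96853be434db43efa8754aecba50e12b"),
    ("/data/data/com.lzfu.syek.pbqr/databases/lezzd",
     "0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514"),
    ("/data/user/0/com.lzfu.syek.pbqr/app_mjf/dz.jar",
     "c9c157972fb88b6be615c55598c6dd7bc36a518c2b24e8b6ee5fd48f532381a8"),
    ("/data/user/0/com.lzfu.syek.pbqr/app_mjf/dz.jar",
     "676ca8a391c823e9a3fdd7df70a1fc30f8ebd4680db0daff3e057cc401c9ad83"),
]

# Archive types DexClassLoader / ART will load code from (assumed list).
CODE_SUFFIXES = (".dex", ".jar", ".apk", ".zip")

# Private data dir of an app: /data/data/<pkg>/... or /data/user/<n>/<pkg>/...
# Installed APKs live under /data/app/ and do not match this pattern.
APP_DATA_RE = re.compile(r"^/data/(?:data|user/\d+)/([A-Za-z0-9_.]+)/")


def dex_files_from_dex2oat(cmdline):
    """Return every --dex-file= path passed to dex2oat, in order."""
    prefix = "--dex-file="
    return [tok[len(prefix):] for tok in shlex.split(cmdline)
            if tok.startswith(prefix)]


def owning_package(path):
    """Package whose private data directory contains path, or None."""
    m = APP_DATA_RE.match(path)
    return m.group(1) if m else None


def is_runtime_loaded_code(path, package):
    """Heuristic: a code archive inside the app's own data directory was
    written at runtime rather than installed as part of the APK."""
    return path.endswith(CODE_SUFFIXES) and owning_package(path) == package


def triage(package, cmdline, dropped):
    """Correlate dex2oat activity with dropped files for one package."""
    compiled = [p for p in dex_files_from_dex2oat(cmdline)
                if is_runtime_loaded_code(p, package)]
    hashes_by_path = {}
    for path, sha256 in dropped:
        if is_runtime_loaded_code(path, package):
            hashes_by_path.setdefault(path, []).append(sha256)
    # A code file dropped more than once with different content means the
    # payload was replaced (or decrypted in place) during the run.
    rewritten = sorted(p for p, hs in hashes_by_path.items() if len(set(hs)) > 1)
    # Hashes of dropped code the runtime actually compiled: these are the IoCs
    # worth pivoting on, since the outer APK is only the loader.
    compiled_hashes = sorted(h for p in compiled for h in hashes_by_path.get(p, []))
    return {
        "compiled": compiled,
        "dropped_code": hashes_by_path,
        "rewritten": rewritten,
        "compiled_hashes": compiled_hashes,
    }


if __name__ == "__main__":
    for key, value in triage(PACKAGE, DEX2OAT_CMDLINE, DROPPED).items():
        print(key, value)
```

Run against this report the helper reports dz.jar as the archive dex2oat compiled, ddz.jar and tdz.jar as further dropped code in the same directory, the SQLite database lezzd as non-code, and dz.jar as rewritten during the run, which is why both of its SHA256 values belong in the indicator set alongside the outer APK's hashes.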

Network

MITRE ATT&CK Mobile v15


Downloads

  • /data/data/com.lzfu.syek.pbqr/app_mjf/ddz.jar

    Filesize

    104KB

    MD5

    656eec0445b1ac574b87e1bd3a98d969

    SHA1

    fe3e1ee6bac338416e47e90ed249cb82aeaf6bd4

    SHA256

    0817449409b55007ece8d2d25f6d4b075ebea09c7feabee79636176bb0794792

    SHA512

    9a2737d22a9e647eadf4752513df79fe960cb69ec9563a2d7f504b3e91a95a6081876ab068355b8db49c44ea8627a33ca94c0244c2909668bec2620dc71a27fd

  • /data/data/com.lzfu.syek.pbqr/app_mjf/oat/dz.jar.cur.prof

    Filesize

    733B

    MD5

    b7651923c417e1746ea4abae69116ecb

    SHA1

    53795825a0878ea160fb8060b8a72d5809af23a2

    SHA256

    f5cd90f670c180875154c0d37da21da54f2bf84082f636d3f4cd434047c1726e

    SHA512

    bc942b59afbe61080f60577461ad3ba0c53936376eb56803030ccca1eb1ed0d26ca41c91b22fa16886bea19444c9c60e8cf920fceefa1752c932c07679d7faa4

  • /data/data/com.lzfu.syek.pbqr/app_mjf/tdz.jar

    Filesize

    104KB

    MD5

    30617d6621bcd972fcea53d04f3b2a55

    SHA1

    a0a51f60773e3a1eea2f929c8f1df896b6d71e7e

    SHA256

    157b006e48d74dc023d671b5a7e9e61f96853be434db43efa8754aecba50e12b

    SHA512

    d7735599a3186ba6ca0c6151299fc9353495e4cb4cf1b3a8aebfe6e0901e839f1027013aebb2d168c8fe2ace65fac6bbc89b56b8316e546bda879825febd1ad0

  • /data/data/com.lzfu.syek.pbqr/databases/lezzd

    Filesize

    4KB

    MD5

    f2b4b0190b9f384ca885f0c8c9b14700

    SHA1

    934ff2646757b5b6e7f20f6a0aa76c7f995d9361

    SHA256

    0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

    SHA512

    ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

  • /data/data/com.lzfu.syek.pbqr/databases/lezzd-journal

    Filesize

    512B

    MD5

    ed8252bc56107301cce12b6af151e15a

    SHA1

    2e47ef5807f68492a39b4033e23b32dc7dbf3625

    SHA256

    9b6c049c5b40ff1ab4fc920c8951af9d7309af0daf576a148de22c3fdaa344dd

    SHA512

    a8540ded15f7cdaf199ec2e65e54efa8d1a66022dbb0ea53dcba38cbb815cf42764ef93a811e44406dbf6cd3ea865ab8447d482262aa87650e00900eea6a1675

  • /data/data/com.lzfu.syek.pbqr/databases/lezzd-shm

    Filesize

    32KB

    MD5

    bb7df04e1b0a2570657527a7e108ae23

    SHA1

    5188431849b4613152fd7bdba6a3ff0a4fd6424b

    SHA256

    c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

    SHA512

    768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

  • /data/data/com.lzfu.syek.pbqr/databases/lezzd-wal

    Filesize

    60KB

    MD5

    1caa93a6bba9132f25ed0597dce693b6

    SHA1

    06ec5168572b59e04a4eddf212fe93e18f8e745a

    SHA256

    bacf04161c9335390eeac94da78caafa8c4792d2f32d3ad5bbaad99f1d823e9b

    SHA512

    ec8dc6e5e33710ba86294fd2b44f71246241531a0039c11abec419044e4b3792c72af22cc227a9d9c7c8d4206a4b0866fd6c8cc2c3e02d07979a6776dbba113a

  • /data/data/com.lzfu.syek.pbqr/files/.um/um_cache_1730665124084.env

    Filesize

    684B

    MD5

    2f8e5f34395a95df326d285604b50e15

    SHA1

    135b3bfe7da490c07e5d9ab41d173547a73ae5bc

    SHA256

    fff88f9bd10f5936c74f852d72ffa69397fc2350ee71a2853e3c8a3c16dc87b2

    SHA512

    b0fe860979b799b6c21afb350bf36141f0b812c1d145e45c10568ca74032598934b38ff1acf740f84c0184b751b72d59f232c8c8512a7932ff0dca543698246d

  • /data/data/com.lzfu.syek.pbqr/files/.umeng/exchangeIdentity.json

    Filesize

    162B

    MD5

    8bc7a6129e7de57b15c84522058b07f5

    SHA1

    4039bd9581b14f824e05d443aebd7455405d083a

    SHA256

    f427b93d46b0e426805891a17731eabb6f9d16f0bc56f1ce4b81b0c2c6f35028

    SHA512

    ee7f318c78d5b0623bde1ed55e670fa754b9126fb528f50dfd5365d234143101254bba4f28f51e6b2f68ba1b14d20ea28c6ce3d46783c93c2fbd5bc96c12d725

  • /data/data/com.lzfu.syek.pbqr/files/mobclick_agent_cached_com.lzfu.syek.pbqr1

    Filesize

    867B

    MD5

    8b2000dcdc03ad108e62ea9a19a6d9ed

    SHA1

    385a5cad5f646559d43a2bdeceb25584bf8b8633

    SHA256

    572f9dd98668b7f139821fddef14f5af701e5393095775121fc4cdbb59f70a3b

    SHA512

    931f38cc2b23fc0fdd4b907260f8a90dcf1ad96b63cf3dc9dc33acea08995478ba6ff5ae63f095d417b7b7107549c4dd4058506cf69857b7895adce419f7f5f1

  • /data/data/com.lzfu.syek.pbqr/files/umeng_it.cache

    Filesize

    415B

    MD5

    da4e7678bf2fa5bd14952bf88b47346a

    SHA1

    f94b25bdf38c06c51634cb54749332989db57a0e

    SHA256

    ecd58dc68efa391fac0e5f4fa3f4c9b354f38662f0fdcbf0a79b4b132b05e463

    SHA512

    c82b1e7f1aea89b20eba9f6ac5e98e89d1d2f97903a64b204aefa7c6165cc500bf0577e83c443a182d92c20ca1bfee05109564e6dd1d9a91debe3e6a80aae747

  • /data/user/0/com.lzfu.syek.pbqr/app_mjf/dz.jar

    Filesize

    247KB

    MD5

    daa884f34fd8ae9dd3bfb6b119ff3aff

    SHA1

    7de35d394619e09d959ed996ad265702cb8b8efa

    SHA256

    c9c157972fb88b6be615c55598c6dd7bc36a518c2b24e8b6ee5fd48f532381a8

    SHA512

    dc316772998f61131936b0cb6058a3ea7f144b31da11bff492408fb03ef3796604a2f887670d160e1302253d2ceac4e1621f6d26ee4293e21856a862b4f4125f

  • /data/user/0/com.lzfu.syek.pbqr/app_mjf/dz.jar

    Filesize

    247KB

    MD5

    18cfdb00841ddceacea677d69a13ba5a

    SHA1

    df15b27afa69a8f4e0e74c250e56df55e5701172

    SHA256

    676ca8a391c823e9a3fdd7df70a1fc30f8ebd4680db0daff3e057cc401c9ad83

    SHA512

    83886e59ac0462888e9b82475ebaeca79dcbabc8a2a01a6217c0ca122e41c1d373fb878bf6e5e885b8459f259e834df91f2c8bf30a2a52824e298a65d6dda86a