Analysis

  • max time kernel
    149s
  • max time network
    156s
  • platform
    android_x64
  • resource
    android-x64-arm64-20240624-en
  • resource tags

    android, arch:arm, arch:arm64, arch:x64, arch:x86, image:android-x64-arm64-20240624-en, locale:en-us, os:android-11-x64, system
  • submitted
    03/11/2024, 20:17

General

  • Target

    8d4eab297e8f4913c33932f772a0a886_JaffaCakes118.apk

  • Size

    550KB

  • MD5

    8d4eab297e8f4913c33932f772a0a886

  • SHA1

    38f4d8b034ddec1bf5f1c1484a2b3d2fc10bbdc1

  • SHA256

    d3655fa625d728ee9ccf7ae84024897b9d1a579faa833744b8dd46ac2935cd11

  • SHA512

    c1ea92688f9ecff247a7a1f32a50cb71ad7b2e8ad0a6a906be8d63de1f320394457fe374fc2367ee3b57651cdf4d67ab0498c3aa4f0f5d3fd47a0f5691acff96

  • SSDEEP

    12288:Oe4LINCjgcNUJSlRMWU3ca27KT/jhaGOenVtIceFxEMBkO:OcNwtUMacKDOTGM9

Malware Config

Signatures

  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Queries account information for other applications stored on the device 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect account information stored on the device.

  • Queries information about running processes on the device 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about running processes on the device.

  • Domain associated with commercial stalkerware software, includes indicators from echap.eu.org 2 IoCs
  • Queries information about active data network 1 TTPs 1 IoCs
  • Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

  • Reads information about phone network operator 1 TTPs
  • Checks CPU information 2 TTPs 1 IoCs

Processes

  • com.lzfu.syek.pbqr
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Queries account information for other applications stored on the device
    • Queries information about running processes on the device
    • Queries information about active data network
    • Queries information about the current Wi-Fi connection
    • Checks CPU information
    PID:4515
  • com.lzfu.syek.pbqr:daemon
    • Loads dropped Dex/Jar
    PID:4588

Network

MITRE ATT&CK Mobile v15

Downloads

  • /data/user/0/com.lzfu.syek.pbqr/app_mjf/ddz.jar

    Filesize

    104KB

    MD5

    656eec0445b1ac574b87e1bd3a98d969

    SHA1

    fe3e1ee6bac338416e47e90ed249cb82aeaf6bd4

    SHA256

    0817449409b55007ece8d2d25f6d4b075ebea09c7feabee79636176bb0794792

    SHA512

    9a2737d22a9e647eadf4752513df79fe960cb69ec9563a2d7f504b3e91a95a6081876ab068355b8db49c44ea8627a33ca94c0244c2909668bec2620dc71a27fd

  • /data/user/0/com.lzfu.syek.pbqr/app_mjf/dz.jar

    Filesize

    247KB

    MD5

    18cfdb00841ddceacea677d69a13ba5a

    SHA1

    df15b27afa69a8f4e0e74c250e56df55e5701172

    SHA256

    676ca8a391c823e9a3fdd7df70a1fc30f8ebd4680db0daff3e057cc401c9ad83

    SHA512

    83886e59ac0462888e9b82475ebaeca79dcbabc8a2a01a6217c0ca122e41c1d373fb878bf6e5e885b8459f259e834df91f2c8bf30a2a52824e298a65d6dda86a

  • /data/user/0/com.lzfu.syek.pbqr/app_mjf/tdz.jar

    Filesize

    104KB

    MD5

    30617d6621bcd972fcea53d04f3b2a55

    SHA1

    a0a51f60773e3a1eea2f929c8f1df896b6d71e7e

    SHA256

    157b006e48d74dc023d671b5a7e9e61f96853be434db43efa8754aecba50e12b

    SHA512

    d7735599a3186ba6ca0c6151299fc9353495e4cb4cf1b3a8aebfe6e0901e839f1027013aebb2d168c8fe2ace65fac6bbc89b56b8316e546bda879825febd1ad0

  • /data/user/0/com.lzfu.syek.pbqr/databases/lezzd

    Filesize

    28KB

    MD5

    fdb8a92e5060ce104e8f0faca55a47ce

    SHA1

    270d7ca30673e18cec1d2b9add71cba96dc426fe

    SHA256

    194b40a3911f23ea75c8f4543a13c1236ae15b02c0228a080615a1012f60e05a

    SHA512

    ad962634ddd027403b5677a9ca979763071ef4a9b6f0127b0c1fd4b3a8bc51f5c4fa71245c301d0dbbf60e18953a94621715ce3ca4addef82b18030e3d718122

  • /data/user/0/com.lzfu.syek.pbqr/databases/lezzd-journal

    Filesize

    8KB

    MD5

    52f3ba824a66ab3493c94f74138c9fcc

    SHA1

    31fd48a70c0726209551998c5d7a7faaf61705e7

    SHA256

    d5b7ceba9936e0a4cd26a3fe36d01d62914399f7b3b84a2a2ecf4288eca3ebdd

    SHA512

    f7bbb1f776835250263fa6d2dfebab67354b45c4bd0f639bd010d0e612503c46377ce2f9d3f5ff403258565797dda679d557dc00dc7de7f9dc4114d974e2be77

  • /data/user/0/com.lzfu.syek.pbqr/databases/lezzd-journal

    Filesize

    8KB

    MD5

    096fc2139b5a65fafe6d62950370f6ae

    SHA1

    e60c7b80decc97174bfe2cf05305b868968bea24

    SHA256

    fdeb8b8ea934eb91bb440cb5dc8f460880308ecbcc3b6917057d5da648561fb8

    SHA512

    0453e7c19caaa141a54b6dceadc2b1f6be9a383871b08e0fcfb771b4b0a8ed390933c16534db41879660f19cc4d270924d0f76db8c290f260fbb94f1ed8ea425

  • /data/user/0/com.lzfu.syek.pbqr/databases/lezzd-journal

    Filesize

    8KB

    MD5

    356d1fa6ec56cd9e4ef1a9731ec69aa2

    SHA1

    fbc4beb3a0c6bba775000521b5b50fae8101b4f0

    SHA256

    ddab3f6cbd9faa0838907b26d91eefc900c3985bd53b411622c4ef213a1f39d9

    SHA512

    8748b418f6f433586a77d68296c03db1486e7c66da3700494c45c8634895410bf00a502c746dda5ed3e0bc359b345f4c9eaf3fc1a597132f40fe26ee132bfe03

  • /data/user/0/com.lzfu.syek.pbqr/databases/lezzd-journal

    Filesize

    512B

    MD5

    13c344a10ee66cf22650be273a52f2c0

    SHA1

    17a8fe93c9dec1b6b63d1cc1ff30b0e3dc03b24d

    SHA256

    dc4bfbbd45b8808dee72864841e1f9309946e46adee4899221ba48294ba5b1fe

    SHA512

    e98e5c1851115190a601ddaa27378d74ff88c34c0dc158a75845776d464f6467b4a90c698eb73e140b30a294b6e9c0dc6f490ecbc1160134378b620a572e3d2c

  • /data/user/0/com.lzfu.syek.pbqr/databases/lezzd-journal

    Filesize

    8KB

    MD5

    c1b07ddd510db2caeaead78e755815b0

    SHA1

    f54f3c507464b514ee443f7c0777c7ce75607640

    SHA256

    41f75ed60f75ebe524dd7c53b7c716a0dd5a5bbfc54c7ac4bbe06ce4f45ee415

    SHA512

    3195cbdfb8211907e99a071b382ad3a78f167298fa4e940630bc397f4bf8e3ea1a7e8ea391f48ed0f333330afc3205531f0d2e65e356d3326c76cd36b70605b8

  • /data/user/0/com.lzfu.syek.pbqr/databases/lezzd-journal

    Filesize

    4KB

    MD5

    57be8b73f2d4886f203e8e913b8601ea

    SHA1

    179eac413521b7a1defb1af6e4bc4372258dbca6

    SHA256

    843a99f48de45b7821137c2d97a8dac6a18e5c3e1a0656496e572449ea0e6bc5

    SHA512

    97256f25329ea7be58dbd0691561ad14f3d75149fff17e5e4168194b9a8b5931f44633e00a4430e2e21e45716404fb599a34d9e7536ed2b62eaac9f6f86431d2

  • /data/user/0/com.lzfu.syek.pbqr/files/.um/um_cache_1730665126127.env

    Filesize

    657B

    MD5

    4815d175bab4a3198357647921691972

    SHA1

    48ebb44405d8611c5afff3eba59ffdd3615a7725

    SHA256

    634e893d518d88e3b47228f5c40da1ebc8c59fa7fb8022d64630003dca145122

    SHA512

    7d5c1d4443a0584b97b2cfb1609797bdcc852b8dad33bb384b30e09c7d2d682162f980f2483a47b17b2c5cdd48e24dbbee8b3cf086d06f9a154dd7ed5d9b66b1

  • /data/user/0/com.lzfu.syek.pbqr/files/.umeng/exchangeIdentity.json

    Filesize

    162B

    MD5

    67850f72b23b7585f0b88917afd56af7

    SHA1

    fc581ca11845d26cdbe57445a6004e4c57ec7eec

    SHA256

    13ff070db075609298508087b0d2bdab6078d54fe31f17f2f00f20a185ac51dd

    SHA512

    aeb42acb319d8ecfec6b3e8e032a721f66175fe2ec87dbacd93bb1a2dd62f663619588a071d10e2211e4ab1fe209652d54a8796db8df420bdbbfdcefaa592304

  • /data/user/0/com.lzfu.syek.pbqr/files/mobclick_agent_cached_com.lzfu.syek.pbqr1

    Filesize

    806B

    MD5

    082b2d83953e14e03709c867d4a5df5f

    SHA1

    074e1a7ebdca796ebcc276bd78042fa5b4fb8606

    SHA256

    33191475a7e279ba872eb33730b106aeb5d141747c633cec20aea9b8ca49bbd8

    SHA512

    f640c866e11d9ca3f4562efc5b0a1edabdd5d37ae6a021ac5769ba4058e4d83506e52d67d6c17b2fc0525b0955effd85cc299077097903d3a28cc0741783b35e

  • /data/user/0/com.lzfu.syek.pbqr/files/umeng_it.cache

    Filesize

    352B

    MD5

    57322e0e50feb28317f8dee350faad80

    SHA1

    35df229115e9fae23cb778aecab4952d30d45090

    SHA256

    139e382e7d269ff22cb881d82aa6cb7a53346254ed11bc89b79c2fe328a3864d

    SHA512

    0f9f9586aaf4dd5ee9fe098c03516971e6d173ba24194216ee2634e24ca5dc2ab8fe6260f8a9a65e74471bd7d97fcc929733bf4944e3120f8df9adf732716db6