c88128e20249c5df95d9e03582e4123bb401c81e04418fd5580defd4d3d68c3a

Analysis

max time kernel
148s
max time network
156s
platform
android_x64
resource
android-x64-20240624-en
resource tags

androidarch:x64arch:x86image:android-x64-20240624-enlocale:en-usos:android-10-x64system
submitted
25-11-2024 23:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9e70048f38afc7538818be9574b91749_JaffaCakes118.apk
Size

636KB
MD5

9e70048f38afc7538818be9574b91749
SHA1

ad52388b5c91c024c11eb544b454b21eb5b08710
SHA256

c88128e20249c5df95d9e03582e4123bb401c81e04418fd5580defd4d3d68c3a
SHA512

075f013dba5e25bf615414ae7091f2898eccd17b0a6419a3d129d22a6982f69a8fd849d411b59c9cb7f761af842cd324b02fc9aaf1c2ee69bcf559609620d2a6
SSDEEP

12288:L4LUaxJLby1pXCikYPgaH9OIpleFxoMtE94vvQe6ERylTgg:b6L+/CiJPz9IiMSiydV

Score

8^/10

banker collection discovery evasion persistence stealth trojan

Malware Config

Signatures

Removes its main activity from the application launcher 1 TTPs 1 IoCs
stealth trojan evasion

Suppress Application Icon
T1628.001

Processes:

com.xicq.fcyk.qhqr

pid process

5060 com.xicq.fcyk.qhqr

pid	process
5060	com.xicq.fcyk.qhqr

Loads dropped Dex/Jar 1 TTPs 2 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

Processes:

com.xicq.fcyk.qhqrcom.xicq.fcyk.qhqr:daemon

ioc	pid	process
/data/user/0/com.xicq.fcyk.qhqr/app_mjf/dz.jar	5060	com.xicq.fcyk.qhqr
/data/user/0/com.xicq.fcyk.qhqr/app_mjf/dz.jar	5123	com.xicq.fcyk.qhqr:daemon

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Queries account information for other applications stored on the device 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect account information stored on the device.
collection

Stored Application Data
T1409

Processes:

com.xicq.fcyk.qhqr

description ioc process

Framework service call android.accounts.IAccountManager.getAccountsAsUser com.xicq.fcyk.qhqr
Queries information about running processes on the device 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about running processes on the device.
discovery

Process Discovery
T1424

Processes:

com.xicq.fcyk.qhqr

description ioc process

Framework service call android.app.IActivityManager.getRunningAppProcesses com.xicq.fcyk.qhqr
Domain associated with commercial stalkerware software, includes indicators from echap.eu.org 2 IoCs

Processes:

flow ioc

42 alog.umeng.com
6 alog.umeng.com
Queries information about active data network 1 TTPs 1 IoCs
discovery

System Network Connections Discovery
T1421

Processes:

com.xicq.fcyk.qhqr

description ioc process

Framework service call android.net.IConnectivityManager.getActiveNetworkInfo com.xicq.fcyk.qhqr
Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
discovery

System Network Connections Discovery
T1421

Processes:

com.xicq.fcyk.qhqr

description ioc process

Framework service call android.net.wifi.IWifiManager.getConnectionInfo com.xicq.fcyk.qhqr
Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
discovery

System Network Configuration Discovery
T1422
Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
persistence

Broadcast Receivers
T1624.001

Processes:

com.xicq.fcyk.qhqr

description ioc process

Framework service call android.app.IActivityManager.registerReceiver com.xicq.fcyk.qhqr
Checks CPU information 2 TTPs 1 IoCs

System Checks
T1633.001

System Information Discovery
T1426

Processes:

com.xicq.fcyk.qhqr

description ioc process

File opened for read /proc/cpuinfo com.xicq.fcyk.qhqr

description	ioc	process
Framework service call	android.accounts.IAccountManager.getAccountsAsUser	com.xicq.fcyk.qhqr

description	ioc	process
Framework service call	android.app.IActivityManager.getRunningAppProcesses	com.xicq.fcyk.qhqr

flow	ioc
42	alog.umeng.com
6	alog.umeng.com

description	ioc	process
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.xicq.fcyk.qhqr

description	ioc	process
Framework service call	android.net.wifi.IWifiManager.getConnectionInfo	com.xicq.fcyk.qhqr

description	ioc	process
Framework service call	android.app.IActivityManager.registerReceiver	com.xicq.fcyk.qhqr

description	ioc	process
File opened for read	/proc/cpuinfo	com.xicq.fcyk.qhqr

com.xicq.fcyk.qhqr
1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Queries account information for other applications stored on the device
- Queries information about running processes on the device
- Queries information about active data network
- Queries information about the current Wi-Fi connection
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Checks CPU information
PID:5060

com.xicq.fcyk.qhqr:daemon
1⤵
- Loads dropped Dex/Jar
PID:5123

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Hide Artifacts

T1628

Suppress Application Icon

T1628.001

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Discovery

Process Discovery

T1424

Software Discovery

T1418

Security Software Discovery

T1418.001

System Information Discovery

T1426

System Network Configuration Discovery

T1422

System Network Connections Discovery

T1421

Lateral Movement

Collection

Stored Application Data

T1409

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.xicq.fcyk.qhqr/app_mjf/ddz.jar

Filesize
105KB

MD5
7f1e0fe2e6a0618b6c84d48ea0586b6d

SHA1
dea54fa91f9f431b85e8c4048244a1c3c4b16665

SHA256
4225d0ce3922e9bfd5828c3507b26226b8f08f3b03d8fcf594dbf36835a9519e

SHA512
7a9e77b9ee66c7cc5d406389c8dd4f344b02c8449cfcd581586d16ce895ed0fa77f6fc8c767c32b92e75863d8133422b4ed3057f54999c3fef031146602e5df6

Download Submit
/data/data/com.xicq.fcyk.qhqr/app_mjf/oat/dz.jar.cur.prof

Filesize
730B

MD5
dd700f22a556fcad635f2dbcd470244a

SHA1
ccef6021225a1e037cf4a402384ae62e3f936a71

SHA256
cdb870b3b79e1f5490341cfbc0a1b2cc4abf4c88e53b5597161c04aa92d2901b

SHA512
41984f251c0167335c1cb34ec2b51ff7f253abd9ee9516ebd6a247856895a40d77ef6c302107374892ab6bee18d559d92b77c7a0768031e793ff51cba887e276

Download Submit
/data/data/com.xicq.fcyk.qhqr/app_mjf/tdz.jar

Filesize
105KB

MD5
fc1eb8c18ddc0f8727b5fb5eba8ca870

SHA1
af6d64fe2432bece4c523066a57f35be8f175a48

SHA256
7f4e38a3ac4fae5a400648d200d8b9897dc28606722dba44c43e5582182e5fe9

SHA512
25e5c0eafb925a6b3c6d9f8622b95d07fd8e63be2689859733b10ed65fa7f7e56e5453da64d9bd7bd7c3345f6c1a90a5dd34de9b0788f4ba080689758d5d4e66

Download Submit
/data/data/com.xicq.fcyk.qhqr/databases/lezzd

Filesize
28KB

MD5
dae68dcffc3d522a79f98ebbc3b6d457

SHA1
6df5dce9a50f12044a2d20b8d1742ae47b82ee03

SHA256
56cf91ca198812e0ef9ba4af0e96c08a32e24c917bcf2250bdebdfd7fd6f5286

SHA512
23b76f988399e9c9e4f5a7e8d19ecb765abdb115b0beee35f8ca9d221bbc5ee79f0152fac4261cc91eb9e7f874b5c6e9bff2dbb1812d31412d506cf83c16adcd

Download Submit
/data/data/com.xicq.fcyk.qhqr/databases/lezzd-journal

Filesize
8KB

MD5
641af2ed137e124e902744314589b6fd

SHA1
485b49b398d931655db931a79a2c2051b57145c4

SHA256
f55612582affbc7402ee621fe0cfe8da251ac9c3ddcaa5226cd8bc9ba84c28bf

SHA512
6a9865edc8bee4ce49e49c872cc7a1b0248e2c2a2f10afc97ee93f77865b6d5c81161f687958e7d2848048f0380317af53e1186f8f14997b0d2003b0b37abe3a

Download Submit
/data/data/com.xicq.fcyk.qhqr/databases/lezzd-journal

Filesize
8KB

MD5
f68810bfc277c935dc6d02553173bc12

SHA1
74397801590ee1f6349af16e1fe98b51b281c46c

SHA256
a524ccf3162d7fb9482a6e32ee7131083424e9f00046072d146413250eded868

SHA512
6245de88de377a86d5a77ba853157c6dfde063374f0a41d6318ddd5d3f25711ffe355faa6ae68bc684e849e586a34799e65c4d195436a13a04f344a8aaf7b038

Download Submit
/data/data/com.xicq.fcyk.qhqr/databases/lezzd-journal

Filesize
8KB

MD5
712ff34951932861e732ebc9a1cbe470

SHA1
2dc63e2de1b210792c1e7b08bdde3e86a6e4c1b4

SHA256
70578e01da5dbc4a72aa26640931d29c37805600accf994ae196b5e5ae0f3823

SHA512
205f1f26ab5130e67e9e710a4c17cc7f6d05ee8dab7ca94dbd1382e668845dfb8dae7a3222cb1c335ab27aa7886721401a931bcce8a31863e5577916cdad4031

Download Submit
/data/data/com.xicq.fcyk.qhqr/databases/lezzd-journal

Filesize
512B

MD5
3026bfbda9d030f3761570386e3f4b2c

SHA1
e4681a9b27da1afd10aa0b570fd17b4a5427ab58

SHA256
95787fa8c04590517edf253d6d8ea4f9ccde76eb6b2a7c10b6473c36c509fa17

SHA512
68313b27b033ccfc5b3fd39eb679ef3041b74853055d4c744538af048729f31cf711a736c226c96847ef70e4fd9f98b2d3b44afcd6bbabdda1d509ab12bdb691

Download Submit
/data/data/com.xicq.fcyk.qhqr/databases/lezzd-journal

Filesize
8KB

MD5
fad9f4276b5cd1fd2e73d84367a46983

SHA1
7381e17319c13aa1c79d6fe8d56fe66fe4213128

SHA256
c02c621dc4eb0cccc8110afd6d34786b08f4e10938468dca28f07b0d7473df44

SHA512
4f945cebcffa56e174f77a782897ed7e053e8c99d93e9b93dcd596fd3e0014bebc65315f7fd214083a2843d3aa96dd8ef2b74299af6d041c6b122f2ebbce819b

Download Submit
/data/data/com.xicq.fcyk.qhqr/databases/lezzd-journal

Filesize
4KB

MD5
f1700d5501ad1d6ffa79593c39b7e67b

SHA1
3db6495175ba22f18215c55d3de59326c512ebde

SHA256
da88e5c53c8cd15f2154895a5e1b6d3356f47ca24f5ceb06ce48f968aa225d7e

SHA512
f06e716e6d81f686f3309797087d4a0a7287bfe3d518ed12f90fb34f037f353fbdbb23e992471d7b6e6569473bcb1e1ab858a84fbe90480e3c332f39f1a3bd5d

Download Submit
/data/data/com.xicq.fcyk.qhqr/files/.um/um_cache_1732576121564.env

Filesize
657B

MD5
c41b0fdae0cc115a49c0c39d04930e73

SHA1
dcb09cead16d59bb9cf1ae662bec1711a9b9a8ad

SHA256
b99595d348c264f557813c46667220f1872d018119ee0f733f71113bb63ffb20

SHA512
179cd34569a975b7422b75c5cc8fbf985b35b751b31e861f1d0600ce1a4a92ab12ac6ec58d00aa8810be95b84c2ed7dd8f924628a4ca8ae49cee61536e65a4f7

Download Submit
/data/data/com.xicq.fcyk.qhqr/files/.umeng/exchangeIdentity.json

Filesize
162B

MD5
60f210f52c11df1b7ae0f755499add7d

SHA1
5caf8c36b624e465a968f90a1f794682c37772cc

SHA256
3e66d2c4949b1ecf2581890b530c7420953647e1cc38b833b3e951c7a49c1c73

SHA512
30c73775029fc279fba3c90001317fefd7772aa34381cf7cf0153ff5dfea5adff2f62f610893fbbd3c1dc41f4a4b06b3eb3a5b1673cfac6843a105972334a544

Download Submit
/data/data/com.xicq.fcyk.qhqr/files/mobclick_agent_cached_com.xicq.fcyk.qhqr1

Filesize
803B

MD5
e54e129c32fafd9f1d1fb598406b6253

SHA1
3540072eae78277a4c63bb709560ee902b4d37a7

SHA256
ba3e1aa84ee855594f3808180ddf1cbf582e0792bb96991250dd2337598ced14

SHA512
b0638bfb799054f8976202eb8b53df976c29600527afd09ca3a68dacbe2188e5495b9794ceadaa08535bb4752604c88b7cf1577a973ec4033035026e13ed418f

Download Submit
/data/data/com.xicq.fcyk.qhqr/files/umeng_it.cache

Filesize
350B

MD5
739bcc24afb343d7eefdae8ea48fa9f7

SHA1
9ad328a8d71b437e6db4b3d7790602bdaf6ecadf

SHA256
6bf028352ee51a34de3e2499a7cdd4410428e8413454341e539106d0caa6d483

SHA512
d6b96154d1f1ae1dc3973341492b9fa1cd1d8377ca352300a37b7d2ae21f0d9dc18920842b4de895a222b73761704aa059e8b18b9545967b811452eda755febe

Download Submit
/data/user/0/com.xicq.fcyk.qhqr/app_mjf/dz.jar

Filesize
249KB

MD5
789a4162427149dd5e519f917ead0e29

SHA1
d2bd738c28ec21c0441c6daaefc206a6a76f8e1c

SHA256
830643d652f95c85fa7665c202f93822b08f106cfeae9202a8a7d894292a36c0

SHA512
b6a8d5c20792cea1035a7f7684bc03b3f184a0bbba3f5c322b26cc75fd50002e749882d6ac6177a93115ce93b1b3d4721f4449d2007ad700e0633a11579f7e37

Download Submit