c88128e20249c5df95d9e03582e4123bb401c81e04418fd5580defd4d3d68c3a

Analysis

max time kernel
148s
max time network
156s
platform
android_x64
resource
android-x64-arm64-20240624-en
resource tags

androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240624-enlocale:en-usos:android-11-x64system
submitted
25-11-2024 23:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9e70048f38afc7538818be9574b91749_JaffaCakes118.apk
Size

636KB
MD5

9e70048f38afc7538818be9574b91749
SHA1

ad52388b5c91c024c11eb544b454b21eb5b08710
SHA256

c88128e20249c5df95d9e03582e4123bb401c81e04418fd5580defd4d3d68c3a
SHA512

075f013dba5e25bf615414ae7091f2898eccd17b0a6419a3d129d22a6982f69a8fd849d411b59c9cb7f761af842cd324b02fc9aaf1c2ee69bcf559609620d2a6
SSDEEP

12288:L4LUaxJLby1pXCikYPgaH9OIpleFxoMtE94vvQe6ERylTgg:b6L+/CiJPz9IiMSiydV

Score

8^/10

banker collection discovery evasion stealth trojan

Malware Config

Signatures

Removes its main activity from the application launcher 1 TTPs 1 IoCs
stealth trojan evasion

Suppress Application Icon
T1628.001

Processes:

com.xicq.fcyk.qhqr

pid process

4477 com.xicq.fcyk.qhqr

pid	process
4477	com.xicq.fcyk.qhqr

Loads dropped Dex/Jar 1 TTPs 2 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

Processes:

com.xicq.fcyk.qhqrcom.xicq.fcyk.qhqr:daemon

ioc	pid	process
/data/user/0/com.xicq.fcyk.qhqr/app_mjf/dz.jar	4477	com.xicq.fcyk.qhqr
/data/user/0/com.xicq.fcyk.qhqr/app_mjf/dz.jar	4550	com.xicq.fcyk.qhqr:daemon

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Queries account information for other applications stored on the device 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect account information stored on the device.
collection

Stored Application Data
T1409

Processes:

com.xicq.fcyk.qhqr

description ioc process

Framework service call android.accounts.IAccountManager.getAccountsAsUser com.xicq.fcyk.qhqr
Queries information about running processes on the device 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about running processes on the device.
discovery

Process Discovery
T1424

Processes:

com.xicq.fcyk.qhqr

description ioc process

Framework service call android.app.IActivityManager.getRunningAppProcesses com.xicq.fcyk.qhqr
Domain associated with commercial stalkerware software, includes indicators from echap.eu.org 3 IoCs

Processes:

flow ioc

25 alog.umeng.com
49 alog.umeng.com
61 alog.umeng.com
Queries information about active data network 1 TTPs 1 IoCs
discovery

System Network Connections Discovery
T1421

Processes:

com.xicq.fcyk.qhqr

description ioc process

Framework service call android.net.IConnectivityManager.getActiveNetworkInfo com.xicq.fcyk.qhqr
Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
discovery

System Network Connections Discovery
T1421

Processes:

com.xicq.fcyk.qhqr

description ioc process

Framework service call android.net.wifi.IWifiManager.getConnectionInfo com.xicq.fcyk.qhqr
Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422
Checks CPU information 2 TTPs 1 IoCs

System Checks
T1633.001

System Information Discovery
T1426

Processes:

com.xicq.fcyk.qhqr

description ioc process

File opened for read /proc/cpuinfo com.xicq.fcyk.qhqr

description	ioc	process
Framework service call	android.accounts.IAccountManager.getAccountsAsUser	com.xicq.fcyk.qhqr

description	ioc	process
Framework service call	android.app.IActivityManager.getRunningAppProcesses	com.xicq.fcyk.qhqr

flow	ioc
25	alog.umeng.com
49	alog.umeng.com
61	alog.umeng.com

description	ioc	process
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.xicq.fcyk.qhqr

description	ioc	process
Framework service call	android.net.wifi.IWifiManager.getConnectionInfo	com.xicq.fcyk.qhqr

description	ioc	process
File opened for read	/proc/cpuinfo	com.xicq.fcyk.qhqr

com.xicq.fcyk.qhqr
1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Queries account information for other applications stored on the device
- Queries information about running processes on the device
- Queries information about active data network
- Queries information about the current Wi-Fi connection
- Checks CPU information
PID:4477

com.xicq.fcyk.qhqr:daemon
1⤵
- Loads dropped Dex/Jar
PID:4550

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Hide Artifacts

T1628

Suppress Application Icon

T1628.001

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Discovery

Process Discovery

T1424

Software Discovery

T1418

Security Software Discovery

T1418.001

System Information Discovery

T1426

System Network Configuration Discovery

T1422

System Network Connections Discovery

T1421

Lateral Movement

Collection

Stored Application Data

T1409

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/com.xicq.fcyk.qhqr/app_mjf/ddz.jar

Filesize
105KB

MD5
7f1e0fe2e6a0618b6c84d48ea0586b6d

SHA1
dea54fa91f9f431b85e8c4048244a1c3c4b16665

SHA256
4225d0ce3922e9bfd5828c3507b26226b8f08f3b03d8fcf594dbf36835a9519e

SHA512
7a9e77b9ee66c7cc5d406389c8dd4f344b02c8449cfcd581586d16ce895ed0fa77f6fc8c767c32b92e75863d8133422b4ed3057f54999c3fef031146602e5df6

Download Submit
/data/user/0/com.xicq.fcyk.qhqr/app_mjf/dz.jar

Filesize
249KB

MD5
789a4162427149dd5e519f917ead0e29

SHA1
d2bd738c28ec21c0441c6daaefc206a6a76f8e1c

SHA256
830643d652f95c85fa7665c202f93822b08f106cfeae9202a8a7d894292a36c0

SHA512
b6a8d5c20792cea1035a7f7684bc03b3f184a0bbba3f5c322b26cc75fd50002e749882d6ac6177a93115ce93b1b3d4721f4449d2007ad700e0633a11579f7e37

Download Submit
/data/user/0/com.xicq.fcyk.qhqr/app_mjf/tdz.jar

Filesize
105KB

MD5
fc1eb8c18ddc0f8727b5fb5eba8ca870

SHA1
af6d64fe2432bece4c523066a57f35be8f175a48

SHA256
7f4e38a3ac4fae5a400648d200d8b9897dc28606722dba44c43e5582182e5fe9

SHA512
25e5c0eafb925a6b3c6d9f8622b95d07fd8e63be2689859733b10ed65fa7f7e56e5453da64d9bd7bd7c3345f6c1a90a5dd34de9b0788f4ba080689758d5d4e66

Download Submit
/data/user/0/com.xicq.fcyk.qhqr/databases/lezzd

Filesize
28KB

MD5
fdb8a92e5060ce104e8f0faca55a47ce

SHA1
270d7ca30673e18cec1d2b9add71cba96dc426fe

SHA256
194b40a3911f23ea75c8f4543a13c1236ae15b02c0228a080615a1012f60e05a

SHA512
ad962634ddd027403b5677a9ca979763071ef4a9b6f0127b0c1fd4b3a8bc51f5c4fa71245c301d0dbbf60e18953a94621715ce3ca4addef82b18030e3d718122

Download Submit
/data/user/0/com.xicq.fcyk.qhqr/databases/lezzd-journal

Filesize
8KB

MD5
50545f0001d28faf9d11039db624ae0f

SHA1
e9a2b563898e182ec43f41ba1a79518245f71b48

SHA256
05a5ee0d960af921bddc001463c81ebcaaf532359c58c3da1e56bff240ae6037

SHA512
0102ac6fb545f4511215bc0e1ae68baeff04f582e3a9db6daebd3b5ce3661c835306df2d35e875651bb96aa5c3c49b8f34cd67340aa590f6185827d60fdf6b5e

Download Submit
/data/user/0/com.xicq.fcyk.qhqr/databases/lezzd-journal

Filesize
8KB

MD5
4978a1aa9171b270135ebc7ecb9e583b

SHA1
26599128e36e6754a31e450b0445bec3bfbc988b

SHA256
1a2f580b10dd43d53a73630725abb6f871e6f52ccb39e97d54d23043b4388884

SHA512
d889e2cc3ed007224d5206b240e1586a81674118b085e80df3799d53aeabb74b280a2451cd1acdf887bd18a9ef5c86bc23b7f5cf506055d05154378a7fc1767a

Download Submit
/data/user/0/com.xicq.fcyk.qhqr/databases/lezzd-journal

Filesize
8KB

MD5
01dd1220fd165d7b50c682c1f08e00b7

SHA1
ef59b8fac2bca12d55e4ab208296be385f521260

SHA256
d5b0f2277d20ca5979f0ea7eab16c2873e086b698d87209ee3bc82420b169784

SHA512
a87bcdf24a159e0cecdc9fd91899c1b785bfa1473554d1c841922d5f4cf99a8a4aaeaeaac99bd360b8c8734b2e29b8818f04f2810b22f33aace429a77ad55cf3

Download Submit
/data/user/0/com.xicq.fcyk.qhqr/databases/lezzd-journal

Filesize
512B

MD5
908c868159079a51d4034b3e8b526d70

SHA1
4ecd2dc35c48f7f55650e8e89d54eb197e598009

SHA256
9dde5a51b4c177bef7f58829b84ea7525e2cd7132b93beea18e04e3f144da1b2

SHA512
f2582e1a910dff0adb51ecd74dc6c0fc41d216763ca69ec68b9b86e35198dc6b3415e4410ac5d2eb85c6a4d442ab233af71293b102bbdc579965a82821eb4752

Download Submit
/data/user/0/com.xicq.fcyk.qhqr/databases/lezzd-journal

Filesize
8KB

MD5
88454a105b3b85495e5183a7c4c2d15e

SHA1
64dd1652736eb0f18bad98091639c52261d0f45f

SHA256
8bc0b461f7679535e4a7c06d9f03fbe44941fcedbfd92fa2827be45aaf6e3476

SHA512
757a9b7b4c66d592fbb9c249fc277ca47d141b1084a4ac8a9c4cee0f5bd712051c595e55b76b86de9c77974b18b676d0a6e789bdf96d87c5b0976737fdb225a2

Download Submit
/data/user/0/com.xicq.fcyk.qhqr/databases/lezzd-journal

Filesize
4KB

MD5
c5613f310fd6482bd139f9e6cf12cc66

SHA1
b0755ce81b82d974cc8b8dbfbcdf5fef0a3b71f0

SHA256
05d401e19f51ee0fe45258d60ba5ec45e0f774b366b11fb4c18fa6bbf142be87

SHA512
54b2c664be1c8332393ae2715a06b1bd23da6e541277ed27c04ece18cb7765431b670aeff6d6a0152f9d13bebeb2ff35d581f065d569d3d9db57a1e00f82ee4b

Download Submit
/data/user/0/com.xicq.fcyk.qhqr/files/.um/um_cache_1732576122987.env

Filesize
651B

MD5
b1628ad2b86472e8b9e536d38b09d75e

SHA1
a7dfa1141090b5b2d12f2ef3b987e0c8311dd008

SHA256
7af8babb3385b0660ca19f78b9de0ac50feb93201d6155fecd4e526ce0fca218

SHA512
087d3c532a6afa3edf54c4aa23ee0ee418cb89c327078f5711b0fc80a16b94bd627310ad6b10526f4eb3f1598cbb3b1c4ada6903c6bc8f59692c7ba72bb59013

Download Submit
/data/user/0/com.xicq.fcyk.qhqr/files/.umeng/exchangeIdentity.json

Filesize
162B

MD5
e9c749a6c3d8e0e72e1d63f813deaf3f

SHA1
e184f6befe3afdfd3f35a42207e2391305a379a2

SHA256
ded28859e2d44f47ad134d7d8eb9ff492e8c983be422ce4b82992f14de64f7d6

SHA512
76f7a413cefcb45afc1ea441b6e30119927edc9faa1a399609de1ea802aa4238c7560b076fbab8b8a2f2cb8e820da3adb4366efcee2c9c655fbdcc0f2510cfb5

Download Submit
/data/user/0/com.xicq.fcyk.qhqr/files/mobclick_agent_cached_com.xicq.fcyk.qhqr1

Filesize
806B

MD5
6cbf6ed92766fef0a72d317d6fcdf2bc

SHA1
e1f5d33c61ed416a7a97ca1ec8a5ef968207c228

SHA256
3aa7361c122fb1c22505ec58ff238250334c68f9c7f9ccf80024136d359350d5

SHA512
068552b4ccd49f638920acbe2811b982fe37ca87e081307edbed40395f05a6244a014200538fd49b585f1c386a7b26ddb69af31c773fbd5d90bd6ea7b53b2764

Download Submit
/data/user/0/com.xicq.fcyk.qhqr/files/umeng_it.cache

Filesize
352B

MD5
743c84f4f96d33632e5f3e79929c09e0

SHA1
a30b1f916ffd1050921d7a61bb2ccebfb56efb82

SHA256
7ed05f8d334aba748a1f2100723e49ba4398c68a4fdb851b6dcf7e409aa71912

SHA512
3fa463bb87dbc4972e0b0900f13fea1651ec98dfb22991b1d148ebbffc906da426ea34520a2c4f15ab67495c1cd56cc766ea4549687dde8c2386572251cd46ea

Download Submit