37a8186b50f7e71555de54e98165a875a579f92576aecfa56248bc9de211f0ef

Analysis

max time kernel
149s
max time network
154s
platform
android_x64
resource
android-x64-20240624-en
resource tags

androidarch:x64arch:x86image:android-x64-20240624-enlocale:en-usos:android-10-x64system
submitted
25-11-2024 23:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9e762a41028d829e98b147544802a819_JaffaCakes118.apk
Size

636KB
MD5

9e762a41028d829e98b147544802a819
SHA1

9d04ffa1a13abf7c3f8bd5cf1935ba3ad759a04a
SHA256

37a8186b50f7e71555de54e98165a875a579f92576aecfa56248bc9de211f0ef
SHA512

d5fa7dad349ca70487c84d7fd279ca9579e74508325726db7fa70fa18fc92de06c48dcfa97fd2fd8eacca20a579c5116721328a280f9c74351812c99f304c122
SSDEEP

12288:d4L4oQI8Y0FotaKIUtrbMmDS3FAGxLoi96kUjGLutzeFxvMol94vvQe6ERylTIY:JoL0otaYtXMBVAGxLoU6kVLm2hMkiydJ

Score

8^/10

banker collection discovery evasion persistence stealth trojan

Malware Config

Signatures

Removes its main activity from the application launcher 1 TTPs 1 IoCs
stealth trojan evasion

Suppress Application Icon
T1628.001

Processes:

com.csqo.qsfk.kadi

pid process

5052 com.csqo.qsfk.kadi

pid	process
5052	com.csqo.qsfk.kadi

Loads dropped Dex/Jar 1 TTPs 2 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

Processes:

com.csqo.qsfk.kadicom.csqo.qsfk.kadi:daemon

ioc	pid	process
/data/user/0/com.csqo.qsfk.kadi/app_mjf/dz.jar	5052	com.csqo.qsfk.kadi
/data/user/0/com.csqo.qsfk.kadi/app_mjf/dz.jar	5114	com.csqo.qsfk.kadi:daemon

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Queries account information for other applications stored on the device 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect account information stored on the device.
collection

Stored Application Data
T1409

Processes:

com.csqo.qsfk.kadi

description ioc process

Framework service call android.accounts.IAccountManager.getAccountsAsUser com.csqo.qsfk.kadi
Queries information about running processes on the device 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about running processes on the device.
discovery

Process Discovery
T1424

Processes:

com.csqo.qsfk.kadi

description ioc process

Framework service call android.app.IActivityManager.getRunningAppProcesses com.csqo.qsfk.kadi
Domain associated with commercial stalkerware software, includes indicators from echap.eu.org 3 IoCs

Processes:

flow ioc

9 alog.umeng.com
37 alog.umeng.com
49 alog.umeng.com
Queries information about active data network 1 TTPs 1 IoCs
discovery

System Network Connections Discovery
T1421

Processes:

com.csqo.qsfk.kadi

description ioc process

Framework service call android.net.IConnectivityManager.getActiveNetworkInfo com.csqo.qsfk.kadi
Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
discovery

System Network Connections Discovery
T1421

Processes:

com.csqo.qsfk.kadi

description ioc process

Framework service call android.net.wifi.IWifiManager.getConnectionInfo com.csqo.qsfk.kadi
Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
discovery

System Network Configuration Discovery
T1422
Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
persistence

Broadcast Receivers
T1624.001

Processes:

com.csqo.qsfk.kadi

description ioc process

Framework service call android.app.IActivityManager.registerReceiver com.csqo.qsfk.kadi
Checks CPU information 2 TTPs 1 IoCs

System Checks
T1633.001

System Information Discovery
T1426

Processes:

com.csqo.qsfk.kadi

description ioc process

File opened for read /proc/cpuinfo com.csqo.qsfk.kadi

description	ioc	process
Framework service call	android.accounts.IAccountManager.getAccountsAsUser	com.csqo.qsfk.kadi

description	ioc	process
Framework service call	android.app.IActivityManager.getRunningAppProcesses	com.csqo.qsfk.kadi

flow	ioc
9	alog.umeng.com
37	alog.umeng.com
49	alog.umeng.com

description	ioc	process
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.csqo.qsfk.kadi

description	ioc	process
Framework service call	android.net.wifi.IWifiManager.getConnectionInfo	com.csqo.qsfk.kadi

description	ioc	process
Framework service call	android.app.IActivityManager.registerReceiver	com.csqo.qsfk.kadi

description	ioc	process
File opened for read	/proc/cpuinfo	com.csqo.qsfk.kadi

com.csqo.qsfk.kadi
1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Queries account information for other applications stored on the device
- Queries information about running processes on the device
- Queries information about active data network
- Queries information about the current Wi-Fi connection
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Checks CPU information
PID:5052

com.csqo.qsfk.kadi:daemon
1⤵
- Loads dropped Dex/Jar
PID:5114

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Hide Artifacts

T1628

Suppress Application Icon

T1628.001

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Discovery

Process Discovery

T1424

Software Discovery

T1418

Security Software Discovery

T1418.001

System Information Discovery

T1426

System Network Configuration Discovery

T1422

System Network Connections Discovery

T1421

Lateral Movement

Collection

Stored Application Data

T1409

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.csqo.qsfk.kadi/app_mjf/ddz.jar

Filesize
105KB

MD5
23ba0b249042b7ba33e92c0199b0ea4a

SHA1
99b13ee9f7307316c2337953fceed87e9942b794

SHA256
1ed0751a141b17c80a921f5e8ba90c66a56b8e73156f5cbe133b57d550ca4ef2

SHA512
0cc88e2b7c2ffa4db274d690e3bf12098ec804b9fcd9e92b57d2fa0c4161031d2e84c91d86ba8e2b6e8b4837852defa099333f76bcd454c67b31632d0cdd4861

Download Submit
/data/data/com.csqo.qsfk.kadi/app_mjf/oat/dz.jar.cur.prof

Filesize
730B

MD5
9df34a73e06042ef84544649758bf854

SHA1
e58d26f0606209a99588cc077295a4eaab08aa6e

SHA256
4d89a342d9a57e9257f97364c431260de38583fdb7794f0de3da5dcafc01ab14

SHA512
4d5ecf8e821e03f175be5ae3a4870119050f5abc0c02d61d3d88eaf038327c85677854982e77ced68d3fdd203acb2cb5e0b7ed6735a2c3277000bdcfd3610851

Download Submit
/data/data/com.csqo.qsfk.kadi/app_mjf/tdz.jar

Filesize
105KB

MD5
293ea5f01e27975bed5179ba79d80eac

SHA1
c5b0806a537fd1cb753e11f1a9684933317716b8

SHA256
8d86de68978e859c8262c0d0e932d3a1d57457b57ce88940620befab1bcead5b

SHA512
c7cd2881367fdf95ec4151449b359decdae1adf136388edbaaa9880c7ebd14fb3579e7a15600a856988c55d207f7ba1fd7d938f4d9168aba8a7ff1c3029d6b53

Download Submit
/data/data/com.csqo.qsfk.kadi/databases/lezzd

Filesize
28KB

MD5
dae68dcffc3d522a79f98ebbc3b6d457

SHA1
6df5dce9a50f12044a2d20b8d1742ae47b82ee03

SHA256
56cf91ca198812e0ef9ba4af0e96c08a32e24c917bcf2250bdebdfd7fd6f5286

SHA512
23b76f988399e9c9e4f5a7e8d19ecb765abdb115b0beee35f8ca9d221bbc5ee79f0152fac4261cc91eb9e7f874b5c6e9bff2dbb1812d31412d506cf83c16adcd

Download Submit
/data/data/com.csqo.qsfk.kadi/databases/lezzd-journal

Filesize
8KB

MD5
1ee8710a6a59c7b028c809a9f8a3769c

SHA1
10f8a89c0f4fc8d03ae906ce71158ad2cd2b371b

SHA256
0292439ad03da765d8fe67a80271af5ab0f8bee1cc13205816b065cfb0644430

SHA512
52c790cfbced6809947470b6919c0040e553f2fa93ba5eb22e0046d2985ffa2f64d3188a910650684134c397331644c498bd4eb3a5cb4cd8b94154ea49211882

Download Submit
/data/data/com.csqo.qsfk.kadi/databases/lezzd-journal

Filesize
8KB

MD5
976959087b3110b33e5b6c5087f6c679

SHA1
81f3c7db0173ec8f2a54af263bbdda93d1bf7c2d

SHA256
c6b654a1ff948f3ae4173312552f9b68b86151749a410a2ef0a866b97dd4ccac

SHA512
39bd79505652e08961e2b2cbf1db4e3dfd600a3662f24d4e6c22e4cdd4bfa3572fc6d4c6abcee0325aef2f7242523afa883623d5fb2100390a21e539fe2872e8

Download Submit
/data/data/com.csqo.qsfk.kadi/databases/lezzd-journal

Filesize
8KB

MD5
b6c81a576b80aa16cd3225a653cae896

SHA1
dd4042ba7b7003e63de32fe16227a2ee70b2a1c2

SHA256
2b73af3deed7d0b685fdcf72bab4112a2d31c2a78a0aeb7c3a75d06f24d19f9d

SHA512
f524a38effaef372d1dc019e7548308da5af832216937e7866fea856cc40533b32325e52183db2ef06804a9b4b7383741af3cfed6716ff064512a4aec4237e5a

Download Submit
/data/data/com.csqo.qsfk.kadi/databases/lezzd-journal

Filesize
512B

MD5
b2cdf0e480e8cf71d0e8d3ad9411fdf7

SHA1
4365f9a6b3e9b129d2e5071b936e97a8e9107f34

SHA256
16dc0826a8cbd75967bc96a8d218dbf0b0ac479d9da04602e4a15d6dddfe53d8

SHA512
3ab9edc4978f226174d2e3d04410d4c0285b2c0a14ded536d8ca3a320862c99fab1e927101fd6ea3d4a9b816d7f8b42c13aa9ed40e6b948bc311800dc78b48cd

Download Submit
/data/data/com.csqo.qsfk.kadi/databases/lezzd-journal

Filesize
8KB

MD5
a4d60c91dfd5c50870618f2bb4f33c8b

SHA1
c7566ded372b40356bc5fc1a946088c86f7703a9

SHA256
4bb86c1269266f956f932618b76d54b768953cb2b7b488ba47306f420a47d6ef

SHA512
f9545785b7f9c7d19f7a85366babbad2670fe0e64cb1a9a3bfb7e6303f3977b6017cc18f1ba7482a6d75b0f67a5ffa8a5c8f54b33658fb0a5965011f669093fc

Download Submit
/data/data/com.csqo.qsfk.kadi/databases/lezzd-journal

Filesize
4KB

MD5
73c2b1a626c570192578bdce4493b0a6

SHA1
6f99adb1c3b142874cf36a3b52fdd472f57376ea

SHA256
7c9dc447a7c241a988fb5ac2344b350ab2dcd637dfacf3fab21c7a18ce6f4e58

SHA512
08edc6bc52c82b63b99cc2bc30b901d3993f5107a48c23ba24140e6d1344819aa0757f32c213ee7e238cb13f5afe07ccac05808cca041e9ccf0546a66dc1d156

Download Submit
/data/data/com.csqo.qsfk.kadi/files/.um/um_cache_1732576436446.env

Filesize
659B

MD5
c7e967086420fdf7bd88b71ae6bbe2bf

SHA1
16ff44cc60e85369dacfd10cd1e05331fba3cb71

SHA256
7548a8f5fc14d98ab2777465333cae1862747b52cf989329e69dd06656d0550f

SHA512
7892e5ed95b7a17d28ee53ac404b755b8c4d818c2700e29759d49abc85ee58f3e23c3ae8aadb5074dc6ac91dfbde1ce151335fe8e2d02807e0b238d5419db9fe

Download Submit
/data/data/com.csqo.qsfk.kadi/files/.umeng/exchangeIdentity.json

Filesize
162B

MD5
0b04e0b1323962b56f60c4b5a2c8e21f

SHA1
170a361d84002a495e3a13b980c3d2e1a4f753b4

SHA256
128129a1f66aa4bbc7f5578ab5ad8772b507a14e7cd06d1305b82efe87c55ac1

SHA512
d34874af70be48c87e8f4829c90bb06b94660c3a2aef051dd16fc21e9b55b5ea1472cfd88fd60fee62e3a8365f6edc219db5d8fa8d13932c188c9f0be4a043f2

Download Submit
/data/data/com.csqo.qsfk.kadi/files/mobclick_agent_cached_com.csqo.qsfk.kadi1

Filesize
803B

MD5
770ff2c551eca3e6dc011ce91b4fc15f

SHA1
e91ac14a22262015dc63542dd8795e4b54318606

SHA256
5fa85b457dfbbe94972a4cdd5ef1bcf16bfbd087154446d23bfe833fb8e8069c

SHA512
f98d2b4d9e554b8e985fefaa02c3dd2469e439d0b32d2f9b6700163dd8e76a87e616297c76e4926747fbef911b9566bbb07bccedaf31353aae83be952b223e9a

Download Submit
/data/data/com.csqo.qsfk.kadi/files/umeng_it.cache

Filesize
350B

MD5
6d8bb5b32b05705f528af4f0cc283e5e

SHA1
d4fecb6831a0930e94c4dfff5148c8d5e52395a4

SHA256
2e16b6c2e2f22434d6613aca4d6b370997446f4832c2234bf45ae6849c6dc6f6

SHA512
e62b986960faf421065ee67e1528565013d969a431235ee4f66d3848958edb1f304719b1065a8440365f832826c64f9bf5d0cdd2941bb2e56bee7cfee68a4bcc

Download Submit
/data/user/0/com.csqo.qsfk.kadi/app_mjf/dz.jar

Filesize
248KB

MD5
a54a18b58c6720991c021f433dfb2a46

SHA1
d2ffa07919f92b6e04914e39843f08fdb2a75b68

SHA256
3dd88e4418bd4271af728fc6436c873a55e6b6f5c8ed241ee2cb0ee24fe3f7f3

SHA512
e4a51b2462b247b1e5fbd947d06a2eba334f18398daadacbabcb4185f4255f05c22d656a8837a6088ffbdcaedfbdfbd8281c5dad4880c4e5021571e3fefc88cc

Download Submit