28f78c1e87a6686ecbdcccbcb8750850ea3b603519d63876649406b635b0ccd8

Analysis

max time kernel
44s
max time network
128s
platform
android_x86
resource
android-x86-arm-20240624-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20240624-enlocale:en-usos:android-9-x86system
submitted
29-11-2024 11:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b0d7e7a8b5a7791684459011ca8eaa21_JaffaCakes118.apk
Size

16.4MB
MD5

b0d7e7a8b5a7791684459011ca8eaa21
SHA1

d7b65655e95e9d4d71bbaf7e4582b5411566dfce
SHA256

28f78c1e87a6686ecbdcccbcb8750850ea3b603519d63876649406b635b0ccd8
SHA512

8ef3e496b798faddb0cb912f70db46fbb5137f1fd2e333c80eb79395f842b52e897ea6e5c3223576a7226e5e759eddd24d0d831cdb69799f42ef661ea000ecca
SSDEEP

393216:QMC3VPprgzN+9cHfksDzrLuGlcsgSHaXw2HaX9MZu7Z9+:Q399EUmHhD3L6sh+Z+t+

Score

7^/10

collection discovery evasion impact persistence

Malware Config

Signatures

Queries information about running processes on the device 1 TTPs 4 IoCs

Application may abuse the framework's APIs to collect information about running processes on the device.

discovery

Process Discovery

T1424

Processes:

com.quicklyask.activitycom.quicklyask.activity:ipcio.rong.pushcom.quicklyask.activity:remote

description	ioc	Process
Framework service call	android.app.IActivityManager.getRunningAppProcesses	com.quicklyask.activity
Framework service call	android.app.IActivityManager.getRunningAppProcesses	com.quicklyask.activity:ipc
Framework service call	android.app.IActivityManager.getRunningAppProcesses	io.rong.push
Framework service call	android.app.IActivityManager.getRunningAppProcesses	com.quicklyask.activity:remote

Queries information about the current nearby Wi-Fi networks 1 TTPs 2 IoCs

Application may abuse the framework's APIs to collect information about the current nearby Wi-Fi networks.

discovery

System Network Connections Discovery

T1421

Processes:

com.quicklyask.activitycom.quicklyask.activity:remote

description	ioc	Process
Framework service call	android.net.wifi.IWifiManager.getScanResults	com.quicklyask.activity
Framework service call	android.net.wifi.IWifiManager.getScanResults	com.quicklyask.activity:remote

Requests cell location 2 TTPs 2 IoCs

Uses Android APIs to to get current cell location.

collection discovery evasion

Location Tracking

T1430

Geofencing

T1627.001

Processes:

com.quicklyask.activitycom.quicklyask.activity:remote

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getCellLocation	com.quicklyask.activity
Framework service call	com.android.internal.telephony.ITelephony.getAllCellInfo	com.quicklyask.activity:remote

Acquires the wake lock 2 IoCs

Processes:

com.quicklyask.activityio.rong.push

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.quicklyask.activity
Framework service call	android.os.IPowerManager.acquireWakeLock	io.rong.push

Queries information about active data network 1 TTPs 4 IoCs

discovery

System Network Connections Discovery

T1421

Processes:

com.quicklyask.activityio.rong.pushcom.quicklyask.activity:ipccom.quicklyask.activity:remote

description	ioc	Process
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.quicklyask.activity
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	io.rong.push
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.quicklyask.activity:ipc
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.quicklyask.activity:remote

Queries information about the current Wi-Fi connection 1 TTPs 2 IoCs

Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

discovery

System Network Connections Discovery

T1421

Processes:

com.quicklyask.activitycom.quicklyask.activity:remote

description	ioc	Process
Framework service call	android.net.wifi.IWifiManager.getConnectionInfo	com.quicklyask.activity
Framework service call	android.net.wifi.IWifiManager.getConnectionInfo	com.quicklyask.activity:remote

Queries the mobile country code (MCC) 1 TTPs 4 IoCs

discovery

System Network Configuration Discovery

T1422

Processes:

com.quicklyask.activitycom.quicklyask.activity:ipcio.rong.pushcom.quicklyask.activity:remote

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.quicklyask.activity
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.quicklyask.activity:ipc
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	io.rong.push
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.quicklyask.activity:remote

Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 4 IoCs

persistence

Broadcast Receivers

T1624.001

Processes:

com.quicklyask.activitycom.quicklyask.activity:ipcio.rong.pushcom.quicklyask.activity:remote

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	com.quicklyask.activity
Framework service call	android.app.IActivityManager.registerReceiver	com.quicklyask.activity:ipc
Framework service call	android.app.IActivityManager.registerReceiver	io.rong.push
Framework service call	android.app.IActivityManager.registerReceiver	com.quicklyask.activity:remote

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

Processes:

com.quicklyask.activity

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.quicklyask.activity

Checks memory information 2 TTPs 4 IoCs

System Checks

T1633.001

System Information Discovery

T1426

Processes:

com.quicklyask.activitycom.quicklyask.activity:ipcio.rong.pushcom.quicklyask.activity:remote

description	ioc	Process
File opened for read	/proc/meminfo	com.quicklyask.activity
File opened for read	/proc/meminfo	com.quicklyask.activity:ipc
File opened for read	/proc/meminfo	io.rong.push
File opened for read	/proc/meminfo	com.quicklyask.activity:remote

com.quicklyask.activity
1⤵
- Queries information about running processes on the device
- Queries information about the current nearby Wi-Fi networks
- Requests cell location
- Acquires the wake lock
- Queries information about active data network
- Queries information about the current Wi-Fi connection
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
- Checks memory information
PID:4241

com.quicklyask.activity:ipc
1⤵
- Queries information about running processes on the device
- Queries information about active data network
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Checks memory information
PID:4269

io.rong.push
1⤵
- Queries information about running processes on the device
- Acquires the wake lock
- Queries information about active data network
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Checks memory information
PID:4289

com.quicklyask.activity:remote
1⤵
- Queries information about running processes on the device
- Queries information about the current nearby Wi-Fi networks
- Requests cell location
- Queries information about active data network
- Queries information about the current Wi-Fi connection
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Checks memory information
PID:4448

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Privilege Escalation

Defense Evasion

Execution Guardrails

T1627

Geofencing

T1627.001

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Discovery

Location Tracking

T1430

Process Discovery

T1424

System Information Discovery

T1426

System Network Configuration Discovery

T1422

System Network Connections Discovery

T1421

Lateral Movement

Collection

Location Tracking

T1430

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.quicklyask.activity/databases/mechat.db

Filesize
32KB

MD5
7c9268af167a354ee53cbbb88d4f890d

SHA1
1f50f72e1440b1e808cd042f074c531af9c8dbc0

SHA256
f9e3eea7d7a6552413a98848beab4626f818fa32cc999d2c603ad54cf5cefd21

SHA512
38d2efc24ed7c9a8941221b1b510730393e36d3c85d86fed3c2ad8d79f914f112870fea34054171f570697020bbbfdfb6979b106745642b9343a59306738f07b

Download Submit
/data/data/com.quicklyask.activity/databases/mechat.db

Filesize
28KB

MD5
0d3e99204c6401ea499fe9e6d9855497

SHA1
09829f00ca458eab7374d5079393a2cd69a2348a

SHA256
63ad014cb50908591939d6a1536f85eece807425af4f4e8a1f9b9eeab13cc5ca

SHA512
8d9a50aa9abd17e508ed3ac35a3033e8f9e550d1088baa951f53e6c4697c5ac026d22b90e36e27341d64baa3f0202bd89ca97583e99feb25f8c26b5776c59c68

Download Submit
/data/data/com.quicklyask.activity/databases/mechat.db-journal

Filesize
52KB

MD5
d12c2f780b828b595c8b003e9ec58444

SHA1
68a81c496450b9a1b45cdc9e0cc725e71791f898

SHA256
6b21acbe6f4e6d283320b3a4332310fc2040c5e8748f1cad7159745cdd4eeb76

SHA512
095918a885a86d127e646f12b60a747f5b5ee1dabc67897e125bb6cb1bd1269beda5c04401894a768af0b0831daa3ce12fc241452767b78151808e56fdca5f21

Download Submit
/data/data/com.quicklyask.activity/databases/mechat.db-wal

Filesize
12KB

MD5
b4491c307cb08a9093f922586f7b710f

SHA1
94c95e7c876c29921d671fadd787abf1c5ca8596

SHA256
013696519bb46855d6381b5c30bb34bef2a75e072ebae913e0f9439ce0b4ebe2

SHA512
6cfce7567d730556e30f88787022b5f5bbf0aa2d059b77cc515c2ec095a97b988460a3eab6c45ef21cbdcf3847d24e5bfda5ba6b57c59831e2b0d293f43d6e76

Download Submit
/data/data/com.quicklyask.activity/databases/mechat.db-wal

Filesize
48KB

MD5
d768b0fe346c91f43544697160fa15a3

SHA1
4544cbe1ed53c4f5c56b7a57426914f2aded2e22

SHA256
e4522832f44942cfea9bdcd09937211a8bb9193fc5f7560bc3ce4ad36f30b2d7

SHA512
139b795926a9fdfe560789f405f08f5bc2c560f201867927193524b56bcc26b890966b9bd887ac343a659db015610184ab769c841777f448a538e13280849810

Download Submit
/data/data/com.quicklyask.activity/databases/rong_version.db-journal

Filesize
512B

MD5
76056347e84c4057a3552520a1d27bd3

SHA1
fc9e83e52908e0aef10e78c809121592b488a846

SHA256
6f834a4ef9b9303a81ff326be1d579c5d1b0538ec1cb3152d95c6aa4eb1f8bb0

SHA512
b059d60de7b45d139534778d9b73f07ec7dadbd2076e45f34739f66586c2c682ac57749fa89f1c3833f0066f8b8b0bffb2896cb7e9b5d3c96a23ccdde2133009

Download Submit
/data/data/com.quicklyask.activity/databases/rong_version.db-shm

Filesize
32KB

MD5
bb7df04e1b0a2570657527a7e108ae23

SHA1
5188431849b4613152fd7bdba6a3ff0a4fd6424b

SHA256
c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

SHA512
768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Download Submit
/data/data/com.quicklyask.activity/files/lldt/firll.dat

Filesize
76B

MD5
37502e309a3a2cb054d9e1b63e91bc60

SHA1
4d342a7ac5599191b42af2de1bd66068e9f6934c

SHA256
6aa9fe8ec874f34756b0c0f0b437ef00e3feb1e2afec1e3be47b0da05dea7ad9

SHA512
7ac6a011321b87bf2491e0eaed8ccef95d574d8b9ca24f892daf0b6facc73115a4981e777501e67c783f61adcc053d4a1002c46928732b891d78f67d456c17d3

Download Submit
/data/data/com.quicklyask.activity/files/ofld/ofl.config

Filesize
235B

MD5
3315611c861b68105e799ea7c373ed37

SHA1
522e10ba7c8a3c33bc14cdef5ab65593d9663e9e

SHA256
4c2a04ba08df06cd4d8cb3b5796206d3620e94d24f7f9957b9568d7ae39415a3

SHA512
26c32b2ff5aac35f79fa4105bbb0f7529201829321f99d20345a7c5cdb2dc3142ef55800a762c6ed1617378d9c5cd663d5b9902471118dab7c17d6ded4c41849

Download Submit
/data/data/com.quicklyask.activity/files/ofld/ofl_location.db-wal

Filesize
48KB

MD5
482a7fe3fe6d2e2031846a013aea43ae

SHA1
9c27805d6be55e0678c8f5467282d77bbdfe4f6d

SHA256
69d17f6b7027b8392ac2b6968c9fc9fb0cd5505022e680061b44743612cb675f

SHA512
1c1e64f783aeb74b2363770b148813477852accec74673ed90d109d8b9b2497f4e796c1271c44d23d1fdf53cc749c7500037c4ddaf338feef68966bf2ca552b8

Download Submit
/data/data/com.quicklyask.activity/files/ofld/ofl_statistics.db

Filesize
4KB

MD5
f2b4b0190b9f384ca885f0c8c9b14700

SHA1
934ff2646757b5b6e7f20f6a0aa76c7f995d9361

SHA256
0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

SHA512
ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

Download Submit
/data/data/com.quicklyask.activity/files/ofld/ofl_statistics.db-journal

Filesize
512B

MD5
08a71850d358709b7957ce8f1020a130

SHA1
f612579e9b79342ae22740686037cc82366a1cb7

SHA256
b23585ef33736a1dfce3b4d65d50efda746518c7cc2922044b45deb745ae5c3a

SHA512
7e1008ffb03b5f965be1589c4c0635a82985d326fb186962db09f0ef41067ef4b070b5a7814963c27bd31c8ef60d8bdc58cade2ad7fb70ae2bd48fbf0fc45ec8

Download Submit
/data/data/com.quicklyask.activity/files/ofld/ofl_statistics.db-wal

Filesize
156KB

MD5
9845161a267b6b4f873b76219a6660c0

SHA1
5c8c67e54eee55af41fca45289185b1e819403ff

SHA256
43c5b2d3f6c0fc8ac4414ad3a1fb62471c44c9a2b49685a5c40b7f4d04666159

SHA512
4777c706c70ffa14a14e4b8cebb1657efccd5e2591b8644a0601dd1d2dbd0738be5c24e13a800aa801e2c6f8a02e7dda1d1157778a6c4b8f7607e1aa7d5f4a7c

Download Submit
/storage/emulated/0/Android/data/com.quicklyask.activity/cache/kit/journal.tmp

Filesize
28KB

MD5
f76191c3ef8586ceadac44ef3183a907

SHA1
f8b16ebcb04d3e4cd9cb31c92a2c45c03ff53c71

SHA256
611c731b1bfa1f71a3fc2630eead272b3074acd552611e74bf68afb715d12c73

SHA512
b0d168dab48958a0eeca121c07612463b87225b1d4091943d1c656225c58da400af72a7ce2182ce75577c51ec0b18ee077addfbbba3e3b956d47fb7ea597bd7d

Download Submit
/storage/emulated/0/Android/data/com.quicklyask.activity/cache/xBitmapCache/journal.tmp

Filesize
56KB

MD5
24072dca00b6c3691b32ef385378daef

SHA1
9209496b99deb8df09c2cb97ad738449363a87a6

SHA256
84edcf613d3271a4bcb23a84fdf7eb361982f42fbbe32dabed4860f950aa09c0

SHA512
6be2079744e563a93ca87ba4bce11c97ff7a2f840aa7bd100646beb30704999afe6ec0faf819bc868c69cdb7222bbdbf509206762729e602706ec01275e3ed43

Download Submit
/storage/emulated/0/Android/data/com.quicklyask.activity/files/baidu/tempdata/conlts.dat

Filesize
12B

MD5
8d80bc8ea90e9cac010d3ddf97bda5f5

SHA1
f063bc0d356e6ba9ab1eb9a851131ffbefd8fa07

SHA256
f52db31332534833414abd5e870f78c810b8ebbe5b134bbf599506beecfd1b93

SHA512
9ea732dd572a9a4ba91b70891972230a09576687ca1bc19e62d5a98b5b84e0f2ae11985108008bc9fbccf357219b8bd3dbf146bb70752f618f70dc5d0c46a7c7

Download Submit
/storage/emulated/0/Android/data/com.quicklyask.activity/files/baidu/tempdata/conlts.dat

Filesize
160B

MD5
6960398256d3f97cb44516997ae92c43

SHA1
f2988bb863079d3c7c9e05b4ac9dc8dcbf17c57d

SHA256
f36dd64808bdee74fb11b854b12f4d5cc341f5426353e1c2edb5b50372eecf50

SHA512
b199050710a2dae1a8dee3880da57def3a0beb09d013a79d5f588ea5ac4c357b1775da88208e72ab480e13567879d92d3926f926624b73132599f5c824a97d05

Download Submit
/storage/emulated/0/Android/data/com.quicklyask.activity/files/baidu/tempdata/llg.dat

Filesize
24B

MD5
161557b06b4a4d3ce095528dea370eb7

SHA1
8bfe9c4d916fe58d856b5a6ecaf8cd9ea4df2c9f

SHA256
f054ef19481234ee5b2db1d1c681839dab235a857ed3a4bc02efa8f785f478d4

SHA512
96ce8aedbdbb387438efc86aaabd13a6378628bfae203d2bc25ea1cd7daa6ddbd6dd2c81d631fbdc9b653a93011d3c80f0c085580275b683d5e0bce077e6e449

Download Submit
/storage/emulated/0/Android/data/com.quicklyask.activity/files/baidu/tempdata/llg.dat

Filesize
446B

MD5
589fdc9aaa432bb3b63bce995bb7abd3

SHA1
e66144f31fc84c1e010c6083d281fa25fb1b3300

SHA256
0b343ed74f7fa5b235ad42f3db160c359a1d664d75f2eee4ab5d1399fc4e317f

SHA512
5fbec3e8016c5bee92bfe897b465e3271872041238d8f60c6af2645a8514efb3b7ff1c3cc7f52566b91da6c75f7bcb669e83a575c3a9c5d6fa9c9b86c0ad6d0c

Download Submit
/storage/emulated/0/baidu/.cuid

Filesize
512B

MD5
8f0e6c40c10148bb5338aae27ca45ff4

SHA1
cc6d214556d56084a86d5bee6ac492781cc3032d

SHA256
a2f1ca966dcb4d39ca349baa919bab0d98b62530bf7d69ca0122c4322cf087af

SHA512
5d2fd2066952ff71206573f6db3284d59ed6bd46a832909e1edeed3b7b4b46b8f83a47fa89f426c8bef5a13d627b28a6317392cd40ccfd14707db790738e1bf9

Download Submit
/storage/emulated/0/baidu/tempdata/lcvif.dat

Filesize
96B

MD5
6f87fe2691b69b839b7dbba3a0a8c0e7

SHA1
1a1d01e6f2a3032ee1ac0c19692e57b123dfa808

SHA256
95fe53f9981658873c31f373c5840365c3f7c84fe2dca83ffdfbee8482694347

SHA512
97331d12cbdb90b681ee8a75c85f360d4326a87915c6aea9f347080edf9e439b0c2257e8550cbc9958b2cc7088ed70b3056566c5ec8b516dceb0d3d441648301

Download Submit