Analysis

  • max time kernel
    150s
  • max time network
    140s
  • platform
    android_x86
  • resource
    android-x86-arm-20240221-en
  • resource tags

    android, arch:arm, arch:x86, image:android-x86-arm-20240221-en, locale:en-us, os:android-9-x86, system
  • submitted
    03-04-2024 22:05

General

  • Target

    a7e1a12eb27b3ee2209dffa1a59f58c8_JaffaCakes118.apk

  • Size

    444KB

  • MD5

    a7e1a12eb27b3ee2209dffa1a59f58c8

  • SHA1

    bff82146d55983003e8da6b77a5bd8eee898ed72

  • SHA256

    c92a7d2f90ed8bdc73a7ed3fef7bb98cc86b875a939c2b5d2b01ca6db71f98d8

  • SHA512

    bdbbfbcb8a2744066026f0718bdb961a22f6e86b52cfb9e34368bfc7b95e3f07e4755e860c82f1a743223b82b1743c23ed6693f5ef3553f2955bbe270284f1f2

  • SSDEEP

    12288:tf51spL11E3VShd+qr1svgrruWUwSkOLreoWfT:tf5sJ1iVS/fr1ugryWUwSkOXeoWL

Malware Config

Signatures

  • XLoader payload 2 IoCs
  • XLoader, MoqHao

    An Android banker and info stealer.

  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Reads the content of the MMS message. 1 TTPs 1 IoCs
  • Acquires the wake lock 1 IoCs

Processes

  • dhzzc.bk.he.bsvqqc.fnb
    1⤵
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's foreground persistence service
    • Reads the content of the MMS message.
    • Acquires the wake lock
    PID:4273

Network

MITRE ATT&CK Mobile v15

Downloads

  • /data/data/dhzzc.bk.he.bsvqqc.fnb/files/d

    Filesize

    453KB

    MD5

    d7f0257d31574b862af05971f883fae0

    SHA1

    252b1b03017de80d8fd70907cda39ce2bfadaddc

    SHA256

    765119852dc93c3a5d397cbaa167ac148856dba9773062626ed4aeb9674f860c

    SHA512

    3a53daaa693c0ee6904d737850d490a40035454931cebdbba865cefcd97df58e0c72e2ac33bbd4c1445f5d056193e81f113c0862d93acecbe74a0bcaa362eac5

  • /data/data/dhzzc.bk.he.bsvqqc.fnb/files/oat/d.cur.prof

    Filesize

    795B

    MD5

    0220dab6039fe8249592dfd8f15fda6f

    SHA1

    4040f26bc0928f87c723ea21eca9701af341afe7

    SHA256

    a31326fa3fa904123310e77ce5c42c2e5cca6c56e0fe38aad7b2c51b1a0fdf9a

    SHA512

    fa42f71b08f578725e2574244cff710e4210af3bbcb57cb3015d57e6f739669194c6768019671fd40e86e68fa8f02004ce1362137e18a6c6278e592447f513c5
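The "Loads dropped Dex/Jar" signature and the Downloads section above are the two places an analyst usually wants to connect: the sample writes /data/data/dhzzc.bk.he.bsvqqc.fnb/files/d and then loads it, and ART's oat/d.cur.prof is the profile the runtime writes beside a secondary dex it has loaded, so the second entry is a runtime side-effect rather than a second payload. The script below is an added example, not Triage's tooling or the sample's code: given a copy of a dropped file pulled from the sandbox, it checks whether the bytes are directly loadable (dex/odex/zip magic), estimates entropy (a payload that is still encrypted on disk and only decrypted in memory shows as "unknown" with entropy near 8), and matches the SHA256 against the hashes reported above. The sample dex header and the path names are constructed for the demo.

```python
"""Offline triage of a file dropped by an Android sample.

Added example written against the IoCs in the report above; it is not part of
the sandbox report or of the analysed APK.
"""
import hashlib
import math
import sys

# sha256 -> on-device path, copied from the report's Downloads section.
REPORT_DROPPED_FILES = {
    "765119852dc93c3a5d397cbaa167ac148856dba9773062626ed4aeb9674f860c":
        "/data/data/dhzzc.bk.he.bsvqqc.fnb/files/d",
    "a31326fa3fa904123310e77ce5c42c2e5cca6c56e0fe38aad7b2c51b1a0fdf9a":
        "/data/data/dhzzc.bk.he.bsvqqc.fnb/files/oat/d.cur.prof",
}

# dex versions the Android runtime accepts for code loaded via
# DexClassLoader/PathClassLoader.
DEX_VERSIONS = (b"035", b"037", b"038", b"039")


def classify_payload(data: bytes) -> str:
    """Container type from magic bytes.

    'dex', 'odex' or 'zip/jar' means the blob is loadable as written to disk.
    'unknown' usually means it is still encrypted/packed and is decrypted in
    memory before loading, which is common for Android banker droppers.
    """
    if (len(data) >= 8 and data[:4] == b"dex\n"
            and data[4:7] in DEX_VERSIONS and data[7] == 0):
        return "dex"
    if data[:4] == b"dey\n":
        return "odex"
    if data[:4] in (b"PK\x03\x04", b"PK\x05\x06"):
        return "zip/jar"
    return "unknown"


def hashes_of(data: bytes) -> dict:
    """Same four digests the report lists, so results can be compared 1:1."""
    return {name: hashlib.new(name, data).hexdigest()
            for name in ("md5", "sha1", "sha256", "sha512")}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; ~8.0 indicates encrypted or compressed content."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def triage_bytes(data: bytes, label: str = "<memory>") -> dict:
    """Summarise one dropped blob and say whether the report already lists it."""
    h = hashes_of(data)
    return {
        "label": label,
        "size": len(data),
        "kind": classify_payload(data),
        "entropy": round(shannon_entropy(data), 2),
        "hashes": h,
        "matches_report": REPORT_DROPPED_FILES.get(h["sha256"]),
    }


def triage_file(path: str) -> dict:
    with open(path, "rb") as f:
        return triage_bytes(f.read(), path)


# Constructed sample: a 0x70-byte header that looks like classes.dex (magic
# "dex\n035\0" followed by zeroed header fields). Not real code.
SAMPLE_DEX_HEADER = b"dex\n035\x00" + bytes(104)

if __name__ == "__main__":
    # Usage: python triage_dropped.py <file pulled from the sandbox> ...
    paths = sys.argv[1:]
    if paths:
        for p in paths:
            print(triage_file(p))
    else:
        print(triage_bytes(SAMPLE_DEX_HEADER, "constructed-dex-header"))
```

A real /files/d whose SHA256 matches the report but classifies as "unknown" with entropy near 8 tells you the on-disk artifact is the encrypted stage and the loadable dex only exists in memory, so the next step is a memory dump or a hook on DexClassLoader rather than static analysis of the file.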