Analysis

  • max time kernel
    149s
  • max time network
    138s
  • platform
    android_x86
  • resource
    android-x86-arm-20240221-en
  • resource tags
    android, arch:arm, arch:x86, image:android-x86-arm-20240221-en, locale:en-us, os:android-9-x86, system
  • submitted
    04-04-2024 17:15

General

  • Target

    be19ba6e627b0cb5a1e4acb7c725a240_JaffaCakes118.apk

  • Size

    444KB

  • MD5

    be19ba6e627b0cb5a1e4acb7c725a240

  • SHA1

    5f4b437ce703ad85ec0d52a83a8f96c2f9491c29

  • SHA256

    dc2c8a143099b03f2de31b05cf02a7dc68e88b330c8f5a7f9536c69963293380

  • SHA512

    89b376176d63554c620fc42195cd03dbdcf371351fde90bf4ccfb6f2362373d8cf283190b67b0d3e8f3fb1604955749f779ba8fd47473f23b8e81bccd82ba663

  • SSDEEP

    12288:wbVQmt51spL11E3VShd+qr1svgrruW/a/xDRQqtGlU:w5QI5sJ1iVS/fr1ugryWmR9Qm

Malware Config

Signatures

  • XLoader payload 2 IoCs
  • XLoader, MoqHao

    An Android banker and info stealer.

  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Reads the content of the MMS message. 1 TTPs 1 IoCs
  • Acquires the wake lock 1 IoCs

Processes

  • oss.epbbyl.enul.tf.pidj
    1⤵
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's foreground persistence service
    • Reads the content of the MMS message.
    • Acquires the wake lock
    PID:4278

Network

MITRE ATT&CK Mobile v15

Downloads

  • /data/data/oss.epbbyl.enul.tf.pidj/files/d

    Filesize

    453KB

    MD5

    d7f0257d31574b862af05971f883fae0

    SHA1

    252b1b03017de80d8fd70907cda39ce2bfadaddc

    SHA256

    765119852dc93c3a5d397cbaa167ac148856dba9773062626ed4aeb9674f860c

    SHA512

    3a53daaa693c0ee6904d737850d490a40035454931cebdbba865cefcd97df58e0c72e2ac33bbd4c1445f5d056193e81f113c0862d93acecbe74a0bcaa362eac5

  • /data/data/oss.epbbyl.enul.tf.pidj/files/oat/d.cur.prof

    Filesize

    796B

    MD5

    fba9c7135c88d8ef2761f79ca00583be

    SHA1

    00e8d2a6681259d2bdefa1b6e0a9656f617dad17

    SHA256

    d69d3416186a55279ea42fafe22f154bda4e8a2d2d9a736eea07af6b16f7aa69

    SHA512

    de2bf232acc8c4c53d3fce320a554283c91f9f46cf1ecdb7f0d0effb9663a17d25f57baa6b7dd05d96e75e0fb5e1279d3b974276f28f15f804cdef893f3d0de7