Analysis
- max time kernel: 149s
- max time network: 155s
- platform: android_x86
- resource: android-x86-arm-20240221-en
- resource tags: android, arch:arm, arch:x86, image:android-x86-arm-20240221-en, locale:en-us, os:android-9-x86, system
- submitted: 07-04-2024 14:00
- Static task: static1
- Behavioral task: behavioral1
  - Sample: e51944dd17e2bcfc8590dae5d10b3bef_JaffaCakes118.apk
  - Resource: android-x86-arm-20240221-en
General
- Target: e51944dd17e2bcfc8590dae5d10b3bef_JaffaCakes118.apk
- Size: 445KB
- MD5: e51944dd17e2bcfc8590dae5d10b3bef
- SHA1: 1dd89f1ce4360730ab1c42ef229bb80af4792896
- SHA256: c24d6f3deaab53373c75f1b53ba14a0b7834c1a493f24a8ac611f681848eff8c
- SHA512: 5aed6e91967827ede55670e75763ef235efac8f0810299841b122702bf9aa778ea205576ea462dc23f78e9c26a82913c7ff4e9caa9c2aea0bfd74766d67712d3
- SSDEEP: 12288:sRXCcCmL+cnu/D7DAEXqyqQnSMey7SQZy+DbbP:jcCcu/D7Duy5g8ke
Malware Config
Extracted
xloader_apk
http://91.204.227.39:28844
Signatures
-
XLoader payload (2 IoCs)
Processes:
  resource                         | yara_rule
  /data/data/m.tzhab.elxh/files/d  | family_xloader_apk
  /data/data/m.tzhab.elxh/files/d  | family_xloader_apk2
-
XLoader, MoqHao
An Android banker and info stealer.
-
Loads dropped Dex/Jar (1 TTP, 2 IoCs)
Runs executable file dropped to the device during analysis.
Processes (m.tzhab.elxh):
  ioc                                | pid  | process
  /data/user/0/m.tzhab.elxh/files/d  | 4278 | m.tzhab.elxh
  /data/user/0/m.tzhab.elxh/files/d  | 4278 | m.tzhab.elxh
-
Makes use of the framework's foreground persistence service (1 TTP, 1 IoC)
Application may abuse the framework's foreground service to continue running in the foreground.
Processes (m.tzhab.elxh):
  description            | ioc                                               | process
  Framework service call | android.app.IActivityManager.setServiceForeground | m.tzhab.elxh
-
Queries account information for other applications stored on the device. (1 TTP, 1 IoC)
Application may abuse the framework's APIs to collect account information stored on the device.
Processes (m.tzhab.elxh):
  description            | ioc                                         | process
  Framework service call | android.accounts.IAccountManager.getAccounts | m.tzhab.elxh
-
Reads the content of the MMS message. (1 TTP, 1 IoC)
Processes (m.tzhab.elxh):
  description           | ioc            | process
  URI accessed for read | content://mms/ | m.tzhab.elxh
-
Acquires the wake lock (1 IoC)
Processes (m.tzhab.elxh):
  description            | ioc                                       | process
  Framework service call | android.os.IPowerManager.acquireWakeLock  | m.tzhab.elxh
-
Uses Crypto APIs (Might try to encrypt user data) (1 IoC)
Processes (m.tzhab.elxh):
  description        | ioc                           | process
  Framework API call | javax.crypto.Cipher.doFinal   | m.tzhab.elxh
Processes
-
m.tzhab.elxh
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's foreground persistence service
- Queries account information for other applications stored on the device.
- Reads the content of the MMS message.
- Acquires the wake lock
- Uses Crypto APIs (Might try to encrypt user data)
PID: 4278
Network
MITRE ATT&CK Mobile v15
Downloads
-
Filesize: 454KB
MD5: d28e6b862a1aee68793e1b022f18306a
SHA1: 9044c8b066fc6610bb53b2fe4fec1c8b3e5ae985
SHA256: 05d35fa20111813c4e3063181b5b90d7f13a03856e6104f1dfc64c735055c76a
SHA512: 64d6105fc4a17057c184804a6214a99e4f96326af423fa11cd7cc89ea0cd1c9e67e43e91ecbaf8ccea6b3175a05dc1d2a3dd1cbd0830d921dfbfb738ec874526
-
Filesize: 1KB
MD5: b75eb7a5ad2cdd018cd9702c28df8d8f
SHA1: 803dab27a7cd5af275a9887c805f9cebd858ea7a
SHA256: e8eb487a42e7390e3c73a51aaf2a77aee2b28f8a8c907c55d1c9792417100d5c
SHA512: f7447589340f63b2323d452f99b1af5ec01e91c6de7da25af4ad3eedbce7be95aac028159573cfefede456c873fc7cfa8108896173b16f766661dc11281994b8
-
Filesize: 36B
MD5: bfc58f720fb30147de1bb27d318a5a7c
SHA1: 28d4283f8c06f79c2406da3bea95f10c38295eed
SHA256: dfc59b68c5e3ba7e8d4e3036b68c3047ff8a1574cd39a034bd833cde86e316d8
SHA512: c2252478339fcd7b78bddb8e75e216aecf723bac9f8fb5b39ecacc34b772a1ff95d864551e5423cf6384457741fa9a48e05e6aab48dfe00ed278d93d8a93386f