Analysis

  • max time kernel
    149s
  • max time network
    155s
  • platform
    android_x86
  • resource
    android-x86-arm-20240221-en
  • resource tags

    androidarch:armarch:x86image:android-x86-arm-20240221-enlocale:en-usos:android-9-x86system
  • submitted
    07-04-2024 14:00

General

  • Target

    e51944dd17e2bcfc8590dae5d10b3bef_JaffaCakes118.apk

  • Size

    445KB

  • MD5

    e51944dd17e2bcfc8590dae5d10b3bef

  • SHA1

    1dd89f1ce4360730ab1c42ef229bb80af4792896

  • SHA256

    c24d6f3deaab53373c75f1b53ba14a0b7834c1a493f24a8ac611f681848eff8c

  • SHA512

    5aed6e91967827ede55670e75763ef235efac8f0810299841b122702bf9aa778ea205576ea462dc23f78e9c26a82913c7ff4e9caa9c2aea0bfd74766d67712d3

  • SSDEEP

    12288:sRXCcCmL+cnu/D7DAEXqyqQnSMey7SQZy+DbbP:jcCcu/D7Duy5g8ke

Malware Config

Extracted

Family

xloader_apk

C2

http://91.204.227.39:28844

DES_key

Signatures

  • XLoader payload 2 IoCs
  • XLoader, MoqHao

    An Android banker and info stealer.

  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Queries account information for other applications stored on the device. 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect account information stored on the device.

  • Reads the content of the MMS message. 1 TTPs 1 IoCs
  • Acquires the wake lock 1 IoCs
  • Uses Crypto APIs (Might try to encrypt user data) 1 IoCs

Processes

  • m.tzhab.elxh
    1⤵
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's foreground persistence service
    • Queries account information for other applications stored on the device.
    • Reads the content of the MMS message.
    • Acquires the wake lock
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4278

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/m.tzhab.elxh/files/d

    Filesize

    454KB

    MD5

    d28e6b862a1aee68793e1b022f18306a

    SHA1

    9044c8b066fc6610bb53b2fe4fec1c8b3e5ae985

    SHA256

    05d35fa20111813c4e3063181b5b90d7f13a03856e6104f1dfc64c735055c76a

    SHA512

    64d6105fc4a17057c184804a6214a99e4f96326af423fa11cd7cc89ea0cd1c9e67e43e91ecbaf8ccea6b3175a05dc1d2a3dd1cbd0830d921dfbfb738ec874526

  • /data/data/m.tzhab.elxh/files/oat/d.cur.prof

    Filesize

    1KB

    MD5

    b75eb7a5ad2cdd018cd9702c28df8d8f

    SHA1

    803dab27a7cd5af275a9887c805f9cebd858ea7a

    SHA256

    e8eb487a42e7390e3c73a51aaf2a77aee2b28f8a8c907c55d1c9792417100d5c

    SHA512

    f7447589340f63b2323d452f99b1af5ec01e91c6de7da25af4ad3eedbce7be95aac028159573cfefede456c873fc7cfa8108896173b16f766661dc11281994b8

  • /storage/emulated/0/.msg_device_id.txt

    Filesize

    36B

    MD5

    bfc58f720fb30147de1bb27d318a5a7c

    SHA1

    28d4283f8c06f79c2406da3bea95f10c38295eed

    SHA256

    dfc59b68c5e3ba7e8d4e3036b68c3047ff8a1574cd39a034bd833cde86e316d8

    SHA512

    c2252478339fcd7b78bddb8e75e216aecf723bac9f8fb5b39ecacc34b772a1ff95d864551e5423cf6384457741fa9a48e05e6aab48dfe00ed278d93d8a93386f