Analysis

  • max time kernel
    150s
  • max time network
    137s
  • platform
    android_x86
  • resource
    android-x86-arm-20240221-en
  • resource tags

    androidarch:armarch:x86image:android-x86-arm-20240221-enlocale:en-usos:android-9-x86system
  • submitted
    15-04-2024 19:33

General

  • Target

    f1c1ef7355d3ad37a8fdebc2716cbe4e_JaffaCakes118.apk

  • Size

    445KB

  • MD5

    f1c1ef7355d3ad37a8fdebc2716cbe4e

  • SHA1

    b82ab7ce847abe2b1fc92f91c97d67773fd49cfa

  • SHA256

    9f34a0f5d16f203eef15bdb01a953c22016ad7f252bce4d781fc4028035bce07

  • SHA512

    333fa4d51a5919acba2f7f703eef3d3d73601f153163741f8968d7bf027b7c7e45338a2140e0bce127e35a67711280471288e132903d8786c6c13dcd3b1fc7e2

  • SSDEEP

    12288:QkOrBFJ5YXxzE2vIIte+M1SyD7DAEXqyqQnSMey7SQZy0:QPVFnYXxzjwIrM1SyD7Duy5g8k0

Malware Config

Extracted

Family

xloader_apk

C2

http://91.204.227.39:28844

DES_key

Signatures

  • XLoader payload 2 IoCs
  • XLoader, MoqHao

    An Android banker and info stealer.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Queries account information for other applications stored on the device. 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect account information stored on the device.

  • Reads the content of the MMS message. 1 TTPs 1 IoCs
  • Acquires the wake lock 1 IoCs
  • Uses Crypto APIs (Might try to encrypt user data) 1 IoCs

Processes

  • i.uoa.rbr
    1⤵
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's foreground persistence service
    • Queries account information for other applications stored on the device.
    • Reads the content of the MMS message.
    • Acquires the wake lock
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4212

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/i.uoa.rbr/files/d

    Filesize

    454KB

    MD5

    d28e6b862a1aee68793e1b022f18306a

    SHA1

    9044c8b066fc6610bb53b2fe4fec1c8b3e5ae985

    SHA256

    05d35fa20111813c4e3063181b5b90d7f13a03856e6104f1dfc64c735055c76a

    SHA512

    64d6105fc4a17057c184804a6214a99e4f96326af423fa11cd7cc89ea0cd1c9e67e43e91ecbaf8ccea6b3175a05dc1d2a3dd1cbd0830d921dfbfb738ec874526

  • /data/data/i.uoa.rbr/files/oat/d.cur.prof

    Filesize

    1KB

    MD5

    b75eb7a5ad2cdd018cd9702c28df8d8f

    SHA1

    803dab27a7cd5af275a9887c805f9cebd858ea7a

    SHA256

    e8eb487a42e7390e3c73a51aaf2a77aee2b28f8a8c907c55d1c9792417100d5c

    SHA512

    f7447589340f63b2323d452f99b1af5ec01e91c6de7da25af4ad3eedbce7be95aac028159573cfefede456c873fc7cfa8108896173b16f766661dc11281994b8

  • /storage/emulated/0/.msg_device_id.txt

    Filesize

    36B

    MD5

    a504ea4af391110f8ff2cdb7d90e9b38

    SHA1

    180d919899fc9a735071819bfead9fb947f4e32d

    SHA256

    354112a2a212bdebb51fded476eacbc52383edef9fbeab37c29f64c1e7b15b5c

    SHA512

    f685429827312c67932272b377a571da651e8dcb5bc2eb449960862dad5f3cea7c2dc47686024cf3ef138c4949d4b9bca5d711a4138a18935350c0d9b5ae571b