Analysis
max time kernel: 150s
max time network: 137s
platform: android_x86
resource: android-x86-arm-20240221-en
resource tags: android, arch:arm, arch:x86, image:android-x86-arm-20240221-en, locale:en-us, os:android-9-x86, system
submitted: 15-04-2024 19:33
Static task: static1
Behavioral task: behavioral1
Sample: f1c1ef7355d3ad37a8fdebc2716cbe4e_JaffaCakes118.apk
Resource: android-x86-arm-20240221-en
General
Target: f1c1ef7355d3ad37a8fdebc2716cbe4e_JaffaCakes118.apk
Size: 445KB
MD5: f1c1ef7355d3ad37a8fdebc2716cbe4e
SHA1: b82ab7ce847abe2b1fc92f91c97d67773fd49cfa
SHA256: 9f34a0f5d16f203eef15bdb01a953c22016ad7f252bce4d781fc4028035bce07
SHA512: 333fa4d51a5919acba2f7f703eef3d3d73601f153163741f8968d7bf027b7c7e45338a2140e0bce127e35a67711280471288e132903d8786c6c13dcd3b1fc7e2
SSDEEP: 12288:QkOrBFJ5YXxzE2vIIte+M1SyD7DAEXqyqQnSMey7SQZy0:QPVFnYXxzjwIrM1SyD7Duy5g8k0
Malware Config
Extracted
Family: xloader_apk
URL: http://91.204.227.39:28844
Signatures
XLoader payload (2 IoCs)
  resource: /data/data/i.uoa.rbr/files/d  yara_rule: family_xloader_apk
  resource: /data/data/i.uoa.rbr/files/d  yara_rule: family_xloader_apk2
XLoader, MoqHao
An Android banker and info stealer.
Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 TTP)
Loads dropped Dex/Jar (1 TTP, 2 IoCs)
Runs an executable file dropped to the device during analysis.
  ioc: /data/user/0/i.uoa.rbr/files/d  pid: 4212  process: i.uoa.rbr
  ioc: /data/user/0/i.uoa.rbr/files/d  pid: 4212  process: i.uoa.rbr
Makes use of the framework's foreground persistence service (1 TTP, 1 IoC)
The application may abuse the framework's foreground service to keep running in the foreground.
  description: Framework service call  ioc: android.app.IActivityManager.setServiceForeground  process: i.uoa.rbr
Queries account information for other applications stored on the device (1 TTP, 1 IoC)
The application may abuse the framework's APIs to collect account information stored on the device.
  description: Framework service call  ioc: android.accounts.IAccountManager.getAccounts  process: i.uoa.rbr
Reads the content of MMS messages (1 TTP, 1 IoC)
  description: URI accessed for read  ioc: content://mms/  process: i.uoa.rbr
Acquires the wake lock (1 IoC)
  description: Framework service call  ioc: android.os.IPowerManager.acquireWakeLock  process: i.uoa.rbr
Uses Crypto APIs (might try to encrypt user data) (1 IoC)
  description: Framework API call  ioc: javax.crypto.Cipher.doFinal  process: i.uoa.rbr
Processes
-
i.uoa.rbr
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's foreground persistence service
- Queries account information for other applications stored on the device.
- Reads the content of the MMS message.
- Acquires the wake lock
- Uses Crypto APIs (Might try to encrypt user data)
PID:4212
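The signature rows above are, in effect, single-event rules over the framework calls the sandbox hooked, and the General and Downloads sections give the file hashes and the extracted URL. The following is an added triage helper (not the sandbox's own code) that encodes those indicators and rules so they can be run against an API-call trace or a list of observed artifacts from another source. The event schema (pid, process, kind, target), the trace, the URL list and the digest list are constructed for illustration; the indicator values are copied from this report.

```python
"""Triage helper built from the IoCs and behavioural signatures in the report above.

Added example, not the sandbox's own code. The event schema (pid, process, kind,
target), the sample trace, URL list and digest list are constructed; the
indicator values are copied from the report.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List
from urllib.parse import urlparse

# Indicators copied from the report.
PACKAGE = "i.uoa.rbr"
CONFIG_URL = "http://91.204.227.39:28844"          # URL extracted from the xloader_apk config
DROPPED_PAYLOAD = "/data/data/i.uoa.rbr/files/d"   # report also shows the /data/user/0/ spelling
KNOWN_SHA256 = {
    "9f34a0f5d16f203eef15bdb01a953c22016ad7f252bce4d781fc4028035bce07": "submitted APK (445KB)",
    "05d35fa20111813c4e3063181b5b90d7f13a03856e6104f1dfc64c735055c76a": "report download (454KB)",
    "e8eb487a42e7390e3c73a51aaf2a77aee2b28f8a8c907c55d1c9792417100d5c": "report download (1KB)",
    "354112a2a212bdebb51fded476eacbc52383edef9fbeab37c29f64c1e7b15b5c": "report download (36B)",
}


def normalize_path(path: str) -> str:
    """Fold /data/user/0/<pkg> into /data/data/<pkg>: on Android the latter is a
    symlink to the former, and the report uses both spellings for one file."""
    prefix = "/data/user/0/"
    return "/data/data/" + path[len(prefix):] if path.startswith(prefix) else path


@dataclass(frozen=True)
class Event:
    pid: int
    process: str
    kind: str    # assumed vocabulary: "exec", "service_call", "api_call", "uri_read"
    target: str


# The report's behavioural signatures, as predicates over single events.
SIGNATURES: Dict[str, Callable[[Event], bool]] = {
    "Loads dropped Dex/Jar":
        lambda e: e.kind == "exec" and normalize_path(e.target) == DROPPED_PAYLOAD,
    "Makes use of the framework's foreground persistence service":
        lambda e: (e.kind == "service_call"
                   and e.target == "android.app.IActivityManager.setServiceForeground"),
    "Queries account information for other applications stored on the device.":
        lambda e: (e.kind == "service_call"
                   and e.target == "android.accounts.IAccountManager.getAccounts"),
    "Reads the content of the MMS message.":
        lambda e: e.kind == "uri_read" and e.target.startswith("content://mms/"),
    "Acquires the wake lock":
        lambda e: (e.kind == "service_call"
                   and e.target == "android.os.IPowerManager.acquireWakeLock"),
    "Uses Crypto APIs (Might try to encrypt user data)":
        lambda e: e.kind == "api_call" and e.target == "javax.crypto.Cipher.doFinal",
}
# Only this signature is specific enough to carry a verdict by itself; wake locks,
# foreground services and Cipher.doFinal are routine in benign apps.
STRONG = {"Loads dropped Dex/Jar"}


def match_signatures(events: Iterable[Event]) -> Dict[str, Dict[str, List[Event]]]:
    """process -> signature name -> events that triggered it."""
    hits: Dict[str, Dict[str, List[Event]]] = {}
    for e in events:
        for name, pred in SIGNATURES.items():
            if pred(e):
                hits.setdefault(e.process, {}).setdefault(name, []).append(e)
    return hits


def match_network(urls: Iterable[str]) -> List[str]:
    """URLs whose scheme and host:port equal the extracted config URL (any path)."""
    ref = urlparse(CONFIG_URL)
    return [u for u in urls
            if urlparse(u).scheme == ref.scheme and urlparse(u).netloc == ref.netloc]


def match_hashes(digests: Iterable[str]) -> Dict[str, str]:
    """SHA256 hex digests (any case) that appear in the report."""
    return {d.lower(): KNOWN_SHA256[d.lower()] for d in digests if d.lower() in KNOWN_SHA256}


def triage(events: Iterable[Event], urls: Iterable[str], digests: Iterable[str]) -> dict:
    per_proc = {}
    for proc, sigs in match_signatures(events).items():
        per_proc[proc] = {
            "signatures": sorted(sigs),
            "verdict": "XLoader/MoqHao behaviour" if STRONG.intersection(sigs) else "weak",
        }
    return {"processes": per_proc,
            "c2_contacts": match_network(urls),
            "known_hashes": match_hashes(digests)}


# Constructed trace mirroring the report's rows, plus one benign process (not a real capture).
SAMPLE_EVENTS = [
    Event(4212, PACKAGE, "exec", "/data/user/0/i.uoa.rbr/files/d"),
    Event(4212, PACKAGE, "service_call", "android.app.IActivityManager.setServiceForeground"),
    Event(4212, PACKAGE, "service_call", "android.accounts.IAccountManager.getAccounts"),
    Event(4212, PACKAGE, "uri_read", "content://mms/"),
    Event(4212, PACKAGE, "service_call", "android.os.IPowerManager.acquireWakeLock"),
    Event(4212, PACKAGE, "api_call", "javax.crypto.Cipher.doFinal"),
    Event(1337, "com.example.benign", "service_call", "android.os.IPowerManager.acquireWakeLock"),
]
SAMPLE_URLS = ["http://91.204.227.39:28844/", "https://example.com/"]                 # constructed
SAMPLE_DIGESTS = ["9F34A0F5D16F203EEF15BDB01A953C22016AD7F252BCE4D781FC4028035BCE07"]  # constructed

if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_EVENTS, SAMPLE_URLS, SAMPLE_DIGESTS), indent=2, default=str))
```

Run it directly to see the per-process breakdown. The benign process fires only the wake-lock rule and stays at "weak", which is the point of separating strong from weak signatures: most rows in this report describe behaviour that legitimate apps also exhibit, and it is the execution of a payload dropped under the app's own files directory, the config URL and the file hashes that identify this sample, not the wake lock or the cipher call.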
Network
MITRE ATT&CK Mobile v15
Downloads
Filesize: 454KB
MD5: d28e6b862a1aee68793e1b022f18306a
SHA1: 9044c8b066fc6610bb53b2fe4fec1c8b3e5ae985
SHA256: 05d35fa20111813c4e3063181b5b90d7f13a03856e6104f1dfc64c735055c76a
SHA512: 64d6105fc4a17057c184804a6214a99e4f96326af423fa11cd7cc89ea0cd1c9e67e43e91ecbaf8ccea6b3175a05dc1d2a3dd1cbd0830d921dfbfb738ec874526

Filesize: 1KB
MD5: b75eb7a5ad2cdd018cd9702c28df8d8f
SHA1: 803dab27a7cd5af275a9887c805f9cebd858ea7a
SHA256: e8eb487a42e7390e3c73a51aaf2a77aee2b28f8a8c907c55d1c9792417100d5c
SHA512: f7447589340f63b2323d452f99b1af5ec01e91c6de7da25af4ad3eedbce7be95aac028159573cfefede456c873fc7cfa8108896173b16f766661dc11281994b8

Filesize: 36B
MD5: a504ea4af391110f8ff2cdb7d90e9b38
SHA1: 180d919899fc9a735071819bfead9fb947f4e32d
SHA256: 354112a2a212bdebb51fded476eacbc52383edef9fbeab37c29f64c1e7b15b5c
SHA512: f685429827312c67932272b377a571da651e8dcb5bc2eb449960862dad5f3cea7c2dc47686024cf3ef138c4949d4b9bca5d711a4138a18935350c0d9b5ae571b