Analysis
max time kernel: 150s
max time network: 134s
platform: android_x86
resource: android-x86-arm-20240221-en
resource tags: android, arch:arm, arch:x86, image:android-x86-arm-20240221-en, locale:en-us, os:android-9-x86, system
submitted: 21-04-2024 18:05
Static task: static1
Behavioral task: behavioral1
Sample: ffdac644009fb0f4b565f28f8c25d402_JaffaCakes118.apk
Resource: android-x86-arm-20240221-en
General
Target: ffdac644009fb0f4b565f28f8c25d402_JaffaCakes118.apk
Size: 445KB
MD5: ffdac644009fb0f4b565f28f8c25d402
SHA1: cf4cf495ebcc3605273824a4c93e312f27b6f198
SHA256: b5a3a633ddd31e523e4d0665d8c915f9ef7be81eb841211621380fac301c70eb
SHA512: 91e58cf1f6cf375c80364eaacffabbe93abebc149169cd94e5cd98b8663bd2927e77612d13fca4048c910a6fe8faeff6e1381bacdb828a78ef6a9d0697ae5cf9
SSDEEP: 6144:sVQgxr5v9JJJufcmakf910m5C7XrXDDUEW+3qyqPoQ+8QVbSda8lysdWINQZoFSL:ropifcmakfcD7DAEXqyqQnSMey7SQZym
Malware Config
Extracted (xloader_apk): http://91.204.227.39:28844
Signatures

- XLoader payload (2 IoCs)
  XLoader, MoqHao: an Android banker and info stealer.
  Processes:
  resource | yara_rule
  /data/data/a.ghsyp.jfw/files/d | family_xloader_apk
  /data/data/a.ghsyp.jfw/files/d | family_xloader_apk2

- Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 TTPs)

- Loads dropped Dex/Jar (1 TTPs, 2 IoCs)
  Runs executable file dropped to the device during analysis.
  Processes:
  ioc | pid | process
  /data/user/0/a.ghsyp.jfw/files/d | 4228 | a.ghsyp.jfw
  /data/user/0/a.ghsyp.jfw/files/d | 4228 | a.ghsyp.jfw

- Makes use of the framework's foreground persistence service (1 TTPs, 1 IoCs)
  Application may abuse the framework's foreground service to continue running in the foreground.
  Processes:
  description | ioc | process
  Framework service call | android.app.IActivityManager.setServiceForeground | a.ghsyp.jfw

- Queries account information for other applications stored on the device (1 TTPs, 1 IoCs)
  Application may abuse the framework's APIs to collect account information stored on the device.
  Processes:
  description | ioc | process
  Framework service call | android.accounts.IAccountManager.getAccounts | a.ghsyp.jfw

- Reads the content of the MMS message (1 TTPs, 1 IoCs)
  Processes:
  description | ioc | process
  URI accessed for read | content://mms/ | a.ghsyp.jfw

- Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTPs, 1 IoCs)
  Processes:
  description | ioc | process
  Framework service call | android.app.IActivityManager.registerReceiver | a.ghsyp.jfw

- Acquires the wake lock (1 IoCs)
  Processes:
  description | ioc | process
  Framework service call | android.os.IPowerManager.acquireWakeLock | a.ghsyp.jfw

- Uses Crypto APIs (might try to encrypt user data) (1 TTPs, 1 IoCs)
  Processes:
  description | ioc | process
  Framework API call | javax.crypto.Cipher.doFinal | a.ghsyp.jfw
Processes
- a.ghsyp.jfw (PID: 4228)
  - Removes its main activity from the application launcher
  - Loads dropped Dex/Jar
  - Makes use of the framework's foreground persistence service
  - Queries account information for other applications stored on the device
  - Reads the content of the MMS message
  - Registers a broadcast receiver at runtime (usually for listening for system events)
  - Acquires the wake lock
  - Uses Crypto APIs (might try to encrypt user data)
Network
MITRE ATT&CK Mobile v15
Downloads
- Filesize: 454KB
  MD5: d28e6b862a1aee68793e1b022f18306a
  SHA1: 9044c8b066fc6610bb53b2fe4fec1c8b3e5ae985
  SHA256: 05d35fa20111813c4e3063181b5b90d7f13a03856e6104f1dfc64c735055c76a
  SHA512: 64d6105fc4a17057c184804a6214a99e4f96326af423fa11cd7cc89ea0cd1c9e67e43e91ecbaf8ccea6b3175a05dc1d2a3dd1cbd0830d921dfbfb738ec874526
- Filesize: 1KB
  MD5: b19931a2396f18d9e43f60ea1fd4acc0
  SHA1: bef5527f3cb760d242314eb99ec568ba8f1fcf9d
  SHA256: 099476caabf2c5da34c533d0ec38ab0b160b004117d36816f05d3f0a2a59eb57
  SHA512: 7ef8c7c99f97bbc7bd5f27c0b2276be52c31a594cb7815aa0053ea1a8842e80ed93dec7e8e518702e818ffec8f333e5ee4caf998d2f15589effd06aab9165004
- Filesize: 36B
  MD5: 821fb17429ffa865c45f8f7c0e24513f
  SHA1: dc7dc2805b767b263b880430bcb5a0cca41eb6af
  SHA256: 1879ab0f09809c417e149e404aed1cbbb4394a940fe8d447640efcc77083a311
  SHA512: d5d6f5cd4cf67b9d68ef8cf6ec782732f351a1dcc24b2b2c9c6c22f38e393e174970998dfd8c8a587e15ca18999324d3457514984d6db946285d669d83f0a52b