Malware Analysis Report

2024-10-19 11:52

Sample ID 240421-wpbbsage35
Target ffdac644009fb0f4b565f28f8c25d402_JaffaCakes118
SHA256 b5a3a633ddd31e523e4d0665d8c915f9ef7be81eb841211621380fac301c70eb
Tags
xloader_apk banker collection discovery evasion impact infostealer persistence stealth trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b5a3a633ddd31e523e4d0665d8c915f9ef7be81eb841211621380fac301c70eb

Threat Level: Known bad

The file ffdac644009fb0f4b565f28f8c25d402_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

xloader_apk banker collection discovery evasion impact infostealer persistence stealth trojan

XLoader, MoqHao

XLoader payload

Removes its main activity from the application launcher

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Queries account information for other applications stored on the device

Loads dropped Dex/Jar

Registers a broadcast receiver at runtime (usually for listening for system events)

Makes use of the framework's foreground persistence service

Reads the content of the MMS message.

Requests dangerous framework permissions

Acquires the wake lock

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-21 18:05

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-21 18:05

Reported

2024-04-21 18:08

Platform

android-x86-arm-20240221-en

Max time kernel

150s

Max time network

134s

Command Line

a.ghsyp.jfw

Signatures

XLoader payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

XLoader, MoqHao

trojan infostealer banker xloader_apk

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/a.ghsyp.jfw/files/d N/A N/A
N/A /data/user/0/a.ghsyp.jfw/files/d N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Queries account information for other applications stored on the device

collection
Description Indicator Process Target
Framework service call android.accounts.IAccountManager.getAccounts N/A N/A

Reads the content of the MMS message.

collection
Description Indicator Process Target
URI accessed for read content://mms/ N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

a.ghsyp.jfw

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 docs.google.com udp
GB 216.58.204.78:443 docs.google.com tcp
GB 216.58.204.78:443 docs.google.com tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
GB 142.250.200.14:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 172.217.16.238:443 android.apis.google.com tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp

Files

/data/data/a.ghsyp.jfw/files/d

MD5 d28e6b862a1aee68793e1b022f18306a
SHA1 9044c8b066fc6610bb53b2fe4fec1c8b3e5ae985
SHA256 05d35fa20111813c4e3063181b5b90d7f13a03856e6104f1dfc64c735055c76a
SHA512 64d6105fc4a17057c184804a6214a99e4f96326af423fa11cd7cc89ea0cd1c9e67e43e91ecbaf8ccea6b3175a05dc1d2a3dd1cbd0830d921dfbfb738ec874526

/storage/emulated/0/.msg_device_id.txt

MD5 821fb17429ffa865c45f8f7c0e24513f
SHA1 dc7dc2805b767b263b880430bcb5a0cca41eb6af
SHA256 1879ab0f09809c417e149e404aed1cbbb4394a940fe8d447640efcc77083a311
SHA512 d5d6f5cd4cf67b9d68ef8cf6ec782732f351a1dcc24b2b2c9c6c22f38e393e174970998dfd8c8a587e15ca18999324d3457514984d6db946285d669d83f0a52b

/data/data/a.ghsyp.jfw/files/oat/d.cur.prof

MD5 b19931a2396f18d9e43f60ea1fd4acc0
SHA1 bef5527f3cb760d242314eb99ec568ba8f1fcf9d
SHA256 099476caabf2c5da34c533d0ec38ab0b160b004117d36816f05d3f0a2a59eb57
SHA512 7ef8c7c99f97bbc7bd5f27c0b2276be52c31a594cb7815aa0053ea1a8842e80ed93dec7e8e518702e818ffec8f333e5ee4caf998d2f15589effd06aab9165004