Malware Analysis Report

2024-10-19 11:52

Sample ID: 240428-g87rrsac3v
Target: 04925c1a7625b678cb4cb367a42e4f83_JaffaCakes118
SHA256: 240365ecc76fe093dc512d79b7e6578a9a5052789b839f2fe1a816de037e0fe2
Tags: xloader_apk banker collection discovery evasion infostealer persistence stealth trojan
Score: 10/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK (Mobile Matrix V15)
  Analysis: static1 (Detonation Overview, Signatures)
  Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
  Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
  Analysis: behavioral3 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score: 10/10
SHA256: 240365ecc76fe093dc512d79b7e6578a9a5052789b839f2fe1a816de037e0fe2
Threat Level: Known bad

The file 04925c1a7625b678cb4cb367a42e4f83_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

Tags: xloader_apk banker collection discovery evasion infostealer persistence stealth trojan

Family: XLoader, MoqHao. The xloader_apk tag refers to the Android XLoader family (also tracked as MoqHao and Wroba, the payload of the Roaming Mantis campaign), not the Windows XLoader that descends from FormBook; the two share nothing but the name.

Signatures triggered across the static scan and the three detonations:

  XLoader payload
  Removes its main activity from the application launcher
  Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps)
  Reads the content of the MMS message
  Registers a broadcast receiver at runtime (usually for listening for system events)
  Queries the phone number (MSISDN for GSM devices)
  Loads dropped Dex/Jar
  Makes use of the framework's foreground persistence service
  Acquires the wake lock
  Requests dangerous framework permissions
  Requests disabling of battery optimizations (often used to enable hiding in the background)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-04-28 06:29

Signatures

Requests dangerous framework permissions

Indicator (permission declared in the manifest) and description. Process and Target are N/A for every row, as expected from a static scan. Note that SYSTEM_ALERT_WINDOW and PACKAGE_USAGE_STATS are not runtime permissions in the Android sense: they are "special app access" toggles that the user must enable in Settings, which is why the app also requests the REQUEST_IGNORE_BATTERY_OPTIMIZATIONS settings intent seen in the behavioral runs. The remaining entries are runtime permissions granted through a dialog.

android.permission.WRITE_EXTERNAL_STORAGE   Allows an application to write to external storage.
android.permission.READ_EXTERNAL_STORAGE    Allows an application to read from external storage.
android.permission.READ_PHONE_STATE         Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device.
android.permission.RECEIVE_SMS              Allows an application to receive SMS messages.
android.permission.RECEIVE_MMS              Allows an application to monitor incoming MMS messages.
android.permission.READ_SMS                 Allows an application to read SMS messages.
android.permission.SEND_SMS                 Allows an application to send SMS messages.
android.permission.READ_CONTACTS            Allows an application to read the user's contacts data.
android.permission.SYSTEM_ALERT_WINDOW      Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps.
android.permission.CALL_PHONE               Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call.
android.permission.GET_ACCOUNTS             Allows access to the list of accounts in the Accounts Service.
android.permission.PACKAGE_USAGE_STATS      Allows an application to collect component usage statistics.
android.permission.RECORD_AUDIO             Allows an application to record audio.
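The permission list above is the static fingerprint of an SMS-intercepting banker. The script below is an added example (not code from the sandbox or from the sample) that turns a decoded manifest into that kind of verdict: it separates runtime permissions from special-access ones and flags the capability bundles that matter together. It assumes the binary AndroidManifest.xml has already been decoded to plain XML, for instance with `apktool d sample.apk`; the embedded manifest is constructed to mirror the static1 permission list, and the profile names and groupings are this example's own heuristic.

```python
"""Triage the permissions an APK requests and flag the capability bundles.

Added example, not code from the sandbox or the sample. Assumes the manifest
has already been decoded from binary XML to text (e.g. apktool d sample.apk).
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Runtime ("dangerous") permissions: the user sees a grant dialog at request time.
RUNTIME_DANGEROUS = {
    "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.READ_PHONE_STATE",
    "android.permission.RECEIVE_SMS",
    "android.permission.RECEIVE_MMS",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.CALL_PHONE",
    "android.permission.GET_ACCOUNTS",
    "android.permission.RECORD_AUDIO",
}

# Special app access: no dialog, the user must enable it in Settings, so malware
# usually fires an intent that drops the victim on the right Settings page.
SPECIAL_ACCESS = {
    "android.permission.SYSTEM_ALERT_WINDOW",
    "android.permission.PACKAGE_USAGE_STATS",
}

# Capability bundles that are more telling together than any single permission.
# The names and groupings are this example's own heuristic, not a standard.
PROFILES = {
    "sms_interception": {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"},
    "sms_relay": {"android.permission.SEND_SMS"},
    "overlay_phishing": {"android.permission.SYSTEM_ALERT_WINDOW",
                         "android.permission.PACKAGE_USAGE_STATS"},
    "call_redirection": {"android.permission.CALL_PHONE", "android.permission.READ_PHONE_STATE"},
    "contact_harvest": {"android.permission.READ_CONTACTS", "android.permission.GET_ACCOUNTS"},
}


def requested_permissions(manifest_xml):
    """Return every android:name carried by a <uses-permission> element."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")} - {None}


def triage(manifest_xml):
    """Split the request list into runtime, special-access and capability profiles."""
    perms = requested_permissions(manifest_xml)
    return {
        "runtime_dangerous": sorted(perms & RUNTIME_DANGEROUS),
        "special_access": sorted(perms & SPECIAL_ACCESS),
        "profiles": sorted(name for name, needed in PROFILES.items() if needed <= perms),
    }


# Constructed manifest mirroring the static1 permission list for com.ghpf.cpxv.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.ghpf.cpxv">
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_MMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <uses-permission android:name="android.permission.PACKAGE_USAGE_STATS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <application android:label="x"/>
</manifest>
"""

if __name__ == "__main__":
    for key, values in triage(SAMPLE_MANIFEST).items():
        print("%-18s %s" % (key + ":", ", ".join(values) or "-"))
```

Run it against a real decoded manifest by reading the file into `triage()`. A benign messaging app will light up `sms_interception`; it is the co-occurrence with `overlay_phishing`, `call_redirection` and `contact_harvest`, together with no launcher activity left in the manifest, that separates a banker from an over-privileged but legitimate app.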

Analysis: behavioral1

Detonation Overview

Submitted: 2024-04-28 06:29
Reported: 2024-04-28 06:32
Platform: android-x86-arm-20240221-en
Max time kernel: 150s
Max time network: 138s

Command Line

com.ghpf.cpxv

Signatures

Process and Target were not attributed (N/A) for any indicator in this run.

XLoader payload
  Indicator: none recorded

XLoader, MoqHao
  Tags: trojan infostealer banker xloader_apk

Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps)
  Tags: banker discovery

Removes its main activity from the application launcher
  Tags: stealth trojan evasion
  Indicator: none recorded

Loads dropped Dex/Jar
  Tags: evasion
  Indicator: /data/user/0/com.ghpf.cpxv/files/dex (recorded twice)

Makes use of the framework's foreground persistence service
  Tags: evasion persistence
  Indicator: framework service call android.app.IActivityManager.setServiceForeground

Reads the content of the MMS message
  Tags: collection
  Indicator: URI accessed for read, content://mms/

Registers a broadcast receiver at runtime (usually for listening for system events)
  Tags: persistence
  Indicator: framework service call android.app.IActivityManager.registerReceiver

Acquires the wake lock
  Indicator: framework service call android.os.IPowerManager.acquireWakeLock

Requests disabling of battery optimizations (often used to enable hiding in the background)
  Tags: evasion
  Indicator: intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS

Processes

com.ghpf.cpxv

Network

Country  Destination           Domain                   Proto
N/A      224.0.0.251:5353      -                        udp
US       1.1.1.1:53            y4wgres.blogspot.com     udp
GB       216.58.213.1:443      y4wgres.blogspot.com     tcp
GB       216.58.213.1:443      y4wgres.blogspot.com     tcp
GB       216.58.213.1:443      y4wgres.blogspot.com     tcp
GB       216.58.201.110:443    -                        tcp
US       1.1.1.1:53            android.apis.google.com  udp
GB       172.217.16.238:443    android.apis.google.com  tcp
GB       216.58.213.1:443      y4wgres.blogspot.com     tcp
GB       216.58.213.1:443      y4wgres.blogspot.com     tcp
GB       172.217.169.10:443    -                        tcp
GB       216.58.213.1:443      y4wgres.blogspot.com     tcp
GB       216.58.213.1:443      y4wgres.blogspot.com     tcp

(- : no domain recorded for the connection. 224.0.0.251:5353 is mDNS and 1.1.1.1:53 is the sandbox's DNS resolver; neither is sample behaviour.)
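Most of the table above is sandbox and platform noise; the one destination the sample itself keeps returning to is y4wgres.blogspot.com, and it resolves to a different Google IP in each of the three runs (216.58.213.1, 142.250.200.33, 142.250.187.225), so the hostname is the indicator and the IP is worthless. The script below is an added example (not part of the report) that reduces a table like this one to a ranked indicator list. It embeds the behavioral1 rows as its input; the noise allow-lists are assumptions to tune per environment, and tagging a repeatedly contacted blogging-platform subdomain as a candidate dead-drop resolver is this example's interpretation, consistent with published MoqHao reporting but not something the report states.

```python
"""Reduce a sandbox network table to the indicators worth hunting for.

Added example, not part of the report. Noise lists and the dead-drop heuristic
are assumptions; adjust them to the detonation environment.
"""
import ipaddress

# The sandbox's DNS resolver and the Google hosts any Android image contacts on
# boot; treated as environment noise rather than behaviour of the sample (assumed).
RESOLVERS = {"1.1.1.1"}
BENIGN_DOMAINS = {"android.apis.google.com", "ssl.google-analytics.com"}

# Shared platforms used as dead-drop resolvers: the real C2 address is parked in
# a public post or profile and the implant fetches it from there (assumed).
DEAD_DROP_PLATFORMS = (".blogspot.com",)

# Rows copied from the behavioral1 Network table.
BEHAVIORAL1_ROWS = """\
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 y4wgres.blogspot.com udp
GB 216.58.213.1:443 y4wgres.blogspot.com tcp
GB 216.58.213.1:443 y4wgres.blogspot.com tcp
GB 216.58.213.1:443 y4wgres.blogspot.com tcp
GB 216.58.201.110:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 172.217.16.238:443 android.apis.google.com tcp
GB 216.58.213.1:443 y4wgres.blogspot.com tcp
GB 216.58.213.1:443 y4wgres.blogspot.com tcp
GB 172.217.169.10:443 tcp
GB 216.58.213.1:443 y4wgres.blogspot.com tcp
GB 216.58.213.1:443 y4wgres.blogspot.com tcp
"""


def parse_row(line):
    """Split 'Country Destination [Domain] Proto'; Domain may be missing or '-'."""
    parts = line.split()
    if len(parts) == 4:
        country, dest, domain, proto = parts
    elif len(parts) == 3:
        country, dest, proto = parts
        domain = None
    else:
        raise ValueError("unexpected row: %r" % line)
    if domain == "-":
        domain = None
    host, port = dest.rsplit(":", 1)
    return {"country": country, "host": host, "port": int(port),
            "domain": domain, "proto": proto}


def is_noise(row):
    """Drop multicast/link-local chatter, resolver lookups and boot-time Google calls."""
    ip = ipaddress.ip_address(row["host"])
    if ip.is_multicast or ip.is_private or ip.is_link_local:
        return True
    if row["port"] == 53 and row["host"] in RESOLVERS:
        return True  # the lookup itself; the resolved name reappears on the TCP rows
    return row["domain"] in BENIGN_DOMAINS


def triage(table):
    """Return indicators ordered by connection count, each with a hunting note."""
    seen = {}
    for line in table.strip().splitlines():
        row = parse_row(line)
        if is_noise(row):
            continue
        key = row["domain"] or row["host"]
        entry = seen.setdefault(key, {"count": 0, "ips": set(),
                                      "resolved": row["domain"] is not None})
        entry["count"] += 1
        entry["ips"].add(row["host"])
    out = []
    for key, e in sorted(seen.items(), key=lambda kv: -kv[1]["count"]):
        if key.endswith(DEAD_DROP_PLATFORMS):
            note = "candidate dead-drop resolver: hunt on the hostname, the IP is shared hosting"
        elif not e["resolved"]:
            note = "TLS to an IP with no DNS answer paired in this table: check SNI in the pcap"
        else:
            note = "direct contact"
        out.append({"indicator": key, "count": e["count"],
                    "ips": sorted(e["ips"]), "note": note})
    return out


if __name__ == "__main__":
    for hit in triage(BEHAVIORAL1_ROWS):
        print("%-24s x%-2d %s -> %s" % (hit["indicator"], hit["count"],
                                        ",".join(hit["ips"]), hit["note"]))
```

Feeding the behavioral2 and behavioral3 tables through the same function gives the same top indicator with different IPs, which is exactly the cross-run check that tells you to block the domain and not the address.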

Files

/data/data/com.ghpf.cpxv/files/dex

MD5 6526216a7364ec9c5bb732ee17d84f72
SHA1 ffeae6438762af6eda6d446a835fedb82f0f467e
SHA256 b35fceb0126729d542aa5c57bba648a4385194696a25944ff74788e4756a7331
SHA512 6cb9b7d25ff492d7eb20d20efb39892e1c4ff4cdf2baaad6f334c886bd8022c85bc720bc3837c2e7bc842ca0dc0eabd407bb1e24fca078d5c1cc3faff8454600

/data/data/com.ghpf.cpxv/files/oat/dex.cur.prof

MD5 bb751e2686e61a79f750d0e2d329f632
SHA1 e9138dd0379ce2841d46d4ce9e3ecc5211e7cc35
SHA256 69b6f45777fa2f26a221a10176d334eda34a1b8678acde0ec44925125964b9f5
SHA512 77cfeb2634e9d8d2c8f0bb8b60c9897e4263b6a02be3ea07481a7979f0072eb16268defbad8db86dbe6edb84685b38f6ec2539402dddb34c41520e78d861b18f
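Two things in the file listings are worth noticing before the hashes go into a blocklist. First, files/dex has the same SHA256 (b35fceb0...a7331) in all three runs, so it is the stable second-stage indicator, while oat/dex.cur.prof differs every run: that file is the ART runtime's own JIT profile for the loaded code, written by the system and not dropped by the sample, and its hash should not be treated as an IOC. Second, /data/data/<pkg> is a symlink to /data/user/0/<pkg>, which is why behavioral3 lists the same files under the resolved path. The script below is an added example (not the sandbox's code) that identifies what kind of loadable artefact a pulled file is and fingerprints it the way the report does. It assumes the file was retrieved from a rooted device or emulator (adb root, then adb pull /data/data/com.ghpf.cpxv/files/dex); the byte strings it builds are constructed stand-ins, so their hashes will not match the report, and the ART profile magic it checks for is taken from memory of ART's ProfileCompilationInfo and is an assumption.

```python
"""Identify and fingerprint a payload pulled from an app's private files directory.

Added example, not code from the sandbox or the sample. The samples below are
constructed; the ART profile magic is an assumption to verify against your
ART version.
"""
import hashlib
import io
import zipfile

DEX_MAGIC = b"dex\n"            # full header starts b"dex\n035\x00" (version varies)
ZIP_MAGIC = b"PK\x03\x04"       # jar/apk containers a DexClassLoader will open
ART_PROFILE_MAGIC = b"pro\x00"  # assumed magic of oat/*.cur.prof files

REPORTED_DEX_SHA256 = "b35fceb0126729d542aa5c57bba648a4385194696a25944ff74788e4756a7331"


def classify(data):
    """Name the container a DexClassLoader/InMemoryDexClassLoader could consume."""
    if data[:4] == DEX_MAGIC and data[7:8] == b"\x00":
        return "dex v" + data[4:7].decode("ascii", "replace")
    if data[:4] == ZIP_MAGIC:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            return "zip (corrupt)"
        if any(n.startswith("classes") and n.endswith(".dex") for n in names):
            return "jar/apk with classes*.dex"
        return "zip without dex"
    if data[:4] == ART_PROFILE_MAGIC:
        return "art-profile"
    return "unknown"


def fingerprint(data):
    """Hashes in the same four algorithms the report lists."""
    return {algo: hashlib.new(algo, data).hexdigest()
            for algo in ("md5", "sha1", "sha256", "sha512")}


def matches_report(data, sha256=REPORTED_DEX_SHA256):
    """True when the pulled file is the exact dropped dex the report hashed."""
    return fingerprint(data)["sha256"] == sha256.lower()


def make_dex_stub(version=b"035"):
    """A 0x70-byte DEX header with only magic and version set (constructed)."""
    header = bytearray(0x70)
    header[0:8] = DEX_MAGIC + version + b"\x00"
    return bytes(header)


def make_jar(dex):
    """Wrap a dex in a minimal jar, the other shape a dropped loader payload takes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("classes.dex", dex)
    return buf.getvalue()


# Constructed stand-ins for files/dex and oat/dex.cur.prof.
SAMPLE_DEX = make_dex_stub()
SAMPLE_JAR = make_jar(SAMPLE_DEX)
SAMPLE_PROFILE = ART_PROFILE_MAGIC + b"010\x00" + b"\x00" * 16

if __name__ == "__main__":
    for label, blob in (("files/dex", SAMPLE_DEX), ("payload.jar", SAMPLE_JAR),
                        ("oat/dex.cur.prof", SAMPLE_PROFILE)):
        fp = fingerprint(blob)
        print("%-18s %-26s sha256=%s report-match=%s"
              % (label, classify(blob), fp["sha256"][:16] + "...", matches_report(blob)))
```

On a real pull, `classify()` returning a dex or jar for something under files/ that the APK did not ship is the "Loads dropped Dex/Jar" signature reproduced by hand, and `matches_report()` confirms you have the same second stage the sandbox saw before you spend time decompiling it.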

Analysis: behavioral2

Detonation Overview

Submitted: 2024-04-28 06:29
Reported: 2024-04-28 06:32
Platform: android-x64-20240221-en
Max time kernel: 150s
Max time network: 138s

Command Line

com.ghpf.cpxv

Signatures

Process and Target were not attributed (N/A) for any indicator in this run.

XLoader payload
  Indicator: none recorded

XLoader, MoqHao
  Tags: trojan infostealer banker xloader_apk

Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps)
  Tags: banker discovery

Removes its main activity from the application launcher
  Tags: stealth trojan evasion
  Indicator: none recorded

Loads dropped Dex/Jar
  Tags: evasion
  Indicator: /data/user/0/com.ghpf.cpxv/files/dex (recorded twice)

Makes use of the framework's foreground persistence service
  Tags: evasion persistence
  Indicator: framework service call android.app.IActivityManager.setServiceForeground

Queries the phone number (MSISDN for GSM devices)
  Tags: discovery

Reads the content of the MMS message
  Tags: collection
  Indicator: URI accessed for read, content://mms/

Registers a broadcast receiver at runtime (usually for listening for system events)
  Tags: persistence
  Indicator: framework service call android.app.IActivityManager.registerReceiver

Acquires the wake lock
  Indicator: framework service call android.os.IPowerManager.acquireWakeLock

Processes

com.ghpf.cpxv

Network

Country  Destination           Domain                    Proto
N/A      224.0.0.251:5353      -                         udp
US       1.1.1.1:53            y4wgres.blogspot.com      udp
GB       142.250.200.33:443    y4wgres.blogspot.com      tcp
US       1.1.1.1:53            ssl.google-analytics.com  udp
GB       142.250.179.232:443   ssl.google-analytics.com  tcp
GB       142.250.200.33:443    y4wgres.blogspot.com      tcp
GB       142.250.200.33:443    y4wgres.blogspot.com      tcp
GB       142.250.178.14:443    -                         tcp
US       1.1.1.1:53            android.apis.google.com   udp
GB       142.250.180.14:443    android.apis.google.com   tcp
GB       142.250.200.33:443    y4wgres.blogspot.com      tcp
GB       142.250.200.33:443    y4wgres.blogspot.com      tcp
GB       216.58.212.228:443    -                         tcp
GB       216.58.212.228:443    -                         tcp
GB       142.250.200.33:443    y4wgres.blogspot.com      tcp
GB       142.250.200.33:443    y4wgres.blogspot.com      tcp

(- : no domain recorded for the connection. 224.0.0.251:5353 is mDNS and 1.1.1.1:53 is the sandbox's DNS resolver. Note that y4wgres.blogspot.com resolved to 142.250.200.33 here against 216.58.213.1 in behavioral1; the hostname, not the address, is the indicator.)

Files

/data/data/com.ghpf.cpxv/files/dex

MD5 6526216a7364ec9c5bb732ee17d84f72
SHA1 ffeae6438762af6eda6d446a835fedb82f0f467e
SHA256 b35fceb0126729d542aa5c57bba648a4385194696a25944ff74788e4756a7331
SHA512 6cb9b7d25ff492d7eb20d20efb39892e1c4ff4cdf2baaad6f334c886bd8022c85bc720bc3837c2e7bc842ca0dc0eabd407bb1e24fca078d5c1cc3faff8454600

/data/data/com.ghpf.cpxv/files/oat/dex.cur.prof

MD5 bc31103da987eff63eb8a3e21a37b7a0
SHA1 c37129f658baa0f8d82971aae42d5ddddb801a47
SHA256 6bd6a5e2154228c7f3a240589a9d182c3b489db08c5f658f9cb3f300e999f301
SHA512 39b35cdd8fc06fc30c8218fbc0d3eb1bd65e17e2c17f09abf5822e66861ff548cd3dd111e6f3ced377129e65f9c087c7b923d17b09ff3982835ae07a6bd440f6

Analysis: behavioral3

Detonation Overview

Submitted: 2024-04-28 06:29
Reported: 2024-04-28 06:32
Platform: android-x64-arm64-20240221-en
Max time kernel: 150s
Max time network: 140s

Command Line

com.ghpf.cpxv

Signatures

Process and Target were not attributed (N/A) for any indicator in this run.

XLoader payload
  Indicator: none recorded

XLoader, MoqHao
  Tags: trojan infostealer banker xloader_apk

Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps)
  Tags: banker discovery

Removes its main activity from the application launcher
  Tags: stealth trojan evasion
  Indicator: none recorded

Loads dropped Dex/Jar
  Tags: evasion
  Indicator: /data/user/0/com.ghpf.cpxv/files/dex (recorded twice)

Makes use of the framework's foreground persistence service
  Tags: evasion persistence
  Indicator: framework service call android.app.IActivityManager.setServiceForeground

Queries the phone number (MSISDN for GSM devices)
  Tags: discovery

Reads the content of the MMS message
  Tags: collection
  Indicator: URI accessed for read, content://mms/

Acquires the wake lock
  Indicator: framework service call android.os.IPowerManager.acquireWakeLock

Requests disabling of battery optimizations (often used to enable hiding in the background)
  Tags: evasion
  Indicator: intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS

Processes

com.ghpf.cpxv

Network

Country  Destination           Domain                    Proto
GB       142.250.180.14:443    -                         tcp
GB       142.250.180.14:443    -                         tcp
GB       142.250.180.14:443    -                         tcp
N/A      224.0.0.251:5353      -                         udp
GB       216.58.213.10:443     -                         udp
GB       142.250.200.46:443    -                         udp
US       1.1.1.1:53            android.apis.google.com   udp
GB       172.217.16.238:443    android.apis.google.com   tcp
US       1.1.1.1:53            y4wgres.blogspot.com      udp
GB       142.250.187.225:443   y4wgres.blogspot.com      tcp
US       1.1.1.1:53            ssl.google-analytics.com  udp
GB       216.58.201.104:443    ssl.google-analytics.com  tcp
GB       142.250.187.225:443   y4wgres.blogspot.com      tcp
GB       142.250.187.225:443   y4wgres.blogspot.com      tcp
GB       142.250.187.225:443   y4wgres.blogspot.com      tcp
GB       142.250.187.225:443   y4wgres.blogspot.com      tcp
GB       216.58.201.100:443    -                         tcp
GB       216.58.201.100:443    -                         tcp
GB       142.250.187.225:443   y4wgres.blogspot.com      tcp
GB       142.250.187.225:443   y4wgres.blogspot.com      tcp

(- : no domain recorded for the connection. 224.0.0.251:5353 is mDNS, 1.1.1.1:53 is the sandbox's DNS resolver, and 443/udp to Google addresses is QUIC from the platform. Third distinct address for y4wgres.blogspot.com across the three runs: 142.250.187.225.)

Files

/data/user/0/com.ghpf.cpxv/files/dex

MD5 6526216a7364ec9c5bb732ee17d84f72
SHA1 ffeae6438762af6eda6d446a835fedb82f0f467e
SHA256 b35fceb0126729d542aa5c57bba648a4385194696a25944ff74788e4756a7331
SHA512 6cb9b7d25ff492d7eb20d20efb39892e1c4ff4cdf2baaad6f334c886bd8022c85bc720bc3837c2e7bc842ca0dc0eabd407bb1e24fca078d5c1cc3faff8454600

/data/user/0/com.ghpf.cpxv/files/oat/dex.cur.prof

MD5 831b2e5eb1371365404f0c1d7fa642c5
SHA1 5deee82e06263aedd3b3da7bfe2e2357abd37424
SHA256 7969df698db470aea987b42f00b8710a021fcec43f038007afe86707aeed05a1
SHA512 4494696dd5dc6b6c65700a623d45b5a025fb223262ea54bc80dedbf42abe0c83fcfa063eefe8a9975e5584c78ea1b910a683b55192d1119f122954e8287970a9