Analysis
-
max time kernel
149s -
max time network
144s -
platform
android_x86 -
resource
android-x86-arm-20240506-en -
resource tags
-
submitted
09-05-2024 05:17
General
-
Target
2874dd72742f50946fda2bc798593d01_JaffaCakes118.apk
-
Size
436KB
-
MD5
2874dd72742f50946fda2bc798593d01
-
SHA1
e476b8660f060a09192d6847664f954f660dcc2a
-
SHA256
492ca513e88e0c9d733306fc827a06d7bc14592923e8a670874b78c70a0e5e87
-
SHA512
c6b85a016e64ac0fc958f7fa7eaa755b2b65dc740165a05dd42fe0732fc5a65c56403e692c0dc961c038586869f4a627a771869e77931f3e9087b2a78ed7df2c
-
SSDEEP
6144:XTBNfL1iH4hec5KKa3afkwFnbh7MzWho1IEh5OZ1i01wMdB+fDWZjJ7DgygB0Il2:j/jcH4h91/zMzChZ6MdBQDYJ7xgxC3ag
Malware Config
Extracted
xloader_apk
http://103.126.160.21:38866
Signatures
-
XLoader payload 1 IoCs
-
XLoader, MoqHao
An Android banker and info stealer.
-
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Removes its main activity from the application launcher 1 TTPs 1 IoCs
-
Requests changing the default SMS application. 2 TTPs 1 IoCs
-
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs executable file dropped to the device during analysis.
-
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Reads the content of the MMS message. 1 TTPs 1 IoCs
-
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
-
Acquires the wake lock 1 IoCs
-
Checks if the internet connection is available 1 TTPs 1 IoCs
-
Reads information about phone network operator. 1 TTPs
-
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
-
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
Processes
-
com.onmj.zovu1⤵
- Removes its main activity from the application launcher
- Requests changing the default SMS application.
- Loads dropped Dex/Jar
- Makes use of the framework's foreground persistence service
- Reads the content of the MMS message.
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Acquires the wake lock
- Checks if the internet connection is available
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Uses Crypto APIs (Might try to encrypt user data)
Network
MITRE ATT&CK Mobile v15
Persistence
Event Triggered Execution
1Broadcast Receivers
1Foreground Persistence
1Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Hide Artifacts
2Suppress Application Icon
1User Evasion
1Replay Monitor
Loading Replay Monitor...
Downloads
-
/data/data/com.onmj.zovu/files/dexFilesize
766KB
MD50db6ad8c907da9266e0a615d774e0b96
SHA12d6f055b44e894d1954e96c8379d9a0b6bf55bac
SHA2567235a30c0acb0e73b56c6436a830551a1d8f561fab828471a217c056a0241289
SHA512a879a14bcabce77b551e3a975fd64b645bd1f4534e870f39c2fc5d201c6d3922f12fd64e76daf415b35afcc3d2c0c3743ff66a163a388b1faffcaa4f13f34d24