Analysis
- max time kernel: 150s
- max time network: 141s
- platform: android_x86
- resource: android-x86-arm-20240506-en
- resource tags: android, arch:arm, arch:x86, image:android-x86-arm-20240506-en, locale:en-us, os:android-9-x86, system
- submitted: 10-05-2024 08:26
Static task: static1
Behavioral task: behavioral1
- Sample: 2e388d52acc836abbc123d3c72712a0a_JaffaCakes118.apk
- Resource: android-x86-arm-20240506-en
Behavioral task: behavioral2
- Sample: 2e388d52acc836abbc123d3c72712a0a_JaffaCakes118.apk
- Resource: android-x64-20240506-en
Behavioral task: behavioral3
- Sample: 2e388d52acc836abbc123d3c72712a0a_JaffaCakes118.apk
- Resource: android-x64-arm64-20240506-en
General
- Target: 2e388d52acc836abbc123d3c72712a0a_JaffaCakes118.apk
- Size: 393KB
- MD5: 2e388d52acc836abbc123d3c72712a0a
- SHA1: 58394375ce91a6dea1c9c6361e4f87267e507e5b
- SHA256: 04132e7cc46761b756aa8c2885fba5759d10db3027bd31865fa9efb5a38d529b
- SHA512: 9c731ba892af5df5498a887c1d4e8bfa54c17141c3a7e93d7f0db4452cf88d7408bab7140666e69b8b57b3f44086c48cda72abaf6d34546719543336f0079fdc
- SSDEEP: 12288:N2sQcoRDzql0m4+nTH0s3TMj6KdDPjLVRWVDsQHesUGSJgsf1l00:N2JHzql0h+nr07lLVNmiGebj
Malware Config

Signatures
- XLoader payload (1 IoC)
  - Family: XLoader, MoqHao. An Android banker and info stealer.
  - Processes: resource /data/data/com.lvis.czxl/files/dex matched yara_rule family_xloader_apk2
- Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 TTP)
- Checks memory information (2 TTPs, 1 IoC)
  - Checks memory information which indicates whether the system is an emulator.
- Loads dropped Dex/Jar (1 TTP, 2 IoCs)
  - Runs an executable file dropped to the device during analysis.
  - Processes (com.lvis.czxl):
    - ioc: /data/user/0/com.lvis.czxl/files/dex, pid: 4188, process: com.lvis.czxl
    - ioc: /data/user/0/com.lvis.czxl/files/dex, pid: 4188, process: com.lvis.czxl
- Makes use of the framework's foreground persistence service (1 TTP, 1 IoC)
  - The application may abuse the framework's foreground service to continue running in the foreground.
  - Processes (com.lvis.czxl): description: Framework service call, ioc: android.app.IActivityManager.setServiceForeground, process: com.lvis.czxl
- Queries the mobile country code (MCC) (1 TTP, 1 IoC)
  - Processes (com.lvis.czxl): description: Framework service call, ioc: com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone, process: com.lvis.czxl
- Queries the phone number (MSISDN for GSM devices) (1 TTP)
- Reads the content of the MMS message (1 TTP, 1 IoC)
  - Processes (com.lvis.czxl): description: URI accessed for read, ioc: content://mms/, process: com.lvis.czxl
- Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTP, 1 IoC)
  - Processes (com.lvis.czxl): description: Framework service call, ioc: android.app.IActivityManager.registerReceiver, process: com.lvis.czxl
- Acquires the wake lock (1 IoC)
  - Processes (com.lvis.czxl): description: Framework service call, ioc: android.os.IPowerManager.acquireWakeLock, process: com.lvis.czxl
- Checks if the internet connection is available (1 TTP, 1 IoC)
  - Processes (com.lvis.czxl): description: Framework service call, ioc: android.net.IConnectivityManager.getActiveNetworkInfo, process: com.lvis.czxl
- Reads information about the phone network operator (1 TTP)
- Requests disabling of battery optimizations (often used to enable hiding in the background) (1 TTP, 1 IoC)
  - Processes (com.lvis.czxl): description: Intent action, ioc: android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS, process: com.lvis.czxl
Processes
1. com.lvis.czxl
   - Checks memory information
   - Loads dropped Dex/Jar
   - Makes use of the framework's foreground persistence service
   - Queries the mobile country code (MCC)
   - Reads the content of the MMS message
   - Registers a broadcast receiver at runtime (usually for listening for system events)
   - Acquires the wake lock
   - Checks if the internet connection is available
   - Requests disabling of battery optimizations (often used to enable hiding in the background)
   2. ping -c 4 (child process)
Downloads
- /data/data/com.lvis.czxl/files/dex
  - Filesize: 688KB
  - MD5: eaf8cdb9b91399306e9e5bc7b6308758
  - SHA1: 34fc3e3cb3d954d2c7834fa47e3d25e2370e714e
  - SHA256: 3803d2cdd6cd669afcb40eea1e2a61e2fa9a83c1f92a25d637132b37d0d537b7
  - SHA512: 98298c3f10c652e3f09ed5967759d64e76f9887ca7104d5aa748334430c2c6297be8de8f296a81c304370affb8399013022ff5cdb38af57ac603004572529caa
- /data/data/com.lvis.czxl/files/oat/dex.cur.prof
  - Filesize: 787B
  - MD5: e410a2bb02447550215693af34def4e4
  - SHA1: 1a56604f5bdb73064a7d5587d637a21286bee0be
  - SHA256: 2812dc4f178525e5e5e3c956b2767e5fc337d076f49ddd311edab7a645e17d6f
  - SHA512: f35aa4331759d9a9ea6651adb4f6074f4692554f2839b3af767f9e0f42573fa1f0a221183d284d0995f35d58c0ac012f53c4e40dd5f6d1f7a31deb46b424af69
- /data/data/com.lvis.czxl/files/oat/dex.cur.prof
  - Filesize: 1013B
  - MD5: 46eec805259375dcbb4f657c6f052c20
  - SHA1: 3d517a8e826433db47995354252ae83b0ff4a71f
  - SHA256: 73b80f913879e99291dadc0ce60026fe786d4009a04bae031fc735fdf376d2ed
  - SHA512: fb7d3717f1df4a9d902c4286b4a27ee268d1196de4d083e60eb96e4b691c8ca7fcb1436fc6509796c82cc750de10d719f660ac66e8ba555c9ca6fb30e0be5cb8