Analysis
- max time kernel: 150s
- max time network: 145s
- platform: android_x64
- resource: android-x64-20240506-en
- resource tags: android, arch:x64, arch:x86, image:android-x64-20240506-en, locale:en-us, os:android-10-x64, system
- submitted: 10-05-2024 08:26
Static task
- static1
Behavioral tasks
- behavioral1: sample 2e388d52acc836abbc123d3c72712a0a_JaffaCakes118.apk, resource android-x86-arm-20240506-en
- behavioral2: sample 2e388d52acc836abbc123d3c72712a0a_JaffaCakes118.apk, resource android-x64-20240506-en
- behavioral3: sample 2e388d52acc836abbc123d3c72712a0a_JaffaCakes118.apk, resource android-x64-arm64-20240506-en
General
- Target: 2e388d52acc836abbc123d3c72712a0a_JaffaCakes118.apk
- Size: 393KB
- MD5: 2e388d52acc836abbc123d3c72712a0a
- SHA1: 58394375ce91a6dea1c9c6361e4f87267e507e5b
- SHA256: 04132e7cc46761b756aa8c2885fba5759d10db3027bd31865fa9efb5a38d529b
- SHA512: 9c731ba892af5df5498a887c1d4e8bfa54c17141c3a7e93d7f0db4452cf88d7408bab7140666e69b8b57b3f44086c48cda72abaf6d34546719543336f0079fdc
- SSDEEP: 12288:N2sQcoRDzql0m4+nTH0s3TMj6KdDPjLVRWVDsQHesUGSJgsf1l00:N2JHzql0h+nr07lLVNmiGebj
Malware Config
Signatures
- XLoader payload (1 IoCs)
  Processes:
  resource | yara_rule
  /data/data/com.lvis.czxl/files/dex | family_xloader_apk2
- XLoader, MoqHao
  An Android banker and info stealer.
- Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 TTPs)
- Checks memory information (2 TTPs, 1 IoCs)
  Checks memory information that indicates whether the system is an emulator.
- Loads dropped Dex/Jar (1 TTPs, 2 IoCs)
  Runs an executable file dropped to the device during analysis.
  Processes:
  ioc | pid | process
  /data/user/0/com.lvis.czxl/files/dex | 5151 | com.lvis.czxl
  /data/user/0/com.lvis.czxl/files/dex | 5151 | com.lvis.czxl
- Makes use of the framework's foreground persistence service (1 TTPs, 1 IoCs)
  The application may abuse the framework's foreground service to keep running in the foreground.
  Processes:
  description | ioc | process
  Framework service call | android.app.IActivityManager.setServiceForeground | com.lvis.czxl
- Obtains sensitive information copied to the device clipboard (2 TTPs, 1 IoCs)
  The application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
- Queries the mobile country code (MCC) (1 TTPs, 1 IoCs)
  Processes:
  description | ioc | process
  Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | com.lvis.czxl
- Queries the phone number (MSISDN for GSM devices) (1 TTPs)
- Reads the content of the MMS message (1 TTPs, 1 IoCs)
  Processes:
  description | ioc | process
  URI accessed for read | content://mms/ | com.lvis.czxl
- Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTPs, 1 IoCs)
  Processes:
  description | ioc | process
  Framework service call | android.app.IActivityManager.registerReceiver | com.lvis.czxl
- Acquires the wake lock (1 IoCs)
  Processes:
  description | ioc | process
  Framework service call | android.os.IPowerManager.acquireWakeLock | com.lvis.czxl
- Checks if the internet connection is available (1 TTPs, 1 IoCs)
  Processes:
  description | ioc | process
  Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | com.lvis.czxl
Processes
-
com.lvis.czxl (signatures triggered by this process):
- Checks memory information
- Loads dropped Dex/Jar
- Makes use of the framework's foreground persistence service
- Obtains sensitive information copied to the device clipboard
- Queries the mobile country code (MCC)
- Reads the content of the MMS message.
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Acquires the wake lock
- Checks if the internet connection is available
Downloads
- /data/data/com.lvis.czxl/files/dex
  Filesize: 688KB
  MD5: eaf8cdb9b91399306e9e5bc7b6308758
  SHA1: 34fc3e3cb3d954d2c7834fa47e3d25e2370e714e
  SHA256: 3803d2cdd6cd669afcb40eea1e2a61e2fa9a83c1f92a25d637132b37d0d537b7
  SHA512: 98298c3f10c652e3f09ed5967759d64e76f9887ca7104d5aa748334430c2c6297be8de8f296a81c304370affb8399013022ff5cdb38af57ac603004572529caa
- /data/data/com.lvis.czxl/files/oat/dex.cur.prof
  Filesize: 763B
  MD5: 61edc7c926cb521a2fff49c5f3beb166
  SHA1: 38607a5768dc1b0aa8f3764b5511ae8543732f40
  SHA256: 95c370db9ca1714005cc83af75f77dfb8d5f64cede9647c7370caf8c09e90559
  SHA512: ff0ebb2f6d3f03b63584d51a3a817660619ca6ea137df91c2c954f62d0845994f3171927ad73c9b23f4cad89d3710968552144abdeedf034429856ef99b781bd
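The two dropped files above are the interesting artefacts of this run: the 688KB `files/dex` is the second stage that the "Loads dropped Dex/Jar" signature saw com.lvis.czxl load (and that the family_xloader_apk2 rule matched), while `files/oat/dex.cur.prof` is the ART runtime profile that gets written once an app-loaded dex has been executed. The following Python triage helper is an added example, not part of the sandbox report or of the malware: given a file pulled from the analysis VM, it separates a real DEX from an ART profile by magic bytes, validates the DEX header's Adler-32 checksum and SHA-1 signature (the fields ART verifies before loading), and compares the file's SHA-256 with the values in the Downloads section. The `build_test_dex` helper constructs a synthetic, non-loadable DEX with a valid header purely so the checks can be exercised offline; the real payload is not reproduced here.

```python
"""Triage helper for files dropped by an Android sample (added example).

Classifies a dropped file, validates DEX header integrity fields and
matches the file against the SHA-256 values listed in the report.
"""
import hashlib
import struct
import zlib

# SHA-256 values copied from the report's Downloads section.
REPORTED_SHA256 = {
    "/data/data/com.lvis.czxl/files/dex":
        "3803d2cdd6cd669afcb40eea1e2a61e2fa9a83c1f92a25d637132b37d0d537b7",
    "/data/data/com.lvis.czxl/files/oat/dex.cur.prof":
        "95c370db9ca1714005cc83af75f77dfb8d5f64cede9647c7370caf8c09e90559",
}

DEX_HEADER_SIZE = 0x70
ENDIAN_CONSTANT = 0x12345678  # endian_tag value of a little-endian DEX


def classify(data: bytes) -> str:
    """Classify a dropped file by its magic bytes."""
    if data[:4] == b"dex\n" and data[7:8] == b"\0":
        return "dex"
    if data[:4] == b"pro\0":  # magic of ART's *.prof profile files
        return "art-profile"
    return "other"


def verify_dex_header(data: bytes) -> dict:
    """Check the integrity fields of a DEX header (all little-endian).

    offset 0  magic[8]        "dex\\n" + 3-digit version + NUL
    offset 8  checksum u32    Adler-32 over data[12:]
    offset 12 signature[20]   SHA-1 over data[32:]
    offset 32 file_size u32   must equal the file length
    offset 36 header_size u32 must be 0x70
    offset 40 endian_tag u32  0x12345678 for little-endian
    """
    if len(data) < DEX_HEADER_SIZE or data[:4] != b"dex\n":
        return {"is_dex": False}
    version = data[4:7].decode("ascii", "replace")
    (checksum,) = struct.unpack_from("<I", data, 8)
    signature = data[12:32]
    file_size, header_size, endian_tag = struct.unpack_from("<III", data, 32)
    return {
        "is_dex": True,
        "version": version,
        "checksum_ok": checksum == (zlib.adler32(data[12:]) & 0xFFFFFFFF),
        "signature_ok": signature == hashlib.sha1(data[32:]).digest(),
        "size_ok": file_size == len(data)
                   and header_size == DEX_HEADER_SIZE
                   and endian_tag == ENDIAN_CONSTANT,
    }


def triage(path: str, data: bytes) -> dict:
    """Combine classification, header validation and report hash matching."""
    sha256 = hashlib.sha256(data).hexdigest()
    result = {
        "path": path,
        "kind": classify(data),
        "sha256": sha256,
        "hash_matches_report": REPORTED_SHA256.get(path) == sha256,
    }
    if result["kind"] == "dex":
        result["header"] = verify_dex_header(data)
    return result


def build_test_dex(payload: bytes, version: bytes = b"035") -> bytes:
    """Construct a minimal DEX with a valid header around a dummy payload.

    Only the integrity fields are filled in; section offsets stay zero, so
    the result exercises the checks above but is not a loadable DEX.
    """
    data = bytearray(DEX_HEADER_SIZE) + bytearray(payload)
    data[0:8] = b"dex\n" + version + b"\0"
    struct.pack_into("<III", data, 32, len(data), DEX_HEADER_SIZE, ENDIAN_CONSTANT)
    data[12:32] = hashlib.sha1(data[32:]).digest()          # signature first
    struct.pack_into("<I", data, 8, zlib.adler32(data[12:]) & 0xFFFFFFFF)
    return bytes(data)


if __name__ == "__main__":
    # Constructed inputs standing in for files pulled from the analysis VM.
    dex = build_test_dex(b"constructed dummy payload")
    print(triage("/data/data/com.lvis.czxl/files/dex", dex))
    print(triage("/data/data/com.lvis.czxl/files/oat/dex.cur.prof", b"pro\0015\0"))
```

To use it on the real artefacts, read the pulled files and pass their bytes to `triage()` with the report path as the key; `hash_matches_report` then confirms you are looking at the same second stage the sandbox loaded, and a DEX whose checksum or signature fails is either corrupt or was modified after the sandbox hashed it.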