Analysis
-
max time kernel
179s -
max time network
173s -
platform
android_x86 -
resource
android-x86-arm-20240514-en -
resource tags
-
submitted
16-05-2024 23:45
General
-
Target
4d9a7e425f8c8b02d598ef0a0a776a58_JaffaCakes118.apk
-
Size
360KB
-
MD5
4d9a7e425f8c8b02d598ef0a0a776a58
-
SHA1
6326ee3221532268e5d26164376408b28292ff85
-
SHA256
c65318aa58c9091b938948b62c4b5d6e47237697d8d2f96863f99ef177b6818d
-
SHA512
45a4c3490855413e23f94338903522fe6199f62b227ee501e986fecc669252e52f5f08c6146e3591ccca1d480ac8eb1bdd6cad74f194d1611c8768e8e3f30248
-
SSDEEP
6144:p9V8nmTiZi0CoYk8tInWRXVRR18qn4fQXiCIuFN0pnyw7e16qVYZCtQFyx6h/6V:p9MmTiinXBRXV2r49930hekqVYYtAh/2
Malware Config
Signatures
-
XLoader payload 2 IoCs
-
XLoader, MoqHao
An Android banker and info stealer.
-
Checks if the Android device is rooted. 1 TTPs 3 IoCs
-
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Removes its main activity from the application launcher 1 TTPs 1 IoCs
-
Loads dropped Dex/Jar 1 TTPs 3 IoCs
Runs executable file dropped to the device during analysis.
-
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Reads the content of the MMS message. 1 TTPs 1 IoCs
-
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
-
Tries to add a device administrator. 2 TTPs 1 IoCs
-
Acquires the wake lock 1 IoCs
-
Checks if the internet connection is available 1 TTPs 1 IoCs
-
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
Processes
-
ghd.et.hds1⤵
- Checks if the Android device is rooted.
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's foreground persistence service
- Reads the content of the MMS message.
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Tries to add a device administrator.
- Acquires the wake lock
- Checks if the internet connection is available
- Requests disabling of battery optimizations (often used to enable hiding in the background).
-
/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/ghd.et.hds/files/test.dex --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/ghd.et.hds/files/oat/x86/test.odex --compiler-filter=quicken --class-loader-context=&2⤵
- Loads dropped Dex/Jar
-
ping -c 42⤵
Network
MITRE ATT&CK Mobile v15
Persistence
Event Triggered Execution
1Broadcast Receivers
1Foreground Persistence
1Privilege Escalation
Abuse Elevation Control Mechanism
1Device Administrator Permissions
1Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Hide Artifacts
2Suppress Application Icon
1User Evasion
1Replay Monitor
Loading Replay Monitor...
Downloads
-
/data/data/ghd.et.hds/files/test.dexFilesize
627KB
MD56e1926d548ffac0f6cedfb4a4f49196e
SHA1fd1d8b3cfd7002986e26aa47a7fb7b1b69c438cb
SHA2569ef653326e0c5f7bbe84bf1d870d5c0ac7e6cc3ec857c5a76a3658c5599960cc
SHA5123bcecb651f2f3d7261e123b36c489f77f6c228827112002cdf58866a171c5c9c1d2242997a10f40201d014833c1a8b98fc9477d62b85ee2a370da372a690e246
-
/data/user/0/ghd.et.hds/files/test.dexFilesize
627KB
MD547621c507f766da22b7fe069da838119
SHA1e8106ed267506dcf4e6a42226c0fd16c05c5c75b
SHA256fd475d22849b355a80417916b677a7b69d989e31bc94d0570a4b17b63bd8c108
SHA512309cbb7c0be135a63e15159b56feb7438f53d1425e40fbe19bedb241e7e2042bee2913d903b30b2ed24cf95dfefe9b06de6e69c1d34907d4d2547d2367da8d6d