Analysis
-
max time kernel
179s -
max time network
171s -
platform
android_x86 -
resource
android-x86-arm-20240514-en -
resource tags
-
submitted
21-05-2024 06:50
General
-
Target
6265095f4911afb6f89375a8be063615_JaffaCakes118.apk
-
Size
436KB
-
MD5
6265095f4911afb6f89375a8be063615
-
SHA1
4b0e54e10189a27c6afc46168926a2d6a4b4be5f
-
SHA256
7ec1a6674d138f5ceb7c4e7bba6a489ddf9565d3871f7473c592bbc8a402e275
-
SHA512
b424d705d89d0bfb0d6c99c814241cbf8c218f481a1deb79b3fb083d5e7ea61d957f73835dc9a2fb318bfcee5af4854d1871feca97f7cb79c4cda203af585b84
-
SSDEEP
12288:gLOEWMR7vjK9eMXk4h3DhlJ8r2RN7q0woQVNOi6Yse/:6WMRO7n3DJ++u0xSO0
Malware Config
Extracted
xloader_apk
http://45.114.129.49:28866
Signatures
-
XLoader payload 1 IoCs
-
XLoader, MoqHao
An Android banker and info stealer.
-
Checks if the Android device is rooted. 1 TTPs 3 IoCs
-
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Removes its main activity from the application launcher 1 TTPs 1 IoCs
-
Requests changing the default SMS application. 2 TTPs 1 IoCs
-
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs executable file dropped to the device during analysis.
-
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Reads the content of the MMS message. 1 TTPs 1 IoCs
-
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
-
Acquires the wake lock 1 IoCs
-
Checks if the internet connection is available 1 TTPs 1 IoCs
-
Reads information about phone network operator. 1 TTPs
-
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
-
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
Processes
-
com.wncp.sdct1⤵
- Checks if the Android device is rooted.
- Removes its main activity from the application launcher
- Requests changing the default SMS application.
- Loads dropped Dex/Jar
- Makes use of the framework's foreground persistence service
- Reads the content of the MMS message.
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Acquires the wake lock
- Checks if the internet connection is available
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Uses Crypto APIs (Might try to encrypt user data)
-
ping -c 4 45.114.129.492⤵
Network
MITRE ATT&CK Mobile v15
Persistence
Event Triggered Execution
1Broadcast Receivers
1Foreground Persistence
1Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Hide Artifacts
2Suppress Application Icon
1User Evasion
1Replay Monitor
Loading Replay Monitor...
Downloads
-
/data/data/com.wncp.sdct/files/dexFilesize
766KB
MD5474a6c270ad9ce11d542743d22f4f618
SHA15465c0640e725a1745dc32aaaa455a7e88b6df30
SHA256d37c5d615adc341d03f84b43e8fd060c4b8de258420f4d9076428e37039d8510
SHA512aebeb07a5daacbb1a33eb26cc472393e9341c01d2413926ed3101543f77e6bb4b0884fa2a49ea9947bdf99f6bdea6deb162ca1cfcda25be16a21d3767be2f4fb
-
/data/data/com.wncp.sdct/files/oat/dex.cur.profFilesize
1004B
MD509efa6c873370069fe404844caaafc68
SHA14b2a79101581594e77362477f74da23d52813454
SHA25678141b4f6a45ee42b52235e1c6963b87748ee8835ec504ba33fc587978d0e68c
SHA51202a89ad04e3d3ec6fdc08ec6f75a7d7a5e9a76e230123c58cda555a61c1678b17d86c23eda3ba2fa30d7e9aa52cabc34d6b4d4d3e47357d7309dfb5a84a1bbe2
-
/data/data/com.wncp.sdct/files/oat/dex.cur.profFilesize
1KB
MD537035317afc9889ae2e9ad9c61c5ac7e
SHA19435581f01df2e24909a2bf58051c74f0403206a
SHA256a91adaae71e959817101bbfd336c419ebdebd8ec3fbe35e21ee0b59d2853d5fe
SHA512579bb7de5eb19edd16cc7a6af72d60a616eab6a54bd3433dc6883865766cad85a78a37165f80a592617734fc433a538ecbdc2d0c61a9a13ccbf85c1541a1cb92