Analysis
max time kernel: 179s
max time network: 171s
platform: android_x86
resource: android-x86-arm-20240514-en
resource tags: android, arch:arm, arch:x86, image:android-x86-arm-20240514-en, locale:en-us, os:android-9-x86, system
submitted: 21-05-2024 06:50
Static task: static1
Behavioral task: behavioral1
  Sample: 6265095f4911afb6f89375a8be063615_JaffaCakes118.apk
  Resource: android-x86-arm-20240514-en
Behavioral task: behavioral2
  Sample: 6265095f4911afb6f89375a8be063615_JaffaCakes118.apk
  Resource: android-x64-20240514-en
Behavioral task: behavioral3
  Sample: 6265095f4911afb6f89375a8be063615_JaffaCakes118.apk
  Resource: android-x64-arm64-20240514-en
General
Target: 6265095f4911afb6f89375a8be063615_JaffaCakes118.apk
Size: 436KB
MD5: 6265095f4911afb6f89375a8be063615
SHA1: 4b0e54e10189a27c6afc46168926a2d6a4b4be5f
SHA256: 7ec1a6674d138f5ceb7c4e7bba6a489ddf9565d3871f7473c592bbc8a402e275
SHA512: b424d705d89d0bfb0d6c99c814241cbf8c218f481a1deb79b3fb083d5e7ea61d957f73835dc9a2fb318bfcee5af4854d1871feca97f7cb79c4cda203af585b84
SSDEEP: 12288:gLOEWMR7vjK9eMXk4h3DhlJ8r2RN7q0woQVNOi6Yse/:6WMRO7n3DJ++u0xSO0
Malware Config
Extracted
xloader_apk
http://45.114.129.49:28866
Signatures
XLoader payload 1 IoCs
Processes:
  resource                            yara_rule
  /data/data/com.wncp.sdct/files/dex  family_xloader_apk2
XLoader, MoqHao
An Android banker and info stealer.
Checks if the Android device is rooted. 1 TTPs 3 IoCs
Processes: com.wncp.sdct
  ioc              process
  /system/bin/su   com.wncp.sdct
  /system/xbin/su  com.wncp.sdct
  /sbin/su         com.wncp.sdct
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
Requests changing the default SMS application. 2 TTPs 1 IoCs
Processes: com.wncp.sdct
  description    ioc                                              process
  Intent action  android.provider.Telephony.ACTION_CHANGE_DEFAULT  com.wncp.sdct
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs executable file dropped to the device during analysis.
Processes: com.wncp.sdct
  ioc                                    pid   process
  /data/user/0/com.wncp.sdct/files/dex   4224  com.wncp.sdct
  /data/user/0/com.wncp.sdct/files/dex   4224  com.wncp.sdct
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
Processes: com.wncp.sdct
  description             ioc                                                process
  Framework service call  android.app.IActivityManager.setServiceForeground  com.wncp.sdct
Queries the phone number (MSISDN for GSM devices) 1 TTPs
Reads the content of the MMS message. 1 TTPs 1 IoCs
Processes: com.wncp.sdct
  description            ioc             process
  URI accessed for read  content://mms/  com.wncp.sdct
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
Processes: com.wncp.sdct
  description             ioc                                           process
  Framework service call  android.app.IActivityManager.registerReceiver  com.wncp.sdct
Acquires the wake lock 1 IoCs
Processes: com.wncp.sdct
  description             ioc                                        process
  Framework service call  android.os.IPowerManager.acquireWakeLock  com.wncp.sdct
Checks if the internet connection is available 1 TTPs 1 IoCs
Processes: com.wncp.sdct
  description             ioc                                                    process
  Framework service call  android.net.IConnectivityManager.getActiveNetworkInfo  com.wncp.sdct
Reads information about phone network operator. 1 TTPs
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
Processes: com.wncp.sdct
  description    ioc                                                     process
  Intent action  android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS  com.wncp.sdct
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
Processes: com.wncp.sdct
  description         ioc                            process
  Framework API call  javax.crypto.Cipher.doFinal    com.wncp.sdct
Processes
com.wncp.sdct (PID: 4224)
  - Checks if the Android device is rooted.
  - Removes its main activity from the application launcher
  - Requests changing the default SMS application.
  - Loads dropped Dex/Jar
  - Makes use of the framework's foreground persistence service
  - Reads the content of the MMS message.
  - Registers a broadcast receiver at runtime (usually for listening for system events)
  - Acquires the wake lock
  - Checks if the internet connection is available
  - Requests disabling of battery optimizations (often used to enable hiding in the background).
  - Uses Crypto APIs (Might try to encrypt user data)
  ping -c 4 45.114.129.49 (PID: 4520)
Network
MITRE ATT&CK Mobile v15
Persistence
  Event Triggered Execution (1)
    Broadcast Receivers (1)
  Foreground Persistence (1)
Defense Evasion
  Download New Code at Runtime (1)
  Foreground Persistence (1)
  Hide Artifacts (2)
    Suppress Application Icon (1)
    User Evasion (1)
Downloads
/data/data/com.wncp.sdct/files/dex
  Filesize: 766KB
  MD5: 474a6c270ad9ce11d542743d22f4f618
  SHA1: 5465c0640e725a1745dc32aaaa455a7e88b6df30
  SHA256: d37c5d615adc341d03f84b43e8fd060c4b8de258420f4d9076428e37039d8510
  SHA512: aebeb07a5daacbb1a33eb26cc472393e9341c01d2413926ed3101543f77e6bb4b0884fa2a49ea9947bdf99f6bdea6deb162ca1cfcda25be16a21d3767be2f4fb
/data/data/com.wncp.sdct/files/oat/dex.cur.prof
  Filesize: 1004B
  MD5: 09efa6c873370069fe404844caaafc68
  SHA1: 4b2a79101581594e77362477f74da23d52813454
  SHA256: 78141b4f6a45ee42b52235e1c6963b87748ee8835ec504ba33fc587978d0e68c
  SHA512: 02a89ad04e3d3ec6fdc08ec6f75a7d7a5e9a76e230123c58cda555a61c1678b17d86c23eda3ba2fa30d7e9aa52cabc34d6b4d4d3e47357d7309dfb5a84a1bbe2
/data/data/com.wncp.sdct/files/oat/dex.cur.prof
  Filesize: 1KB
  MD5: 37035317afc9889ae2e9ad9c61c5ac7e
  SHA1: 9435581f01df2e24909a2bf58051c74f0403206a
  SHA256: a91adaae71e959817101bbfd336c419ebdebd8ec3fbe35e21ee0b59d2853d5fe
  SHA512: 579bb7de5eb19edd16cc7a6af72d60a616eab6a54bd3433dc6883865766cad85a78a37165f80a592617734fc433a538ecbdc2d0c61a9a13ccbf85c1541a1cb92