Analysis
-
max time kernel
179s -
max time network
142s -
platform
android_x64 -
resource
android-x64-arm64-20240514-en -
resource tags
-
submitted
21-05-2024 06:50
General
-
Target
6265095f4911afb6f89375a8be063615_JaffaCakes118.apk
-
Size
436KB
-
MD5
6265095f4911afb6f89375a8be063615
-
SHA1
4b0e54e10189a27c6afc46168926a2d6a4b4be5f
-
SHA256
7ec1a6674d138f5ceb7c4e7bba6a489ddf9565d3871f7473c592bbc8a402e275
-
SHA512
b424d705d89d0bfb0d6c99c814241cbf8c218f481a1deb79b3fb083d5e7ea61d957f73835dc9a2fb318bfcee5af4854d1871feca97f7cb79c4cda203af585b84
-
SSDEEP
12288:gLOEWMR7vjK9eMXk4h3DhlJ8r2RN7q0woQVNOi6Yse/:6WMRO7n3DJ++u0xSO0
Malware Config
Extracted
xloader_apk
http://45.114.129.49:28866
Signatures
-
XLoader payload 1 IoCs
-
XLoader, MoqHao
An Android banker and info stealer.
-
Checks if the Android device is rooted. 1 TTPs 1 IoCs
-
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Removes its main activity from the application launcher 1 TTPs 1 IoCs
-
Requests changing the default SMS application. 2 TTPs 1 IoCs
-
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs executable file dropped to the device during analysis.
-
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Reads the content of the MMS message. 1 TTPs 1 IoCs
-
Acquires the wake lock 1 IoCs
-
Checks if the internet connection is available 1 TTPs 1 IoCs
-
Reads information about phone network operator. 1 TTPs
-
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
-
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
Processes
-
com.wncp.sdct1⤵
- Checks if the Android device is rooted.
- Removes its main activity from the application launcher
- Requests changing the default SMS application.
- Loads dropped Dex/Jar
- Makes use of the framework's foreground persistence service
- Reads the content of the MMS message.
- Acquires the wake lock
- Checks if the internet connection is available
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Uses Crypto APIs (Might try to encrypt user data)
Network
MITRE ATT&CK Mobile v15
Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Hide Artifacts
2Suppress Application Icon
1User Evasion
1Replay Monitor
Loading Replay Monitor...
Downloads
-
/data/user/0/com.wncp.sdct/files/dexFilesize
766KB
MD5474a6c270ad9ce11d542743d22f4f618
SHA15465c0640e725a1745dc32aaaa455a7e88b6df30
SHA256d37c5d615adc341d03f84b43e8fd060c4b8de258420f4d9076428e37039d8510
SHA512aebeb07a5daacbb1a33eb26cc472393e9341c01d2413926ed3101543f77e6bb4b0884fa2a49ea9947bdf99f6bdea6deb162ca1cfcda25be16a21d3767be2f4fb