Analysis
- max time kernel: 179s
- max time network: 138s
- platform: android_x86
- resource: android-x86-arm-20240514-en
- resource tags: android, arch:arm, arch:x86, image:android-x86-arm-20240514-en, locale:en-us, os:android-9-x86, system
- submitted: 25-05-2024 02:50
Static task
- static1

Behavioral tasks
- behavioral1: sample 70a081850df3843c8bba0c7a4822d9a6_JaffaCakes118.apk, resource android-x86-arm-20240514-en
- behavioral2: sample 70a081850df3843c8bba0c7a4822d9a6_JaffaCakes118.apk, resource android-x64-20240514-en
- behavioral3: sample 70a081850df3843c8bba0c7a4822d9a6_JaffaCakes118.apk, resource android-x64-arm64-20240514-en
General
- Target: 70a081850df3843c8bba0c7a4822d9a6_JaffaCakes118.apk
- Size: 434KB
- MD5: 70a081850df3843c8bba0c7a4822d9a6
- SHA1: 1fd5e2a5f322f663ae8cf07e2c1f31ff1ea08adb
- SHA256: 72f4581d233e45c636b377a572e936bdad236b25e62198864045a219c714031c
- SHA512: 6c70479d0c2496637259f4da6c96e39d3b93b27a9eafcfe0ff1e4c2e8c29966324cb40cef5dc65fc1af131acc3773834ee4943f9f2c8c4bcb83ee6ce81d48224
- SSDEEP: 12288:XOa7eDLhzStvEmnovq/OF8x+Zt57yOOyEoQfjN+:ELhIvrnGmx+ZDSfU
Malware Config
Signatures

- XLoader payload (1 IoCs)
  XLoader, MoqHao: an Android banker and info stealer.
  Processes:
  - resource: /data/data/com.take.fmtx/files/dex, yara_rule: family_xloader_apk2

- Checks if the Android device is rooted. (1 TTPs, 3 IoCs)
  Processes (com.take.fmtx):
  - ioc: /sbin/su, process: com.take.fmtx
  - ioc: /system/bin/su, process: com.take.fmtx
  - ioc: /system/xbin/su, process: com.take.fmtx

- Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps). (1 TTPs)

- Requests changing the default SMS application. (2 TTPs, 1 IoCs)
  Processes (com.take.fmtx):
  - description: Intent action, ioc: android.provider.Telephony.ACTION_CHANGE_DEFAULT, process: com.take.fmtx

- Loads dropped Dex/Jar (1 TTPs, 2 IoCs)
  Runs an executable file dropped to the device during analysis.
  Processes (com.take.fmtx):
  - ioc: /data/user/0/com.take.fmtx/files/dex, pid: 4291, process: com.take.fmtx
  - ioc: /data/user/0/com.take.fmtx/files/dex, pid: 4291, process: com.take.fmtx

- Makes use of the framework's foreground persistence service (1 TTPs, 1 IoCs)
  The application may abuse the framework's foreground service to continue running in the foreground.
  Processes (com.take.fmtx):
  - description: Framework service call, ioc: android.app.IActivityManager.setServiceForeground, process: com.take.fmtx

- Queries the phone number (MSISDN for GSM devices) (1 TTPs)

- Reads the content of the MMS message. (1 TTPs, 1 IoCs)
  Processes (com.take.fmtx):
  - description: URI accessed for read, ioc: content://mms/, process: com.take.fmtx

- Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTPs, 1 IoCs)
  Processes (com.take.fmtx):
  - description: Framework service call, ioc: android.app.IActivityManager.registerReceiver, process: com.take.fmtx

- Acquires the wake lock (1 IoCs)
  Processes (com.take.fmtx):
  - description: Framework service call, ioc: android.os.IPowerManager.acquireWakeLock, process: com.take.fmtx

- Checks if the internet connection is available (1 TTPs, 1 IoCs)
  Processes (com.take.fmtx):
  - description: Framework service call, ioc: android.net.IConnectivityManager.getActiveNetworkInfo, process: com.take.fmtx

- Requests disabling of battery optimizations (often used to enable hiding in the background). (1 TTPs, 1 IoCs)
  Processes (com.take.fmtx):
  - description: Intent action, ioc: android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS, process: com.take.fmtx
Processes

com.take.fmtx (PID 4291)
- Checks if the Android device is rooted.
- Removes its main activity from the application launcher
- Requests changing the default SMS application.
- Loads dropped Dex/Jar
- Makes use of the framework's foreground persistence service
- Reads the content of the MMS message.
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Acquires the wake lock
- Checks if the internet connection is available
- Requests disabling of battery optimizations (often used to enable hiding in the background).
Network
MITRE ATT&CK Mobile v15

Persistence
- Event Triggered Execution (1)
  - Broadcast Receivers (1)
- Foreground Persistence (1)

Defense Evasion
- Download New Code at Runtime (1)
- Foreground Persistence (1)
- Hide Artifacts (2)
  - Suppress Application Icon (1)
  - User Evasion (1)
Downloads
- /data/data/com.take.fmtx/files/dex
  - Filesize: 766KB
  - MD5: 2d50b35b6f6fee37bde7a9ec86703932
  - SHA1: 2d9b5311ba513f335702593523b5f1ce488adb38
  - SHA256: f082845fa037937fc01572fb3561b8b555dfb86e8c39f9d9c628270509ee92b1
  - SHA512: 6aa66f26c12db6e6a0d9ec9feebc0dca4c84f06c85da5916a39268fe58ef8695175fef3f07d30a7b29251c89524deaccdc4873129411eb931c810a3c810861e2