Analysis
-
max time kernel
179s -
max time network
163s -
platform
android_x86 -
resource
android-x86-arm-20240514-en -
resource tags
androidarch:armarch:x86image:android-x86-arm-20240514-enlocale:en-usos:android-9-x86system -
submitted
31-05-2024 01:10
Static task
static1
Behavioral task
behavioral1
Sample
8589234bc2d4abdafaf217959c42bceb_JaffaCakes118.apk
Resource
android-x86-arm-20240514-en
Behavioral task
behavioral2
Sample
8589234bc2d4abdafaf217959c42bceb_JaffaCakes118.apk
Resource
android-x64-20240514-en
Behavioral task
behavioral3
Sample
8589234bc2d4abdafaf217959c42bceb_JaffaCakes118.apk
Resource
android-x64-arm64-20240514-en
General
-
Target
8589234bc2d4abdafaf217959c42bceb_JaffaCakes118.apk
-
Size
432KB
-
MD5
8589234bc2d4abdafaf217959c42bceb
-
SHA1
c871e289d269cd4687820a645e2f7602df484de2
-
SHA256
f796547ec9e4d1c8e899df282c7a9008343a36d11958bdf314fd9c00de391233
-
SHA512
58e3a6aaebc9729ef4d55f4a7b3c400eaa8d68620278bb9495aa3bfa35406f73ed399834d3612079c02f9e390c63fd6daa5ca994a16089870227ce4b7e54a0f0
-
SSDEEP
6144:zMIDbS8RcSHRMroCcsGY/L8o4jzIjqhQkq5LI5J8h3vlb7hr6WP2ptPJ3UPi:zMIDW8LMBcsG0+jzEW8h3vlb7VbmRJ3R
Malware Config
Extracted
xloader_apk
http://91.204.227.39:28844
Signatures
-
XLoader payload 1 IoCs
Processes:
resource yara_rule /data/data/com.zkqe.cemi/files/dex family_xloader_apk2 -
XLoader, MoqHao
An Android banker and info stealer.
-
Checks if the Android device is rooted. 1 TTPs 3 IoCs
Processes:
com.zkqe.cemiioc process /sbin/su com.zkqe.cemi /system/bin/su com.zkqe.cemi /system/xbin/su com.zkqe.cemi -
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Requests changing the default SMS application. 2 TTPs 1 IoCs
Processes:
com.zkqe.cemidescription ioc process Intent action android.provider.Telephony.ACTION_CHANGE_DEFAULT com.zkqe.cemi -
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs executable file dropped to the device during analysis.
Processes:
com.zkqe.cemiioc pid process /data/user/0/com.zkqe.cemi/files/dex 4283 com.zkqe.cemi /data/user/0/com.zkqe.cemi/files/dex 4283 com.zkqe.cemi -
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
Processes:
com.zkqe.cemidescription ioc process Framework service call android.app.IActivityManager.setServiceForeground com.zkqe.cemi -
Queries account information for other applications stored on the device 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect account information stored on the device.
Processes:
com.zkqe.cemidescription ioc process Framework service call android.accounts.IAccountManager.getAccounts com.zkqe.cemi -
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Reads the content of the MMS message. 1 TTPs 1 IoCs
Processes:
com.zkqe.cemidescription ioc process URI accessed for read content://mms/ com.zkqe.cemi -
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
Processes:
com.zkqe.cemidescription ioc process Framework service call android.app.IActivityManager.registerReceiver com.zkqe.cemi -
Acquires the wake lock 1 IoCs
Processes:
com.zkqe.cemidescription ioc process Framework service call android.os.IPowerManager.acquireWakeLock com.zkqe.cemi -
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
Processes:
com.zkqe.cemidescription ioc process Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS com.zkqe.cemi -
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
Processes:
com.zkqe.cemidescription ioc process Framework API call javax.crypto.Cipher.doFinal com.zkqe.cemi
Processes
-
com.zkqe.cemi1⤵
- Checks if the Android device is rooted.
- Removes its main activity from the application launcher
- Requests changing the default SMS application.
- Loads dropped Dex/Jar
- Makes use of the framework's foreground persistence service
- Queries account information for other applications stored on the device
- Reads the content of the MMS message.
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Acquires the wake lock
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Uses Crypto APIs (Might try to encrypt user data)
PID:4283
Network
MITRE ATT&CK Mobile v15
Persistence
Event Triggered Execution
1Broadcast Receivers
1Foreground Persistence
1Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Hide Artifacts
2Suppress Application Icon
1User Evasion
1Replay Monitor
Loading Replay Monitor...
Downloads
-
/data/data/com.zkqe.cemi/files/dexFilesize
766KB
MD5b3aa28b0cf2269079fa51c1db9ad032b
SHA1c85618082d725fd8dd4789ecf43ce274b743c9cb
SHA2568933f198d336dc72d7e4c2012cf6ea5356bedf6a97a16c9b74fb2fac63ea02b0
SHA5122c077f33169d2d77a3a64d70c2705e32f46c8addb9299459c97a6ad9d7647fc906c36d172acf5731b53cb461c7eb21c6adfbe10ace50e483e41f55e16f958339