Analysis

  • max time kernel: 179s
  • max time network: 155s
  • platform: android_x86
  • resource: android-x86-arm-20240514-en
  • resource tags: android, arch:arm, arch:x86, image:android-x86-arm-20240514-en, locale:en-us, os:android-9-x86, system
  • submitted: 01-06-2024 14:31

General

  • Target: 8abf4d0e70259a301abc74840b2b5c4d_JaffaCakes118.apk
  • Size: 436KB
  • MD5: 8abf4d0e70259a301abc74840b2b5c4d
  • SHA1: 879ed502b8eff4fe0990c966e5bc1015a7c7d493
  • SHA256: 6c5be239259baa5be95437c5511f053980eb2781190c07502fa142a8a7d0b6c4
  • SHA512: 9d286737b92f06c0c07052e4dc4851268a981ec54a5c85a6aa8b72a892d0aa338c58fb727cec380a243d3ae8150bacd1016039164272ceaa9e46cf0a09beb0ca
  • SSDEEP: 12288:nj7h42jkheTpM9riI/KDy0BigC2sgMlvWS:nj7hBja4KmQOy0BiGS

Malware Config

Signatures

  • XLoader payload 1 IoCs
  • XLoader, MoqHao

    An Android banker and info stealer.

  • Checks if the Android device is rooted. 1 TTPs 3 IoCs
  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
  • Requests changing the default SMS application. 2 TTPs 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Reads the content of the MMS message. 1 TTPs 1 IoCs
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
  • Acquires the wake lock 1 IoCs
  • Checks if the internet connection is available 1 TTPs 1 IoCs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs

Processes

  • com.udso.olwa
    1⤵
    • Checks if the Android device is rooted.
    • Removes its main activity from the application launcher
    • Requests changing the default SMS application.
    • Loads dropped Dex/Jar
    • Makes use of the framework's foreground persistence service
    • Reads the content of the MMS message.
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Acquires the wake lock
    • Checks if the internet connection is available
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    PID:4300
    • ping -c 4
      2⤵
        PID:4630

Network

MITRE ATT&CK Matrix

Downloads

  • /data/data/com.udso.olwa/files/dex
    Filesize: 766KB
    MD5: 87c507e8caa6f65f96df854d77ce615f
    SHA1: 013f2f4ec099064557c48972f90039fbb4a703ab
    SHA256: 54706114ae6a0be60adc9620e5ce8deb61ed7cf578e7a372257e57e289cc2dea
    SHA512: 568351784b329fd04f7a7c50be7834985d047f990fd7c2a30933db0d5f52da5bdbbb9eb193e129569c06c2f7f731e399723b6b628a65cd59a13372ea09cf3a4c