Analysis
-
max time kernel
179s -
max time network
164s -
platform
android_x86 -
resource
android-x86-arm-20240603-en -
resource tags
-
submitted
04-06-2024 15:38
General
-
Target
956125f133f42be6b04600897c5d9e6e_JaffaCakes118.apk
-
Size
431KB
-
MD5
956125f133f42be6b04600897c5d9e6e
-
SHA1
71c18bebcfe1556a4faabffb0da5817bde7e8149
-
SHA256
5c292c0677ed1e47569476666ea7da87541514a871857c43214acf10f746318b
-
SHA512
867dd49397bf5841963d95ef3b5bff53de37c6ecc77f5e7cb67133621d1a4a9356b383390cffb5f5a05c320991bb46a502005d09cee0c6336ea471a387783de9
-
SSDEEP
12288:PPz99Yif9Gno+QOYeqEji4VAP9K8nS5kScVEOZnpCXRJ3V:PjPfBCsaiV85kSc3ZnpCXrV
Malware Config
Extracted
xloader_apk
http://91.204.227.39:28844
Signatures
-
XLoader payload 1 IoCs
-
XLoader, MoqHao
An Android banker and info stealer.
-
Checks if the Android device is rooted. 1 TTPs 3 IoCs
-
Removes its main activity from the application launcher 1 TTPs 1 IoCs
-
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs executable file dropped to the device during analysis.
-
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries account information for other applications stored on the device 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect account information stored on the device.
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Reads the content of the MMS message. 1 TTPs 1 IoCs
-
Acquires the wake lock 1 IoCs
-
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
-
Requests changing the default SMS application. 2 TTPs 1 IoCs
-
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
-
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
-
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
Processes
-
com.lkgc.slce1⤵
- Checks if the Android device is rooted.
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Queries account information for other applications stored on the device
- Reads the content of the MMS message.
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Requests changing the default SMS application.
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
Network
MITRE ATT&CK Mobile v15
Persistence
Event Triggered Execution
1Broadcast Receivers
1Foreground Persistence
1Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Hide Artifacts
2Suppress Application Icon
1User Evasion
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
766KB
MD5a94e56982fdbb56095f2063d0560021b
SHA11366dc9b7351a298c3deec87783c0bb9e7d41e0b
SHA2569e7bf9d8214a0f1f3d91f0740ff7b8ee90100ed05fa1a21f2c03e1569e2fa540
SHA512f9715e2296319815495ffff4281eb4d53866fd0ababda1d32a507539d3ce06f673664e37466282ccbdd797c778c7ffa09d3046e21fba6fbf2c2bc2c35b470855
-
Filesize
1KB
MD56cb83e0033772ead231306626a176fa7
SHA17efb4c467d54ac45e34cb40fb549eedba387fe08
SHA25610d5dae2e0afdf3d5c93824741ae37472dceecc5dde5e033c222c6a2b85ccd40
SHA51219e9042daeaeaef8cdd2957c6aef5299ba99570deeec0880dfbe532e0077de3eba9913720afa7a1a33219d2cb54b5c09eebbc3cf6c9a2ffa8c6fcc6828e31772