Analysis

  • max time kernel
    179s
  • max time network
    186s
  • platform
    android_x64
  • resource
    android-x64-20240603-en
  • resource tags

    androidarch:x64arch:x86image:android-x64-20240603-enlocale:en-usos:android-10-x64system
  • submitted
    05-06-2024 00:07

General

  • Target

    96b5ccbec2c26bb52772e2dfa30fc342_JaffaCakes118.apk

  • Size

    432KB

  • MD5

    96b5ccbec2c26bb52772e2dfa30fc342

  • SHA1

    b5fff9d1583ff1b21310eb809994703003cb56be

  • SHA256

    3cec891544c0861cece2167e6d8a410cb42ecc3707fd3cf8231b05af3cba63cb

  • SHA512

    0982d9ad0ccd07754caee6f0359fbbbaf4ab3fced1d62f8ae476e546304ac6187a024ff23bddd37aa12d1bfa3119fe75dac2a91b0b323f5b454c20143bd6babd

  • SSDEEP

    12288:1y1e6D3TQwsgjGIDxVZVmqT9ZKtz1yBXkScVEOZnpCj:s4SQqSEvLvvKtZy5kSc3ZnpCj

Malware Config

Extracted

Family

xloader_apk

C2

http://91.204.227.39:28844

DES_key

Signatures

  • XLoader payload 1 IoCs
  • XLoader, MoqHao

    An Android banker and info stealer.

  • Checks if the Android device is rooted. 1 TTPs 3 IoCs
  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Queries account information for other applications stored on the device 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect account information stored on the device.

  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Reads the content of the MMS message. 1 TTPs 1 IoCs
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Queries information about active data network 1 TTPs 1 IoCs
  • Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

  • Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
  • Reads information about phone network operator. 1 TTPs
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

Processes

  • com.nzln.fyex
    1⤵
    • Checks if the Android device is rooted.
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Queries account information for other applications stored on the device
    • Reads the content of the MMS message.
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Queries information about active data network
    • Queries information about the current Wi-Fi connection
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:5152

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/com.nzln.fyex/files/dex
    Filesize

    766KB

    MD5

    a94e56982fdbb56095f2063d0560021b

    SHA1

    1366dc9b7351a298c3deec87783c0bb9e7d41e0b

    SHA256

    9e7bf9d8214a0f1f3d91f0740ff7b8ee90100ed05fa1a21f2c03e1569e2fa540

    SHA512

    f9715e2296319815495ffff4281eb4d53866fd0ababda1d32a507539d3ce06f673664e37466282ccbdd797c778c7ffa09d3046e21fba6fbf2c2bc2c35b470855

  • /data/data/com.nzln.fyex/files/oat/dex.cur.prof
    Filesize

    1KB

    MD5

    ff975a903c04fbdb33bd721c5a2ec252

    SHA1

    5a4c9682ceefaa32d5733e096f0fc59c3e988b7d

    SHA256

    88638623de36414c395e282307c6c11203e07745b1fdc48729c3a62a73ac7b5d

    SHA512

    d1a5d6d136141528b9f0611f382975784c7017f850d3d65f94de7cd6c7000fe65f13bc251d3371578aea555105afdd002f2eb293da7cfca985f4141096b6fd7c