Analysis
-
max time kernel
179s -
max time network
160s -
platform
android_x86 -
resource
android-x86-arm-20240603-en -
resource tags
-
submitted
10/06/2024, 12:15
General
-
Target
9aa1ddab19664623862e51f0067dbd59_JaffaCakes118.apk
-
Size
432KB
-
MD5
9aa1ddab19664623862e51f0067dbd59
-
SHA1
4bf0e335120a81211d7fd60bc99010eb5b4f9aa2
-
SHA256
1274b0e27ed5356e2e56ad30fbe910927915de22381749172896688e30ae235b
-
SHA512
cf10f7f66d76a906f29a9474a6ab12fc1139c6f2c76516943189ec0db9377e165da578d756b29fbb6264b088888fe825b349990407995b2914c50cb5f5df86ea
-
SSDEEP
12288:bsX7N0HgSziADpDwQtUHFYo1lCYI8akScVEOZnpCLRJ3Z:bisiobMxPDakSc3ZnpCLrZ
Malware Config
Extracted
xloader_apk
http://91.204.227.39:28844
Signatures
-
XLoader payload 1 IoCs
-
XLoader, MoqHao
An Android banker and info stealer.
-
Checks if the Android device is rooted. 1 TTPs 3 IoCs
-
Removes its main activity from the application launcher 1 TTPs 1 IoCs
-
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs executable file dropped to the device during analysis.
-
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries account information for other applications stored on the device 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect account information stored on the device.
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Reads the content of the MMS message. 1 TTPs 1 IoCs
-
Acquires the wake lock 1 IoCs
-
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
-
Queries information about active data network 1 TTPs 1 IoCs
-
Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
-
Reads information about phone network operator. 1 TTPs
-
Requests changing the default SMS application. 2 TTPs 1 IoCs
-
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
-
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
-
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
Processes
-
com.iqky.sncy1⤵
- Checks if the Android device is rooted.
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Queries account information for other applications stored on the device
- Reads the content of the MMS message.
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Queries information about active data network
- Queries information about the current Wi-Fi connection
- Requests changing the default SMS application.
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
Network
MITRE ATT&CK Mobile v15
Persistence
Event Triggered Execution
1Broadcast Receivers
1Foreground Persistence
1Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Hide Artifacts
2Suppress Application Icon
1User Evasion
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
766KB
MD5a94e56982fdbb56095f2063d0560021b
SHA11366dc9b7351a298c3deec87783c0bb9e7d41e0b
SHA2569e7bf9d8214a0f1f3d91f0740ff7b8ee90100ed05fa1a21f2c03e1569e2fa540
SHA512f9715e2296319815495ffff4281eb4d53866fd0ababda1d32a507539d3ce06f673664e37466282ccbdd797c778c7ffa09d3046e21fba6fbf2c2bc2c35b470855