Analysis
-
max time kernel
179s -
max time network
184s -
platform
android_x86 -
resource
android-x86-arm-20240611.1-en -
resource tags
-
submitted
15-06-2024 17:29
General
-
Target
af8f947cab9f85a199ec22d1765a497f_JaffaCakes118.apk
-
Size
431KB
-
MD5
af8f947cab9f85a199ec22d1765a497f
-
SHA1
79b6c49983d46d782ebcfdc5eb5f83f2bd75bf3b
-
SHA256
64ebad7541e90c786e7bbc7063e7dc44bf9ebe8b6aeb93a1661a27531f8cb44f
-
SHA512
a80c717290dfa9933313192bd2bf59c7cdc54568a903e89a13b462afb09638ff56ea041363cf139f7de560e8519963bfd220a975c105c5c54119d02227b690bc
-
SSDEEP
12288:4SSOdjX7N0HgSziADpDwQtUHFYo1lCYI8akScVEOZnpCE:4gsiobMxPDakSc3ZnpCE
Malware Config
Extracted
xloader_apk
http://91.204.227.39:28844
Signatures
-
XLoader payload 1 IoCs
-
XLoader, MoqHao
An Android banker and info stealer.
-
Checks if the Android device is rooted. 1 TTPs 3 IoCs
-
Removes its main activity from the application launcher 1 TTPs 1 IoCs
-
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs executable file dropped to the device during analysis.
-
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries account information for other applications stored on the device 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect account information stored on the device.
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Reads the content of the MMS message. 1 TTPs 1 IoCs
-
Acquires the wake lock 1 IoCs
-
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
-
Queries information about active data network 1 TTPs 1 IoCs
-
Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
-
Reads information about phone network operator. 1 TTPs
-
Requests changing the default SMS application. 2 TTPs 1 IoCs
-
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
-
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
-
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
Processes
-
com.jcvh.uprh1⤵
- Checks if the Android device is rooted.
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Queries account information for other applications stored on the device
- Reads the content of the MMS message.
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Queries information about active data network
- Queries information about the current Wi-Fi connection
- Requests changing the default SMS application.
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
-
ping -c 4 91.204.227.392⤵
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
/data/data/com.jcvh.uprh/files/dexFilesize
766KB
MD5a94e56982fdbb56095f2063d0560021b
SHA11366dc9b7351a298c3deec87783c0bb9e7d41e0b
SHA2569e7bf9d8214a0f1f3d91f0740ff7b8ee90100ed05fa1a21f2c03e1569e2fa540
SHA512f9715e2296319815495ffff4281eb4d53866fd0ababda1d32a507539d3ce06f673664e37466282ccbdd797c778c7ffa09d3046e21fba6fbf2c2bc2c35b470855
-
/data/data/com.jcvh.uprh/files/oat/dex.cur.profFilesize
1KB
MD5c038bbbf8b831668d92a287766ba2773
SHA1ef3e16c000e187c98aeaf90f4225e8187fc5c822
SHA256eb8e7560123821197695b1db79ce42dfa7654df22b4b9dfe58260dcf793d6777
SHA5121379316715d4af0b67a73cf5ca030698a7c9f49b403e1ba64458ef7718c0a19ddc6170aeb72ef56d767f0c3a8969f34b70f06835a73ff224ab38366604c6753e