Malware Analysis Report

2024-09-09 13:24

Sample ID 240617-nc1f5sscmm
Target b85114eae8892abe7c80dd440c62f9f6_JaffaCakes118
SHA256 d33f13aa7335020d71986b1c51bb5dd562acec6b897aa505c1b78400ed6714a2
Tags: xloader_apk banker collection discovery evasion impact infostealer persistence stealth trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral3
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10
SHA256: d33f13aa7335020d71986b1c51bb5dd562acec6b897aa505c1b78400ed6714a2

Threat Level: Known bad

The file b85114eae8892abe7c80dd440c62f9f6_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

xloader_apk banker collection discovery evasion impact infostealer persistence stealth trojan

XLoader payload

XLoader, MoqHao

Checks if the Android device is rooted.

Removes its main activity from the application launcher

Queries the phone number (MSISDN for GSM devices)

Reads the content of the MMS message.

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Loads dropped Dex/Jar

Queries information about active data network

Requests disabling of battery optimizations (often used to enable hiding in the background).

Acquires the wake lock

Requests changing the default SMS application.

Requests dangerous framework permissions

Reads information about phone network operator.

Makes use of the framework's foreground persistence service

Uses Crypto APIs (Might try to encrypt user data)

Registers a broadcast receiver at runtime (usually for listening for system events)

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported: 2024-06-17 11:15

Signatures

Requests dangerous framework permissions

Process and Target were N/A for every row and are omitted.

Indicator | Description
android.permission.WRITE_EXTERNAL_STORAGE | Allows an application to write to external storage.
android.permission.READ_EXTERNAL_STORAGE | Allows an application to read from external storage.
android.permission.READ_PHONE_STATE | Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device.
android.permission.RECEIVE_SMS | Allows an application to receive SMS messages.
android.permission.RECEIVE_MMS | Allows an application to monitor incoming MMS messages.
android.permission.READ_SMS | Allows an application to read SMS messages.
android.permission.SEND_SMS | Allows an application to send SMS messages.
android.permission.READ_CONTACTS | Allows an application to read the user's contacts data.
android.permission.SYSTEM_ALERT_WINDOW | Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps.
android.permission.CALL_PHONE | Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call.
android.permission.GET_ACCOUNTS | Allows access to the list of accounts in the Accounts Service.
android.permission.PACKAGE_USAGE_STATS | Allows an application to collect component usage statistics.
android.permission.RECORD_AUDIO | Allows an application to record audio.
android.permission.PROCESS_OUTGOING_CALLS | Allows an application to see the number being dialed during an outgoing call with the option to redirect the call to a different number or abort the call altogether.
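The permission list above is the static signal an analyst can check before any detonation. The script below is an added example for this report (not sandbox code and not part of the sample): it parses a constructed text in the style of `aapt dump permissions`, carrying exactly the 14 permissions listed above for package com.hjno.sjjz, and scores the set against capability clusters (SMS hijack, overlay, call control, identity harvesting). The cluster grouping, the cluster names and the three-cluster threshold are the editor's own heuristic, not an Android or sandbox taxonomy.

```python
"""Score an Android permission set for the capability clusters that make a
sample look like an SMS-stealing banker.

Added illustration for this report; it is not sandbox or Android code.
The input is a constructed text in the style of `aapt dump permissions`
(a `package:` line followed by one `uses-permission:` line per permission)
carrying the 14 permissions the static1 pass reported for this sample.
"""
import re
from typing import Dict, List, Optional, Set

# Constructed sample input (aapt-style dump of this sample's manifest).
SAMPLE_DUMP = """\
package: com.hjno.sjjz
uses-permission: name='android.permission.WRITE_EXTERNAL_STORAGE'
uses-permission: name='android.permission.READ_EXTERNAL_STORAGE'
uses-permission: name='android.permission.READ_PHONE_STATE'
uses-permission: name='android.permission.RECEIVE_SMS'
uses-permission: name='android.permission.RECEIVE_MMS'
uses-permission: name='android.permission.READ_SMS'
uses-permission: name='android.permission.SEND_SMS'
uses-permission: name='android.permission.READ_CONTACTS'
uses-permission: name='android.permission.SYSTEM_ALERT_WINDOW'
uses-permission: name='android.permission.CALL_PHONE'
uses-permission: name='android.permission.GET_ACCOUNTS'
uses-permission: name='android.permission.PACKAGE_USAGE_STATS'
uses-permission: name='android.permission.RECORD_AUDIO'
uses-permission: name='android.permission.PROCESS_OUTGOING_CALLS'
"""

# Accepts both the newer name='...' form and the older bare-name form.
PERM_RE = re.compile(
    r"^uses-permission(?:-sdk-23)?:\s*(?:name=')?([A-Za-z0-9_.]+)'?")

# Capability clusters: the editor's own heuristic grouping (assumption), not
# an Android or sandbox taxonomy. A cluster fires only when ALL of its
# members are present, so an app that merely reads SMS does not match
# "sms_hijack"; read + receive + send together does.
CLUSTERS: Dict[str, Set[str]] = {
    "sms_hijack": {"android.permission.RECEIVE_SMS",
                   "android.permission.READ_SMS",
                   "android.permission.SEND_SMS"},
    "overlay_phishing": {"android.permission.SYSTEM_ALERT_WINDOW",
                         "android.permission.PACKAGE_USAGE_STATS"},
    "call_control": {"android.permission.CALL_PHONE",
                     "android.permission.PROCESS_OUTGOING_CALLS"},
    "identity_harvest": {"android.permission.READ_PHONE_STATE",
                         "android.permission.READ_CONTACTS",
                         "android.permission.GET_ACCOUNTS"},
}


def parse_permissions(dump: str) -> Set[str]:
    """Return the set of permission names found in an aapt-style dump."""
    perms: Set[str] = set()
    for line in dump.splitlines():
        m = PERM_RE.match(line.strip())
        if m:
            perms.add(m.group(1))
    return perms


def package_name(dump: str) -> Optional[str]:
    """Return the value of the `package:` line, or None if absent."""
    for line in dump.splitlines():
        if line.startswith("package: "):
            return line.split(": ", 1)[1].strip()
    return None


def matched_clusters(perms: Set[str]) -> List[str]:
    """Names of clusters whose every permission the sample requests."""
    return sorted(name for name, needed in CLUSTERS.items() if needed <= perms)


def triage(dump: str) -> Dict[str, object]:
    """Summarise one dump: package, permission count, clusters, verdict."""
    perms = parse_permissions(dump)
    hits = matched_clusters(perms)
    if len(hits) >= 3:          # threshold is an assumption, tune per corpus
        verdict = "banker-grade"
    elif hits:
        verdict = "suspicious"
    else:
        verdict = "low"
    return {
        "package": package_name(dump),
        "permission_count": len(perms),
        "clusters": hits,
        "verdict": verdict,
    }


if __name__ == "__main__":
    print(triage(SAMPLE_DUMP))
```

Run it against a real dump with `aapt dump permissions sample.apk > dump.txt` and feed the file contents to `triage`; the all-members rule is what keeps a legitimate SMS client (READ_SMS plus INTERNET) out of the banker bucket.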

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-17 11:15
Reported: 2024-06-17 11:19
Platform: android-x64-20240611.1-en
Max time kernel: 178s
Max time network: 179s

Command Line

com.hjno.sjjz

Signatures

XLoader payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

XLoader, MoqHao

trojan infostealer banker xloader_apk

Checks if the Android device is rooted.

evasion
Description | Indicator | Process | Target
N/A | /sbin/su | N/A | N/A
N/A | /system/bin/su | N/A | N/A
N/A | /system/xbin/su | N/A | N/A

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.hjno.sjjz/files/dex | N/A | N/A
N/A | /data/user/0/com.hjno.sjjz/files/dex | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Reads the content of the MMS message.

collection
Description | Indicator | Process | Target
URI accessed for read | content://mms/ | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Reads information about phone network operator.

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.hjno.sjjz

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | www.blogger.com | udp
GB | 216.58.204.73:443 | www.blogger.com | tcp
KR | 45.114.129.49:28866 | | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 216.58.204.72:443 | ssl.google-analytics.com | tcp
GB | 142.250.200.10:443 | | tcp
KR | 45.114.129.49:28866 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.200.46:443 | android.apis.google.com | tcp
KR | 45.114.129.49:28866 | | tcp
KR | 45.114.129.49:28866 | | tcp
KR | 45.114.129.49:28866 | | tcp
GB | 172.217.169.68:443 | | tcp
GB | 172.217.169.68:443 | | tcp
GB | 142.250.200.46:443 | android.apis.google.com | tcp
KR | 45.114.129.49:28866 | | tcp
KR | 45.114.129.49:28866 | | tcp
GB | 216.58.212.238:443 | | tcp
GB | 142.250.200.2:443 | | tcp
US | 1.1.1.1:53 | smtp-mail.outlook.com | udp
US | 52.96.109.198:587 | smtp-mail.outlook.com | tcp
KR | 45.114.129.49:28866 | | tcp
KR | 45.114.129.49:28866 | | tcp
KR | 45.114.129.49:28866 | | tcp

Files

/data/data/com.hjno.sjjz/files/dex

MD5 474a6c270ad9ce11d542743d22f4f618
SHA1 5465c0640e725a1745dc32aaaa455a7e88b6df30
SHA256 d37c5d615adc341d03f84b43e8fd060c4b8de258420f4d9076428e37039d8510
SHA512 aebeb07a5daacbb1a33eb26cc472393e9341c01d2413926ed3101543f77e6bb4b0884fa2a49ea9947bdf99f6bdea6deb162ca1cfcda25be16a21d3767be2f4fb

/data/data/com.hjno.sjjz/files/oat/dex.cur.prof

MD5 a291048184291777dba875ae5a2b8a20
SHA1 81808ba04cd774873b85b3947ae88860c6dfdec2
SHA256 3ab85577b586cfdebb94524f9326e371acac4f697741aa915ffe910432e44f4e
SHA512 03468ea000ecefd757fcdbb5da2e1a87bf3a4f8be9c428b9799763a19bde7f09584ed9a947ff29da236cd333e834ad75885cdf3f462139e658d184555df6d914

Analysis: behavioral3

Detonation Overview

Submitted: 2024-06-17 11:15
Reported: 2024-06-17 11:19
Platform: android-x64-arm64-20240611.1-en
Max time kernel: 179s
Max time network: 170s

Command Line

com.hjno.sjjz

Signatures

XLoader payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

XLoader, MoqHao

trojan infostealer banker xloader_apk

Checks if the Android device is rooted.

evasion
Description | Indicator | Process | Target
N/A | /system/bin/su | N/A | N/A

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.hjno.sjjz/files/dex | N/A | N/A
N/A | /data/user/0/com.hjno.sjjz/files/dex | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Reads the content of the MMS message.

collection
Description | Indicator | Process | Target
URI accessed for read | content://mms/ | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Reads information about phone network operator.

discovery

Requests changing the default SMS application.

collection impact
Description | Indicator | Process | Target
Intent action | android.provider.Telephony.ACTION_CHANGE_DEFAULT | N/A | N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.hjno.sjjz

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | www.blogger.com | udp
GB | 216.58.201.105:443 | www.blogger.com | tcp
KR | 45.114.129.49:28866 | | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.200.8:443 | ssl.google-analytics.com | tcp
GB | 172.217.16.238:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.238:443 | android.apis.google.com | tcp
KR | 45.114.129.49:28866 | | tcp
KR | 45.114.129.49:28866 | | tcp
KR | 45.114.129.49:28866 | | tcp
GB | 216.58.201.100:443 | | tcp
GB | 216.58.201.100:443 | | tcp
KR | 45.114.129.49:28866 | | tcp
KR | 45.114.129.49:28866 | | tcp
KR | 45.114.129.49:28866 | | tcp
US | 1.1.1.1:53 | smtp-mail.outlook.com | udp
US | 52.96.111.22:587 | smtp-mail.outlook.com | tcp
US | 1.1.1.1:53 | smtp-mail.outlook.com | udp
KR | 45.114.129.49:28866 | | tcp
KR | 45.114.129.49:28866 | | tcp
KR | 45.114.129.49:28866 | | tcp

Files

/data/user/0/com.hjno.sjjz/files/dex

MD5 474a6c270ad9ce11d542743d22f4f618
SHA1 5465c0640e725a1745dc32aaaa455a7e88b6df30
SHA256 d37c5d615adc341d03f84b43e8fd060c4b8de258420f4d9076428e37039d8510
SHA512 aebeb07a5daacbb1a33eb26cc472393e9341c01d2413926ed3101543f77e6bb4b0884fa2a49ea9947bdf99f6bdea6deb162ca1cfcda25be16a21d3767be2f4fb

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-17 11:15
Reported: 2024-06-17 11:19
Platform: android-x86-arm-20240611.1-en
Max time kernel: 179s
Max time network: 147s

Command Line

com.hjno.sjjz

Signatures

XLoader payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

XLoader, MoqHao

trojan infostealer banker xloader_apk

Checks if the Android device is rooted.

evasion
Description | Indicator | Process | Target
N/A | /sbin/su | N/A | N/A
N/A | /system/bin/su | N/A | N/A
N/A | /system/xbin/su | N/A | N/A

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.hjno.sjjz/files/dex | N/A | N/A
N/A | /data/user/0/com.hjno.sjjz/files/dex | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Reads the content of the MMS message.

collection
Description | Indicator | Process | Target
URI accessed for read | content://mms/ | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Requests changing the default SMS application.

collection impact
Description | Indicator | Process | Target
Intent action | android.provider.Telephony.ACTION_CHANGE_DEFAULT | N/A | N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.hjno.sjjz

ping -c 4 45.114.129.49

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | www.blogger.com | udp
GB | 142.250.187.201:443 | www.blogger.com | tcp
KR | 45.114.129.49:28866 | | tcp
KR | 45.114.129.49:28866 | | tcp
GB | 216.58.212.238:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.204.78:443 | android.apis.google.com | tcp
KR | 45.114.129.49:28866 | | tcp
KR | 45.114.129.49:28866 | | tcp
KR | 45.114.129.49:28866 | | tcp
KR | 45.114.129.49:28866 | | tcp
KR | 45.114.129.49:28866 | | tcp
US | 1.1.1.1:53 | smtp-mail.outlook.com | udp
US | 52.96.88.54:587 | smtp-mail.outlook.com | tcp
KR | 45.114.129.49:28866 | | tcp
KR | 45.114.129.49:28866 | | tcp
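All three detonations show the same pattern in their Network tables: resolver traffic to 1.1.1.1, TLS to named Google hosts, repeated TCP connections to a bare IP on a non-standard port (45.114.129.49:28866, which the behavioral1 run also pings from a spawned `ping -c 4` process), and one SMTP submission session on port 587 to smtp-mail.outlook.com. The script below is an added example for this report (not sandbox tooling): it parses this run's Network table, embedded as constructed input in the report's flattened "Country Destination Domain Proto" layout, classifies each flow and ranks the bare-IP endpoints as C2 candidates. The `classify` and `triage` names, the flow classes, and the "bare IP on a non-standard port is the C2 candidate" heuristic are the editor's assumptions, not sandbox verdicts.

```python
"""Extract the endpoints worth acting on from a flattened sandbox network table.

Added illustration for this report; not sandbox tooling. The rows below are
this run's Network table (behavioral1), embedded as constructed input. The
column order is Country Destination Domain Proto, and Domain is empty on most
rows, so each row is parsed from both ends rather than by fixed column index.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample input: the behavioral1 Network table from this report.
SAMPLE_TABLE = """\
Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 www.blogger.com udp
GB 142.250.187.201:443 www.blogger.com tcp
KR 45.114.129.49:28866 tcp
KR 45.114.129.49:28866 tcp
GB 216.58.212.238:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.204.78:443 android.apis.google.com tcp
KR 45.114.129.49:28866 tcp
KR 45.114.129.49:28866 tcp
KR 45.114.129.49:28866 tcp
KR 45.114.129.49:28866 tcp
KR 45.114.129.49:28866 tcp
US 1.1.1.1:53 smtp-mail.outlook.com udp
US 52.96.88.54:587 smtp-mail.outlook.com tcp
KR 45.114.129.49:28866 tcp
KR 45.114.129.49:28866 tcp
"""


@dataclass(frozen=True)
class Conn:
    country: str
    ip: str
    port: int
    domain: str   # "" when the sandbox paired no name lookup with the flow
    proto: str


def parse_table(text: str) -> List[Conn]:
    """Parse the flattened table; header and blank lines are skipped."""
    conns: List[Conn] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) not in (3, 4) or ":" not in parts[1]:
            continue
        country, dest, proto = parts[0], parts[1], parts[-1]
        domain = parts[2] if len(parts) == 4 else ""
        ip, port = dest.rsplit(":", 1)
        conns.append(Conn(country, ip, int(port), domain, proto))
    return conns


def classify(c: Conn) -> str:
    """Flow class (editor's own scheme): local, dns, mail_submission, web, bare_ip."""
    addr = ipaddress.ip_address(c.ip)
    if addr.is_multicast or addr.is_private or addr.is_loopback:
        return "local"            # mDNS and similar link chatter
    if c.port == 53 and c.proto == "udp":
        return "dns"
    if c.port == 587:
        return "mail_submission"  # SMTP submission from a phone app merits review
    if c.port in (80, 443):
        return "web"
    return "bare_ip"              # raw IP, non-standard port, no name


def triage(text: str) -> Dict[str, object]:
    """Rank bare-IP endpoints by hit count and list mail-submission peers."""
    conns = parse_table(text)
    bare = Counter((c.ip, c.port) for c in conns if classify(c) == "bare_ip")
    # Heuristic (assumption): the bare-IP endpoint hit most often is the
    # strongest C2 candidate; the count is what separates it from a one-off.
    c2 = [(f"{ip}:{port}", n) for (ip, port), n in bare.most_common()]
    mail = sorted({(c.domain or c.ip, c.port) for c in conns
                   if classify(c) == "mail_submission"})
    return {
        "total": len(conns),
        "c2_candidates": c2,
        "mail_submission": mail,
        "block_list": [endpoint for endpoint, _ in c2],
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_TABLE).items():
        print(f"{key}: {value}")
```

The mail-submission peer is reported separately rather than added to the block list on purpose: blocking smtp-mail.outlook.com wholesale would break legitimate clients, so the useful control there is alerting on port 587 from an app that has no business sending mail, and checking the sandbox PCAP for what was submitted.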

Files

/data/data/com.hjno.sjjz/files/dex

MD5 474a6c270ad9ce11d542743d22f4f618
SHA1 5465c0640e725a1745dc32aaaa455a7e88b6df30
SHA256 d37c5d615adc341d03f84b43e8fd060c4b8de258420f4d9076428e37039d8510
SHA512 aebeb07a5daacbb1a33eb26cc472393e9341c01d2413926ed3101543f77e6bb4b0884fa2a49ea9947bdf99f6bdea6deb162ca1cfcda25be16a21d3767be2f4fb