Analysis
max time kernel: 34s
max time network: 182s
platform: android_x64
resource: android-x64-20240624-en
resource tags: android, arch:x64, arch:x86, image:android-x64-20240624-en, locale:en-us, os:android-10-x64, system
submitted: 10-07-2024 11:58
Static task: static1

Behavioral task: behavioral1
Sample: 349f4825ed74588c297e88a977d5774b_JaffaCakes118.apk
Resource: android-x86-arm-20240624-en

Behavioral task: behavioral2
Sample: 349f4825ed74588c297e88a977d5774b_JaffaCakes118.apk
Resource: android-x64-20240624-en

Behavioral task: behavioral3
Sample: 349f4825ed74588c297e88a977d5774b_JaffaCakes118.apk
Resource: android-x64-arm64-20240624-en
General
Target: 349f4825ed74588c297e88a977d5774b_JaffaCakes118.apk
Size: 429KB
MD5: 349f4825ed74588c297e88a977d5774b
SHA1: 509bdec4260a9f6e747d24c77f72f08a0e753ecb
SHA256: a5174b4486507d672f5c1c9f495118b66aaeaa88490032a222bf354c3d473a18
SHA512: 2c640544b4469721ca43c7bb1d81ec47d1394f7bbac4857e147e272414556d83179282f78ea1a9dbde2bdbcdef41e038d448fceb2bcc73d352396995854b97d4
SSDEEP: 12288:Ar0VKjTLusbhzscFajtXDSVVf+vC5pLmf3HRJ3/:Ark4sFzG+65pLm/r/
Malware Config
Extracted: xloader_apk
http://91.204.227.39:28844
Signatures

XLoader payload (1 IoCs)
Processes:
resource | yara_rule
/data/data/com.qudu.siia/files/dex | family_xloader_apk2

XLoader, MoqHao
An Android banker and info stealer.

Checks if the Android device is rooted. (1 TTPs, 3 IoCs)
Processes:
ioc | process
/system/bin/su | com.qudu.siia
/system/xbin/su | com.qudu.siia
/sbin/su | com.qudu.siia

Loads dropped Dex/Jar (1 TTPs, 2 IoCs)
Runs executable file dropped to the device during analysis.
Processes:
ioc | pid | process
/data/user/0/com.qudu.siia/files/dex | 4973 | com.qudu.siia
/data/user/0/com.qudu.siia/files/dex | 4973 | com.qudu.siia

Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 TTPs)

Queries the phone number (MSISDN for GSM devices) (1 TTPs)

Reads the content of the MMS message. (1 TTPs, 1 IoCs)
Processes:
description | ioc | process
URI accessed for read | content://mms/ | com.qudu.siia

Acquires the wake lock (1 IoCs)
Processes:
description | ioc | process
Framework service call | android.os.IPowerManager.acquireWakeLock | com.qudu.siia

Makes use of the framework's foreground persistence service (1 TTPs, 1 IoCs)
Application may abuse the framework's foreground service to continue running in the foreground.
Processes:
description | ioc | process
Framework service call | android.app.IActivityManager.setServiceForeground | com.qudu.siia

Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTPs, 1 IoCs)
Processes:
description | ioc | process
Framework service call | android.app.IActivityManager.registerReceiver | com.qudu.siia

Uses Crypto APIs (might try to encrypt user data) (1 TTPs, 1 IoCs)
Processes:
description | ioc | process
Framework API call | javax.crypto.Cipher.doFinal | com.qudu.siia
Processes
com.qudu.siia
- Checks if the Android device is rooted.
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Reads the content of the MMS message.
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
Downloads
/data/data/com.qudu.siia/files/dex
Filesize: 763KB
MD5: 44d6b4327a543a21d3c55a45018ccda2
SHA1: 395f521260820fd5de49298d3355becf6730b7c1
SHA256: 1d73e451a41adb1a700dc6dd53a844e9a2ea72fd5dcde35c7b3ac8a7953764bb
SHA512: c2cf475214b7c6275698740f56a80d9e1cad53b2adb88cc9ffb895199e1d6993e48efba090f7828d4309b6ae2d9f4bde816d4213be3d8b1f3ccb836a2616a55e