Analysis

  • max time kernel
    179s
  • max time network
    172s
  • platform
    android_x64
  • resource
    android-x64-arm64-20240624-en
  • resource tags
    android, arch:arm, arch:arm64, arch:x64, arch:x86, image:android-x64-arm64-20240624-en, locale:en-us, os:android-11-x64, system
  • submitted
    16/08/2024, 12:20 UTC

General

  • Target

    9e570d50a20902cae53d54ba39a79c05_JaffaCakes118.apk

  • Size

    302KB

  • MD5

    9e570d50a20902cae53d54ba39a79c05

  • SHA1

    9e38d058a68692a04fbaac87e7e563b9885cb9d9

  • SHA256

    b13856e604ab4dbd3fdef7b5ba4a22622760990d16a002867dcec02b78c275cf

  • SHA512

    d4b5b5ae12f53534e41d082d8a73d5829cf43d206f8a2a6955b4968118bccb6ec3376e006e9476634fdfa3763c2808a7d7aaba46ecc5bdbd26aef9d93745ba1d

  • SSDEEP

    6144:h4N8EMLFo5Pl+wPlShAz7q+ZIsar0cV0WDnKGE6Es2U5CEsmkj4eXwaglj:hWOhzwPlSCz7q+ZIs4Y2KH6ES5CEsmkK

Malware Config

Extracted

Family

xloader_apk

C2

http://91.204.227.39:28844

DES_key

1. 4162356431513332

Signatures

Processes

  • liyy.nxmuy.xygvf
    • Checks if the Android device is rooted.
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Reads the content of the MMS message.
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Requests changing the default SMS application.
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4660

Network

  • flag-us
    DNS
    android.apis.google.com
    Remote address:
    1.1.1.1:53
    Request
    android.apis.google.com
    IN A
    Response
    android.apis.google.com
    IN CNAME
    clients.l.google.com
    clients.l.google.com
    IN A
    172.217.16.238
  • flag-us
    DNS
    docs.google.com
    Remote address:
    1.1.1.1:53
    Request
    docs.google.com
    IN A
    Response
    docs.google.com
    IN A
    216.58.212.206
  • flag-gb
    GET
    https://docs.google.com/document/d/1s0n64k12_r9MglT5m9lr63M5F3e-xRyaMeYP7rdOTrA/mobilebasic
    Remote address:
    216.58.212.206:443
    Request
    GET /document/d/1s0n64k12_r9MglT5m9lr63M5F3e-xRyaMeYP7rdOTrA/mobilebasic HTTP/1.1
    User-Agent: Mozilla/5.0 (Linux; Android 6.0; Nexus 5 Build/MRA58N) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.121 Mobile Safari/537.36
    Accept: text/html,*/*;q=0.8
    Accept-Encoding: gzip
    Accept-Language: zh-CN,zh;q=0.8,en;q=0.6
    Cache-Control: no-cache
    Host: docs.google.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Content-Type: text/html; charset=utf-8
    X-Robots-Tag: noarchive
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: Mon, 01 Jan 1990 00:00:00 GMT
    Date: Fri, 16 Aug 2024 12:20:16 GMT
    Content-Encoding: gzip
    P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
    Content-Security-Policy: require-trusted-types-for 'script';report-uri https://csp.withgoogle.com/csp/docs-tt
    Content-Security-Policy: base-uri 'self';object-src 'none';report-uri https://docs.google.com/document/cspreport;script-src 'report-sample' 'nonce-DO4zXKz-AH1m6cGyCbw5lQ' 'unsafe-inline' 'strict-dynamic' https: http: 'unsafe-eval';worker-src 'self' blob:
    Reporting-Endpoints: default="/document/d/1s0n64k12_r9MglT5m9lr63M5F3e-xRyaMeYP7rdOTrA/web-reports?context=eJwV0XdU1FcWB_Dr73cfoqIiigUFQcQSxWAvNIeZ4QAblCTi-4VIXCnhEF0nQTSrUVfQeAzqZtHYy8zA0J0YzRIrlgiWiFEsuCFWImpA9ICOCEbYr398ziv3nXPvu7frrd5ubbNpvZOkaGdJZljeTZIdfnSRdAF0rpJywctN0nB3SXooh3l9JZ3sJ2l0f8Qh2kPSkIGSZg-SZPOSlDpY0ushkpJ8JbkMk-QJJ-D1O5K6j5bUCwphlL-kTWMkrR0rKXyipCzYAh2TJM2cLOnaFEkPIDRE0vuxqEGTNBmuxEm6B-ZPJN2cJ-kRdEmSNABuJEuaMF-SAawmSQegYTFyw_9WSXoMhRmSDsOvmZLugGG1pFkwZaOkCMjaKmkn-G2TNBHat0vqsUNS5m7UC5lmrDDaIikInHMl9YddNkkl8ItdUg30-UHSUKCDklzhSCn6CrfLJDWCz1lJY2EFbITI85I-At1F_BfCK9FT2AFFYL2E_8CoK5ICoey6pEtQWi2pAp6DelPSv3-TtBfyahCDI3ABfr4j6Sp43Zc0BrY9kFQAPeskDYaD8DOchWp49FhSC7xpwtyaMTfwgQRIg4fwEjJcNMqGhJ4anYIr4OKq0SB41E-jKA-N4sB1gkbeMHeSRovhGFyE6qkaPYQu0RqFxGg0A76DtA81Wgtb4ZCm0f04jTLikQt08zR6H04naFQFwQs0igbXRcgBs9I12rxSo11wCx7Ajn9pZIUzcBFqoR4awQF33aso7p0GJQE2zGlSvoOalCalFr4-06RshJTaZsUEA959rvhAzOznigb7xziUQ3A6wKF4RTiUYRC7wqHEw6BVDmUo9Mt0KIPh5VGH0g67KxyKDS7Mb1GqYGnQKyUDtOBXyt8h7tNXSgIcy3qlnIHK2FblOkz-qlUJBbdfWhUP6HKlVekFgW5tih4GrG5TfCBrfZuy6S1Lm7ITUnb-pZhgzQftygZ42dGutMPxQR1KOcya36HMgYClHcoUUJZ1KF0h1pXUeBhqInU02NJI3Qc190ithS05ndQIWyc1BgZvVNThcM6iqJfhbDn2qqpeBu-RqjoCjn2gqmdgbqyqpkDpWlU9BaZyVf0SmutUtQ0Wd2W1wpvVS_Dk6TR-AW4t09gDsusDeQd88zSQs6H5RSC3we8zg7jv9iD2gvv7gvhPSPEIZhNUjgxm7ynBPAJ6Dg3hfrBkfAivhBNJIXwWqkUo34Hob0M5FtrPh7LThVAuqgrlAzBwwnT2BdKmszMcLp7Op0B3Yzq7eerYA15H6NgpUsfWKB0Xwe5VOrbB5Sc6vgsnG3V8DpzCwrgH1H0Vxo1QtD2MD8D-wjA-CZUlYXwd3O1h7AlD--l5NNTH6LkZyj7XcwU8W6LnFmhdrudOK_TsmaFnP6jZr-daqDuo50bw-0nP_nD8hp7LIb5Bz8kwtlHPU8GzCW8g3MfAM8AxxMDC18D_1Ay8DpZ9ZuAnBQZ-AbFHDBwPf5w0cAMEvjSwHowQDUVwAHwVI4-Ca55G_h32-hr5exg_3Mh62JVo5OupRr4Fe74wch5MX2LkCOiabWQ3SLQbec0JI2-AveeMrLtq5EjY99DI_4Uy73CugAUTwzkd6iaHswOezw3n1_BwfTg_hfHfhnMgZFeG8w4wu0fweVjoGcErIRM2vZUSwTf3RnAt-FbjTa9IvgIf947kRLjQJ5J_g2P9I_ksdF4WyT3h4LpIPgpJnaN4AWR1jeJNUDLTLH6E3h-axcC3fjALXyg_ZBaV8PVxs9gCPX41i7zbZlEK73axiFAYkGwRPm-tsoixcH8z7opxhj1HLSIPFh6ziCXQpcYiekHcLYuYc98ikqD7C4twh_SXFrEGtnWyigIY_olV9LdaxQj4KdcqTsCMDquYD
XX-OaIR8oJzhB3uzckRj8Fld47oA357coQ_VDXnCJ-OHLE5LVfsAnN2rtgPz27nihZoa8gVypNckfosV3wBrNhEHxg70CamQtwCm0iAP_9jE02w8oZNrIVKrzxxHTx35onqqHzR8bd80fm9fHE3Nl88g8TV-WI-fLM5Xxwuyxdn4PQfBaIKsgcXir5BhWIYnNMXistvZRSKGpicVShCwam0UPSAiKuFIgbKQorFJZhQXyyC4CJcg4d_FYunYH1TLIrgyMAScRoopkQ4g9_WEuEPm0pLRA6MqNgnMmA528UaCB5pF0bYNtEuCuDgZ3ZxFN5bahezoPthu3AH79d2EQB5IfXCDu6meuEHBRvrxX7Q92oQpvgG8SW0nH4iOiBpYqMYt7NRTAPXkU3CGw43d3M66ejmNKu1m5Obi_OqdW9KnVzXHf3-QCePbtGmhNQFyWHzFqUmDhmZnJSabkpbNCbJlLj4H8kL0xf5f5pmWpievDBp7riAcRMCpgRMGhMwbu7n4_8P4jCwhw&build-label=editors.documents-frontend_20240806.02_p3&imp-sid=CO6l-dq_-YcDFUqKFAgdLtkeKA&is-cached-offline=false"
    Referrer-Policy: strict-origin-when-cross-origin
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
    Server: GSE
    Set-Cookie: NID=516=UOMkMHOj42H7K0GJ6EgEUk2RDHrplwxU71oOElF9KEAj7fClHekuMv9AABtLWnjlLVSEBheB7qkPFEklzI3AH6FlrPAVJbsp4-0WU0x4pqZTvDrIJR4thFjFleGh8Wc30nrB1jZKOLlvzkrxmRLUVX37s2RWt8Yc0emf78tageA; expires=Sat, 15-Feb-2025 12:20:16 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
    x-l2-request-path: l2-managed-5
    Transfer-Encoding: chunked
  • flag-gb
    GET
    https://docs.google.com/document/d/1IIB6hhf_BB1DaxzC1aNfLEG1K97LsPsN55AT5pFWYKo/mobilebasic
    Remote address:
    216.58.212.206:443
    Request
    GET /document/d/1IIB6hhf_BB1DaxzC1aNfLEG1K97LsPsN55AT5pFWYKo/mobilebasic HTTP/1.1
    User-Agent: Mozilla/5.0 (Linux; Android 6.0; Nexus 5 Build/MRA58N) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.121 Mobile Safari/537.36
    Accept: text/html,*/*;q=0.8
    Accept-Encoding: gzip
    Accept-Language: zh-CN,zh;q=0.8,en;q=0.6
    Cache-Control: no-cache
    Host: docs.google.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Content-Type: text/html; charset=utf-8
    X-Robots-Tag: noindex, nofollow, nosnippet
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: Mon, 01 Jan 1990 00:00:00 GMT
    Date: Fri, 16 Aug 2024 12:20:16 GMT
    Content-Encoding: gzip
    P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
    Content-Security-Policy: require-trusted-types-for 'script';report-uri https://csp.withgoogle.com/csp/docs-tt
    Content-Security-Policy: base-uri 'self';object-src 'none';report-uri https://docs.google.com/document/cspreport;script-src 'report-sample' 'nonce-0kjPHWXJNUUGzen-XB3MBQ' 'unsafe-inline' 'strict-dynamic' https: http: 'unsafe-eval';worker-src 'self' blob:
    Reporting-Endpoints: default="/document/d/1IIB6hhf_BB1DaxzC1aNfLEG1K97LsPsN55AT5pFWYKo/web-reports?context=eJwV0XlQ1FcSB_D29-uHoqiI4oGCIHhGDN4o5zDMFLiLkkR8v7ASV45QrK6TIOomq66gsQzqZtF4HzMDAwzgrEeWeB9EUEkwilGMxHgQUQOiBYoIRtivf3zqHf2qul93z5_7u3XMo41OkmJ6SDLDil6SVoIDvnGRVAk6V0l54OUmabS7JD2Uw8KBks4OkjR-MOIQ44E3QyXNGybJ5iUpbbik1yMkJftKchklyRPOwOtxknqPl9QP7PCOv6QtEyStnyjJOFVSNmyDrmmS5kyX9FOgpAcQFirpvTjUoEmaDlfjJd0D80eSbi6U9AickyUNgRspkqYskhQJVpOkw9C4DLnh5zWSHoM9U9Ix-DFL0h2IXCtpLgRulhQF2dsl7YaROyRNhc6dkvrskpS1F_VClhkrjLdICgbnPOSGPTZJJfC9Q1ItDDgkyQ_oiCRXOF6KvsKd05Kegs8FSRNhFWyG6EuSPgTdD_gvGKvQU9gFRWC9jP_AuKuSZkJpjaQKeA7qTUn_viVpP-TXIgbHoRK-uyPpGnjdlzQBdjyQVAh96yUNhyPwHVyAGnj0WFIbvGnGvFowL_CBREiHh_ASMl00yoHEvhqdg6vg4qrRMHg0SKNZHhrFg-sUjbxhwTSNlsFJ-AFqZmj0EJxjNAqN1Wg2fA3pH2i0HrbDUU2j-_EaZSYgF-gWavQelCVqVA0hizWKAdelyAFzMzTaulqjPWCHQ3AbHsC6f2m0CS7DDaiDBmiCVrjrXk3x4xqVRNg0v1n5GmpTm5U6-OJ8s7IZUutaFBMMefe54gOx854rGhyc0KochbKAVsUrqlUZBXGrWpUEGLamVfGDQVmtynB4eaJV6YS9Fa2KDSoXtSnV8FnwKyUTtJBXyl8h_uNXSiKczH6lnIequHblOkz_Z7sSBm7ftyse4Hy1XekHQW4dih6GrO1QfCB7Y4ey5S1Lh7IbUnf_oZhg3fudyiZ42dWpdMKpYV1KOcxd1KXMh4DPupRAUD7vUnpCnCupCeBnInU82NJJPQC190itg2253dQoWzc1FoZvVtTRcNGiqFfgQjn2qqpeAe-xqjoGTr6vqudhQZyqpkLpelU9B6ZyVV0BLfWq2gHLerJa4c3qZXjydCa_ALe2mewBOQ1BvAu-fBrEOdDyIog74Jc5wTxwZzB7wf0Dwfw7pHqEsAmqxoawd2AIj4G-fqE8CJZPDuXVcCY5lC9AjQjjO1AdGMa3IOarMI6Dzkth7FQZxkXVYXwYhk4JZ18gLZx7wLHicD4HuhvhPMxTx37wOkrHTtE6ts7ScRHsXaNjG1x5ouO7cLZJxxfBKSKC-0DRzgg-DAftEXwWqkoi-Dq4OyLYE_wG6Xk8NMTquQVOf6LnCni2XM9t0L5Sz91W6dkzU88jofagnuug_oiem2Dkt3r2h1M39FwOCY16ToGJTXqeAZ7NeANGn0ieDa0jIln4RvI_tEjeAE8KI_kFxB2P5AT47WwkN0LQy0jWgwFi4ENYCEVwGOqhCXwVA78DP3ka-BfY72vg_8Lk0QbWw54kA19PM_Bt2PepgfMhfLmBo6BnjoHdIMlh4HVnDLwJ9l80sO6agaPhwEMD_w9Oexu5AhZPNXIG1E83cis8X2Dk1_Bwo5GfwuSvjBwEOVVG3gVm9yiuhCWeUbwasmDLW6lRfHN_FNeBb00UX-oXzVfhL_2jOQkqB0TzLTg5OJovQPfPo7kvHNkQzScgufssXgzZPWfxFiiZYxbfQP8PzGLoW4fMwhfKj5pFFXxxyiy2QZ8fzSL_V7MohXedLSIMhqRYhM9bayxiItzfirtinGHfCYvIhyUnLWI5ONdaRD-Iv20R8-9bRDL0fmER7pDx0iLWwY5uVlEIoz-yisFWqxgD3-ZZxRmY3
WUV86DeP1c0QX5IrnDAvfm54jG47M0VA2DkvlzhD9UtucKnK1dsTc8Te8CSkycOwbNf80QbdDTmCeVJnkh7lic-BVZsYgBMHGoTMyB-sU0kwu__sYlmWH3DJtZDlVe-uA6eu_NFzawC0fWnAtH9zwXiblyBeAZJawvEIvhya4E4drpAnIey3wpFNeQMt4uBwXYxCi7q7eLKW5l2UQvTs-0iDJxK7aIPRF2zi1g4HVosLkNoQ7EwQhlUwsM_isVTsL4pFkVwfGiJKAOKLRE9YOT2EuEPW0pLRC6MqTggMmElO8Q6CBnrEAbYMdUhCuHI3xziBPQ-5hDu4P3aIQIgP7RBOGCgqUGMgsLNDeIg6Ps1ClNCo1gBbWVPRBckT20SrmObhTcca-nlFNfey8nNpceaDW9KnVwtWdaNqkevGFNi2uKUiIVL05JGjE1JTsswpS-dkGxKWvb3lCUZS_0_TjctyUhZkrxgUsCkKQGBAdMmBExa8Mnk_wMzUq2W&build-label=editors.documents-frontend_20240806.02_p3&imp-sid=CMTUldu_-YcDFRfGzgAdOGEvZA&is-cached-offline=false"
    Referrer-Policy: strict-origin-when-cross-origin
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
    Server: GSE
    Set-Cookie: NID=516=Fk3w7D5QMrptCXmrurL9TRorbfOpD2Cr073f0RUqzYTsYLfHVjApuXZ6GqJ9LhPGbf44PVMGixsWZZcm5oWcY_ZKzzv99VNb5-KAtaVnxva8r3UQrRT-FkZBLE27sxRsz_Sstirbv7AYFnvD2hoYaFDZExLHKnf42G7cYVwOXj8; expires=Sat, 15-Feb-2025 12:20:16 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
    x-l2-request-path: l2-managed-5
    Transfer-Encoding: chunked
  • flag-us
    DNS
    ssl.google-analytics.com
    Remote address:
    1.1.1.1:53
    Request
    ssl.google-analytics.com
    IN A
    Response
    ssl.google-analytics.com
    IN A
    142.250.180.8
  • 142.250.187.238:443
    tls, https
    695 B
    40 B
    1
    1
  • 142.250.187.238:443
    tls, https
    695 B
    40 B
    1
    1
  • 142.250.187.238:443
    android.apis.google.com
    tls
    999 B
    4.5kB
    8
    7
  • 172.217.16.238:443
    android.apis.google.com
    tls
    5.6kB
    8.9kB
    23
    23
  • 216.58.212.206:443
    https://docs.google.com/document/d/1s0n64k12_r9MglT5m9lr63M5F3e-xRyaMeYP7rdOTrA/mobilebasic
    tls, http
    2.1kB
    18.9kB
    20
    20

    HTTP Request

    GET https://docs.google.com/document/d/1s0n64k12_r9MglT5m9lr63M5F3e-xRyaMeYP7rdOTrA/mobilebasic

    HTTP Response

    200
  • 216.58.212.206:443
    https://docs.google.com/document/d/1IIB6hhf_BB1DaxzC1aNfLEG1K97LsPsN55AT5pFWYKo/mobilebasic
    tls, http
    1.9kB
    18.8kB
    18
    21

    HTTP Request

    GET https://docs.google.com/document/d/1IIB6hhf_BB1DaxzC1aNfLEG1K97LsPsN55AT5pFWYKo/mobilebasic

    HTTP Response

    200
  • 91.204.227.39:28844
    180 B
    3
  • 142.250.180.8:443
    ssl.google-analytics.com
    tls
    1.3kB
    5.8kB
    8
    8
  • 91.204.227.39:28844
    180 B
    3
  • 91.204.227.39:28844
    180 B
    3
  • 91.204.227.39:28844
    180 B
    3
  • 142.250.200.36:443
    tls, https
    851 B
    40 B
    2
    1
  • 142.250.200.36:443
    www.google.com
    tls
    11.7kB
    11.4kB
    31
    36
  • 91.204.227.39:28844
    180 B
    3
  • 91.204.227.39:28844
    180 B
    3
  • 91.204.227.39:28844
    180 B
    3
  • 91.204.227.39:28844
    180 B
    3
  • 91.204.227.39:28844
    180 B
    3
  • 91.204.227.39:28844
    180 B
    3
  • 224.0.0.251:5353
    3.7kB
    11
  • 1.1.1.1:53
    android.apis.google.com
    dns
    69 B
    109 B
    1
    1

    DNS Request

    android.apis.google.com

    DNS Response

    172.217.16.238

  • 1.1.1.1:53
    docs.google.com
    dns
    61 B
    77 B
    1
    1

    DNS Request

    docs.google.com

    DNS Response

    216.58.212.206

  • 1.1.1.1:53
    ssl.google-analytics.com
    dns
    70 B
    86 B
    1
    1

    DNS Request

    ssl.google-analytics.com

    DNS Response

    142.250.180.8

MITRE ATT&CK Mobile v15

Downloads

  • /data/user/0/liyy.nxmuy.xygvf/files/dex

    Filesize

    580KB

    MD5

    ed9219be2761d62f01f05dee71f02df3

    SHA1

    c2b904961f519a66052c04d444b34ef4c3f00e67

    SHA256

    b8f6a3769331039a5f2dc29eba3adc431a7b086d47ec579cd143da11f137f13d

    SHA512

    420dc0fa4e231a66fa5c26fbd7952f574aa24aec62ecdf387dd376e98dac93cbea493785d67a030bd6d6745b00c7f3b14b693f906124ee6438b6a227d682f8bd

  • /data/user/0/liyy.nxmuy.xygvf/files/oat/dex.cur.prof

    Filesize

    1008B

    MD5

    0411ad996422406501e06e031cd9d624

    SHA1

    dff7d63e20a57b47432ac2fb3753666944d5cd1f

    SHA256

    86d58d764c4e542591c06de4766de16d988f43fc4f943360d69e093e7bc03df0

    SHA512

    9df2a7d23e636729f56afaffbe729109278527b75935d225239a73559479f8a68cb59837ba470bf76da697ce69454f6ed56d0ced94f6f624841498c73dd4e3a6
