Analysis
-
max time kernel
149s -
max time network
150s -
platform
android_x86 -
resource
android-x86-arm-20240624-en -
resource tags
-
submitted
21-09-2024 12:36
General
-
Target
efcf2b57fc1c976b628c3df4a9631b7e_JaffaCakes118.apk
-
Size
432KB
-
MD5
efcf2b57fc1c976b628c3df4a9631b7e
-
SHA1
a831ce7fee03e8633e4dffdc2f7b2d7ce83cd68c
-
SHA256
8d37efcafcbb31b5d12c6b640b4fdeedff972e4c12a6aa93b2c1c6a09a4a84d7
-
SHA512
94d3a55f061bc64e0dc107258fb9d8d9dabd83508c10e86f965356079f948cb8c0c6662d5fc6ebcb09f9f856faf5da6078e4c848a2dc03f8baddf6e3038aae91
-
SSDEEP
12288:WRJ3GSOdjX7N0HgSziADpDwQtUHFYo1lCYI8akScVEOZnpC8:WrcsiobMxPDakSc3ZnpC8
Malware Config
Extracted
xloader_apk
http://91.204.227.39:28844
Signatures
-
XLoader payload 1 IoCs
-
XLoader, MoqHao
An Android banker and info stealer.
-
Checks if the Android device is rooted. 1 TTPs 3 IoCs
-
Removes its main activity from the application launcher 1 TTPs 1 IoCs
-
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs executable file dropped to the device during analysis.
-
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Reads the content of the MMS message. 1 TTPs 1 IoCs
-
Acquires the wake lock 1 IoCs
-
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
-
Queries information about active data network 1 TTPs 1 IoCs
-
Requests changing the default SMS application. 2 TTPs 1 IoCs
-
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
-
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
-
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
Processes
-
com.chib.adrj1⤵
- Checks if the Android device is rooted.
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Reads the content of the MMS message.
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Queries information about active data network
- Requests changing the default SMS application.
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
-
ping -c 4 91.204.227.392⤵
-
-
ping -c 4 91.204.227.392⤵
-
Network
MITRE ATT&CK Mobile v15
Persistence
Event Triggered Execution
1Broadcast Receivers
1Foreground Persistence
1Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Hide Artifacts
2Suppress Application Icon
1User Evasion
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
766KB
MD5a94e56982fdbb56095f2063d0560021b
SHA11366dc9b7351a298c3deec87783c0bb9e7d41e0b
SHA2569e7bf9d8214a0f1f3d91f0740ff7b8ee90100ed05fa1a21f2c03e1569e2fa540
SHA512f9715e2296319815495ffff4281eb4d53866fd0ababda1d32a507539d3ce06f673664e37466282ccbdd797c778c7ffa09d3046e21fba6fbf2c2bc2c35b470855
-
Filesize
1KB
MD54a45bea2ddebb1f1d6dcf13276a07948
SHA14d76d8c2ceda6487e7f2ee35b68a78833296f4fc
SHA2563c055f210db4af078a487eb3a4a15b4592f7787309a83b34ad54e4df2ba8fbee
SHA5123e5567000dcb4ee17c7b8d7187799f8ef3a8356ae635dbe2b4cc1e10e2ef05c49ab12dcc4132d4ec875edfa9c841e8ecad0aec07bf2ff9d4be156f56fd7b2c76