Analysis
max time kernel: 149s
max time network: 155s
platform: android_x86
resource: android-x86-arm-20240624-en
resource tags: android, arch:arm, arch:x86, image:android-x86-arm-20240624-en, locale:en-us, os:android-9-x86, system
submitted: 24-09-2024 13:55
Static task: static1
Behavioral task: behavioral1
  Sample: f3ca571b2d1f0ecff371fb82119d1afe_JaffaCakes118.apk
  Resource: android-x86-arm-20240624-en
Behavioral task: behavioral2
  Sample: f3ca571b2d1f0ecff371fb82119d1afe_JaffaCakes118.apk
  Resource: android-x64-20240624-en
Behavioral task: behavioral3
  Sample: f3ca571b2d1f0ecff371fb82119d1afe_JaffaCakes118.apk
  Resource: android-x64-arm64-20240624-en
General
Target: f3ca571b2d1f0ecff371fb82119d1afe_JaffaCakes118.apk
Size: 357KB
MD5: f3ca571b2d1f0ecff371fb82119d1afe
SHA1: 18a5fcadd8a9cd78dd937cdf03c5033026725593
SHA256: 0f49416b6bcb6e755d999255fabb4c77c5ea7dedeb7e6cdb0925c4f23c1fb00e
SHA512: eb961874dc6f6b3c86c22eff0654f7211f88925006a6675971f12f02c772b125ba8510a765f81f7a21ade77a5f9468554453255d862259d93fed76cd7c9887c4
SSDEEP: 6144:df5WDxZxFhtotuY8BDWhH3raNhnf+HdIq4WMp1OnW5pqbl1p5aptPJ34:6DxzouYw8XraNhf+9IdfpkuMlFSRJ34
Malware Config
Signatures
- XLoader payload (2 IoCs)
  resource                                         yara_rule
  /data/data/fddf.tre.hjgdsgkh/files/test.dex      family_xloader_apk2
  /data/user/0/fddf.tre.hjgdsgkh/files/test.dex    family_xloader_apk2
- XLoader, MoqHao
  An Android banker and info stealer.
- Checks if the Android device is rooted. (1 TTP, 3 IoCs)
  Processes: fddf.tre.hjgdsgkh
  ioc                process
  /system/bin/su     fddf.tre.hjgdsgkh
  /system/xbin/su    fddf.tre.hjgdsgkh
  /sbin/su           fddf.tre.hjgdsgkh
- Loads dropped Dex/Jar (1 TTP, 3 IoCs)
  Runs executable file dropped to the device during analysis.
  Processes: fddf.tre.hjgdsgkh; /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/fddf.tre.hjgdsgkh/files/test.dex --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/fddf.tre.hjgdsgkh/files/oat/x86/test.odex --compiler-filter=quicken --class-loader-context=&
  ioc                                              pid    process
  /data/user/0/fddf.tre.hjgdsgkh/files/test.dex    4242   fddf.tre.hjgdsgkh
  /data/user/0/fddf.tre.hjgdsgkh/files/test.dex    4280   /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/fddf.tre.hjgdsgkh/files/test.dex --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/fddf.tre.hjgdsgkh/files/oat/x86/test.odex --compiler-filter=quicken --class-loader-context=&
  /data/user/0/fddf.tre.hjgdsgkh/files/test.dex    4242   fddf.tre.hjgdsgkh
- Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 TTP)
- Queries the phone number (MSISDN for GSM devices) (1 TTP)
- Reads the content of the MMS message. (1 TTP, 1 IoC)
  Processes: fddf.tre.hjgdsgkh
  description              ioc                process
  URI accessed for read    content://mms/     fddf.tre.hjgdsgkh
- Acquires the wake lock (1 IoC)
  Processes: fddf.tre.hjgdsgkh
  description               ioc                                            process
  Framework service call    android.os.IPowerManager.acquireWakeLock       fddf.tre.hjgdsgkh
- Makes use of the framework's foreground persistence service (1 TTP, 1 IoC)
  Application may abuse the framework's foreground service to continue running in the foreground.
  Processes: fddf.tre.hjgdsgkh
  description               ioc                                                    process
  Framework service call    android.app.IActivityManager.setServiceForeground      fddf.tre.hjgdsgkh
- Requests disabling of battery optimizations (often used to enable hiding in the background). (1 TTP, 1 IoC)
  Processes: fddf.tre.hjgdsgkh
  description      ioc                                                           process
  Intent action    android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS         fddf.tre.hjgdsgkh
- Tries to add a device administrator. (2 TTPs, 1 IoC)
  Processes: fddf.tre.hjgdsgkh
  description      ioc                                        process
  Intent action    android.app.action.ADD_DEVICE_ADMIN        fddf.tre.hjgdsgkh
- Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTP, 1 IoC)
  Processes: fddf.tre.hjgdsgkh
  description               ioc                                               process
  Framework service call    android.app.IActivityManager.registerReceiver     fddf.tre.hjgdsgkh
Processes
- fddf.tre.hjgdsgkh (PID 4242)
  - Checks if the Android device is rooted.
  - Removes its main activity from the application launcher
  - Loads dropped Dex/Jar
  - Reads the content of the MMS message.
  - Acquires the wake lock
  - Makes use of the framework's foreground persistence service
  - Requests disabling of battery optimizations (often used to enable hiding in the background).
  - Tries to add a device administrator.
  - Registers a broadcast receiver at runtime (usually for listening for system events)
  - Child process: /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/fddf.tre.hjgdsgkh/files/test.dex --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/fddf.tre.hjgdsgkh/files/oat/x86/test.odex --compiler-filter=quicken --class-loader-context=& (PID 4280)
    - Loads dropped Dex/Jar
Network
MITRE ATT&CK Mobile v15
Persistence
  Event Triggered Execution (1)
    Broadcast Receivers (1)
  Foreground Persistence (1)
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Device Administrator Permissions (1)
Defense Evasion
  Download New Code at Runtime (1)
  Foreground Persistence (1)
  Hide Artifacts (2)
    Suppress Application Icon (1)
    User Evasion (1)
Downloads
- Filesize: 621KB
  MD5: f9757bbced603e2ccb70bd0bec4e039a
  SHA1: 0a35bc10485713fbe8f512265c89d6a97bce839b
  SHA256: 0128d03f6f519387751a6718b15e75898c3b7bb6a859b800ae514c239290d5c0
  SHA512: ad87f192444296fe0eb243007f1318c90924a2a59996ccb65d54f06674855238d506eaf42f804f85343ca08b23d1b535f03044a8472ded3cb4e3f49fc80a0299
- Filesize: 621KB
  MD5: bd3166c2d69ff523bec487d59f0aa65f
  SHA1: a8ad89cbcc2ea0da31d254a06aad6ad27f16b93c
  SHA256: 72c969f869ceb82a7221c155bed0befd66fa95f6966b83d43b168e0526b70ea3
  SHA512: 1698b6ef082a32ffc1e9c1dbf2722e3f13beb3ef0e33242cfc123e34db15bcf6f9ff6fdb6ca6b35ddfe08bee05e5ef37eb9055d01eb284ba2140aeb8cbe07381