Analysis
-
max time kernel
149s -
max time network
149s -
platform
android_x86 -
resource
android-x86-arm-20240624-en -
resource tags
-
submitted
27-09-2024 16:20
General
-
Target
fabbdc3ead3051d561a9f896fcb38175_JaffaCakes118.apk
-
Size
453KB
-
MD5
fabbdc3ead3051d561a9f896fcb38175
-
SHA1
7c3568dc42903a7fb3155e1ed20ccc73b464994d
-
SHA256
b46983a3ac3524d78bf8d3c443ad84d3142f87400260824a19b66526955a9675
-
SHA512
990b879a2702239d812e100f8a3c330b065b5c2cef66c36d0161152b73a0137504e3b66503491fa8f430a9a5a5924de3ddb975b080027f1f3c26071791dd2e37
-
SSDEEP
12288:pyqhOHDinbi4NuKDsVRiHNym6QD7qfBsS+b4dMoYglw:p3bNZIV8HL5S+cdM8m
Malware Config
Extracted
xloader_apk
http://91.204.227.39:28844
Signatures
-
XLoader payload 1 IoCs
-
XLoader, MoqHao
An Android banker and info stealer.
-
Checks if the Android device is rooted. 1 TTPs 3 IoCs
-
Removes its main activity from the application launcher 1 TTPs 1 IoCs
-
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs executable file dropped to the device during analysis.
-
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Reads the content of the MMS message. 1 TTPs 1 IoCs
-
Acquires the wake lock 1 IoCs
-
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
-
Queries information about active data network 1 TTPs 1 IoCs
-
Reads information about phone network operator. 1 TTPs
-
Requests changing the default SMS application. 2 TTPs 1 IoCs
-
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
-
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
-
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
Processes
-
com.giuv.ibfo1⤵
- Checks if the Android device is rooted.
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Reads the content of the MMS message.
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Queries information about active data network
- Requests changing the default SMS application.
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
-
ping -c 4 91.204.227.392⤵
-
Network
MITRE ATT&CK Mobile v15
Persistence
Event Triggered Execution
1Broadcast Receivers
1Foreground Persistence
1Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Hide Artifacts
2Suppress Application Icon
1User Evasion
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
766KB
MD57962ea579bddfb2d56deaeb75556d33a
SHA1292c29c70d73caff3148eb993fc389c58b966cde
SHA256ff87cb92852a7d77c93494f73a3876fb3c3570115ffe73c2fcd08ae3ac1e3551
SHA512bad435e79acad4d6c25ea5a580a12dde0e065a85677744c6428bf20ee03a55972d20416ca719f9254be886f20a00c2cd3e4816911e05ebab199e398bc4c6a0f4