xloader_apk | a8f5979a21824121f4315cda63d9db3f9bc8c79ed7c7c2c767d3d1b55dcb4572

General

Target

jFrSeMuVbVdLeFtUt.apk
Size

218KB
MD5

e84d5570be8386f2ba88530c442dded0
SHA1

8a448626c60248fb8bc13309e3b1761eeb1beba9
SHA256

a8f5979a21824121f4315cda63d9db3f9bc8c79ed7c7c2c767d3d1b55dcb4572
SHA512

b71d2c549ccad5bc7fc537d0bc1294e4064dcbac9023a06c9c4ea6b589a643ad446bdbff11fe1a1ea4a731ac8bf178ce958ab97a4d9eeb6ca7716584487c92d1

Score

10^/10

xloader_apk banker infostealer obfuscation ransomware stealth trojan

Malware Config

Extracted

DES_key

Signatures

XLoader, MoqHao
An Android banker and info stealer.
trojan infostealer banker xloader_apk
Removes its main activity from the application launcher 1 IoCs
stealth trojan

Processes:

mwsx.zaksh.ajnxw

pid process

3542 mwsx.zaksh.ajnxw
Loads dropped Dex/Jar 2 IoCs
Runs executable file dropped to the device during analysis.

Processes:

mwsx.zaksh.ajnxw

ioc pid process

/data/user/0/mwsx.zaksh.ajnxw/files/dex 3542 mwsx.zaksh.ajnxw
/data/user/0/mwsx.zaksh.ajnxw/files/dex 3542 mwsx.zaksh.ajnxw
Reads name of network operator 1 IoCs
Uses Android APIs to discover system information.

Processes:

mwsx.zaksh.ajnxw

description ioc process

Framework API call android.telephony.TelephonyManager.getNetworkOperatorName mwsx.zaksh.ajnxw
Uses Crypto APIs (Might try to encrypt user data). 1 IoCs
ransomware

Processes:

mwsx.zaksh.ajnxw

description ioc process

Framework API call javax.crypto.Cipher.doFinal mwsx.zaksh.ajnxw
Suspicious use of android.app.ApplicationPackageManager.getInstalledPackages 2 IoCs

Processes:

mwsx.zaksh.ajnxw

pid process

3542 mwsx.zaksh.ajnxw
3542 mwsx.zaksh.ajnxw

ioc	pid	process
/data/user/0/mwsx.zaksh.ajnxw/files/dex	3542	mwsx.zaksh.ajnxw
/data/user/0/mwsx.zaksh.ajnxw/files/dex	3542	mwsx.zaksh.ajnxw

description	ioc	process
Framework API call	android.telephony.TelephonyManager.getNetworkOperatorName	mwsx.zaksh.ajnxw

description	ioc	process
Framework API call	javax.crypto.Cipher.doFinal	mwsx.zaksh.ajnxw

Suspicious use of android.net.wifi.WifiInfo.getMacAddress 17 IoCs

Processes:

mwsx.zaksh.ajnxw

pid	process
3542	mwsx.zaksh.ajnxw
3542	mwsx.zaksh.ajnxw
3542	mwsx.zaksh.ajnxw
3542	mwsx.zaksh.ajnxw
3542	mwsx.zaksh.ajnxw
3542	mwsx.zaksh.ajnxw
3542	mwsx.zaksh.ajnxw
3542	mwsx.zaksh.ajnxw
3542	mwsx.zaksh.ajnxw
3542	mwsx.zaksh.ajnxw
3542	mwsx.zaksh.ajnxw
3542	mwsx.zaksh.ajnxw
3542	mwsx.zaksh.ajnxw
3542	mwsx.zaksh.ajnxw
3542	mwsx.zaksh.ajnxw
3542	mwsx.zaksh.ajnxw
3542	mwsx.zaksh.ajnxw

Suspicious use of android.os.PowerManager$WakeLock.acquire 1 IoCs

Processes:

mwsx.zaksh.ajnxw

pid process

3542 mwsx.zaksh.ajnxw

Suspicious use of android.telephony.TelephonyManager.getLine1Number 59 IoCs

Processes:

mwsx.zaksh.ajnxw

pid	process
3542	mwsx.zaksh.ajnxw
3542	mwsx.zaksh.ajnxw
3542	mwsx.zaksh.ajnxw
3542	mwsx.zaksh.ajnxw
3542	mwsx.zaksh.ajnxw
3542	mwsx.zaksh.ajnxw
3542	mwsx.zaksh.ajnxw
3542	mwsx.zaksh.ajnxw
3542	mwsx.zaksh.ajnxw
3542	mwsx.zaksh.ajnxw
3542	mwsx.zaksh.ajnxw
3542	mwsx.zaksh.ajnxw
3542	mwsx.zaksh.ajnxw
3542	mwsx.zaksh.ajnxw
3542	mwsx.zaksh.ajnxw
3542	mwsx.zaksh.ajnxw
3542	mwsx.zaksh.ajnxw
3542	mwsx.zaksh.ajnxw
3542	mwsx.zaksh.ajnxw
3542	mwsx.zaksh.ajnxw
3542	mwsx.zaksh.ajnxw
3542	mwsx.zaksh.ajnxw
3542	mwsx.zaksh.ajnxw
3542	mwsx.zaksh.ajnxw
3542	mwsx.zaksh.ajnxw
3542	mwsx.zaksh.ajnxw
3542	mwsx.zaksh.ajnxw
3542	mwsx.zaksh.ajnxw
3542	mwsx.zaksh.ajnxw
3542	mwsx.zaksh.ajnxw
3542	mwsx.zaksh.ajnxw
3542	mwsx.zaksh.ajnxw
3542	mwsx.zaksh.ajnxw
3542	mwsx.zaksh.ajnxw
3542	mwsx.zaksh.ajnxw
3542	mwsx.zaksh.ajnxw
3542	mwsx.zaksh.ajnxw
3542	mwsx.zaksh.ajnxw
3542	mwsx.zaksh.ajnxw
3542	mwsx.zaksh.ajnxw
3542	mwsx.zaksh.ajnxw
3542	mwsx.zaksh.ajnxw
3542	mwsx.zaksh.ajnxw
3542	mwsx.zaksh.ajnxw
3542	mwsx.zaksh.ajnxw
3542	mwsx.zaksh.ajnxw
3542	mwsx.zaksh.ajnxw
3542	mwsx.zaksh.ajnxw
3542	mwsx.zaksh.ajnxw
3542	mwsx.zaksh.ajnxw
3542	mwsx.zaksh.ajnxw
3542	mwsx.zaksh.ajnxw
3542	mwsx.zaksh.ajnxw
3542	mwsx.zaksh.ajnxw
3542	mwsx.zaksh.ajnxw
3542	mwsx.zaksh.ajnxw
3542	mwsx.zaksh.ajnxw
3542	mwsx.zaksh.ajnxw
3542	mwsx.zaksh.ajnxw

Uses reflection 65 IoCs

obfuscation

Processes:

mwsx.zaksh.ajnxw

description	pid	process
Invokes method com.Loader.create	3542	mwsx.zaksh.ajnxw
Invokes method android.content.ContextWrapper.getPackageManager	3542	mwsx.zaksh.ajnxw
Invokes method android.app.ApplicationPackageManager.setComponentEnabledSetting	3542	mwsx.zaksh.ajnxw
Acesses field com.android.okhttp.internal.tls.OkHostnameVerifier.INSTANCE	3542	mwsx.zaksh.ajnxw
Invokes method com.Loader.start	3542	mwsx.zaksh.ajnxw
Invokes method android.telephony.SignalStrength.getLevel	3542	mwsx.zaksh.ajnxw
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3542	mwsx.zaksh.ajnxw
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3542	mwsx.zaksh.ajnxw
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3542	mwsx.zaksh.ajnxw
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3542	mwsx.zaksh.ajnxw
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3542	mwsx.zaksh.ajnxw
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3542	mwsx.zaksh.ajnxw
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3542	mwsx.zaksh.ajnxw
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3542	mwsx.zaksh.ajnxw
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3542	mwsx.zaksh.ajnxw
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3542	mwsx.zaksh.ajnxw
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3542	mwsx.zaksh.ajnxw
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3542	mwsx.zaksh.ajnxw
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3542	mwsx.zaksh.ajnxw
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3542	mwsx.zaksh.ajnxw
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3542	mwsx.zaksh.ajnxw
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3542	mwsx.zaksh.ajnxw
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3542	mwsx.zaksh.ajnxw
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3542	mwsx.zaksh.ajnxw
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3542	mwsx.zaksh.ajnxw
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3542	mwsx.zaksh.ajnxw
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3542	mwsx.zaksh.ajnxw
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3542	mwsx.zaksh.ajnxw
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3542	mwsx.zaksh.ajnxw
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3542	mwsx.zaksh.ajnxw
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3542	mwsx.zaksh.ajnxw
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3542	mwsx.zaksh.ajnxw
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3542	mwsx.zaksh.ajnxw
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3542	mwsx.zaksh.ajnxw
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3542	mwsx.zaksh.ajnxw
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3542	mwsx.zaksh.ajnxw
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3542	mwsx.zaksh.ajnxw
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3542	mwsx.zaksh.ajnxw
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3542	mwsx.zaksh.ajnxw
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3542	mwsx.zaksh.ajnxw
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3542	mwsx.zaksh.ajnxw
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3542	mwsx.zaksh.ajnxw
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3542	mwsx.zaksh.ajnxw
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3542	mwsx.zaksh.ajnxw
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3542	mwsx.zaksh.ajnxw
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3542	mwsx.zaksh.ajnxw
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3542	mwsx.zaksh.ajnxw
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3542	mwsx.zaksh.ajnxw
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3542	mwsx.zaksh.ajnxw
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3542	mwsx.zaksh.ajnxw
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3542	mwsx.zaksh.ajnxw
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3542	mwsx.zaksh.ajnxw
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3542	mwsx.zaksh.ajnxw
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3542	mwsx.zaksh.ajnxw
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3542	mwsx.zaksh.ajnxw
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3542	mwsx.zaksh.ajnxw
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3542	mwsx.zaksh.ajnxw
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3542	mwsx.zaksh.ajnxw
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3542	mwsx.zaksh.ajnxw
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3542	mwsx.zaksh.ajnxw
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3542	mwsx.zaksh.ajnxw
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3542	mwsx.zaksh.ajnxw
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3542	mwsx.zaksh.ajnxw
Invokes method android.os.PowerManager.isIgnoringBatteryOptimizations	3542	mwsx.zaksh.ajnxw

mwsx.zaksh.ajnxw
1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Reads name of network operator
- Uses Crypto APIs (Might try to encrypt user data).
- Suspicious use of android.app.ApplicationPackageManager.getInstalledPackages
- Suspicious use of android.net.wifi.WifiInfo.getMacAddress
- Suspicious use of android.os.PowerManager$WakeLock.acquire
- Suspicious use of android.telephony.TelephonyManager.getLine1Number
- Uses reflection
PID:3542

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads