Malware Analysis Report

2025-01-19 04:56

Sample ID 220120-pnxp3aaack
Target dgpykawdca.apk
SHA256 35380c831ccd7ac5e68b1ceaca0c37f6dc65768edf409f8e1b1a46b59e31aa7d
Tags
xloader_apk banker infostealer ransomware trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

35380c831ccd7ac5e68b1ceaca0c37f6dc65768edf409f8e1b1a46b59e31aa7d

Threat Level: Known bad

The file dgpykawdca.apk was found to be: Known bad.

Malicious Activity Summary

xloader_apk banker infostealer ransomware trojan

XLoader, MoqHao

XLoader Payload

Loads dropped Dex/Jar

Requests dangerous framework permissions

Reads information about phone network operator.

Uses Crypto APIs (Might try to encrypt user data).

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2022-01-20 12:29

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-01-20 12:29

Reported

2022-01-20 12:32

Platform

android-x86-arm

Max time kernel

2004422s

Max time network

187s

Command Line

oa.zwcbsq.bqf.eqhvd

Signatures

XLoader Payload


XLoader, MoqHao

trojan infostealer banker xloader_apk

Loads dropped Dex/Jar

Description | Indicator | Process | Target
N/A | /data/user/0/oa.zwcbsq.bqf.eqhvd/files/d | N/A | N/A

Reads information about phone network operator.

Uses Crypto APIs (Might try to encrypt user data).

ransomware
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

oa.zwcbsq.bqf.eqhvd

Network


Files

/data/user/0/oa.zwcbsq.bqf.eqhvd/files/d

MD5 d125d7e8d3e1bd80e89df9ebb0522296
SHA1 b1d6d142a5f67661a555000726e0ab72ca43ce7b
SHA256 5c25ea3bbc2a4ca578fa198b9a33fdb3d51e829b274b22af75768c3b22fa962d
SHA512 aac0eb838beeb6e38b2226798359cee9ae4b937724f108e3dea5bd3307964810cb4ba09368e71eaf4b9551624ff4886a02ee5d72022f8487a2e6dc540a4fa42e