Analysis

  • max time kernel
    150s
  • max time network
    135s
  • platform
    android_x86
  • resource
    android-x86-arm-20240221-en
  • resource tags

    androidarch:armarch:x86image:android-x86-arm-20240221-enlocale:en-usos:android-9-x86system
  • submitted
    16-03-2024 23:33

General

  • Target

    cf5b114ae032a4b25e388d2dfc32b3e7.apk

  • Size

    445KB

  • MD5

    cf5b114ae032a4b25e388d2dfc32b3e7

  • SHA1

    120020a30a124af03ec0aa9d96ba01a70442744a

  • SHA256

    9f2aa63acc278a2d9f82d4536c2c9d5193d0e1a5ae92388d2ca891bba09c1377

  • SHA512

    390aec64457793431ab046e992cc333bb5b25b6891d69491d46d58676cf2ff41f3e3a4080311136a73e7c2a8a910ead8fddae795359c0dfaa92dc9943e2a693a

  • SSDEEP

    12288:WRxe7tfIt4vzVUD7DAEXqyqQnSMey7SQZyXzF:WROvzyD7Duy5g8kjF

Malware Config

Extracted

Family

xloader_apk

C2

http://91.204.227.39:28844

DES_key

Signatures

  • XLoader payload 2 IoCs
  • XLoader, MoqHao

    An Android banker and info stealer.

  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

  • Reads the contacts stored on the device. 1 TTPs 1 IoCs
  • Reads the content of the MMS message. 1 TTPs 1 IoCs
  • Acquires the wake lock 1 IoCs
  • Reads information about phone network operator. 1 TTPs
  • Uses Crypto APIs (Might try to encrypt user data) 1 IoCs

Processes

  • v.vc.kyx
    1⤵
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Reads the contacts stored on the device.
    • Reads the content of the MMS message.
    • Acquires the wake lock
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4244

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/v.vc.kyx/files/d

    Filesize

    454KB

    MD5

    d28e6b862a1aee68793e1b022f18306a

    SHA1

    9044c8b066fc6610bb53b2fe4fec1c8b3e5ae985

    SHA256

    05d35fa20111813c4e3063181b5b90d7f13a03856e6104f1dfc64c735055c76a

    SHA512

    64d6105fc4a17057c184804a6214a99e4f96326af423fa11cd7cc89ea0cd1c9e67e43e91ecbaf8ccea6b3175a05dc1d2a3dd1cbd0830d921dfbfb738ec874526

  • /data/data/v.vc.kyx/files/oat/d.cur.prof

    Filesize

    1KB

    MD5

    f86239221c5f9f8456ba186a4d1deaff

    SHA1

    2686fa6a1d21d0447bb72f0be011f0121c1e5bd4

    SHA256

    4a2954aad0fc993d61c08c55ba186076ee84a1a410134c87be57fada37bc589d

    SHA512

    bc0bb5e82cbebe4cba59cb4dcc21b1c3ea951abedcb2845cb8e8df8727e00a7926df49aef7d4e8116af865ab505751b5622f3fbf02497fc61433682e5b76b5b7

  • /storage/emulated/0/.msg_device_id.txt

    Filesize

    36B

    MD5

    5903b3707c0f6f9a7f771b534a5ae89e

    SHA1

    6f188e4ecde5ad8098ff999e3cd33b992a86b2aa

    SHA256

    74a48a8bf63ff4e3a5cffa08d42bcf50dd67bbf259008411fa7a4fe21d65953c

    SHA512

    c5179ced39e2d752077878a3fa0fb45a9ca5213010f085508fec705d466fa6bc3c7a0b8856ad6a4ba98386b80f668a0e1938ae11b25edfdb9d6b17856c030a31