Analysis

  • max time kernel
    150s
  • max time network
    139s
  • platform
    android_x86
  • resource
    android-x86-arm-20240221-en
  • resource tags
    android, arch:arm, arch:x86, image:android-x86-arm-20240221-en, locale:en-us, os:android-9-x86, system
  • submitted
    17-03-2024 08:13

General

  • Target
    d05f96b3aab83be5732f07276568b5ff.apk
  • Size
    445KB
  • MD5
    d05f96b3aab83be5732f07276568b5ff
  • SHA1
    b8fe26ffa2f03eaf755833837f2525fd17ea49a8
  • SHA256
    c4bb20855e33752dba0aadf468a84b6a67a15bf5744bf04da603fa20127aa59f
  • SHA512
    fb63b78e7c96207a1da42ccb5cfdc8a3a0f1d7d6cabcadb7516b298e2f302ece8e7f538206950a42d548ccd686fdb8f4cd0ee7e2b2cfc8240dbfe4670e0a6e9a
  • SSDEEP
    12288:dWGuQ/Hj8gCNw72iCTD7DAEXqyqQnSMey7SQZyJ:dfdjaARmD7Duy5g8kJ

Malware Config

Extracted

  • Family
    xloader_apk
  • C2
    http://91.204.227.39:28844
  • DES_key

Signatures

  • XLoader payload (2 IoCs)
  • XLoader, MoqHao
    An Android banker and info stealer.
  • Removes its main activity from the application launcher (1 TTP, 1 IoC)
  • Loads dropped Dex/Jar (1 TTP, 2 IoCs)
    Runs an executable file dropped to the device during analysis.
  • Reads the contacts stored on the device (1 TTP, 1 IoC)
  • Reads the content of the MMS message (1 TTP, 1 IoC)
  • Acquires the wake lock (1 IoC)
  • Reads information about the phone network operator (1 TTP)
  • Uses Crypto APIs (might try to encrypt user data) (1 IoC)

Processes

  • y.oujqjl.crh (PID 4178)
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Reads the contacts stored on the device
    • Reads the content of the MMS message
    • Acquires the wake lock
    • Uses Crypto APIs (might try to encrypt user data)

Network

MITRE ATT&CK Mobile v15

Downloads

  • /data/data/y.oujqjl.crh/files/oat/d.cur.prof
    Filesize
    1KB
    MD5
    8cf3e83fcf5617f953492380765cc68a
    SHA1
    d306346cd4b42a67c7ba9d3792d0e5af5699a6b7
    SHA256
    41614b12f859ac623801aca86c2af0648bf50c2d34fdf42f27f02a409cc15003
    SHA512
    25307db453ba9024ea3094244422abed53b58c81c3bc4e41ede7833db88e5b75e54e109eb0fb0f0828a13184a57583b93f24df1e4fff8e0451d95b7c18f9e5ae

  • /data/user/0/y.oujqjl.crh/files/d
    Filesize
    454KB
    MD5
    d28e6b862a1aee68793e1b022f18306a
    SHA1
    9044c8b066fc6610bb53b2fe4fec1c8b3e5ae985
    SHA256
    05d35fa20111813c4e3063181b5b90d7f13a03856e6104f1dfc64c735055c76a
    SHA512
    64d6105fc4a17057c184804a6214a99e4f96326af423fa11cd7cc89ea0cd1c9e67e43e91ecbaf8ccea6b3175a05dc1d2a3dd1cbd0830d921dfbfb738ec874526

  • /storage/emulated/0/.msg_device_id.txt
    Filesize
    36B
    MD5
    740bc6018513036b3e491b5d9667020c
    SHA1
    7a6c7c0b5b8d81e77d6416f4c9b4ae49ce2ac5e4
    SHA256
    025dcbdf2cc807a7cb51179913a82a11e45b301b5a4b1e82e414a0afb8cbba3a
    SHA512
    5fb25d866d781f79ba19fe1e87880d382c5d0d8706a13289c597fdde0db80d463728cad2daca7bdcfcdd955f174388c379c2a663053ba61a484aa04a1dedb4f0