Analysis Overview
SHA256
7c2ce095afd68f2a6c4ac11b495f3e6c648d10d0af1379392b1e07a8c2e5bbcd
Threat Level: Known bad
The file d57dea71951a50c509b5ac98b3296f0c was found to be: Known bad.
Malicious Activity Summary
XLoader payload
XLoader, MoqHao
Removes its main activity from the application launcher
Loads dropped Dex/Jar
Reads the content of the MMS message.
Acquires the wake lock
Requests dangerous framework permissions
MITRE ATT&CK
Mobile Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-19 07:01
Signatures
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
| Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A |
| Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A |
| Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A |
| Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A |
| Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-19 07:01
Reported
2024-03-19 07:03
Platform
android-x86-arm-20240221-en
Max time kernel
149s
Max time network
144s
Command Line
Signatures
XLoader payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
XLoader, MoqHao
Removes its main activity from the application launcher
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Loads dropped Dex/Jar
| Description | Indicator | Process | Target |
| N/A | /data/user/0/c.ao.wynwv/files/d | N/A | N/A |
| N/A | /data/user/0/c.ao.wynwv/files/d | N/A | N/A |
Reads the content of the MMS message.
| Description | Indicator | Process | Target |
| URI accessed for read | content://mms/ | N/A | N/A |
Acquires the wake lock
| Description | Indicator | Process | Target |
| Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A |
Processes
c.ao.wynwv
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
| US | 1.1.1.1:53 | www.blogger.com | udp |
| GB | 142.250.187.233:443 | www.blogger.com | tcp |
| GB | 142.250.187.233:443 | www.blogger.com | tcp |
| US | 1.1.1.1:53 | www.blogger.com | udp |
| GB | 142.250.200.41:443 | www.blogger.com | tcp |
| GB | 142.250.187.206:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.200.41:443 | www.blogger.com | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 172.217.16.238:443 | android.apis.google.com | tcp |
| GB | 142.250.200.41:443 | www.blogger.com | tcp |
| GB | 142.250.200.41:443 | www.blogger.com | tcp |
| GB | 142.250.200.41:443 | www.blogger.com | tcp |
Files
/data/data/c.ao.wynwv/files/d
| MD5 | 6428e12b85d6a8b13047c03b638af740 |
| SHA1 | a6c785d42dcf46457421a066e5dfbe77becc1130 |
| SHA256 | 45a16f45f7ecbe02bdfe4ae246a52b4b2252335fdfc71bbde069023cd014cbe1 |
| SHA512 | f9f9d09d201ce6c2095dbc8f6b51945a5f0e364d8bcaad1499028d2ef9aaef356121913014f53ecff2ac2ef2c91ad73eb01e9643019a9316ff6b2d58d9f2b6c1 |
/data/data/c.ao.wynwv/files/oat/d.cur.prof
| MD5 | 36a1389a9e4b6c5614fe8aa3d4316ab4 |
| SHA1 | a5ba5ea7a45aae6c6910f7a2ca250fcc52dd77a0 |
| SHA256 | f5421c980cf2e92a987bba5e0946c787050ebfc697afd54cfcf20ca18d835bfc |
| SHA512 | 7a4d2c6e11b3ff02175503c6a9537f96f147713a87247c99c6826f8043ca38ee348b7c2abaf52b6c2c3f4c3d5d37c4d5ff18e82ab7d3610c03537a337baec9dd |