Analysis

  • max time kernel
    149s
  • max time network
    146s
  • platform
    android_x86
  • resource
    android-x86-arm-20240221-en
  • resource tags

    androidarch:armarch:x86image:android-x86-arm-20240221-enlocale:en-usos:android-9-x86system
  • submitted
    19-03-2024 19:41

General

  • Target

    d6f54ced913717993181cd5aaaf8998b.apk

  • Size

    445KB

  • MD5

    d6f54ced913717993181cd5aaaf8998b

  • SHA1

    8e0d0bf3cd855b1878838ddba52f77e04a8e4afc

  • SHA256

    8d43daddf4ac85a99816078ad3a04a4e658f6d48d2ce21d76ec156f455a42b84

  • SHA512

    597e0c34159a6f31112783dae5a80f47785b83abb43e9e13b2e148da97a16911446683c4c7edd922cbc8ee6827f0e02fbb13c92a8695ba4ab8f78ece7e0404d2

  • SSDEEP

    12288:Ma4923l1BtD7DAEXqyqQnSMey7SQZyOUr:Md2dtD7Duy5g8kOUr

Malware Config

Extracted

Family

xloader_apk

C2

http://91.204.227.39:28844

DES_key

Signatures

  • XLoader payload 2 IoCs
  • XLoader, MoqHao

    An Android banker and info stealer.

  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

  • Reads the contacts stored on the device. 1 TTPs 1 IoCs
  • Reads the content of the MMS message. 1 TTPs 1 IoCs
  • Acquires the wake lock 1 IoCs
  • Reads information about phone network operator. 1 TTPs
  • Uses Crypto APIs (Might try to encrypt user data) 1 IoCs

Processes

  • y.eiuzmz.fu
    1⤵
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Reads the contacts stored on the device.
    • Reads the content of the MMS message.
    • Acquires the wake lock
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4264

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/y.eiuzmz.fu/files/d

    Filesize

    454KB

    MD5

    d28e6b862a1aee68793e1b022f18306a

    SHA1

    9044c8b066fc6610bb53b2fe4fec1c8b3e5ae985

    SHA256

    05d35fa20111813c4e3063181b5b90d7f13a03856e6104f1dfc64c735055c76a

    SHA512

    64d6105fc4a17057c184804a6214a99e4f96326af423fa11cd7cc89ea0cd1c9e67e43e91ecbaf8ccea6b3175a05dc1d2a3dd1cbd0830d921dfbfb738ec874526

  • /data/data/y.eiuzmz.fu/files/oat/d.cur.prof

    Filesize

    1KB

    MD5

    a43791e8c2eca19e6942c91f8e0a317d

    SHA1

    9fa5dae526565d64f1b243b745a101b5b07f6010

    SHA256

    423ca83bd2815f2209b25927db251ffa8588e3108aa304cdee59eec7c2afe18b

    SHA512

    51f8001ce6581192233fb56a2e7cd0c4d99107f6bb60646946c442f6e8e342bb1e51d13aedb274e9cba64c2be4f6e92bec9550af6c4b3a65761eb8d862835a79

  • /storage/emulated/0/.msg_device_id.txt

    Filesize

    36B

    MD5

    481f066e64a850e081a23cc947315153

    SHA1

    feed4fd9f2447cba064eeb8392da8af42d70852c

    SHA256

    c2dd9c440ccd215c082bd37509f0e7081d67f600474b826d8596314395df47e5

    SHA512

    4e5165f906beb8621f8798eec2ac578ef377d9ce742930fbe46e9e5f75dec72ed3fbcc69e07fd62701417b0d384ac4415ea498c59b23d6f55546f43f352cf7b4