Malware Analysis Report

2024-10-19 11:52

Sample ID 240417-1zkenaff56
Target 7be196df227488c343fb42cfe03d4d07f64f7258b5bf5817c3dfec43c84f3f7c.bin
SHA256 7be196df227488c343fb42cfe03d4d07f64f7258b5bf5817c3dfec43c84f3f7c
Tags
xloader_apk banker collection discovery evasion infostealer persistence stealth trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

7be196df227488c343fb42cfe03d4d07f64f7258b5bf5817c3dfec43c84f3f7c

Threat Level: Known bad

The file 7be196df227488c343fb42cfe03d4d07f64f7258b5bf5817c3dfec43c84f3f7c.bin was found to be: Known bad.

Malicious Activity Summary

xloader_apk banker collection discovery evasion infostealer persistence stealth trojan

XLoader, MoqHao

XLoader payload

Removes its main activity from the application launcher

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Loads dropped Dex/Jar

Reads the content of the MMS message.

Queries account information for other applications stored on the device.

Makes use of the framework's foreground persistence service

Queries the phone number (MSISDN for GSM devices)

Queries the unique device ID (IMEI, MEID, IMSI)

Acquires the wake lock

Requests dangerous framework permissions

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-17 22:05

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-17 22:05

Reported

2024-04-17 22:26

Platform

android-x86-arm-20240221-en

Max time kernel

150s

Max time network

155s

Command Line

vfaw.sqs.cfxch

Signatures

XLoader payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

XLoader, MoqHao

trojan infostealer banker xloader_apk

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/vfaw.sqs.cfxch/files/dex N/A N/A
N/A /data/user/0/vfaw.sqs.cfxch/files/dex N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Queries account information for other applications stored on the device.

collection
Description Indicator Process Target
Framework service call android.accounts.IAccountManager.getAccounts N/A N/A

Reads the content of the MMS message.

collection
Description Indicator Process Target
URI accessed for read content://mms/ N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

vfaw.sqs.cfxch

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 docs.google.com udp
GB 216.58.204.78:443 docs.google.com tcp
GB 216.58.204.78:443 docs.google.com tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
GB 142.250.187.206:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 172.217.16.238:443 android.apis.google.com tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
GB 172.217.169.10:443 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp

Files

/data/data/vfaw.sqs.cfxch/files/dex

MD5 dccd8cb67405ad4d9b53e36c040d53b9
SHA1 ddba058c9cf0ad4e594c4885e7bb71a7a4442856
SHA256 8c221b88e6755f04827bf176521a83a6e06ac054b3edca7aeb7c743a41fa01e6
SHA512 28a25885bb0bd38d28ba3118a25253b41e17211fc00af2df6ee55ed70b8ea08862afab0661fd9db3085403bbb224f2231850b695f09bd94044e45574c27114ab

/storage/emulated/0/.msg_device_id.txt

MD5 b74a8be84af2fd235867fca5956f3f4c
SHA1 090f0664bb5d9407d9966fa5c7014412241d5130
SHA256 189c40143a22d24dabc7b649c30a9e6644b7b05def963635048f7012dcfa575d
SHA512 57de4f05346ed8068b1f273995f1d2840cd0eef54634d92a4b11257e160a947da5965b3609976a7fb7e9e0bc1ea8f0c569a1a883eda6e91ec53efbfa6967bb4e

/data/data/vfaw.sqs.cfxch/files/oat/dex.cur.prof

MD5 f8a83e63b0a87f13ff0f8f5bd0512908
SHA1 d4d356aaac3a07fb0ba72d0fad1a4d52f695126e
SHA256 8a688e11f5410cefbcb0a3230c139fc11679c2fcfe6cd271b876a20de1fadc29
SHA512 a9509b6190b18684ba9a2bb7584eff98d59f783b6ac7f42314d90239a1277a2b3aa29c9f2ab48faaba4fadc911c8b5b120a8a3989293c8090a3162520fdd7e43

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-17 22:05

Reported

2024-04-17 22:24

Platform

android-x64-20240221-en

Max time kernel

150s

Max time network

157s

Command Line

vfaw.sqs.cfxch

Signatures

XLoader payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

XLoader, MoqHao

trojan infostealer banker xloader_apk

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/vfaw.sqs.cfxch/files/dex N/A N/A
N/A /data/user/0/vfaw.sqs.cfxch/files/dex N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Queries account information for other applications stored on the device.

collection
Description Indicator Process Target
Framework service call android.accounts.IAccountManager.getAccounts N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Reads the content of the MMS message.

collection
Description Indicator Process Target
URI accessed for read content://mms/ N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Uses Crypto APIs (Might try to encrypt user data)

Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

vfaw.sqs.cfxch

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 docs.google.com udp
GB 172.217.16.238:443 docs.google.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 216.58.204.72:443 ssl.google-analytics.com tcp
GB 172.217.16.238:443 docs.google.com tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
GB 142.250.178.14:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.206:443 android.apis.google.com tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
GB 216.58.212.228:443 tcp
GB 216.58.212.228:443 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp

Files

/data/data/vfaw.sqs.cfxch/files/dex

MD5 dccd8cb67405ad4d9b53e36c040d53b9
SHA1 ddba058c9cf0ad4e594c4885e7bb71a7a4442856
SHA256 8c221b88e6755f04827bf176521a83a6e06ac054b3edca7aeb7c743a41fa01e6
SHA512 28a25885bb0bd38d28ba3118a25253b41e17211fc00af2df6ee55ed70b8ea08862afab0661fd9db3085403bbb224f2231850b695f09bd94044e45574c27114ab

/storage/emulated/0/.msg_device_id.txt

MD5 ab4f5bfc9b51195c8ec365530d76faa4
SHA1 f19df8b3ac7eac4924dc555e24c1d1606e37ad56
SHA256 1b0eac3da1b3ad0fcf4170bfa31ef06007b15eed4a847c63f95a4d87eff6585e
SHA512 6f793b53d5de29656e81b044fbf694cd08487cdfdb45a7e2bce3d0bf61c8ba41ee6d4609a34617d59c10c5bc07197c3abf9494135268935dddad0a96042e42f4

/data/data/vfaw.sqs.cfxch/files/oat/dex.cur.prof

MD5 65d4ddb3b0b775d83b2a1cd736def6df
SHA1 fc9780ae58817015f10dd02cf66c2df189bd8c04
SHA256 8bec3e22832e149607cbd1a5a94e69b8b0948fc34a3337fcdcc44c3b0a132ede
SHA512 270f33d4b0616cc77935bd3a6af9f9b2db02bc8fdf6ddf6ad1bf526af4a6f5ee49d0fb8024d9fda5df70a71c7b0b0beff9fb616c7f874398185bb9367887566c

Analysis: behavioral3

Detonation Overview

Submitted

2024-04-17 22:05

Reported

2024-04-17 22:25

Platform

android-x64-arm64-20240221-en

Max time kernel

150s

Max time network

159s

Command Line

vfaw.sqs.cfxch

Signatures

XLoader payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

XLoader, MoqHao

trojan infostealer banker xloader_apk

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/vfaw.sqs.cfxch/files/dex N/A N/A
N/A /data/user/0/vfaw.sqs.cfxch/files/dex N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Queries account information for other applications stored on the device.

collection
Description Indicator Process Target
Framework service call android.accounts.IAccountManager.getAccountsAsUser N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Reads the content of the MMS message.

collection
Description Indicator Process Target
URI accessed for read content://mms/ N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

vfaw.sqs.cfxch

Network

Country Destination Domain Proto
GB 142.250.180.14:443 tcp
GB 142.250.180.14:443 tcp
GB 142.250.180.14:443 tcp
N/A 224.0.0.251:5353 udp
GB 216.58.213.10:443 udp
GB 142.250.200.46:443 udp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.238:443 android.apis.google.com tcp
GB 172.217.169.74:443 tcp
GB 172.217.169.74:443 tcp
US 1.1.1.1:53 docs.google.com udp
GB 142.250.200.46:443 docs.google.com tcp
GB 142.250.200.46:443 docs.google.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 216.58.204.72:443 ssl.google-analytics.com tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
GB 216.58.201.100:443 tcp
GB 216.58.201.100:443 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp

Files

/data/user/0/vfaw.sqs.cfxch/files/dex

MD5 dccd8cb67405ad4d9b53e36c040d53b9
SHA1 ddba058c9cf0ad4e594c4885e7bb71a7a4442856
SHA256 8c221b88e6755f04827bf176521a83a6e06ac054b3edca7aeb7c743a41fa01e6
SHA512 28a25885bb0bd38d28ba3118a25253b41e17211fc00af2df6ee55ed70b8ea08862afab0661fd9db3085403bbb224f2231850b695f09bd94044e45574c27114ab

/storage/emulated/0/.msg_device_id.txt

MD5 35524e8b01adea8b96d56c05a66220a1
SHA1 6a88cd3a3aa8c462d02d472a5f17f26ef7c6084e
SHA256 939e51e8facc0862e86c143c9001eeb9deb725ae14794f25045587df9a743d66
SHA512 07845f896e8d9c4fb7abed16303768c431a3cd15163ed731dd4af26ad182d5ce15081c7a03ea23093786aa67d0fb80bab05772970266cf24c42c3510ce61081d

/data/user/0/vfaw.sqs.cfxch/files/oat/dex.cur.prof

MD5 86735c3edd01fc05987d83196033eb38
SHA1 b1049d981ae8b2c1c3d40b2de656a1eb3e40bed1
SHA256 ec418656a802b63d5bc119d7cfa9ea5c0afdbd2696d50d23e7f6dfc2bde630e1
SHA512 4507a1e28b17e5a63dd495d81f9b5374a6104a26937d33c6b92505adb048a017055ac3fdd6d9c7967abd10881143245e4a8b623a5a50bc7ca1a0fa961a9bd62d