Analysis
- max time kernel: 149s
- max time network: 155s
- platform: android_x86
- resource: android-x86-arm-20240221-en
- resource tags: android, arch:arm, arch:x86, image:android-x86-arm-20240221-en, locale:en-us, os:android-9-x86, system
- submitted: 30-04-2024 22:02
Static task: static1

Behavioral task: behavioral1
- Sample: ed30cb030113fda302a2c396b9601830fdd3e37eaae35e5275b76fc2cf60404c.apk
- Resource: android-x86-arm-20240221-en

Behavioral task: behavioral2
- Sample: ed30cb030113fda302a2c396b9601830fdd3e37eaae35e5275b76fc2cf60404c.apk
- Resource: android-x64-20240221-en

Behavioral task: behavioral3
- Sample: ed30cb030113fda302a2c396b9601830fdd3e37eaae35e5275b76fc2cf60404c.apk
- Resource: android-x64-arm64-20240221-en
General
- Target: ed30cb030113fda302a2c396b9601830fdd3e37eaae35e5275b76fc2cf60404c.apk
- Size: 205KB
- MD5: 246ebb34c1c28512d67c18f1513968c0
- SHA1: 0c6dd62ef0214ce6418159b0d23352f85d261333
- SHA256: ed30cb030113fda302a2c396b9601830fdd3e37eaae35e5275b76fc2cf60404c
- SHA512: c3ba6c393354a7c40a18453e58e741ab756c6dd77a552d03ec7d925064572ce8eef3a2e5698b274361ef18ca34b87d40fb80b1297cb1b9277f96d7465d001598
- SSDEEP: 3072:7/RXv/CfOSNVOOa6ahUTQhsnhd6Y0zi3uP8USojMr1qSfsFxINzX3dlSuf:jRXXATVRaRIQ06s3uP8noArQLxAzBf
Malware Config
- Extracted: xloader_apk
- URL: http://91.204.227.39:28844
Signatures
- XLoader payload (2 IoCs)
  Processes:
    resource: /data/data/jhm.er.sj/files/dex, yara_rule: family_xloader_apk
    resource: /data/data/jhm.er.sj/files/dex, yara_rule: family_xloader_apk2
- XLoader, MoqHao
  An Android banker and info stealer.
- Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 TTP)
- Loads dropped Dex/Jar (1 TTP, 2 IoCs)
  Runs an executable file dropped to the device during analysis.
  Processes:
    ioc: /data/user/0/jhm.er.sj/files/dex, pid: 4179, process: jhm.er.sj
    ioc: /data/user/0/jhm.er.sj/files/dex, pid: 4179, process: jhm.er.sj
- Makes use of the framework's foreground persistence service (1 TTP, 1 IoC)
  Application may abuse the framework's foreground service to continue running in the foreground.
  Processes:
    description: Framework service call, ioc: android.app.IActivityManager.setServiceForeground, process: jhm.er.sj
- Queries account information for other applications stored on the device (1 TTP, 1 IoC)
  Application may abuse the framework's APIs to collect account information stored on the device.
  Processes:
    description: Framework service call, ioc: android.accounts.IAccountManager.getAccounts, process: jhm.er.sj
- Reads the content of the MMS message (1 TTP, 1 IoC)
- Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTP, 1 IoC)
  Processes:
    description: Framework service call, ioc: android.app.IActivityManager.registerReceiver, process: jhm.er.sj
- Acquires the wake lock (1 IoC)
  Processes:
    description: Framework service call, ioc: android.os.IPowerManager.acquireWakeLock, process: jhm.er.sj
- Uses Crypto APIs (might try to encrypt user data) (1 TTP, 1 IoC)
  Processes:
    description: Framework API call, ioc: javax.crypto.Cipher.doFinal, process: jhm.er.sj
Processes
- jhm.er.sj (process 1)
  - Removes its main activity from the application launcher
  - Loads dropped Dex/Jar
  - Makes use of the framework's foreground persistence service
  - Queries account information for other applications stored on the device
  - Reads the content of the MMS message
  - Registers a broadcast receiver at runtime (usually for listening for system events)
  - Acquires the wake lock
  - Uses Crypto APIs (might try to encrypt user data)
Network
MITRE ATT&CK Matrix
Downloads
- /data/data/jhm.er.sj/files/dex
  Filesize: 454KB
  MD5: dccd8cb67405ad4d9b53e36c040d53b9
  SHA1: ddba058c9cf0ad4e594c4885e7bb71a7a4442856
  SHA256: 8c221b88e6755f04827bf176521a83a6e06ac054b3edca7aeb7c743a41fa01e6
  SHA512: 28a25885bb0bd38d28ba3118a25253b41e17211fc00af2df6ee55ed70b8ea08862afab0661fd9db3085403bbb224f2231850b695f09bd94044e45574c27114ab
- /data/data/jhm.er.sj/files/oat/dex.cur.prof
  Filesize: 1KB
  MD5: 400d4ff9ab2bb83eff3d5131509d1093
  SHA1: 6ef0f82de70da5eb61004940bae7aa6e56ab107a
  SHA256: 696ec7e4da9cb70b35fe156ec526af04a5fa585b4a3ffb1094f8f3ecab330ff3
  SHA512: d9115f23e5ec5358fa705791685d659f68c2cc454b2761410f6fb7d634f5e59c98ef5660c1f5d7265eda62737cdce4bc3eea71868ea2980bef4e8f4cb03f1c35
- /data/data/jhm.er.sj/files/oat/dex.cur.prof
  Filesize: 1KB
  MD5: 2fb8493f0373bc4dedf2be6e0502709d
  SHA1: 3290daae71ba94bb221441d3769e33aa0c8b0a45
  SHA256: 150efee2bdbc19d2e444ef019a56cd6f30bf5fc48250d807402262c5643514d5
  SHA512: b0dfb11036479d657b43f62d91060d1bff0ace4e0f413391e5927753a679782865fb7be3dec854e941e558cdc144a61ac43dfd6ac6f84393eb6319ba55850e84
- /data/data/jhm.er.sj/files/oat/dex.cur.prof
  Filesize: 1KB
  MD5: a0c5427bbe60702cff52f8ab2c4f8dfb
  SHA1: 6c5ea925363b67fcd5244aac875b577516c79abb
  SHA256: 6548415d8aa0d3c965654d49030749389fac6db5f145d708f5fcea53f862f7fb
  SHA512: 25a4308e4edaea0ed51e501e51d666ee6c1da0d01b5b1e10049aa1ba26586357b1c9dcac3c311e14f47459a1cf762c05faf5a5033c70bdedc5bc8b3139e00c7b
- /storage/emulated/0/.msg_device_id.txt
  Filesize: 36B
  MD5: 18fab27b0fb072b96c9fc764ca6aaf4b
  SHA1: 9cf3f4b68c12fe9cac5e4f9dc9add9516733f41e
  SHA256: e9508773d96e551cade8cb987a600d9a1cd37f0cb3806ff5c67ad723f52761c1
  SHA512: c6a43ee20f50ec8e5566d79eccbc4059b515de6ab2f3402d5e92ff79600325d55807298c1c829574d1810100c45f375ef4bc68b721b080da9700863421c2226a