Analysis
-
max time kernel
179s -
max time network
181s -
platform
android_x64 -
resource
android-x64-20240514-en -
resource tags
androidarch:x64arch:x86image:android-x64-20240514-enlocale:en-usos:android-10-x64system -
submitted
19-05-2024 22:04
Static task
static1
Behavioral task
behavioral1
Sample
ce3313bd7c3134904d5a2c1faea4ff83d512479255cdd0f5296c415fbec95187.apk
Resource
android-x86-arm-20240514-en
Behavioral task
behavioral2
Sample
ce3313bd7c3134904d5a2c1faea4ff83d512479255cdd0f5296c415fbec95187.apk
Resource
android-x64-20240514-en
Behavioral task
behavioral3
Sample
ce3313bd7c3134904d5a2c1faea4ff83d512479255cdd0f5296c415fbec95187.apk
Resource
android-x64-arm64-20240514-en
General
-
Target
ce3313bd7c3134904d5a2c1faea4ff83d512479255cdd0f5296c415fbec95187.apk
-
Size
205KB
-
MD5
a4998cf1f8315383b3aa0ff957cb65bd
-
SHA1
45f8af06acd0e4f815bf69c7d3098b9affac5c6b
-
SHA256
ce3313bd7c3134904d5a2c1faea4ff83d512479255cdd0f5296c415fbec95187
-
SHA512
dff7ba87d5544fc08067aada33d3b8f8d9ef2ac1ba909ccfd86fdc35fd912a345a65db79571f4d74fc5f6ab6bd58f8e777c91049d99ccdc44d67f3560af05389
-
SSDEEP
3072:wsFRzkx39oO52yaXLYITXTQ4Qm95pS+Xt0edn3KXCHhNuF/JWCsIjqmgd3Jy7wID:ZG9oOAPX4m9dSedICH8RWcZgd5otBN
Malware Config
Extracted
xloader_apk
http://91.204.227.39:28844
Signatures
-
XLoader payload 2 IoCs
Processes:
resource yara_rule /data/data/ulus.yczef.yimsr/files/dex family_xloader_apk /data/data/ulus.yczef.yimsr/files/dex family_xloader_apk2 -
XLoader, MoqHao
An Android banker and info stealer.
-
Checks if the Android device is rooted. 1 TTPs 3 IoCs
Processes:
ulus.yczef.yimsrioc process /system/xbin/su ulus.yczef.yimsr /sbin/su ulus.yczef.yimsr /system/bin/su ulus.yczef.yimsr -
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs executable file dropped to the device during analysis.
Processes:
ulus.yczef.yimsrioc pid process /data/user/0/ulus.yczef.yimsr/files/dex 5115 ulus.yczef.yimsr /data/user/0/ulus.yczef.yimsr/files/dex 5115 ulus.yczef.yimsr -
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
Processes:
ulus.yczef.yimsrdescription ioc process Framework service call android.app.IActivityManager.setServiceForeground ulus.yczef.yimsr -
Queries account information for other applications stored on the device 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect account information stored on the device.
Processes:
ulus.yczef.yimsrdescription ioc process Framework service call android.accounts.IAccountManager.getAccounts ulus.yczef.yimsr -
Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
Processes:
ulus.yczef.yimsrdescription ioc process Framework service call android.net.wifi.IWifiManager.getConnectionInfo ulus.yczef.yimsr -
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Reads the content of the MMS message. 1 TTPs 1 IoCs
Processes:
ulus.yczef.yimsrdescription ioc process URI accessed for read content://mms/ ulus.yczef.yimsr -
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
Processes:
ulus.yczef.yimsrdescription ioc process Framework service call android.app.IActivityManager.registerReceiver ulus.yczef.yimsr -
Acquires the wake lock 1 IoCs
Processes:
ulus.yczef.yimsrdescription ioc process Framework service call android.os.IPowerManager.acquireWakeLock ulus.yczef.yimsr -
Checks if the internet connection is available 1 TTPs 1 IoCs
Processes:
ulus.yczef.yimsrdescription ioc process Framework service call android.net.IConnectivityManager.getActiveNetworkInfo ulus.yczef.yimsr -
Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
-
Reads information about phone network operator. 1 TTPs
-
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
Processes:
ulus.yczef.yimsrdescription ioc process Framework API call javax.crypto.Cipher.doFinal ulus.yczef.yimsr
Processes
-
ulus.yczef.yimsr1⤵
- Checks if the Android device is rooted.
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's foreground persistence service
- Queries account information for other applications stored on the device
- Queries information about the current Wi-Fi connection
- Reads the content of the MMS message.
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Acquires the wake lock
- Checks if the internet connection is available
- Uses Crypto APIs (Might try to encrypt user data)
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
/data/data/ulus.yczef.yimsr/files/dexFilesize
454KB
MD5c908b637c002940ef72c0f34eda33115
SHA1c886b4786f696ca4be26516a83e842863e71f728
SHA256125b57669edb6060fea0e71718ea17c957186496c2c1ea010d95c64218fe31ae
SHA51257eafa70138d9b97af7c3160306133f1591f015563f4ebe21cb4a0354a6c2a380e246de64ea54d492e84d433b77b50d887ebdd3566002799abdeba66742ec350
-
/data/data/ulus.yczef.yimsr/files/oat/dex.cur.profFilesize
1KB
MD545283daa9e05ae2153c1bb220e33de8d
SHA131dddd372fa606805a6e4b0d688ec965ee43bd39
SHA256e70417309ef4da7e7d1607411ba4bce37c774058ba74ce6b13ee54336fa1fd8e
SHA5123dd5928e85cf34994399b32b08c51e447a6b1ca6b1621bca8d873db245ce5b7625e17e417770dd30e4b82325b3f59f28b9f0e811bdffc836743a5ae09498dd55
-
/storage/emulated/0/.msg_device_id.txtFilesize
36B
MD56c301c6c7bf2761e4c362648ab86c8cb
SHA13f86a3cdf5467e4e4676a4c70e500713ec7e071a
SHA2568ccd9721f6db66cc6bfec7e43c6e5382d528ba583831d0d2fb6803b7cc3c47c8
SHA512f8563f2d4d2a484b8df2a7cfcf556e00a81fb52753562c4f6f5fab0be3f36b75b217944279863a149ff4efc450fb5d7046809b1ea1ed3f156ed1c09bd0a98735