Analysis
-
max time kernel
179s -
max time network
187s -
platform
android_x64 -
resource
android-x64-arm64-20240514-en -
resource tags
androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240514-enlocale:en-usos:android-11-x64system -
submitted
21-05-2024 22:03
Static task
static1
Behavioral task
behavioral1
Sample
e1fedb5339ba0078daacfa30e31c8a0a2c047a67605d4541616a6e25f8b4689b.apk
Resource
android-x86-arm-20240514-en
Behavioral task
behavioral2
Sample
e1fedb5339ba0078daacfa30e31c8a0a2c047a67605d4541616a6e25f8b4689b.apk
Resource
android-x64-20240514-en
Behavioral task
behavioral3
Sample
e1fedb5339ba0078daacfa30e31c8a0a2c047a67605d4541616a6e25f8b4689b.apk
Resource
android-x64-arm64-20240514-en
General
-
Target
e1fedb5339ba0078daacfa30e31c8a0a2c047a67605d4541616a6e25f8b4689b.apk
-
Size
302KB
-
MD5
454375d894a3d4d4bb473d4cd3269ffb
-
SHA1
d7c2d1c2f5d98369bbd00ec7b428979fd6ad3603
-
SHA256
e1fedb5339ba0078daacfa30e31c8a0a2c047a67605d4541616a6e25f8b4689b
-
SHA512
654fb9707ad47191003a576b08fe2f5b5df85866602c6f92934feecc0a23da7720d1e3734c82cdf572b9934dc40026115e24fcc3c91e26456ce4d1d1d0c87293
-
SSDEEP
6144:9pkNPMSzQx5lzu2jd8de8/bgfUj6QPX3z2p9ToCBTzJ:91/lBjd8e8UfUjJP3Ixx
Malware Config
Extracted
xloader_apk
http://91.204.227.39:28844
Signatures
-
XLoader payload 2 IoCs
Processes:
resource yara_rule /data/user/0/hghb.svacm.pifmn/files/dex family_xloader_apk /data/user/0/hghb.svacm.pifmn/files/dex family_xloader_apk2 -
XLoader, MoqHao
An Android banker and info stealer.
-
Checks if the Android device is rooted. 1 TTPs 1 IoCs
-
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Requests changing the default SMS application. 2 TTPs 1 IoCs
-
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs executable file dropped to the device during analysis.
Processes:
hghb.svacm.pifmnioc pid process /data/user/0/hghb.svacm.pifmn/files/dex 4676 hghb.svacm.pifmn /data/user/0/hghb.svacm.pifmn/files/dex 4676 hghb.svacm.pifmn -
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
Processes:
hghb.svacm.pifmndescription ioc process Framework service call android.app.IActivityManager.setServiceForeground hghb.svacm.pifmn -
Queries account information for other applications stored on the device 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect account information stored on the device.
Processes:
hghb.svacm.pifmndescription ioc process Framework service call android.accounts.IAccountManager.getAccountsAsUser hghb.svacm.pifmn -
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Reads the content of the MMS message. 1 TTPs 1 IoCs
Processes:
hghb.svacm.pifmndescription ioc process URI accessed for read content://mms/ hghb.svacm.pifmn -
Acquires the wake lock 1 IoCs
Processes:
hghb.svacm.pifmndescription ioc process Framework service call android.os.IPowerManager.acquireWakeLock hghb.svacm.pifmn -
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
Processes:
hghb.svacm.pifmndescription ioc process Framework API call javax.crypto.Cipher.doFinal hghb.svacm.pifmn
Processes
-
hghb.svacm.pifmn1⤵
- Checks if the Android device is rooted.
- Removes its main activity from the application launcher
- Requests changing the default SMS application.
- Loads dropped Dex/Jar
- Makes use of the framework's foreground persistence service
- Queries account information for other applications stored on the device
- Reads the content of the MMS message.
- Acquires the wake lock
- Uses Crypto APIs (Might try to encrypt user data)
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
/data/user/0/hghb.svacm.pifmn/files/dexFilesize
580KB
MD58c7542abcfd5e2c08e99555d8d0bc605
SHA15f40007a5343603be18a1ce3c39ce43604099be5
SHA2560cd2b17aa21cd8de63842da21e3464df7bb2bd4a278fffbbfea6b294c3ca9e6d
SHA512362c7dd23aa52a9c72e9d90eebb99e1d4e4cd01b68348249bbeee4bb407728aabd30874488926635bacb2e1d640ad4e95852e345afa8ad66057c80c8f768ed88
-
/data/user/0/hghb.svacm.pifmn/files/oat/dex.cur.profFilesize
1KB
MD5665fe01462c6b5ab3a1e30d5fb3acdbf
SHA10dd527ccea467532d7a6bef870af1fbfe02ba9b9
SHA256868823a6e6e74cca6ac1f00bdb11f491644f54aaf55cbf1f6c4c0d2a923d4a54
SHA512c8d0045d8af816af2e118b6e1e1e325cf99e0e231c42d9efcb3179152d233ccd2e62587930b5d6526bd370dfdc4a39258d2bd3df70d36eb85cc24f19d965fc44
-
/storage/emulated/0/.msg_device_id.txtFilesize
36B
MD59844c30d158ecf5c8717c36857d2ed13
SHA19ebdd720632d47646f97631e4e44fb29bbbe602e
SHA256f62278d669643750102967702f9171ace8af97936836dabb7895644c8db28d4d
SHA512821fef4ce7121e1234397512bf3725ef66c2e24d0f1ed6ebf888dd5684a3bfcbe5603d22a5f2bd0428590cfd6fc83e2e8d0834d95ed90724fff9cdbeef8f79ea