Analysis
-
max time kernel
179s -
max time network
161s -
platform
android_x86 -
resource
android-x86-arm-20240514-en -
resource tags
android arch:arm arch:x86 image:android-x86-arm-20240514-en locale:en-us os:android-9-x86 system -
submitted
30-05-2024 23:52
Static task
static1
Behavioral task
behavioral1
Sample
a89ab7a079cdec1c42e038ae5e54dd8e36aa62d71ecf982b2c125f4df74ff0f1.apk
Resource
android-x86-arm-20240514-en
General
-
Target
a89ab7a079cdec1c42e038ae5e54dd8e36aa62d71ecf982b2c125f4df74ff0f1.apk
-
Size
440KB
-
MD5
0ace9b82e5c108a3e812360d444738a1
-
SHA1
4dd872556838d32be207026e2940a8f1fb8585de
-
SHA256
a89ab7a079cdec1c42e038ae5e54dd8e36aa62d71ecf982b2c125f4df74ff0f1
-
SHA512
883251e64174ce14f754b2c3fe2e5395e78dabb2c29b0523f985b26ea4d2228fae5b8474db87e92d785dac45c04d9fe7f279cf7e8bef1d6267c91869a1fd8603
-
SSDEEP
12288:Mh3M3kGKATD2/rQEO7ZXZjqutpp5hDTS+JyaIipuS:CMD9TqUn7ZXwutjvDO+ZIipJ
Malware Config
Extracted
xloader_apk
http://91.204.227.39:28844
Signatures
-
XLoader payload 2 IoCs
Processes:
resource                           yara_rule
/data/data/r.vtolp.nawwxf/files/d  family_xloader_apk
/data/data/r.vtolp.nawwxf/files/d  family_xloader_apk2
-
XLoader, MoqHao
An Android banker and info stealer.
-
Checks if the Android device is rooted. 1 TTPs 3 IoCs
Processes:
ioc              process
/system/bin/su   r.vtolp.nawwxf
/system/xbin/su  r.vtolp.nawwxf
/sbin/su         r.vtolp.nawwxf
-
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs executable file dropped to the device during analysis.
Processes:
ioc                                  pid   process
/data/user/0/r.vtolp.nawwxf/files/d  4223  r.vtolp.nawwxf
/data/user/0/r.vtolp.nawwxf/files/d  4223  r.vtolp.nawwxf
-
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
Processes:
description             ioc                                                process
Framework service call  android.app.IActivityManager.setServiceForeground  r.vtolp.nawwxf
-
Queries account information for other applications stored on the device 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect account information stored on the device.
Processes:
description             ioc                                           process
Framework service call  android.accounts.IAccountManager.getAccounts  r.vtolp.nawwxf
-
Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
Processes:
description             ioc                                            process
Framework service call  android.net.wifi.IWifiManager.getConnectionInfo  r.vtolp.nawwxf
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Reads the contacts stored on the device. 1 TTPs 1 IoCs
Processes:
description            ioc                                           process
URI accessed for read  content://com.android.contacts/raw_contacts  r.vtolp.nawwxf
-
Reads the content of the MMS message. 1 TTPs 1 IoCs
Processes:
description            ioc             process
URI accessed for read  content://mms/  r.vtolp.nawwxf
-
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
Processes:
description             ioc                                           process
Framework service call  android.app.IActivityManager.registerReceiver  r.vtolp.nawwxf
-
Acquires the wake lock 1 IoCs
Processes:
description             ioc                                        process
Framework service call  android.os.IPowerManager.acquireWakeLock  r.vtolp.nawwxf
-
Checks if the internet connection is available 1 TTPs 1 IoCs
Processes:
description             ioc                                                    process
Framework service call  android.net.IConnectivityManager.getActiveNetworkInfo  r.vtolp.nawwxf
-
Reads information about phone network operator. 1 TTPs
-
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
Processes:
description         ioc                           process
Framework API call  javax.crypto.Cipher.doFinal  r.vtolp.nawwxf
Processes
-
r.vtolp.nawwxf
- Checks if the Android device is rooted.
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's foreground persistence service
- Queries account information for other applications stored on the device
- Queries information about the current Wi-Fi connection
- Reads the contacts stored on the device.
- Reads the content of the MMS message.
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Acquires the wake lock
- Checks if the internet connection is available
- Uses Crypto APIs (Might try to encrypt user data)
PID:4223
Network
MITRE ATT&CK Mobile v15
Persistence
- Event Triggered Execution: 1
- Broadcast Receivers: 1
- Foreground Persistence: 1
Defense Evasion
- Download New Code at Runtime: 1
- Foreground Persistence: 1
- Hide Artifacts: 1
- Suppress Application Icon: 1
Discovery
- Software Discovery: 1
- Security Software Discovery: 1
- System Information Discovery: 1
- System Network Configuration Discovery: 2
- System Network Connections Discovery: 2
Downloads
-
/data/data/r.vtolp.nawwxf/files/d
Filesize
453KB
MD5
a0d33b0500d1583e27643c8e196a6364
SHA1
f96482f00a8545dd6c70c0a65b21f051ed34dde2
SHA256
9cdaf7ebed7c3a34653b8cffa6ccdc3304150a34254859c19920235daa6395a9
SHA512
3dbb3d73d710aceb7028a472c7d61ceff97c976dab53fb390a8024b01d3a58755374cb2d41012c8d1763b258afc87efacfef9bf6833c92883d6c386cee265a24
-
/data/data/r.vtolp.nawwxf/files/oat/d.cur.prof
Filesize
1KB
MD5
ac2294b1d1aa59db58461225d6477b7f
SHA1
26e86cd021d0183c85eeed6608f5266adc12b14f
SHA256
341ee777059be8831cbe9e8418686c4e645d48949c1ee383d60de2e792d75794
SHA512
272992e87eae05c88882b9e13f3ae1441740906211cc27a9e4eaebe4d6d8b428d10ac82feaf13097ce36844c99f625288708b64b84e1d3a59278413dc6672a18
-
/storage/emulated/0/.msg_device_id.txt
Filesize
36B
MD5
f5b9950704a793acf184ab19e984a2d5
SHA1
47645bf1aee26f0cfe1f8c3b89d8d1e45fb7a4a5
SHA256
b060d54d1da4a2c6f2343d2c0566d117a7bafce55d37cc6db0b6cdbdcf9846cf
SHA512
8b7304d748b106d8a80560e3cf254cfc54733e8e9b87b7fb024a33862941604a4315544dbe95c3363962a67eb821446eb3bbb24a5495e6a9e34fb990ae723ad8