xloader_apk | aeba0c63341f7e9d94ec7de700230ad8287c8e7b2d6cc0d2120cb5f5af66c548

Analysis

max time kernel
179s
max time network
138s
platform
android_x86
resource
android-x86-arm-20240514-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20240514-enlocale:en-usos:android-9-x86system
submitted
31/05/2024, 23:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

88aa4b9568bdb1c4f97fd53718650ee1_JaffaCakes118.apk
Size

291KB
MD5

88aa4b9568bdb1c4f97fd53718650ee1
SHA1

9869de7529d9d4019cdc098cd754a96f30aa70a6
SHA256

aeba0c63341f7e9d94ec7de700230ad8287c8e7b2d6cc0d2120cb5f5af66c548
SHA512

090c09c0da976c13f4e4af156bb052e2adb6d46c20840f5350d97e2ee3141e0be96b0eca0c9593999b6cc7ffce8decebc35e69706d1fde72cb73c3d72a0f695b
SSDEEP

6144:6Ld8XP7NS0XvlUf43Y9pVaM0OnZ6MKqMXHaNDSbmjJMhqW7Jc2i:656zhfKfxl0OZ6WsHDyjEFJcn

Score

10^/10

xloader_apk banker collection discovery evasion impact infostealer persistence stealth trojan

Malware Config

Signatures

XLoader payload 1 IoCs

resource	yara_rule
behavioral1/files/fstream-1.dat	family_xloader_apk2

XLoader, MoqHao
An Android banker and info stealer.
trojan infostealer banker xloader_apk

Checks if the Android device is rooted. 1 TTPs 3 IoCs

evasion

System Information Discovery

T1426

ioc	Process
/system/xbin/su	com.inia.bnwc
/sbin/su	com.inia.bnwc
/system/bin/su	com.inia.bnwc

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001

Removes its main activity from the application launcher 1 TTPs 1 IoCs

stealth trojan evasion

Suppress Application Icon

T1628.001

pid	Process
4329	com.inia.bnwc

Requests changing the default SMS application. 2 TTPs 1 IoCs

collection impact

SMS Messages

T1636.004

SMS Control

T1582

description	ioc	Process
Intent action	android.provider.Telephony.ACTION_CHANGE_DEFAULT	com.inia.bnwc

Loads dropped Dex/Jar 1 TTPs 2 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.inia.bnwc/files/dex	4329	com.inia.bnwc
/data/user/0/com.inia.bnwc/files/dex	4329	com.inia.bnwc

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

evasion persistence

Foreground Persistence

T1541

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	com.inia.bnwc

Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Reads the content of the MMS message. 1 TTPs 1 IoCs

collection

SMS Messages

T1636.004

description	ioc	Process
URI accessed for read	content://mms/	com.inia.bnwc

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	com.inia.bnwc

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.inia.bnwc

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs

evasion

User Evasion

T1628.002

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.inia.bnwc

com.inia.bnwc
1⤵
- Checks if the Android device is rooted.
- Removes its main activity from the application launcher
- Requests changing the default SMS application.
- Loads dropped Dex/Jar
- Makes use of the framework's foreground persistence service
- Reads the content of the MMS message.
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Acquires the wake lock
- Requests disabling of battery optimizations (often used to enable hiding in the background).
PID:4329

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Foreground Persistence

T1541

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Foreground Persistence

T1541

Hide Artifacts

T1628

Suppress Application Icon

T1628.001

User Evasion

T1628.002

Credential Access

Discovery

Software Discovery

T1418

Security Software Discovery

T1418.001

System Information Discovery

T1426

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Protected User Data

T1636

SMS Messages

T1636.004

Command and Control

Exfiltration

Impact

SMS Control

T1582

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.inia.bnwc/files/dex

Filesize
483KB

MD5
384bf7c23cc9357a9186c5569b9a651a

SHA1
a83ac005c4599e9fb6b09a0295ed44bc4f9090c3

SHA256
5049cfb7fccf9b87de4e12f7ce77521666eb97acf3eb22da0c4310bc252bc9bd

SHA512
71cd4a5c52d902db6f4de271aa83860d7107de362727371e50bc9c1d883aed6e7520967ff6c6cc26486465805ac94ea6197f321b3825bc1c9f0e187a23b2d981

Download Submit
/data/data/com.inia.bnwc/files/oat/dex.cur.prof

Filesize
830B

MD5
93877d683d2b3aa3c286531e64c18791

SHA1
d0773b3a8bed33f9cf4d617c815dd32b5de476e2

SHA256
ac8b74c941a54ada56d5db2818aab5cacfebc83c1b4bc2a9574a8f2c11b63d51

SHA512
79a91a886689f25f0e102970e7fcba88123017d7b363f6d540ca0df3247c88afed1323e4ec2537bedb887a0b47f8e2e82af3a9d8d717462fc8afec40718360f3

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads