Overview

overview

10

Static

static

6

1b0a6cbddc...33.apk

android-9-x86

10

1b0a6cbddc...33.apk

android-10-x64

10

1b0a6cbddc...33.apk

android-11-x64

10

Analysis

  • max time kernel
    179s
  • max time network
    166s
  • platform
    android_x64
  • resource
    android-x64-20240514-en
  • resource tags

    androidarch:x64arch:x86image:android-x64-20240514-enlocale:en-usos:android-10-x64system
  • submitted
    02-06-2024 00:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1b0a6cbddc2a700211fc6055a85731e82f9f8f4de64ff6714f0fb8ff145fab33.apk

  • Size

    205KB

  • MD5

    f2d6f6a3c2ce6df2c3ec787a24ce55d1

  • SHA1

    787dfe527aa93a7488b14175d9b182c2eb304cf3

  • SHA256

    1b0a6cbddc2a700211fc6055a85731e82f9f8f4de64ff6714f0fb8ff145fab33

  • SHA512

    61c1499bd6e9989f11e215d510fd9961b693d6bfcfbdc1f1f7659459a37e986ae4d6c021e29119820e48e618dd13430c63899d93bfc8a3955112d3b3def1136d

  • SSDEEP

    6144:i2ydMW03PlMHKLATFhjHCORXelZGUXx++oPnOv+sU:5yl0f+MCb1efBk+VvRU

Score
10/10
xloader_apkbankercollectiondiscoveryevasionimpactinfostealerpersistencestealthtrojan

Malware Config

Extracted

Family

xloader_apk

C2

http://91.204.227.39:28844

DES_key

Signatures

  • XLoader payload 2 IoCs
  • XLoader, MoqHao

    An Android banker and info stealer.

    trojaninfostealerbankerxloader_apk
  • Checks if the Android device is rooted. 1 TTPs 3 IoCs
    evasion
  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
    bankerdiscovery
  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
    stealthtrojanevasion
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    evasionpersistence
  • Queries account information for other applications stored on the device 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect account information stored on the device.

    collection
  • Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

    discovery
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Reads the contacts stored on the device. 1 TTPs 1 IoCs
    collection
  • Reads the content of the MMS message. 1 TTPs 1 IoCs
    collection
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
    persistence
  • Acquires the wake lock 1 IoCs
  • Checks if the internet connection is available 1 TTPs 1 IoCs
    discovery
  • Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
    discovery
  • Reads information about phone network operator. 1 TTPs
    discovery
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
    impact

Processes

  • adwd.izoyo.mtgcc
    1⤵
    • Checks if the Android device is rooted.
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's foreground persistence service
    • Queries account information for other applications stored on the device
    • Queries information about the current Wi-Fi connection
    • Reads the contacts stored on the device.
    • Reads the content of the MMS message.
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Acquires the wake lock
    • Checks if the internet connection is available
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:5143

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/adwd.izoyo.mtgcc/files/dex
    Filesize

    454KB

    MD5

    c908b637c002940ef72c0f34eda33115

    SHA1

    c886b4786f696ca4be26516a83e842863e71f728

    SHA256

    125b57669edb6060fea0e71718ea17c957186496c2c1ea010d95c64218fe31ae

    SHA512

    57eafa70138d9b97af7c3160306133f1591f015563f4ebe21cb4a0354a6c2a380e246de64ea54d492e84d433b77b50d887ebdd3566002799abdeba66742ec350

    Download Submit

  • /data/data/adwd.izoyo.mtgcc/files/oat/dex.cur.prof
    Filesize

    1KB

    MD5

    e8771c5fef124ba08fbf2361d8709cf4

    SHA1

    70093c3ab54c33fdb0d55d5f9d392b1bf9707757

    SHA256

    7e1fc4ab6a662ad7433968de681f123cee699e11b08affc8477a385f20f472c2

    SHA512

    191ee1eeca7b122b3db5d269d8bb55194d35414cabe155971eeb3279fce040452008415b673f9b1fa2bbd05f270e1f66e120593eaeacfa950649cd8457bbb08f

    Download Submit

  • /storage/emulated/0/.msg_device_id.txt
    Filesize

    36B

    MD5

    ad7cc74a54bec2ab05d523233a68ad74

    SHA1

    545bfb84d20cbb23aaae17d133b2e2ad37b2839c

    SHA256

    c56348674341baf668c7cc84ec33c3ca9b1b002358861fbd938e7aa839ad5f8c

    SHA512

    c91c22ac030802d9a9b0b5d25ff2dc37d98209a38a63194a1de000e1e68c08cec67f53e06ec59527b82cedf883fab201567340701d758f3af7676a362fafccbc

    Download Submit