Analysis
-
max time kernel
179s -
max time network
166s -
platform
android_x64 -
resource
android-x64-arm64-20240514-en -
resource tags
-
submitted
02-06-2024 00:19
General
-
Target
1b0a6cbddc2a700211fc6055a85731e82f9f8f4de64ff6714f0fb8ff145fab33.apk
-
Size
205KB
-
MD5
f2d6f6a3c2ce6df2c3ec787a24ce55d1
-
SHA1
787dfe527aa93a7488b14175d9b182c2eb304cf3
-
SHA256
1b0a6cbddc2a700211fc6055a85731e82f9f8f4de64ff6714f0fb8ff145fab33
-
SHA512
61c1499bd6e9989f11e215d510fd9961b693d6bfcfbdc1f1f7659459a37e986ae4d6c021e29119820e48e618dd13430c63899d93bfc8a3955112d3b3def1136d
-
SSDEEP
6144:i2ydMW03PlMHKLATFhjHCORXelZGUXx++oPnOv+sU:5yl0f+MCb1efBk+VvRU
Malware Config
Extracted
xloader_apk
http://91.204.227.39:28844
Signatures
-
XLoader payload 2 IoCs
-
XLoader, MoqHao
An Android banker and info stealer.
-
Checks if the Android device is rooted. 1 TTPs 1 IoCs
-
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Removes its main activity from the application launcher 1 TTPs 1 IoCs
-
Requests changing the default SMS application. 2 TTPs 1 IoCs
-
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs executable file dropped to the device during analysis.
-
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
-
Queries account information for other applications stored on the device 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect account information stored on the device.
-
Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Reads the contacts stored on the device. 1 TTPs 1 IoCs
-
Reads the content of the MMS message. 1 TTPs 1 IoCs
-
Acquires the wake lock 1 IoCs
-
Checks if the internet connection is available 1 TTPs 1 IoCs
-
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
Processes
-
adwd.izoyo.mtgcc1⤵
- Checks if the Android device is rooted.
- Removes its main activity from the application launcher
- Requests changing the default SMS application.
- Loads dropped Dex/Jar
- Makes use of the framework's foreground persistence service
- Queries account information for other applications stored on the device
- Queries information about the current Wi-Fi connection
- Reads the contacts stored on the device.
- Reads the content of the MMS message.
- Acquires the wake lock
- Checks if the internet connection is available
- Uses Crypto APIs (Might try to encrypt user data)
Network
MITRE ATT&CK Mobile v15
Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Hide Artifacts
1Suppress Application Icon
1Discovery
Software Discovery
1Security Software Discovery
1System Information Discovery
1System Network Configuration Discovery
1System Network Connections Discovery
2Replay Monitor
Loading Replay Monitor...
Downloads
-
/data/user/0/adwd.izoyo.mtgcc/files/dexFilesize
454KB
MD5c908b637c002940ef72c0f34eda33115
SHA1c886b4786f696ca4be26516a83e842863e71f728
SHA256125b57669edb6060fea0e71718ea17c957186496c2c1ea010d95c64218fe31ae
SHA51257eafa70138d9b97af7c3160306133f1591f015563f4ebe21cb4a0354a6c2a380e246de64ea54d492e84d433b77b50d887ebdd3566002799abdeba66742ec350
-
/storage/emulated/0/.msg_device_id.txtFilesize
36B
MD50a0ee4b29be08e6c609e8ada6a109bcf
SHA15f63e12131e8833fff27c0d02fe54e32e2b40da9
SHA256402a1c298cd38b30f0e94386116637ff103bde2e7f255df643599f5f6ebcd797
SHA512afca9ebeb91ed4fcf517b06ea33f3de0f7bb034dedd41e6bca6aa7aae09d91618fbe0d030e72282945469967bb028c4d105ee1ca674dd0328de0d22f14420de6