xloader_apk | bf3f51bf8720246b4afd754164e6a6b5df23a8470121b2a12f0c2ccec6432686

General

Target

9dab8c3da71a62ebd0f2c8f9324ec11c_JaffaCakes118
Size

431KB
Sample

240611-k6c16asckj
MD5

9dab8c3da71a62ebd0f2c8f9324ec11c
SHA1

8ecb1515175b9441f348c3164dfa37d9f71aa3cb
SHA256

bf3f51bf8720246b4afd754164e6a6b5df23a8470121b2a12f0c2ccec6432686
SHA512

e84ebcd49f178e750fce33fbd01b9d3f747fc966e6fc80a327f6044585e3ef19db32b2ab0c84896a23fb2725398e4429bb4ae1e325886a3e401f2993669fc383
SSDEEP

12288:jKpShoTIg33qZ0WatDIjr1K+h/dOkScVEOZnpCVC:OkazqZJKc1xldOkSc3ZnpCVC

Score

10^/10

Malware Config

Extracted

Family

xloader_apk

C2

http://91.204.227.39:28844

DES_key

Targets

- Target
  
  9dab8c3da71a62ebd0f2c8f9324ec11c_JaffaCakes118
- Size
  
  431KB
- MD5
  
  9dab8c3da71a62ebd0f2c8f9324ec11c
- SHA1
  
  8ecb1515175b9441f348c3164dfa37d9f71aa3cb
- SHA256
  
  bf3f51bf8720246b4afd754164e6a6b5df23a8470121b2a12f0c2ccec6432686
- SHA512
  
  e84ebcd49f178e750fce33fbd01b9d3f747fc966e6fc80a327f6044585e3ef19db32b2ab0c84896a23fb2725398e4429bb4ae1e325886a3e401f2993669fc383
- SSDEEP
  
  12288:jKpShoTIg33qZ0WatDIjr1K+h/dOkScVEOZnpCVC:OkazqZJKc1xldOkSc3ZnpCVC
Score

10^/10

xloader_apk banker collection discovery evasion impact infostealer persistence stealth trojan
- XLoader payload
- XLoader, MoqHao
  An Android banker and info stealer.
  trojan infostealer banker xloader_apk
- Checks if the Android device is rooted.
  evasion
- Removes its main activity from the application launcher
  stealth trojan evasion
- Loads dropped Dex/Jar
  Runs executable file dropped to the device during analysis.
  evasion
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
  banker discovery
- Queries account information for other applications stored on the device
  Application may abuse the framework's APIs to collect account information stored on the device.
  collection
- Queries the phone number (MSISDN for GSM devices)
  discovery
- Reads the content of the MMS message.
  collection
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
  Application may abuse the framework's foreground service to continue running in the foreground.
  evasion persistence
- Queries information about active data network
  discovery
- Queries information about the current Wi-Fi connection
  Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
  discovery
- Reads information about phone network operator.
  discovery
- Requests changing the default SMS application.
  collection impact
- Requests disabling of battery optimizations (often used to enable hiding in the background).
  evasion
behavioral1 behavioral2 behavioral3

MITRE ATT&CK Matrix

Tasks

Sharing

General

Malware Config

Extracted

Targets

XLoader payload

XLoader, MoqHao

Checks if the Android device is rooted.

Removes its main activity from the application launcher

Loads dropped Dex/Jar

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Queries account information for other applications stored on the device

Queries the phone number (MSISDN for GSM devices)

Reads the content of the MMS message.

Acquires the wake lock

Makes use of the framework's foreground persistence service

Queries information about active data network

Queries information about the current Wi-Fi connection

Reads information about phone network operator.

Requests changing the default SMS application.

Requests disabling of battery optimizations (often used to enable hiding in the background).

MITRE ATT&CK Matrix

Tasks

static1

behavioral1

behavioral2

behavioral3