xloader_apk | af8751dd7b2f5d994291189b618076cf10cc591dff509e54195eed29b2478ffa

General

Target

9f34f8ed1573d33b56ffeb628dd33559_JaffaCakes118
Size

431KB
Sample

240611-xjd16axelp
MD5

9f34f8ed1573d33b56ffeb628dd33559
SHA1

fa73ac11441b981cbb732405d419297bdcc5d953
SHA256

af8751dd7b2f5d994291189b618076cf10cc591dff509e54195eed29b2478ffa
SHA512

ef220f4be0f3b8fd4b8e3d888240d81f7d8c3ae4a2a2c1caef3e7b90be1978f19534a89dc6e4e1fb84e03872884a926497db59aeafc840705cd0fe8589bbffe3
SSDEEP

12288:spBU9+y1M4QA9K5a6b5vDjzCvlb7VboRJ3oq:iO9tmoK/8tBorz

Score

10^/10

Malware Config

Extracted

Family

xloader_apk

C2

http://91.204.227.39:28844

DES_key

Targets

- Target
  
  9f34f8ed1573d33b56ffeb628dd33559_JaffaCakes118
- Size
  
  431KB
- MD5
  
  9f34f8ed1573d33b56ffeb628dd33559
- SHA1
  
  fa73ac11441b981cbb732405d419297bdcc5d953
- SHA256
  
  af8751dd7b2f5d994291189b618076cf10cc591dff509e54195eed29b2478ffa
- SHA512
  
  ef220f4be0f3b8fd4b8e3d888240d81f7d8c3ae4a2a2c1caef3e7b90be1978f19534a89dc6e4e1fb84e03872884a926497db59aeafc840705cd0fe8589bbffe3
- SSDEEP
  
  12288:spBU9+y1M4QA9K5a6b5vDjzCvlb7VboRJ3oq:iO9tmoK/8tBorz
Score

10^/10

xloader_apk banker collection discovery evasion impact infostealer persistence stealth trojan
- XLoader payload
- XLoader, MoqHao
  An Android banker and info stealer.
  trojan infostealer banker xloader_apk
- Checks if the Android device is rooted.
  evasion
- Removes its main activity from the application launcher
  stealth trojan evasion
- Loads dropped Dex/Jar
  Runs executable file dropped to the device during analysis.
  evasion
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
  banker discovery
- Queries account information for other applications stored on the device
  Application may abuse the framework's APIs to collect account information stored on the device.
  collection
- Queries the phone number (MSISDN for GSM devices)
  discovery
- Reads the content of the MMS message.
  collection
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
  Application may abuse the framework's foreground service to continue running in the foreground.
  evasion persistence
- Queries information about active data network
  discovery
- Queries information about the current Wi-Fi connection
  Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
  discovery
- Queries the unique device ID (IMEI, MEID, IMSI)
  discovery
- Reads information about phone network operator.
  discovery
- Requests changing the default SMS application.
  collection impact
- Requests disabling of battery optimizations (often used to enable hiding in the background).
  evasion
behavioral1 behavioral2 behavioral3

MITRE ATT&CK Matrix

Tasks

Sharing

General

Malware Config

Extracted

Targets

XLoader payload

XLoader, MoqHao

Checks if the Android device is rooted.

Removes its main activity from the application launcher

Loads dropped Dex/Jar

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Queries account information for other applications stored on the device

Queries the phone number (MSISDN for GSM devices)

Reads the content of the MMS message.

Acquires the wake lock

Makes use of the framework's foreground persistence service

Queries information about active data network

Queries information about the current Wi-Fi connection

Queries the unique device ID (IMEI, MEID, IMSI)

Reads information about phone network operator.

Requests changing the default SMS application.

Requests disabling of battery optimizations (often used to enable hiding in the background).

MITRE ATT&CK Matrix

Tasks

static1

behavioral1

behavioral2

behavioral3