Analysis
-
max time kernel
10s -
max time network
183s -
platform
android_x86 -
resource
android-x86-arm-20240611.1-en -
resource tags
androidarch:armarch:x86image:android-x86-arm-20240611.1-enlocale:en-usos:android-9-x86system -
submitted
12-06-2024 22:14
Static task
static1
Behavioral task
behavioral1
Sample
2df6335a074a17b6fc685eebbf8cc036acf152b2e63b918ae221dcdf0e0346f3.apk
Resource
android-x86-arm-20240611.1-en
General
-
Target
2df6335a074a17b6fc685eebbf8cc036acf152b2e63b918ae221dcdf0e0346f3.apk
-
Size
436KB
-
MD5
1868d729f483d777737b8289e0c59bca
-
SHA1
750e17a1af01dd2070fc47d0a2bc640f8d2cef7f
-
SHA256
2df6335a074a17b6fc685eebbf8cc036acf152b2e63b918ae221dcdf0e0346f3
-
SHA512
431e84e564bb8a5b3cdfc9218b475a18d4314dd6d32338427b0f663ad262d55222f6832aed7c9671085ff16ceea18ea2ff2b4e36065b4ee68d3574cb789f8c2b
-
SSDEEP
12288:YASErcqs13T0ERAcWyysVeDaNju9+HkAbtT4qw:zXrcqsFvvys7udAba
Malware Config
Extracted
xloader_apk
http://91.204.227.50:28899
Signatures
-
XLoader payload 1 IoCs
resource yara_rule behavioral1/files/fstream-3.dat family_xloader_apk2 -
XLoader, MoqHao
An Android banker and info stealer.
-
Checks if the Android device is rooted. 1 TTPs 3 IoCs
ioc Process /system/bin/su ayiosji.slbewzhjq.kevnxf /system/xbin/su ayiosji.slbewzhjq.kevnxf /sbin/su ayiosji.slbewzhjq.kevnxf -
pid Process 4282 ayiosji.slbewzhjq.kevnxf -
Loads dropped Dex/Jar 1 TTPs 4 IoCs
Runs executable file dropped to the device during analysis.
ioc pid Process /data/user/0/ayiosji.slbewzhjq.kevnxf/app_picture/1.jpg 4282 ayiosji.slbewzhjq.kevnxf /data/user/0/ayiosji.slbewzhjq.kevnxf/app_picture/1.jpg 4282 ayiosji.slbewzhjq.kevnxf /data/user/0/ayiosji.slbewzhjq.kevnxf/files/b 4282 ayiosji.slbewzhjq.kevnxf /data/user/0/ayiosji.slbewzhjq.kevnxf/files/b 4282 ayiosji.slbewzhjq.kevnxf -
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries account information for other applications stored on the device 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect account information stored on the device.
description ioc Process Framework service call android.accounts.IAccountManager.getAccounts ayiosji.slbewzhjq.kevnxf -
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Reads the content of the MMS message. 1 TTPs 1 IoCs
description ioc Process URI accessed for read content://mms/ ayiosji.slbewzhjq.kevnxf -
Acquires the wake lock 1 IoCs
description ioc Process Framework service call android.os.IPowerManager.acquireWakeLock ayiosji.slbewzhjq.kevnxf -
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
description ioc Process Framework service call android.app.IActivityManager.setServiceForeground ayiosji.slbewzhjq.kevnxf -
Reads information about phone network operator. 1 TTPs
-
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
description ioc Process Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS ayiosji.slbewzhjq.kevnxf -
Checks the presence of a debugger
-
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
description ioc Process Framework service call android.app.IActivityManager.registerReceiver ayiosji.slbewzhjq.kevnxf -
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
description ioc Process Framework API call javax.crypto.Cipher.doFinal ayiosji.slbewzhjq.kevnxf -
Checks CPU information 2 TTPs 1 IoCs
description ioc Process File opened for read /proc/cpuinfo ayiosji.slbewzhjq.kevnxf
Processes
-
ayiosji.slbewzhjq.kevnxf1⤵
- Checks if the Android device is rooted.
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Queries account information for other applications stored on the device
- Reads the content of the MMS message.
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
PID:4282
Network
MITRE ATT&CK Mobile v15
Persistence
Event Triggered Execution
1Broadcast Receivers
1Foreground Persistence
1Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Hide Artifacts
2Suppress Application Icon
1User Evasion
1Virtualization/Sandbox Evasion
1System Checks
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
167KB
MD5dfac73001efa2316f67826d7089c0e75
SHA1ce56002f48d3e00583835a55a5c83ef681f8bd57
SHA25601467468cfdf647cbe3cdb2af673258463f5459a59725ed9ae45cf0b0e860288
SHA51214def358f92e66b5f1fb3e30ae0bda2cb9f6e0f38b115a403cfcccb99cfddd7348e0a0ff21ae4335a91e7d5edb48d259447712e7bc87d18f4c95e26f21fd359c
-
Filesize
444KB
MD55052e382193805f854a17470afdeadc8
SHA1e434b19018b8d0a14c3db4b47318a9e92e9f5148
SHA2566eac212f3e5d11281f0c7263e5795bd74241b233898280b8cb9479443747f52a
SHA512be6fde561141ceebed2f1c98c845fdf247b10aecd15698130bda158484f02309e336a57e1a19fc740137f919904f0c649fcfed6d659b53b0ae6e97aaf794cec7
-
Filesize
167KB
MD5437877313809a90356581910be82b816
SHA1d65fc3f634b7da73dc9ceb8113afe52bf9e3fd5a
SHA256bab627686c883fa730f4ccae3ee8d6b9cc7860031f076e48f47a2edf55d3d309
SHA5125f0557dd42b94c7336c264d94336ee4ef2192661029e4c61ee21803a670ef0cc1c8f5c6c469ed3faf7ec7adef9b0d73368a28ba82a96232390fe36b8d3fbaec1
-
Filesize
36B
MD5d16d10425f7441318778267fa61d84c5
SHA16cafaa4c97e44637154d1a334ffe38dd6a428d3a
SHA25633259e7e92165e60910cf35b7a38a41ec271eafc2757cf726f45168674a7d263
SHA5127e820ef8c557623e36ac17e2ccb74b59c37faab0a2c8e1ed04a3ecb7b021e54cb426fc86c395efd3f9aaa3015aedd68fa345c0cfafedfd21dc40904291adbd90