xloader_apk | 4d26965de39473c0be20f2287cbb4dfe0a7e92acde5469222344d857d3c1824b

General

Target

4d26965de39473c0be20f2287cbb4dfe0a7e92acde5469222344d857d3c1824b.apk
Size

436KB
MD5

3103202d13b4441d3a08177e7239d991
SHA1

d1309df17f834880927e1da1345a1c6562509fb4
SHA256

4d26965de39473c0be20f2287cbb4dfe0a7e92acde5469222344d857d3c1824b
SHA512

91012662d0b2c0553589f8916dee86c74abdf50c83bccf46ba194e7a9ed0b1d801824b32958bcc379c16b733a6dd7a7e4ef14ce95fbb5d51900ace0e69185199
SSDEEP

6144:FIaQYiSWTql6+iK6edDusVeDaOJ3CBtKXyFju92/HAjjcJ1ttT6zziXXjhVxPioj:9AcWyysVeDaNju9+HkAbtT4q0oJb+K

Score

10^/10

xloader_apk banker collection discovery evasion impact infostealer persistence stealth trojan

Malware Config

Extracted

Family

xloader_apk

C2

http://91.204.227.50:28899

DES_key

Signatures

XLoader payload 1 IoCs

Processes:

resource	yara_rule
/data/data/ksajmxi.ipivdcvjw.gfxsjr/files/b	family_xloader_apk2

XLoader, MoqHao
An Android banker and info stealer.
trojan infostealer banker xloader_apk
Checks if the Android device is rooted. 1 TTPs 3 IoCs
evasion

T1426

Processes:

ksajmxi.ipivdcvjw.gfxsjr

ioc process

/sbin/su ksajmxi.ipivdcvjw.gfxsjr
/system/bin/su ksajmxi.ipivdcvjw.gfxsjr
/system/xbin/su ksajmxi.ipivdcvjw.gfxsjr
Removes its main activity from the application launcher 1 TTPs 1 IoCs
stealth trojan evasion

T1628.001

Processes:

ksajmxi.ipivdcvjw.gfxsjr

pid process

4337 ksajmxi.ipivdcvjw.gfxsjr

ioc	process
/sbin/su	ksajmxi.ipivdcvjw.gfxsjr
/system/bin/su	ksajmxi.ipivdcvjw.gfxsjr
/system/xbin/su	ksajmxi.ipivdcvjw.gfxsjr

pid	process
4337	ksajmxi.ipivdcvjw.gfxsjr

Loads dropped Dex/Jar 1 TTPs 4 IoCs

Runs executable file dropped to the device during analysis.

evasion

T1407

Processes:

ksajmxi.ipivdcvjw.gfxsjr

ioc	pid	process
/data/user/0/ksajmxi.ipivdcvjw.gfxsjr/app_picture/1.jpg	4337	ksajmxi.ipivdcvjw.gfxsjr
/data/user/0/ksajmxi.ipivdcvjw.gfxsjr/app_picture/1.jpg	4337	ksajmxi.ipivdcvjw.gfxsjr
/data/user/0/ksajmxi.ipivdcvjw.gfxsjr/files/b	4337	ksajmxi.ipivdcvjw.gfxsjr
/data/user/0/ksajmxi.ipivdcvjw.gfxsjr/files/b	4337	ksajmxi.ipivdcvjw.gfxsjr

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

T1418.001
Queries account information for other applications stored on the device 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect account information stored on the device.
collection

T1409

Processes:

ksajmxi.ipivdcvjw.gfxsjr

description ioc process

Framework service call android.accounts.IAccountManager.getAccounts ksajmxi.ipivdcvjw.gfxsjr
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

T1422
Reads the content of the MMS message. 1 TTPs 1 IoCs
collection

T1636.004

Processes:

ksajmxi.ipivdcvjw.gfxsjr

description ioc process

URI accessed for read content://mms/ ksajmxi.ipivdcvjw.gfxsjr
Acquires the wake lock 1 IoCs

Processes:

ksajmxi.ipivdcvjw.gfxsjr

description ioc process

Framework service call android.os.IPowerManager.acquireWakeLock ksajmxi.ipivdcvjw.gfxsjr
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
evasion persistence

T1541

Processes:

ksajmxi.ipivdcvjw.gfxsjr

description ioc process

Framework service call android.app.IActivityManager.setServiceForeground ksajmxi.ipivdcvjw.gfxsjr
Reads information about phone network operator. 1 TTPs
discovery

T1422
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
evasion

T1628.002

Processes:

ksajmxi.ipivdcvjw.gfxsjr

description ioc process

Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS ksajmxi.ipivdcvjw.gfxsjr
Checks the presence of a debugger
evasion
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
persistence

T1624.001

Processes:

ksajmxi.ipivdcvjw.gfxsjr

description ioc process

Framework service call android.app.IActivityManager.registerReceiver ksajmxi.ipivdcvjw.gfxsjr
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
impact

T1471

Processes:

ksajmxi.ipivdcvjw.gfxsjr

description ioc process

Framework API call javax.crypto.Cipher.doFinal ksajmxi.ipivdcvjw.gfxsjr
Checks CPU information 2 TTPs 1 IoCs

T1633.001

T1426

Processes:

ksajmxi.ipivdcvjw.gfxsjr

description ioc process

File opened for read /proc/cpuinfo ksajmxi.ipivdcvjw.gfxsjr

description	ioc	process
Framework service call	android.accounts.IAccountManager.getAccounts	ksajmxi.ipivdcvjw.gfxsjr

description	ioc	process
URI accessed for read	content://mms/	ksajmxi.ipivdcvjw.gfxsjr

description	ioc	process
Framework service call	android.os.IPowerManager.acquireWakeLock	ksajmxi.ipivdcvjw.gfxsjr

description	ioc	process
Framework service call	android.app.IActivityManager.setServiceForeground	ksajmxi.ipivdcvjw.gfxsjr

description	ioc	process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	ksajmxi.ipivdcvjw.gfxsjr

description	ioc	process
Framework service call	android.app.IActivityManager.registerReceiver	ksajmxi.ipivdcvjw.gfxsjr

description	ioc	process
Framework API call	javax.crypto.Cipher.doFinal	ksajmxi.ipivdcvjw.gfxsjr

description	ioc	process
File opened for read	/proc/cpuinfo	ksajmxi.ipivdcvjw.gfxsjr

ksajmxi.ipivdcvjw.gfxsjr
1⤵
- Checks if the Android device is rooted.
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Queries account information for other applications stored on the device
- Reads the content of the MMS message.
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
PID:4337

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/ksajmxi.ipivdcvjw.gfxsjr/app_picture/1.jpg
Filesize
168KB

MD5
4934329ff2aa2ae11153d888ec3d0813

SHA1
661b1d64aef43271cefa819ca4b00b2a6ebc4fe1

SHA256
34910e9eb87010455edd1c41db3f2e8b9f7fd109e9c1041a0e6f410cc8fb2d45

SHA512
2fbca6067afe6ee7ac68c259ee51cee0bd4b840e670afcd64dc9c533a827080bdcce5ebb261487effa9ad74a82cafde1f313e43a200f80c2811d128237b7757a

Download Submit
/data/data/ksajmxi.ipivdcvjw.gfxsjr/files/b
Filesize
444KB

MD5
5052e382193805f854a17470afdeadc8

SHA1
e434b19018b8d0a14c3db4b47318a9e92e9f5148

SHA256
6eac212f3e5d11281f0c7263e5795bd74241b233898280b8cb9479443747f52a

SHA512
be6fde561141ceebed2f1c98c845fdf247b10aecd15698130bda158484f02309e336a57e1a19fc740137f919904f0c649fcfed6d659b53b0ae6e97aaf794cec7

Download Submit
/data/user/0/ksajmxi.ipivdcvjw.gfxsjr/app_picture/1.jpg
Filesize
168KB

MD5
f8c36415ac6c81ed0954c5577aed25d9

SHA1
4aa5482bf076641af35f1faa75d87ab62ccc50e4

SHA256
da6241a0cbee0a28a636965dc175355b5f48d81b6b0ad8f87bd7a2fb5e13c2d6

SHA512
84a1b3a6e9fda438a6e7b596dc799514eef73ee148a78d27e943374621738768dbd4b8b66da36a144279233ecdc5666a77aedeab8f6078fa8c6919bd200714db

Download Submit
/storage/emulated/0/.msg_device_id.txt
Filesize
36B

MD5
6bc984c09785bb2cd8dbf1e0e36e3613

SHA1
c5d882f22372e65728294b3cfebb18c1bee8f8f6

SHA256
9d641f88a4d7cadcd71622879bb9a518040743bdaa4c0ddb095e1491b3319870

SHA512
1541f8c9b105f4395d4de6ece2c7e3c822cf2de0fadaafd4b9e7d1d22531c9e9609a817f5d6616ee003405f695d9e69017119c07932358f136f27561b5bf8cdc

Download Submit

Analysis

Sharing