Analysis

  • max time kernel
    179s
  • max time network
    184s
  • platform
    android_x86
  • resource
    android-x86-arm-20240611.1-en
  • resource tags
    android, arch:arm, arch:x86, image:android-x86-arm-20240611.1-en, locale:en-us, os:android-9-x86, system
  • submitted
    12-06-2024 23:22

General

  • Target

    5ddf9c7d1a3607c16a75bf552f9605cf2d69f016ec95c4112fb35bddc6ebb805.apk

  • Size

    440KB

  • MD5

    6f4f4f443ec3a6f094726af486c8f863

  • SHA1

    5258f0b8e8d2896f6c0903996218d9f687cc1d2e

  • SHA256

    5ddf9c7d1a3607c16a75bf552f9605cf2d69f016ec95c4112fb35bddc6ebb805

  • SHA512

    e52353843bf8276df671cd492394145cea645398b3610b3fa2077ab06b26184aab003b6c4f995534bdd4a27d7843455644612509d41dbc6cd55195a33ba6c157

  • SSDEEP

    12288:BRkcNERizAcWyysVeDaNju9+HkAbtT4qc:BqcNEyys7udAbG

Malware Config

Extracted

Family

xloader_apk

C2

http://91.204.227.50:28899

DES_key

Signatures

  • XLoader payload 1 IoCs
  • XLoader, MoqHao

    An Android banker and info stealer.

  • Checks if the Android device is rooted. 1 TTPs 3 IoCs
  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 4 IoCs

    Runs an executable file dropped to the device during analysis.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Queries account information for other applications stored on the device 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect account information stored on the device.

  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Reads the content of the MMS message. 1 TTPs 1 IoCs
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Reads information about phone network operator. 1 TTPs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
  • Checks the presence of a debugger
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
  • Checks CPU information 2 TTPs 1 IoCs

Processes

  • dudomts.zraxtwbpo.yfvoyi (PID: 4305)
    • Checks if the Android device is rooted.
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Queries account information for other applications stored on the device
    • Reads the content of the MMS message.
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Uses Crypto APIs (Might try to encrypt user data)
    • Checks CPU information


Downloads

  • /data/data/dudomts.zraxtwbpo.yfvoyi/app_picture/1.jpg
    Filesize

    172KB

    MD5

    372533ea3c31325becf569d5f67396e7

    SHA1

    667ef57d1e68733a75ce6f610416df99a6504251

    SHA256

    d40123b91cc31f758c7f08f49759b7fcfa05a954d3aa2cb877a26d719cb172a5

    SHA512

    48db0363c795a659d9146e31045e3c57c5dc6cd8a65bcc097d0bc5a5520a0e3e558cf15fe6a48f38443892fc2d21d605f111825fad0ce41ed3e890ea98f19dd0

  • /data/data/dudomts.zraxtwbpo.yfvoyi/files/b
    Filesize

    444KB

    MD5

    5052e382193805f854a17470afdeadc8

    SHA1

    e434b19018b8d0a14c3db4b47318a9e92e9f5148

    SHA256

    6eac212f3e5d11281f0c7263e5795bd74241b233898280b8cb9479443747f52a

    SHA512

    be6fde561141ceebed2f1c98c845fdf247b10aecd15698130bda158484f02309e336a57e1a19fc740137f919904f0c649fcfed6d659b53b0ae6e97aaf794cec7

  • /data/user/0/dudomts.zraxtwbpo.yfvoyi/app_picture/1.jpg
    Filesize

    172KB

    MD5

    e851ba16244768b86d8bb80211d786bc

    SHA1

    e357b8829fd8d1e08aebe192875e70a8385b2a85

    SHA256

    4bdc241290aff34b8d1ec21551338df42761233e64e997518ce301d44cc0f179

    SHA512

    cd7975536458f0967f1cc431a95bcd727383c8f6f8b8eabd19b7765e74065bc6e5a2dd7427a7a8ef70fa600b72889e5c6cb4c1011f20db22915fb867c2af0279

  • /storage/emulated/0/.msg_device_id.txt
    Filesize

    36B

    MD5

    7e84a06e6a76dd518eb46b84dd4d3e17

    SHA1

    f0899acba192f7c855bbe60902fc8fea5a0f42e9

    SHA256

    1b8583ab03e9d152c9e99822155e0efedf2e277a51c6a89fa8434adab8ddf87d

    SHA512

    53b644e826e00490ea3a799dd2a4be5e199741b782d72da33a79c871933db754546f5faaab1c6060cf217d7b5bec69f1f6352c39df8cb606b8524d3f12a2c133
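As an added example (not part of the sandbox report and not the malware's own code), the following Python script turns the indicators above into a small triage check: it hashes files pulled from a device or from a second detonation and matches them against the SHA-256 values listed for the sample and the four dropped files, and it scans flow records for connections to the C2 from the Malware Config, 91.204.227.50:28899. The flow-record format and the sample lines are constructed for the demo, not the sandbox's own network view. Note that /data/data/<pkg> and /data/user/0/<pkg> are the same directory on Android (/data/data is a symlink to /data/user/0), so the two 1.jpg entries are one path observed with two different contents; both hashes are kept.

```python
"""Triage helper: check files and flow records against the IoCs from this report."""
import hashlib
import re
from typing import Optional
from urllib.parse import urlsplit

# SHA-256 values copied from the report: the sample APK plus the dropped files.
KNOWN_SHA256 = {
    "5ddf9c7d1a3607c16a75bf552f9605cf2d69f016ec95c4112fb35bddc6ebb805": "sample apk",
    "d40123b91cc31f758c7f08f49759b7fcfa05a954d3aa2cb877a26d719cb172a5": "app_picture/1.jpg (/data/data)",
    "6eac212f3e5d11281f0c7263e5795bd74241b233898280b8cb9479443747f52a": "files/b",
    "4bdc241290aff34b8d1ec21551338df42761233e64e997518ce301d44cc0f179": "app_picture/1.jpg (/data/user/0)",
    "1b8583ab03e9d152c9e99822155e0efedf2e277a51c6a89fa8434adab8ddf87d": ".msg_device_id.txt",
}
C2_URL = "http://91.204.227.50:28899"  # from the Malware Config section

# Constructed flow records for the demo (not the sandbox's network view):
# "<time> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port>"
SAMPLE_FLOWS = """\
2024-06-12T23:23:01Z tcp 10.0.2.16:41022 -> 91.204.227.50:28899
2024-06-12T23:23:02Z udp 10.0.2.16:5353 -> 224.0.0.251:5353
2024-06-12T23:23:09Z tcp 10.0.2.16:41023 -> 91.204.227.50:443
2024-06-12T23:23:40Z tcp 10.0.2.16:41030 -> 91.204.227.50:28899
""".splitlines()

FLOW_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<proto>\w+)\s+(?P<src>[\d.]+):(?P<sport>\d+)"
    r"\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def digests(data: bytes) -> dict:
    """Return the same four digests the report lists (MD5, SHA-1, SHA-256, SHA-512)."""
    return {
        name: hashlib.new(name, data).hexdigest()
        for name in ("md5", "sha1", "sha256", "sha512")
    }


def match_sha256(data: bytes) -> Optional[str]:
    """Label from KNOWN_SHA256 if the bytes are one of the report's artifacts, else None."""
    return KNOWN_SHA256.get(digests(data)["sha256"])


def parse_c2(url: str) -> tuple:
    """Split a C2 URL into (host, port); if no port is given, use the scheme default."""
    parts = urlsplit(url)
    if parts.port is not None:
        port = parts.port
    else:
        port = 443 if parts.scheme == "https" else 80
    return parts.hostname, port


def find_c2_flows(lines, c2_url: str = C2_URL, host_only: bool = False) -> list:
    """Return (timestamp, dst, dport) for every flow that reaches the C2.

    By default the exact host:port pair from the report is required; with
    host_only=True any port on the C2 host counts, which catches a re-pointed
    port after the operator rotates it.  Lines that do not parse are skipped.
    """
    host, port = parse_c2(c2_url)
    hits = []
    for line in lines:
        m = FLOW_RE.match(line.strip())
        if not m or m["dst"] != host:
            continue
        if not host_only and int(m["dport"]) != port:
            continue
        hits.append((m["ts"], m["dst"], int(m["dport"])))
    return hits


if __name__ == "__main__":
    import sys

    # Usage: python iocs.py <file> [<file> ...]  (e.g. files pulled with adb)
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            label = match_sha256(fh.read())
        print(f"{path}: {label or 'no match'}")
    for hit in find_c2_flows(SAMPLE_FLOWS):
        print("C2 flow:", *hit)
```

Matching on SHA-256 alone is deliberate: MD5 and SHA-1 are kept in `digests` only so the output lines up with the report, and the `host_only` switch exists because the 91.204.227.50:443 line in the constructed sample shows how a port-exact rule silently misses traffic to the same host.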