Analysis
-
max time kernel
179s -
max time network
164s -
platform
android_x64 -
resource
android-x64-arm64-20240611.1-en -
resource tags
-
submitted
12-06-2024 17:19
General
-
Target
c767a13041d305d995f3580d04faeaf1113f3fa0c0d4ef55568020963d9d2263.apk
-
Size
289KB
-
MD5
fd7c0b5726e58955ecd89eb573a25db2
-
SHA1
804d59d095dd6f9dc09e22e69c9c598c63dadd85
-
SHA256
c767a13041d305d995f3580d04faeaf1113f3fa0c0d4ef55568020963d9d2263
-
SHA512
a541a21783ba9ab65af8e4a1de6970bd33dacb4a3750a04a4d04db2caeca21c75e7e3204a6c0794a1882b12b0fd8eee9ae4f85c2182b93d113a2471223429cdb
-
SSDEEP
6144:VIbQTQsqmdxuMDcYg8xYh+w3IlDlOlxM+seXf6x7SxgXZMxvh5z:isqUtuWYM+ssM2WXZMdhF
Malware Config
Extracted
xloader_apk
http://91.204.227.39:28844
Signatures
-
XLoader payload 1 IoCs
-
XLoader, MoqHao
An Android banker and info stealer.
-
Checks if the Android device is rooted. 1 TTPs 1 IoCs
-
Removes its main activity from the application launcher 1 TTPs 1 IoCs
-
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs executable file dropped to the device during analysis.
-
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries account information for other applications stored on the device 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect account information stored on the device.
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Reads the contacts stored on the device. 1 TTPs 1 IoCs
-
Reads the content of the MMS message. 1 TTPs 1 IoCs
-
Acquires the wake lock 1 IoCs
-
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
-
Queries information about active data network 1 TTPs 1 IoCs
-
Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
-
Reads information about phone network operator. 1 TTPs
-
Requests changing the default SMS application. 2 TTPs 1 IoCs
-
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
-
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
Processes
-
com.gmjb.bomt1⤵
- Checks if the Android device is rooted.
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Queries account information for other applications stored on the device
- Reads the contacts stored on the device.
- Reads the content of the MMS message.
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Queries information about active data network
- Queries information about the current Wi-Fi connection
- Requests changing the default SMS application.
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Uses Crypto APIs (Might try to encrypt user data)
Network
MITRE ATT&CK Mobile v15
Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Hide Artifacts
2Suppress Application Icon
1User Evasion
1Discovery
Software Discovery
1Security Software Discovery
1System Information Discovery
1System Network Configuration Discovery
2System Network Connections Discovery
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
483KB
MD5ae9c12585483e8f440602e44dedfc892
SHA19605a4070f7c3d7e180c319b3125751233b655ef
SHA2566bae5b64c4d0c9b7777a8ff1d198eff5a89fc4b1e2489e0b13e2751b5e2e33cd
SHA512cf958ae50832841f5921c82a8ac0ed3822afb6361648fb2d2c2cc99a17ff4a22343594e0599836342fd9cbeccc6c05623505f1c0d87197f296d5a917c5e7b33c