Analysis
-
max time kernel
179s -
max time network
184s -
platform
android_x86 -
resource
android-x86-arm-20240611.1-en -
resource tags
androidarch:armarch:x86image:android-x86-arm-20240611.1-enlocale:en-usos:android-9-x86system -
submitted
13/06/2024, 00:48
Static task
static1
Behavioral task
behavioral1
Sample
9074d40182d1263d5860648ba53523e21d31e6d565ce04b629bb9dfcde27ea73.apk
Resource
android-x86-arm-20240611.1-en
General
-
Target
9074d40182d1263d5860648ba53523e21d31e6d565ce04b629bb9dfcde27ea73.apk
-
Size
436KB
-
MD5
28b2d33a143e985b0ada64d011537904
-
SHA1
c21a119119f73bed195c0654634cf780d92eede9
-
SHA256
9074d40182d1263d5860648ba53523e21d31e6d565ce04b629bb9dfcde27ea73
-
SHA512
13030e2cc1199103c3d9f39bead9f27eccc4d53286a76676701e336de484e7798db1b1a9da4107f0930902288995a799e7612e15a000239dfeed3a1172bfda67
-
SSDEEP
6144:pTNEtKuWtqB62kUYC4IaQYiSWTql6+iK6edDusVeDaOJ3CBtKXyFju92/HAjjcJ+:DENUkYzAcWyysVeDaNju9+HkAbtT4q9K
Malware Config
Extracted
xloader_apk
http://91.204.227.50:28899
Signatures
-
XLoader payload 1 IoCs
resource yara_rule behavioral1/files/fstream-3.dat family_xloader_apk2 -
XLoader, MoqHao
An Android banker and info stealer.
-
Checks if the Android device is rooted. 1 TTPs 3 IoCs
ioc Process /system/bin/su fbyczjn.tsznovohb.jijqfz /system/xbin/su fbyczjn.tsznovohb.jijqfz /sbin/su fbyczjn.tsznovohb.jijqfz -
pid Process 4309 fbyczjn.tsznovohb.jijqfz -
Loads dropped Dex/Jar 1 TTPs 4 IoCs
Runs executable file dropped to the device during analysis.
ioc pid Process /data/user/0/fbyczjn.tsznovohb.jijqfz/app_picture/1.jpg 4309 fbyczjn.tsznovohb.jijqfz /data/user/0/fbyczjn.tsznovohb.jijqfz/app_picture/1.jpg 4309 fbyczjn.tsznovohb.jijqfz /data/user/0/fbyczjn.tsznovohb.jijqfz/files/b 4309 fbyczjn.tsznovohb.jijqfz /data/user/0/fbyczjn.tsznovohb.jijqfz/files/b 4309 fbyczjn.tsznovohb.jijqfz -
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries account information for other applications stored on the device 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect account information stored on the device.
description ioc Process Framework service call android.accounts.IAccountManager.getAccounts fbyczjn.tsznovohb.jijqfz -
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Reads the content of the MMS message. 1 TTPs 1 IoCs
description ioc Process URI accessed for read content://mms/ fbyczjn.tsznovohb.jijqfz -
Acquires the wake lock 1 IoCs
description ioc Process Framework service call android.os.IPowerManager.acquireWakeLock fbyczjn.tsznovohb.jijqfz -
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
description ioc Process Framework service call android.app.IActivityManager.setServiceForeground fbyczjn.tsznovohb.jijqfz -
Reads information about phone network operator. 1 TTPs
-
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
description ioc Process Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS fbyczjn.tsznovohb.jijqfz -
Checks the presence of a debugger
-
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
description ioc Process Framework service call android.app.IActivityManager.registerReceiver fbyczjn.tsznovohb.jijqfz -
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
description ioc Process Framework API call javax.crypto.Cipher.doFinal fbyczjn.tsznovohb.jijqfz -
Checks CPU information 2 TTPs 1 IoCs
description ioc Process File opened for read /proc/cpuinfo fbyczjn.tsznovohb.jijqfz
Processes
-
fbyczjn.tsznovohb.jijqfz1⤵
- Checks if the Android device is rooted.
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Queries account information for other applications stored on the device
- Reads the content of the MMS message.
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
PID:4309
Network
MITRE ATT&CK Mobile v15
Persistence
Event Triggered Execution
1Broadcast Receivers
1Foreground Persistence
1Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Hide Artifacts
2Suppress Application Icon
1User Evasion
1Virtualization/Sandbox Evasion
1System Checks
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
166KB
MD545bef012a5b803dd55e04e7c8073a55a
SHA1c2b600639ac03dc9f7af03f42362c7a4b06ac447
SHA256d7b26b91afa1d5fffcc1e11522859915ff2f730bc80975af1e8ea6408234f357
SHA512d846df31669d75a3ab8edf550b0454dab8a432876526721b9c118413799acee7e136cd31005b68ba5be94d7750a77f7e85c630d1ee86090278ca98a269d46d05
-
Filesize
444KB
MD55052e382193805f854a17470afdeadc8
SHA1e434b19018b8d0a14c3db4b47318a9e92e9f5148
SHA2566eac212f3e5d11281f0c7263e5795bd74241b233898280b8cb9479443747f52a
SHA512be6fde561141ceebed2f1c98c845fdf247b10aecd15698130bda158484f02309e336a57e1a19fc740137f919904f0c649fcfed6d659b53b0ae6e97aaf794cec7
-
Filesize
166KB
MD59e950e1c68fdd520faa56f9f6a55c16b
SHA1c548ceca5ea5c6998373d79c1718f7b7d6ae3cd3
SHA256f8b33976f3ddebb18e73f766f7f40576839c2880f9139126c57aa01e88a84356
SHA5129dd4e41ee240721eec39ce5d2a54cdc712ccb6156b0f5ea2520b2acebc75707fddd31ffbd465ff26a1fe939d653ec956f6227b0ddeaaad8bdf43814cf2cf7020
-
Filesize
36B
MD5cb37b86bb202e3eb45d9589a012ccb9e
SHA1c43105a06a4bbcbc9b954e4c8edbea6d310e9ce2
SHA256fd55874cb95aba3e272943ef616afd20a4ff672fce2e419c77a7c303ed7d0f63
SHA5127f7dcafcad324c11d745af1f288f07e6fa21c197f87ba6dda5dc674770c5c060f601fcf37f15b7b2d39bfdbbb3ba3613968fd8df72942c44f435da88fc126e34