Analysis

  • max time kernel
    179s
  • max time network
    184s
  • platform
    android_x86
  • resource
    android-x86-arm-20240611.1-en
  • resource tags

    android, arch:arm, arch:x86, image:android-x86-arm-20240611.1-en, locale:en-us, os:android-9-x86, system
  • submitted
    13/06/2024, 00:48

General

  • Target

    9074d40182d1263d5860648ba53523e21d31e6d565ce04b629bb9dfcde27ea73.apk

  • Size

    436KB

  • MD5

    28b2d33a143e985b0ada64d011537904

  • SHA1

    c21a119119f73bed195c0654634cf780d92eede9

  • SHA256

    9074d40182d1263d5860648ba53523e21d31e6d565ce04b629bb9dfcde27ea73

  • SHA512

    13030e2cc1199103c3d9f39bead9f27eccc4d53286a76676701e336de484e7798db1b1a9da4107f0930902288995a799e7612e15a000239dfeed3a1172bfda67

  • SSDEEP

    6144:pTNEtKuWtqB62kUYC4IaQYiSWTql6+iK6edDusVeDaOJ3CBtKXyFju92/HAjjcJ+:DENUkYzAcWyysVeDaNju9+HkAbtT4q9K

Malware Config

Extracted

Family

xloader_apk

C2

http://91.204.227.50:28899

DES_key

Signatures

  • XLoader payload 1 IoCs
  • XLoader, MoqHao

    An Android banker and info stealer.

  • Checks if the Android device is rooted. 1 TTPs 3 IoCs
  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 4 IoCs

    Runs executable file dropped to the device during analysis.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Queries account information for other applications stored on the device 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect account information stored on the device.

  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Reads the content of the MMS message. 1 TTPs 1 IoCs
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Reads information about phone network operator. 1 TTPs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
  • Checks the presence of a debugger
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
  • Checks CPU information 2 TTPs 1 IoCs

Processes

  • fbyczjn.tsznovohb.jijqfz
    1⤵
    • Checks if the Android device is rooted.
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Queries account information for other applications stored on the device
    • Reads the content of the MMS message.
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Uses Crypto APIs (Might try to encrypt user data)
    • Checks CPU information
    PID:4309

Network

        MITRE ATT&CK Mobile v15

        Downloads

        • /data/data/fbyczjn.tsznovohb.jijqfz/app_picture/1.jpg

          Filesize

          166KB

          MD5

          45bef012a5b803dd55e04e7c8073a55a

          SHA1

          c2b600639ac03dc9f7af03f42362c7a4b06ac447

          SHA256

          d7b26b91afa1d5fffcc1e11522859915ff2f730bc80975af1e8ea6408234f357

          SHA512

          d846df31669d75a3ab8edf550b0454dab8a432876526721b9c118413799acee7e136cd31005b68ba5be94d7750a77f7e85c630d1ee86090278ca98a269d46d05

        • /data/data/fbyczjn.tsznovohb.jijqfz/files/b

          Filesize

          444KB

          MD5

          5052e382193805f854a17470afdeadc8

          SHA1

          e434b19018b8d0a14c3db4b47318a9e92e9f5148

          SHA256

          6eac212f3e5d11281f0c7263e5795bd74241b233898280b8cb9479443747f52a

          SHA512

          be6fde561141ceebed2f1c98c845fdf247b10aecd15698130bda158484f02309e336a57e1a19fc740137f919904f0c649fcfed6d659b53b0ae6e97aaf794cec7

        • /data/user/0/fbyczjn.tsznovohb.jijqfz/app_picture/1.jpg

          Filesize

          166KB

          MD5

          9e950e1c68fdd520faa56f9f6a55c16b

          SHA1

          c548ceca5ea5c6998373d79c1718f7b7d6ae3cd3

          SHA256

          f8b33976f3ddebb18e73f766f7f40576839c2880f9139126c57aa01e88a84356

          SHA512

          9dd4e41ee240721eec39ce5d2a54cdc712ccb6156b0f5ea2520b2acebc75707fddd31ffbd465ff26a1fe939d653ec956f6227b0ddeaaad8bdf43814cf2cf7020

        • /storage/emulated/0/.msg_device_id.txt

          Filesize

          36B

          MD5

          cb37b86bb202e3eb45d9589a012ccb9e

          SHA1

          c43105a06a4bbcbc9b954e4c8edbea6d310e9ce2

          SHA256

          fd55874cb95aba3e272943ef616afd20a4ff672fce2e419c77a7c303ed7d0f63

          SHA512

          7f7dcafcad324c11d745af1f288f07e6fa21c197f87ba6dda5dc674770c5c060f601fcf37f15b7b2d39bfdbbb3ba3613968fd8df72942c44f435da88fc126e34