Analysis
-
max time kernel
179s -
max time network
187s -
platform
android_x64 -
resource
android-33-x64-arm64-20240611.1-en -
resource tags
androidarch:arm64arch:x64image:android-33-x64-arm64-20240611.1-enlocale:en-usos:android-13-x64system -
submitted
17-06-2024 00:06
Static task
static1
Behavioral task
behavioral1
Sample
d4d1daf7cba285f1f3ec10eedcbb2a0083b84a34b502112778abdcdb4811e9bd.apk
Resource
android-33-x64-arm64-20240611.1-en
General
-
Target
d4d1daf7cba285f1f3ec10eedcbb2a0083b84a34b502112778abdcdb4811e9bd.apk
-
Size
208KB
-
MD5
4a520cc422bc02c7ca5088d4bb9f7c6f
-
SHA1
c0e3dcea53a6d5e163c1cdd52b33574778aeaea3
-
SHA256
d4d1daf7cba285f1f3ec10eedcbb2a0083b84a34b502112778abdcdb4811e9bd
-
SHA512
2ce47fc68c76bc935be7ff3f800fde6bde940fb36f18038318696e4046f4340d87e466bb3b73c3ad00bda383fa73ea853f5e72ed14c8b37930dbc74c87d4046e
-
SSDEEP
6144:+rXOUF4PBTCXw5sF1kDpBF/4y55+yuGrE3YAaO:+rXxFOMnCr58lYrO
Malware Config
Extracted
xloader_apk
http://91.204.227.39:28844
Signatures
-
XLoader payload 2 IoCs
Processes:
resource yara_rule /data/user/0/kzse.cvbrfi.axxwul/files/dex family_xloader_apk /data/user/0/kzse.cvbrfi.axxwul/files/dex family_xloader_apk2 -
XLoader, MoqHao
An Android banker and info stealer.
-
Checks if the Android device is rooted. 1 TTPs 1 IoCs
-
Loads dropped Dex/Jar 1 TTPs 1 IoCs
Runs executable file dropped to the device during analysis.
Processes:
kzse.cvbrfi.axxwulioc pid process /data/user/0/kzse.cvbrfi.axxwul/files/dex 4298 kzse.cvbrfi.axxwul -
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries account information for other applications stored on the device 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect account information stored on the device.
Processes:
kzse.cvbrfi.axxwuldescription ioc process Framework service call android.accounts.IAccountManager.getAccountsAsUser kzse.cvbrfi.axxwul -
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Reads the content of the MMS message. 1 TTPs 1 IoCs
Processes:
kzse.cvbrfi.axxwuldescription ioc process URI accessed for read content://mms/ kzse.cvbrfi.axxwul -
Acquires the wake lock 1 IoCs
Processes:
kzse.cvbrfi.axxwuldescription ioc process Framework service call android.os.IPowerManager.acquireWakeLock kzse.cvbrfi.axxwul -
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
Processes:
kzse.cvbrfi.axxwuldescription ioc process Framework service call android.app.IActivityManager.setServiceForeground kzse.cvbrfi.axxwul -
Requests changing the default SMS application. 2 TTPs 1 IoCs
-
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
Processes:
kzse.cvbrfi.axxwuldescription ioc process Framework API call javax.crypto.Cipher.doFinal kzse.cvbrfi.axxwul
Processes
-
kzse.cvbrfi.axxwul1⤵
- Checks if the Android device is rooted.
- Loads dropped Dex/Jar
- Queries account information for other applications stored on the device
- Reads the content of the MMS message.
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Requests changing the default SMS application.
- Uses Crypto APIs (Might try to encrypt user data)
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
/data/user/0/kzse.cvbrfi.axxwul/files/dexFilesize
446KB
MD58bb09c2927ef88bda95970b61599f314
SHA1391656ad53355854928f21a99e995f14e5c75ce7
SHA25627ec66655a2a5e63f95ec2a4066bf7e64a79d7070923f42ba0cbffe53e2ba2dd
SHA51294f59ce40f5b0a03c7bf0c4d199b47c4c7f85f98ae686f6994d74119f7c4b76d031d8607a879818d92c9097ce7603dbfef55d850186a21add9dee18f2bf90d68
-
/storage/emulated/0/.msg_device_id.txtFilesize
36B
MD5c84a1d45f42373467ca8aca9e43b96a5
SHA1a13e27382241b8afac44fdceb4ac3072d103bbe7
SHA25617160fe850659ad000e4f7ded26223992fbdd9a779185ed11d08cfb8a211e884
SHA512b88dc7684728436fe1a686deffc4a759a95dced2e8c23d92fca1e99d98785041af40537fc6e674bc4988f851afd89b91a5d8e42e2aaf4ef7f0b8ff2a5b2310d9