xloader_apk | 6223f7c442ea7132e722ee0bb83e900e027bdf3324a5329306a933a1b561dbef

General

Target

b85303e17afb9609d8c5a1936a36f99f_JaffaCakes118
Size

437KB
Sample

240617-nd22csscqp
MD5

b85303e17afb9609d8c5a1936a36f99f
SHA1

042680ab93360090aa835ba15d6abb574119aad9
SHA256

6223f7c442ea7132e722ee0bb83e900e027bdf3324a5329306a933a1b561dbef
SHA512

cebe524910100898181d6094c23cb5f9b262cefea6871e14829372cea581cc6ffd2eb6e9cf3a5034b0745c367a1ee828d0ea8bd648c449b350f3f16c5af74ca6
SSDEEP

12288:2v1pfwjWvqD1FAQTq2KQfmIi/gbfBsS+b4dMoYlC4Z:2v0qYhejgaS+cdM3Z

Score

10^/10

Malware Config

Extracted

Family

xloader_apk

C2

http://91.204.227.39:28844

DES_key

Targets

- Target
  
  b85303e17afb9609d8c5a1936a36f99f_JaffaCakes118
- Size
  
  437KB
- MD5
  
  b85303e17afb9609d8c5a1936a36f99f
- SHA1
  
  042680ab93360090aa835ba15d6abb574119aad9
- SHA256
  
  6223f7c442ea7132e722ee0bb83e900e027bdf3324a5329306a933a1b561dbef
- SHA512
  
  cebe524910100898181d6094c23cb5f9b262cefea6871e14829372cea581cc6ffd2eb6e9cf3a5034b0745c367a1ee828d0ea8bd648c449b350f3f16c5af74ca6
- SSDEEP
  
  12288:2v1pfwjWvqD1FAQTq2KQfmIi/gbfBsS+b4dMoYlC4Z:2v0qYhejgaS+cdM3Z
Score

10^/10

xloader_apk banker collection discovery evasion impact infostealer persistence stealth trojan
- XLoader payload
- XLoader, MoqHao
  An Android banker and info stealer.
  trojan infostealer banker xloader_apk
- Checks if the Android device is rooted.
  evasion
- Removes its main activity from the application launcher
  stealth trojan evasion
- Loads dropped Dex/Jar
  Runs executable file dropped to the device during analysis.
  evasion
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
  banker discovery
- Queries account information for other applications stored on the device
  Application may abuse the framework's APIs to collect account information stored on the device.
  collection
- Queries the phone number (MSISDN for GSM devices)
  discovery
- Reads the content of the MMS message.
  collection
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
  Application may abuse the framework's foreground service to continue running in the foreground.
  evasion persistence
- Queries information about active data network
  discovery
- Queries information about the current Wi-Fi connection
  Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
  discovery
- Queries the unique device ID (IMEI, MEID, IMSI)
  discovery
- Reads information about phone network operator.
  discovery
- Requests changing the default SMS application.
  collection impact
- Requests disabling of battery optimizations (often used to enable hiding in the background).
  evasion
behavioral1 behavioral2 behavioral3

MITRE ATT&CK Matrix

Tasks

Sharing

General

Malware Config

Extracted

Targets

XLoader payload

XLoader, MoqHao

Checks if the Android device is rooted.

Removes its main activity from the application launcher

Loads dropped Dex/Jar

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Queries account information for other applications stored on the device

Queries the phone number (MSISDN for GSM devices)

Reads the content of the MMS message.

Acquires the wake lock

Makes use of the framework's foreground persistence service

Queries information about active data network

Queries information about the current Wi-Fi connection

Queries the unique device ID (IMEI, MEID, IMSI)

Reads information about phone network operator.

Requests changing the default SMS application.

Requests disabling of battery optimizations (often used to enable hiding in the background).

MITRE ATT&CK Matrix

Tasks

static1

behavioral1

behavioral2

behavioral3