Analysis Overview
SHA256
5a161d2c80bd95a7b9b9fe321bf8f9aa1132e555e696f7c9a7037337d669b271
Threat Level: Known bad
The file 5a161d2c80bd95a7b9b9fe321bf8f9aa1132e555e696f7c9a7037337d669b271.bin was found to be: Known bad.
Malicious Activity Summary
XLoader payload
XLoader, MoqHao
Checks if the Android device is rooted.
Loads dropped Dex/Jar
Declares services with permission to bind to the system
Requests dangerous framework permissions
Checks CPU information
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2024-06-19 02:13
Signatures
Declares services with permission to bind to the system
| Description | Indicator | Process | Target |
| Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A |
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A |
| Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A |
| Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A |
| Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A |
| Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A |
| Allows an app to post notifications. | android.permission.POST_NOTIFICATIONS | N/A | N/A |
| Allows an application a broad access to external storage in scoped storage. | android.permission.MANAGE_EXTERNAL_STORAGE | N/A | N/A |
| Allows read access to the device's phone number(s). | android.permission.READ_PHONE_NUMBERS | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-19 02:13
Reported
2024-06-19 02:16
Platform
android-x86-arm-20240611.1-en
Max time kernel
10s
Max time network
130s
Command Line
Signatures
XLoader payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XLoader, MoqHao
Checks if the Android device is rooted.
| Description | Indicator | Process | Target |
| N/A | /sbin/su | N/A | N/A |
| N/A | /system/bin/su | N/A | N/A |
| N/A | /system/xbin/su | N/A | N/A |
Loads dropped Dex/Jar
| Description | Indicator | Process | Target |
| N/A | /data/user/0/citneqj.yhcnkbxqj.arsmaq/app_picture/1.jpg | N/A | N/A |
| N/A | /data/user/0/citneqj.yhcnkbxqj.arsmaq/app_picture/1.jpg | N/A | N/A |
| N/A | /data/user/0/citneqj.yhcnkbxqj.arsmaq/files/b | N/A | N/A |
| N/A | /data/user/0/citneqj.yhcnkbxqj.arsmaq/files/b | N/A | N/A |
Checks CPU information
| Description | Indicator | Process | Target |
| File opened for read | /proc/cpuinfo | N/A | N/A |
Processes
citneqj.yhcnkbxqj.arsmaq
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | udp | |
| US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp |
| GB | 216.58.204.78:443 | tcp | |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.187.238:443 | android.apis.google.com | tcp |
Files
/data/data/citneqj.yhcnkbxqj.arsmaq/app_picture/1.jpg
| MD5 | e04b61068deeadc8c19e5ee4b2f9de4d |
| SHA1 | 112d59ad0f079246df6228080f3f219fc4ad53bb |
| SHA256 | 5b3d2060b3298ff49a4f59e922d152271eff1df75caa20127bdf48b9b8403dcc |
| SHA512 | e216869ccdf2ab8d257c8acd6a96678d369e39a6a62b7644ff815bdf28582ee342e24dc9915a69c41038896e731571d3f3d28bef4c728bc655e09b6646281e0d |
/data/user/0/citneqj.yhcnkbxqj.arsmaq/app_picture/1.jpg
| MD5 | ad62abf0a43c4b7cfa83a26e2152f250 |
| SHA1 | 57a1edac6c4897119aecf3485dae900fcc45f298 |
| SHA256 | eac8b83c45cb80713bb4ac451c6bddafa43b90249c1628fdb60d8537961f237d |
| SHA512 | b1954b52f2ff0b8e5090b80591a1dc9c8512320640f9b9380990fae00d4aa1bc9032be6721736fb164060bf31b49b2231cea3e8f93447b6e2e616f65eecdc2bd |
/data/data/citneqj.yhcnkbxqj.arsmaq/files/b
| MD5 | 4f4569db9ddb90b5f60c424621cf3a72 |
| SHA1 | 63c79e63187921b33d30c66de3e791e3f51d746e |
| SHA256 | 18c14954e985db1a807189513a739c2ccb9ad37bba6cc9f8a61f0c42edffda4c |
| SHA512 | cf1c150f19ccc58441ac38060fe80961bbc9ea575a69c4437bd04be7555b92a3422490a4358f720450492edf5780d3d76eed4e02493c184bb3f13a8ab5ec4929 |