Overview

overview

10

Static

static

6

3bcff3c7f9...74.apk

android-9-x86

10

Analysis

  • max time kernel
    179s
  • max time network
    183s
  • platform
    android_x86
  • resource
    android-x86-arm-20240611.1-en
  • resource tags

    androidarch:armarch:x86image:android-x86-arm-20240611.1-enlocale:en-usos:android-9-x86system
  • submitted
    20-06-2024 23:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3bcff3c7f99f95312e4a21aebed0e53719318357b260559c16396dfef2930974.apk

  • Size

    412KB

  • MD5

    d684e5fad88e60bcec53c6bb98d9d552

  • SHA1

    967276d8db01e44ffc3ef1f5762397e7eef5c3a1

  • SHA256

    3bcff3c7f99f95312e4a21aebed0e53719318357b260559c16396dfef2930974

  • SHA512

    bc080cdd6188617240eeea704c9a8833a341324a543c8155a7a32a3a9432056008c3ffec772e27c278aafaef588c32b83bf5c189a609ac982d2f02afb3307cc6

  • SSDEEP

    12288:IJk1SuNRxiSzhDNUHiiQDhu0vUEbqmEYxp:qqZ5d+HiiQFvUE+J8

Score
10/10
xloader_apkbankercollectiondiscoveryevasionimpactinfostealerpersistencestealthtrojan

Malware Config

Extracted

Family

xloader_apk

C2

http://91.204.227.50:28899

DES_key

Signatures

  • XLoader payload 1 IoCs
  • XLoader, MoqHao

    An Android banker and info stealer.

    trojaninfostealerbankerxloader_apk
  • Checks if the Android device is rooted. 1 TTPs 3 IoCs
    evasion
  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
    stealthtrojanevasion
  • Loads dropped Dex/Jar 1 TTPs 4 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
    bankerdiscovery
  • Queries account information for other applications stored on the device 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect account information stored on the device.

    collection
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Reads the content of the MMS message. 1 TTPs 1 IoCs
    collection
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    evasionpersistence
  • Reads information about phone network operator. 1 TTPs
    discovery
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
    evasion
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
    persistence
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
    impact
  • Checks CPU information 2 TTPs 1 IoCs

Processes

  • iivqpsh.tfqgjrplq.qwjxoh
    1⤵
    • Checks if the Android device is rooted.
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Queries account information for other applications stored on the device
    • Reads the content of the MMS message.
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Uses Crypto APIs (Might try to encrypt user data)
    • Checks CPU information
    PID:4285

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/iivqpsh.tfqgjrplq.qwjxoh/app_picture/1.jpg
    Filesize

    169KB

    MD5

    852541beb5a7843aae444df3ffda7a94

    SHA1

    cedd08c73858d582d9e2abfa7b3f1d20605da419

    SHA256

    a63cd16e910d7c147ed3c21ee9cc8d32a7bf84e74a1816e2b0a58efcd86f2285

    SHA512

    22dd7c7c1b41f10942d946c0ab6c958c444c64fb8da81f992db5f938462e480936bc2fd596fadb548c77876cf10033be104dd23327495e6c9403bff0c7f30d61

    Download Submit

  • /data/data/iivqpsh.tfqgjrplq.qwjxoh/files/b
    Filesize

    446KB

    MD5

    5daa1f3756c6785b25d466ca6b7bdc50

    SHA1

    ad6a6880ad1b812434e5bd3b2c1717ba11b54cf6

    SHA256

    a1695cf685fbf9712a67bbc7f9bf82c6d6fe5f8ef185f1ede33fcb76526143c7

    SHA512

    2dbeab1cfd8658b6681d3bda791f2fd3f1199c9aee135b1baa1e91abf87d20de221eec1027f611356781b7c6dbb823b8b157509ced30b03a62f6842fbde0e7e9

    Download Submit

  • /data/user/0/iivqpsh.tfqgjrplq.qwjxoh/app_picture/1.jpg
    Filesize

    169KB

    MD5

    9e391338033f7b553326f72e2db2d439

    SHA1

    f18fbaa4915d0d1be4e68ddd006c3ca84e80308a

    SHA256

    b185b660c3bc5afcc42970a9d2d4a2ae874fa2f98e1eabecaffcab26ba12eba7

    SHA512

    b6a9066c4e29577134a9568be123708a9e6466f1d3f87bbdd23a159a97b33c3f93bb82441ce97f206161d1003f043278dbb5a1d3d6386b4a026bb646cc34baa2

    Download Submit

  • /storage/emulated/0/.msg_device_id.txt
    Filesize

    36B

    MD5

    72bd1f6fecfdb39e0d84fabe45bd3c80

    SHA1

    5e54d0d7e7d4e34e407315933f181645c0e0ec65

    SHA256

    fc6ee086f7edb5f624796c55af897017025b34d03126c66a4a1a0cd02244c5e9

    SHA512

    3aef65d7b9706a0e105e4963856c9f09432392ca70a9b9bca8102bfd3261fd2fca9f46d9d5d18df1d760c81da52c91a440013bf5d0604f7a2af464f24c79e8d0

    Download Submit