Analysis
- max time kernel: 10s
- max time network: 183s
- platform: android_x86
- resource: android-x86-arm-20240611.1-en
- resource tags: android, arch:arm, arch:x86, image:android-x86-arm-20240611.1-en, locale:en-us, os:android-9-x86, system
- submitted: 20-06-2024 00:05
Static task: static1
Behavioral task: behavioral1
- Sample: db4bb46159fc86048a8a535e830ad142c9fe4f438e5bf412159daa5068c7a51e.apk
- Resource: android-x86-arm-20240611.1-en
General
- Target: db4bb46159fc86048a8a535e830ad142c9fe4f438e5bf412159daa5068c7a51e.apk
- Size: 408KB
- MD5: fda3c7012499b494890b4ba9b747b5e1
- SHA1: dd58026770175846bd9827a9dda26bd666da155d
- SHA256: db4bb46159fc86048a8a535e830ad142c9fe4f438e5bf412159daa5068c7a51e
- SHA512: 7c7694191c63e327a3709e440cfab6976f1d0849a954048fbd0c66f0735c738ac0e724c74e24d6b0465eb07cb0e88fb604896a041855c94fd2bf996784918eec
- SSDEEP: 12288:iiTKlqYhB12tPpc7RlScl3evk6OR7jwflvqn+O05:1EBj4Jgzlj60s9ZO05
Malware Config
- Extracted (xloader_apk): http://91.204.227.50:28899
Signatures
- XLoader payload (1 IoCs)
  Processes:
    resource                                      yara_rule
    /data/data/temiozq.girvaehdl.yunird/files/b   family_xloader_apk2
- XLoader, MoqHao
  An Android banker and info stealer.
- Checks if the Android device is rooted. (1 TTPs, 3 IoCs)
  Processes (temiozq.girvaehdl.yunird):
    ioc               process
    /sbin/su          temiozq.girvaehdl.yunird
    /system/bin/su    temiozq.girvaehdl.yunird
    /system/xbin/su   temiozq.girvaehdl.yunird
- Loads dropped Dex/Jar (1 TTPs, 4 IoCs)
  Runs executable file dropped to the device during analysis.
  Processes (temiozq.girvaehdl.yunird):
    ioc                                                        pid    process
    /data/user/0/temiozq.girvaehdl.yunird/app_picture/1.jpg    4277   temiozq.girvaehdl.yunird
    /data/user/0/temiozq.girvaehdl.yunird/app_picture/1.jpg    4277   temiozq.girvaehdl.yunird
    /data/user/0/temiozq.girvaehdl.yunird/files/b              4277   temiozq.girvaehdl.yunird
    /data/user/0/temiozq.girvaehdl.yunird/files/b              4277   temiozq.girvaehdl.yunird
- Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 TTPs)
- Queries account information for other applications stored on the device (1 TTPs, 1 IoCs)
  Application may abuse the framework's APIs to collect account information stored on the device.
  Processes (temiozq.girvaehdl.yunird):
    description               ioc                                              process
    Framework service call    android.accounts.IAccountManager.getAccounts     temiozq.girvaehdl.yunird
- Queries the phone number (MSISDN for GSM devices) (1 TTPs)
- Reads the content of the MMS message. (1 TTPs, 1 IoCs)
  Processes (temiozq.girvaehdl.yunird):
    description               ioc               process
    URI accessed for read     content://mms/    temiozq.girvaehdl.yunird
- Acquires the wake lock (1 IoCs)
  Processes (temiozq.girvaehdl.yunird):
    description               ioc                                              process
    Framework service call    android.os.IPowerManager.acquireWakeLock         temiozq.girvaehdl.yunird
- Makes use of the framework's foreground persistence service (1 TTPs, 1 IoCs)
  Application may abuse the framework's foreground service to continue running in the foreground.
  Processes (temiozq.girvaehdl.yunird):
    description               ioc                                                    process
    Framework service call    android.app.IActivityManager.setServiceForeground      temiozq.girvaehdl.yunird
- Queries information about active data network (1 TTPs, 1 IoCs)
  Processes (temiozq.girvaehdl.yunird):
    description               ioc                                                       process
    Framework service call    android.net.IConnectivityManager.getActiveNetworkInfo     temiozq.girvaehdl.yunird
- Queries information about the current Wi-Fi connection (1 TTPs, 1 IoCs)
  Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
  Processes (temiozq.girvaehdl.yunird):
    description               ioc                                                  process
    Framework service call    android.net.wifi.IWifiManager.getConnectionInfo      temiozq.girvaehdl.yunird
- Reads information about phone network operator. (1 TTPs)
- Requests disabling of battery optimizations (often used to enable hiding in the background). (1 TTPs, 1 IoCs)
  Processes (temiozq.girvaehdl.yunird):
    description      ioc                                                          process
    Intent action    android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS        temiozq.girvaehdl.yunird
- Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTPs, 1 IoCs)
  Processes (temiozq.girvaehdl.yunird):
    description               ioc                                               process
    Framework service call    android.app.IActivityManager.registerReceiver     temiozq.girvaehdl.yunird
- Uses Crypto APIs (might try to encrypt user data) (1 TTPs, 1 IoCs)
  Processes (temiozq.girvaehdl.yunird):
    description           ioc                              process
    Framework API call    javax.crypto.Cipher.doFinal      temiozq.girvaehdl.yunird
- Checks CPU information (2 TTPs, 1 IoCs)
Processes
- temiozq.girvaehdl.yunird
  - Checks if the Android device is rooted.
  - Removes its main activity from the application launcher
  - Loads dropped Dex/Jar
  - Queries account information for other applications stored on the device
  - Reads the content of the MMS message.
  - Acquires the wake lock
  - Makes use of the framework's foreground persistence service
  - Queries information about active data network
  - Queries information about the current Wi-Fi connection
  - Requests disabling of battery optimizations (often used to enable hiding in the background).
  - Registers a broadcast receiver at runtime (usually for listening for system events)
  - Uses Crypto APIs (might try to encrypt user data)
  - Checks CPU information
Network
MITRE ATT&CK Matrix
Downloads
- /data/data/temiozq.girvaehdl.yunird/app_picture/1.jpg
  Filesize: 165KB
  MD5: 0c5e2466fc06bb60d9ce799a94ab5393
  SHA1: f359d57fb474d2ae04d5f1fa968734e77eb3f573
  SHA256: 6a9c54bf15de346b4ccf88ee72223272bbb5ba714ea90aee6aca6e0885974c58
  SHA512: a9742b572c9cf31dc7ee72c1c8691334ed06eb76b578452d47e47bf081e6d120c9897acf68a14f3f4cd0e4eba8515aeeee5a2d57292da4e410465264b0996019
- /data/data/temiozq.girvaehdl.yunird/files/b
  Filesize: 446KB
  MD5: 4f4569db9ddb90b5f60c424621cf3a72
  SHA1: 63c79e63187921b33d30c66de3e791e3f51d746e
  SHA256: 18c14954e985db1a807189513a739c2ccb9ad37bba6cc9f8a61f0c42edffda4c
  SHA512: cf1c150f19ccc58441ac38060fe80961bbc9ea575a69c4437bd04be7555b92a3422490a4358f720450492edf5780d3d76eed4e02493c184bb3f13a8ab5ec4929
- /data/user/0/temiozq.girvaehdl.yunird/app_picture/1.jpg
  Filesize: 165KB
  MD5: 424dac5b7e57fd2c04b236ade171f56f
  SHA1: 2df0a6ff8b17f8d71199adcd09e3187c1a661811
  SHA256: f72f3c28223e8e6856c974457275628edac8fb23f01fb066e0a7840bbf1ee9b4
  SHA512: eb907b09488e2477c6dbcc17e31b7d3675865e3df32f88fed715483cbe34e8336ab789bde3b1a5c3c9cded7bf14c9d6e05153ed19cedbd9f8fcccd7bac6a08fe
- /storage/emulated/0/.msg_device_id.txt
  Filesize: 36B
  MD5: 047b1482f8f86fd5ee03d444e0dd85f0
  SHA1: ced6d786d9b8cf49f11f12a1ee2cf18bdd9e80f2
  SHA256: 71938b533a9ddb000200abf37b119c59ffae85fa55fa459015e97ab37bdd3e9d
  SHA512: 791a371c03f1eaacbf6ffba3511473de796a2dc6ea597e7162d803e15c24b6504fa9ed70f6e25773d998e9d854d0a314496f5769a49443633b99e6ddf75d57e9