Analysis

  • max time kernel
    179s
  • max time network
    185s
  • platform
    android_x86
  • resource
    android-x86-arm-20240611.1-en
  • resource tags

    android, arch:arm, arch:x86, image:android-x86-arm-20240611.1-en, locale:en-us, os:android-9-x86, system
  • submitted
    20-06-2024 01:45

General

  • Target

    e407a6b8c78629532961c69d03eec2797cc11f65edc2ba379cf8e2528849bf2a.apk

  • Size

    408KB

  • MD5

    09b3cdf695c54e4b5043ffa0c09308b4

  • SHA1

    5a16a0ebbfe2148cf13285812b7d90cb90060646

  • SHA256

    e407a6b8c78629532961c69d03eec2797cc11f65edc2ba379cf8e2528849bf2a

  • SHA512

    ea5117324fc6800499bdc32c93070246e8cdd22c975b3ad5a2c76e47a48be53c297b7526f2fd39fe701785f349da33d86ec440fa518d1d21fcfbbe1ce50f92f1

  • SSDEEP

    12288:TGU7RlScl3evk6OR7jwflvqn+ZZcSM6o+D/2U:TGuzlj60s9ZH3M4DeU

Malware Config

Extracted

Family

xloader_apk

C2

http://91.204.227.50:28899

DES_key

Signatures

  • XLoader payload 1 IoCs
  • XLoader, MoqHao

    An Android banker and info stealer.

  • Checks if the Android device is rooted. 1 TTPs 3 IoCs
  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 4 IoCs

    Runs executable file dropped to the device during analysis.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Queries account information for other applications stored on the device 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect account information stored on the device.

  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Reads the content of the MMS message. 1 TTPs 1 IoCs
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Reads information about phone network operator. 1 TTPs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
  • Checks CPU information 2 TTPs 1 IoCs

Processes

  • nrbumsc.miyxazmyz.omherq
    • Checks if the Android device is rooted.
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Queries account information for other applications stored on the device
    • Reads the content of the MMS message.
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Uses Crypto APIs (Might try to encrypt user data)
    • Checks CPU information
    PID:4293

Network

MITRE ATT&CK Matrix

Downloads

  • /data/data/nrbumsc.miyxazmyz.omherq/app_picture/1.jpg
    Filesize

    161KB

    MD5

    86c17ee0c30b5d86877990836d478656

    SHA1

    9c2ae23ba42c94d85e8753162c9f83a45efd42c9

    SHA256

    a8931e81859ab4c7535e75367f6b2ae9fe6d341312460a7d30806e2ab7b4795e

    SHA512

    b28f67f0221d79bef66501cfe49249e6dc38307fba4ec0fde38383cc402b6293a03f469574aec2a856416aa4d15ecd63450c40bcfd3cca4b76cbeed8fd225090

  • /data/data/nrbumsc.miyxazmyz.omherq/files/b
    Filesize

    446KB

    MD5

    4f4569db9ddb90b5f60c424621cf3a72

    SHA1

    63c79e63187921b33d30c66de3e791e3f51d746e

    SHA256

    18c14954e985db1a807189513a739c2ccb9ad37bba6cc9f8a61f0c42edffda4c

    SHA512

    cf1c150f19ccc58441ac38060fe80961bbc9ea575a69c4437bd04be7555b92a3422490a4358f720450492edf5780d3d76eed4e02493c184bb3f13a8ab5ec4929

  • /data/user/0/nrbumsc.miyxazmyz.omherq/app_picture/1.jpg
    Filesize

    161KB

    MD5

    c77f0f8d14126bf094163044fddb74fa

    SHA1

    e4b07f70b1ed8d2657105a49a2b574ff141acb6b

    SHA256

    96dd3810db310a9e51a75a2f5bae5f1590fbcb337a328bb5ad15a9b2c94f9536

    SHA512

    3da49ae1419bb33cb99bb7b683df3f1412db97bee442ff7c6d43f19768c345f1405f0caddeaff95d73b21c21afd0d02d53c9536fe28a377b30682a6cd2b733e6

  • /storage/emulated/0/.msg_device_id.txt
    Filesize

    36B

    MD5

    ae99eae91d7db00062dea3447c4e6fa2

    SHA1

    de9f94b0c7871cc9125f65bc4a9aafd042e2f7c9

    SHA256

    9ca9f7e739c4542bd9022f4f2a671058c27dd8a996943d3303b0b8f7f6e201bd

    SHA512

    1feaa179d02735756fd8db0994d2831a3330f11d215ac0996cebd40f87bfa5f3c67f9611331e1888af7b23cab5db1e200cd94a037f74882c40b4db22f4f405bc