Analysis

  • max time kernel
    179s
  • max time network
    186s
  • platform
    android_x64
  • resource
    android-x64-20240611.1-en
  • resource tags

    androidarch:x64arch:x86image:android-x64-20240611.1-enlocale:en-usos:android-10-x64system
  • submitted
    20-06-2024 00:58

General

  • Target

    b5ace4423834ffae49a20b72a7c8609b77c5981112d1aca1b38bc0864c08a82e.apk

  • Size

    432KB

  • MD5

    994f041d2071f2c1988a8b217c601bc7

  • SHA1

    fdb15c79e9d066fa5419d639b923709830125dfa

  • SHA256

    b5ace4423834ffae49a20b72a7c8609b77c5981112d1aca1b38bc0864c08a82e

  • SHA512

    e6b227e1463e32c8ae7c37abdbca3403f660a0f69fb3fb25a68e6f67b5f589cd04a851bdc314f33d9d498e3ae7669a191596a8caaa0baca56cb25e6a7ebd8457

  • SSDEEP

    12288:Xi55i13uMY6yPiG/4jO2k76KFiZLNRfBsS+b4dMoY3:ckuMY6qiW4O6K8ZZkS+cdMz

Malware Config

Extracted

Family

xloader_apk

C2

http://91.204.227.39:28844

DES_key

Signatures

  • XLoader payload 1 IoCs
  • XLoader, MoqHao

    An Android banker and info stealer.

  • Checks if the Android device is rooted. 1 TTPs 3 IoCs
  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Queries account information for other applications stored on the device 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect account information stored on the device.

  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Reads the content of the MMS message. 1 TTPs 1 IoCs
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Queries information about active data network 1 TTPs 1 IoCs
  • Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
  • Reads information about phone network operator. 1 TTPs
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

Processes

  • com.vhrb.gbfe
    1⤵
    • Checks if the Android device is rooted.
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Queries account information for other applications stored on the device
    • Reads the content of the MMS message.
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Queries information about active data network
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:5094

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/com.vhrb.gbfe/files/dex
    Filesize

    766KB

    MD5

    7962ea579bddfb2d56deaeb75556d33a

    SHA1

    292c29c70d73caff3148eb993fc389c58b966cde

    SHA256

    ff87cb92852a7d77c93494f73a3876fb3c3570115ffe73c2fcd08ae3ac1e3551

    SHA512

    bad435e79acad4d6c25ea5a580a12dde0e065a85677744c6428bf20ee03a55972d20416ca719f9254be886f20a00c2cd3e4816911e05ebab199e398bc4c6a0f4

  • /data/data/com.vhrb.gbfe/files/oat/dex.cur.prof
    Filesize

    1KB

    MD5

    bd1f4867293f5c75aeda11dbddb13bb4

    SHA1

    49bb60b69d7c99273d4feec2d1b825ae6e9f9c62

    SHA256

    bb20cbe068e4465e6ee72255c718933b8c97ad29d5700e764b6fcd05d292adb2

    SHA512

    76091fa0807a48331b4847e1df450c3744bb0caa58ceedddd6f03f9918f98b9969ed7e1747d36c41fb1da3d060867759272d40ca05f192b2b18ca7329f448b66