Analysis
-
max time kernel
179s -
max time network
186s -
platform
android_x64 -
resource
android-x64-20240611.1-en -
resource tags
androidarch:x64arch:x86image:android-x64-20240611.1-enlocale:en-usos:android-10-x64system -
submitted
20-06-2024 00:58
Static task
static1
Behavioral task
behavioral1
Sample
b5ace4423834ffae49a20b72a7c8609b77c5981112d1aca1b38bc0864c08a82e.apk
Resource
android-x86-arm-20240611.1-en
Behavioral task
behavioral2
Sample
b5ace4423834ffae49a20b72a7c8609b77c5981112d1aca1b38bc0864c08a82e.apk
Resource
android-x64-20240611.1-en
Behavioral task
behavioral3
Sample
b5ace4423834ffae49a20b72a7c8609b77c5981112d1aca1b38bc0864c08a82e.apk
Resource
android-x64-arm64-20240611.1-en
General
-
Target
b5ace4423834ffae49a20b72a7c8609b77c5981112d1aca1b38bc0864c08a82e.apk
-
Size
432KB
-
MD5
994f041d2071f2c1988a8b217c601bc7
-
SHA1
fdb15c79e9d066fa5419d639b923709830125dfa
-
SHA256
b5ace4423834ffae49a20b72a7c8609b77c5981112d1aca1b38bc0864c08a82e
-
SHA512
e6b227e1463e32c8ae7c37abdbca3403f660a0f69fb3fb25a68e6f67b5f589cd04a851bdc314f33d9d498e3ae7669a191596a8caaa0baca56cb25e6a7ebd8457
-
SSDEEP
12288:Xi55i13uMY6yPiG/4jO2k76KFiZLNRfBsS+b4dMoY3:ckuMY6qiW4O6K8ZZkS+cdMz
Malware Config
Extracted
xloader_apk
http://91.204.227.39:28844
Signatures
-
XLoader payload 1 IoCs
Processes:
resource yara_rule /data/data/com.vhrb.gbfe/files/dex family_xloader_apk2 -
XLoader, MoqHao
An Android banker and info stealer.
-
Checks if the Android device is rooted. 1 TTPs 3 IoCs
Processes:
com.vhrb.gbfeioc process /system/bin/su com.vhrb.gbfe /system/xbin/su com.vhrb.gbfe /sbin/su com.vhrb.gbfe -
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs executable file dropped to the device during analysis.
Processes:
com.vhrb.gbfeioc pid process /data/user/0/com.vhrb.gbfe/files/dex 5094 com.vhrb.gbfe /data/user/0/com.vhrb.gbfe/files/dex 5094 com.vhrb.gbfe -
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries account information for other applications stored on the device 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect account information stored on the device.
Processes:
com.vhrb.gbfedescription ioc process Framework service call android.accounts.IAccountManager.getAccounts com.vhrb.gbfe -
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Reads the content of the MMS message. 1 TTPs 1 IoCs
Processes:
com.vhrb.gbfedescription ioc process URI accessed for read content://mms/ com.vhrb.gbfe -
Acquires the wake lock 1 IoCs
Processes:
com.vhrb.gbfedescription ioc process Framework service call android.os.IPowerManager.acquireWakeLock com.vhrb.gbfe -
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
Processes:
com.vhrb.gbfedescription ioc process Framework service call android.app.IActivityManager.setServiceForeground com.vhrb.gbfe -
Queries information about active data network 1 TTPs 1 IoCs
Processes:
com.vhrb.gbfedescription ioc process Framework service call android.net.IConnectivityManager.getActiveNetworkInfo com.vhrb.gbfe -
Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
-
Reads information about phone network operator. 1 TTPs
-
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
Processes:
com.vhrb.gbfedescription ioc process Framework service call android.app.IActivityManager.registerReceiver com.vhrb.gbfe -
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
Processes:
com.vhrb.gbfedescription ioc process Framework API call javax.crypto.Cipher.doFinal com.vhrb.gbfe
Processes
-
com.vhrb.gbfe1⤵
- Checks if the Android device is rooted.
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Queries account information for other applications stored on the device
- Reads the content of the MMS message.
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Queries information about active data network
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
/data/data/com.vhrb.gbfe/files/dexFilesize
766KB
MD57962ea579bddfb2d56deaeb75556d33a
SHA1292c29c70d73caff3148eb993fc389c58b966cde
SHA256ff87cb92852a7d77c93494f73a3876fb3c3570115ffe73c2fcd08ae3ac1e3551
SHA512bad435e79acad4d6c25ea5a580a12dde0e065a85677744c6428bf20ee03a55972d20416ca719f9254be886f20a00c2cd3e4816911e05ebab199e398bc4c6a0f4
-
/data/data/com.vhrb.gbfe/files/oat/dex.cur.profFilesize
1KB
MD5bd1f4867293f5c75aeda11dbddb13bb4
SHA149bb60b69d7c99273d4feec2d1b825ae6e9f9c62
SHA256bb20cbe068e4465e6ee72255c718933b8c97ad29d5700e764b6fcd05d292adb2
SHA51276091fa0807a48331b4847e1df450c3744bb0caa58ceedddd6f03f9918f98b9969ed7e1747d36c41fb1da3d060867759272d40ca05f192b2b18ca7329f448b66