Analysis
-
max time kernel
179s -
max time network
175s -
platform
android_x86 -
resource
android-x86-arm-20240611.1-en -
submitted
20-06-2024 01:13
General
-
Target
3c571e1af876577c9e2463aa6fe7171d455702392f6f3b4a0423249f4d409208.apk
-
Size
452KB
-
MD5
abaa278932de410b1fb76f932e329e61
-
SHA1
0e312f7dfcff2f17270e555392d39269bdef7c21
-
SHA256
3c571e1af876577c9e2463aa6fe7171d455702392f6f3b4a0423249f4d409208
-
SHA512
48ef1e6ad876872d044e8da4dde0369364a73129abecbf0b59f9e8a33046f9fbd771838aed21f452895415a2739fb9cb1f9983a631a947307df45e256194120b
-
SSDEEP
12288:KE+PfVHuSb68alcATXHKKSz0Xk4LE1innQRZrV:KP3VOSHLqo0XkowVRL
Malware Config
Extracted
xloader_apk
https://docs.google.com/document/d/1s0n64k12_r9MglT5m9lr63M5F3e-xRyaMeYP7rdOTrA/mobilebasic
-
user_agent
Mozilla/5.0 (Linux; Android 6.0; Nexus 5 Build/MRA58N) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.121 Mobile Safari/537.36
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.121 Safari/537.36
Extracted
xloader_apk
http://91.204.227.39:28844
Signatures
-
XLoader payload 1 IoCs
-
XLoader, MoqHao
An Android banker and info stealer.
-
Xloader_apk family
-
Checks if the Android device is rooted. 1 TTPs 3 IoCs
-
Removes its main activity from the application launcher 1 TTPs 1 IoCs
-
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs executable file dropped to the device during analysis.
-
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries account information for other applications stored on the device 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect account information stored on the device.
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Reads the content of the MMS message. 1 TTPs 1 IoCs
-
Acquires the wake lock 1 IoCs
-
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
-
Queries information about active data network 1 TTPs 1 IoCs
-
Reads information about phone network operator. 1 TTPs
-
Requests changing the default SMS application. 2 TTPs 1 IoCs
-
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
-
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
-
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
Processes
-
com.qwhf.ttgv1⤵
- Checks if the Android device is rooted.
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Queries account information for other applications stored on the device
- Reads the content of the MMS message.
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Queries information about active data network
- Requests changing the default SMS application.
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
Network
MITRE ATT&CK Mobile v15
Persistence
Event Triggered Execution
1Broadcast Receivers
1Foreground Persistence
1Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Hide Artifacts
2Suppress Application Icon
1User Evasion
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
781KB
MD573b9230a0727b26baf79445044cf9c0d
SHA13c7f917eec8b3e39865c7629ac9af567880ad221
SHA2563db4dfd3242ed9a5f6bc6a777a212f87726c79273eaa876250b931f9a990a208
SHA5129065da8e871f316ba64424f3d3fdd75f3bf3c14298ba6bbaeac70a0e1e2332dc5035b9b513c6242dc6ff539b63297dbad38fd4cf649162df39c924dca408f99c
-
Filesize
1KB
MD5f8f4bcb342b833b85aaf8663aa0bd3f5
SHA14a2a1f691830cefabbca106eb23a93914cf70617
SHA25601ff3acef253563d9dc10ef8f0e6a121954c3018b06453988c7bebdabbb779d9
SHA5120aa99148848b5e53f7a9b54fddf4e80c5a07f4055a30ba375cbeff6ed7d38a415920d465ccc45f2f5faf17485d080b6b3fd265794e993fb52dd25e6ee4060269