Analysis
-
max time kernel
179s -
max time network
185s -
platform
android_x86 -
resource
android-x86-arm-20240611.1-en -
resource tags
androidarch:armarch:x86image:android-x86-arm-20240611.1-enlocale:en-usos:android-9-x86system -
submitted
20-06-2024 01:27
Static task
static1
Behavioral task
behavioral1
Sample
c6b739429cab0aa5167e59dbc2af543107e3b77db1e7223093f3ea57e605cd46.apk
Resource
android-x86-arm-20240611.1-en
General
-
Target
c6b739429cab0aa5167e59dbc2af543107e3b77db1e7223093f3ea57e605cd46.apk
-
Size
412KB
-
MD5
b1a0bf3db876a50ce25d53aca40ea7ea
-
SHA1
13eec713c1b93a43b84984c8418adfc16ab53063
-
SHA256
c6b739429cab0aa5167e59dbc2af543107e3b77db1e7223093f3ea57e605cd46
-
SHA512
9df57b7c121d80efb1523ef9726a94c25797fc1d3ec4a79f4e509da999d46816bc6b42b9569fccb8f93569fce0b7618b53ec9d3aba9cb0c438e8e97fd45094aa
-
SSDEEP
12288:oeN7UbyIehC7RlScl3evk6OR7jwflvqn+4:oC72yszlj60s9Z4
Malware Config
Extracted
xloader_apk
http://91.204.227.50:28899
Signatures
-
XLoader payload 1 IoCs
Processes:
resource yara_rule /data/data/ivczsvd.rzitcfdpw.clhanu/files/b family_xloader_apk2 -
XLoader, MoqHao
An Android banker and info stealer.
-
Checks if the Android device is rooted. 1 TTPs 3 IoCs
Processes:
ivczsvd.rzitcfdpw.clhanuioc process /sbin/su ivczsvd.rzitcfdpw.clhanu /system/bin/su ivczsvd.rzitcfdpw.clhanu /system/xbin/su ivczsvd.rzitcfdpw.clhanu -
Loads dropped Dex/Jar 1 TTPs 4 IoCs
Runs executable file dropped to the device during analysis.
Processes:
ivczsvd.rzitcfdpw.clhanuioc pid process /data/user/0/ivczsvd.rzitcfdpw.clhanu/app_picture/1.jpg 4216 ivczsvd.rzitcfdpw.clhanu /data/user/0/ivczsvd.rzitcfdpw.clhanu/app_picture/1.jpg 4216 ivczsvd.rzitcfdpw.clhanu /data/user/0/ivczsvd.rzitcfdpw.clhanu/files/b 4216 ivczsvd.rzitcfdpw.clhanu /data/user/0/ivczsvd.rzitcfdpw.clhanu/files/b 4216 ivczsvd.rzitcfdpw.clhanu -
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries account information for other applications stored on the device 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect account information stored on the device.
Processes:
ivczsvd.rzitcfdpw.clhanudescription ioc process Framework service call android.accounts.IAccountManager.getAccounts ivczsvd.rzitcfdpw.clhanu -
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Reads the content of the MMS message. 1 TTPs 1 IoCs
Processes:
ivczsvd.rzitcfdpw.clhanudescription ioc process URI accessed for read content://mms/ ivczsvd.rzitcfdpw.clhanu -
Acquires the wake lock 1 IoCs
Processes:
ivczsvd.rzitcfdpw.clhanudescription ioc process Framework service call android.os.IPowerManager.acquireWakeLock ivczsvd.rzitcfdpw.clhanu -
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
Processes:
ivczsvd.rzitcfdpw.clhanudescription ioc process Framework service call android.app.IActivityManager.setServiceForeground ivczsvd.rzitcfdpw.clhanu -
Reads information about phone network operator. 1 TTPs
-
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
Processes:
ivczsvd.rzitcfdpw.clhanudescription ioc process Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS ivczsvd.rzitcfdpw.clhanu -
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
Processes:
ivczsvd.rzitcfdpw.clhanudescription ioc process Framework service call android.app.IActivityManager.registerReceiver ivczsvd.rzitcfdpw.clhanu -
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
Processes:
ivczsvd.rzitcfdpw.clhanudescription ioc process Framework API call javax.crypto.Cipher.doFinal ivczsvd.rzitcfdpw.clhanu -
Checks CPU information 2 TTPs 1 IoCs
Processes
-
ivczsvd.rzitcfdpw.clhanu1⤵
- Checks if the Android device is rooted.
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Queries account information for other applications stored on the device
- Reads the content of the MMS message.
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
/data/data/ivczsvd.rzitcfdpw.clhanu/app_picture/1.jpgFilesize
171KB
MD50c96daa00b745eca1e228c022f92a052
SHA1473cc175ef4e347c7d80fe9126ccd1713564037e
SHA256b521478a512c0eefec42e4a2e8e3b74f22bd34bd1b8dfa78970dfeb768c9d9e3
SHA512154dcdbfa11c4e0133c9b346aaf5729b866999f59bc7c6068e4664f897498109789192ab40f6a1634309a49cae91e222eb44f7f065236d8bfb15f4ae27302134
-
/data/data/ivczsvd.rzitcfdpw.clhanu/files/bFilesize
446KB
MD54f4569db9ddb90b5f60c424621cf3a72
SHA163c79e63187921b33d30c66de3e791e3f51d746e
SHA25618c14954e985db1a807189513a739c2ccb9ad37bba6cc9f8a61f0c42edffda4c
SHA512cf1c150f19ccc58441ac38060fe80961bbc9ea575a69c4437bd04be7555b92a3422490a4358f720450492edf5780d3d76eed4e02493c184bb3f13a8ab5ec4929
-
/storage/emulated/0/.msg_device_id.txtFilesize
36B
MD5888fc9dc6a62292866426d453e8cbaa3
SHA1fad9a84673d342bca395e229a47b333ff9611df9
SHA256f2160269dab2c229ffdb43f1785030f7c0b8110b95f0c9a8c7724c35ecaf9ca3
SHA5127a7fb54b1e110e629eefeca7dfc24c591445d43cfd095db003cc87d8dbf69f7c93006de65ee5c90dbe9cd0bd841cf2c8ffc441caf41a28c65991598e4967b0ec