Analysis
max time kernel: 179s
max time network: 183s
platform: android_x86
resource: android-x86-arm-20240611.1-en
resource tags: android, arch:arm, arch:x86, image:android-x86-arm-20240611.1-en, locale:en-us, os:android-9-x86, system
submitted: 20-06-2024 01:31
Static task: static1
Behavioral task: behavioral1
Sample: fbeaab3eecf66707d6fbff97b3e37a11f35ad7d11782149a32087151faaa7c39.apk
Resource: android-x86-arm-20240611.1-en
General
Target: fbeaab3eecf66707d6fbff97b3e37a11f35ad7d11782149a32087151faaa7c39.apk
Size: 412KB
MD5: a33daa67c25c01cdfeed6e8eb7f61d3e
SHA1: b5355542adddbebecbef32de7ea843226f77ab5f
SHA256: fbeaab3eecf66707d6fbff97b3e37a11f35ad7d11782149a32087151faaa7c39
SHA512: c266bf661671925cdad77282e7c1b9ef754ba43be059d49bfa01c66af7a30f3639b5afdbb2d0e42eaa4a716e661b165aab88d88d1dbda6b926433f8c1496c647
SSDEEP: 6144:rHMiRT1HEEq65Eh7RlLMbOFljLevI16OR7rf51Z32ByyflvQ8Xo8EeTwhI2/BA:r1hHEXdh7RlScl3evk6OR7jwflvqn+uA
Malware Config
Extracted
Family: xloader_apk
C2: http://91.204.227.50:28899
Signatures

XLoader payload (1 IoCs)
Processes:
  resource: /data/data/qhxcgqi.iggiwmdpi.ynzwru/files/b | yara_rule: family_xloader_apk2
XLoader, MoqHao: an Android banker and info stealer.

Checks if the Android device is rooted. (1 TTPs, 3 IoCs)
Processes:
  ioc: /system/bin/su | process: qhxcgqi.iggiwmdpi.ynzwru
  ioc: /system/xbin/su | process: qhxcgqi.iggiwmdpi.ynzwru
  ioc: /sbin/su | process: qhxcgqi.iggiwmdpi.ynzwru

Loads dropped Dex/Jar (1 TTPs, 4 IoCs)
Runs executable file dropped to the device during analysis.
Processes:
  ioc: /data/user/0/qhxcgqi.iggiwmdpi.ynzwru/app_picture/1.jpg | pid: 4284 | process: qhxcgqi.iggiwmdpi.ynzwru
  ioc: /data/user/0/qhxcgqi.iggiwmdpi.ynzwru/app_picture/1.jpg | pid: 4284 | process: qhxcgqi.iggiwmdpi.ynzwru
  ioc: /data/user/0/qhxcgqi.iggiwmdpi.ynzwru/files/b | pid: 4284 | process: qhxcgqi.iggiwmdpi.ynzwru
  ioc: /data/user/0/qhxcgqi.iggiwmdpi.ynzwru/files/b | pid: 4284 | process: qhxcgqi.iggiwmdpi.ynzwru

Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 TTPs)

Queries account information for other applications stored on the device (1 TTPs, 1 IoCs)
Application may abuse the framework's APIs to collect account information stored on the device.
Processes:
  description: Framework service call | ioc: android.accounts.IAccountManager.getAccounts | process: qhxcgqi.iggiwmdpi.ynzwru

Queries the phone number (MSISDN for GSM devices) (1 TTPs)

Reads the content of the MMS message. (1 TTPs, 1 IoCs)
Processes:
  description: URI accessed for read | ioc: content://mms/ | process: qhxcgqi.iggiwmdpi.ynzwru

Acquires the wake lock (1 IoCs)
Processes:
  description: Framework service call | ioc: android.os.IPowerManager.acquireWakeLock | process: qhxcgqi.iggiwmdpi.ynzwru

Makes use of the framework's foreground persistence service (1 TTPs, 1 IoCs)
Application may abuse the framework's foreground service to continue running in the foreground.
Processes:
  description: Framework service call | ioc: android.app.IActivityManager.setServiceForeground | process: qhxcgqi.iggiwmdpi.ynzwru

Reads information about phone network operator. (1 TTPs)

Requests disabling of battery optimizations (often used to enable hiding in the background). (1 TTPs, 1 IoCs)
Processes:
  description: Intent action | ioc: android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | process: qhxcgqi.iggiwmdpi.ynzwru

Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTPs, 1 IoCs)
Processes:
  description: Framework service call | ioc: android.app.IActivityManager.registerReceiver | process: qhxcgqi.iggiwmdpi.ynzwru

Uses Crypto APIs (might try to encrypt user data) (1 TTPs, 1 IoCs)
Processes:
  description: Framework API call | ioc: javax.crypto.Cipher.doFinal | process: qhxcgqi.iggiwmdpi.ynzwru

Checks CPU information (2 TTPs, 1 IoCs)
Processes
qhxcgqi.iggiwmdpi.ynzwru (1)
- Checks if the Android device is rooted.
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Queries account information for other applications stored on the device
- Reads the content of the MMS message.
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
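The signature list above is the sandbox's aggregation of individual events (file accesses, binder/framework calls, content-URI reads, intents, code loads) into named behaviours with an IoC count. The following is an added example, not the sandbox vendor's code or the sample's, that re-implements that aggregation for the behaviours this report fired. The Event layout and the event log are constructed to reproduce the IoCs listed above; the extra su locations beyond the three the sample probed are an assumption about what root-check libraries commonly test.

```python
"""Re-implementation of the behavioural signature matching shown in the report.

Added example; not code from the sandbox vendor or from the sample. The Event
layout is an assumption about how a sandbox would log API calls, file accesses,
intents and code loads; the rule set mirrors the signature names above.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class Event:
    kind: str      # "file_access" | "framework_call" | "uri_read" | "intent" | "exec_load"
    value: str     # path, framework API name, content URI or intent action
    process: str
    pid: int = 0


@dataclass(frozen=True)
class Rule:
    name: str
    kind: str
    matches: Callable[[str], bool]
    ttps: int = 0


# su binaries probed by the sample in the report, plus locations that
# root-check libraries commonly probe (assumption: extra paths, not from the report)
SU_PATHS = {
    "/system/bin/su", "/system/xbin/su", "/sbin/su",
    "/system/sbin/su", "/vendor/bin/su", "/data/local/bin/su",
}
APP_DATA_DIRS = ("/data/user/0/", "/data/data/")

RULES: List[Rule] = [
    Rule("Checks if the Android device is rooted.", "file_access",
         lambda v: v in SU_PATHS, ttps=1),
    Rule("Loads dropped Dex/Jar", "exec_load",
         lambda v: v.startswith(APP_DATA_DIRS), ttps=1),
    Rule("Queries account information for other applications stored on the device",
         "framework_call", lambda v: v == "android.accounts.IAccountManager.getAccounts", ttps=1),
    Rule("Reads the content of the MMS message.", "uri_read",
         lambda v: v.startswith("content://mms"), ttps=1),
    Rule("Acquires the wake lock", "framework_call",
         lambda v: v == "android.os.IPowerManager.acquireWakeLock"),
    Rule("Makes use of the framework's foreground persistence service", "framework_call",
         lambda v: v == "android.app.IActivityManager.setServiceForeground", ttps=1),
    Rule("Requests disabling of battery optimizations", "intent",
         lambda v: v == "android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS", ttps=1),
    Rule("Registers a broadcast receiver at runtime", "framework_call",
         lambda v: v == "android.app.IActivityManager.registerReceiver", ttps=1),
    Rule("Uses Crypto APIs", "framework_call",
         lambda v: v == "javax.crypto.Cipher.doFinal", ttps=1),
]


def match(events: List[Event]) -> Dict[str, List[Event]]:
    """Return {signature name: [matching events]} for every rule that fired."""
    hits: Dict[str, List[Event]] = {}
    for ev in events:
        for rule in RULES:
            if ev.kind == rule.kind and rule.matches(ev.value):
                hits.setdefault(rule.name, []).append(ev)
    return hits


def summarize(hits: Dict[str, List[Event]]) -> List[str]:
    """One line per fired rule, in the report's '<name> N TTPs M IoCs' style."""
    lines = []
    for rule in RULES:            # keep the report's rule order
        if rule.name in hits:
            ttp = f" {rule.ttps} TTPs" if rule.ttps else ""
            lines.append(f"{rule.name}{ttp} {len(hits[rule.name])} IoCs")
    return lines


PKG = "qhxcgqi.iggiwmdpi.ynzwru"
# Constructed event log reproducing the IoCs listed in the report
SAMPLE_EVENTS = [
    Event("file_access", "/system/bin/su", PKG),
    Event("file_access", "/system/xbin/su", PKG),
    Event("file_access", "/sbin/su", PKG),
    Event("exec_load", f"/data/user/0/{PKG}/app_picture/1.jpg", PKG, 4284),
    Event("exec_load", f"/data/user/0/{PKG}/app_picture/1.jpg", PKG, 4284),
    Event("exec_load", f"/data/user/0/{PKG}/files/b", PKG, 4284),
    Event("exec_load", f"/data/user/0/{PKG}/files/b", PKG, 4284),
    Event("framework_call", "android.accounts.IAccountManager.getAccounts", PKG),
    Event("uri_read", "content://mms/", PKG),
    Event("framework_call", "android.os.IPowerManager.acquireWakeLock", PKG),
    Event("framework_call", "android.app.IActivityManager.setServiceForeground", PKG),
    Event("intent", "android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS", PKG),
    Event("framework_call", "android.app.IActivityManager.registerReceiver", PKG),
    Event("framework_call", "javax.crypto.Cipher.doFinal", PKG),
    Event("file_access", "/proc/cpuinfo", PKG),   # no rule for this here; stays unmatched
]

if __name__ == "__main__":
    for line in summarize(match(SAMPLE_EVENTS)):
        print(line)
```

Each IoC row in the report corresponds to one matched event, which is why "Loads dropped Dex/Jar" counts 4 IoCs for two paths: the same file was loaded twice and both loads are kept.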
Network
MITRE ATT&CK Matrix
Downloads

/data/data/qhxcgqi.iggiwmdpi.ynzwru/app_picture/1.jpg
Filesize: 171KB
MD5: 55b123db49b96215e0ad2337121ad5da
SHA1: 9f255e89dc72812fe59b4c3de870c1eff041b081
SHA256: 9461ecb8576b1004b3faa39e69b8f8e86b5772c24bce4b5c8934566847389d7f
SHA512: 017fa689ce91e53d257ada34658668b16b4c38e2eb7aba389de34f3e11f3a4beeaf059c79fd3a76535ce8c85ee5bbd0f0ae89c61c8b62df1dcf40cab268df91d

/data/data/qhxcgqi.iggiwmdpi.ynzwru/files/b
Filesize: 446KB
MD5: 4f4569db9ddb90b5f60c424621cf3a72
SHA1: 63c79e63187921b33d30c66de3e791e3f51d746e
SHA256: 18c14954e985db1a807189513a739c2ccb9ad37bba6cc9f8a61f0c42edffda4c
SHA512: cf1c150f19ccc58441ac38060fe80961bbc9ea575a69c4437bd04be7555b92a3422490a4358f720450492edf5780d3d76eed4e02493c184bb3f13a8ab5ec4929

/data/user/0/qhxcgqi.iggiwmdpi.ynzwru/app_picture/1.jpg
Filesize: 171KB
MD5: 1261623c91cac60d91e6e86c67231594
SHA1: fb166afc95b8ae08d1ea30c46b4927b7fcf29ed8
SHA256: e427b4757dbad8548a5b98257268a08c510c53e2ecc42c472fce302cbac360c2
SHA512: da4ba9b993a6b078a12afb1d868a41f2c565c095d6fb76782261bd90afd6885c7f38c263dd20ec9644c27a0e36c75de775e3e826310813fd641ffd7950f1eaaa

/storage/emulated/0/.msg_device_id.txt
Filesize: 36B
MD5: 91c3e307adb93b60c93b4839f32925e5
SHA1: e6bc6f4b97c912e6dd8fc97636d7b18ff1695081
SHA256: 0316a106ed14aab6bba3fbd5082b5debc8fd6718014fe78a1eddeabc5f94886c
SHA512: 6b137d852c6e8d8ff5ddff25a817f65fd7e4ff0552a3051b794f406835e81b709f5ba612dc680bbdfb7dc565b608a7c6d53216e099d9cf8e1423e1ee3050315a
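Two things in this report deserve a check before the dropped files are handed on. First, "Loads dropped Dex/Jar" shows code being loaded from a file named app_picture/1.jpg, so the extension cannot be trusted and the real container type has to be read from the leading bytes. Second, on Android /data/data is a symlink to /data/user/0, so the two 1.jpg entries above are the same path captured at different moments, and their digests differ; a triage helper should therefore hash every capture rather than dedupe by path. The following is an added example, not the sandbox vendor's code or the sample's, that computes the same four digests the report lists and classifies a blob by magic bytes. The inputs are constructed stand-ins with only a valid header, not the real dropped files.

```python
"""Triage helper for the dropped files listed under Downloads.

Added example; not code from the sandbox vendor or from the sample. It computes
the digests the report shows and identifies the real container type from magic
bytes, so a file that is loaded as code but named like an image can be checked
rather than trusted by extension.
"""
import hashlib
import os
import re
from typing import Dict


def hashes(data: bytes) -> Dict[str, str]:
    """MD5/SHA1/SHA256/SHA512 of the blob as hex, in the report's order."""
    return {alg: hashlib.new(alg, data).hexdigest()
            for alg in ("md5", "sha1", "sha256", "sha512")}


def identify(data: bytes) -> str:
    """Classify a dropped file by its leading bytes."""
    if re.match(rb"dex\n\d{3}\x00", data[:8]):
        return "dex"                  # Dalvik executable: "dex\n", 3-digit version, NUL
    if data[:4] == b"dey\n":
        return "odex"                 # optimized DEX
    if data[:4] in (b"PK\x03\x04", b"PK\x05\x06"):
        return "zip"                  # JAR and APK containers are ZIP archives
    if data[:3] == b"\xff\xd8\xff":
        return "jpeg"
    if data[:8] == b"\x89PNG\r\n\x1a\n":
        return "png"
    if data[:4] == b"\x7fELF":
        return "elf"
    return "unknown"


# extensions under which each real type would not look out of place
EXPECTED = {"dex": {".dex"}, "odex": {".odex"}, "zip": {".zip", ".jar", ".apk"},
            "jpeg": {".jpg", ".jpeg"}, "png": {".png"}, "elf": {".so"}}


def triage(name: str, data: bytes, loaded_as_code: bool = False) -> Dict[str, object]:
    """Summarize a dropped file: size, digests, detected type, and whether its
    name or the way the sample used it disagrees with its contents."""
    kind = identify(data)
    ext = os.path.splitext(name)[1].lower()
    # only flag a mismatch when there is an extension to disagree with
    mismatch = bool(ext) and kind != "unknown" and ext not in EXPECTED.get(kind, set())
    # code loaded from something that is not DEX/ZIP/ELF needs a manual look too
    unexpected_load = loaded_as_code and kind not in ("dex", "odex", "zip", "elf")
    return {"name": name, "size": len(data), "type": kind,
            "extension_mismatch": mismatch, "unexpected_load": unexpected_load,
            **hashes(data)}


# Constructed stand-ins (not the real dropped files): a DEX header under a .jpg
# name, a genuine JPEG header, and a ZIP header under an extension-less name
FAKE_DEX_AS_JPG = b"dex\n035\x00" + b"\x00" * 104
FAKE_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 60
FAKE_ZIP_NO_EXT = b"PK\x03\x04" + b"\x00" * 60

if __name__ == "__main__":
    for name, blob in (("app_picture/1.jpg", FAKE_DEX_AS_JPG),
                       ("app_picture/1.jpg", FAKE_JPEG),
                       ("files/b", FAKE_ZIP_NO_EXT)):
        print(triage(name, blob, loaded_as_code=True))
```

To use it on a real capture, read each dropped file from the sandbox's download bundle and pass `loaded_as_code=True` for paths that appear under "Loads dropped Dex/Jar"; an entry with `extension_mismatch` or `unexpected_load` set is the one to open in a DEX or archive tool next.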