Analysis
-
max time kernel
179s -
max time network
185s -
platform
android_x86 -
resource
android-x86-arm-20240611.1-en -
resource tags
-
submitted
20-06-2024 02:10
General
-
Target
6154954d792c69706cf9ef6be3cff04e04c011572228d692c68bc76b84840fb7.apk
-
Size
412KB
-
MD5
e55eb2b9dc03e4bdafb9960719189197
-
SHA1
896f3fcfe80ded2c26861500a1707dd7f50e0596
-
SHA256
6154954d792c69706cf9ef6be3cff04e04c011572228d692c68bc76b84840fb7
-
SHA512
e5df93d2df5c0f55f4b792468eec28babbfff215b9511383d5602329e9de258113b44d2b5d77228061f7f63ce1fcc01d7520182b91f8460660935bbe8a058c7e
-
SSDEEP
6144:Meq+XdkjP3CaI8yA2mVx7RlLMbOFljLevI16OR7rf51Z32ByyflvQ8Xo8EeTwhIt:hy3C1W77RlScl3evk6OR7jwflvqn+3
Malware Config
Extracted
xloader_apk
http://91.204.227.50:28899
Signatures
-
XLoader payload 1 IoCs
-
XLoader, MoqHao
An Android banker and info stealer.
-
Checks if the Android device is rooted. 1 TTPs 3 IoCs
-
Removes its main activity from the application launcher 1 TTPs 1 IoCs
-
Loads dropped Dex/Jar 1 TTPs 4 IoCs
Runs executable file dropped to the device during analysis.
-
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries account information for other applications stored on the device 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect account information stored on the device.
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Reads the content of the MMS message. 1 TTPs 1 IoCs
-
Acquires the wake lock 1 IoCs
-
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
-
Reads information about phone network operator. 1 TTPs
-
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
-
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
-
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
-
Checks CPU information 2 TTPs 1 IoCs
Processes
-
lfignvw.ypmmomlmq.usgrst1⤵
- Checks if the Android device is rooted.
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Queries account information for other applications stored on the device
- Reads the content of the MMS message.
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
Network
MITRE ATT&CK Mobile v15
Persistence
Event Triggered Execution
1Broadcast Receivers
1Foreground Persistence
1Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Hide Artifacts
2Suppress Application Icon
1User Evasion
1Virtualization/Sandbox Evasion
1System Checks
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
170KB
MD5eb678026016854f9d482e1b4788001fb
SHA1cd4dc5395e4d2c7d76d996f62f58d94a82802865
SHA2566b09c076eed368f2169585d6f305005cd16b196d4c5eafb16b366c2848de18fc
SHA5129516950365079bcf4505d2723764a19564574ac4b5d980855762f638538c67835742d59405dd69532d8c7447d541391e1047152147764c28af1ff9b016667aae
-
Filesize
446KB
MD54f4569db9ddb90b5f60c424621cf3a72
SHA163c79e63187921b33d30c66de3e791e3f51d746e
SHA25618c14954e985db1a807189513a739c2ccb9ad37bba6cc9f8a61f0c42edffda4c
SHA512cf1c150f19ccc58441ac38060fe80961bbc9ea575a69c4437bd04be7555b92a3422490a4358f720450492edf5780d3d76eed4e02493c184bb3f13a8ab5ec4929
-
Filesize
36B
MD567df2f49c04c5848536012752bedd2d6
SHA1710602525b440bf2d9f470f864fbfe958e0489bf
SHA256f22ceee3e26f349146749fa38ef63b13846b8e70cf9e24eb73c295d398df9c36
SHA512e350ac602cc43aee018ff8e53e278dd1269d6dc055f4662939702f64607dda0a2bef36497506d6d87881ef14de9f8ba5e6772efdd232e9718623f4b63f106060
