Analysis
-
max time kernel
179s -
max time network
174s -
platform
android_x86 -
resource
android-x86-arm-20240624-en -
resource tags
-
submitted
24-06-2024 18:04
General
-
Target
0593b38073a8ec33b2ceb75360f0a2c2586cccfc31053d7d6d55f365378b131e.apk
-
Size
454KB
-
MD5
8afffc9ee07d329e8edf54d26e4851dc
-
SHA1
4465da623b6120494111f4c074be5b686b5594f0
-
SHA256
0593b38073a8ec33b2ceb75360f0a2c2586cccfc31053d7d6d55f365378b131e
-
SHA512
b84b528cf442e1cf4c5dd90c69ac739ebe2f04f2c507ca73958bd39d1a090dae9ad8734b91f0c0785e931eabae2e810f3e609f01ed2895adf6ecb31090891c89
-
SSDEEP
12288:ukcln12dfXGFu6oQ6WvfpafuwiZgpL6xy:Aln1mXGFzoQ6Mf0uwHQxy
Malware Config
Extracted
xloader_apk
http://91.204.227.39:28844
Signatures
-
XLoader payload 1 IoCs
-
XLoader, MoqHao
An Android banker and info stealer.
-
Checks if the Android device is rooted. 1 TTPs 3 IoCs
-
Removes its main activity from the application launcher 1 TTPs 2 IoCs
-
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs executable file dropped to the device during analysis.
-
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Reads the content of the MMS message. 1 TTPs 1 IoCs
-
Acquires the wake lock 1 IoCs
-
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
-
Queries information about active data network 1 TTPs 1 IoCs
-
Reads information about phone network operator. 1 TTPs
-
Requests changing the default SMS application. 2 TTPs 1 IoCs
-
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
-
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
-
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
Processes
-
com.djmf.cnjb1⤵
- Checks if the Android device is rooted.
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Reads the content of the MMS message.
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Queries information about active data network
- Requests changing the default SMS application.
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
-
ping -c 4 91.204.227.392⤵
-
Network
MITRE ATT&CK Mobile v15
Persistence
Event Triggered Execution
1Broadcast Receivers
1Foreground Persistence
1Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Hide Artifacts
2Suppress Application Icon
1User Evasion
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
782KB
MD581943f38b95891a341744d62af70fecb
SHA1f5e17b93b21e2d2907a1f4f1f3eba612c0f79fe1
SHA25613012f75645636977b362f60c3215f018092a02cb69db5fc0ba24f850fc034e8
SHA512bbe47a808c18120b67460b521bc487bf4ba7bb09efd85bcefbd2810b2dc8b74732b3eca5874e51db100465b4df116d09919862b381cba26c56c22fcee2080cbc
-
Filesize
1KB
MD5be90d2da70050b976b8b041c772305f4
SHA1cbb3d19588a50d89dc41e8a276eee510de12a107
SHA256e19b118f3759bdf71a686c7aea359f7611953859631b9fc4f1bd2d8913910819
SHA5128aedb60c6dcef1c53aa7cc3413bf3f9c0736e2af9ab28e50ceee183f61c81820573f93588cc13822aa3fa4662a9ac96d7bdea720ca0a570256e7895428554617