Malware Analysis Report

2024-09-09 13:07

Sample ID 240624-wnsjnsydlq
Target 0593b38073a8ec33b2ceb75360f0a2c2586cccfc31053d7d6d55f365378b131e.bin
SHA256 0593b38073a8ec33b2ceb75360f0a2c2586cccfc31053d7d6d55f365378b131e
Tags xloader_apk banker collection discovery evasion impact infostealer persistence stealth trojan
Score 10/10


Analysis Overview

Score 10/10

SHA256 0593b38073a8ec33b2ceb75360f0a2c2586cccfc31053d7d6d55f365378b131e

Threat Level: Known bad

The file 0593b38073a8ec33b2ceb75360f0a2c2586cccfc31053d7d6d55f365378b131e.bin was found to be: Known bad.

Malicious Activity Summary

xloader_apk banker collection discovery evasion impact infostealer persistence stealth trojan

XLoader, MoqHao

XLoader payload

Checks if the Android device is rooted.

Removes its main activity from the application launcher

Queries the phone number (MSISDN for GSM devices)

Reads the content of the MMS message.

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Loads dropped Dex/Jar

Requests dangerous framework permissions

Requests disabling of battery optimizations (often used to enable hiding in the background).

Requests changing the default SMS application.

Makes use of the framework's foreground persistence service

Queries information about active data network

Acquires the wake lock

Reads information about phone network operator.

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported 2024-06-24 18:04

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to monitor incoming MMS messages. | android.permission.RECEIVE_MMS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A
Allows an application to collect component usage statistics. | android.permission.PACKAGE_USAGE_STATS | N/A | N/A
Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-06-24 18:04
Reported 2024-06-24 18:14
Platform android-x86-arm-20240624-en
Max time kernel 179s
Max time network 174s

Command Line

com.djmf.cnjb

Signatures

XLoader payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

XLoader, MoqHao

trojan infostealer banker xloader_apk

Checks if the Android device is rooted.

evasion
Description | Indicator | Process | Target
N/A | /system/bin/su | N/A | N/A
N/A | /system/xbin/su | N/A | N/A
N/A | /sbin/su | N/A | N/A

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.djmf.cnjb/files/dex | N/A | N/A
N/A | /data/user/0/com.djmf.cnjb/files/dex | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Reads the content of the MMS message.

collection
Description | Indicator | Process | Target
URI accessed for read | content://mms/ | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Reads information about phone network operator.

discovery

Requests changing the default SMS application.

collection impact
Description | Indicator | Process | Target
Intent action | android.provider.Telephony.ACTION_CHANGE_DEFAULT | N/A | N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.djmf.cnjb

ping -c 4 91.204.227.39

Network


Files

/data/data/com.djmf.cnjb/files/dex

MD5 81943f38b95891a341744d62af70fecb
SHA1 f5e17b93b21e2d2907a1f4f1f3eba612c0f79fe1
SHA256 13012f75645636977b362f60c3215f018092a02cb69db5fc0ba24f850fc034e8
SHA512 bbe47a808c18120b67460b521bc487bf4ba7bb09efd85bcefbd2810b2dc8b74732b3eca5874e51db100465b4df116d09919862b381cba26c56c22fcee2080cbc

/data/data/com.djmf.cnjb/files/oat/dex.cur.prof

MD5 be90d2da70050b976b8b041c772305f4
SHA1 cbb3d19588a50d89dc41e8a276eee510de12a107
SHA256 e19b118f3759bdf71a686c7aea359f7611953859631b9fc4f1bd2d8913910819
SHA512 8aedb60c6dcef1c53aa7cc3413bf3f9c0736e2af9ab28e50ceee183f61c81820573f93588cc13822aa3fa4662a9ac96d7bdea720ca0a570256e7895428554617

Analysis: behavioral2

Detonation Overview

Submitted 2024-06-24 18:04
Reported 2024-06-24 18:14
Platform android-x64-20240624-en
Max time kernel 179s
Max time network 180s

Command Line

com.djmf.cnjb

Signatures

XLoader payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

XLoader, MoqHao

trojan infostealer banker xloader_apk

Checks if the Android device is rooted.

evasion
Description | Indicator | Process | Target
N/A | /system/xbin/su | N/A | N/A
N/A | /sbin/su | N/A | N/A
N/A | /system/bin/su | N/A | N/A

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.djmf.cnjb/files/dex | N/A | N/A
N/A | /data/user/0/com.djmf.cnjb/files/dex | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Reads the content of the MMS message.

collection
Description | Indicator | Process | Target
URI accessed for read | content://mms/ | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.djmf.cnjb

Network


Files

/data/data/com.djmf.cnjb/files/dex

MD5 81943f38b95891a341744d62af70fecb
SHA1 f5e17b93b21e2d2907a1f4f1f3eba612c0f79fe1
SHA256 13012f75645636977b362f60c3215f018092a02cb69db5fc0ba24f850fc034e8
SHA512 bbe47a808c18120b67460b521bc487bf4ba7bb09efd85bcefbd2810b2dc8b74732b3eca5874e51db100465b4df116d09919862b381cba26c56c22fcee2080cbc

/data/data/com.djmf.cnjb/files/oat/dex.cur.prof

MD5 41480d660e073ca5d735e9baa48ddf8b
SHA1 10f8eb101c0e445697bcc824dd5fe0505a079b9c
SHA256 ec06ede0707c2125a11eb0f0f6f4160f7335686970396750c70e510428b37a3d
SHA512 22b85bef873b19dcd2eae471645541cd33c4cab7424fdd79c9024aafb393311a285c5e466de2b35f31d28d09099c020daa9ce2ff0dabf0a6ea04ee1297fd9d77

Analysis: behavioral3

Detonation Overview

Submitted 2024-06-24 18:04
Reported 2024-06-24 18:14
Platform android-x64-arm64-20240624-en
Max time kernel 179s
Max time network 177s

Command Line

com.djmf.cnjb

Signatures

XLoader payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

XLoader, MoqHao

trojan infostealer banker xloader_apk

Checks if the Android device is rooted.

evasion
Description | Indicator | Process | Target
N/A | /system/bin/su | N/A | N/A

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.djmf.cnjb/files/dex | N/A | N/A
N/A | /data/user/0/com.djmf.cnjb/files/dex | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Reads the content of the MMS message.

collection
Description | Indicator | Process | Target
URI accessed for read | content://mms/ | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Reads information about phone network operator.

discovery

Requests changing the default SMS application.

collection impact
Description | Indicator | Process | Target
Intent action | android.provider.Telephony.ACTION_CHANGE_DEFAULT | N/A | N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.djmf.cnjb

Network


Files

/data/user/0/com.djmf.cnjb/files/dex

MD5 81943f38b95891a341744d62af70fecb
SHA1 f5e17b93b21e2d2907a1f4f1f3eba612c0f79fe1
SHA256 13012f75645636977b362f60c3215f018092a02cb69db5fc0ba24f850fc034e8
SHA512 bbe47a808c18120b67460b521bc487bf4ba7bb09efd85bcefbd2810b2dc8b74732b3eca5874e51db100465b4df116d09919862b381cba26c56c22fcee2080cbc

/data/user/0/com.djmf.cnjb/files/oat/dex.cur.prof

MD5 a2470fd8be23758408cd0c6627cfc968
SHA1 bb78462bda15393ffcafe651065e1998883df573
SHA256 6722f8d22e88689e3d0a3441a8214f0ff5b6eba7b7e666e395dc5ca36c288374
SHA512 a62614cd1d4c43385e4ab397d14a4a89344d046689e4259800557a58d0f22f97cd7461d228c3371c8658f907a5a1de2cb5af0088342f67ff11f6886635db1d9a