Analysis
max time kernel: 178s
max time network: 185s
platform: android_x86
resource: android-x86-arm-20240624-en
resource tags: android, arch:arm, arch:x86, image:android-x86-arm-20240624-en, locale:en-us, os:android-9-x86, system
submitted: 29-06-2024 22:02
Static task
static1
Behavioral task
behavioral1
Sample
ad60bc1a352100f162691afcbc7bd5c32c4be5f6d636845f644d3e2a0820c703.apk
Resource
android-x86-arm-20240624-en
General
Target: ad60bc1a352100f162691afcbc7bd5c32c4be5f6d636845f644d3e2a0820c703.apk
Size: 404KB
MD5: c6521aef642508fd79a27f6abf9e3a52
SHA1: bc3283f706cfbc5fd7559cbea6f0054bfbe8427a
SHA256: ad60bc1a352100f162691afcbc7bd5c32c4be5f6d636845f644d3e2a0820c703
SHA512: 96a33c8c4791e0d07d0cb13f210d9ea111fe90256136bf26829c18526ad8508a67e446d8b1a017f25d5c338bf2f3e464474afc36aa2c2d2d996a1f1f8653bc0d
SSDEEP: 6144:/yQDz3a12UH/aiNBkcnOxH2R30vUEbObpm8jYJAwu1meY7Dd5+Hw+k3R:TDNUHiiQDhu0vUEbqmEYxfDdi4R
Malware Config
Extracted
xloader_apk
http://91.204.227.50:28899
Signatures

XLoader payload (1 IoC)
Processes:
resource | yara_rule
/data/data/cnwkvds.gqxlibjhj.ybvhhv/files/b | family_xloader_apk2

XLoader, MoqHao
An Android banker and info stealer.

Checks if the Android device is rooted. (1 TTP, 3 IoCs)
Processes: cnwkvds.gqxlibjhj.ybvhhv
ioc | process
/system/bin/su | cnwkvds.gqxlibjhj.ybvhhv
/system/xbin/su | cnwkvds.gqxlibjhj.ybvhhv
/sbin/su | cnwkvds.gqxlibjhj.ybvhhv

Loads dropped Dex/Jar (1 TTP, 4 IoCs)
Runs executable file dropped to the device during analysis.
Processes: cnwkvds.gqxlibjhj.ybvhhv
ioc | pid | process
/data/user/0/cnwkvds.gqxlibjhj.ybvhhv/app_picture/1.jpg | 4349 | cnwkvds.gqxlibjhj.ybvhhv
/data/user/0/cnwkvds.gqxlibjhj.ybvhhv/app_picture/1.jpg | 4349 | cnwkvds.gqxlibjhj.ybvhhv
/data/user/0/cnwkvds.gqxlibjhj.ybvhhv/files/b | 4349 | cnwkvds.gqxlibjhj.ybvhhv
/data/user/0/cnwkvds.gqxlibjhj.ybvhhv/files/b | 4349 | cnwkvds.gqxlibjhj.ybvhhv

Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 TTP)

Queries account information for other applications stored on the device (1 TTP, 1 IoC)
Application may abuse the framework's APIs to collect account information stored on the device.
Processes: cnwkvds.gqxlibjhj.ybvhhv
description | ioc | process
Framework service call | android.accounts.IAccountManager.getAccounts | cnwkvds.gqxlibjhj.ybvhhv

Queries the phone number (MSISDN for GSM devices) (1 TTP)

Reads the content of the MMS message. (1 TTP, 1 IoC)
Processes: cnwkvds.gqxlibjhj.ybvhhv
description | ioc | process
URI accessed for read | content://mms/ | cnwkvds.gqxlibjhj.ybvhhv

Acquires the wake lock (1 IoC)
Processes: cnwkvds.gqxlibjhj.ybvhhv
description | ioc | process
Framework service call | android.os.IPowerManager.acquireWakeLock | cnwkvds.gqxlibjhj.ybvhhv

Makes use of the framework's foreground persistence service (1 TTP, 1 IoC)
Application may abuse the framework's foreground service to continue running in the foreground.
Processes: cnwkvds.gqxlibjhj.ybvhhv
description | ioc | process
Framework service call | android.app.IActivityManager.setServiceForeground | cnwkvds.gqxlibjhj.ybvhhv

Reads information about phone network operator. (1 TTP)

Requests disabling of battery optimizations (often used to enable hiding in the background). (1 TTP, 1 IoC)
Processes: cnwkvds.gqxlibjhj.ybvhhv
description | ioc | process
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | cnwkvds.gqxlibjhj.ybvhhv

Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTP, 1 IoC)
Processes: cnwkvds.gqxlibjhj.ybvhhv
description | ioc | process
Framework service call | android.app.IActivityManager.registerReceiver | cnwkvds.gqxlibjhj.ybvhhv

Uses Crypto APIs (might try to encrypt user data) (1 TTP, 1 IoC)
Processes: cnwkvds.gqxlibjhj.ybvhhv
description | ioc | process
Framework API call | javax.crypto.Cipher.doFinal | cnwkvds.gqxlibjhj.ybvhhv

Checks CPU information (2 TTPs, 1 IoC)

Processes
cnwkvds.gqxlibjhj.ybvhhv
- Checks if the Android device is rooted.
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Queries account information for other applications stored on the device
- Reads the content of the MMS message.
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (might try to encrypt user data)
- Checks CPU information
Network
MITRE ATT&CK Matrix
Downloads

/data/data/cnwkvds.gqxlibjhj.ybvhhv/app_picture/1.jpg
Filesize: 160KB
MD5: 577e96365f374d7ebe76ae891851fa04
SHA1: daee1785ef3063077660ba1649fc32f196a5e1fc
SHA256: 955a88e88ee7f11c7ab4270b5d6c0c99ee503334c89d03f6a09b7f2462ec5e2b
SHA512: 83ee04dd8d3b9e73a58665d98306f4f67376dc3234cce322caefebe197756e85269483de9e8d7c3c9a64f6465b80f71181f89be00a8fe0f55216a377bd098aba

/data/data/cnwkvds.gqxlibjhj.ybvhhv/files/b
Filesize: 446KB
MD5: 5daa1f3756c6785b25d466ca6b7bdc50
SHA1: ad6a6880ad1b812434e5bd3b2c1717ba11b54cf6
SHA256: a1695cf685fbf9712a67bbc7f9bf82c6d6fe5f8ef185f1ede33fcb76526143c7
SHA512: 2dbeab1cfd8658b6681d3bda791f2fd3f1199c9aee135b1baa1e91abf87d20de221eec1027f611356781b7c6dbb823b8b157509ced30b03a62f6842fbde0e7e9

/data/user/0/cnwkvds.gqxlibjhj.ybvhhv/app_picture/1.jpg
Filesize: 160KB
MD5: 85066017489f8535cb48da07bff86656
SHA1: a5629558f46833733eda26678e97281cd07a3a61
SHA256: 64bd297fc36c77b2ae42829fb560f973a4b56b89232bbd15cb80a41fcb65f06b
SHA512: 85aeadd19c92069ad3d6234cf46af583b5e3bbf73468502f2f73df6c07957376427163a772c366ae41167e7eed29b26b0f61ad8031dd3d3fb1796e90a2a0d643

/storage/emulated/0/.msg_device_id.txt
Filesize: 36B
MD5: 76b6c38a0628e6c1a221861fec50db23
SHA1: 95b66e452335ce296d29db358c2000523a93d56a
SHA256: 4c1da0b5455254d6378d979422785fad78edea9f76080486412a05c076cb9ef0
SHA512: 92cfb951cd33da8bca8d07dc53496f7ceae7f2ffba2f43bf8a33fd4f328e5695c5f4185347cadb97c81e52af3872299656c9d3d1c8aece5b6e4e8f2f3f9faca9