Overview

overview

10

Static

static

6

05473ed7a1...a5.apk

android-9-x86

10

Analysis

  • max time kernel
    11s
  • max time network
    186s
  • platform
    android_x86
  • resource
    android-x86-arm-20240624-en
  • resource tags

    androidarch:armarch:x86image:android-x86-arm-20240624-enlocale:en-usos:android-9-x86system
  • submitted
    30-06-2024 22:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    05473ed7a13b17325d053213813bdcba5ee07ef482c2dae366e86ed9eee5eda5.apk

  • Size

    412KB

  • MD5

    c5d3d2673a38e51b5fbb80a3f354da9b

  • SHA1

    2bb40947f527ca627dd4be6be15bcdb7f43c064c

  • SHA256

    05473ed7a13b17325d053213813bdcba5ee07ef482c2dae366e86ed9eee5eda5

  • SHA512

    2e10453301904aa886fe719b50a2986c7e98c7a0419ae88e10c014e6f2d32c5899598453d2df20a94c945b4123a2d93e00630e45ec4c35c9a225e4ad5c0c661a

  • SSDEEP

    12288:4DNUHiiQDhu0vUEbqmEYxqnDyOf/6xeBP:S+HiiQFvUE+JVnGi/6xeBP

Score
10/10
xloader_apkbankercollectiondiscoveryevasionimpactinfostealerpersistencestealthtrojan

Malware Config

Extracted

Family

xloader_apk

C2

http://91.204.227.50:28899

DES_key

Signatures

  • XLoader payload 1 IoCs
  • XLoader, MoqHao

    An Android banker and info stealer.

    trojaninfostealerbankerxloader_apk
  • Checks if the Android device is rooted. 1 TTPs 3 IoCs
    evasion
  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
    stealthtrojanevasion
  • Loads dropped Dex/Jar 1 TTPs 4 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
    bankerdiscovery
  • Queries account information for other applications stored on the device 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect account information stored on the device.

    collection
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Reads the content of the MMS message. 1 TTPs 1 IoCs
    collection
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    evasionpersistence
  • Reads information about phone network operator. 1 TTPs
    discovery
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
    evasion
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
    persistence
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
    impact
  • Checks CPU information 2 TTPs 1 IoCs

Processes

  • knynyfy.yqxylkapr.swpvws
    1⤵
    • Checks if the Android device is rooted.
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Queries account information for other applications stored on the device
    • Reads the content of the MMS message.
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Uses Crypto APIs (Might try to encrypt user data)
    • Checks CPU information
    PID:4305

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/knynyfy.yqxylkapr.swpvws/app_picture/1.jpg
    Filesize

    172KB

    MD5

    ad1c42df6c625770c2884e8bed2efd67

    SHA1

    8a523e9474208514c977aca2a14cb489910d907b

    SHA256

    b7673ffb55573f85d8015ee905862e481ef6aa51c7b607c88dbd77b5b33344a7

    SHA512

    da62b8bfc9505539f287afec4fd19bb7fa056a0e7b26918da6ae3e1924766c5d27fc6ddb5a0a97892e0395d3faf748f4e2158ec049761c235f7bf122fdbd2b5e

    Download Submit

  • /data/data/knynyfy.yqxylkapr.swpvws/files/b
    Filesize

    446KB

    MD5

    5daa1f3756c6785b25d466ca6b7bdc50

    SHA1

    ad6a6880ad1b812434e5bd3b2c1717ba11b54cf6

    SHA256

    a1695cf685fbf9712a67bbc7f9bf82c6d6fe5f8ef185f1ede33fcb76526143c7

    SHA512

    2dbeab1cfd8658b6681d3bda791f2fd3f1199c9aee135b1baa1e91abf87d20de221eec1027f611356781b7c6dbb823b8b157509ced30b03a62f6842fbde0e7e9

    Download Submit

  • /data/user/0/knynyfy.yqxylkapr.swpvws/app_picture/1.jpg
    Filesize

    172KB

    MD5

    f5ad0500743b6bc37bee2a970540af00

    SHA1

    0459d12e5305c5a9d75f80698e76fe38108ea876

    SHA256

    9ce135754da686ec72712892cefeb334f02b82d1892000d5fc13d4dd9af4d6a6

    SHA512

    88a57b7450a4e314bb0599553d81220dcab2df10cb9a6d5cf7d9e242277c647892e5feca208733bf9618e82e6a57f29df5d79424615ad41cd1601ec2d40ad809

    Download Submit

  • /storage/emulated/0/.msg_device_id.txt
    Filesize

    36B

    MD5

    f26173a0d86f609de78f6e55f4ff7640

    SHA1

    fdef92f8fc3dafa34a853c00f9c6c4638ae2ea4c

    SHA256

    a68b18168eaedba81d108a9c78916ccddb6a10299c7a2f5252d9395b057bc6a9

    SHA512

    4718c597fddf5c35413d456cafc0a52126590d44efd74d8fb5641a0fb5bd3db879fe05beec10558c9882b0626e7860a8cdb3dbe28ff94b37908d212d404b9cca

    Download Submit