Analysis
max time kernel: 179s
max time network: 151s
platform: android_x64
resource: android-33-x64-arm64-20240624-en
resource tags: android, arch:arm64, arch:x64, image:android-33-x64-arm64-20240624-en, locale:en-us, os:android-13-x64, system
submitted: 08-07-2024 22:08
Static task: static1
Behavioral task: behavioral1
Sample: 1be925b187df6d1ff6d061d78da611e7aa1509ab1bcac7b82e1f5ead390bdb12.apk
Resource: android-33-x64-arm64-20240624-en
General
Target: 1be925b187df6d1ff6d061d78da611e7aa1509ab1bcac7b82e1f5ead390bdb12.apk
Size: 284KB
MD5: be25c6934800527bbcf3d1ebbe1d4289
SHA1: ad336b1553bf6905be6cfc19d765a3fa89a91231
SHA256: 1be925b187df6d1ff6d061d78da611e7aa1509ab1bcac7b82e1f5ead390bdb12
SHA512: 41d486dbb37472180875ebbf21f5b796d3bdb25d7f98dca6957e95f37d794d2c9688a989d22bfd0e38734c74c15499a9cc7584d4d8f7956ac895f7b3a0fc077b
SSDEEP: 6144:QmAvDJjJ/XH/vl1FeaRNVI5xtq+EXkVJLAbnt13Jl:QmALJdf//Fea1DOvLALtLl
Malware Config
Signatures
XLoader payload (2 IoCs)
Processes:
  resource: /data/user/0/oye.ubfdm.nzpr.yelj/files/b, yara_rule: family_xloader_apk
  resource: /data/user/0/oye.ubfdm.nzpr.yelj/files/b, yara_rule: family_xloader_apk2

XLoader, MoqHao
An Android banker and info stealer.

Checks if the Android device is rooted. (1 TTP, 1 IoC)

Loads dropped Dex/Jar (1 TTP, 1 IoC)
Runs an executable file dropped to the device during analysis.
Processes:
  ioc: /data/user/0/oye.ubfdm.nzpr.yelj/files/b, pid: 4347, process: oye.ubfdm.nzpr.yelj

Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps). (1 TTP)

Queries the phone number (MSISDN for GSM devices). (1 TTP)

Reads the content of the MMS message. (1 TTP, 1 IoC)
Processes:
  description: URI accessed for read, ioc: content://mms/, process: oye.ubfdm.nzpr.yelj

Acquires the wake lock. (1 IoC)
Processes:
  description: Framework service call, ioc: android.os.IPowerManager.acquireWakeLock, process: oye.ubfdm.nzpr.yelj

Makes use of the framework's foreground persistence service. (1 TTP, 1 IoC)
The application may abuse the framework's foreground service to continue running in the foreground.
Processes:
  description: Framework service call, ioc: android.app.IActivityManager.setServiceForeground, process: oye.ubfdm.nzpr.yelj

Requests changing the default SMS application. (2 TTPs, 1 IoC)

Requests disabling of battery optimizations (often used to enable hiding in the background). (1 TTP, 1 IoC)
Processes:
  description: Intent action, ioc: android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS, process: oye.ubfdm.nzpr.yelj
Processes
oye.ubfdm.nzpr.yelj
- Checks if the Android device is rooted.
- Loads dropped Dex/Jar
- Reads the content of the MMS message.
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Requests changing the default SMS application.
- Requests disabling of battery optimizations (often used to enable hiding in the background).
Network
MITRE ATT&CK Matrix
Downloads
/data/user/0/oye.ubfdm.nzpr.yelj/files/b
Filesize: 509KB
MD5: bfdbd4f0c54d94a77396090fdd2ef05d
SHA1: f5c4c5f50dd7dc47dad13751ec6fb36a13bbc24a
SHA256: 94a589ac1c8e11fef7d1a5b453132800c80a24e021823234c62fc1f593f7d840
SHA512: 0a1a1416b32cbd70f5f6211786977a80e70199a27a235bb2c6dd8da19edfb55878444793617f58e6d08e0decefe352118235beffa7e199b65c8683c2305b2ab7