Analysis

  • max time kernel
    179s
  • max time network
    137s
  • platform
    android_x64
  • resource
    android-33-x64-arm64-20240624-en
  • resource tags

    android
    arch:arm64
    arch:x64
    image:android-33-x64-arm64-20240624-en
    locale:en-us
    os:android-13-x64
    system
  • submitted
    08-07-2024 22:05

General

  • Target

    d153ff4d72ee2dd5b894b147c9266f792ad024b2beaa18ace87b3325520a8851.apk

  • Size

    500KB

  • MD5

    44ade6d6ad4fe2e46a7d54d964feb968

  • SHA1

    018ea89729bbeec09fd3b371354a8ea162361231

  • SHA256

    d153ff4d72ee2dd5b894b147c9266f792ad024b2beaa18ace87b3325520a8851

  • SHA512

    b7779f0cef185c15dacdf78eb90bf92a0f663829c72bbb0e168ce1cfe446645de7701860e07ee823f59b48c408ea67df768cd6a1aedd1e5d31b49f79e48c847d

  • SSDEEP

    12288:X59jmqS8w8dIqNIK2IGMICBtgLm/4KWxaC/eHm9oZyt8kd1fochB:XrSV8KqKK2I/I36wKXIoQ1w4B

Malware Config

Extracted

Family

xloader_apk

C2

http://23.236.67.46:8080

DES_key

Signatures

  • XLoader payload 2 IoCs
  • XLoader, MoqHao

    An Android banker and info stealer.

  • Checks if the Android device is rooted. 1 TTPs 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 3 IoCs

    Runs an executable file (Dex/Jar) that was dropped on the device during analysis.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Queries account information for other applications stored on the device 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect account information stored on the device.

  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Reads the content of the MMS message. 1 TTPs 1 IoCs
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Requests changing the default SMS application. 2 TTPs 1 IoCs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
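
The behaviours listed above are what the sandbox observed at run time; the added example below (not Triage's rule set and not code from the sample) shows the framework API references a reverse engineer would look for in the dex string pool to confirm each one statically. The INDICATORS mapping is an analyst's own assumption about which strings correspond to which signature, and DEX_STRINGS is constructed to stand in for `strings classes.dex` output, since the APK itself is not reproduced on this page. It also lists the observed behaviours that the outer APK's string pool does not explain, which for a sample that loads a dropped Dex/Jar is the cue to repeat the search on the dropped payload.

```python
"""Map the report's behavioural signatures to the Android API references a
reverse engineer would look for in the sample's dex string pool.

Added example for this report; it is not Triage's rule set and not code from
the sample. INDICATORS is an analyst's own mapping (an assumption), and
DEX_STRINGS is constructed to stand in for `strings classes.dex` output,
because the APK itself is not reproduced on this page.
"""

# Signature (as printed in the report) -> strings that appear in the dex string
# pool when the behaviour is implemented through public framework APIs.
# Class descriptors use the dex "Lpkg/Class;" form; Intent actions appear as
# the compile-time constant values the framework defines for them.
INDICATORS = {
    "Checks if the Android device is rooted": [
        "/system/xbin/su", "/system/bin/su", "test-keys", "Superuser.apk",
    ],
    "Loads dropped Dex/Jar": [
        "Ldalvik/system/DexClassLoader;",
        "Ldalvik/system/InMemoryDexClassLoader;",
        "Ldalvik/system/PathClassLoader;",
    ],
    "Queries a list of all the installed applications on the device": [
        "getInstalledPackages", "getInstalledApplications",
    ],
    "Queries account information for other applications stored on the device": [
        "Landroid/accounts/AccountManager;", "getAccounts",
    ],
    "Queries the phone number (MSISDN for GSM devices)": ["getLine1Number"],
    "Reads the content of the MMS message.": [
        "content://mms", "Landroid/provider/Telephony$Mms;",
    ],
    "Acquires the wake lock": ["newWakeLock", "Landroid/os/PowerManager$WakeLock;"],
    "Makes use of the framework's foreground persistence service": ["startForeground"],
    "Requests changing the default SMS application.": [
        "android.provider.Telephony.ACTION_CHANGE_DEFAULT",
    ],
    "Requests disabling of battery optimizations (often used to enable hiding in the background).": [
        "android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS",
    ],
    "Uses Crypto APIs (Might try to encrypt user data)": [
        "Ljavax/crypto/Cipher;", "Ljavax/crypto/spec/DESKeySpec;",
    ],
}

# The eleven behaviours the report lists, in report order.
REPORT_SIGNATURES = list(INDICATORS)

# Constructed stand-in for `strings classes.dex`; not the real sample's pool.
DEX_STRINGS = [
    "Ldalvik/system/DexClassLoader;",
    "/system/xbin/su",
    "android.provider.Telephony.ACTION_CHANGE_DEFAULT",
    "android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS",
    "Ljavax/crypto/Cipher;",
    "DES/ECB/PKCS5Padding",
    "Landroid/os/PowerManager$WakeLock;",
    "startForeground",
    "Landroid/accounts/AccountManager;",
    "content://mms",
    "Landroid/content/pm/PackageManager;",  # present, but no getInstalled* call
]


def match_signatures(dex_strings, indicators=INDICATORS):
    """Return {signature: [matched indicators]} for every signature that has at
    least one indicator in the pool. Case-sensitive substring search, because
    dex descriptors and Intent action strings are exact."""
    pool = list(dex_strings)
    hits = {}
    for sig, needles in indicators.items():
        found = sorted(n for n in needles if any(n in s for s in pool))
        if found:
            hits[sig] = found
    return hits


def unconfirmed(report_signatures, hits):
    """Behaviours the sandbox observed that no indicator in this string pool
    explains: for a loader-style APK, look for them in the dropped dex."""
    return [s for s in report_signatures if s not in hits]


if __name__ == "__main__":
    hits = match_signatures(DEX_STRINGS)
    for sig, found in hits.items():
        print(f"[+] {sig}: {', '.join(found)}")
    for sig in unconfirmed(REPORT_SIGNATURES, hits):
        print(f"[-] {sig}: not in this string pool, check the dropped dex")
```

Absence of an indicator in the outer classes.dex is not absence of the behaviour: reflection and string obfuscation hide these references, and the report's "Loads dropped Dex/Jar" signature means a second code object was executed at run time.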

Processes

  • dzxi.zji7.pa7k
    1⤵
    • Checks if the Android device is rooted.
    • Loads dropped Dex/Jar
    • Queries account information for other applications stored on the device
    • Reads the content of the MMS message.
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Requests changing the default SMS application.
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4354

Network

MITRE ATT&CK Matrix


Downloads

  • /data/user/0/dzxi.zji7.pa7k/app_picture/1.jpg
    Filesize

    8KB

    MD5

    8024b5b170b0c64174420b78a45f318b

    SHA1

    04792912e6f118996c67dc439e3af674548a15e4

    SHA256

    8ddfd519931d5896f4cda1d5359c969e21ce26e0aefb797534f6dcc7388a81c7

    SHA512

    d1172a4412425ba534db89cd20c48ed63e1d2c6cf1bc50d9e2a68f7fe1fd9d387308403ddb96b9ad6dc9efe1974875e3e4150616beecf424dc45c2e3ae4da3de

  • /data/user/0/dzxi.zji7.pa7k/app_picture/2.jpg
    Filesize

    140B

    MD5

    6ceb6f454e31d55f7a0c4bf3000b26f9

    SHA1

    eb8fd3e0609f2f3db8bce7bd3ae426f3eacbec38

    SHA256

    e0aeaa1d698e1d1149ffdcf116e7b3e98b3a3097814e01718c80caaee147b7ae

    SHA512

    ed7a03de9547f858965a449d39fad799c7ff9c2fe66c9c256d4a1549d785b60a3207a4db6e5cc8438839161dc1fe4e9575329db2f5185960b3429a435532c3fd

  • /data/user/0/dzxi.zji7.pa7k/files/b
    Filesize

    509KB

    MD5

    988bb23df026025a9253a2cfd6d664ee

    SHA1

    2865ce90d20b0d546e17e53c133b3b12a8adae28

    SHA256

    26617e95452e5316ab6678baf7039c7c0d4f555a0a41f3e7c0a11b1c1859893d

    SHA512

    55181716c84880bfc2e7d4917cf1179dc83c6849e2b05b1d95cd5f670cf4e411ed36ea46e59191f42426f018cd8bf5d92ab782f4237a6db218c79d7013590705

  • /storage/emulated/0/.msg_device_id.txt
    Filesize

    36B

    MD5

    4e40f779864bc3403f6d2d13065a24bd

    SHA1

    a6a50fbab2323cef1ffca930440a7a50e0085a5e

    SHA256

    cfa3d8b0aa681753ff78b94faa9c241c89eb6630f5826cb6844c15226a29eacd

    SHA512

    be4211f4986d84f90df95d19b216652fd2772a0d181d808081253573742dc4edffba135877a33151b65f9a9d80a4c6dd4681501a4193178f178ea5f67c430b7f
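
Files pulled from the sandbox VM (or from an infected device) can be checked against the Downloads table above without trusting their names: the added example below (not Triage output and not code from the sample) identifies each file by magic bytes rather than extension and compares its SHA256 with the hash the report prints for that path. REPORT_SHA256 copies the values above; FILES is constructed stand-in content, because the dropped files themselves are not on this page, so nothing in it reflects what the real 1.jpg, 2.jpg, files/b or .msg_device_id.txt contain, and their hash checks are expected to report a mismatch.

```python
"""Triage files pulled from the sandbox VM against the report's Downloads table.

Added example for this report, not Triage output and not code from the sample.
REPORT_SHA256 copies the SHA256 values printed in the report; FILES is
constructed stand-in content (the dropped files are not on this page), so
nothing in FILES reflects the real files and their hash checks will mismatch.
"""
import hashlib

REPORT_SHA256 = {
    "/data/user/0/dzxi.zji7.pa7k/app_picture/1.jpg":
        "8ddfd519931d5896f4cda1d5359c969e21ce26e0aefb797534f6dcc7388a81c7",
    "/data/user/0/dzxi.zji7.pa7k/app_picture/2.jpg":
        "e0aeaa1d698e1d1149ffdcf116e7b3e98b3a3097814e01718c80caaee147b7ae",
    "/data/user/0/dzxi.zji7.pa7k/files/b":
        "26617e95452e5316ab6678baf7039c7c0d4f555a0a41f3e7c0a11b1c1859893d",
    "/storage/emulated/0/.msg_device_id.txt":
        "cfa3d8b0aa681753ff78b94faa9c241c89eb6630f5826cb6844c15226a29eacd",
}

# Magic prefixes. The file name's extension is deliberately not consulted:
# droppers routinely park payloads under innocuous names such as *.jpg.
MAGIC = [
    (b"dex\n", "dex"),        # DEX header is "dex\n" + 3-digit version + NUL
    (b"PK\x03\x04", "zip"),   # jar and apk are zip containers
    (b"\xff\xd8\xff", "jpeg"),
    (b"\x7fELF", "elf"),
]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def file_kind(data: bytes) -> str:
    """Classify by leading bytes; printable ASCII without NULs counts as text."""
    for prefix, kind in MAGIC:
        if data.startswith(prefix):
            return kind
    if data and all(32 <= b < 127 or b in (9, 10, 13) for b in data):
        return "text"
    return "unknown"  # no known header: candidate for encrypted or packed content


def triage(files, expected=REPORT_SHA256):
    """One record per file: size, detected kind, SHA256 and whether the hash
    matches the report (None when the report lists no hash for that path)."""
    out = []
    for path, data in files.items():
        digest = sha256_hex(data)
        listed = expected.get(path)
        out.append({
            "path": path,
            "size": len(data),
            "kind": file_kind(data),
            "sha256": digest,
            "matches_report": None if listed is None else digest == listed.lower(),
        })
    return out


# Constructed stand-in content (see module docstring); not the real files.
FILES = {
    "/data/user/0/dzxi.zji7.pa7k/files/b": b"dex\n035\x00" + b"\x00" * 64,
    "/data/user/0/dzxi.zji7.pa7k/app_picture/1.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
    "/storage/emulated/0/.msg_device_id.txt": b"constructed placeholder, not the real file",
    "/data/data/dzxi.zji7.pa7k/cache/not_in_report": b"\x93\x17\x4b" * 10,
}

if __name__ == "__main__":
    for rec in triage(FILES):
        print(rec)
```

A file whose detected kind is "unknown" but which the process tree shows being loaded, as the "Loads dropped Dex/Jar" signature indicates for this sample, is the first candidate for decryption with the DES key from the extracted config; a "dex" or "zip" hit under a *.jpg name is the usual sign of a staged payload.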