Analysis
- max time kernel: 179s
- max time network: 137s
- platform: android_x64
- resource: android-33-x64-arm64-20240624-en
- resource tags: android, arch:arm64, arch:x64, image:android-33-x64-arm64-20240624-en, locale:en-us, os:android-13-x64, system
- submitted: 08-07-2024 22:05
Static task: static1
Behavioral task: behavioral1
Sample: d153ff4d72ee2dd5b894b147c9266f792ad024b2beaa18ace87b3325520a8851.apk
Resource: android-33-x64-arm64-20240624-en
General
- Target: d153ff4d72ee2dd5b894b147c9266f792ad024b2beaa18ace87b3325520a8851.apk
- Size: 500KB
- MD5: 44ade6d6ad4fe2e46a7d54d964feb968
- SHA1: 018ea89729bbeec09fd3b371354a8ea162361231
- SHA256: d153ff4d72ee2dd5b894b147c9266f792ad024b2beaa18ace87b3325520a8851
- SHA512: b7779f0cef185c15dacdf78eb90bf92a0f663829c72bbb0e168ce1cfe446645de7701860e07ee823f59b48c408ea67df768cd6a1aedd1e5d31b49f79e48c847d
- SSDEEP: 12288:X59jmqS8w8dIqNIK2IGMICBtgLm/4KWxaC/eHm9oZyt8kd1fochB:XrSV8KqKK2I/I36wKXIoQ1w4B
Malware Config
Extracted (xloader_apk): http://23.236.67.46:8080
Signatures
- XLoader payload (2 IoCs)
  Processes:
  resource: /data/user/0/dzxi.zji7.pa7k/files/b, yara_rule: family_xloader_apk
  resource: /data/user/0/dzxi.zji7.pa7k/files/b, yara_rule: family_xloader_apk2
- XLoader, MoqHao
  An Android banker and info stealer.
- Checks if the Android device is rooted. (1 TTPs, 1 IoCs)
- Loads dropped Dex/Jar (1 TTPs, 3 IoCs)
  Runs executable file dropped to the device during analysis.
  Processes:
  ioc: /data/user/0/dzxi.zji7.pa7k/app_picture/1.jpg, pid: 4354, process: dzxi.zji7.pa7k
  ioc: /data/user/0/dzxi.zji7.pa7k/app_picture/2.jpg, pid: 4354, process: dzxi.zji7.pa7k
  ioc: /data/user/0/dzxi.zji7.pa7k/files/b, pid: 4354, process: dzxi.zji7.pa7k
- Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 TTPs)
- Queries account information for other applications stored on the device (1 TTPs, 1 IoCs)
  Application may abuse the framework's APIs to collect account information stored on the device.
  Processes:
  description: Framework service call, ioc: android.accounts.IAccountManager.getAccountsAsUser, process: dzxi.zji7.pa7k
- Queries the phone number (MSISDN for GSM devices) (1 TTPs)
- Reads the content of the MMS message. (1 TTPs, 1 IoCs)
  Processes:
  description: URI accessed for read, ioc: content://mms/, process: dzxi.zji7.pa7k
- Acquires the wake lock (1 IoCs)
  Processes:
  description: Framework service call, ioc: android.os.IPowerManager.acquireWakeLock, process: dzxi.zji7.pa7k
- Makes use of the framework's foreground persistence service (1 TTPs, 1 IoCs)
  Application may abuse the framework's foreground service to continue running in the foreground.
  Processes:
  description: Framework service call, ioc: android.app.IActivityManager.setServiceForeground, process: dzxi.zji7.pa7k
- Requests changing the default SMS application. (2 TTPs, 1 IoCs)
- Requests disabling of battery optimizations (often used to enable hiding in the background). (1 TTPs, 1 IoCs)
  Processes:
  description: Intent action, ioc: android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS, process: dzxi.zji7.pa7k
- Uses Crypto APIs (might try to encrypt user data) (1 TTPs, 1 IoCs)
  Processes:
  description: Framework API call, ioc: javax.crypto.Cipher.doFinal, process: dzxi.zji7.pa7k
Processes
- dzxi.zji7.pa7k
  - Checks if the Android device is rooted.
  - Loads dropped Dex/Jar
  - Queries account information for other applications stored on the device
  - Reads the content of the MMS message.
  - Acquires the wake lock
  - Makes use of the framework's foreground persistence service
  - Requests changing the default SMS application.
  - Requests disabling of battery optimizations (often used to enable hiding in the background).
  - Uses Crypto APIs (might try to encrypt user data)
Network
MITRE ATT&CK Matrix
Downloads
- /data/user/0/dzxi.zji7.pa7k/app_picture/1.jpg
  Filesize: 8KB
  MD5: 8024b5b170b0c64174420b78a45f318b
  SHA1: 04792912e6f118996c67dc439e3af674548a15e4
  SHA256: 8ddfd519931d5896f4cda1d5359c969e21ce26e0aefb797534f6dcc7388a81c7
  SHA512: d1172a4412425ba534db89cd20c48ed63e1d2c6cf1bc50d9e2a68f7fe1fd9d387308403ddb96b9ad6dc9efe1974875e3e4150616beecf424dc45c2e3ae4da3de
- /data/user/0/dzxi.zji7.pa7k/app_picture/2.jpg
  Filesize: 140B
  MD5: 6ceb6f454e31d55f7a0c4bf3000b26f9
  SHA1: eb8fd3e0609f2f3db8bce7bd3ae426f3eacbec38
  SHA256: e0aeaa1d698e1d1149ffdcf116e7b3e98b3a3097814e01718c80caaee147b7ae
  SHA512: ed7a03de9547f858965a449d39fad799c7ff9c2fe66c9c256d4a1549d785b60a3207a4db6e5cc8438839161dc1fe4e9575329db2f5185960b3429a435532c3fd
- /data/user/0/dzxi.zji7.pa7k/files/b
  Filesize: 509KB
  MD5: 988bb23df026025a9253a2cfd6d664ee
  SHA1: 2865ce90d20b0d546e17e53c133b3b12a8adae28
  SHA256: 26617e95452e5316ab6678baf7039c7c0d4f555a0a41f3e7c0a11b1c1859893d
  SHA512: 55181716c84880bfc2e7d4917cf1179dc83c6849e2b05b1d95cd5f670cf4e411ed36ea46e59191f42426f018cd8bf5d92ab782f4237a6db218c79d7013590705
- /storage/emulated/0/.msg_device_id.txt
  Filesize: 36B
  MD5: 4e40f779864bc3403f6d2d13065a24bd
  SHA1: a6a50fbab2323cef1ffca930440a7a50e0085a5e
  SHA256: cfa3d8b0aa681753ff78b94faa9c241c89eb6630f5826cb6844c15226a29eacd
  SHA512: be4211f4986d84f90df95d19b216652dd2772a0d181d808081253573742dc4edffba135877a33151b65f9a9d80a4c6dd4681501a4193178f178ea5f67c430b7f