Analysis
-
max time kernel
179s -
max time network
173s -
platform
android_x86 -
resource
android-x86-arm-20240624-en -
resource tags
androidarch:armarch:x86image:android-x86-arm-20240624-enlocale:en-usos:android-9-x86system -
submitted
12-07-2024 22:05
Static task
static1
Behavioral task
behavioral1
Sample
76647b8d60a05247ddb7ac0f70f546be904718091113240f06213af02874f385.apk
Resource
android-x86-arm-20240624-en
Behavioral task
behavioral2
Sample
76647b8d60a05247ddb7ac0f70f546be904718091113240f06213af02874f385.apk
Resource
android-x64-20240624-en
Behavioral task
behavioral3
Sample
76647b8d60a05247ddb7ac0f70f546be904718091113240f06213af02874f385.apk
Resource
android-x64-arm64-20240624-en
General
-
Target
76647b8d60a05247ddb7ac0f70f546be904718091113240f06213af02874f385.apk
-
Size
305KB
-
MD5
3319d7d73a64f5417e56087976b29eb9
-
SHA1
550f607d2a83b47780d16d95541efc11e18f833a
-
SHA256
76647b8d60a05247ddb7ac0f70f546be904718091113240f06213af02874f385
-
SHA512
d4f669fb6b693dbefae70c291701880829698dce1f9107b9e2dd44709ec905e87bcaec07139120e4f7610848471cf0ab73f4907699d64cd0067636f60bae9976
-
SSDEEP
6144:czPXCFOBbcMS/v+gaq658AC8mqNscZlCbeVyxCaYZ:MM6cMSH+gZAClqKxhKZ
Malware Config
Extracted
xloader_apk
http://91.204.227.39:28844
Signatures
-
XLoader payload 2 IoCs
Processes:
resource yara_rule /data/data/pdqb.yx.ln/files/dex family_xloader_apk /data/data/pdqb.yx.ln/files/dex family_xloader_apk2 -
XLoader, MoqHao
An Android banker and info stealer.
-
Checks if the Android device is rooted. 1 TTPs 3 IoCs
Processes:
pdqb.yx.lnioc process /system/xbin/su pdqb.yx.ln /sbin/su pdqb.yx.ln /system/bin/su pdqb.yx.ln -
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs executable file dropped to the device during analysis.
Processes:
pdqb.yx.lnioc pid process /data/user/0/pdqb.yx.ln/files/dex 4243 pdqb.yx.ln /data/user/0/pdqb.yx.ln/files/dex 4243 pdqb.yx.ln -
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Reads the content of the MMS message. 1 TTPs 1 IoCs
-
Acquires the wake lock 1 IoCs
Processes:
pdqb.yx.lndescription ioc process Framework service call android.os.IPowerManager.acquireWakeLock pdqb.yx.ln -
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
Processes:
pdqb.yx.lndescription ioc process Framework service call android.app.IActivityManager.setServiceForeground pdqb.yx.ln -
Requests changing the default SMS application. 2 TTPs 1 IoCs
-
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
Processes:
pdqb.yx.lndescription ioc process Framework service call android.app.IActivityManager.registerReceiver pdqb.yx.ln -
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
Processes:
pdqb.yx.lndescription ioc process Framework API call javax.crypto.Cipher.doFinal pdqb.yx.ln
Processes
-
pdqb.yx.ln1⤵
- Checks if the Android device is rooted.
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Reads the content of the MMS message.
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Requests changing the default SMS application.
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
/data/data/pdqb.yx.ln/files/dexFilesize
580KB
MD5ed9219be2761d62f01f05dee71f02df3
SHA1c2b904961f519a66052c04d444b34ef4c3f00e67
SHA256b8f6a3769331039a5f2dc29eba3adc431a7b086d47ec579cd143da11f137f13d
SHA512420dc0fa4e231a66fa5c26fbd7952f574aa24aec62ecdf387dd376e98dac93cbea493785d67a030bd6d6745b00c7f3b14b693f906124ee6438b6a227d682f8bd