Analysis
-
max time kernel
179s -
max time network
182s -
platform
android_x64 -
resource
android-x64-arm64-20240624-en -
resource tags
androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240624-enlocale:en-usos:android-11-x64system -
submitted
15-07-2024 22:03
Static task
static1
Behavioral task
behavioral1
Sample
7965b9f5cc0bc6ebe6f33d8db1e52189c56c7c740e434fab1c398573253259ca.apk
Resource
android-x86-arm-20240624-en
Behavioral task
behavioral2
Sample
7965b9f5cc0bc6ebe6f33d8db1e52189c56c7c740e434fab1c398573253259ca.apk
Resource
android-x64-20240624-en
Behavioral task
behavioral3
Sample
7965b9f5cc0bc6ebe6f33d8db1e52189c56c7c740e434fab1c398573253259ca.apk
Resource
android-x64-arm64-20240624-en
General
-
Target
7965b9f5cc0bc6ebe6f33d8db1e52189c56c7c740e434fab1c398573253259ca.apk
-
Size
302KB
-
MD5
7585bfdea42501a398df9206d93072d6
-
SHA1
9b029336c6853669567feb21dac7b9bd5d0a2e07
-
SHA256
7965b9f5cc0bc6ebe6f33d8db1e52189c56c7c740e434fab1c398573253259ca
-
SHA512
951e7ae167f36270a5d1c0c529d87a02a17bb4579c17a92d974c498d429a44abd5134b982c9a00df61933d327a4b0d6ec32dbdc48e38453bcaccbfb4485155bc
-
SSDEEP
6144:9dqmlibfH/Sx/tMRQK310FytkshMAzBhvVskFogs:zj8biYyoksh5nVFmgs
Malware Config
Extracted
xloader_apk
http://91.204.227.39:28844
Signatures
-
XLoader payload 2 IoCs
Processes:
resource yara_rule /data/user/0/xcpj.dnywt.dbsve/files/dex family_xloader_apk /data/user/0/xcpj.dnywt.dbsve/files/dex family_xloader_apk2 -
XLoader, MoqHao
An Android banker and info stealer.
-
Checks if the Android device is rooted. 1 TTPs 1 IoCs
-
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs executable file dropped to the device during analysis.
Processes:
xcpj.dnywt.dbsveioc pid process /data/user/0/xcpj.dnywt.dbsve/files/dex 4479 xcpj.dnywt.dbsve /data/user/0/xcpj.dnywt.dbsve/files/dex 4479 xcpj.dnywt.dbsve -
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Reads the content of the MMS message. 1 TTPs 1 IoCs
Processes:
xcpj.dnywt.dbsvedescription ioc process URI accessed for read content://mms/ xcpj.dnywt.dbsve -
Acquires the wake lock 1 IoCs
Processes:
xcpj.dnywt.dbsvedescription ioc process Framework service call android.os.IPowerManager.acquireWakeLock xcpj.dnywt.dbsve -
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
Processes:
xcpj.dnywt.dbsvedescription ioc process Framework service call android.app.IActivityManager.setServiceForeground xcpj.dnywt.dbsve -
Requests changing the default SMS application. 2 TTPs 1 IoCs
-
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
Processes:
xcpj.dnywt.dbsvedescription ioc process Framework API call javax.crypto.Cipher.doFinal xcpj.dnywt.dbsve
Processes
-
xcpj.dnywt.dbsve1⤵
- Checks if the Android device is rooted.
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Reads the content of the MMS message.
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Requests changing the default SMS application.
- Uses Crypto APIs (Might try to encrypt user data)
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
/data/user/0/xcpj.dnywt.dbsve/files/dexFilesize
580KB
MD5f51fa0481451ad4df6c3686f2a41e29a
SHA1c38c35f5da0921eedeb256986fbd6bb00314ec0e
SHA2567a60fc73f461b0c1dfb9c9786b44abd00e1c2034440397019a5225631e4679e4
SHA512af7cbefadd5fce52a10daffb4073154dfab2240616669d3050910eb03a254a6d73932caf5db827fd12d35f217bc79e75524c81b41a7740e050468e37ff96efd9
-
/data/user/0/xcpj.dnywt.dbsve/files/oat/dex.cur.profFilesize
1008B
MD55919bc7f4560b15a556483932a20ce54
SHA1bfb772c99544b3723b659f647acd9f156ba90085
SHA256009e5031bb3fc3b855b2e7c32d2a13ff4c0e833aeea3709f308dc4cd794cb18c
SHA512e3bdfb783ba65cc702be37a254015d95cebbba1d70e279eb8adc1554c73571be46d342e5b30b8d04ee9cf3186accc7eba18da2ecbde582377adfe593f26b8f8f