Analysis
-
max time kernel
179s -
max time network
146s -
platform
android_x86 -
resource
android-x86-arm-20240624-en -
resource tags
androidarch:armarch:x86image:android-x86-arm-20240624-enlocale:en-usos:android-9-x86system -
submitted
17-07-2024 22:04
Static task
static1
Behavioral task
behavioral1
Sample
96efe7b6f1c7335548b74019a7064f14d9c5d1020a28a0d6b915cb8f43cd7440.apk
Resource
android-x86-arm-20240624-en
Behavioral task
behavioral2
Sample
96efe7b6f1c7335548b74019a7064f14d9c5d1020a28a0d6b915cb8f43cd7440.apk
Resource
android-x64-20240624-en
Behavioral task
behavioral3
Sample
96efe7b6f1c7335548b74019a7064f14d9c5d1020a28a0d6b915cb8f43cd7440.apk
Resource
android-x64-arm64-20240624-en
General
-
Target
96efe7b6f1c7335548b74019a7064f14d9c5d1020a28a0d6b915cb8f43cd7440.apk
-
Size
303KB
-
MD5
17bd7876fdb5c0cdf7c816cc4eef13f9
-
SHA1
fbaa0b486ab06ca5685659439c9828aa7203394f
-
SHA256
96efe7b6f1c7335548b74019a7064f14d9c5d1020a28a0d6b915cb8f43cd7440
-
SHA512
514d4c64d8b90f145090fdc3d16dcc8a75d828bc389f2f5eb1fcba43524c885e0be21e80d3e0402b4525bf7ffc6ac7322ebcd8ad0deea746d60acd5b99a1f21c
-
SSDEEP
6144:h0Qj3rz3G//hgPJPnqe5zfwOXRg1B9REMSvXqc9564DEafEVURbpZg01DZ2tW3wU:h00Ohgh/1750EMSvXqc9NgKRLg01t2IP
Malware Config
Extracted
xloader_apk
http://91.204.227.39:28844
Signatures
-
XLoader payload 1 IoCs
Processes:
resource yara_rule /data/data/com.qblj.qinx/files/dex family_xloader_apk2 -
XLoader, MoqHao
An Android banker and info stealer.
-
Checks if the Android device is rooted. 1 TTPs 3 IoCs
Processes:
com.qblj.qinxioc process /system/bin/su com.qblj.qinx /system/xbin/su com.qblj.qinx /sbin/su com.qblj.qinx -
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs executable file dropped to the device during analysis.
Processes:
com.qblj.qinxioc pid process /data/user/0/com.qblj.qinx/files/dex 4255 com.qblj.qinx /data/user/0/com.qblj.qinx/files/dex 4255 com.qblj.qinx -
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Reads the content of the MMS message. 1 TTPs 1 IoCs
Processes:
com.qblj.qinxdescription ioc process URI accessed for read content://mms/ com.qblj.qinx -
Acquires the wake lock 1 IoCs
Processes:
com.qblj.qinxdescription ioc process Framework service call android.os.IPowerManager.acquireWakeLock com.qblj.qinx -
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
Processes:
com.qblj.qinxdescription ioc process Framework service call android.app.IActivityManager.setServiceForeground com.qblj.qinx -
Requests changing the default SMS application. 2 TTPs 1 IoCs
-
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
Processes:
com.qblj.qinxdescription ioc process Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS com.qblj.qinx -
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
Processes:
com.qblj.qinxdescription ioc process Framework service call android.app.IActivityManager.registerReceiver com.qblj.qinx -
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
Processes:
com.qblj.qinxdescription ioc process Framework API call javax.crypto.Cipher.doFinal com.qblj.qinx
Processes
-
com.qblj.qinx1⤵
- Checks if the Android device is rooted.
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Reads the content of the MMS message.
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Requests changing the default SMS application.
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
/data/data/com.qblj.qinx/files/dexFilesize
572KB
MD5e9b14ba46445d4e776c77cb397aaacf2
SHA19159ba397ea55f389c2551a17e998c7f1dd367cf
SHA2564614f98969b993ad6fc3c4d5e1a497404be32d31ac67fcfdbdb14b518720531b
SHA5124cb8ff639ea24b4866dfd1691e5170724dc4c87dda99841c6f2fc2f77a7cc44cd212fac229ad604ea262bb4e2a35aead0f1e59a8e27731296ec4d9e163869e7e
-
/data/data/com.qblj.qinx/files/oat/dex.cur.profFilesize
1KB
MD5ec1cbb8d9311f744bbdb746b553aa850
SHA187b30993b74132a1be41a0a4da4b92639214356f
SHA25680bfda9a2514c5af32737800001c65181b67d39d7c554c0e2df74d6be81ecfa4
SHA512682075c9c46b289a378ed8aa888fe40ecf9dfbf6d47401ded9179e0572f8ee89f69e94811383fa1d6a80a0d918c5092bbb2b1832fb645fae5e85b0eea3564792