Analysis
-
max time kernel
179s -
max time network
171s -
platform
android_x64 -
resource
android-x64-arm64-20240624-en -
resource tags
androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240624-enlocale:en-usos:android-11-x64system -
submitted
18-07-2024 22:08
Static task
static1
Behavioral task
behavioral1
Sample
29a037d798533361d0cc73de2ab294f0a583b43e54cc7819359a997a2cf0981b.apk
Resource
android-x86-arm-20240624-en
Behavioral task
behavioral2
Sample
29a037d798533361d0cc73de2ab294f0a583b43e54cc7819359a997a2cf0981b.apk
Resource
android-x64-20240624-en
Behavioral task
behavioral3
Sample
29a037d798533361d0cc73de2ab294f0a583b43e54cc7819359a997a2cf0981b.apk
Resource
android-x64-arm64-20240624-en
General
-
Target
29a037d798533361d0cc73de2ab294f0a583b43e54cc7819359a997a2cf0981b.apk
-
Size
205KB
-
MD5
668c717e9ef3066dd20c0bbc5debed85
-
SHA1
9191172e6fc05bf263d5dd1004e26de0d0d8e382
-
SHA256
29a037d798533361d0cc73de2ab294f0a583b43e54cc7819359a997a2cf0981b
-
SHA512
8c033be27262206389f041a2a40222901292e1c81b59ba4ff6c527aacb1fbfdf3590d0784d14ad61b9ff93ccda7a3b4d352295a9d1e16553d9d97b5ec5f901b1
-
SSDEEP
3072:n7FqFkM6NkgVuWXfcse2zsLiaCLCfTgpi/kmL6cOAbYdq8tZAFiuVgBXYW2W:nJqB6NnmskiaCL9i/kW6b1tKFLVgBN2W
Malware Config
Extracted
xloader_apk
http://91.204.227.39:28844
Signatures
-
XLoader payload 2 IoCs
Processes:
resource yara_rule /data/user/0/y.mnl.rb/files/dex family_xloader_apk /data/user/0/y.mnl.rb/files/dex family_xloader_apk2 -
XLoader, MoqHao
An Android banker and info stealer.
-
Checks if the Android device is rooted. 1 TTPs 1 IoCs
-
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs executable file dropped to the device during analysis.
Processes:
y.mnl.rbioc pid process /data/user/0/y.mnl.rb/files/dex 4415 y.mnl.rb /data/user/0/y.mnl.rb/files/dex 4415 y.mnl.rb -
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Reads the content of the MMS message. 1 TTPs 1 IoCs
-
Acquires the wake lock 1 IoCs
Processes:
y.mnl.rbdescription ioc process Framework service call android.os.IPowerManager.acquireWakeLock y.mnl.rb -
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
Processes:
y.mnl.rbdescription ioc process Framework service call android.app.IActivityManager.setServiceForeground y.mnl.rb -
Requests changing the default SMS application. 2 TTPs 1 IoCs
-
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
Processes:
y.mnl.rbdescription ioc process Framework API call javax.crypto.Cipher.doFinal y.mnl.rb
Processes
-
y.mnl.rb1⤵
- Checks if the Android device is rooted.
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Reads the content of the MMS message.
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Requests changing the default SMS application.
- Uses Crypto APIs (Might try to encrypt user data)
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
/data/user/0/y.mnl.rb/files/dexFilesize
454KB
MD5dccd8cb67405ad4d9b53e36c040d53b9
SHA1ddba058c9cf0ad4e594c4885e7bb71a7a4442856
SHA2568c221b88e6755f04827bf176521a83a6e06ac054b3edca7aeb7c743a41fa01e6
SHA51228a25885bb0bd38d28ba3118a25253b41e17211fc00af2df6ee55ed70b8ea08862afab0661fd9db3085403bbb224f2231850b695f09bd94044e45574c27114ab