Analysis

  • max time kernel
    179s
  • max time network
    161s
  • platform
    android_x64
  • resource
    android-33-x64-arm64-20240624-en
  • resource tags

    android, arch:arm64, arch:x64, image:android-33-x64-arm64-20240624-en, locale:en-us, os:android-13-x64, system
  • submitted
    18-07-2024 22:03

General

  • Target

    9a1d7d079377ad9dbc7aa07a9f2d1b0465cf8f6333c5189aaa2040d840102e25.apk

  • Size

    278KB

  • MD5

    5e1b46b1a66678b85656c9f36cc9892d

  • SHA1

    16a246554233605764ee8221f79ea2a400b35475

  • SHA256

    9a1d7d079377ad9dbc7aa07a9f2d1b0465cf8f6333c5189aaa2040d840102e25

  • SHA512

    1622f82e8b82bb2c415fc4f8f4569da7ef142a8427403c4854f4c5f8751dc653dcd1b2741496eca5766474ab67d7831ba7d7afb7baa719560f24259ce4cac2c5

  • SSDEEP

    6144:/3ekzenc55ymwyZWGrwHYrOBwwsAf669DPV3:hjq+WZH0OaZA75

Malware Config

Extracted

Family

xloader_apk

C2

http://91.204.227.39:28844

DES_key

Signatures

  • XLoader payload 1 IoCs
  • XLoader, MoqHao

    An Android banker and info stealer.

  • Checks if the Android device is rooted. 1 TTPs 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 1 IoCs

    Runs executable file dropped to the device during analysis.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Reads the content of the MMS message. 1 TTPs 1 IoCs
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Reads information about phone network operator. 1 TTPs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

Processes

  • mr.cly.iubmoa.hh
    1⤵
    • Checks if the Android device is rooted.
    • Loads dropped Dex/Jar
    • Reads the content of the MMS message.
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4361

Network

MITRE ATT&CK Matrix


Downloads

  • /data/user/0/mr.cly.iubmoa.hh/files/b
    Filesize

    492KB

    MD5

    7e1b639338295aaf9149d4d5cc496ed6

    SHA1

    d89b93d56bf924551e6b421234179fd4fec859f9

    SHA256

    02fcb596708bde924cdf258495deeb6cdb5a8016d01eff81f1b3ae449c2465fa

    SHA512

    699ae0b027bce12865a1db5890ab38f79b22fa4b64e4739316e50e0f73e0c399ab2d4a2bc939b66b53796b821326e66822ef9102c3bce9b8e3854cabb1fa356f