Analysis
-
max time kernel
179s -
max time network
161s -
platform
android_x64 -
resource
android-33-x64-arm64-20240624-en -
resource tags
androidarch:arm64arch:x64image:android-33-x64-arm64-20240624-enlocale:en-usos:android-13-x64system -
submitted
18-07-2024 22:03
Static task
static1
Behavioral task
behavioral1
Sample
9a1d7d079377ad9dbc7aa07a9f2d1b0465cf8f6333c5189aaa2040d840102e25.apk
Resource
android-33-x64-arm64-20240624-en
General
-
Target
9a1d7d079377ad9dbc7aa07a9f2d1b0465cf8f6333c5189aaa2040d840102e25.apk
-
Size
278KB
-
MD5
5e1b46b1a66678b85656c9f36cc9892d
-
SHA1
16a246554233605764ee8221f79ea2a400b35475
-
SHA256
9a1d7d079377ad9dbc7aa07a9f2d1b0465cf8f6333c5189aaa2040d840102e25
-
SHA512
1622f82e8b82bb2c415fc4f8f4569da7ef142a8427403c4854f4c5f8751dc653dcd1b2741496eca5766474ab67d7831ba7d7afb7baa719560f24259ce4cac2c5
-
SSDEEP
6144:/3ekzenc55ymwyZWGrwHYrOBwwsAf669DPV3:hjq+WZH0OaZA75
Malware Config
Extracted
xloader_apk
http://91.204.227.39:28844
Signatures
-
XLoader payload 1 IoCs
Processes:
resource yara_rule /data/user/0/mr.cly.iubmoa.hh/files/b family_xloader_apk2 -
XLoader, MoqHao
An Android banker and info stealer.
-
Checks if the Android device is rooted. 1 TTPs 1 IoCs
-
Loads dropped Dex/Jar 1 TTPs 1 IoCs
Runs executable file dropped to the device during analysis.
Processes:
mr.cly.iubmoa.hhioc pid process /data/user/0/mr.cly.iubmoa.hh/files/b 4361 mr.cly.iubmoa.hh -
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Reads the content of the MMS message. 1 TTPs 1 IoCs
Processes:
mr.cly.iubmoa.hhdescription ioc process URI accessed for read content://mms/ mr.cly.iubmoa.hh -
Acquires the wake lock 1 IoCs
Processes:
mr.cly.iubmoa.hhdescription ioc process Framework service call android.os.IPowerManager.acquireWakeLock mr.cly.iubmoa.hh -
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
Processes:
mr.cly.iubmoa.hhdescription ioc process Framework service call android.app.IActivityManager.setServiceForeground mr.cly.iubmoa.hh -
Reads information about phone network operator. 1 TTPs
-
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
Processes:
mr.cly.iubmoa.hhdescription ioc process Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS mr.cly.iubmoa.hh -
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
Processes:
mr.cly.iubmoa.hhdescription ioc process Framework API call javax.crypto.Cipher.doFinal mr.cly.iubmoa.hh
Processes
-
mr.cly.iubmoa.hh1⤵
- Checks if the Android device is rooted.
- Loads dropped Dex/Jar
- Reads the content of the MMS message.
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Uses Crypto APIs (Might try to encrypt user data)
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
/data/user/0/mr.cly.iubmoa.hh/files/bFilesize
492KB
MD57e1b639338295aaf9149d4d5cc496ed6
SHA1d89b93d56bf924551e6b421234179fd4fec859f9
SHA25602fcb596708bde924cdf258495deeb6cdb5a8016d01eff81f1b3ae449c2465fa
SHA512699ae0b027bce12865a1db5890ab38f79b22fa4b64e4739316e50e0f73e0c399ab2d4a2bc939b66b53796b821326e66822ef9102c3bce9b8e3854cabb1fa356f