Analysis
-
max time kernel
179s -
max time network
176s -
platform
android_x86 -
resource
android-x86-arm-20240624-en -
resource tags
-
submitted
30-07-2024 22:01
General
-
Target
05424e9de8ec4370e434a7d4f0f80a77ba00739bc5cb7b14d981e1ea94fcdc65.apk
-
Size
432KB
-
MD5
718d3168545398584fbc2b370c0afd85
-
SHA1
9a6ebd3dbc8daf7f1bb4ded3b2ac71cd5f42546e
-
SHA256
05424e9de8ec4370e434a7d4f0f80a77ba00739bc5cb7b14d981e1ea94fcdc65
-
SHA512
f877c31d8b4f04ac222e11f06294adbfbcfed12ca9be0c13b8dc4fb12038b765eb2667e33cf3b6d3e8f1a3eac7830309de6a789bb29a1f1e7d8ce8ba12a9077e
-
SSDEEP
12288:KAcWyysVeDaNju9+HkAbtT4qf0g8rP+WsU21:6ys7udAb1B8r+WW
Malware Config
Extracted
xloader_apk
http://91.204.227.50:28899
Signatures
-
XLoader payload 1 IoCs
-
XLoader, MoqHao
An Android banker and info stealer.
-
Checks if the Android device is rooted. 1 TTPs 3 IoCs
-
Removes its main activity from the application launcher 1 TTPs 1 IoCs
-
Loads dropped Dex/Jar 1 TTPs 4 IoCs
Runs executable file dropped to the device during analysis.
-
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Reads the content of the MMS message. 1 TTPs 1 IoCs
-
Acquires the wake lock 1 IoCs
-
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
-
Reads information about phone network operator. 1 TTPs
-
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
-
Checks the presence of a debugger
-
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
-
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
-
Checks CPU information 2 TTPs 1 IoCs
Processes
-
aaqt.yvmhhx.ibs1⤵
- Checks if the Android device is rooted.
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Reads the content of the MMS message.
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
Network
MITRE ATT&CK Mobile v15
Persistence
Event Triggered Execution
1Broadcast Receivers
1Foreground Persistence
1Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Hide Artifacts
2Suppress Application Icon
1User Evasion
1Virtualization/Sandbox Evasion
1System Checks
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
162KB
MD5fd6470d97f0863af74ef493f8ca15e71
SHA150a87fb43d885fa7a4ddb2e9356ded398575ae96
SHA256b94be5e1d2151a3557cd58e96923c7252fc381933de49b299ec21b206078ed5c
SHA512451838c1438a7924a2cf367a0aaf6d2497618c066deef158ae37ce3afffa118275c23d4c3382be6785af8248c28b4e947f06f998f85b41434f7464b1c3151140
-
Filesize
444KB
MD55052e382193805f854a17470afdeadc8
SHA1e434b19018b8d0a14c3db4b47318a9e92e9f5148
SHA2566eac212f3e5d11281f0c7263e5795bd74241b233898280b8cb9479443747f52a
SHA512be6fde561141ceebed2f1c98c845fdf247b10aecd15698130bda158484f02309e336a57e1a19fc740137f919904f0c649fcfed6d659b53b0ae6e97aaf794cec7
-
Filesize
162KB
MD5375656f075f843fb857aa452afecf3c6
SHA17dceeef522bc39623731b6fe799230c177b49b4f
SHA2566df7c2f9eada1d0959c24217d6361457e02fd9b0eb0c6bbef1118ebc592fafd4
SHA51291124b971a2fbe7bee98697980acfaf2364ef0b1669099710c42546e7217467ea62e9824f75ef90768c7e3605a3fb42e23029e8104bacbbbc40ff2d0150bc2b5
