Overview

overview

10

Static

static

6

807cccc213...7d.apk

android-9-x86

10

Analysis

  • max time kernel
    179s
  • max time network
    161s
  • platform
    android_x86
  • resource
    android-x86-arm-20240624-en
  • resource tags

    androidarch:armarch:x86image:android-x86-arm-20240624-enlocale:en-usos:android-9-x86system
  • submitted
    03-08-2024 22:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    807cccc21399415e085a2d46c5fef587c8627d6af8f643a50bff26b5361afb7d.apk

  • Size

    412KB

  • MD5

    66df38c6226f11fbd300a04f78e8bc1c

  • SHA1

    21f2165c38a60e10f5feb2ff5511ed52c87dddf7

  • SHA256

    807cccc21399415e085a2d46c5fef587c8627d6af8f643a50bff26b5361afb7d

  • SHA512

    5564905c1adf80fce105444540da12e764f1d86ef98d4d3787045dc7180bf230d7c89900d906cd079b78cdb9cb45ebc6abab1d62e67eea4a9728ca8bd547773c

  • SSDEEP

    6144:n2k9yK/TZmjVVzCpiceJ6HBVyQDz3a12UH/aiNBkcnOxH2R30vUEbObpm8jYJAwC:3MdVVmZnHBVDNUHiiQDhu0vUEbqmEYxC

Score
10/10
xloader_apkbankercollectiondiscoveryevasionimpactinfostealerpersistencestealthtrojan

Malware Config

Extracted

Family

xloader_apk

C2

http://91.204.227.50:28899

DES_key

Signatures

  • XLoader payload 1 IoCs
  • XLoader, MoqHao

    An Android banker and info stealer.

    trojaninfostealerbankerxloader_apk
  • Checks if the Android device is rooted. 1 TTPs 3 IoCs
    evasion
  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
    stealthtrojanevasion
  • Loads dropped Dex/Jar 1 TTPs 4 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
    bankerdiscovery
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Reads the content of the MMS message. 1 TTPs 1 IoCs
    collection
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    evasionpersistence
  • Reads information about phone network operator. 1 TTPs
    discovery
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
    evasion
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
    persistence
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
    impact
  • Checks CPU information 2 TTPs 1 IoCs

Processes

  • kfzmdrr.oslyxwhcs.ohdhgj
    1⤵
    • Checks if the Android device is rooted.
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Reads the content of the MMS message.
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Uses Crypto APIs (Might try to encrypt user data)
    • Checks CPU information
    PID:4299

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/kfzmdrr.oslyxwhcs.ohdhgj/app_picture/1.jpg
    Filesize

    171KB

    MD5

    d1bbdccf1e7475b0c290748daa1af23f

    SHA1

    95f08400c97d0d9674804a65240facb4eb75adfa

    SHA256

    2207177d69883217b21c5dd4237de4461f536bc50752934b04b115a9b7c1a8fa

    SHA512

    889ee776fd68709f12a15b9a964186faac6c3121f7d4941a2a438964a898411e089b92c76fb910e7ea415815884f4fc58d17f138a73f1bab3fed810211691a17

    Download Submit

  • /data/data/kfzmdrr.oslyxwhcs.ohdhgj/files/b
    Filesize

    446KB

    MD5

    5daa1f3756c6785b25d466ca6b7bdc50

    SHA1

    ad6a6880ad1b812434e5bd3b2c1717ba11b54cf6

    SHA256

    a1695cf685fbf9712a67bbc7f9bf82c6d6fe5f8ef185f1ede33fcb76526143c7

    SHA512

    2dbeab1cfd8658b6681d3bda791f2fd3f1199c9aee135b1baa1e91abf87d20de221eec1027f611356781b7c6dbb823b8b157509ced30b03a62f6842fbde0e7e9

    Download Submit

  • /data/user/0/kfzmdrr.oslyxwhcs.ohdhgj/app_picture/1.jpg
    Filesize

    171KB

    MD5

    0259e5839ddbf886d8806054ca90c7b1

    SHA1

    171241578a5a3284123dfdd26caa267460a4c675

    SHA256

    e0186322509f6573acb2cdec9b83324afea7b8e3441a606b6bccd79b66891b73

    SHA512

    d0e49ba249c28fe672b819369b68dc7cc6c0409e8dc7813cee6a9cbd25f0f4af92f08d3eb08ca6989219d47e17d0f95594ddd14276ab806527dd9fa96f202398

    Download Submit