Overview

overview

10

Static

static

6

575b4bc37d...cb.apk

android-9-x86

10

Analysis

  • max time kernel
    179s
  • max time network
    179s
  • platform
    android_x86
  • resource
    android-x86-arm-20240624-en
  • resource tags

    androidarch:armarch:x86image:android-x86-arm-20240624-enlocale:en-usos:android-9-x86system
  • submitted
    03-08-2024 22:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    575b4bc37dce42315c08541834e032ec6f6c5707d32e73c7874360e835339dcb.apk

  • Size

    412KB

  • MD5

    afb50e73ac789553854c369848c1f78d

  • SHA1

    df5ac851f6ac59ae42cfd0c3e1bcfa0c562786ea

  • SHA256

    575b4bc37dce42315c08541834e032ec6f6c5707d32e73c7874360e835339dcb

  • SHA512

    ff6e9bd3e3fd8465cc4f16c6e3398d8d8f1b9dde8825169f8163059fb8eeb77686e142b290dbccd276126f0b9002532eb22937f9f75c2df21c642437bb6dd959

  • SSDEEP

    6144:zKyQDz3a12UH/aiNBkcnOxH2R30vUEbObpm8jYJAwuLpwO8buU7pdp211U5b:uDNUHiiQDhu0vUEbqmEYxMpwnbvpq1A

Score
10/10
xloader_apkbankercollectiondiscoveryevasionimpactinfostealerpersistencestealthtrojan

Malware Config

Extracted

Family

xloader_apk

C2

http://91.204.227.50:28899

DES_key

Signatures

  • XLoader payload 1 IoCs
  • XLoader, MoqHao

    An Android banker and info stealer.

    trojaninfostealerbankerxloader_apk
  • Checks if the Android device is rooted. 1 TTPs 3 IoCs
    evasion
  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
    stealthtrojanevasion
  • Loads dropped Dex/Jar 1 TTPs 4 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
    bankerdiscovery
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Reads the content of the MMS message. 1 TTPs 1 IoCs
    collection
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    evasionpersistence
  • Reads information about phone network operator. 1 TTPs
    discovery
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
    evasion
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
    persistence
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
    impact
  • Checks CPU information 2 TTPs 1 IoCs

Processes

  • oxkcpgj.ravlscdsk.uftwit
    1⤵
    • Checks if the Android device is rooted.
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Reads the content of the MMS message.
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Uses Crypto APIs (Might try to encrypt user data)
    • Checks CPU information
    PID:4306

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/oxkcpgj.ravlscdsk.uftwit/app_picture/1.jpg
    Filesize

    171KB

    MD5

    3fff0cef8d562574d9a523dd63e09ca9

    SHA1

    1306beee17a77d643b2104e968d7016893a4df74

    SHA256

    b31fb55f91f116eef050b6ab626d4ab8efe65e0756c9fed9dd83dd3651a52a88

    SHA512

    856231f1473dfe25482001f793f6a373fec027867205ece5e58f6715d444c180917b80172558461a329d67bc75d5916d89f173ac88c5066a04af396c5982c55f

    Download Submit

  • /data/data/oxkcpgj.ravlscdsk.uftwit/files/b
    Filesize

    446KB

    MD5

    5daa1f3756c6785b25d466ca6b7bdc50

    SHA1

    ad6a6880ad1b812434e5bd3b2c1717ba11b54cf6

    SHA256

    a1695cf685fbf9712a67bbc7f9bf82c6d6fe5f8ef185f1ede33fcb76526143c7

    SHA512

    2dbeab1cfd8658b6681d3bda791f2fd3f1199c9aee135b1baa1e91abf87d20de221eec1027f611356781b7c6dbb823b8b157509ced30b03a62f6842fbde0e7e9

    Download Submit

  • /data/user/0/oxkcpgj.ravlscdsk.uftwit/app_picture/1.jpg
    Filesize

    171KB

    MD5

    ad465932c0b9c24d1393ecc682f40799

    SHA1

    6d32fa04d27715f09aaf739422c4dbb910b9f3d4

    SHA256

    403983879555ff86f2614a2a202bfd01ff24e23f0dcb30dc69a0b86db2733d23

    SHA512

    94a0c6fc0acb8287f7aa1c5037ffd09ac2740af106eff297fe0b776c018b691bf0b529f7a787795a76f2dd76dc963a0394090d94d432e4d62afb90cbd9595a28

    Download Submit