Analysis
-
max time kernel
178s -
max time network
157s -
platform
android_x86 -
resource
android-x86-arm-20240624-en -
resource tags
androidarch:armarch:x86image:android-x86-arm-20240624-enlocale:en-usos:android-9-x86system -
submitted
27-08-2024 22:04
Static task
static1
Behavioral task
behavioral1
Sample
84af57c221c62e6d8951cb6fb67785cee798c193667f8da2003855792748f36c.apk
Resource
android-x86-arm-20240624-en
Behavioral task
behavioral2
Sample
84af57c221c62e6d8951cb6fb67785cee798c193667f8da2003855792748f36c.apk
Resource
android-x64-20240624-en
Behavioral task
behavioral3
Sample
84af57c221c62e6d8951cb6fb67785cee798c193667f8da2003855792748f36c.apk
Resource
android-x64-arm64-20240624-en
General
-
Target
84af57c221c62e6d8951cb6fb67785cee798c193667f8da2003855792748f36c.apk
-
Size
448KB
-
MD5
f3d230afa1efecaf0e445a77cc0d992f
-
SHA1
46f88794d25fb0bb0a7f00208f19ca98c0c48463
-
SHA256
84af57c221c62e6d8951cb6fb67785cee798c193667f8da2003855792748f36c
-
SHA512
615787b5b86e24fb85cfe8482b30ce5f32cf927c721b1e2075804e7bf42e81e92071277bf14eb7ecf07ebfd0baca8e2ad46006c1605e416dad2e8a1372db6819
-
SSDEEP
6144:84HCqqC3BUlHOV/GjFmjmxKaXPzGt39CZ6EsvgHFXFTTFfM+UaEPcDkjjf4difog:P1VYHOV/w7UNCLsvglDfBsS+b4dMoYZJ
Malware Config
Extracted
xloader_apk
http://91.204.227.39:28844
Signatures
-
XLoader payload 1 IoCs
resource yara_rule behavioral1/files/fstream-1.dat family_xloader_apk2 -
XLoader, MoqHao
An Android banker and info stealer.
-
Checks if the Android device is rooted. 1 TTPs 3 IoCs
ioc Process /system/bin/su com.dong.xbes /system/xbin/su com.dong.xbes /sbin/su com.dong.xbes -
pid Process 4249 com.dong.xbes -
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs executable file dropped to the device during analysis.
ioc pid Process /data/user/0/com.dong.xbes/files/dex 4249 com.dong.xbes /data/user/0/com.dong.xbes/files/dex 4249 com.dong.xbes -
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Reads the content of the MMS message. 1 TTPs 1 IoCs
description ioc Process URI accessed for read content://mms/ com.dong.xbes -
Acquires the wake lock 1 IoCs
description ioc Process Framework service call android.os.IPowerManager.acquireWakeLock com.dong.xbes -
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
description ioc Process Framework service call android.app.IActivityManager.setServiceForeground com.dong.xbes -
Queries information about active data network 1 TTPs 1 IoCs
description ioc Process Framework service call android.net.IConnectivityManager.getActiveNetworkInfo com.dong.xbes -
Reads information about phone network operator. 1 TTPs
-
Requests changing the default SMS application. 2 TTPs 1 IoCs
description ioc Process Intent action android.provider.Telephony.ACTION_CHANGE_DEFAULT com.dong.xbes -
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
description ioc Process Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS com.dong.xbes -
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
description ioc Process Framework service call android.app.IActivityManager.registerReceiver com.dong.xbes -
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
description ioc Process Framework API call javax.crypto.Cipher.doFinal com.dong.xbes
Processes
-
com.dong.xbes1⤵
- Checks if the Android device is rooted.
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Reads the content of the MMS message.
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Queries information about active data network
- Requests changing the default SMS application.
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
PID:4249 -
ping -c 4 91.204.227.392⤵PID:4450
-
Network
MITRE ATT&CK Mobile v15
Persistence
Event Triggered Execution
1Broadcast Receivers
1Foreground Persistence
1Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Hide Artifacts
2Suppress Application Icon
1User Evasion
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
766KB
MD57962ea579bddfb2d56deaeb75556d33a
SHA1292c29c70d73caff3148eb993fc389c58b966cde
SHA256ff87cb92852a7d77c93494f73a3876fb3c3570115ffe73c2fcd08ae3ac1e3551
SHA512bad435e79acad4d6c25ea5a580a12dde0e065a85677744c6428bf20ee03a55972d20416ca719f9254be886f20a00c2cd3e4816911e05ebab199e398bc4c6a0f4