xloader_apk | cf46937d9d4d0a8ff3af48e497474213d37169ec03678a4898bc43909bf1d110

Analysis

max time kernel
179s
max time network
161s
platform
android_x64
resource
android-x64-20240624-en
resource tags

androidarch:x64arch:x86image:android-x64-20240624-enlocale:en-usos:android-10-x64system
submitted
29-08-2024 22:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cf46937d9d4d0a8ff3af48e497474213d37169ec03678a4898bc43909bf1d110.apk
Size

251KB
MD5

9c5707c445826ed00f8fdee48d498f35
SHA1

a5f944508f05adbcb2e5e0dbcecbe895a69295ce
SHA256

cf46937d9d4d0a8ff3af48e497474213d37169ec03678a4898bc43909bf1d110
SHA512

078415b18c06b02e21d1fa4ed2780d31e852d72109160396f4abc1140bf31f48a1fda2435200e6fc457ed03a7f005230ba6db834cd14df373b26ea518b6863a3
SSDEEP

6144:lL8oDzGu/qWpylu3dbhR1gbJ5HQET0t052+9DjD4B9Cm557MTxxsN:aI/qWAgvgV5wYSE2Q4rR57MTxxsN

Score

10^/10

xloader_apk banker collection discovery evasion impact infostealer persistence stealth trojan

Malware Config

Extracted

Family

xloader_apk

http://91.204.227.39:28844

DES_key

Signatures

XLoader payload 2 IoCs

resource	yara_rule
behavioral2/files/fstream-1.dat	family_xloader_apk
behavioral2/files/fstream-1.dat	family_xloader_apk2

XLoader, MoqHao
An Android banker and info stealer.
trojan infostealer banker xloader_apk

Checks if the Android device is rooted. 1 TTPs 3 IoCs

evasion

System Information Discovery

T1426

ioc	Process
/system/bin/su	mkew.hhqci.bsmsg
/system/xbin/su	mkew.hhqci.bsmsg
/sbin/su	mkew.hhqci.bsmsg

Removes its main activity from the application launcher 1 TTPs 1 IoCs

stealth trojan evasion

Suppress Application Icon

T1628.001

pid	Process
5049	mkew.hhqci.bsmsg

Loads dropped Dex/Jar 1 TTPs 2 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/mkew.hhqci.bsmsg/files/dex	5049	mkew.hhqci.bsmsg
/data/user/0/mkew.hhqci.bsmsg/files/dex	5049	mkew.hhqci.bsmsg

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Reads the content of the MMS message. 1 TTPs 1 IoCs

collection

SMS Messages

T1636.004

description	ioc	Process
URI accessed for read	content://mms/	mkew.hhqci.bsmsg

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	mkew.hhqci.bsmsg

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

evasion persistence

Foreground Persistence

T1541

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	mkew.hhqci.bsmsg

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	mkew.hhqci.bsmsg

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	mkew.hhqci.bsmsg

mkew.hhqci.bsmsg
1⤵
- Checks if the Android device is rooted.
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Reads the content of the MMS message.
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
PID:5049

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Foreground Persistence

T1541

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Foreground Persistence

T1541

Hide Artifacts

T1628

Suppress Application Icon

T1628.001

Credential Access

Discovery

Software Discovery

T1418

Security Software Discovery

T1418.001

System Information Discovery

T1426

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Protected User Data

T1636

SMS Messages

T1636.004

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/mkew.hhqci.bsmsg/files/dex

Filesize
580KB

MD5
57284f2b1e742f6b49032b0700cb851a

SHA1
2807f37214f96682e43071794a9f12dbb41bb254

SHA256
e99e7f9f33d02afcdcd006dc5e9468527013e37897114bcc2bbf7f4464d93085

SHA512
dfee6fc0707173b1c0df4bc15372a0546f4f56800eb7db36ac36782a86557bc9b3c20f3d1b6044a0891addb601576e6e4c22aca4e6b52493cd69210e4eea1c9c

Download Submit
/data/data/mkew.hhqci.bsmsg/files/oat/dex.cur.prof

Filesize
1019B

MD5
a804b1eb6074f6bb999919e97f5c035f

SHA1
738b0facb9cb74193ef5a80158866388b033f3d9

SHA256
fa6933b25a733257d9ef0c00d58171f9a155bad85f1e6501b744f4b209c8022f

SHA512
3f2475d6435c86fc7f31f84ece3d337a8e7522e8cdfe3becf9a533d2cae43db34140b74bc9069e0354c7281030eb913d114c4fc06b04f523011a3f36f5d9355b

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads