Malware Analysis Report

2024-10-19 11:53

Sample ID 240908-197b6s1blf
Target 00f846db2c86c023fe19641c10105342d5d4b715c2c50d9790b0458ddcdeb808.bin
SHA256 00f846db2c86c023fe19641c10105342d5d4b715c2c50d9790b0458ddcdeb808
Tags
xloader_apk banker collection discovery evasion impact infostealer persistence stealth trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

00f846db2c86c023fe19641c10105342d5d4b715c2c50d9790b0458ddcdeb808

Threat Level: Known bad

The file 00f846db2c86c023fe19641c10105342d5d4b715c2c50d9790b0458ddcdeb808.bin was found to be: Known bad.

Malicious Activity Summary

xloader_apk banker collection discovery evasion impact infostealer persistence stealth trojan

XLoader, MoqHao

XLoader payload

Removes its main activity from the application launcher

Checks if the Android device is rooted.

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Reads the content of the MMS message.

Queries the phone number (MSISDN for GSM devices)

Loads dropped Dex/Jar

Requests disabling of battery optimizations (often used to enable hiding in the background).

Acquires the wake lock

Makes use of the framework's foreground persistence service

Requests dangerous framework permissions

Requests changing the default SMS application.

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-08 22:22

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows an application to monitor incoming MMS messages. android.permission.RECEIVE_MMS N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows access to the list of accounts in the Accounts Service. android.permission.GET_ACCOUNTS N/A N/A
Allows an application to collect component usage statistics. android.permission.PACKAGE_USAGE_STATS N/A N/A
Allows an application to record audio. android.permission.RECORD_AUDIO N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-08 22:22

Reported

2024-09-10 09:57

Platform

android-x86-arm-20240910-en

Max time kernel

149s

Max time network

150s

Command Line

com.zbuu.karr

Signatures

XLoader payload

Description Indicator Process Target
N/A N/A N/A N/A

XLoader, MoqHao

trojan infostealer banker xloader_apk

Checks if the Android device is rooted.

evasion
Description Indicator Process Target
N/A /system/bin/su N/A N/A
N/A /system/xbin/su N/A N/A
N/A /sbin/su N/A N/A

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.zbuu.karr/files/dex N/A N/A
N/A /data/user/0/com.zbuu.karr/files/dex N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Reads the content of the MMS message.

collection
Description Indicator Process Target
URI accessed for read content://mms/ N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Requests changing the default SMS application.

collection impact
Description Indicator Process Target
Intent action android.provider.Telephony.ACTION_CHANGE_DEFAULT N/A N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.zbuu.karr

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 docs.google.com udp
GB 142.250.200.14:443 docs.google.com tcp
GB 142.250.200.14:443 docs.google.com tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
GB 142.250.187.206:443 tcp
GB 142.250.187.206:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.200.14:443 android.apis.google.com tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
GB 142.250.187.226:443 tcp

Files

/data/data/com.zbuu.karr/files/dex

MD5 ae9c12585483e8f440602e44dedfc892
SHA1 9605a4070f7c3d7e180c319b3125751233b655ef
SHA256 6bae5b64c4d0c9b7777a8ff1d198eff5a89fc4b1e2489e0b13e2751b5e2e33cd
SHA512 cf958ae50832841f5921c82a8ac0ed3822afb6361648fb2d2c2cc99a17ff4a22343594e0599836342fd9cbeccc6c05623505f1c0d87197f296d5a917c5e7b33c

/data/data/com.zbuu.karr/files/oat/dex.cur.prof

MD5 e6e36ea6fb2898ec0f8d1da48aa65558
SHA1 cb7edd25f1542bfc7885ee228a7809a1ca6827e5
SHA256 52692886f1d1aa4ae3b25ef55b47e97eec4e965f28b3db8724d5802d6aff403a
SHA512 b496782ddbfeedcdcff411a2f32c747e9945eba3b9bfe8d9f4ce0e969396116ff1005139035b38953e434b510e89b3c604aa147a6179531d05a09fbd109ecc83

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-08 22:22

Reported

2024-09-10 09:18

Platform

android-x64-20240910-en

Max time kernel

149s

Max time network

137s

Command Line

com.zbuu.karr

Signatures

XLoader payload

Description Indicator Process Target
N/A N/A N/A N/A

XLoader, MoqHao

trojan infostealer banker xloader_apk

Checks if the Android device is rooted.

evasion
Description Indicator Process Target
N/A /system/bin/su N/A N/A
N/A /system/xbin/su N/A N/A
N/A /sbin/su N/A N/A

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.zbuu.karr/files/dex N/A N/A
N/A /data/user/0/com.zbuu.karr/files/dex N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Reads the content of the MMS message.

collection
Description Indicator Process Target
URI accessed for read content://mms/ N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.zbuu.karr

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 142.250.180.14:443 tcp
GB 142.250.180.14:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.238:443 android.apis.google.com tcp
GB 172.217.169.14:443 tcp
GB 216.58.212.226:443 tcp
GB 172.217.169.14:443 tcp
US 216.239.36.223:443 tcp
US 216.239.36.223:443 tcp
US 1.1.1.1:53 docs.google.com udp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
GB 142.250.180.10:443 semanticlocation-pa.googleapis.com tcp
GB 142.250.179.238:443 docs.google.com tcp
GB 142.250.179.238:443 docs.google.com tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp

Files

/data/data/com.zbuu.karr/files/dex

MD5 ae9c12585483e8f440602e44dedfc892
SHA1 9605a4070f7c3d7e180c319b3125751233b655ef
SHA256 6bae5b64c4d0c9b7777a8ff1d198eff5a89fc4b1e2489e0b13e2751b5e2e33cd
SHA512 cf958ae50832841f5921c82a8ac0ed3822afb6361648fb2d2c2cc99a17ff4a22343594e0599836342fd9cbeccc6c05623505f1c0d87197f296d5a917c5e7b33c

/data/data/com.zbuu.karr/files/oat/dex.cur.prof

MD5 d5488e8d7d1b64d90191c6d6530d5b00
SHA1 769d7cc38ab4b70b44d644de0444eadf962f4170
SHA256 dc99e36a5e3e218ead993156d515ab8d942f47350d701e76ab59c2bc0cc5032f
SHA512 bb29c96eab565b3eb11b016712db9ed950baad06c7bcbbe28f96ac4f3b0ba20109abc23567bad4b7d942ef6c1180a9d0359568028f76e45dbb20869cef2adda7

Analysis: behavioral3

Detonation Overview

Submitted

2024-09-08 22:22

Reported

2024-09-10 08:53

Platform

android-x64-arm64-20240910-en

Max time kernel

149s

Max time network

153s

Command Line

com.zbuu.karr

Signatures

XLoader payload

Description Indicator Process Target
N/A N/A N/A N/A

XLoader, MoqHao

trojan infostealer banker xloader_apk

Checks if the Android device is rooted.

evasion
Description Indicator Process Target
N/A /system/bin/su N/A N/A

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.zbuu.karr/files/dex N/A N/A
N/A /data/user/0/com.zbuu.karr/files/dex N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Reads the content of the MMS message.

collection
Description Indicator Process Target
URI accessed for read content://mms/ N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Requests changing the default SMS application.

collection impact
Description Indicator Process Target
Intent action android.provider.Telephony.ACTION_CHANGE_DEFAULT N/A N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.zbuu.karr

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 www.youtube.com udp
GB 142.250.200.14:443 www.youtube.com udp
GB 142.250.200.14:443 www.youtube.com tcp
GB 142.250.200.14:443 www.youtube.com tcp
US 1.1.1.1:53 docs.google.com udp
GB 142.250.178.14:443 docs.google.com tcp
GB 142.250.178.14:443 docs.google.com tcp
KR 91.204.227.39:28844 tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.200.8:443 ssl.google-analytics.com tcp
KR 91.204.227.39:28844 tcp
GB 142.250.187.238:443 www.youtube.com tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 172.217.16.238:443 android.apis.google.com tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
GB 142.250.187.238:443 www.youtube.com tcp
GB 216.58.212.193:443 tcp
US 216.239.38.223:443 tcp
GB 142.250.187.225:443 tcp
US 216.239.38.223:443 tcp

Files

/data/user/0/com.zbuu.karr/files/dex

MD5 ae9c12585483e8f440602e44dedfc892
SHA1 9605a4070f7c3d7e180c319b3125751233b655ef
SHA256 6bae5b64c4d0c9b7777a8ff1d198eff5a89fc4b1e2489e0b13e2751b5e2e33cd
SHA512 cf958ae50832841f5921c82a8ac0ed3822afb6361648fb2d2c2cc99a17ff4a22343594e0599836342fd9cbeccc6c05623505f1c0d87197f296d5a917c5e7b33c