Analysis
-
max time kernel
149s -
max time network
152s -
platform
android-11_x64 -
resource
android-x64-arm64-20240910-en -
resource tags
arch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240910-enlocale:en-usos:android-11-x64system -
submitted
09-09-2024 22:14
Static task
static1
Behavioral task
behavioral1
Sample
e0aa0bf66c00c8411fbb87f67811d20ed935a9de8d90123a97ccc14d8d802f48.apk
Resource
android-x86-arm-20240910-en
Behavioral task
behavioral2
Sample
e0aa0bf66c00c8411fbb87f67811d20ed935a9de8d90123a97ccc14d8d802f48.apk
Resource
android-x64-20240910-en
Behavioral task
behavioral3
Sample
e0aa0bf66c00c8411fbb87f67811d20ed935a9de8d90123a97ccc14d8d802f48.apk
Resource
android-x64-arm64-20240910-en
General
-
Target
e0aa0bf66c00c8411fbb87f67811d20ed935a9de8d90123a97ccc14d8d802f48.apk
-
Size
217KB
-
MD5
a264cfeb6bfc8e41f1645e78d6c3843a
-
SHA1
f7c72b6111ae384fbfcedf82f4cc2e44ca19f273
-
SHA256
e0aa0bf66c00c8411fbb87f67811d20ed935a9de8d90123a97ccc14d8d802f48
-
SHA512
a9bda9a6d790031978073239ceb66b0c01cecc09bb6d29711fa7556b26648921624bce512e3671f4569249ccafb249d28eda1f1a350b25d74f8b844fb28695f7
-
SSDEEP
6144:MJWit2Kv40g+MFAHxHO+izNzPq6uYarPzR70HI:ME10g+ZHxYzNb9uYarPEI
Malware Config
Extracted
xloader_apk
http://91.204.227.39:28844
Signatures
-
XLoader payload 2 IoCs
resource yara_rule behavioral3/files/fstream-1.dat family_xloader_apk behavioral3/files/fstream-1.dat family_xloader_apk2 -
XLoader, MoqHao
An Android banker and info stealer.
-
Checks if the Android device is rooted. 1 TTPs 1 IoCs
ioc Process /system/bin/su ybdm.bgmdd.ucnxc -
pid Process 4777 ybdm.bgmdd.ucnxc -
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs executable file dropped to the device during analysis.
ioc pid Process /data/user/0/ybdm.bgmdd.ucnxc/files/dex 4777 ybdm.bgmdd.ucnxc /data/user/0/ybdm.bgmdd.ucnxc/files/dex 4777 ybdm.bgmdd.ucnxc -
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Reads the content of the MMS message. 1 TTPs 1 IoCs
description ioc Process URI accessed for read content://mms/ ybdm.bgmdd.ucnxc -
Acquires the wake lock 1 IoCs
description ioc Process Framework service call android.os.IPowerManager.acquireWakeLock ybdm.bgmdd.ucnxc -
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
description ioc Process Framework service call android.app.IActivityManager.setServiceForeground ybdm.bgmdd.ucnxc -
Requests changing the default SMS application. 2 TTPs 1 IoCs
description ioc Process Intent action android.provider.Telephony.ACTION_CHANGE_DEFAULT ybdm.bgmdd.ucnxc -
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
description ioc Process Framework API call javax.crypto.Cipher.doFinal ybdm.bgmdd.ucnxc
Processes
-
ybdm.bgmdd.ucnxc1⤵
- Checks if the Android device is rooted.
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Reads the content of the MMS message.
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Requests changing the default SMS application.
- Uses Crypto APIs (Might try to encrypt user data)
PID:4777
Network
MITRE ATT&CK Mobile v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
456KB
MD56e3d29b5306a57dba7028a8da4609797
SHA1da143c2306182d664c850b74b4afa7fa948c974d
SHA25607f170fb70397d72a187bcdb83adc11f2e7c6d5a928d951d4f24b5e82dc04d96
SHA512e9dadbc1fa4244e681a22178a512bf8ef0b5a41e6b80e54f09ef8f5fd120ac25c55db8a6ff53f748ba0ba22eeee84eb8714bc79468da921d4ec8f0129bd60915