Analysis
-
max time kernel
149s -
max time network
150s -
platform
android-9_x86 -
resource
android-x86-arm-20240910-en -
resource tags
arch:armarch:x86image:android-x86-arm-20240910-enlocale:en-usos:android-9-x86system -
submitted
12-09-2024 22:05
Static task
static1
Behavioral task
behavioral1
Sample
7dc7e21af21b00e8f7e1ac485c5329ce877a14f6afb48be779b1db6b2f5276c8.apk
Resource
android-x86-arm-20240910-en
Behavioral task
behavioral2
Sample
7dc7e21af21b00e8f7e1ac485c5329ce877a14f6afb48be779b1db6b2f5276c8.apk
Resource
android-x64-20240624-en
Behavioral task
behavioral3
Sample
7dc7e21af21b00e8f7e1ac485c5329ce877a14f6afb48be779b1db6b2f5276c8.apk
Resource
android-x64-arm64-20240910-en
General
-
Target
7dc7e21af21b00e8f7e1ac485c5329ce877a14f6afb48be779b1db6b2f5276c8.apk
-
Size
431KB
-
MD5
1878a7c2c086ca200131a91bb011e1a4
-
SHA1
3b92ba8ba4dbceb920cb295e28551be1edac79fc
-
SHA256
7dc7e21af21b00e8f7e1ac485c5329ce877a14f6afb48be779b1db6b2f5276c8
-
SHA512
56c2e200612a7fa94edcd53b5a0c93b128601fdb3ceb8799fe8bf989a8b3ff8040ceb8be2617bb01af931e231b9e460cd9421e9161607dbbcb280f8061c42777
-
SSDEEP
12288://Qjwv7zK1rains2F+u4kaa9FgILmxmvdVvlb7VbZRJ3o:3ewTzK17ns24kZGAtBZro
Malware Config
Extracted
xloader_apk
http://91.204.227.39:28844
Signatures
-
XLoader payload 1 IoCs
resource yara_rule behavioral1/files/fstream-1.dat family_xloader_apk2 -
XLoader, MoqHao
An Android banker and info stealer.
-
Checks if the Android device is rooted. 1 TTPs 3 IoCs
ioc Process /sbin/su com.tcss.lbmm /system/bin/su com.tcss.lbmm /system/xbin/su com.tcss.lbmm -
pid Process 4369 com.tcss.lbmm -
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs executable file dropped to the device during analysis.
ioc pid Process /data/user/0/com.tcss.lbmm/files/dex 4369 com.tcss.lbmm /data/user/0/com.tcss.lbmm/files/dex 4369 com.tcss.lbmm -
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Reads the content of the MMS message. 1 TTPs 1 IoCs
description ioc Process URI accessed for read content://mms/ com.tcss.lbmm -
Acquires the wake lock 1 IoCs
description ioc Process Framework service call android.os.IPowerManager.acquireWakeLock com.tcss.lbmm -
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
description ioc Process Framework service call android.app.IActivityManager.setServiceForeground com.tcss.lbmm -
Queries information about active data network 1 TTPs 1 IoCs
description ioc Process Framework service call android.net.IConnectivityManager.getActiveNetworkInfo com.tcss.lbmm -
Requests changing the default SMS application. 2 TTPs 1 IoCs
description ioc Process Intent action android.provider.Telephony.ACTION_CHANGE_DEFAULT com.tcss.lbmm -
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
description ioc Process Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS com.tcss.lbmm -
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
description ioc Process Framework service call android.app.IActivityManager.registerReceiver com.tcss.lbmm -
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
description ioc Process Framework API call javax.crypto.Cipher.doFinal com.tcss.lbmm
Processes
-
com.tcss.lbmm1⤵
- Checks if the Android device is rooted.
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Reads the content of the MMS message.
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Queries information about active data network
- Requests changing the default SMS application.
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
PID:4369 -
ping -c 4 91.204.227.392⤵PID:4585
-
Network
MITRE ATT&CK Mobile v15
Persistence
Event Triggered Execution
1Broadcast Receivers
1Foreground Persistence
1Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Hide Artifacts
2Suppress Application Icon
1User Evasion
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
766KB
MD5b3aa28b0cf2269079fa51c1db9ad032b
SHA1c85618082d725fd8dd4789ecf43ce274b743c9cb
SHA2568933f198d336dc72d7e4c2012cf6ea5356bedf6a97a16c9b74fb2fac63ea02b0
SHA5122c077f33169d2d77a3a64d70c2705e32f46c8addb9299459c97a6ad9d7647fc906c36d172acf5731b53cb461c7eb21c6adfbe10ace50e483e41f55e16f958339