Malware Analysis Report

2024-10-19 11:53

Sample ID 240916-11vxsascpg
Target eec6b19bb5f8efde4871bb11eb98237255828ae05952475a4fa557b3e1d2a79e.bin
SHA256 eec6b19bb5f8efde4871bb11eb98237255828ae05952475a4fa557b3e1d2a79e
Tags
xloader_apk banker collection discovery evasion impact infostealer persistence stealth trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

eec6b19bb5f8efde4871bb11eb98237255828ae05952475a4fa557b3e1d2a79e

Threat Level: Known bad

The file eec6b19bb5f8efde4871bb11eb98237255828ae05952475a4fa557b3e1d2a79e.bin was found to be: Known bad.

Malicious Activity Summary

xloader_apk banker collection discovery evasion impact infostealer persistence stealth trojan

XLoader, MoqHao

XLoader payload

Checks if the Android device is rooted.

Removes its main activity from the application launcher

Queries the phone number (MSISDN for GSM devices)

Loads dropped Dex/Jar

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Reads the content of the MMS message.

Acquires the wake lock

Requests dangerous framework permissions

Makes use of the framework's foreground persistence service

Requests changing the default SMS application.

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-16 22:07

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
Allows access to the list of accounts in the Accounts Service. android.permission.GET_ACCOUNTS N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows an application to monitor incoming MMS messages. android.permission.RECEIVE_MMS N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-16 22:07

Reported

2024-09-16 22:10

Platform

android-x86-arm-20240910-en

Max time kernel

149s

Max time network

151s

Command Line

lmtq.ipwxs.zqnga

Signatures

XLoader payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

XLoader, MoqHao

trojan infostealer banker xloader_apk

Checks if the Android device is rooted.

evasion
Description Indicator Process Target
N/A /system/bin/su N/A N/A
N/A /system/xbin/su N/A N/A
N/A /sbin/su N/A N/A

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/lmtq.ipwxs.zqnga/files/dex N/A N/A
N/A /data/user/0/lmtq.ipwxs.zqnga/files/dex N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Reads the content of the MMS message.

collection
Description Indicator Process Target
URI accessed for read content://mms/ N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Requests changing the default SMS application.

collection impact
Description Indicator Process Target
Intent action android.provider.Telephony.ACTION_CHANGE_DEFAULT N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

lmtq.ipwxs.zqnga

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 142.250.187.238:443 tcp
GB 142.250.187.238:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.200.14:443 android.apis.google.com tcp
US 1.1.1.1:53 docs.google.com udp
GB 216.58.212.238:443 docs.google.com tcp
GB 216.58.212.238:443 docs.google.com tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
GB 142.250.200.2:443 tcp

Files

/data/data/lmtq.ipwxs.zqnga/files/dex

MD5 f51fa0481451ad4df6c3686f2a41e29a
SHA1 c38c35f5da0921eedeb256986fbd6bb00314ec0e
SHA256 7a60fc73f461b0c1dfb9c9786b44abd00e1c2034440397019a5225631e4679e4
SHA512 af7cbefadd5fce52a10daffb4073154dfab2240616669d3050910eb03a254a6d73932caf5db827fd12d35f217bc79e75524c81b41a7740e050468e37ff96efd9

/data/data/lmtq.ipwxs.zqnga/files/oat/dex.cur.prof

MD5 7207a82392a05bdb948d8bfe40d49b51
SHA1 c666ef359991207dec69d3a33106a03ed751ee70
SHA256 53eb5366a705d805d7a2e248178205c4e634766349b214b6495cf2b9ed68fcf1
SHA512 74e16b8e691c86a2bd2661ac814a241af3aaf45af326a96f5b73127568556c96e5a1d2e761d4dbf12a859b685b4800e184eab0ae6b90ba0a65a04f79a18017f4

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-16 22:07

Reported

2024-09-16 22:10

Platform

android-x64-20240910-en

Max time kernel

149s

Max time network

150s

Command Line

lmtq.ipwxs.zqnga

Signatures

XLoader payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

XLoader, MoqHao

trojan infostealer banker xloader_apk

Checks if the Android device is rooted.

evasion
Description Indicator Process Target
N/A /system/xbin/su N/A N/A
N/A /sbin/su N/A N/A
N/A /system/bin/su N/A N/A

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/lmtq.ipwxs.zqnga/files/dex N/A N/A
N/A /data/user/0/lmtq.ipwxs.zqnga/files/dex N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Reads the content of the MMS message.

collection
Description Indicator Process Target
URI accessed for read content://mms/ N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

lmtq.ipwxs.zqnga

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 142.250.187.206:443 tcp
GB 142.250.187.206:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.206:443 android.apis.google.com tcp
US 1.1.1.1:53 docs.google.com udp
GB 142.250.200.46:443 docs.google.com tcp
GB 142.250.200.46:443 docs.google.com tcp
KR 91.204.227.39:28844 tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 172.217.169.40:443 ssl.google-analytics.com tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
GB 216.58.213.2:443 tcp

Files

/data/data/lmtq.ipwxs.zqnga/files/dex

MD5 f51fa0481451ad4df6c3686f2a41e29a
SHA1 c38c35f5da0921eedeb256986fbd6bb00314ec0e
SHA256 7a60fc73f461b0c1dfb9c9786b44abd00e1c2034440397019a5225631e4679e4
SHA512 af7cbefadd5fce52a10daffb4073154dfab2240616669d3050910eb03a254a6d73932caf5db827fd12d35f217bc79e75524c81b41a7740e050468e37ff96efd9

/data/data/lmtq.ipwxs.zqnga/files/oat/dex.cur.prof

MD5 158ca6797acbb4fb5d58aaa3c2bef438
SHA1 d95eeb65ec8506f4878dd822d78ca18def62bef3
SHA256 b352a1ba254bff2b917f1ffeb820412f936472874a56ee695489f6ffcb9c3050
SHA512 41d586f36f03963e6dfb818867ba13123f0f4b7182c8bb6a9ec054bc22f1da326462a380a3bac3d2bbec38303957fd2bd5b3dadabe8b03e3febf802f1b7045cc

Analysis: behavioral3

Detonation Overview

Submitted

2024-09-16 22:07

Reported

2024-09-16 22:10

Platform

android-x64-arm64-20240910-en

Max time kernel

149s

Max time network

151s

Command Line

lmtq.ipwxs.zqnga

Signatures

XLoader payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

XLoader, MoqHao

trojan infostealer banker xloader_apk

Checks if the Android device is rooted.

evasion
Description Indicator Process Target
N/A /system/bin/su N/A N/A

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/lmtq.ipwxs.zqnga/files/dex N/A N/A
N/A /data/user/0/lmtq.ipwxs.zqnga/files/dex N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Reads the content of the MMS message.

collection
Description Indicator Process Target
URI accessed for read content://mms/ N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Requests changing the default SMS application.

collection impact
Description Indicator Process Target
Intent action android.provider.Telephony.ACTION_CHANGE_DEFAULT N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

lmtq.ipwxs.zqnga

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 www.youtube.com udp
GB 216.58.213.14:443 www.youtube.com udp
GB 216.58.213.14:443 www.youtube.com tcp
US 1.1.1.1:53 docs.google.com udp
GB 172.217.169.14:443 docs.google.com tcp
GB 172.217.169.14:443 docs.google.com tcp
KR 91.204.227.39:28844 tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 172.217.169.40:443 ssl.google-analytics.com tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
GB 216.58.201.110:443 www.youtube.com tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.200.14:443 android.apis.google.com tcp
KR 91.204.227.39:28844 tcp
GB 172.217.169.78:443 tcp
GB 172.217.169.33:443 tcp
GB 142.250.200.1:443 tcp
US 216.239.32.223:443 tcp
US 216.239.32.223:443 tcp

Files

/data/user/0/lmtq.ipwxs.zqnga/files/dex

MD5 f51fa0481451ad4df6c3686f2a41e29a
SHA1 c38c35f5da0921eedeb256986fbd6bb00314ec0e
SHA256 7a60fc73f461b0c1dfb9c9786b44abd00e1c2034440397019a5225631e4679e4
SHA512 af7cbefadd5fce52a10daffb4073154dfab2240616669d3050910eb03a254a6d73932caf5db827fd12d35f217bc79e75524c81b41a7740e050468e37ff96efd9