Malware Analysis Report

2024-10-19 11:54

Sample ID 240917-1ygblsxbna
Target bd40d3b1aeeaa8218b98b619ff3f77a3384d737ca4149fbf8ecfe34d7607a884.bin
SHA256 bd40d3b1aeeaa8218b98b619ff3f77a3384d737ca4149fbf8ecfe34d7607a884
Tags
xloader_apk banker collection discovery evasion impact infostealer persistence stealth trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

bd40d3b1aeeaa8218b98b619ff3f77a3384d737ca4149fbf8ecfe34d7607a884

Threat Level: Known bad

The file bd40d3b1aeeaa8218b98b619ff3f77a3384d737ca4149fbf8ecfe34d7607a884.bin was found to be: Known bad.

Malicious Activity Summary

xloader_apk banker collection discovery evasion impact infostealer persistence stealth trojan

XLoader payload

XLoader, MoqHao

Checks if the Android device is rooted.

Removes its main activity from the application launcher

Queries the phone number (MSISDN for GSM devices)

Loads dropped Dex/Jar

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Reads the content of the MMS message.

Requests dangerous framework permissions

Makes use of the framework's foreground persistence service

Requests changing the default SMS application.

Acquires the wake lock

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-17 22:03

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-17 22:03

Reported

2024-09-17 22:05

Platform

android-x86-arm-20240624-en

Max time kernel

149s

Max time network

148s

Command Line

auvr.gcvgk.rjmpm

Signatures

XLoader payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

XLoader, MoqHao

trojan infostealer banker xloader_apk

Checks if the Android device is rooted.

evasion
Description Indicator Process Target
N/A /system/xbin/su N/A N/A
N/A /sbin/su N/A N/A
N/A /system/bin/su N/A N/A

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/auvr.gcvgk.rjmpm/files/dex N/A N/A
N/A /data/user/0/auvr.gcvgk.rjmpm/files/dex N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Reads the content of the MMS message.

collection
Description Indicator Process Target
URI accessed for read content://mms/ N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Requests changing the default SMS application.

collection impact
Description Indicator Process Target
Intent action android.provider.Telephony.ACTION_CHANGE_DEFAULT N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

auvr.gcvgk.rjmpm

Network

Country Destination Domain Proto
US 1.1.1.1:53 docs.google.com udp
GB 142.250.180.14:443 docs.google.com tcp
GB 142.250.180.14:443 docs.google.com tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
GB 216.58.201.110:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.204.78:443 android.apis.google.com tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp

Files

/data/data/auvr.gcvgk.rjmpm/files/dex

MD5 c908b637c002940ef72c0f34eda33115
SHA1 c886b4786f696ca4be26516a83e842863e71f728
SHA256 125b57669edb6060fea0e71718ea17c957186496c2c1ea010d95c64218fe31ae
SHA512 57eafa70138d9b97af7c3160306133f1591f015563f4ebe21cb4a0354a6c2a380e246de64ea54d492e84d433b77b50d887ebdd3566002799abdeba66742ec350

/data/data/auvr.gcvgk.rjmpm/files/oat/dex.cur.prof

MD5 c79f7b9dda05f3a482af065acf726d00
SHA1 92ec95aa2a4036e930fa6caba21ea8c22142ac0e
SHA256 93e9b1989c053e6f3e9a039632b812ac0da41c9c649c16dcd21387e95c4087fb
SHA512 8e8c737f3fc1856acdb7970575788f904d0a6566c34145ea69b4558c9922daecc26833f79eb7e7efe752ecceaddebd494f809c97cd7a7434d34df623d7747aa6

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-17 22:03

Reported

2024-09-17 22:05

Platform

android-x64-20240910-en

Max time kernel

149s

Max time network

151s

Command Line

auvr.gcvgk.rjmpm

Signatures

XLoader payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

XLoader, MoqHao

trojan infostealer banker xloader_apk

Checks if the Android device is rooted.

evasion
Description Indicator Process Target
N/A /system/bin/su N/A N/A
N/A /system/xbin/su N/A N/A
N/A /sbin/su N/A N/A

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/auvr.gcvgk.rjmpm/files/dex N/A N/A
N/A /data/user/0/auvr.gcvgk.rjmpm/files/dex N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Reads the content of the MMS message.

collection
Description Indicator Process Target
URI accessed for read content://mms/ N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

auvr.gcvgk.rjmpm

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 142.250.200.42:443 tcp
GB 216.58.201.110:443 tcp
GB 216.58.201.110:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.178.14:443 android.apis.google.com tcp
US 1.1.1.1:53 docs.google.com udp
GB 216.58.212.206:443 docs.google.com tcp
GB 216.58.212.206:443 docs.google.com tcp
KR 91.204.227.39:28844 tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
KR 91.204.227.39:28844 tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 216.58.204.72:443 ssl.google-analytics.com tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
GB 142.250.180.14:443 tcp
GB 142.250.180.14:443 tcp
GB 216.58.213.2:443 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp

Files

/data/data/auvr.gcvgk.rjmpm/files/dex

MD5 c908b637c002940ef72c0f34eda33115
SHA1 c886b4786f696ca4be26516a83e842863e71f728
SHA256 125b57669edb6060fea0e71718ea17c957186496c2c1ea010d95c64218fe31ae
SHA512 57eafa70138d9b97af7c3160306133f1591f015563f4ebe21cb4a0354a6c2a380e246de64ea54d492e84d433b77b50d887ebdd3566002799abdeba66742ec350

/data/data/auvr.gcvgk.rjmpm/files/oat/dex.cur.prof

MD5 7597f8aa79493f9079e1ee5cdcbcd601
SHA1 f31543a8cd2de36e000824233631ea2dcee679a0
SHA256 378fc2eaec47c5ab275decf546d2b09bfadcd295197713ff86ff3d0a7eea8468
SHA512 4d3c19dcab103a55bc1e67814d9ea3a00315b9dd9b674faa795ca3333259b29885d9996381a5633e246707d706e98679019b4234007a1b4cd2cc8f19638b9bbf

Analysis: behavioral3

Detonation Overview

Submitted

2024-09-17 22:03

Reported

2024-09-17 22:06

Platform

android-x64-arm64-20240624-en

Max time kernel

149s

Max time network

154s

Command Line

auvr.gcvgk.rjmpm

Signatures

XLoader payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

XLoader, MoqHao

trojan infostealer banker xloader_apk

Checks if the Android device is rooted.

evasion
Description Indicator Process Target
N/A /system/bin/su N/A N/A

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/auvr.gcvgk.rjmpm/files/dex N/A N/A
N/A /data/user/0/auvr.gcvgk.rjmpm/files/dex N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Reads the content of the MMS message.

collection
Description Indicator Process Target
URI accessed for read content://mms/ N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Requests changing the default SMS application.

collection impact
Description Indicator Process Target
Intent action android.provider.Telephony.ACTION_CHANGE_DEFAULT N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

auvr.gcvgk.rjmpm

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 142.250.180.14:443 tcp
GB 142.250.180.14:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
US 1.1.1.1:53 docs.google.com udp
GB 172.217.16.238:443 docs.google.com tcp
GB 172.217.16.238:443 docs.google.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
KR 91.204.227.39:28844 tcp
GB 142.250.200.8:443 ssl.google-analytics.com tcp
KR 91.204.227.39:28844 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.178.14:443 android.apis.google.com tcp
KR 91.204.227.39:28844 tcp
GB 142.250.179.228:443 tcp
GB 142.250.179.228:443 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp

Files

/data/user/0/auvr.gcvgk.rjmpm/files/dex

MD5 c908b637c002940ef72c0f34eda33115
SHA1 c886b4786f696ca4be26516a83e842863e71f728
SHA256 125b57669edb6060fea0e71718ea17c957186496c2c1ea010d95c64218fe31ae
SHA512 57eafa70138d9b97af7c3160306133f1591f015563f4ebe21cb4a0354a6c2a380e246de64ea54d492e84d433b77b50d887ebdd3566002799abdeba66742ec350