xloader_apk | 47fa634279445320ff247d2d9a3806d6161e3a588a6272f17d875a7f57fe10ed

Analysis

max time kernel
149s
max time network
151s
platform
android-9_x86
resource
android-x86-arm-20240910-en
resource tags

arch:armarch:x86image:android-x86-arm-20240910-enlocale:en-usos:android-9-x86system
submitted
17-09-2024 22:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

47fa634279445320ff247d2d9a3806d6161e3a588a6272f17d875a7f57fe10ed.apk
Size

277KB
MD5

96245445773b9245eb78c2968a1340f2
SHA1

4eedf5d07daa9390bae40dc389a67f88376d5307
SHA256

47fa634279445320ff247d2d9a3806d6161e3a588a6272f17d875a7f57fe10ed
SHA512

9b6eb246ef78ad37aeea7f800a5159c1a143f750a0089d15e2e720210da5f42aafd3da386be4bdf004f924e5124906d8651b6f28d0c966a4d6e7c4b8940e5839
SSDEEP

6144:7qoJGeH7Zv8PyA5toP/R91TNOX7p/DN2Qz1QZBBUn0HNMcCHw5rRA:7qojb18PZtgPvu1Dnz2Lqn2M9w59A

Score

10^/10

xloader_apk banker collection discovery evasion impact infostealer persistence stealth trojan

Malware Config

Extracted

Family

xloader_apk

http://91.204.227.39:28844

DES_key

Signatures

XLoader payload 1 IoCs

resource	yara_rule
behavioral1/files/fstream-1.dat	family_xloader_apk2

XLoader, MoqHao
An Android banker and info stealer.
trojan infostealer banker xloader_apk

Checks if the Android device is rooted. 1 TTPs 3 IoCs

evasion

System Information Discovery

T1426

ioc	Process
/system/bin/su	com.pkyo.lbjb
/system/xbin/su	com.pkyo.lbjb
/sbin/su	com.pkyo.lbjb

Removes its main activity from the application launcher 1 TTPs 1 IoCs

stealth trojan evasion

Suppress Application Icon

T1628.001

pid	Process
4215	com.pkyo.lbjb

Loads dropped Dex/Jar 1 TTPs 2 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.pkyo.lbjb/files/dex	4215	com.pkyo.lbjb
/data/user/0/com.pkyo.lbjb/files/dex	4215	com.pkyo.lbjb

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Reads the content of the MMS message. 1 TTPs 1 IoCs

collection

SMS Messages

T1636.004

description	ioc	Process
URI accessed for read	content://mms/	com.pkyo.lbjb

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.pkyo.lbjb

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

evasion persistence

Foreground Persistence

T1541

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	com.pkyo.lbjb

Requests changing the default SMS application. 2 TTPs 1 IoCs

collection impact

SMS Messages

T1636.004

SMS Control

T1582

description	ioc	Process
Intent action	android.provider.Telephony.ACTION_CHANGE_DEFAULT	com.pkyo.lbjb

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs

evasion

User Evasion

T1628.002

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.pkyo.lbjb

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	com.pkyo.lbjb

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.pkyo.lbjb

com.pkyo.lbjb
1⤵
- Checks if the Android device is rooted.
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Reads the content of the MMS message.
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Requests changing the default SMS application.
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
PID:4215

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Foreground Persistence

T1541

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Foreground Persistence

T1541

Hide Artifacts

T1628

Suppress Application Icon

T1628.001

User Evasion

T1628.002

Credential Access

Discovery

Software Discovery

T1418

Security Software Discovery

T1418.001

System Information Discovery

T1426

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Protected User Data

T1636

SMS Messages

T1636.004

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

SMS Control

T1582

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.pkyo.lbjb/files/dex

Filesize
484KB

MD5
70f95d8cbe97d5c2eba3ea8444ae66ab

SHA1
ceeb757ec23da7c6b127262ae1dd966b4a7a73cc

SHA256
b02e06dfd1642646e5ccf3a06ccfc850edd1ba0464550962a15e69a0b6931426

SHA512
666d43b00bb424631c17248ced477990e5d2375b9ca086aeaf976ec00c44d017ff8e72538afdaa26b918014451382c8462a84c37ad2a597e0ec1c39288c96efa

Download Submit
/data/data/com.pkyo.lbjb/files/oat/dex.cur.prof

Filesize
937B

MD5
e6f75f403aafb07135631c877e4fdb3d

SHA1
ceb38f37d72e8b993ea8412bd76311fbb9b48305

SHA256
4fa632386b787d0f81b56ab1639614f5c3498be80eccb80e52d4cee2f4a2f9ed

SHA512
6c52782a91e11ae3869588acc2fa759554ed293db79ae8c09217419e6cb960d58b3426184aac58390246b475767ff557a5897356f4001f7d78c35d450cf535ab

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads