Analysis
-
max time kernel
149s -
max time network
149s -
platform
android-9_x86 -
resource
android-x86-arm-20240910-en -
resource tags
-
submitted
28-09-2024 22:08
General
-
Target
1e57614226f4e3f00c9d83ecd5f0db472b629f6c6945177e11a42c875a33f87c.apk
-
Size
277KB
-
MD5
1f17648b932eb426376931553b3c8084
-
SHA1
40c15ad49b175c0fffdd5a928ad442f05e896ca0
-
SHA256
1e57614226f4e3f00c9d83ecd5f0db472b629f6c6945177e11a42c875a33f87c
-
SHA512
816910187bd606e17d59e5935ee255691ded3537cb9edd017d85c036fd3f4759dc92ee3b14315467b47d97e10368947ee05a4a6bb29cfa804c580bb2f044a00d
-
SSDEEP
6144:AAecPHfgcJuTLDmT+Iqm0+b26KphuIVIiI6ggj6NFA2fvxMFhD:T0o+RmnbqdCyl+FA2fvxGD
Malware Config
Extracted
xloader_apk
http://91.204.227.39:28844
Signatures
-
XLoader payload 1 IoCs
-
XLoader, MoqHao
An Android banker and info stealer.
-
Checks if the Android device is rooted. 1 TTPs 3 IoCs
-
Removes its main activity from the application launcher 1 TTPs 1 IoCs
-
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs executable file dropped to the device during analysis.
-
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Reads the content of the MMS message. 1 TTPs 1 IoCs
-
Acquires the wake lock 1 IoCs
-
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
-
Requests changing the default SMS application. 2 TTPs 1 IoCs
-
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
-
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
-
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
Processes
-
com.nlhd.zuqj1⤵
- Checks if the Android device is rooted.
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Reads the content of the MMS message.
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Requests changing the default SMS application.
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
Network
MITRE ATT&CK Mobile v15
Persistence
Event Triggered Execution
1Broadcast Receivers
1Foreground Persistence
1Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Hide Artifacts
2Suppress Application Icon
1User Evasion
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
484KB
MD570f95d8cbe97d5c2eba3ea8444ae66ab
SHA1ceeb757ec23da7c6b127262ae1dd966b4a7a73cc
SHA256b02e06dfd1642646e5ccf3a06ccfc850edd1ba0464550962a15e69a0b6931426
SHA512666d43b00bb424631c17248ced477990e5d2375b9ca086aeaf976ec00c44d017ff8e72538afdaa26b918014451382c8462a84c37ad2a597e0ec1c39288c96efa
-
Filesize
895B
MD57867a360c8c789cc1ddd8a32fa90e5dd
SHA1430f1f9692c2be500fcded0f3964cd2fae14211c
SHA256adc54098add833d17265df6553bc4256b1edb635bebf2ff5318c394263801029
SHA512ce71721fb97aeb158bc66daed595d30ed1e9cd2be661cd2d5f8de406802af4df6ac33f51381602db1475f19e8d83761764a6475b5e5ab8f1ba64b71f1a718dde