Analysis
-
max time kernel
149s -
max time network
141s -
platform
android_x86 -
resource
android-x86-arm-20240624-en -
resource tags
-
submitted
08-10-2024 22:08
General
-
Target
99c766f079dae7135e4ab7f93f317547c9d4e6d1bc9a3a26827752387c8070b8.apk
-
Size
275KB
-
MD5
db0b2e1c8f94e7112c0e44424d139fdf
-
SHA1
bae1d9c60eaf48f11c6b735aa5f8651511e42bf1
-
SHA256
99c766f079dae7135e4ab7f93f317547c9d4e6d1bc9a3a26827752387c8070b8
-
SHA512
1be25c6c1b1219b7748f8eccf528b09b4b369507b292b8cb272b0c44d2bb2158b149aff9cec05336b43db41303b37f2584994482c3bc3f7403a1349d0d35e16d
-
SSDEEP
6144:5wGa9gKMYeD/VOmlQHNvbiWg2PPwhrLr/lXw7VV/dOCMSf12:5PaK+eD/wmuHBcPrLr/tw7H/dqk12
Malware Config
Extracted
xloader_apk
http://91.204.227.39:28844
Signatures
-
XLoader payload 1 IoCs
-
XLoader, MoqHao
An Android banker and info stealer.
-
Checks if the Android device is rooted. 1 TTPs 3 IoCs
-
Removes its main activity from the application launcher 1 TTPs 1 IoCs
-
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs executable file dropped to the device during analysis.
-
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Reads the content of the MMS message. 1 TTPs 1 IoCs
-
Acquires the wake lock 1 IoCs
-
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
-
Requests changing the default SMS application. 2 TTPs 1 IoCs
-
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
-
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
-
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
Processes
-
com.cycm.uctm1⤵
- Checks if the Android device is rooted.
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Reads the content of the MMS message.
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Requests changing the default SMS application.
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
Network
MITRE ATT&CK Mobile v15
Persistence
Event Triggered Execution
1Broadcast Receivers
1Foreground Persistence
1Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Hide Artifacts
2Suppress Application Icon
1User Evasion
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
483KB
MD5e12d777273c3f474433d79bc6f46513c
SHA1ded0831d8bda2885bb178161575a3edb4c358549
SHA256bc13812bbf18e78aa81d1e49fd2b62864069620846c56e94d70dbe0c6d64d7f4
SHA512e09b08a56793a36f0ccc40db82f05f0ff8597597cc1b1afd0b1fbdc472a8cfbaae9e40a205f4b85a7652b045a442b0822e808e224d603fdab5e2e5a23141297b
-
Filesize
908B
MD5a30fa5867e1039cd50b58b19f4fcacb8
SHA1dcec03a596b925fcca3fa7ff0f2799f591b26a44
SHA256e490fce06b22dcac9b1266bfb2fad2b722a021d2981306bb8343e9193476dfbc
SHA512e63a0207a49aefe2fc341d2ae687f1fbbd9c21ea7ddb5ccd83d3d79ed641c08108842d1efd36c1549feadf3fccdf58a4e6e1bf97701159c9a094cf02f0eb9316