xloader_apk | ef73e953b840f1e2f792bfe61a83ac4789482585ac07e75c61e1845dee5af5a1

Analysis

max time kernel
149s
max time network
151s
platform
android-11_x64
resource
android-x64-arm64-20240910-en
resource tags

arch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240910-enlocale:en-usos:android-11-x64system
submitted
09-10-2024 22:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ef73e953b840f1e2f792bfe61a83ac4789482585ac07e75c61e1845dee5af5a1.apk
Size

208KB
MD5

5212c5d18e5d2ad8cd16daf82ae79898
SHA1

1fc4c98cd9fe873c0b3659e9e02b823b5931e510
SHA256

ef73e953b840f1e2f792bfe61a83ac4789482585ac07e75c61e1845dee5af5a1
SHA512

5a91329625f76c64fd87be44d8f56ae382735827daa7ac75a123aafe3ba65015b4b435ca81318cf9c6ad4483350f6329274b7d0104134800c08a11a2c3762679
SSDEEP

6144:IuTWitDfcoLORdvVSKz/h9B+STKFlwp8IzJp5:DTWitDkoyvFz/rBfK7wpnL5

Score

10^/10

xloader_apk banker collection discovery evasion impact infostealer persistence stealth trojan

Malware Config

Extracted

Family

xloader_apk

http://91.204.226.105:28844

DES_key

Signatures

XLoader payload 2 IoCs

Processes:

resource	yara_rule
/data/user/0/j.vskj.ar/files/dex	family_xloader_apk
/data/user/0/j.vskj.ar/files/dex	family_xloader_apk2

XLoader, MoqHao
An Android banker and info stealer.
trojan infostealer banker xloader_apk
Checks if the Android device is rooted. 1 TTPs 1 IoCs
evasion

System Information Discovery
T1426

Processes:

j.vskj.ar

ioc process

/system/bin/su j.vskj.ar
Removes its main activity from the application launcher 1 TTPs 1 IoCs
stealth trojan evasion

Suppress Application Icon
T1628.001

Processes:

j.vskj.ar

pid process

4818 j.vskj.ar
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs executable file dropped to the device during analysis.
evasion

Download New Code at Runtime
T1407

Processes:

j.vskj.ar

ioc pid process

/data/user/0/j.vskj.ar/files/dex 4818 j.vskj.ar
/data/user/0/j.vskj.ar/files/dex 4818 j.vskj.ar
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Queries account information for other applications stored on the device 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect account information stored on the device.
collection

Stored Application Data
T1409

Processes:

j.vskj.ar

description ioc process

Framework service call android.accounts.IAccountManager.getAccountsAsUser j.vskj.ar
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422
Reads the contacts stored on the device. 1 TTPs 1 IoCs
collection

Contact List
T1636.003

Processes:

j.vskj.ar

description ioc process

URI accessed for read content://com.android.contacts/raw_contacts j.vskj.ar
Reads the content of the MMS message. 1 TTPs 1 IoCs
collection

SMS Messages
T1636.004

Processes:

j.vskj.ar

description ioc process

URI accessed for read content://mms/ j.vskj.ar
Acquires the wake lock 1 IoCs

Processes:

j.vskj.ar

description ioc process

Framework service call android.os.IPowerManager.acquireWakeLock j.vskj.ar
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
evasion persistence

Foreground Persistence
T1541

Processes:

j.vskj.ar

description ioc process

Framework service call android.app.IActivityManager.setServiceForeground j.vskj.ar
Queries information about active data network 1 TTPs 1 IoCs
discovery

System Network Connections Discovery
T1421

Processes:

j.vskj.ar

description ioc process

Framework service call android.net.IConnectivityManager.getActiveNetworkInfo j.vskj.ar
Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
discovery

System Network Connections Discovery
T1421

Processes:

j.vskj.ar

description ioc process

Framework service call android.net.wifi.IWifiManager.getConnectionInfo j.vskj.ar
Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422
Requests changing the default SMS application. 2 TTPs 1 IoCs
collection impact

SMS Messages
T1636.004

SMS Control
T1582

Processes:

j.vskj.ar

description ioc process

Intent action android.provider.Telephony.ACTION_CHANGE_DEFAULT j.vskj.ar
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
impact

Data Encrypted for Impact
T1471

Processes:

j.vskj.ar

description ioc process

Framework API call javax.crypto.Cipher.doFinal j.vskj.ar

ioc	process
/system/bin/su	j.vskj.ar

pid	process
4818	j.vskj.ar

ioc	pid	process
/data/user/0/j.vskj.ar/files/dex	4818	j.vskj.ar
/data/user/0/j.vskj.ar/files/dex	4818	j.vskj.ar

description	ioc	process
Framework service call	android.accounts.IAccountManager.getAccountsAsUser	j.vskj.ar

description	ioc	process
URI accessed for read	content://com.android.contacts/raw_contacts	j.vskj.ar

description	ioc	process
URI accessed for read	content://mms/	j.vskj.ar

description	ioc	process
Framework service call	android.os.IPowerManager.acquireWakeLock	j.vskj.ar

description	ioc	process
Framework service call	android.app.IActivityManager.setServiceForeground	j.vskj.ar

description	ioc	process
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	j.vskj.ar

description	ioc	process
Framework service call	android.net.wifi.IWifiManager.getConnectionInfo	j.vskj.ar

description	ioc	process
Intent action	android.provider.Telephony.ACTION_CHANGE_DEFAULT	j.vskj.ar

description	ioc	process
Framework API call	javax.crypto.Cipher.doFinal	j.vskj.ar

j.vskj.ar
1⤵
- Checks if the Android device is rooted.
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Queries account information for other applications stored on the device
- Reads the contacts stored on the device.
- Reads the content of the MMS message.
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Queries information about active data network
- Queries information about the current Wi-Fi connection
- Requests changing the default SMS application.
- Uses Crypto APIs (Might try to encrypt user data)
PID:4818

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Foreground Persistence

T1541

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Foreground Persistence

T1541

Hide Artifacts

T1628

Suppress Application Icon

T1628.001

Credential Access

Discovery

Software Discovery

T1418

Security Software Discovery

T1418.001

System Information Discovery

T1426

System Network Configuration Discovery

T1422

System Network Connections Discovery

T1421

Lateral Movement

Collection

Protected User Data

T1636

Contact List

T1636.003

SMS Messages

T1636.004

Stored Application Data

T1409

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

SMS Control

T1582

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/j.vskj.ar/files/dex

Filesize
446KB

MD5
8bb09c2927ef88bda95970b61599f314

SHA1
391656ad53355854928f21a99e995f14e5c75ce7

SHA256
27ec66655a2a5e63f95ec2a4066bf7e64a79d7070923f42ba0cbffe53e2ba2dd

SHA512
94f59ce40f5b0a03c7bf0c4d199b47c4c7f85f98ae686f6994d74119f7c4b76d031d8607a879818d92c9097ce7603dbfef55d850186a21add9dee18f2bf90d68

Download Submit
/storage/emulated/0/.msg_device_id.txt

Filesize
36B

MD5
79e81be156bfd15aabe71739b3b670c0

SHA1
6a39bd13074ce6667eefe7a8306e8ae380b806be

SHA256
e0b5bc0f1030eeb906455b6eb9bd698a9699831a60d95b50029359f835297371

SHA512
ed83ac57fca281315db4ea89c1563523fad129a311bfc33c26cb7d11cfa2a5d7f69b2ac481a05b466813212cf3f2f9d976db445818b287e7ce9266ff5c3a9ed8

Download Submit