Analysis
-
max time kernel
149s -
max time network
138s -
platform
android_x86 -
resource
android-x86-arm-20240624-en -
resource tags
-
submitted
10-10-2024 22:07
General
-
Target
0857b7925c0ab09779ea5bccdf400add91f755b65333a0baef8a6d060149c5e4.apk
-
Size
307KB
-
MD5
22d3566c70d744455e0bc0d6b35b9700
-
SHA1
9e7eb5ac7d50e5c40d53270ad008e4a973d03d25
-
SHA256
0857b7925c0ab09779ea5bccdf400add91f755b65333a0baef8a6d060149c5e4
-
SHA512
41d9e6af47f4b5cc478223778e8cba72733c8948836686bd5ea7c16a6601aa34d95e5089d674c2398c3913706fd7b3f4f423c859d5da559542505e1ad16edbb9
-
SSDEEP
6144:mxxcsbwqBzVFEuELPmrCyiyJ+tyqK02zGVmxJifqk1bdSu1NNg93IFFNz:mXPHEL+iyJcNz2zGVmxJ2xbdzNNg93Mz
Malware Config
Extracted
xloader_apk
http://91.204.226.105:28844
Signatures
-
XLoader payload 2 IoCs
-
XLoader, MoqHao
An Android banker and info stealer.
-
Checks if the Android device is rooted. 1 TTPs 3 IoCs
-
Removes its main activity from the application launcher 1 TTPs 1 IoCs
-
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs executable file dropped to the device during analysis.
-
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries account information for other applications stored on the device 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect account information stored on the device.
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Reads the content of the MMS message. 1 TTPs 1 IoCs
-
Acquires the wake lock 1 IoCs
-
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
-
Queries information about active data network 1 TTPs 1 IoCs
-
Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
-
Requests changing the default SMS application. 2 TTPs 1 IoCs
-
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
-
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
Processes
-
iblu.zg.ws1⤵
- Checks if the Android device is rooted.
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Queries account information for other applications stored on the device
- Reads the content of the MMS message.
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Queries information about active data network
- Queries information about the current Wi-Fi connection
- Requests changing the default SMS application.
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
Network
MITRE ATT&CK Mobile v15
Persistence
Event Triggered Execution
1Broadcast Receivers
1Foreground Persistence
1Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Hide Artifacts
1Suppress Application Icon
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
580KB
MD5ed9219be2761d62f01f05dee71f02df3
SHA1c2b904961f519a66052c04d444b34ef4c3f00e67
SHA256b8f6a3769331039a5f2dc29eba3adc431a7b086d47ec579cd143da11f137f13d
SHA512420dc0fa4e231a66fa5c26fbd7952f574aa24aec62ecdf387dd376e98dac93cbea493785d67a030bd6d6745b00c7f3b14b693f906124ee6438b6a227d682f8bd
-
Filesize
36B
MD5b7b7af51aace7d8bd41d8f7066d4009d
SHA1bd8afa517a391f047cfa6aa74cfd3a127a749010
SHA2569f03436dc48930e71fe1eb399e623d6134c9418e0f657209502a67be373356a2
SHA5123bf9e45d76174ff7802284403d8745f775cc867ab3bbe5ce5299e213d3632dcf6bf9a29569e358af0bd9542b84cab2600b7e144e2e4aad32638d1741bd109baa