Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
138s -
platform
android_x86 -
resource
android-x86-arm-20240624-en -
resource tags
-
submitted
10/10/2024, 22:07 UTC
General
-
Target
0857b7925c0ab09779ea5bccdf400add91f755b65333a0baef8a6d060149c5e4.apk
-
Size
307KB
-
MD5
22d3566c70d744455e0bc0d6b35b9700
-
SHA1
9e7eb5ac7d50e5c40d53270ad008e4a973d03d25
-
SHA256
0857b7925c0ab09779ea5bccdf400add91f755b65333a0baef8a6d060149c5e4
-
SHA512
41d9e6af47f4b5cc478223778e8cba72733c8948836686bd5ea7c16a6601aa34d95e5089d674c2398c3913706fd7b3f4f423c859d5da559542505e1ad16edbb9
-
SSDEEP
6144:mxxcsbwqBzVFEuELPmrCyiyJ+tyqK02zGVmxJifqk1bdSu1NNg93IFFNz:mXPHEL+iyJcNz2zGVmxJ2xbdzNNg93Mz
Score
10/10
Malware Config
Extracted
Family
xloader_apk
C2
http://91.204.226.105:28844
DES_key
1
4162356431513332
Signatures
-
XLoader payload 2 IoCs
-
XLoader, MoqHao
An Android banker and info stealer.
-
Checks if the Android device is rooted. 1 TTPs 3 IoCs
-
Removes its main activity from the application launcher 1 TTPs 1 IoCs
-
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs executable file dropped to the device during analysis.
-
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries account information for other applications stored on the device 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect account information stored on the device.
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Reads the content of the MMS message. 1 TTPs 1 IoCs
-
Acquires the wake lock 1 IoCs
-
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
-
Queries information about active data network 1 TTPs 1 IoCs
-
Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
-
Requests changing the default SMS application. 2 TTPs 1 IoCs
-
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
-
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
Processes
-
iblu.zg.ws1⤵
- Checks if the Android device is rooted.
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Queries account information for other applications stored on the device
- Reads the content of the MMS message.
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Queries information about active data network
- Queries information about the current Wi-Fi connection
- Requests changing the default SMS application.
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
Network
-
DNSdocs.google.comRemote address:1.1.1.1:53Requestdocs.google.comIN AResponsedocs.google.comIN A216.58.204.78 -
DNSdocs.google.comRemote address:1.1.1.1:53Requestdocs.google.comIN A
-
GEThttps://docs.google.com/document/d/1s0n64k12_r9MglT5m9lr63M5F3e-xRyaMeYP7rdOTrA/mobilebasicRemote address:216.58.204.78:443RequestGET /document/d/1s0n64k12_r9MglT5m9lr63M5F3e-xRyaMeYP7rdOTrA/mobilebasic HTTP/1.1
User-Agent: Mozilla/5.0 (Linux; Android 6.0; Nexus 5 Build/MRA58N) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.121 Mobile Safari/537.36
Accept: text/html,*/*;q=0.8
Accept-Encoding: gzip
Accept-Language: zh-CN,zh;q=0.8,en;q=0.6
Cache-Control: no-cache
Host: docs.google.com
Connection: Keep-Alive
ResponseHTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
X-Robots-Tag: noarchive
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Date: Thu, 10 Oct 2024 22:07:37 GMT
Content-Encoding: gzip
P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
Content-Security-Policy: require-trusted-types-for 'script';report-uri https://csp.withgoogle.com/csp/docs-tt
Content-Security-Policy: base-uri 'self';object-src 'none';report-uri https://docs.google.com/document/cspreport;script-src 'report-sample' 'nonce-TeBEPPo9bNbLE6qgPS7T2Q' 'unsafe-inline' 'strict-dynamic' https: http: 'unsafe-eval';worker-src 'self' blob:
Reporting-Endpoints: default="/document/d/1s0n64k12_r9MglT5m9lr63M5F3e-xRyaMeYP7rdOTrA/web-reports?bl=editors.documents-frontend_20241001.01_p5&context=eJwV0HtYzdkaB_Dl91vvD7W7aMRIJRRCptBwdFO7vU91lGaG1k_HZbpNT8OpkXAYHJfGc4QzTxmipN29ZGMyHZcQo3LLpUGOxrXjNl3GFLubM3W-88fnWet51_us92L223CbvggWyAXbqQgWOkSwXNhgLpgRTmgEuwr-1oIVgKONYBNtBdNCDUSNEKx6pGBTPxSsDELtBLMbLViEvWCFjoIljBHs_TjBYscLppkgmAOch_eTBbOYKtgwKIUpboJlTBNsu4dgek_B0mAvDHws2PxZgt2ZLdhz8PMV7JOF6EEVbBbcjhTsKeQuFex-lGCvYGisYKPgXpxgM5cLFgitq1ET_rNZsNdQukWwU3Bzq2CPIXCbYAtg9m7BgiBtn2BZ4JIpmCf07xfM8oBgWw-iT9iaixOmGgTzhuxCwcrhmlGwJhh-XDBnOF2J_cGjc4K1w9g6wTxgI-yG4CuCLQL_65gL9PXYHRyAMphyWzAvOHdXsBtQ2ShYLbwF-b5g_3og2CEoasIbnIar8ONjwX4Cx2eCTYPM54KVgNULwcZABfwIddAIr14L1g3RnYIlw0vogmgrlV2A26CxVpk9vBqpshA7lUWC9UyVOcGyj1W2GqrgOmT9SWWHoRFewtBQlfmGqywMvoPtn6lsH5xUVfYsUmVblqgsHfyjVPYJXIxWWQNYr8L_sCBFZXs2qSwbHsJz6IBecPmHytxgPghIhV1wCa5DM7RAO5jgiW0Di5zcKkXDrsUd0nfQFN8hNcM3lzqk3RDf3CklwaiP3kpjITziraTCsWkm6SRcdDdJjkEmaQIs3GiSloD9ZpPkDCO3mqQx0HXGJPXDwVqTVAhXl3dLDbDOu0faAqpPj_Q5RH7RI0VDVVqPdAnqF_ZKd2HW172SH9hc65XsYOjtXmkYeNn0SVoYta1PGgtpO_ukjD8Y-qQsiM_6n5QEqZ_2S7uga6Bf6oez9gNSDSxYPiAtBvd1A9JskNYPSGZQmMzkI9D0lMnNsDd_kBxUOEgOhzG7JXkiXDZI8i2oq8FdluVb4OQqy5Og6lNZvgTLFspyPFRul-ULkFQjy2uh84Us98FqMy7XOnH5BrT9Ooe_A5vuOdwO0lu8-AHY8asXT4fOd168D36e781H7PfmjvDsiDf_BeLtfHgS1Lv6cKfZPnwSpGX68L1g5ezLR8KaGb58E5yP9eV1sCPRl6dDI_nxxxD6rR9fCP1X_Lhy1Y-XNfjx72H0zLl8PDB1Lh8C_vfmcnsHf-4M74P8uRLsz_NC_HkZ3Grz50-gut2fXwYlIIBbQtn-AP49HCsN4NVQXx7A74KtMYA7gPNILZ8KLeFa3gnnvtLyWnizRsu7oXeDlg_aqOUOW7TcBZqOaXkzvKjQ8nb4-o6W74Sz97S8Bpa0ankcOHQgH_RjA3kYmMYFchofyP-uBvJ_wvovA_m-7EBeDG0lgfwdeHUFci3oIBROQBXccdDxn-HhBB1vgxkTdVwL2TE6fjcBcchZqeNFMHeNjgeBWbqO20CMUcdTz-v4Ljh0Wcf9f9LxYDjyUsd_gHNOel4LKzz1PAVezNJzE7xdpufvoS9Kz82i9XzGt3ruBbm2QfwKJDoE8U2wFTJgSkQQnwEZ8UH8_qEg3gzjG4P4Xz8I5jFwdXgwfwBVHwbzOhi8PphbQezgEL4C0sxCeAaUz8-lDz7LpdFQczKX6uGbs7m0Fyxv5lLRo1yqhI-GGsgPnCINNAlGxRlo7B82G8gDnu0x0NoCA-WcMVARJFYZaA34VBtIBxbvDGQLKV0GSoXDPQaqgMxBeVQCE5fm0c2cPHoMyafyaD1MvpFH0yFsII8ioMgnn4zwdHE-vQbNwXwaDi45-eQGpYX5dBwaOvNpT3IBZYMhvYCOw5tHBdQNfa0FJLUVUMKbAloJXCqk4RC5opCiod6xiO6Ca2IRFaUWkRHkH4qoMaSYBv5STIPnFVPMtmJaDjv2FNO1E8XUBKfOFdMlOHqvmP4Ni4wlFAUX_1tCDZA-ppRGeJfSBLi1pZSaQKksJUvwbTlMesj7_TCVwenR5XQRDrmVUxk4hJWTC7DwchoCQ-PKaRi4biqnmeCyr5zcIKOynPJhUu0R2sCNlAo-rkbSwfgpRpoCmZ5GKoGKL410BuatM9ICuFJipNtgccpItrDqtJG-Bqf3RnKH8tCjdALGxRylyWBKOkpFvi1khIy4FsqCEUktNAFKdrfQMdAOa6WkJa20FroetFI_qA9b6XOw92sjZ_hNtFEPTKxoo1mgP9NGYdB9sY0GYK5rO4VDrGc7Tc9qpznQfqGdfgdr1w5yAmOIuVIBfcJckVRz5Vq6udIEESXmylJ49txc-QWqTebKgl5zZVEf4rDaXaNshAGdRhms1yi9SzTKoUSNUgx16zVKI4RlapQIeJutUXpg4KBGscrRKHuTLZQcCKq0UMKh5aSF0glW1ZbKhuuWSs4LK-X4PGtl5XJr5c_hwxQb8yFlhrxTivXxjifz7cxDk6ITVsQFRK1KiBnnGhebkJKUvGpabFLM6r_FJaascvsiOSkxJS4xdtl09-kzPdzdPaa5eyz7yvP_K8Hnrw&build-label=editors.documents-frontend_20241001.01_p5&imp-sid=CPmOnsnphIkDFeCIXQMd3UYotA&is-cached-offline=false"
Referrer-Policy: strict-origin-when-cross-origin
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Server: GSE
Set-Cookie: NID=518=wqp725SU0jtp-GH199wGpaazF81PZ9tUY6eyMkA3RvxebKRhaDhmPOgp5rifIUR8jZhgsO5qC00djOgwhpL4-nvhQzRf2DsKFDTOialj3IzpC8L60VJ-tVnNhCnhLeozcH6LeJpralxcMeHwtVhXBqhoHU3y8dfr2VBqHFxKvIxFuG4N; expires=Fri, 11-Apr-2025 22:07:36 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
x-l2-request-path: l2-managed-5
Transfer-Encoding: chunked
-
GEThttps://docs.google.com/document/d/1IIB6hhf_BB1DaxzC1aNfLEG1K97LsPsN55AT5pFWYKo/mobilebasicRemote address:216.58.204.78:443RequestGET /document/d/1IIB6hhf_BB1DaxzC1aNfLEG1K97LsPsN55AT5pFWYKo/mobilebasic HTTP/1.1
User-Agent: Mozilla/5.0 (Linux; Android 6.0; Nexus 5 Build/MRA58N) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.121 Mobile Safari/537.36
Accept: text/html,*/*;q=0.8
Accept-Encoding: gzip
Accept-Language: zh-CN,zh;q=0.8,en;q=0.6
Cache-Control: no-cache
Host: docs.google.com
Connection: Keep-Alive
ResponseHTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
X-Robots-Tag: noindex, nofollow, nosnippet
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Date: Thu, 10 Oct 2024 22:07:38 GMT
Content-Encoding: gzip
P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
Content-Security-Policy: require-trusted-types-for 'script';report-uri https://csp.withgoogle.com/csp/docs-tt
Content-Security-Policy: base-uri 'self';object-src 'none';report-uri https://docs.google.com/document/cspreport;script-src 'report-sample' 'nonce-LQIoFA_FvWXUm9sQq0J2Gg' 'unsafe-inline' 'strict-dynamic' https: http: 'unsafe-eval';worker-src 'self' blob:
Reporting-Endpoints: default="/document/d/1IIB6hhf_BB1DaxzC1aNfLEG1K97LsPsN55AT5pFWYKo/web-reports?bl=editors.documents-frontend_20241001.01_p5&context=eJwV0HdU1FcWB_Dn7_fuT4WhSEQj0lQs2AIq0ZUmDDNnYAVJoryfrCW0cIguRARda2KJm6BuDhhFRWToII4aDMeCikbAhgpRcCXRKGsLRVd0aG5gv_njc947975z733Xon64XV8E26kIFjpEsBxItRRsI5jgpEawaxBgK1g-ONsJNtFeMC1UQ9QIwapGCjb1feQh1EGwEaMFi3AUrMBZsAQXwd6NFSx2nGCaCYI5wQV4N1kwq6mCDYMSmDJNsIzpgu3wFEzvJVga7IWBDwVbMFuwO3MEewL-foJ9tAgzqILNhvpIwR5BzjLB7kUJ9hyGxgo2ChrjBJu1QrAgaEtFT_j3V4K9gJItgp2GW1sFewhB2wRbCHN2C2aAtH2CHYTxmYJ5Qf9-wawPCLb1EOaErTk4YapRMB_IKhCsDGqgEa6bBGuG4ScEc4MzFdgjPDgvWAeMqRXMEzbBbgi-KthiCLiB_4G-DjuEA1AKk-sFmwuld1ELzsNNqGhCT3gD8j3B_nVfsMNQ2IwcnIFr8NNDwX4G58eCTYfMJ4IVg81TwVygHH6CWmiC5y8E64boTsGS4Rl0QbSNyi5CPWhsVeYIz0eqLMRBZZFgO0tlrrD8Q5WlQiXcgIN_UdkRaIJnMDRUZX7hKguD72HHJyrbB6dUlT2OVNmWpSpLh4AolX0El6JV1gC2q1EfFqaobM9mlWVBCZyAZ_ASdF-qLBRuQiO0QCt0gBl-s29gkZPbpGjYteS19D00x7-WWuDry6-l3RDf0iklwagP3khjIDzijaTC8elm6RRc8jBLzgazNAEWbTJLS8HxK7PkBiO3miUX6DprlvrhUI1ZKoBrK7qlBljn0yNtAdW3R_oUIj_rkaKhMq1Hugx1i3qluzB7Q6_kD3bXeyUHGFrfKw0Db7s-SQujtvVJYyBtZ5-U8Sdjn3QQ4g_-T0qC7R_3S7uga6Bf6odzjgNSNSxcMSAtAY91A9IckNYPSBZQkMzko9D8iMktsDdvkGwoGCSHg8tuSZ4IV4ySfBtqq3GXZfk2uLrL8iSo_FiWL8PyRbIcDxU7ZPkiJFXL8lrofCrLfZBqweUaVy7fhPaXc_lbsOueyx0gvdWbH4BvX3rzdOh868374JcFPnzEfh_uDI-P-vDfId7BlydBnbsvd53jyydBWqYv3ws2bn58JKyZ6cc3w4VYP14LXyb68X9CE_nzhxD6nT9fBP1X_blyzZ-XNvjzH2D0rHl8HDB1Hh8CAY3zuKNTAHeDd4YArgQH8NyQAF4Kt9sD-G9Q1RHAr4ASGMitoXR_IP8BjpcE8iqoKwvkd8HeFMidwG2klk-F1nAt74TzX2h5Dbxao-Xd0LtRywdt0nKnLVo-HpqPa3kLPC3X8g7YcEfLd8K5Ri2vhqVtWh4HTq_xHvRjgngYmMcGcRoXxP-hBvFvYP3nQXxfVhAvgvbiIP4WvLuCuBYWgICTUAl3nHT8F_h1go63w8yJOq6FrBgdv5uAOGSv0vFCmLdGxw1gka7jdhBj0vHtF3R8Fxy-ouMBP-t4MBx9puM_wnlXPa-BlV56ngJPZ-u5Gd4s1_N30Bel5xbRej7zOz33hhx7A78KiU4Gvhm2QgZMiTDwmZARb-D3Dht4C4xrMvC_vRfMY-Da8GB-HyrfD-a1MHh9MLeB2MEhfCWkWYTwDChbkEPvfZJDo6H6VA7VwdfncmgvWN_KocIHOVQBHww1kj-4RhppEoyKM9KYP31lJE94vMdIa_ONlH3WSIWQWGmkNeBbZSQdWL01kj2kdBlpOxzpMVI5ZA7KpWKYuCyXbmXn0kNIPp1L62HyzVyaAWEDuRQBhb55ZIJHS_LoBWgO5dFwGJ-dR9OgpCCPTkBDZx7tSc6nLMhJz6fj8OpBPnVDX1s-Se35lPAqn1YBlwpoOESuLKBoqHMupLvgnlhI8o-F1BRSRAN_LaLB84soZlsRrYBv9xTR9ZNF1AynzxfRZVhsKqYouPSfYmqAdJcSGuFTQhPg9pYSagalooSswa_1COkh948jVApnRpfRJTg8rYxKwSmsjMYDCy-jITA0royGgfvmMpoF4_eV0TTIqCijPJhUc5Q2chNtB193E-lg3BQTTYFMLxMVQ_nnJjoL89eZaCFcLTZRPVidNpE9rD5jog3g-s5EHlAWeoxOwtiYYzQZzEnHqNCvlUwwIqmVJkDx7lY6DtphbZS0tI3WQtf9NuoH9dc2-hQc_dvJDf4r2qkHJpa302zQn22nMOi-1E4DMM-9g8Ih1quDZhzsoLnQcbGD_gAb99fkAqYQS6Uc-oSlIqmWyvV0S6UZIootlWXw-Iml8jtUmS2Vhb2WyuI-xCHVQ6NsggGdRhms1yiHEzVKEdSu1yhNEJapUSLgTZZG6YGBQxrFJluj5CRbKcVgqLBSwuHRKSvlBdhUWSsbb1gr2U9tlBPzbZVVK2wVO8shR4y5pxXbbxobFjhYhiZFJ6yMC4xanRAz1j0uNiElKXn19NikmNS_xyWmrJ72WXJSYkpcYuzyGR4zZnl6eHhO9_Bc_oXX_wG1Edt2&build-label=editors.documents-frontend_20241001.01_p5&imp-sid=CKi13MnphIkDFagJGQAdBRkGng&is-cached-offline=false"
Referrer-Policy: strict-origin-when-cross-origin
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Server: GSE
Set-Cookie: NID=518=bULFi_JTu4Jo2nhKFYlQ-OW6j_l22sEDxI5m4Z0WgPBOp9EOTgVPZz-h4wqLQw22yW9Ab1qq4kRsGhdTljo0jkUgQjhdjLFVT0-y6hRC0gMq3eVAHFxFEvY7r2QFFWFosZgVWmBMqvbedrkTtuTftK2n6w8zPb_m7XMrj08tEqlMFWU; expires=Fri, 11-Apr-2025 22:07:38 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
x-l2-request-path: l2-managed-5
Transfer-Encoding: chunked
-
DNSandroid.apis.google.comRemote address:1.1.1.1:53Requestandroid.apis.google.comIN AResponseandroid.apis.google.comIN CNAMEclients.l.google.comclients.l.google.comIN A142.250.180.14
-
216.58.204.78:443https://docs.google.com/document/d/1s0n64k12_r9MglT5m9lr63M5F3e-xRyaMeYP7rdOTrA/mobilebasictls, http
HTTP Request
GET https://docs.google.com/document/d/1s0n64k12_r9MglT5m9lr63M5F3e-xRyaMeYP7rdOTrA/mobilebasicHTTP Response
200 -
216.58.204.78:443https://docs.google.com/document/d/1IIB6hhf_BB1DaxzC1aNfLEG1K97LsPsN55AT5pFWYKo/mobilebasictls, http
HTTP Request
GET https://docs.google.com/document/d/1IIB6hhf_BB1DaxzC1aNfLEG1K97LsPsN55AT5pFWYKo/mobilebasicHTTP Response
200 -
91.204.226.105:28844 -
142.250.200.46:443tls, https
-
142.250.180.14:443android.apis.google.comtls
-
224.0.0.251:5353 -
1.1.1.1:53docs.google.comdns
DNS Request
docs.google.com
DNS Request
docs.google.com
DNS Response
216.58.204.78
-
1.1.1.1:53android.apis.google.comdns
DNS Request
android.apis.google.com
DNS Response
142.250.180.14
MITRE ATT&CK Mobile v15
Persistence
Event Triggered Execution
1Broadcast Receivers
1Foreground Persistence
1Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Hide Artifacts
1Suppress Application Icon
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
580KB
MD5ed9219be2761d62f01f05dee71f02df3
SHA1c2b904961f519a66052c04d444b34ef4c3f00e67
SHA256b8f6a3769331039a5f2dc29eba3adc431a7b086d47ec579cd143da11f137f13d
SHA512420dc0fa4e231a66fa5c26fbd7952f574aa24aec62ecdf387dd376e98dac93cbea493785d67a030bd6d6745b00c7f3b14b693f906124ee6438b6a227d682f8bd
-
Filesize
36B
MD5b7b7af51aace7d8bd41d8f7066d4009d
SHA1bd8afa517a391f047cfa6aa74cfd3a127a749010
SHA2569f03436dc48930e71fe1eb399e623d6134c9418e0f657209502a67be373356a2
SHA5123bf9e45d76174ff7802284403d8745f775cc867ab3bbe5ce5299e213d3632dcf6bf9a29569e358af0bd9542b84cab2600b7e144e2e4aad32638d1741bd109baa