
Analysis

  • max time kernel
    149s
  • max time network
    138s
  • platform
    android_x86
  • resource
    android-x86-arm-20240624-en
  • resource tags
    android
    arch:arm
    arch:x86
    image:android-x86-arm-20240624-en
    locale:en-us
    os:android-9-x86
    system
  • submitted
    10/10/2024, 22:07 UTC

General

  • Target

    0857b7925c0ab09779ea5bccdf400add91f755b65333a0baef8a6d060149c5e4.apk

  • Size

    307KB

  • MD5

    22d3566c70d744455e0bc0d6b35b9700

  • SHA1

    9e7eb5ac7d50e5c40d53270ad008e4a973d03d25

  • SHA256

    0857b7925c0ab09779ea5bccdf400add91f755b65333a0baef8a6d060149c5e4

  • SHA512

    41d9e6af47f4b5cc478223778e8cba72733c8948836686bd5ea7c16a6601aa34d95e5089d674c2398c3913706fd7b3f4f423c859d5da559542505e1ad16edbb9

  • SSDEEP

    6144:mxxcsbwqBzVFEuELPmrCyiyJ+tyqK02zGVmxJifqk1bdSu1NNg93IFFNz:mXPHEL+iyJcNz2zGVmxJ2xbdzNNg93Mz

Malware Config

Extracted

Family

xloader_apk

C2

http://91.204.226.105:28844

DES_key
1
4162356431513332

Signatures

Processes

  • iblu.zg.ws
    1⤵
    • Checks if the Android device is rooted.
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Queries account information for other applications stored on the device
    • Reads the content of the MMS message.
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Queries information about active data network
    • Queries information about the current Wi-Fi connection
    • Requests changing the default SMS application.
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4217

Network

  • flag-us
    DNS
    docs.google.com
    Remote address:
    1.1.1.1:53
    Request
    docs.google.com
    IN A
    Response
    docs.google.com
    IN A
    216.58.204.78
  • flag-us
    DNS
    docs.google.com
    Remote address:
    1.1.1.1:53
    Request
    docs.google.com
    IN A
  • flag-gb
    GET
    https://docs.google.com/document/d/1s0n64k12_r9MglT5m9lr63M5F3e-xRyaMeYP7rdOTrA/mobilebasic
    Remote address:
    216.58.204.78:443
    Request
    GET /document/d/1s0n64k12_r9MglT5m9lr63M5F3e-xRyaMeYP7rdOTrA/mobilebasic HTTP/1.1
    User-Agent: Mozilla/5.0 (Linux; Android 6.0; Nexus 5 Build/MRA58N) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.121 Mobile Safari/537.36
    Accept: text/html,*/*;q=0.8
    Accept-Encoding: gzip
    Accept-Language: zh-CN,zh;q=0.8,en;q=0.6
    Cache-Control: no-cache
    Host: docs.google.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Content-Type: text/html; charset=utf-8
    X-Robots-Tag: noarchive
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: Mon, 01 Jan 1990 00:00:00 GMT
    Date: Thu, 10 Oct 2024 22:07:37 GMT
    Content-Encoding: gzip
    P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
    Content-Security-Policy: require-trusted-types-for 'script';report-uri https://csp.withgoogle.com/csp/docs-tt
    Content-Security-Policy: base-uri 'self';object-src 'none';report-uri https://docs.google.com/document/cspreport;script-src 'report-sample' 'nonce-TeBEPPo9bNbLE6qgPS7T2Q' 'unsafe-inline' 'strict-dynamic' https: http: 'unsafe-eval';worker-src 'self' blob:
    Reporting-Endpoints: default="/document/d/1s0n64k12_r9MglT5m9lr63M5F3e-xRyaMeYP7rdOTrA/web-reports?bl=editors.documents-frontend_20241001.01_p5&context=eJwV0HtYzdkaB_Dl91vvD7W7aMRIJRRCptBwdFO7vU91lGaG1k_HZbpNT8OpkXAYHJfGc4QzTxmipN29ZGMyHZcQo3LLpUGOxrXjNl3GFLubM3W-88fnWet51_us92L223CbvggWyAXbqQgWOkSwXNhgLpgRTmgEuwr-1oIVgKONYBNtBdNCDUSNEKx6pGBTPxSsDELtBLMbLViEvWCFjoIljBHs_TjBYscLppkgmAOch_eTBbOYKtgwKIUpboJlTBNsu4dgek_B0mAvDHws2PxZgt2ZLdhz8PMV7JOF6EEVbBbcjhTsKeQuFex-lGCvYGisYKPgXpxgM5cLFgitq1ET_rNZsNdQukWwU3Bzq2CPIXCbYAtg9m7BgiBtn2BZ4JIpmCf07xfM8oBgWw-iT9iaixOmGgTzhuxCwcrhmlGwJhh-XDBnOF2J_cGjc4K1w9g6wTxgI-yG4CuCLQL_65gL9PXYHRyAMphyWzAvOHdXsBtQ2ShYLbwF-b5g_3og2CEoasIbnIar8ONjwX4Cx2eCTYPM54KVgNULwcZABfwIddAIr14L1g3RnYIlw0vogmgrlV2A26CxVpk9vBqpshA7lUWC9UyVOcGyj1W2GqrgOmT9SWWHoRFewtBQlfmGqywMvoPtn6lsH5xUVfYsUmVblqgsHfyjVPYJXIxWWQNYr8L_sCBFZXs2qSwbHsJz6IBecPmHytxgPghIhV1wCa5DM7RAO5jgiW0Di5zcKkXDrsUd0nfQFN8hNcM3lzqk3RDf3CklwaiP3kpjITziraTCsWkm6SRcdDdJjkEmaQIs3GiSloD9ZpPkDCO3mqQx0HXGJPXDwVqTVAhXl3dLDbDOu0faAqpPj_Q5RH7RI0VDVVqPdAnqF_ZKd2HW172SH9hc65XsYOjtXmkYeNn0SVoYta1PGgtpO_ukjD8Y-qQsiM_6n5QEqZ_2S7uga6Bf6oez9gNSDSxYPiAtBvd1A9JskNYPSGZQmMzkI9D0lMnNsDd_kBxUOEgOhzG7JXkiXDZI8i2oq8FdluVb4OQqy5Og6lNZvgTLFspyPFRul-ULkFQjy2uh84Us98FqMy7XOnH5BrT9Ooe_A5vuOdwO0lu8-AHY8asXT4fOd168D36e781H7PfmjvDsiDf_BeLtfHgS1Lv6cKfZPnwSpGX68L1g5ezLR8KaGb58E5yP9eV1sCPRl6dDI_nxxxD6rR9fCP1X_Lhy1Y-XNfjx72H0zLl8PDB1Lh8C_vfmcnsHf-4M74P8uRLsz_NC_HkZ3Grz50-gut2fXwYlIIBbQtn-AP49HCsN4NVQXx7A74KtMYA7gPNILZ8KLeFa3gnnvtLyWnizRsu7oXeDlg_aqOUOW7TcBZqOaXkzvKjQ8nb4-o6W74Sz97S8Bpa0ankcOHQgH_RjA3kYmMYFchofyP-uBvJ_wvovA_m-7EBeDG0lgfwdeHUFci3oIBROQBXccdDxn-HhBB1vgxkTdVwL2TE6fjcBcchZqeNFMHeNjgeBWbqO20CMUcdTz-v4Ljh0Wcf9f9LxYDjyUsd_gHNOel4LKzz1PAVezNJzE7xdpufvoS9Kz82i9XzGt3ruBbm2QfwKJDoE8U2wFTJgSkQQnwEZ8UH8_qEg3gzjG4P4Xz8I5jFwdXgwfwBVHwbzOhi8PphbQezgEL4C0sxCeAaUz8-lDz7LpdFQczKX6uGbs7m0Fyxv5lLRo1yqhI-GGsgPnCINNAlGxRlo7B82G8gDnu0x0NoCA-WcMVARJFYZaA34VBtIBxbvDGQLKV0GSoXDPQaqgMxBeVQCE5fm0c2cPHoMyafyaD1MvpFH0yFsII8ioMgnn4zwdHE-
vQbNwXwaDi45-eQGpYX5dBwaOvNpT3IBZYMhvYCOw5tHBdQNfa0FJLUVUMKbAloJXCqk4RC5opCiod6xiO6Ca2IRFaUWkRHkH4qoMaSYBv5STIPnFVPMtmJaDjv2FNO1E8XUBKfOFdMlOHqvmP4Ni4wlFAUX_1tCDZA-ppRGeJfSBLi1pZSaQKksJUvwbTlMesj7_TCVwenR5XQRDrmVUxk4hJWTC7DwchoCQ-PKaRi4biqnmeCyr5zcIKOynPJhUu0R2sCNlAo-rkbSwfgpRpoCmZ5GKoGKL410BuatM9ICuFJipNtgccpItrDqtJG-Bqf3RnKH8tCjdALGxRylyWBKOkpFvi1khIy4FsqCEUktNAFKdrfQMdAOa6WkJa20FroetFI_qA9b6XOw92sjZ_hNtFEPTKxoo1mgP9NGYdB9sY0GYK5rO4VDrGc7Tc9qpznQfqGdfgdr1w5yAmOIuVIBfcJckVRz5Vq6udIEESXmylJ49txc-QWqTebKgl5zZVEf4rDaXaNshAGdRhms1yi9SzTKoUSNUgx16zVKI4RlapQIeJutUXpg4KBGscrRKHuTLZQcCKq0UMKh5aSF0glW1ZbKhuuWSs4LK-X4PGtl5XJr5c_hwxQb8yFlhrxTivXxjifz7cxDk6ITVsQFRK1KiBnnGhebkJKUvGpabFLM6r_FJaascvsiOSkxJS4xdtl09-kzPdzdPaa5eyz7yvP_K8Hnrw&build-label=editors.documents-frontend_20241001.01_p5&imp-sid=CPmOnsnphIkDFeCIXQMd3UYotA&is-cached-offline=false"
    Referrer-Policy: strict-origin-when-cross-origin
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
    Server: GSE
    Set-Cookie: NID=518=wqp725SU0jtp-GH199wGpaazF81PZ9tUY6eyMkA3RvxebKRhaDhmPOgp5rifIUR8jZhgsO5qC00djOgwhpL4-nvhQzRf2DsKFDTOialj3IzpC8L60VJ-tVnNhCnhLeozcH6LeJpralxcMeHwtVhXBqhoHU3y8dfr2VBqHFxKvIxFuG4N; expires=Fri, 11-Apr-2025 22:07:36 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
    x-l2-request-path: l2-managed-5
    Transfer-Encoding: chunked
  • flag-gb
    GET
    https://docs.google.com/document/d/1IIB6hhf_BB1DaxzC1aNfLEG1K97LsPsN55AT5pFWYKo/mobilebasic
    Remote address:
    216.58.204.78:443
    Request
    GET /document/d/1IIB6hhf_BB1DaxzC1aNfLEG1K97LsPsN55AT5pFWYKo/mobilebasic HTTP/1.1
    User-Agent: Mozilla/5.0 (Linux; Android 6.0; Nexus 5 Build/MRA58N) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.121 Mobile Safari/537.36
    Accept: text/html,*/*;q=0.8
    Accept-Encoding: gzip
    Accept-Language: zh-CN,zh;q=0.8,en;q=0.6
    Cache-Control: no-cache
    Host: docs.google.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Content-Type: text/html; charset=utf-8
    X-Robots-Tag: noindex, nofollow, nosnippet
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: Mon, 01 Jan 1990 00:00:00 GMT
    Date: Thu, 10 Oct 2024 22:07:38 GMT
    Content-Encoding: gzip
    P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
    Content-Security-Policy: require-trusted-types-for 'script';report-uri https://csp.withgoogle.com/csp/docs-tt
    Content-Security-Policy: base-uri 'self';object-src 'none';report-uri https://docs.google.com/document/cspreport;script-src 'report-sample' 'nonce-LQIoFA_FvWXUm9sQq0J2Gg' 'unsafe-inline' 'strict-dynamic' https: http: 'unsafe-eval';worker-src 'self' blob:
    Reporting-Endpoints: default="/document/d/1IIB6hhf_BB1DaxzC1aNfLEG1K97LsPsN55AT5pFWYKo/web-reports?bl=editors.documents-frontend_20241001.01_p5&context=eJwV0HdU1FcWB_Dn7_fuT4WhSEQj0lQs2AIq0ZUmDDNnYAVJoryfrCW0cIguRARda2KJm6BuDhhFRWToII4aDMeCikbAhgpRcCXRKGsLRVd0aG5gv_njc947975z733Xon64XV8E26kIFjpEsBxItRRsI5jgpEawaxBgK1g-ONsJNtFeMC1UQ9QIwapGCjb1feQh1EGwEaMFi3AUrMBZsAQXwd6NFSx2nGCaCYI5wQV4N1kwq6mCDYMSmDJNsIzpgu3wFEzvJVga7IWBDwVbMFuwO3MEewL-foJ9tAgzqILNhvpIwR5BzjLB7kUJ9hyGxgo2ChrjBJu1QrAgaEtFT_j3V4K9gJItgp2GW1sFewhB2wRbCHN2C2aAtH2CHYTxmYJ5Qf9-wawPCLb1EOaErTk4YapRMB_IKhCsDGqgEa6bBGuG4ScEc4MzFdgjPDgvWAeMqRXMEzbBbgi-KthiCLiB_4G-DjuEA1AKk-sFmwuld1ELzsNNqGhCT3gD8j3B_nVfsMNQ2IwcnIFr8NNDwX4G58eCTYfMJ4IVg81TwVygHH6CWmiC5y8E64boTsGS4Rl0QbSNyi5CPWhsVeYIz0eqLMRBZZFgO0tlrrD8Q5WlQiXcgIN_UdkRaIJnMDRUZX7hKguD72HHJyrbB6dUlT2OVNmWpSpLh4AolX0El6JV1gC2q1EfFqaobM9mlWVBCZyAZ_ASdF-qLBRuQiO0QCt0gBl-s29gkZPbpGjYteS19D00x7-WWuDry6-l3RDf0iklwagP3khjIDzijaTC8elm6RRc8jBLzgazNAEWbTJLS8HxK7PkBiO3miUX6DprlvrhUI1ZKoBrK7qlBljn0yNtAdW3R_oUIj_rkaKhMq1Hugx1i3qluzB7Q6_kD3bXeyUHGFrfKw0Db7s-SQujtvVJYyBtZ5-U8Sdjn3QQ4g_-T0qC7R_3S7uga6Bf6odzjgNSNSxcMSAtAY91A9IckNYPSBZQkMzko9D8iMktsDdvkGwoGCSHg8tuSZ4IV4ySfBtqq3GXZfk2uLrL8iSo_FiWL8PyRbIcDxU7ZPkiJFXL8lrofCrLfZBqweUaVy7fhPaXc_lbsOueyx0gvdWbH4BvX3rzdOh868374JcFPnzEfh_uDI-P-vDfId7BlydBnbsvd53jyydBWqYv3ws2bn58JKyZ6cc3w4VYP14LXyb68X9CE_nzhxD6nT9fBP1X_blyzZ-XNvjzH2D0rHl8HDB1Hh8CAY3zuKNTAHeDd4YArgQH8NyQAF4Kt9sD-G9Q1RHAr4ASGMitoXR_IP8BjpcE8iqoKwvkd8HeFMidwG2klk-F1nAt74TzX2h5Dbxao-Xd0LtRywdt0nKnLVo-HpqPa3kLPC3X8g7YcEfLd8K5Ri2vhqVtWh4HTq_xHvRjgngYmMcGcRoXxP-hBvFvYP3nQXxfVhAvgvbiIP4WvLuCuBYWgICTUAl3nHT8F_h1go63w8yJOq6FrBgdv5uAOGSv0vFCmLdGxw1gka7jdhBj0vHtF3R8Fxy-ouMBP-t4MBx9puM_wnlXPa-BlV56ngJPZ-u5Gd4s1_N30Bel5xbRej7zOz33hhx7A78KiU4Gvhm2QgZMiTDwmZARb-D3Dht4C4xrMvC_vRfMY-Da8GB-HyrfD-a1MHh9MLeB2MEhfCWkWYTwDChbkEPvfZJDo6H6VA7VwdfncmgvWN_KocIHOVQBHww1kj-4RhppEoyKM9KYP31lJE94vMdIa_ONlH3WSIWQWGmkNeBbZSQdWL01kj2kdBlpOxzpMVI5ZA7KpWKYuCyXbmXn0kNIPp1L62HyzVyaAWEDuRQBhb55ZIJHS_LoBWgO
5dFwGJ-dR9OgpCCPTkBDZx7tSc6nLMhJz6fj8OpBPnVDX1s-Se35lPAqn1YBlwpoOESuLKBoqHMupLvgnlhI8o-F1BRSRAN_LaLB84soZlsRrYBv9xTR9ZNF1AynzxfRZVhsKqYouPSfYmqAdJcSGuFTQhPg9pYSagalooSswa_1COkh948jVApnRpfRJTg8rYxKwSmsjMYDCy-jITA0royGgfvmMpoF4_eV0TTIqCijPJhUc5Q2chNtB193E-lg3BQTTYFMLxMVQ_nnJjoL89eZaCFcLTZRPVidNpE9rD5jog3g-s5EHlAWeoxOwtiYYzQZzEnHqNCvlUwwIqmVJkDx7lY6DtphbZS0tI3WQtf9NuoH9dc2-hQc_dvJDf4r2qkHJpa302zQn22nMOi-1E4DMM-9g8Ih1quDZhzsoLnQcbGD_gAb99fkAqYQS6Uc-oSlIqmWyvV0S6UZIootlWXw-Iml8jtUmS2Vhb2WyuI-xCHVQ6NsggGdRhms1yiHEzVKEdSu1yhNEJapUSLgTZZG6YGBQxrFJluj5CRbKcVgqLBSwuHRKSvlBdhUWSsbb1gr2U9tlBPzbZVVK2wVO8shR4y5pxXbbxobFjhYhiZFJ6yMC4xanRAz1j0uNiElKXn19NikmNS_xyWmrJ72WXJSYkpcYuzyGR4zZnl6eHhO9_Bc_oXX_wG1Edt2&build-label=editors.documents-frontend_20241001.01_p5&imp-sid=CKi13MnphIkDFagJGQAdBRkGng&is-cached-offline=false"
    Referrer-Policy: strict-origin-when-cross-origin
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
    Server: GSE
    Set-Cookie: NID=518=bULFi_JTu4Jo2nhKFYlQ-OW6j_l22sEDxI5m4Z0WgPBOp9EOTgVPZz-h4wqLQw22yW9Ab1qq4kRsGhdTljo0jkUgQjhdjLFVT0-y6hRC0gMq3eVAHFxFEvY7r2QFFWFosZgVWmBMqvbedrkTtuTftK2n6w8zPb_m7XMrj08tEqlMFWU; expires=Fri, 11-Apr-2025 22:07:38 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
    x-l2-request-path: l2-managed-5
    Transfer-Encoding: chunked
  • flag-us
    DNS
    android.apis.google.com
    Remote address:
    1.1.1.1:53
    Request
    android.apis.google.com
    IN A
    Response
    android.apis.google.com
    IN CNAME
    clients.l.google.com
    clients.l.google.com
    IN A
    142.250.180.14
  • 216.58.204.78:443
    https://docs.google.com/document/d/1s0n64k12_r9MglT5m9lr63M5F3e-xRyaMeYP7rdOTrA/mobilebasic
    tls, http
    1.7kB
    19.4kB
    15
    20

    HTTP Request

    GET https://docs.google.com/document/d/1s0n64k12_r9MglT5m9lr63M5F3e-xRyaMeYP7rdOTrA/mobilebasic

    HTTP Response

    200
  • 216.58.204.78:443
    https://docs.google.com/document/d/1IIB6hhf_BB1DaxzC1aNfLEG1K97LsPsN55AT5pFWYKo/mobilebasic
    tls, http
    1.4kB
    19.6kB
    14
    21

    HTTP Request

    GET https://docs.google.com/document/d/1IIB6hhf_BB1DaxzC1aNfLEG1K97LsPsN55AT5pFWYKo/mobilebasic

    HTTP Response

    200
  • 91.204.226.105:28844
    2.1kB
    1.3kB
    31
    21
  • 142.250.200.46:443
    tls, https
    858 B
    40 B
    1
    1
  • 142.250.180.14:443
    android.apis.google.com
    tls
    5.0kB
    8.8kB
    21
    24
  • 224.0.0.251:5353
    3.8kB
    12
  • 1.1.1.1:53
    docs.google.com
    dns
    122 B
    77 B
    2
    1

    DNS Request

    docs.google.com

    DNS Request

    docs.google.com

    DNS Response

    216.58.204.78

  • 1.1.1.1:53
    android.apis.google.com
    dns
    69 B
    109 B
    1
    1

    DNS Request

    android.apis.google.com

    DNS Response

    142.250.180.14

MITRE ATT&CK Mobile v15


Downloads

  • /data/data/iblu.zg.ws/files/dex

    Filesize

    580KB

    MD5

    ed9219be2761d62f01f05dee71f02df3

    SHA1

    c2b904961f519a66052c04d444b34ef4c3f00e67

    SHA256

    b8f6a3769331039a5f2dc29eba3adc431a7b086d47ec579cd143da11f137f13d

    SHA512

    420dc0fa4e231a66fa5c26fbd7952f574aa24aec62ecdf387dd376e98dac93cbea493785d67a030bd6d6745b00c7f3b14b693f906124ee6438b6a227d682f8bd

  • /storage/emulated/0/.msg_device_id.txt

    Filesize

    36B

    MD5

    b7b7af51aace7d8bd41d8f7066d4009d

    SHA1

    bd8afa517a391f047cfa6aa74cfd3a127a749010

    SHA256

    9f03436dc48930e71fe1eb399e623d6134c9418e0f657209502a67be373356a2

    SHA512

    3bf9e45d76174ff7802284403d8745f775cc867ab3bbe5ce5299e213d3632dcf6bf9a29569e358af0bd9542b84cab2600b7e144e2e4aad32638d1741bd109baa
