Analysis
-
max time kernel
149s -
max time network
152s -
platform
android-11_x64 -
resource
android-x64-arm64-20240910-en -
resource tags
-
submitted
10-10-2024 22:07
General
-
Target
0857b7925c0ab09779ea5bccdf400add91f755b65333a0baef8a6d060149c5e4.apk
-
Size
307KB
-
MD5
22d3566c70d744455e0bc0d6b35b9700
-
SHA1
9e7eb5ac7d50e5c40d53270ad008e4a973d03d25
-
SHA256
0857b7925c0ab09779ea5bccdf400add91f755b65333a0baef8a6d060149c5e4
-
SHA512
41d9e6af47f4b5cc478223778e8cba72733c8948836686bd5ea7c16a6601aa34d95e5089d674c2398c3913706fd7b3f4f423c859d5da559542505e1ad16edbb9
-
SSDEEP
6144:mxxcsbwqBzVFEuELPmrCyiyJ+tyqK02zGVmxJifqk1bdSu1NNg93IFFNz:mXPHEL+iyJcNz2zGVmxJ2xbdzNNg93Mz
Malware Config
Extracted
xloader_apk
http://91.204.226.105:28844
Signatures
-
XLoader payload 2 IoCs
-
XLoader, MoqHao
An Android banker and info stealer.
-
Checks if the Android device is rooted. 1 TTPs 1 IoCs
-
Removes its main activity from the application launcher 1 TTPs 1 IoCs
-
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs executable file dropped to the device during analysis.
-
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries account information for other applications stored on the device 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect account information stored on the device.
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Reads the contacts stored on the device. 1 TTPs 1 IoCs
-
Reads the content of the MMS message. 1 TTPs 1 IoCs
-
Acquires the wake lock 1 IoCs
-
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
-
Queries information about active data network 1 TTPs 1 IoCs
-
Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
-
Reads information about phone network operator. 1 TTPs
-
Requests changing the default SMS application. 2 TTPs 1 IoCs
-
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
Processes
-
iblu.zg.ws1⤵
- Checks if the Android device is rooted.
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Queries account information for other applications stored on the device
- Reads the contacts stored on the device.
- Reads the content of the MMS message.
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Queries information about active data network
- Queries information about the current Wi-Fi connection
- Requests changing the default SMS application.
- Uses Crypto APIs (Might try to encrypt user data)
Network
MITRE ATT&CK Mobile v15
Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Hide Artifacts
1Suppress Application Icon
1Discovery
Software Discovery
1Security Software Discovery
1System Information Discovery
1System Network Configuration Discovery
2System Network Connections Discovery
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
580KB
MD5ed9219be2761d62f01f05dee71f02df3
SHA1c2b904961f519a66052c04d444b34ef4c3f00e67
SHA256b8f6a3769331039a5f2dc29eba3adc431a7b086d47ec579cd143da11f137f13d
SHA512420dc0fa4e231a66fa5c26fbd7952f574aa24aec62ecdf387dd376e98dac93cbea493785d67a030bd6d6745b00c7f3b14b693f906124ee6438b6a227d682f8bd
-
Filesize
1KB
MD5e6572ffced0809697e851aec3fb67eed
SHA1414779b6720ae759c92d0730c01cf372855068a9
SHA256bf206b38d928e87091094457898de2632df71b6bcea8095e0cc84e145785f6d9
SHA51277cf373232f936b46aae67d5c3b23ace0e409100bad3ee0f67151f2edc6f995853f286ffc08eb58657ab5285626e43460e402ca7a8c500bcd5769ddb859e717d
-
Filesize
36B
MD56d8e7465eacc005c39e73af47d6e3af0
SHA15c3ff3b850900a9705f78c5239ef03c63b0ca51a
SHA2567924787c9f690ebe0e0e1b1113a133b14c49117ddd94fad21f71b619c55d9b2a
SHA512e9555e77decb20d39003d3b2fb068c15cd6a35c9fb8793132ecf9d95fb7ff1d208b4219933cfe80bc22474c77600f36e26732cf39574fd1fc63b2706384d3b18