Analysis
-
max time kernel
149s -
max time network
151s -
platform
android-11_x64 -
resource
android-x64-arm64-20240910-en -
resource tags
-
submitted
10-10-2024 22:09
General
-
Target
395013b3b96a7c44253339a1107a04ca26487a1d21d6e6368760544babed0eec.apk
-
Size
308KB
-
MD5
12a3be032a691156786b4e8f5c7f33d2
-
SHA1
d68dbbc4ecfc600b0d15ba67c77f5b3e728ff493
-
SHA256
395013b3b96a7c44253339a1107a04ca26487a1d21d6e6368760544babed0eec
-
SHA512
fc8efcc67a4b0f3c1947e926cb06cb59e9b8f0c20e93e38742d54f00e442368a7cdb96fc6f8374355e01e463501fecf07db0fd5651e5f84552df741e0574d296
-
SSDEEP
6144:0myKa/KHXh1JUZcdkn0aVwi7rrpZtJ7uc2hWAnFXMemm1NdwV:07K0KHTJU4aVwCr7zAn1Q
Malware Config
Extracted
xloader_apk
http://91.204.226.105:28844
Signatures
-
XLoader payload 2 IoCs
-
XLoader, MoqHao
An Android banker and info stealer.
-
Checks if the Android device is rooted. 1 TTPs 1 IoCs
-
Removes its main activity from the application launcher 1 TTPs 1 IoCs
-
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs executable file dropped to the device during analysis.
-
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries account information for other applications stored on the device 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect account information stored on the device.
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Reads the contacts stored on the device. 1 TTPs 1 IoCs
-
Reads the content of the MMS message. 1 TTPs 1 IoCs
-
Acquires the wake lock 1 IoCs
-
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
-
Queries information about active data network 1 TTPs 1 IoCs
-
Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
-
Reads information about phone network operator. 1 TTPs
-
Requests changing the default SMS application. 2 TTPs 1 IoCs
-
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
Processes
-
igcx.kg.ah1⤵
- Checks if the Android device is rooted.
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Queries account information for other applications stored on the device
- Reads the contacts stored on the device.
- Reads the content of the MMS message.
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Queries information about active data network
- Queries information about the current Wi-Fi connection
- Requests changing the default SMS application.
- Uses Crypto APIs (Might try to encrypt user data)
Network
MITRE ATT&CK Mobile v15
Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Hide Artifacts
1Suppress Application Icon
1Discovery
Software Discovery
1Security Software Discovery
1System Information Discovery
1System Network Configuration Discovery
2System Network Connections Discovery
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
580KB
MD5ed9219be2761d62f01f05dee71f02df3
SHA1c2b904961f519a66052c04d444b34ef4c3f00e67
SHA256b8f6a3769331039a5f2dc29eba3adc431a7b086d47ec579cd143da11f137f13d
SHA512420dc0fa4e231a66fa5c26fbd7952f574aa24aec62ecdf387dd376e98dac93cbea493785d67a030bd6d6745b00c7f3b14b693f906124ee6438b6a227d682f8bd
-
Filesize
1KB
MD511a277236fc19fa0c7c210d18c4847ac
SHA1f9c4639dae65b79a963fb895f80065967cfaf86f
SHA256007c14fe7b0679d12d2121494dd522d56d27f86e916d8dfa811976b2ee76719d
SHA51291b7a7862e431746b4be6c239abf9b4155dc46aff70ae9f57c7c2780e75c68e91c67cc75a9f8b472b3aec4b94516b85278dd403506f820022b12d1ef28909210
-
Filesize
36B
MD5edd6e1cdbf31e2d3f26d09d088294f87
SHA1f26554a4294e4ab36cdb9b840e07f7f1885ad241
SHA256bd2d95175e693e3f371aab104a32ee4e44d54a2d665dc14d61e6e9e125b3efcb
SHA512f74500eb7d33b0211a8cd2cf5bb2bfe3825e59cc69dc28f2fbffe10d01eab012b2fe5fdb643529af658c1915626d0008167d423e2e9d4cf2a5f93c7f36f13c5a