Analysis
-
max time kernel
149s -
max time network
151s -
platform
android-11_x64 -
resource
android-x64-arm64-20240910-en -
resource tags
-
submitted
10-10-2024 22:05
General
-
Target
5a1e13dd40d81bc6aaaecc4eaccb24f39f38cba058f90f54d2b4d53a77961535.apk
-
Size
307KB
-
MD5
28cd7252257c13b1a151700a2a4c3724
-
SHA1
0725ba92d97e4c709f5a99999d1867f61f1d6f53
-
SHA256
5a1e13dd40d81bc6aaaecc4eaccb24f39f38cba058f90f54d2b4d53a77961535
-
SHA512
b229962b40b0ef2998b40b80a0873659cd294452bd7a6772ab1a6d54ed9f5d3109635db92adbfd978cd3bd97a74ffa000f7d22d50db206437a16c4bb9f2088b7
-
SSDEEP
6144:9Y/2chJ+C4YMagWWYo4a7YXeWRj5p9J2EXkzGVmxJifqk1bdSu1NNg93IPDkeT:9z7C4XWWY1XeWRVrJvkzGVmxJ2xbdzNL
Malware Config
Extracted
xloader_apk
http://91.204.226.105:28844
Signatures
-
XLoader payload 2 IoCs
-
XLoader, MoqHao
An Android banker and info stealer.
-
Checks if the Android device is rooted. 1 TTPs 1 IoCs
-
Removes its main activity from the application launcher 1 TTPs 1 IoCs
-
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs executable file dropped to the device during analysis.
-
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries account information for other applications stored on the device 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect account information stored on the device.
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Reads the contacts stored on the device. 1 TTPs 1 IoCs
-
Reads the content of the MMS message. 1 TTPs 1 IoCs
-
Acquires the wake lock 1 IoCs
-
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
-
Queries information about active data network 1 TTPs 1 IoCs
-
Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
-
Reads information about phone network operator. 1 TTPs
-
Requests changing the default SMS application. 2 TTPs 1 IoCs
-
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
Processes
-
dkob.al.ea1⤵
- Checks if the Android device is rooted.
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Queries account information for other applications stored on the device
- Reads the contacts stored on the device.
- Reads the content of the MMS message.
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Queries information about active data network
- Queries information about the current Wi-Fi connection
- Requests changing the default SMS application.
- Uses Crypto APIs (Might try to encrypt user data)
Network
MITRE ATT&CK Mobile v15
Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Hide Artifacts
1Suppress Application Icon
1Discovery
Software Discovery
1Security Software Discovery
1System Information Discovery
1System Network Configuration Discovery
2System Network Connections Discovery
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
580KB
MD5ed9219be2761d62f01f05dee71f02df3
SHA1c2b904961f519a66052c04d444b34ef4c3f00e67
SHA256b8f6a3769331039a5f2dc29eba3adc431a7b086d47ec579cd143da11f137f13d
SHA512420dc0fa4e231a66fa5c26fbd7952f574aa24aec62ecdf387dd376e98dac93cbea493785d67a030bd6d6745b00c7f3b14b693f906124ee6438b6a227d682f8bd
-
Filesize
36B
MD50f8facf1e92ded42ee5dc0805234e242
SHA15a210edeef4ab7bc687f26cf3bed3345d50c2f77
SHA25641e15105bc19489845e09efe74d4340f2908bdaaec24719f014d005bf16f359c
SHA51288137d7da6fec207da75d436e267a57514ee3d6d0ae5c3b722119eb1f32da13aaffca05db2123bf321127af1eae95f31bd740eab362d937c19c5b737516184cf