Analysis
-
max time kernel
149s -
max time network
150s -
platform
android-9_x86 -
resource
android-x86-arm-20240910-en -
resource tags
-
submitted
10-10-2024 22:05
General
-
Target
4ed001e63e8f594f0ac0b02b130c0371e7ac501803f27f768fbbc3ea1ff8d7c7.apk
-
Size
302KB
-
MD5
e377c7fea94a948b81749ae97ef3168c
-
SHA1
f1a13e75c8cbf305f0929eb91c70f6d9a2b40727
-
SHA256
4ed001e63e8f594f0ac0b02b130c0371e7ac501803f27f768fbbc3ea1ff8d7c7
-
SHA512
868a35fb88b3e5b448ef7109b9a7b53493df32eb46776348c3b75cfa463dd70fff95818e23de0b2cb7c8ab838b6130460f36248ddc83de20474b49d749f93e85
-
SSDEEP
6144:X87BxLXrQ14+GXX7iu32fVOlJIj6QPX3z2p9ToCBTzg4i6eWK:XMLXh+GX2u3QVQIjJP3Ixo0eD
Malware Config
Extracted
xloader_apk
http://91.204.226.105:28844
Signatures
-
XLoader payload 2 IoCs
-
XLoader, MoqHao
An Android banker and info stealer.
-
Checks if the Android device is rooted. 1 TTPs 3 IoCs
-
Removes its main activity from the application launcher 1 TTPs 1 IoCs
-
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs executable file dropped to the device during analysis.
-
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries account information for other applications stored on the device 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect account information stored on the device.
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Reads the contacts stored on the device. 1 TTPs 1 IoCs
-
Reads the content of the MMS message. 1 TTPs 1 IoCs
-
Acquires the wake lock 1 IoCs
-
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
-
Queries information about active data network 1 TTPs 1 IoCs
-
Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
-
Requests changing the default SMS application. 2 TTPs 1 IoCs
-
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
-
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
Processes
-
jfha.bzxri.zhxik1⤵
- Checks if the Android device is rooted.
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Queries account information for other applications stored on the device
- Reads the contacts stored on the device.
- Reads the content of the MMS message.
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Queries information about active data network
- Queries information about the current Wi-Fi connection
- Requests changing the default SMS application.
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
Network
MITRE ATT&CK Mobile v15
Persistence
Event Triggered Execution
1Broadcast Receivers
1Foreground Persistence
1Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Hide Artifacts
1Suppress Application Icon
1Discovery
Software Discovery
1Security Software Discovery
1System Information Discovery
1System Network Configuration Discovery
1System Network Connections Discovery
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
580KB
MD58c7542abcfd5e2c08e99555d8d0bc605
SHA15f40007a5343603be18a1ce3c39ce43604099be5
SHA2560cd2b17aa21cd8de63842da21e3464df7bb2bd4a278fffbbfea6b294c3ca9e6d
SHA512362c7dd23aa52a9c72e9d90eebb99e1d4e4cd01b68348249bbeee4bb407728aabd30874488926635bacb2e1d640ad4e95852e345afa8ad66057c80c8f768ed88
-
Filesize
36B
MD5411ae090e5f58b78dda90c5c2860bb90
SHA1c4ecbc7d986f8fc86a2d28b7fff5f80f287eb468
SHA256aac6b1a5fe60c7ff34857441b875f90de1e971abae2ab1c3e62ef618a2af1128
SHA512105b59a87507f93918b02d4fa8bacaeb55715b1368ebc074cbed9a2ac150741ab7b6ff53dd1c18d4faf0756c3f292cf9245b35974d2b949b81017b922021f7d2