Analysis

  • max time kernel
    149s
  • max time network
    137s
  • platform
    android_x86
  • resource
    android-x86-arm-20240624-en
  • resource tags

    androidarch:armarch:x86image:android-x86-arm-20240624-enlocale:en-usos:android-9-x86system
  • submitted
    11-10-2024 22:09

General

  • Target

    bc3ffed68094f196e616baaca4626123b8f45bd3c42032535cae50d2034c64c8.apk

  • Size

    306KB

  • MD5

    51f32b1f01d6f4e65472647907d3d72c

  • SHA1

    13a5622bd29c7405303b7a4f55f5bc99f6fa0e7f

  • SHA256

    bc3ffed68094f196e616baaca4626123b8f45bd3c42032535cae50d2034c64c8

  • SHA512

    a2b3c44a9c2973fc088ede0e66740bd4a380ae557c03492176ba4a93f92253280c7589c3fd41d588b186edaf12f44553feea88bd5b526cae863849ad9e95311a

  • SSDEEP

    6144:XNUSkNSGkM5y22bmwNR61auBHgQ1RX7z0WPTHeoZH+hBR5KmFzWizZs:X6S9D9EAE+oeBz5yS+

Malware Config

Extracted

Family

xloader_apk

C2

http://91.204.226.105:28844

DES_key

Signatures

  • XLoader payload 1 IoCs
  • XLoader, MoqHao

    An Android banker and info stealer.

  • Checks if the Android device is rooted. 1 TTPs 3 IoCs
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Queries account information for other applications stored on the device 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect account information stored on the device.

  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Reads the contacts stored on the device. 1 TTPs 1 IoCs
  • Reads the content of the MMS message. 1 TTPs 1 IoCs
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Queries information about active data network 1 TTPs 1 IoCs
  • Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

  • Reads information about phone network operator. 1 TTPs
  • Requests changing the default SMS application. 2 TTPs 1 IoCs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

Processes

  • com.bnen.baft
    1⤵
    • Checks if the Android device is rooted.
    • Loads dropped Dex/Jar
    • Queries account information for other applications stored on the device
    • Reads the contacts stored on the device.
    • Reads the content of the MMS message.
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Queries information about active data network
    • Queries information about the current Wi-Fi connection
    • Requests changing the default SMS application.
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4213

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/com.bnen.baft/files/dex

    Filesize

    572KB

    MD5

    1f8e738d4543767332a7d9f9f963b779

    SHA1

    7c7f9149b41bb2d7af38fb596a79b453b2786115

    SHA256

    ebc10f9d55656de2b07cf3600c3db028b860b725748d29bc2ba71ba8d7b5f00a

    SHA512

    287341becae8f4b7d25da6f854edf55a1ff6cc6a92d8e5f7569d89e791e042db97cf60bec626e9c6b3ab6cd9a7e2eef7958ab795accdc710b625eabb2ab5891b