Analysis
max time kernel: 149s
max time network: 139s
platform: android_x64
resource: android-x64-20240624-en
resource tags: android, arch:x64, arch:x86, image:android-x64-20240624-en, locale:en-us, os:android-10-x64, system
submitted: 11-10-2024 22:09
Static task: static1
Behavioral task: behavioral1
  Sample: bc3ffed68094f196e616baaca4626123b8f45bd3c42032535cae50d2034c64c8.apk
  Resource: android-x86-arm-20240624-en
Behavioral task: behavioral2
  Sample: bc3ffed68094f196e616baaca4626123b8f45bd3c42032535cae50d2034c64c8.apk
  Resource: android-x64-20240624-en
Behavioral task: behavioral3
  Sample: bc3ffed68094f196e616baaca4626123b8f45bd3c42032535cae50d2034c64c8.apk
  Resource: android-x64-arm64-20240910-en
General
Target: bc3ffed68094f196e616baaca4626123b8f45bd3c42032535cae50d2034c64c8.apk
Size: 306KB
MD5: 51f32b1f01d6f4e65472647907d3d72c
SHA1: 13a5622bd29c7405303b7a4f55f5bc99f6fa0e7f
SHA256: bc3ffed68094f196e616baaca4626123b8f45bd3c42032535cae50d2034c64c8
SHA512: a2b3c44a9c2973fc088ede0e66740bd4a380ae557c03492176ba4a93f92253280c7589c3fd41d588b186edaf12f44553feea88bd5b526cae863849ad9e95311a
SSDEEP: 6144:XNUSkNSGkM5y22bmwNR61auBHgQ1RX7z0WPTHeoZH+hBR5KmFzWizZs:X6S9D9EAE+oeBz5yS+
Malware Config
Extracted
Family: xloader_apk
C2: http://91.204.226.105:28844
Signatures
- XLoader payload (1 IoC)
  XLoader (MoqHao): an Android banker and info stealer.
  resource: /data/data/com.bnen.baft/files/dex, yara_rule: family_xloader_apk2
- Checks if the Android device is rooted. (1 TTP, 3 IoCs)
  ioc: /system/bin/su, process: com.bnen.baft
  ioc: /system/xbin/su, process: com.bnen.baft
  ioc: /sbin/su, process: com.bnen.baft
- Loads dropped Dex/Jar (1 TTP, 2 IoCs)
  Runs executable file dropped to the device during analysis.
  ioc: /data/user/0/com.bnen.baft/files/dex, pid: 5050, process: com.bnen.baft
  ioc: /data/user/0/com.bnen.baft/files/dex, pid: 5050, process: com.bnen.baft
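The dropped-code finding above is the one worth reproducing by hand: the app loaded code from /data/user/0/com.bnen.baft/files/dex, the same location the YARA hit reports as /data/data/com.bnen.baft/files/dex (on Android /data/data is a symlink to /data/user/0). The script below is an added example, not part of the sandbox report and not the sample's code: it walks an app's private data directory, picks out DEX files and dex-carrying ZIP/JAR archives by magic bytes, validates each DEX header (adler32 checksum and SHA-1 signature as defined by the DEX format) and hashes what it finds, so a truncated or patched drop is reported separately from a well-formed payload. The directory layout, the header-only DEX bytes and the file names stage2.bin, plugin.jar and prefs.txt are constructed demo data.

```python
"""Triage helper for a 'Loads dropped Dex/Jar' finding. Added example;
the demo directory and DEX bytes are constructed, not the sample's payload."""
import hashlib
import io
import os
import struct
import tempfile
import zipfile
import zlib

DEX_MAGIC_PREFIX = b"dex\n"      # full magic is dex\n + 3-digit version + NUL
ZIP_MAGIC = b"PK\x03\x04"
DEX_HEADER_SIZE = 0x70
DEX_ENDIAN_CONSTANT = 0x12345678


def parse_dex_header(data: bytes) -> dict:
    """Validate a DEX file and return its identifying header fields.
    Raises ValueError on any inconsistency."""
    if len(data) < DEX_HEADER_SIZE or not data.startswith(DEX_MAGIC_PREFIX):
        raise ValueError("not a DEX file")
    version = data[4:7].decode("ascii", errors="replace")
    (checksum,) = struct.unpack_from("<I", data, 8)
    signature = data[12:32]
    file_size, header_size, endian_tag = struct.unpack_from("<III", data, 32)
    if header_size != DEX_HEADER_SIZE or endian_tag != DEX_ENDIAN_CONSTANT:
        raise ValueError("unexpected header_size or endian_tag")
    if file_size != len(data):
        raise ValueError(f"file_size {file_size} != actual size {len(data)}")
    # DEX format: checksum covers all bytes after itself, signature likewise.
    if (zlib.adler32(data[12:]) & 0xFFFFFFFF) != checksum:
        raise ValueError("adler32 checksum mismatch")
    if hashlib.sha1(data[32:]).digest() != signature:
        raise ValueError("SHA-1 signature mismatch")
    return {"version": version, "file_size": file_size,
            "signature": signature.hex(),
            "sha256": hashlib.sha256(data).hexdigest()}


def classify_blob(data: bytes) -> tuple:
    """Return (kind, details) for one candidate file."""
    if data.startswith(DEX_MAGIC_PREFIX):
        try:
            return "dex", parse_dex_header(data)
        except ValueError as exc:
            return "dex-malformed", {"error": str(exc)}
    if data.startswith(ZIP_MAGIC):
        try:
            names = zipfile.ZipFile(io.BytesIO(data)).namelist()
        except zipfile.BadZipFile:
            return "zip-malformed", {}
        kind = "jar" if any(n.endswith(".dex") for n in names) else "zip"
        return kind, {"entries": names, "sha256": hashlib.sha256(data).hexdigest()}
    return "other", {}


def find_dropped_code(app_data_dir: str) -> list:
    """Walk an app data dir and return (relative posix path, kind, details)
    for every DEX or dex-carrying archive, sorted by path."""
    hits = []
    for root, _dirs, files in os.walk(app_data_dir):
        for name in files:
            path = os.path.join(root, name)
            with open(path, "rb") as fh:
                kind, details = classify_blob(fh.read())
            if kind.startswith(("dex", "jar")):
                rel = os.path.relpath(path, app_data_dir).replace(os.sep, "/")
                hits.append((rel, kind, details))
    return sorted(hits, key=lambda h: h[0])


def build_minimal_dex(version: bytes = b"035") -> bytes:
    """Constructed header-only DEX (no sections) with valid checksum/signature."""
    body = bytearray(DEX_HEADER_SIZE)
    body[0:8] = b"dex\n" + version + b"\0"
    struct.pack_into("<III", body, 32, DEX_HEADER_SIZE, DEX_HEADER_SIZE,
                     DEX_ENDIAN_CONSTANT)
    body[12:32] = hashlib.sha1(body[32:]).digest()
    struct.pack_into("<I", body, 8, zlib.adler32(body[12:]) & 0xFFFFFFFF)
    return bytes(body)


def build_demo_app_dir() -> str:
    """Constructed stand-in for /data/user/0/<pkg>: a good DEX at files/dex,
    a byte-flipped DEX, a JAR carrying classes.dex and one non-code file."""
    base = tempfile.mkdtemp(prefix="com.bnen.baft-")
    os.makedirs(os.path.join(base, "files"))
    os.makedirs(os.path.join(base, "cache"))
    good = build_minimal_dex()
    bad = bytearray(good)
    bad[-1] ^= 0xFF                      # breaks both signature and checksum
    with open(os.path.join(base, "files", "dex"), "wb") as fh:
        fh.write(good)
    with open(os.path.join(base, "cache", "stage2.bin"), "wb") as fh:
        fh.write(bad)
    with zipfile.ZipFile(os.path.join(base, "cache", "plugin.jar"), "w") as zf:
        zf.writestr("classes.dex", good)
    with open(os.path.join(base, "files", "prefs.txt"), "wb") as fh:
        fh.write(b"not code\n")
    return base


if __name__ == "__main__":
    for rel, kind, details in find_dropped_code(build_demo_app_dir()):
        print(f"{rel:20} {kind:14} {details}")
```

Point find_dropped_code at a copy of the app's data directory pulled from a test device; the SHA-256 values it returns are what you compare against the hashes in the Downloads section and submit for YARA scanning.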
- Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 TTP)
- Queries account information for other applications stored on the device (1 TTP, 1 IoC)
  Application may abuse the framework's APIs to collect account information stored on the device.
  description: Framework service call, ioc: android.accounts.IAccountManager.getAccounts, process: com.bnen.baft
- Queries the phone number (MSISDN for GSM devices) (1 TTP)
- Reads the contacts stored on the device. (1 TTP, 1 IoC)
  description: URI accessed for read, ioc: content://com.android.contacts/raw_contacts, process: com.bnen.baft
- Reads the content of the MMS message. (1 TTP, 1 IoC)
  description: URI accessed for read, ioc: content://mms/, process: com.bnen.baft
- Acquires the wake lock (1 IoC)
  description: Framework service call, ioc: android.os.IPowerManager.acquireWakeLock, process: com.bnen.baft
- Makes use of the framework's foreground persistence service (1 TTP, 1 IoC)
  Application may abuse the framework's foreground service to continue running in the foreground.
  description: Framework service call, ioc: android.app.IActivityManager.setServiceForeground, process: com.bnen.baft
- Queries information about active data network (1 TTP, 1 IoC)
  description: Framework service call, ioc: android.net.IConnectivityManager.getActiveNetworkInfo, process: com.bnen.baft
- Queries information about the current Wi-Fi connection (1 TTP, 1 IoC)
  Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
  description: Framework service call, ioc: android.net.wifi.IWifiManager.getConnectionInfo, process: com.bnen.baft
- Queries the unique device ID (IMEI, MEID, IMSI) (1 TTP)
- Reads information about phone network operator. (1 TTP)
- Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTP, 1 IoC)
  description: Framework service call, ioc: android.app.IActivityManager.registerReceiver, process: com.bnen.baft
- Uses Crypto APIs (might try to encrypt user data) (1 TTP, 1 IoC)
  description: Framework API call, ioc: javax.crypto.Cipher.doFinal, process: com.bnen.baft
Processes
com.bnen.baft
- Checks if the Android device is rooted.
- Loads dropped Dex/Jar
- Queries account information for other applications stored on the device
- Reads the contacts stored on the device.
- Reads the content of the MMS message.
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Queries information about active data network
- Queries information about the current Wi-Fi connection
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
PID:5050
Network
MITRE ATT&CK Mobile v15
Persistence
  Event Triggered Execution (1)
    Broadcast Receivers (1)
  Foreground Persistence (1)
Discovery
  Software Discovery (1)
    Security Software Discovery (1)
  System Information Discovery (1)
  System Network Configuration Discovery (3)
  System Network Connections Discovery (2)
Downloads
- Filesize: 572KB
  MD5: 1f8e738d4543767332a7d9f9f963b779
  SHA1: 7c7f9149b41bb2d7af38fb596a79b453b2786115
  SHA256: ebc10f9d55656de2b07cf3600c3db028b860b725748d29bc2ba71ba8d7b5f00a
  SHA512: 287341becae8f4b7d25da6f854edf55a1ff6cc6a92d8e5f7569d89e791e042db97cf60bec626e9c6b3ab6cd9a7e2eef7958ab795accdc710b625eabb2ab5891b
- Filesize: 1KB
  MD5: 206cd9a77066a9380e49a082a880bf79
  SHA1: ee5bf0435d5fe7133a7b54e9fe18649724503a0e
  SHA256: 657425024fa7b54369eef501b19b86203b8eacf70eb8d59ba1331926b99b52a3
  SHA512: 2cd2b71fb06603e4573a282ff40367ce1c9b563e4689126a16db02273fe4f60342eb089c4f15f77885e33af3c92b075405a3e82d6f7a4c5796fff7f2b9091422