xloader_apk | bc3ffed68094f196e616baaca4626123b8f45bd3c42032535cae50d2034c64c8

Analysis

max time kernel
149s
max time network
151s
platform
android-11_x64
resource
android-x64-arm64-20240910-en
resource tags

arch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240910-enlocale:en-usos:android-11-x64system
submitted
11-10-2024 22:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bc3ffed68094f196e616baaca4626123b8f45bd3c42032535cae50d2034c64c8.apk
Size

306KB
MD5

51f32b1f01d6f4e65472647907d3d72c
SHA1

13a5622bd29c7405303b7a4f55f5bc99f6fa0e7f
SHA256

bc3ffed68094f196e616baaca4626123b8f45bd3c42032535cae50d2034c64c8
SHA512

a2b3c44a9c2973fc088ede0e66740bd4a380ae557c03492176ba4a93f92253280c7589c3fd41d588b186edaf12f44553feea88bd5b526cae863849ad9e95311a
SSDEEP

6144:XNUSkNSGkM5y22bmwNR61auBHgQ1RX7z0WPTHeoZH+hBR5KmFzWizZs:X6S9D9EAE+oeBz5yS+

Score

10^/10

xloader_apk banker collection discovery evasion impact infostealer persistence trojan

Malware Config

Extracted

Family

xloader_apk

http://91.204.226.105:28844

DES_key

Signatures

XLoader payload 1 IoCs

Processes:

resource	yara_rule
/data/user/0/com.bnen.baft/files/dex	family_xloader_apk2

XLoader, MoqHao
An Android banker and info stealer.
trojan infostealer banker xloader_apk
Checks if the Android device is rooted. 1 TTPs 1 IoCs
evasion

System Information Discovery
T1426

Processes:

com.bnen.baft

ioc process

/system/bin/su com.bnen.baft
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs executable file dropped to the device during analysis.
evasion

Download New Code at Runtime
T1407

Processes:

com.bnen.baft

ioc pid process

/data/user/0/com.bnen.baft/files/dex 4714 com.bnen.baft
/data/user/0/com.bnen.baft/files/dex 4714 com.bnen.baft
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Queries account information for other applications stored on the device 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect account information stored on the device.
collection

Stored Application Data
T1409

Processes:

com.bnen.baft

description ioc process

Framework service call android.accounts.IAccountManager.getAccountsAsUser com.bnen.baft
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422
Reads the contacts stored on the device. 1 TTPs 1 IoCs
collection

Contact List
T1636.003

Processes:

com.bnen.baft

description ioc process

URI accessed for read content://com.android.contacts/raw_contacts com.bnen.baft
Reads the content of the MMS message. 1 TTPs 1 IoCs
collection

SMS Messages
T1636.004

Processes:

com.bnen.baft

description ioc process

URI accessed for read content://mms/ com.bnen.baft
Acquires the wake lock 1 IoCs

Processes:

com.bnen.baft

description ioc process

Framework service call android.os.IPowerManager.acquireWakeLock com.bnen.baft
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
evasion persistence

Foreground Persistence
T1541

Processes:

com.bnen.baft

description ioc process

Framework service call android.app.IActivityManager.setServiceForeground com.bnen.baft
Queries information about active data network 1 TTPs 1 IoCs
discovery

System Network Connections Discovery
T1421

Processes:

com.bnen.baft

description ioc process

Framework service call android.net.IConnectivityManager.getActiveNetworkInfo com.bnen.baft
Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
discovery

System Network Connections Discovery
T1421

Processes:

com.bnen.baft

description ioc process

Framework service call android.net.wifi.IWifiManager.getConnectionInfo com.bnen.baft
Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422
Requests changing the default SMS application. 2 TTPs 1 IoCs
collection impact

SMS Messages
T1636.004

SMS Control
T1582

Processes:

com.bnen.baft

description ioc process

Intent action android.provider.Telephony.ACTION_CHANGE_DEFAULT com.bnen.baft
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
evasion

User Evasion
T1628.002

Processes:

com.bnen.baft

description ioc process

Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS com.bnen.baft
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
impact

Data Encrypted for Impact
T1471

Processes:

com.bnen.baft

description ioc process

Framework API call javax.crypto.Cipher.doFinal com.bnen.baft

ioc	process
/system/bin/su	com.bnen.baft

ioc	pid	process
/data/user/0/com.bnen.baft/files/dex	4714	com.bnen.baft
/data/user/0/com.bnen.baft/files/dex	4714	com.bnen.baft

description	ioc	process
Framework service call	android.accounts.IAccountManager.getAccountsAsUser	com.bnen.baft

description	ioc	process
URI accessed for read	content://com.android.contacts/raw_contacts	com.bnen.baft

description	ioc	process
URI accessed for read	content://mms/	com.bnen.baft

description	ioc	process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.bnen.baft

description	ioc	process
Framework service call	android.app.IActivityManager.setServiceForeground	com.bnen.baft

description	ioc	process
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.bnen.baft

description	ioc	process
Framework service call	android.net.wifi.IWifiManager.getConnectionInfo	com.bnen.baft

description	ioc	process
Intent action	android.provider.Telephony.ACTION_CHANGE_DEFAULT	com.bnen.baft

description	ioc	process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.bnen.baft

description	ioc	process
Framework API call	javax.crypto.Cipher.doFinal	com.bnen.baft

com.bnen.baft
1⤵
- Checks if the Android device is rooted.
- Loads dropped Dex/Jar
- Queries account information for other applications stored on the device
- Reads the contacts stored on the device.
- Reads the content of the MMS message.
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Queries information about active data network
- Queries information about the current Wi-Fi connection
- Requests changing the default SMS application.
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Uses Crypto APIs (Might try to encrypt user data)
PID:4714

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Foreground Persistence

T1541

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Foreground Persistence

T1541

Hide Artifacts

T1628

User Evasion

T1628.002

Credential Access

Discovery

Software Discovery

T1418

Security Software Discovery

T1418.001

System Information Discovery

T1426

System Network Configuration Discovery

T1422

System Network Connections Discovery

T1421

Lateral Movement

Collection

Protected User Data

T1636

Contact List

T1636.003

SMS Messages

T1636.004

Stored Application Data

T1409

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

SMS Control

T1582

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/com.bnen.baft/files/dex

Filesize
572KB

MD5
1f8e738d4543767332a7d9f9f963b779

SHA1
7c7f9149b41bb2d7af38fb596a79b453b2786115

SHA256
ebc10f9d55656de2b07cf3600c3db028b860b725748d29bc2ba71ba8d7b5f00a

SHA512
287341becae8f4b7d25da6f854edf55a1ff6cc6a92d8e5f7569d89e791e042db97cf60bec626e9c6b3ab6cd9a7e2eef7958ab795accdc710b625eabb2ab5891b

Download Submit