xloader_apk | 5505895e10ce5303711b9d45cf4af5654f9611571f10e574fa9de554c1fcf693

Analysis

max time kernel
149s
max time network
150s
platform
android_x64
resource
android-x64-arm64-20240624-en
resource tags

androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240624-enlocale:en-usos:android-11-x64system
submitted
12-10-2024 22:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5505895e10ce5303711b9d45cf4af5654f9611571f10e574fa9de554c1fcf693.apk
Size

209KB
MD5

959828a11d73bb18838c1e202a2356ed
SHA1

08ad4ba4d59cfb5372e1f09ad307e45ea901c50c
SHA256

5505895e10ce5303711b9d45cf4af5654f9611571f10e574fa9de554c1fcf693
SHA512

0d5fa446cf1b30b970813a62a3e6666b240f0ec064785dc84ddb1da864775ebfa4403e81efbaa9fac01751a5579aa405c4209629863c3732ff7cd2bc2cdf3963
SSDEEP

6144:QBgvSY6FBI+r3VTOeIGH3nPH/yps0ozi40hmj2vgxStI2weI3:QBgmzIo3VTOeIGXd9imjM5t1hI3

Score

10^/10

xloader_apk banker collection discovery evasion impact infostealer persistence stealth trojan

Malware Config

Extracted

Family

xloader_apk

http://91.204.226.105:28844

DES_key

Signatures

XLoader payload 2 IoCs

Processes:

resource	yara_rule
/data/user/0/z.ahv.nmmp/files/d	family_xloader_apk
/data/user/0/z.ahv.nmmp/files/d	family_xloader_apk2

XLoader, MoqHao
An Android banker and info stealer.
trojan infostealer banker xloader_apk
Checks if the Android device is rooted. 1 TTPs 1 IoCs
evasion

System Information Discovery
T1426

Processes:

z.ahv.nmmp

ioc process

/system/bin/su z.ahv.nmmp
Removes its main activity from the application launcher 1 TTPs 1 IoCs
stealth trojan evasion

Suppress Application Icon
T1628.001

Processes:

z.ahv.nmmp

pid process

4501 z.ahv.nmmp
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs executable file dropped to the device during analysis.
evasion

Download New Code at Runtime
T1407

Processes:

z.ahv.nmmp

ioc pid process

/data/user/0/z.ahv.nmmp/files/d 4501 z.ahv.nmmp
/data/user/0/z.ahv.nmmp/files/d 4501 z.ahv.nmmp
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Queries account information for other applications stored on the device 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect account information stored on the device.
collection

Stored Application Data
T1409

Processes:

z.ahv.nmmp

description ioc process

Framework service call android.accounts.IAccountManager.getAccountsAsUser z.ahv.nmmp
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422
Reads the contacts stored on the device. 1 TTPs 1 IoCs
collection

Contact List
T1636.003

Processes:

z.ahv.nmmp

description ioc process

URI accessed for read content://com.android.contacts/raw_contacts z.ahv.nmmp
Reads the content of the MMS message. 1 TTPs 1 IoCs
collection

SMS Messages
T1636.004

Processes:

z.ahv.nmmp

description ioc process

URI accessed for read content://mms/ z.ahv.nmmp
Acquires the wake lock 1 IoCs

Processes:

z.ahv.nmmp

description ioc process

Framework service call android.os.IPowerManager.acquireWakeLock z.ahv.nmmp
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
evasion persistence

Foreground Persistence
T1541

Processes:

z.ahv.nmmp

description ioc process

Framework service call android.app.IActivityManager.setServiceForeground z.ahv.nmmp
Queries information about active data network 1 TTPs 1 IoCs
discovery

System Network Connections Discovery
T1421

Processes:

z.ahv.nmmp

description ioc process

Framework service call android.net.IConnectivityManager.getActiveNetworkInfo z.ahv.nmmp
Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
discovery

System Network Connections Discovery
T1421

Processes:

z.ahv.nmmp

description ioc process

Framework service call android.net.wifi.IWifiManager.getConnectionInfo z.ahv.nmmp
Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422
Requests changing the default SMS application. 2 TTPs 1 IoCs
collection impact

SMS Messages
T1636.004

SMS Control
T1582

Processes:

z.ahv.nmmp

description ioc process

Intent action android.provider.Telephony.ACTION_CHANGE_DEFAULT z.ahv.nmmp
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
impact

Data Encrypted for Impact
T1471

Processes:

z.ahv.nmmp

description ioc process

Framework API call javax.crypto.Cipher.doFinal z.ahv.nmmp

ioc	process
/system/bin/su	z.ahv.nmmp

pid	process
4501	z.ahv.nmmp

ioc	pid	process
/data/user/0/z.ahv.nmmp/files/d	4501	z.ahv.nmmp
/data/user/0/z.ahv.nmmp/files/d	4501	z.ahv.nmmp

description	ioc	process
Framework service call	android.accounts.IAccountManager.getAccountsAsUser	z.ahv.nmmp

description	ioc	process
URI accessed for read	content://com.android.contacts/raw_contacts	z.ahv.nmmp

description	ioc	process
URI accessed for read	content://mms/	z.ahv.nmmp

description	ioc	process
Framework service call	android.os.IPowerManager.acquireWakeLock	z.ahv.nmmp

description	ioc	process
Framework service call	android.app.IActivityManager.setServiceForeground	z.ahv.nmmp

description	ioc	process
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	z.ahv.nmmp

description	ioc	process
Framework service call	android.net.wifi.IWifiManager.getConnectionInfo	z.ahv.nmmp

description	ioc	process
Intent action	android.provider.Telephony.ACTION_CHANGE_DEFAULT	z.ahv.nmmp

description	ioc	process
Framework API call	javax.crypto.Cipher.doFinal	z.ahv.nmmp

z.ahv.nmmp
1⤵
- Checks if the Android device is rooted.
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Queries account information for other applications stored on the device
- Reads the contacts stored on the device.
- Reads the content of the MMS message.
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Queries information about active data network
- Queries information about the current Wi-Fi connection
- Requests changing the default SMS application.
- Uses Crypto APIs (Might try to encrypt user data)
PID:4501

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Foreground Persistence

T1541

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Foreground Persistence

T1541

Hide Artifacts

T1628

Suppress Application Icon

T1628.001

Credential Access

Discovery

Software Discovery

T1418

Security Software Discovery

T1418.001

System Information Discovery

T1426

System Network Configuration Discovery

T1422

System Network Connections Discovery

T1421

Lateral Movement

Collection

Protected User Data

T1636

Contact List

T1636.003

SMS Messages

T1636.004

Stored Application Data

T1409

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

SMS Control

T1582

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/z.ahv.nmmp/files/d

Filesize
453KB

MD5
303ba9f99e501b9d01b3c4e8036f7995

SHA1
53196b13f94d7797527cc57742ce6d7b62aae36e

SHA256
9614110dedb36006ad490df5f5ab55975d8c7ea20c24f4a6479b9da8a946e7f0

SHA512
ef95d56bd53bc3098985a279922657d66d08912bbfe1b5e5c7adb3c4d6267e79ecea28c15036ae023b3c1b052cca9e3111f9a868f7f4178f14db7eaa297e432d

Download Submit
/storage/emulated/0/.msg_device_id.txt

Filesize
36B

MD5
c0e01b943c2ad81529dfe46d3942f0f7

SHA1
9cb0d2e2c46ae2df25b95c0123a008287fee02e7

SHA256
4e43b3d03e5aa13148bedaf72194acd7aad273fee26e13d7188145f3ddfd2656

SHA512
cd31aba19ff81ac0960d02caaba0339abe2cf53f29ba1b0ce8444456cc6bd2779e051ee296d18145eaa1ecfb04ce869d1e33881007b1534362248524d76d9d92

Download Submit