Analysis
-
max time kernel
149s -
max time network
155s -
platform
android-11_x64 -
resource
android-x64-arm64-20240910-en -
resource tags
-
submitted
13-10-2024 22:04
General
-
Target
a7785fd1e6819409cbba7c2f4be79fa3cf13ad5ce10353ac07f5eaf1ccc6111d.apk
-
Size
205KB
-
MD5
20c14add61e01e2f4ebf4dd3927869e2
-
SHA1
255025116ebe94afc079b24aa2fc4337552e9d1a
-
SHA256
a7785fd1e6819409cbba7c2f4be79fa3cf13ad5ce10353ac07f5eaf1ccc6111d
-
SHA512
6f2251ca239c3ba15b5a096e1d94aff88ef9a8234747acccfd42645f9c3f8f1d23814fa1ca776c2e7d88e138f3c9f68b2e416ec4c8cb0c75af43e9350fcd972b
-
SSDEEP
6144:Mbk5Aoycx5L9DIdLulwVRGQyGWxCLTJK08LDYIro:r5wcxx9D6AwHGQyGWwRR8LDYIro
Malware Config
Extracted
xloader_apk
http://91.204.226.105:28844
Signatures
-
XLoader payload 2 IoCs
-
XLoader, MoqHao
An Android banker and info stealer.
-
Checks if the Android device is rooted. 1 TTPs 1 IoCs
-
Removes its main activity from the application launcher 1 TTPs 1 IoCs
-
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs executable file dropped to the device during analysis.
-
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries account information for other applications stored on the device 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect account information stored on the device.
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Reads the contacts stored on the device. 1 TTPs 1 IoCs
-
Reads the content of the MMS message. 1 TTPs 1 IoCs
-
Acquires the wake lock 1 IoCs
-
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
-
Queries information about active data network 1 TTPs 1 IoCs
-
Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
-
Reads information about phone network operator. 1 TTPs
-
Requests changing the default SMS application. 2 TTPs 1 IoCs
-
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
Processes
-
sp.nlsfub.yswev1⤵
- Checks if the Android device is rooted.
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Queries account information for other applications stored on the device
- Reads the contacts stored on the device.
- Reads the content of the MMS message.
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Queries information about active data network
- Queries information about the current Wi-Fi connection
- Requests changing the default SMS application.
- Uses Crypto APIs (Might try to encrypt user data)
Network
MITRE ATT&CK Mobile v15
Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Hide Artifacts
1Suppress Application Icon
1Discovery
Software Discovery
1Security Software Discovery
1System Information Discovery
1System Network Configuration Discovery
2System Network Connections Discovery
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
454KB
MD5dccd8cb67405ad4d9b53e36c040d53b9
SHA1ddba058c9cf0ad4e594c4885e7bb71a7a4442856
SHA2568c221b88e6755f04827bf176521a83a6e06ac054b3edca7aeb7c743a41fa01e6
SHA51228a25885bb0bd38d28ba3118a25253b41e17211fc00af2df6ee55ed70b8ea08862afab0661fd9db3085403bbb224f2231850b695f09bd94044e45574c27114ab
-
Filesize
36B
MD54d79eef93cff443e1bfce95c942c3f11
SHA19a3bd8613c41565d9d59a980e3280f573cf1d210
SHA2560cfa5e4e5823830e476f403064b7675f8f9bd49b22084e66016734feba6e6399
SHA512675d5a7d2dd6b6402f47a0f751ddd328e951d2c49251bc2ed410961f84e8e34d7b9c66be61c7c9a6dc86f2fb1501f285bbe5bcad342e9d0dbb75bb8a7d9eb466