Analysis
-
max time kernel
149s -
max time network
149s -
platform
android-9_x86 -
resource
android-x86-arm-20240910-en -
resource tags
-
submitted
15-10-2024 22:07
General
-
Target
2ef0d6f07ff60aad3b7bce536114c2d581bc0c45592326486056e9082cf77ff0.apk
-
Size
441KB
-
MD5
9a78f2cb88518fa674d01d281f6f24f0
-
SHA1
fb007cd09f40c415bfe1bbd48e981a1a5c329216
-
SHA256
2ef0d6f07ff60aad3b7bce536114c2d581bc0c45592326486056e9082cf77ff0
-
SHA512
9deabb87586a9bb74469da84d9386d3f4200f8ad5f0d19e23de869cf0ce443f8ebee6d15766888f888b9eede077275947bf2ca2192abcb05395fb50bf24657d7
-
SSDEEP
12288:CwelOA5hQ97AycRz8eogPvcuovupKomj3:delOA5htUe/sTvAKo2
Malware Config
Extracted
xloader_apk
http://91.204.226.105:28844
Signatures
-
XLoader payload 1 IoCs
-
XLoader, MoqHao
An Android banker and info stealer.
-
Checks if the Android device is rooted. 1 TTPs 3 IoCs
-
Removes its main activity from the application launcher 1 TTPs 1 IoCs
-
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs executable file dropped to the device during analysis.
-
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries account information for other applications stored on the device 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect account information stored on the device.
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Reads the content of the MMS message. 1 TTPs 1 IoCs
-
Acquires the wake lock 1 IoCs
-
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
-
Queries information about active data network 1 TTPs 1 IoCs
-
Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
-
Reads information about phone network operator. 1 TTPs
-
Requests changing the default SMS application. 2 TTPs 1 IoCs
-
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
-
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
-
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
Processes
-
com.fkkv.vkcr1⤵
- Checks if the Android device is rooted.
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Queries account information for other applications stored on the device
- Reads the content of the MMS message.
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Queries information about active data network
- Queries information about the current Wi-Fi connection
- Requests changing the default SMS application.
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
Network
MITRE ATT&CK Mobile v15
Persistence
Event Triggered Execution
1Broadcast Receivers
1Foreground Persistence
1Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Hide Artifacts
2Suppress Application Icon
1User Evasion
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
782KB
MD581943f38b95891a341744d62af70fecb
SHA1f5e17b93b21e2d2907a1f4f1f3eba612c0f79fe1
SHA25613012f75645636977b362f60c3215f018092a02cb69db5fc0ba24f850fc034e8
SHA512bbe47a808c18120b67460b521bc487bf4ba7bb09efd85bcefbd2810b2dc8b74732b3eca5874e51db100465b4df116d09919862b381cba26c56c22fcee2080cbc