Analysis
-
max time kernel
149s -
max time network
150s -
platform
android-10_x64 -
resource
android-x64-20240910-en -
resource tags
-
submitted
15-10-2024 22:07
General
-
Target
2ef0d6f07ff60aad3b7bce536114c2d581bc0c45592326486056e9082cf77ff0.apk
-
Size
441KB
-
MD5
9a78f2cb88518fa674d01d281f6f24f0
-
SHA1
fb007cd09f40c415bfe1bbd48e981a1a5c329216
-
SHA256
2ef0d6f07ff60aad3b7bce536114c2d581bc0c45592326486056e9082cf77ff0
-
SHA512
9deabb87586a9bb74469da84d9386d3f4200f8ad5f0d19e23de869cf0ce443f8ebee6d15766888f888b9eede077275947bf2ca2192abcb05395fb50bf24657d7
-
SSDEEP
12288:CwelOA5hQ97AycRz8eogPvcuovupKomj3:delOA5htUe/sTvAKo2
Malware Config
Extracted
xloader_apk
http://91.204.226.105:28844
Signatures
-
XLoader payload 1 IoCs
-
XLoader, MoqHao
An Android banker and info stealer.
-
Checks if the Android device is rooted. 1 TTPs 3 IoCs
-
Removes its main activity from the application launcher 1 TTPs 1 IoCs
-
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs executable file dropped to the device during analysis.
-
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries account information for other applications stored on the device 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect account information stored on the device.
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Reads the contacts stored on the device. 1 TTPs 1 IoCs
-
Reads the content of the MMS message. 1 TTPs 1 IoCs
-
Acquires the wake lock 1 IoCs
-
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
-
Queries information about active data network 1 TTPs 1 IoCs
-
Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
-
Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
-
Reads information about phone network operator. 1 TTPs
-
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
-
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
Processes
-
com.fkkv.vkcr1⤵
- Checks if the Android device is rooted.
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Queries account information for other applications stored on the device
- Reads the contacts stored on the device.
- Reads the content of the MMS message.
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Queries information about active data network
- Queries information about the current Wi-Fi connection
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
Network
MITRE ATT&CK Mobile v15
Persistence
Event Triggered Execution
1Broadcast Receivers
1Foreground Persistence
1Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Hide Artifacts
1Suppress Application Icon
1Discovery
Software Discovery
1Security Software Discovery
1System Information Discovery
1System Network Configuration Discovery
3System Network Connections Discovery
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
782KB
MD581943f38b95891a341744d62af70fecb
SHA1f5e17b93b21e2d2907a1f4f1f3eba612c0f79fe1
SHA25613012f75645636977b362f60c3215f018092a02cb69db5fc0ba24f850fc034e8
SHA512bbe47a808c18120b67460b521bc487bf4ba7bb09efd85bcefbd2810b2dc8b74732b3eca5874e51db100465b4df116d09919862b381cba26c56c22fcee2080cbc
-
Filesize
1KB
MD5fcfc457d7c831cb326c1e0b2cec93e6c
SHA1f6d1bc819b7d0ca175fd92740e3d8c8a6d09f867
SHA2569b14c6bdbf3c9d978747a6eb6c7127a22e7a57772fb557aa9ea77981db10153c
SHA512770a330a228b19abd7a72438238c860b49ec8e9601c753f00285d3afe93cc5613aba5ac91e09e429e6ffe5fe9c3340006a20ba34c9e74db38b0194d11e990d3e