Analysis
-
max time kernel
149s -
max time network
139s -
platform
android_x64 -
resource
android-x64-20240624-en -
resource tags
-
submitted
15-10-2024 22:05
General
-
Target
f29d1e12c33ecc01d2bdf8a25420f01bbfdd32acbda2deefe5c81c009f4654ca.apk
-
Size
440KB
-
MD5
7bd0478785df8d4498fa4a1a2792ee3e
-
SHA1
c398f51e1daaf36361efe69d9918336873166057
-
SHA256
f29d1e12c33ecc01d2bdf8a25420f01bbfdd32acbda2deefe5c81c009f4654ca
-
SHA512
39fdefe2cf3e104f8fc340e65dfaa1e56ce56ce885e43bc8efb4508b497761ff0915ce8bf6a22435fdb5b845ce1a5f57da610007853dafbe07524bc443c459c6
-
SSDEEP
6144:6wjDIzw4hDo1oqospYLBR4UeevisUZeA8VVydrwGL/URoRU5moQiupKFf3CO/zo5:6Sgw4h01HoM63Nw34ydfTpovupKomk5
Malware Config
Extracted
xloader_apk
http://91.204.226.105:28844
Signatures
-
XLoader payload 1 IoCs
-
XLoader, MoqHao
An Android banker and info stealer.
-
Checks if the Android device is rooted. 1 TTPs 3 IoCs
-
Removes its main activity from the application launcher 1 TTPs 1 IoCs
-
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs executable file dropped to the device during analysis.
-
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries account information for other applications stored on the device 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect account information stored on the device.
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Reads the contacts stored on the device. 1 TTPs 1 IoCs
-
Reads the content of the MMS message. 1 TTPs 1 IoCs
-
Acquires the wake lock 1 IoCs
-
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
-
Queries information about active data network 1 TTPs 1 IoCs
-
Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
-
Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
-
Reads information about phone network operator. 1 TTPs
-
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
-
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
Processes
-
com.yagh.gpnk1⤵
- Checks if the Android device is rooted.
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Queries account information for other applications stored on the device
- Reads the contacts stored on the device.
- Reads the content of the MMS message.
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Queries information about active data network
- Queries information about the current Wi-Fi connection
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
Network
MITRE ATT&CK Mobile v15
Persistence
Event Triggered Execution
1Broadcast Receivers
1Foreground Persistence
1Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Hide Artifacts
1Suppress Application Icon
1Discovery
Software Discovery
1Security Software Discovery
1System Information Discovery
1System Network Configuration Discovery
3System Network Connections Discovery
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
782KB
MD581943f38b95891a341744d62af70fecb
SHA1f5e17b93b21e2d2907a1f4f1f3eba612c0f79fe1
SHA25613012f75645636977b362f60c3215f018092a02cb69db5fc0ba24f850fc034e8
SHA512bbe47a808c18120b67460b521bc487bf4ba7bb09efd85bcefbd2810b2dc8b74732b3eca5874e51db100465b4df116d09919862b381cba26c56c22fcee2080cbc
-
Filesize
1KB
MD5f23b2f57f1bd99c8c97e1c293f55f8ab
SHA17b2b9c7e13f6af2c17eb36dbaaab7859d57862cb
SHA256045b90582c80ca793c5356e79f314097db0deda3833a4f3ec7e68c454232b08b
SHA512ac6e149b805a92f67cd294d9868bd86de464e2ec5ca1331cb7d00ad2dac7fadd123ca6c886f1429aedff81f35039b4aa936705b9b7a40b6eb4c4b33e00596dc4