xloader_apk | c4aaa1c4a7ee7ffd5e6d84afa6dcb173713a20e1bed31501f713e1548e7d5ee9

Analysis

max time kernel
149s
max time network
140s
platform
android_x64
resource
android-x64-arm64-20240624-en
resource tags

androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240624-enlocale:en-usos:android-11-x64system
submitted
16-10-2024 22:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c4aaa1c4a7ee7ffd5e6d84afa6dcb173713a20e1bed31501f713e1548e7d5ee9.apk
Size

206KB
MD5

7c51da33b3cc61cea943a7beb6f90ab9
SHA1

2b4e86be4a48f1108272a438c527456c758dc790
SHA256

c4aaa1c4a7ee7ffd5e6d84afa6dcb173713a20e1bed31501f713e1548e7d5ee9
SHA512

98f0dd2f7e209232e2adf1a923fbd357fab353038a74c2284a9cea5c1b3185207722bc242af58e573acd037a444150e4aafb9ec489b184e156af06374e969f43
SSDEEP

6144:gV7aBmLIvnfndb7iEpeLJpkqb+bFwcuIj:gVeBbh7iqeLJpkqbefTj

Score

10^/10

xloader_apk banker collection discovery evasion impact infostealer persistence stealth trojan

Malware Config

Extracted

Family

xloader_apk

http://91.204.226.105:28844

DES_key

Signatures

XLoader payload 2 IoCs

Processes:

resource	yara_rule
/data/user/0/tjau.ofxew.wwbwn/files/dex	family_xloader_apk
/data/user/0/tjau.ofxew.wwbwn/files/dex	family_xloader_apk2

XLoader, MoqHao
An Android banker and info stealer.
trojan infostealer banker xloader_apk
Checks if the Android device is rooted. 1 TTPs 1 IoCs
evasion

System Information Discovery
T1426

Processes:

tjau.ofxew.wwbwn

ioc process

/system/bin/su tjau.ofxew.wwbwn
Removes its main activity from the application launcher 1 TTPs 1 IoCs
stealth trojan evasion

Suppress Application Icon
T1628.001

Processes:

tjau.ofxew.wwbwn

pid process

4542 tjau.ofxew.wwbwn
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs executable file dropped to the device during analysis.
evasion

Download New Code at Runtime
T1407

Processes:

tjau.ofxew.wwbwn

ioc pid process

/data/user/0/tjau.ofxew.wwbwn/files/dex 4542 tjau.ofxew.wwbwn
/data/user/0/tjau.ofxew.wwbwn/files/dex 4542 tjau.ofxew.wwbwn
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Queries account information for other applications stored on the device 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect account information stored on the device.
collection

Stored Application Data
T1409

Processes:

tjau.ofxew.wwbwn

description ioc process

Framework service call android.accounts.IAccountManager.getAccountsAsUser tjau.ofxew.wwbwn
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422
Reads the contacts stored on the device. 1 TTPs 1 IoCs
collection

Contact List
T1636.003

Processes:

tjau.ofxew.wwbwn

description ioc process

URI accessed for read content://com.android.contacts/raw_contacts tjau.ofxew.wwbwn
Reads the content of the MMS message. 1 TTPs 1 IoCs
collection

SMS Messages
T1636.004

Processes:

tjau.ofxew.wwbwn

description ioc process

URI accessed for read content://mms/ tjau.ofxew.wwbwn
Acquires the wake lock 1 IoCs

Processes:

tjau.ofxew.wwbwn

description ioc process

Framework service call android.os.IPowerManager.acquireWakeLock tjau.ofxew.wwbwn
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
evasion persistence

Foreground Persistence
T1541

Processes:

tjau.ofxew.wwbwn

description ioc process

Framework service call android.app.IActivityManager.setServiceForeground tjau.ofxew.wwbwn
Queries information about active data network 1 TTPs 1 IoCs
discovery

System Network Connections Discovery
T1421

Processes:

tjau.ofxew.wwbwn

description ioc process

Framework service call android.net.IConnectivityManager.getActiveNetworkInfo tjau.ofxew.wwbwn
Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
discovery

System Network Connections Discovery
T1421

Processes:

tjau.ofxew.wwbwn

description ioc process

Framework service call android.net.wifi.IWifiManager.getConnectionInfo tjau.ofxew.wwbwn
Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422
Requests changing the default SMS application. 2 TTPs 1 IoCs
collection impact

SMS Messages
T1636.004

SMS Control
T1582

Processes:

tjau.ofxew.wwbwn

description ioc process

Intent action android.provider.Telephony.ACTION_CHANGE_DEFAULT tjau.ofxew.wwbwn
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
impact

Data Encrypted for Impact
T1471

Processes:

tjau.ofxew.wwbwn

description ioc process

Framework API call javax.crypto.Cipher.doFinal tjau.ofxew.wwbwn

ioc	process
/system/bin/su	tjau.ofxew.wwbwn

pid	process
4542	tjau.ofxew.wwbwn

ioc	pid	process
/data/user/0/tjau.ofxew.wwbwn/files/dex	4542	tjau.ofxew.wwbwn
/data/user/0/tjau.ofxew.wwbwn/files/dex	4542	tjau.ofxew.wwbwn

description	ioc	process
Framework service call	android.accounts.IAccountManager.getAccountsAsUser	tjau.ofxew.wwbwn

description	ioc	process
URI accessed for read	content://com.android.contacts/raw_contacts	tjau.ofxew.wwbwn

description	ioc	process
URI accessed for read	content://mms/	tjau.ofxew.wwbwn

description	ioc	process
Framework service call	android.os.IPowerManager.acquireWakeLock	tjau.ofxew.wwbwn

description	ioc	process
Framework service call	android.app.IActivityManager.setServiceForeground	tjau.ofxew.wwbwn

description	ioc	process
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	tjau.ofxew.wwbwn

description	ioc	process
Framework service call	android.net.wifi.IWifiManager.getConnectionInfo	tjau.ofxew.wwbwn

description	ioc	process
Intent action	android.provider.Telephony.ACTION_CHANGE_DEFAULT	tjau.ofxew.wwbwn

description	ioc	process
Framework API call	javax.crypto.Cipher.doFinal	tjau.ofxew.wwbwn

tjau.ofxew.wwbwn
1⤵
- Checks if the Android device is rooted.
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Queries account information for other applications stored on the device
- Reads the contacts stored on the device.
- Reads the content of the MMS message.
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Queries information about active data network
- Queries information about the current Wi-Fi connection
- Requests changing the default SMS application.
- Uses Crypto APIs (Might try to encrypt user data)
PID:4542

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Foreground Persistence

T1541

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Foreground Persistence

T1541

Hide Artifacts

T1628

Suppress Application Icon

T1628.001

Credential Access

Discovery

Software Discovery

T1418

Security Software Discovery

T1418.001

System Information Discovery

T1426

System Network Configuration Discovery

T1422

System Network Connections Discovery

T1421

Lateral Movement

Collection

Protected User Data

T1636

Contact List

T1636.003

SMS Messages

T1636.004

Stored Application Data

T1409

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

SMS Control

T1582

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/tjau.ofxew.wwbwn/files/dex

Filesize
456KB

MD5
a528b034f05069ba64c868aebe4667ea

SHA1
980b3bec0396befc4ae838feaf8c7fdcf827cce1

SHA256
4441dfe8763a31ee11bddeac399b41cd9f7cbe68afc7d67599d7dcc14460c6a4

SHA512
2165abe1cc38aec0f5d67f41bd4215f8a3b13b13aab590a4a7d75807f9a29a20d66eccc8056038a1fa05a5fba2ffe0b181f88d026584e6960b520289b726408b

Download Submit
/storage/emulated/0/.msg_device_id.txt

Filesize
36B

MD5
02bf82a02874a41b9d03d0c925a38f07

SHA1
2b4dc24553d30b5320eaafb6f00429be4e2e5ca4

SHA256
a51d361c06bf727b371123fec193cb29570d8b47c0eea0bacfcdc4c6c3aa6486

SHA512
e0b17c4d5cb40a5d24d1abed2c4a0c2accc2947e11c3923f1caf58a4d0888c7a517c86baf0e5c63bf1d441443e30baf390137bbb1a2e6ad9d7a01e23d15e7c58

Download Submit