Analysis
-
max time kernel
149s -
max time network
152s -
platform
android-11_x64 -
resource
android-x64-arm64-20240910-en -
resource tags
-
submitted
19-10-2024 22:09
General
-
Target
b2af5e161a222f1d404275c0276494a929c1c857c7d4ded48af86ee03cb74c81.apk
-
Size
284KB
-
MD5
e8f3a5e2e4e392fb7caf08738ab2a510
-
SHA1
8b44801f482e05865c4cf50fc87080695f86026e
-
SHA256
b2af5e161a222f1d404275c0276494a929c1c857c7d4ded48af86ee03cb74c81
-
SHA512
6e804b90ba162646e894cfad2d7f6d9d37d3bdb7af4ee5a91ccccd058c6bdc366b02c3a467758e1ee48e6a6d9ae70b5ccf1793abff6fe6b364387087aa03e5c6
-
SSDEEP
6144:UYkX0usLaONTrsGD4/urPlDVXxF6tSVKvB7qTV+BcE0R:y0usLTwaiQ91KSSBCE0R
Malware Config
Extracted
xloader_apk
http://91.204.226.105:28844
Signatures
-
XLoader payload 2 IoCs
-
XLoader, MoqHao
An Android banker and info stealer.
-
Checks if the Android device is rooted. 1 TTPs 1 IoCs
-
Removes its main activity from the application launcher 1 TTPs 1 IoCs
-
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs executable file dropped to the device during analysis.
-
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries account information for other applications stored on the device 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect account information stored on the device.
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Reads the contacts stored on the device. 1 TTPs 1 IoCs
-
Reads the content of the MMS message. 1 TTPs 1 IoCs
-
Acquires the wake lock 1 IoCs
-
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
-
Queries information about active data network 1 TTPs 1 IoCs
-
Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
-
Reads information about phone network operator. 1 TTPs
-
Requests changing the default SMS application. 2 TTPs 1 IoCs
-
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
-
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
Processes
-
sg.ccspkk.vf.hng.oxmr.jv1⤵
- Checks if the Android device is rooted.
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Queries account information for other applications stored on the device
- Reads the contacts stored on the device.
- Reads the content of the MMS message.
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Queries information about active data network
- Queries information about the current Wi-Fi connection
- Requests changing the default SMS application.
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Uses Crypto APIs (Might try to encrypt user data)
Network
MITRE ATT&CK Mobile v15
Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Hide Artifacts
2Suppress Application Icon
1User Evasion
1Discovery
Software Discovery
1Security Software Discovery
1System Information Discovery
1System Network Configuration Discovery
2System Network Connections Discovery
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
509KB
MD556cdeb711771883abba58bf795547d6b
SHA1b8681cb2081046dc3c6effebd4aca20fa35833dc
SHA256e29751533b08a75674acdf64a56219c35364c62a4559e18ca941821c21af304d
SHA512079dcc4c8000f74de910b9477919b595315181531cb804587165d8ebed6777f86c0379eae4409804035870d1468b6101883acf35d394638afcd79163d41b4a4d
-
Filesize
36B
MD534a6d7839368372c1f2ffe340e8d8247
SHA1752f1f997a2047425f740e1a49a3669fae868e8e
SHA256f17a92345d21643225d6ae115e57c86f1386f70b3b36777eb807f1f094c72b1f
SHA512343d31184500f7ece395f32ae52956bd61523113c3ed68a62c4efe39297bbdd80d2dadbf40edce52f6e17601fb94150b839dfe0423fc2aceb0b5663cd72488b0