Analysis
-
max time kernel
149s -
max time network
152s -
platform
android-11_x64 -
resource
android-x64-arm64-20240910-en -
resource tags
-
submitted
20-10-2024 22:07
General
-
Target
b70a0bbbb80e8d824d22a0c0ee5da8ca570171c08e9664466382b4ca0d5a7c6b.apk
-
Size
302KB
-
MD5
6fec6864fb7239b050fcb35f10d35ef3
-
SHA1
16dfe402658628f6cfa13824082b62f83593c4f1
-
SHA256
b70a0bbbb80e8d824d22a0c0ee5da8ca570171c08e9664466382b4ca0d5a7c6b
-
SHA512
243396e4a7b5e0bd168198fc1b103865e4c581bd8e0679908175442767bcd62447dc5071f870a185bb901186f7c2bd0f6d63c96cf14af13e80d42e897939d74f
-
SSDEEP
6144:9WbuHeOjsj06Lvqd9kmKiKlruJ+ea9rqmVMt8vp2bgTnt/aHzBO:94ajs4QvqdXZmre+xRqmO8vPDt/UBO
Malware Config
Extracted
xloader_apk
http://91.204.226.105:28844
Signatures
-
XLoader payload 1 IoCs
-
XLoader, MoqHao
An Android banker and info stealer.
-
Checks if the Android device is rooted. 1 TTPs 1 IoCs
-
Removes its main activity from the application launcher 1 TTPs 1 IoCs
-
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs executable file dropped to the device during analysis.
-
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries account information for other applications stored on the device 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect account information stored on the device.
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Reads the contacts stored on the device. 1 TTPs 1 IoCs
-
Reads the content of the MMS message. 1 TTPs 1 IoCs
-
Acquires the wake lock 1 IoCs
-
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
-
Queries information about active data network 1 TTPs 1 IoCs
-
Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
-
Reads information about phone network operator. 1 TTPs
-
Requests changing the default SMS application. 2 TTPs 1 IoCs
-
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
-
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
Processes
-
com.sgyi.dyhd1⤵
- Checks if the Android device is rooted.
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Queries account information for other applications stored on the device
- Reads the contacts stored on the device.
- Reads the content of the MMS message.
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Queries information about active data network
- Queries information about the current Wi-Fi connection
- Requests changing the default SMS application.
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Uses Crypto APIs (Might try to encrypt user data)
Network
MITRE ATT&CK Mobile v15
Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Hide Artifacts
2Suppress Application Icon
1User Evasion
1Discovery
Software Discovery
1Security Software Discovery
1System Information Discovery
1System Network Configuration Discovery
2System Network Connections Discovery
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
572KB
MD5e9b14ba46445d4e776c77cb397aaacf2
SHA19159ba397ea55f389c2551a17e998c7f1dd367cf
SHA2564614f98969b993ad6fc3c4d5e1a497404be32d31ac67fcfdbdb14b518720531b
SHA5124cb8ff639ea24b4866dfd1691e5170724dc4c87dda99841c6f2fc2f77a7cc44cd212fac229ad604ea262bb4e2a35aead0f1e59a8e27731296ec4d9e163869e7e