Analysis
-
max time kernel
33s -
max time network
156s -
platform
android_x64 -
resource
android-x64-20240624-en -
resource tags
-
submitted
21-10-2024 22:07
General
-
Target
59efc82bcef2f2c4b5ad0e8c19e3730d5af2cc356c64486dfd49ae9cbb36a65b.apk
-
Size
217KB
-
MD5
234464f2c0bdddfa469a290246ec7c24
-
SHA1
f3f1dcc25cb2ef0ab2990af5395931211886398b
-
SHA256
59efc82bcef2f2c4b5ad0e8c19e3730d5af2cc356c64486dfd49ae9cbb36a65b
-
SHA512
2a2bbc98490e7af205f9347eaaacc276d482689c6702b58b6e4fddf0e3602291ca824d6a06f8de296024f7c8bdcc20a1f37f9079a9d25b049c1873aec8f44861
-
SSDEEP
3072:GMm+j5Y8OnH9xmf/g1yZUn5hXmLtiDfEvcMdbXeJpFv2Wzz2HyBBvrfYVQiGK:a+j7y9YHgXn58YDfEjreJpY9SjY8K
Malware Config
Extracted
xloader_apk
http://91.204.226.105:28844
Signatures
-
XLoader payload 2 IoCs
-
XLoader, MoqHao
An Android banker and info stealer.
-
Checks if the Android device is rooted. 1 TTPs 3 IoCs
-
Removes its main activity from the application launcher 1 TTPs 1 IoCs
-
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs executable file dropped to the device during analysis.
-
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries account information for other applications stored on the device 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect account information stored on the device.
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Reads the contacts stored on the device. 1 TTPs 1 IoCs
-
Reads the content of the MMS message. 1 TTPs 1 IoCs
-
Acquires the wake lock 1 IoCs
-
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
-
Queries information about active data network 1 TTPs 1 IoCs
-
Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
-
Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
-
Reads information about phone network operator. 1 TTPs
-
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
-
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
Processes
-
dznz.vdhdx.qdhkn1⤵
- Checks if the Android device is rooted.
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Queries account information for other applications stored on the device
- Reads the contacts stored on the device.
- Reads the content of the MMS message.
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Queries information about active data network
- Queries information about the current Wi-Fi connection
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
Network
MITRE ATT&CK Mobile v15
Persistence
Event Triggered Execution
1Broadcast Receivers
1Foreground Persistence
1Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Hide Artifacts
1Suppress Application Icon
1Discovery
Software Discovery
1Security Software Discovery
1System Information Discovery
1System Network Configuration Discovery
3System Network Connections Discovery
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
456KB
MD5c5654523e4899cf11630fe902e74b494
SHA1d51781ac831b0442d5aaa8fb801d664f0daeb1c4
SHA256fd7e515d5732df7cc5632a8411671fdad79815c7df963ef68f728398c8c8db31
SHA51219e1fdb04673dec606e0376b0ffb4e32bd12d37cf50d22815c114ccc2a76824b114835ef858e0fbc84d89dc6be1e1951be047e24521771c05d6ce43fac137bdb
-
Filesize
36B
MD57fbaaed65d3e3ac1baf581839acf033f
SHA1b5a84e48b18f19f64a82637ce81011ed1d069ea8
SHA2568c20c2dc5eea9a777bdc7a86645dea0289af68bad02202969df1208366bf2c4b
SHA51205e5e29a43500f33615d96c7e46bcef0ed8fd5a45cc70021ee252a37423e2ac2c88d1a3276758ed79857fc48a5c7c6caa4c9467500f886c65a90acc71762aee8