Analysis
-
max time kernel
149s -
max time network
153s -
platform
android-11_x64 -
resource
android-x64-arm64-20240910-en -
resource tags
-
submitted
22-10-2024 22:11
General
-
Target
db38af5228d5b81300343d1cf9eed7ff65c488b21454d5fa9df989c27be1b4ba.apk
-
Size
205KB
-
MD5
3f54fe5daf08a1026e50e59d417d4f31
-
SHA1
3ddd382226110d15ee7f90e597fa19ee73e0b1c3
-
SHA256
db38af5228d5b81300343d1cf9eed7ff65c488b21454d5fa9df989c27be1b4ba
-
SHA512
ab64a38a5fd2e6fe05f2e570dcb6716ce26eaeeec986782685892e3e187308690c7852c47566a0854e8fe4d07ef6b809d888731e3065ca55dce4d937006be708
-
SSDEEP
6144:FP4x2Y8Dqsz3PlMHKLATFhjHCORXelZGUXx++oPnOvC7:FPA2YLKf+MCb1efBk+VvC7
Malware Config
Extracted
xloader_apk
http://91.204.226.105:28844
Signatures
-
XLoader payload 2 IoCs
-
XLoader, MoqHao
An Android banker and info stealer.
-
Checks if the Android device is rooted. 1 TTPs 1 IoCs
-
Removes its main activity from the application launcher 1 TTPs 1 IoCs
-
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs executable file dropped to the device during analysis.
-
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries account information for other applications stored on the device 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect account information stored on the device.
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Reads the contacts stored on the device. 1 TTPs 1 IoCs
-
Reads the content of the MMS message. 1 TTPs 1 IoCs
-
Acquires the wake lock 1 IoCs
-
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
-
Queries information about active data network 1 TTPs 1 IoCs
-
Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
-
Reads information about phone network operator. 1 TTPs
-
Requests changing the default SMS application. 2 TTPs 1 IoCs
-
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
Processes
-
jtiq.fknpp.ektiz1⤵
- Checks if the Android device is rooted.
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Queries account information for other applications stored on the device
- Reads the contacts stored on the device.
- Reads the content of the MMS message.
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Queries information about active data network
- Queries information about the current Wi-Fi connection
- Requests changing the default SMS application.
- Uses Crypto APIs (Might try to encrypt user data)
Network
MITRE ATT&CK Mobile v15
Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Hide Artifacts
1Suppress Application Icon
1Discovery
Software Discovery
1Security Software Discovery
1System Information Discovery
1System Network Configuration Discovery
2System Network Connections Discovery
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
454KB
MD5c908b637c002940ef72c0f34eda33115
SHA1c886b4786f696ca4be26516a83e842863e71f728
SHA256125b57669edb6060fea0e71718ea17c957186496c2c1ea010d95c64218fe31ae
SHA51257eafa70138d9b97af7c3160306133f1591f015563f4ebe21cb4a0354a6c2a380e246de64ea54d492e84d433b77b50d887ebdd3566002799abdeba66742ec350
-
Filesize
36B
MD5da014ab7873f5939b645447fa7c8c7a1
SHA1bbc285f55a5e54980804a953361386795bd22868
SHA25627c4265a5966bdbf0508f0e39f9cc66947772bb7d3628ba0acc2eece7a537feb
SHA51237b8fc99c359e952416e22b1fe0eb42f8ff657657459649daad996863722805b4b5771bd43e7a70ed4c55e4cd8b5b2b0bbb8e93c8699770ccdabc441570ff8b0