Analysis

  • max time kernel
    149s
  • max time network
    154s
  • platform
    android_x86
  • resource
    android-x86-arm-20240624-en
  • resource tags
    android, arch:arm, arch:x86, image:android-x86-arm-20240624-en, locale:en-us, os:android-9-x86, system
  • submitted
    22/10/2024, 22:13 UTC

General

  • Target

    ad951bc8007b1c7da2dd3ddcfa077aa8fe0ea58e54f866ddc04f7649505c2908.apk

  • Size

    212KB

  • MD5

    37bd366052add0c4a5e15814d60e4f94

  • SHA1

    5c3ef5696999300785ee94af5b114c689a05229e

  • SHA256

    ad951bc8007b1c7da2dd3ddcfa077aa8fe0ea58e54f866ddc04f7649505c2908

  • SHA512

    3c6c508c70167f82d9d4a5e9357117db81ce299f8f9f9e201dd6bf36c91a3c1ffd8ef6c6356f516693de44a6aa7294310a9bfc04713e3f4edcd74557923c1f18

  • SSDEEP

    6144:vYnAaRKPniQpXc+9HW1puiU9MgPVEWSDchP:zaRKPlpM2gDsrT

Malware Config

Extracted

Family

xloader_apk

C2

http://91.204.226.54:28899

DES_key

4162356431513332 (hex; decodes to the 8-byte ASCII string Ab5d1Q32, i.e. a single-DES key)

Signatures

  • XLoader payload 1 IoCs
  • XLoader, MoqHao

    An Android banker and info stealer.

  • Checks if the Android device is rooted. 1 TTPs 3 IoCs
  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 4 IoCs

    Runs executable file dropped to the device during analysis.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Queries account information for other applications stored on the device 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect account information stored on the device.

  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Reads the content of the MMS message. 1 TTPs 1 IoCs
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Reads information about phone network operator. 1 TTPs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
  • Checks CPU information 2 TTPs 1 IoCs
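
The signatures above are the sandbox's dynamic observations. As an added example, not part of this report or of the sandbox's own tooling, the following Python script shows the static counterpart an analyst runs before detonation: it parses a constructed AndroidManifest.xml for declared permissions and scans a constructed string table (the kind `strings` over classes.dex yields) for the API indicators behind each behaviour, requiring the matching permission where the behaviour needs one. The manifest, both string tables, the indicator sets and which string sits in which table are assumptions; only the package name and the behaviour names come from the report. It also illustrates the caveat the "Loads dropped Dex/Jar" signature implies: the dropper's own strings carry little beyond the loader and root checks, so the other behaviours only surface once the dropped payload (files/b under Downloads) is extracted and scanned as well.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed manifest (an assumption, not the sample's real manifest); only the
# package name comes from the report.
MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="mghzcnh.emgtlvbaj.chldju">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <application>
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
  </application>
</manifest>"""

# Constructed string tables standing in for `strings` output over the dropper's
# classes.dex and over the dropped payload; the split is an assumption.
DROPPER_STRINGS = [
    "Lmghzcnh/emgtlvbaj/chldju/MainActivity;",
    "Ldalvik/system/DexClassLoader;",
    "files/b",
    "/system/xbin/su",
    "setComponentEnabledSetting",
    "COMPONENT_ENABLED_STATE_DISABLED",
]
PAYLOAD_STRINGS = [
    "Landroid/accounts/AccountManager;",
    "getAccounts",
    "content://mms",
    "android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS",
    "startForeground",
    "registerReceiver",
    "http://91.204.226.54:28899",
]

# behaviour -> (permissions it needs, indicator substrings, indicators required)
RULES = {
    "Checks if the Android device is rooted":
        (set(), {"/system/xbin/su", "/system/bin/su", "Superuser.apk", "test-keys"}, 1),
    "Removes its main activity from the application launcher":
        (set(), {"setComponentEnabledSetting", "COMPONENT_ENABLED_STATE_DISABLED"}, 2),
    "Loads dropped Dex/Jar":
        (set(), {"dalvik/system/DexClassLoader", "dalvik/system/PathClassLoader"}, 1),
    "Queries account information for other applications stored on the device":
        ({"android.permission.GET_ACCOUNTS"}, {"android/accounts/AccountManager", "getAccounts"}, 1),
    "Reads the content of the MMS message":
        ({"android.permission.READ_SMS"}, {"content://mms"}, 1),
    "Requests disabling of battery optimizations":
        ({"android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"},
         {"android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"}, 1),
    "Makes use of the framework's foreground persistence service":
        ({"android.permission.FOREGROUND_SERVICE"}, {"startForeground"}, 1),
    "Registers a broadcast receiver at runtime":
        (set(), {"registerReceiver"}, 1),
}


def declared_permissions(manifest_xml):
    """Set of android:name values from every <uses-permission> element."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}


def has_launcher_activity(manifest_xml):
    """True if an activity carries a MAIN/LAUNCHER filter. The launcher-hiding
    behaviour disables that component at runtime, so the manifest alone
    cannot show that the icon will disappear."""
    root = ET.fromstring(manifest_xml)
    for act in root.iter("activity"):
        for flt in act.iter("intent-filter"):
            cats = {c.get(ANDROID_NS + "name") for c in flt.iter("category")}
            if "android.intent.category.LAUNCHER" in cats:
                return True
    return False


def evaluate(manifest_xml, strings):
    """Match every rule against the string table; report matched indicators and
    any permission the behaviour needs that the manifest does not declare."""
    perms = declared_permissions(manifest_xml)
    blob = "\n".join(strings)
    findings = {}
    for name, (needed, indicators, minimum) in RULES.items():
        matched = sorted(i for i in indicators if i in blob)
        if len(matched) < minimum:
            continue
        findings[name] = {"indicators": matched,
                          "missing_permissions": sorted(needed - perms)}
    return findings


if __name__ == "__main__":
    for label, table in (("dropper", DROPPER_STRINGS), ("payload", PAYLOAD_STRINGS)):
        print(label)
        for name, info in evaluate(MANIFEST, table).items():
            print(f"  {name}: {info}")
```

A behaviour whose API indicator is present but whose permission is missing from the manifest is worth a second look either way: the call will fail at runtime on Android 9, or the permission is declared in the payload's own manifest and the dropper is only the carrier.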

Processes

  • mghzcnh.emgtlvbaj.chldju
    • Checks if the Android device is rooted.
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Queries account information for other applications stored on the device
    • Reads the content of the MMS message.
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Uses Crypto APIs (Might try to encrypt user data)
    • Checks CPU information
    PID:4300

Network

  • DNS A lookup: semanticlocation-pa.googleapis.com
    Resolver: 1.1.1.1:53 (remote geolocated US)
    Answers: 172.217.16.234, 216.58.204.74, 172.217.169.10, 142.250.200.10, 142.250.180.10, 142.250.187.202, 142.250.179.234, 216.58.201.106, 142.250.187.234, 142.250.178.10, 142.250.200.42
  • DNS A lookup: m.vk.com
    Resolver: 1.1.1.1:53 (remote geolocated US)
    Answers: 93.186.225.194, 87.240.132.78, 87.240.129.133, 87.240.132.67, 87.240.132.72, 87.240.137.164
  • HTTP GET https://m.vk.com/id730149630?act=info
    Remote address: 93.186.225.194:443 (geolocated RU)
    Request
    GET /id730149630?act=info HTTP/1.1
    User-Agent: Mozilla/5.0 (Linux; Android 8.0.0; SM-G955U Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Mobile Safari/537.36 Edg/112.0.0.0
    Upgrade-Insecure-Requests: 1
    Cookie: remixmdevice=390/844/3/!!!!!!!!!!!
    Referer: https://m.vk.com/id730149630?act=info
    Accept: text/html,*/*;q=0.8
    Accept-Encoding: gzip
    Accept-Language: zh-CN,zh;q=0.8,en;q=0.6
    Host: m.vk.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Server: kittenx
    Date: Tue, 22 Oct 2024 22:13:22 GMT
    Content-Type: text/html; charset=utf-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: KPHP/7.4.118972
    Set-Cookie: remixir=DELETED; expires=Thu, 01 Jan 1970 00:00:01 GMT; path=/; domain=.vk.com; secure; HttpOnly; SameSite=None
    Set-Cookie: remixlang=18; expires=Thu, 23 Oct 2025 11:34:16 GMT; path=/; domain=.vk.com; secure; SameSite=None
    Set-Cookie: remixstlid=9092250881709577273_tuQnlo9jfZk33OKNlHfYL9Tqzkl8zIphc9y45mV7P04; expires=Wed, 22 Oct 2025 22:13:22 GMT; path=/; domain=.vk.com; secure; SameSite=None
    Set-Cookie: remixir=DELETED; expires=Thu, 01 Jan 1970 00:00:01 GMT; path=/; domain=.vk.com; secure; HttpOnly; SameSite=None
    Cache-control: no-store
    Content-Security-Policy: default-src * data: blob: about: vkcalls:;script-src 'self' https://vk.com https://*.vk.com https://vk.ru https://*.vk.ru https://static.vk.me https://*.mail.ru https://r.mradx.net https://s.ytimg.com https://platform.twitter.com https://cdn.syndication.twimg.com https://www.instagram.com https://connect.facebook.net https://telegram.org https://*.yandex.ru https://*.google-analytics.com https://*.youtube.com https://maps.googleapis.com https://translate.googleapis.com https://*.google.com https://google.com https://*.vkpartner.ru https://*.moatads.com https://*.adlooxtracking.ru https://*.serving-sys.ru https://*.weborama-tech.ru https://*.gstatic.com https://*.google.ru https://securepubads.g.doubleclick.net https://cdn.ampproject.org https://www.googletagmanager.com https://googletagmanager.com https://*.vk-cdn.net https://*.hit.gemius.pl https://yastatic.net https://analytics.tiktok.com 'unsafe-inline' 'unsafe-eval' blob:;style-src https://vk.com https://*.vk.com https://vk.ru https://*.vk.ru https://static.vk.me https://r.mradx.net https://ton.twimg.com https://tagmanager.google.com https://platform.twitter.com https://*.googleapis.com 'self' 'unsafe-inline'
    X-XSS-Protection: 1; report=/xss_reports
    Reporting-Endpoints: default="https://m.vk.com/browser_reports?dest=default_reports"
    Content-Encoding: gzip
    Strict-Transport-Security: max-age=15768000
    X-Trace-Id: m-6kzqvr0pXvRdJ6O2R61P8MhfcIog
    Server-Timing: tid;desc="m-6kzqvr0pXvRdJ6O2R61P8MhfcIog"
  • DNS A lookup: android.apis.google.com
    Resolver: 1.1.1.1:53 (remote geolocated US)
    Answer: CNAME clients.l.google.com, A 142.250.200.14
Connections (one row per connection, in the order the sandbox recorded them):

  Remote address        Domain / URL                              Protocols    Sent     Received  Pkts out  Pkts in
  142.250.200.42:443    -                                         tls, https   202 B    40 B      1         1
  93.186.225.194:443    https://m.vk.com/id730149630?act=info     tls, http    4.2kB    155.2kB   66        108
  91.204.226.54:28899   -                                         -            407 B    132 B     5         3
  91.204.226.54:28899   -                                         -            447 B    132 B     6         3
  91.204.226.54:28899   -                                         -            447 B    132 B     6         3
  91.204.226.54:28899   -                                         -            407 B    132 B     5         3
  91.204.226.54:28899   -                                         -            447 B    132 B     6         3
  216.58.204.78:443     -                                         tls, https   858 B    40 B      1         1
  142.250.200.14:443    android.apis.google.com                   tls          4.7kB    8.5kB     14        22
  91.204.226.54:28899   -                                         -            447 B    132 B     6         3
  91.204.226.54:28899   -                                         -            447 B    132 B     6         3
  91.204.226.54:28899   -                                         -            447 B    132 B     6         3
  91.204.226.54:28899   -                                         -            407 B    132 B     5         3
  91.204.226.54:28899   -                                         -            447 B    132 B     6         3
  91.204.226.54:28899   -                                         -            407 B    132 B     5         3
  91.204.226.54:28899   -                                         -            407 B    132 B     5         3
  91.204.226.54:28899   -                                         -            407 B    132 B     5         3
  91.204.226.54:28899   -                                         -            447 B    132 B     6         3
  91.204.226.54:28899   -                                         -            447 B    132 B     6         3
  91.204.226.54:28899   -                                         -            447 B    132 B     6         3
  91.204.226.54:28899   -                                         -            447 B    132 B     6         3
  91.204.226.54:28899   -                                         -            407 B    132 B     5         3
  91.204.226.54:28899   -                                         -            407 B    132 B     5         3
  91.204.226.54:28899   -                                         -            447 B    132 B     6         3
  91.204.226.54:28899   -                                         -            447 B    132 B     6         3
  91.204.226.54:28899   -                                         -            567 B    132 B     8         3
  91.204.226.54:28899   -                                         -            447 B    132 B     6         3
  91.204.226.54:28899   -                                         -            447 B    132 B     6         3
  91.204.226.54:28899   -                                         -            447 B    132 B     6         3
  91.204.226.54:28899   -                                         -            407 B    132 B     5         3
  91.204.226.54:28899   -                                         -            447 B    132 B     6         3
  91.204.226.54:28899   -                                         -            447 B    132 B     6         3
  91.204.226.54:28899   -                                         -            447 B    132 B     6         3
  91.204.226.54:28899   -                                         -            447 B    132 B     6         3
  91.204.226.54:28899   -                                         -            407 B    132 B     5         3
  91.204.226.54:28899   -                                         -            407 B    132 B     5         3
  91.204.226.54:28899   -                                         -            447 B    132 B     6         3
  91.204.226.54:28899   -                                         -            447 B    132 B     6         3
  91.204.226.54:28899   -                                         -            407 B    132 B     5         3
  91.204.226.54:28899   -                                         -            447 B    132 B     6         3
  91.204.226.54:28899   -                                         -            407 B    132 B     5         3
  91.204.226.54:28899   -                                         -            407 B    132 B     5         3
  91.204.226.54:28899   -                                         -            447 B    132 B     6         3
  91.204.226.54:28899   -                                         -            447 B    132 B     6         3
  91.204.226.54:28899   -                                         -            447 B    132 B     6         3
  91.204.226.54:28899   -                                         -            447 B    132 B     6         3
  91.204.226.54:28899   -                                         -            447 B    132 B     6         3
  91.204.226.54:28899   -                                         -            407 B    132 B     5         3
  91.204.226.54:28899   -                                         -            447 B    132 B     6         3
  91.204.226.54:28899   -                                         -            407 B    132 B     5         3
  91.204.226.54:28899   -                                         -            407 B    132 B     5         3
  91.204.226.54:28899   -                                         -            407 B    132 B     5         3
  91.204.226.54:28899   -                                         -            447 B    132 B     6         3
  91.204.226.54:28899   -                                         -            407 B    132 B     5         3
  91.204.226.54:28899   -                                         -            407 B    132 B     5         3
  91.204.226.54:28899   -                                         -            447 B    132 B     6         3
  91.204.226.54:28899   -                                         -            407 B    132 B     5         3
  91.204.226.54:28899   -                                         -            567 B    132 B     8         3
  91.204.226.54:28899   -                                         -            447 B    132 B     6         3
  91.204.226.54:28899   -                                         -            407 B    132 B     5         3
  91.204.226.54:28899   -                                         -            407 B    132 B     5         3
  91.204.226.54:28899   -                                         -            447 B    132 B     6         3
  91.204.226.54:28899   -                                         -            407 B    132 B     5         3
  91.204.226.54:28899   -                                         -            407 B    132 B     5         3
  91.204.226.54:28899   -                                         -            447 B    132 B     6         3
  91.204.226.54:28899   -                                         -            407 B    132 B     5         3
  91.204.226.54:28899   -                                         -            447 B    132 B     6         3
  91.204.226.54:28899   -                                         -            407 B    132 B     5         3
  224.0.0.251:5353      -                                         mdns         3.7kB    -         11        -
  1.1.1.1:53            semanticlocation-pa.googleapis.com        dns          80 B     256 B     1         1
  1.1.1.1:53            m.vk.com                                  dns          54 B     150 B     1         1
  1.1.1.1:53            android.apis.google.com                   dns          69 B     109 B     1         1

The 93.186.225.194:443 connection carries the single GET https://m.vk.com/id730149630?act=info shown above (response 200). The three 1.1.1.1:53 rows are the DNS lookups listed above; the 224.0.0.251:5353 row is multicast, so only the outbound side is recorded. None of the 64 connections to the extracted C2 91.204.226.54:28899 shows a TLS tag, consistent with the plain http:// C2 URL in the Malware Config.
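
The 64 short connections to 91.204.226.54:28899 above fall into three shapes (407 B in 5 packets, 447 B in 6, 567 B in 8 sent; always 132 B in 3 packets back) on a non-standard port with no TLS. As an added example, not part of this report or of any sandbox tooling, the following Python script turns that pattern into a flow-level beacon heuristic and runs it over constructed flow records that mirror the table: the three Google/VK rows are copied from it and the C2 rows repeat the report's three sizes to give 60 flows. The thresholds (at least 10 connections, coefficient of variation of request size at most 0.25) and the well-known-port list are assumptions chosen for illustration, not values from the report.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records in the shape of the report's connection table:
# (dst_ip, dst_port, protocol tags, bytes sent, bytes received, packets out, packets in).
FLOWS = [
    ("142.250.200.42", 443, ("tls", "https"), 202, 40, 1, 1),
    ("93.186.225.194", 443, ("tls", "http"), 4200, 155200, 66, 108),
    ("142.250.200.14", 443, ("tls",), 4700, 8500, 14, 22),
] + [
    ("91.204.226.54", 28899, (), sent, 132, pkts, 3)
    for sent, pkts in [(407, 5), (447, 6), (447, 6), (407, 5), (447, 6), (567, 8)] * 10
]

# Assumed list of ports where many short connections are unremarkable.
WELL_KNOWN_PORTS = {53, 80, 443, 853, 8080, 8443}


def group_by_destination(flows):
    """Bucket flows by (dst_ip, dst_port)."""
    groups = defaultdict(list)
    for f in flows:
        groups[(f[0], f[1])].append(f)
    return groups


def coefficient_of_variation(values):
    """Population stddev divided by mean; 0 for a constant or empty series."""
    if not values:
        return 0.0
    m = mean(values)
    return pstdev(values) / m if m else 0.0


def beacon_score(group):
    """Summarise one destination's flows by the properties a beacon detector uses."""
    ip, port = group[0][0], group[0][1]
    sent = [f[3] for f in group]
    recv = [f[4] for f in group]
    protos = {tag for f in group for tag in f[2]}
    return {
        "dst": (ip, port),
        "connections": len(group),
        "sent_cv": coefficient_of_variation(sent),   # near-constant request size
        "recv_constant": len(set(recv)) == 1,        # identical reply every time
        "cleartext": "tls" not in protos,
        "unusual_port": port not in WELL_KNOWN_PORTS,
    }


def find_beacons(flows, min_connections=10, max_sent_cv=0.25):
    """Return the scores of destinations that look like a polling C2 channel:
    many connections, near-constant request size and a fixed-size reply."""
    hits = []
    for group in group_by_destination(flows).values():
        s = beacon_score(group)
        if (s["connections"] >= min_connections
                and s["sent_cv"] <= max_sent_cv
                and s["recv_constant"]):
            hits.append(s)
    return hits


if __name__ == "__main__":
    for hit in find_beacons(FLOWS):
        print(hit)
```

The cleartext and unusual-port flags are reported rather than required, so the same heuristic still fires on a beacon that moves to 443 with TLS; they only raise the priority of a hit. A sandbox run is a compressed timeline, so on production flow data the interval between connections belongs in the score as well.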

MITRE ATT&CK Mobile v15

Downloads

  • /data/data/mghzcnh.emgtlvbaj.chldju/app_picture/1.jpg

    Filesize

    8KB

    MD5

    057cdc19c8bacde2e26cecbfa682f5d1

    SHA1

    fddf4c999f8675319b6a969f393e0160eda85122

    SHA256

    15ac92fbb6f6adff93f6cae33e126d64529e7ada14fc6a74fd00ca2fbe93f09b

    SHA512

    bbd81da3860784eb8a7379c3ff7eb4ccf557b32482766a5f8213c904929079895a6e2af3401404d3e0f1e8ce2b45ca654ff50aa10305d9374af8f69618054947

  • /data/data/mghzcnh.emgtlvbaj.chldju/files/b

    Filesize

    446KB

    MD5

    5705e5b58e9503402cf66c15fbc1d854

    SHA1

    ac943d94e87db55183a1cf24517c3d40361a2d03

    SHA256

    c8e371d5021bc1f77ea2062c2a568ada090e464099596476536816b4feb1f5e8

    SHA512

    46ed8f6f3a670ef3dbf0477353d3da5a19f3a188b51ee8cea492e3a6ffed77d14663eb1732bc084bdd78f4fea0a4190c39399a20aa2f6b6c92fc91bded97e70d

  • /data/user/0/mghzcnh.emgtlvbaj.chldju/app_picture/1.jpg

    Filesize

    8KB

    MD5

    366459f9f710d70058a33dd9924d0fc5

    SHA1

    bbe3f211e0c5a2432633561a56e884bddccf5cf4

    SHA256

    9137d229c19dbf32bd2e9f71c16b60e9313fab9bab9d4a540b105648b1bc7343

    SHA512

    53fc0870add4416449f157c05509333bd9c7300efa25664f6ad9564fe83fef9103a466245fb77dedf78bf103d6c77fc2d4ac917e598db39b5dd56735d824d025

  • /storage/emulated/0/.msg_device_id.txt

    Filesize

    36B

    MD5

    96caf772e3c6c9db8a7f91580724e873

    SHA1

    aaa4dbc75dc5941189277d011e48873e5e2afd42

    SHA256

    78948147d6f77b4d8bd1c12b0793595d0fc256ea8158854223285d9820d24f7f

    SHA512

    8d47aa3ba06b925f1467b8c1c60243bf3068ea7bbf71daa4e6c416156439f7e332b30b154f8848a160ad221be8e83cad8c0a1716f58241e1fecbb4e7ff8f9160
