xloader_apk | 6088d74c622aeb5187d0aeb257d0ca8e0ee009e9f69e204be10c4736ece0aca1

Analysis

max time kernel
149s
max time network
152s
platform
android-13_x64
resource
android-33-x64-arm64-20240910-en
resource tags

arch:arm64arch:x64arch:x86image:android-33-x64-arm64-20240910-enlocale:en-usos:android-13-x64system
submitted
22-10-2024 22:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6088d74c622aeb5187d0aeb257d0ca8e0ee009e9f69e204be10c4736ece0aca1.apk
Size

278KB
MD5

769340c0fcb9bad35a0916636286f776
SHA1

b812f5aaff6843bbf9ae091bf0fb6e9cd4b40fed
SHA256

6088d74c622aeb5187d0aeb257d0ca8e0ee009e9f69e204be10c4736ece0aca1
SHA512

6306af45ea8eedea1f648410212adf17c5935e6456914856ac04a6b301714b7c5aeee0dbbeb26962ea61dda2a6e77db412f126cebecfd1c02bb902d7dcdac713
SSDEEP

6144:ldQvSjB6WhOxaP3qXHsbdA1Vj2WqW5TKpC6y6DSent7gtpS85N5+4+:lmvSjJqbXHwATjJY4yDp7g7SQ8F

Score

10^/10

xloader_apk banker collection discovery evasion impact infostealer persistence trojan

Malware Config

Extracted

Family

xloader_apk

http://91.204.226.105:28844

DES_key

Signatures

XLoader payload 1 IoCs

resource	yara_rule
behavioral1/memory/4476-0.dex	family_xloader_apk2

XLoader, MoqHao
An Android banker and info stealer.
trojan infostealer banker xloader_apk

Checks if the Android device is rooted. 1 TTPs 1 IoCs

evasion

System Information Discovery

T1426

ioc	Process
/system/bin/su	ke.sod.zp.kwlip

Loads dropped Dex/Jar 1 TTPs 1 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/ke.sod.zp.kwlip/files/b	4476	ke.sod.zp.kwlip

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001

Queries account information for other applications stored on the device 1 TTPs 1 IoCs

Application may abuse the framework's APIs to collect account information stored on the device.

collection

Stored Application Data

T1409

description	ioc	Process
Framework service call	android.accounts.IAccountManager.getAccountsAsUser	ke.sod.zp.kwlip

Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Reads the contacts stored on the device. 1 TTPs 1 IoCs

collection

Contact List

T1636.003

description	ioc	Process
URI accessed for read	content://com.android.contacts/raw_contacts	ke.sod.zp.kwlip

Reads the content of the MMS message. 1 TTPs 1 IoCs

collection

SMS Messages

T1636.004

description	ioc	Process
URI accessed for read	content://mms/	ke.sod.zp.kwlip

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	ke.sod.zp.kwlip

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

evasion persistence

Foreground Persistence

T1541

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	ke.sod.zp.kwlip

Queries information about active data network 1 TTPs 1 IoCs

discovery

System Network Connections Discovery

T1421

description	ioc	Process
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	ke.sod.zp.kwlip

Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs

evasion

User Evasion

T1628.002

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	ke.sod.zp.kwlip

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	ke.sod.zp.kwlip

ke.sod.zp.kwlip
1⤵
- Checks if the Android device is rooted.
- Loads dropped Dex/Jar
- Queries account information for other applications stored on the device
- Reads the contacts stored on the device.
- Reads the content of the MMS message.
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Queries information about active data network
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Uses Crypto APIs (Might try to encrypt user data)
PID:4476

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Foreground Persistence

T1541

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Foreground Persistence

T1541

Hide Artifacts

T1628

User Evasion

T1628.002

Credential Access

Discovery

Software Discovery

T1418

Security Software Discovery

T1418.001

System Information Discovery

T1426

System Network Configuration Discovery

T1422

System Network Connections Discovery

T1421

Lateral Movement

Collection

Protected User Data

T1636

Contact List

T1636.003

SMS Messages

T1636.004

Stored Application Data

T1409

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/ke.sod.zp.kwlip/files/b

Filesize
492KB

MD5
7e1b639338295aaf9149d4d5cc496ed6

SHA1
d89b93d56bf924551e6b421234179fd4fec859f9

SHA256
02fcb596708bde924cdf258495deeb6cdb5a8016d01eff81f1b3ae449c2465fa

SHA512
699ae0b027bce12865a1db5890ab38f79b22fa4b64e4739316e50e0f73e0c399ab2d4a2bc939b66b53796b821326e66822ef9102c3bce9b8e3854cabb1fa356f

Download Submit
/storage/emulated/0/.msg_device_id.txt

Filesize
36B

MD5
8df20ddea122b44f0382257baea5286d

SHA1
ac6dee766e71b8bc8739910e1cf081d633730f56

SHA256
b5d9581d97b17a17e4e05a08eab3c31d6d021e5fa6735ca2c62ff0ef83cc819d

SHA512
6ec0c5129aaf0d4c19790543a45fe77931c8a5eb5d411389e4827df6a14ddb8f79b04f7bc6ae50fa8b5839b1b5a08476eff00e74d2f535cbd3fa691c759e44d3

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads