Analysis
-
max time kernel
149s -
max time network
151s -
platform
android-11_x64 -
resource
android-x64-arm64-20240910-en -
resource tags
-
submitted
23-10-2024 22:06
General
-
Target
5c498d0dc3e785c25ada99d3f49ec920d3ad8ff8cba4273813d3f0a52e859ee0.apk
-
Size
278KB
-
MD5
58ea4097104e05dbbcfc5421c5a9ee93
-
SHA1
7fe8a9bd522dec48e51af010366e50ea06620b08
-
SHA256
5c498d0dc3e785c25ada99d3f49ec920d3ad8ff8cba4273813d3f0a52e859ee0
-
SHA512
ede4bdb8c7ce40aff2a4bbc5411291cce838744968f6d81258be0150b18ac3e92319cbeddaf5e4eaf3332d681e1a0cf5c2859c833357322de943496cf8909db2
-
SSDEEP
6144:BQvSjB6WhOxaP9t/XHsbdA1Vj2WqW5TKpC6y6DSent7gtpS85N5S:qvSjJqot/XHwATjJY4yDp7g7SQ0
Malware Config
Extracted
xloader_apk
http://91.204.226.105:28844
Signatures
-
XLoader payload 1 IoCs
-
XLoader, MoqHao
An Android banker and info stealer.
-
Checks if the Android device is rooted. 1 TTPs 1 IoCs
-
Removes its main activity from the application launcher 1 TTPs 1 IoCs
-
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs executable file dropped to the device during analysis.
-
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries account information for other applications stored on the device 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect account information stored on the device.
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Reads the contacts stored on the device. 1 TTPs 1 IoCs
-
Reads the content of the MMS message. 1 TTPs 1 IoCs
-
Acquires the wake lock 1 IoCs
-
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
-
Queries information about active data network 1 TTPs 1 IoCs
-
Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
-
Reads information about phone network operator. 1 TTPs
-
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
-
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
Processes
-
fsoscx.cti.lg.ykl1⤵
- Checks if the Android device is rooted.
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Queries account information for other applications stored on the device
- Reads the contacts stored on the device.
- Reads the content of the MMS message.
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Queries information about active data network
- Queries information about the current Wi-Fi connection
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Uses Crypto APIs (Might try to encrypt user data)
Network
MITRE ATT&CK Mobile v15
Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Hide Artifacts
2Suppress Application Icon
1User Evasion
1Discovery
Software Discovery
1Security Software Discovery
1System Information Discovery
1System Network Configuration Discovery
2System Network Connections Discovery
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
492KB
MD57e1b639338295aaf9149d4d5cc496ed6
SHA1d89b93d56bf924551e6b421234179fd4fec859f9
SHA25602fcb596708bde924cdf258495deeb6cdb5a8016d01eff81f1b3ae449c2465fa
SHA512699ae0b027bce12865a1db5890ab38f79b22fa4b64e4739316e50e0f73e0c399ab2d4a2bc939b66b53796b821326e66822ef9102c3bce9b8e3854cabb1fa356f
-
Filesize
36B
MD50242e0797e3d34d1cd23bb6263e8aebb
SHA1306612717de1d658bf784046a1cb8935675c26f7
SHA2566523e1a94ba9db6295ea73e8a4519c907caff222335f0e0f883ecb05887181ed
SHA5122c259c64ea18cb42f74e1efb6c33ab4958d3a3386f494100540621aa8360d22a6cfbe6aee7b1692163bab12bec01458c3268c24314c855ea5276a9a594ed2697