Analysis
-
max time kernel
149s -
max time network
150s -
platform
android-11_x64 -
resource
android-x64-arm64-20240910-en -
resource tags
arch:arm, arch:arm64, arch:x64, arch:x86, image:android-x64-arm64-20240910-en, locale:en-us, os:android-11-x64, system -
submitted
26-10-2024 22:00
Static task
static1
Behavioral task
behavioral1
Sample
493d7817985ec344186af767841c59b5fa1b29b0071363a606baaafc834237f8.apk
Resource
android-x64-arm64-20240910-en
General
-
Target
493d7817985ec344186af767841c59b5fa1b29b0071363a606baaafc834237f8.apk
-
Size
208KB
-
MD5
71dee152c04bfdd026bd8fb8e5544296
-
SHA1
6dd5305c562eec513c8955f93d827f28866ada35
-
SHA256
493d7817985ec344186af767841c59b5fa1b29b0071363a606baaafc834237f8
-
SHA512
83546ad8689327be7849cc31c082975d18c9d1e2f8d68a184131da9f38a712f0de705ee2adcf97f451e293744374085a6108d2b0f070029a7c6fc7848b1aae49
-
SSDEEP
6144:b38jvNJqZ/P7WIEqgQlGUoq3OIEuWJk1D:ojFmXSIbV7FyJk1D
Malware Config
Extracted
xloader_apk
http://91.204.226.105:28844
Signatures
-
XLoader payload 2 IoCs
Processes:
resource | yara_rule
behavioral1/files/fstream-1.dat | family_xloader_apk
behavioral1/files/fstream-1.dat | family_xloader_apk2
-
XLoader, MoqHao
An Android banker and info stealer.
-
Xloader_apk family
-
Checks if the Android device is rooted. 1 TTPs 1 IoCs
-
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs executable file dropped to the device during analysis.
Processes:
ioc | pid | Process
/data/user/0/l.clq.yfepwz/files/d | 4772 | l.clq.yfepwz
/data/user/0/l.clq.yfepwz/files/d | 4772 | l.clq.yfepwz
-
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries account information for other applications stored on the device 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect account information stored on the device.
Processes:
description | ioc | Process
Framework service call | android.accounts.IAccountManager.getAccountsAsUser | l.clq.yfepwz
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Reads the contacts stored on the device. 1 TTPs 1 IoCs
Processes:
description | ioc | Process
URI accessed for read | content://com.android.contacts/raw_contacts | l.clq.yfepwz
-
Reads the content of the MMS message. 1 TTPs 1 IoCs
Processes:
description | ioc | Process
URI accessed for read | content://mms/ | l.clq.yfepwz
-
Acquires the wake lock 1 IoCs
Processes:
description | ioc | Process
Framework service call | android.os.IPowerManager.acquireWakeLock | l.clq.yfepwz
-
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
Processes:
description | ioc | Process
Framework service call | android.app.IActivityManager.setServiceForeground | l.clq.yfepwz
-
Queries information about active data network 1 TTPs 1 IoCs
Processes:
description | ioc | Process
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | l.clq.yfepwz
-
Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
Processes:
description | ioc | Process
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | l.clq.yfepwz
-
Reads information about phone network operator. 1 TTPs
-
Requests changing the default SMS application. 2 TTPs 1 IoCs
Processes:
description | ioc | Process
Intent action | android.provider.Telephony.ACTION_CHANGE_DEFAULT | l.clq.yfepwz
-
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
Processes:
description | ioc | Process
Framework API call | javax.crypto.Cipher.doFinal | l.clq.yfepwz
Processes
-
l.clq.yfepwz
- Checks if the Android device is rooted.
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Queries account information for other applications stored on the device
- Reads the contacts stored on the device.
- Reads the content of the MMS message.
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Queries information about active data network
- Queries information about the current Wi-Fi connection
- Requests changing the default SMS application.
- Uses Crypto APIs (Might try to encrypt user data)
PID: 4772
Network
MITRE ATT&CK Mobile v15
Defense Evasion
- Download New Code at Runtime (1)
- Foreground Persistence (1)
- Hide Artifacts (1)
- Suppress Application Icon (1)
Discovery
- Software Discovery (1)
- Security Software Discovery (1)
- System Information Discovery (1)
- System Network Configuration Discovery (2)
- System Network Connections Discovery (2)
Downloads
-
Filesize
446KB
MD5
8bb09c2927ef88bda95970b61599f314
SHA1
391656ad53355854928f21a99e995f14e5c75ce7
SHA256
27ec66655a2a5e63f95ec2a4066bf7e64a79d7070923f42ba0cbffe53e2ba2dd
SHA512
94f59ce40f5b0a03c7bf0c4d199b47c4c7f85f98ae686f6994d74119f7c4b76d031d8607a879818d92c9097ce7603dbfef55d850186a21add9dee18f2bf90d68
-
Filesize
36B
MD5
d07e782ce774d9a1a7d30e6915f29074
SHA1
03791aa9cf79378fa804a06a8e7c750db9452214
SHA256
6c1af05efa86a8d62b468e2d7cdac4797cfb23e8735328f9de37e20999f57bd0
SHA512
4b33f6304c42e49a18f72545c3b140fa1c40138f10b4c08e82dd11eab1ad43139d6136837ae10eeba3e81fa5cd779b4d5fe6a3ca79b99ff0a51bd5aa2407bc6a