Analysis
-
max time kernel
149s -
max time network
140s -
platform
android_x64 -
resource
android-x64-arm64-20240624-en -
resource tags
-
submitted
26-10-2024 22:00
General
-
Target
e727bd1145b6eb9b4ab02364eb8d7bf29025b954d4b78fc89dc7501dbe375f43.apk
-
Size
274KB
-
MD5
2d5204a9b777c5b9537f8b45e4083e6d
-
SHA1
14edc8b3bb39e02863558a4802361bbb2a784d54
-
SHA256
e727bd1145b6eb9b4ab02364eb8d7bf29025b954d4b78fc89dc7501dbe375f43
-
SHA512
7ce3725ba88fdb8ba6db21128eee0e1738d3a66fd40a51ef62ea524968a82a6897189af4119ec0babba056579d49aa7cda49ad7753fd680093b10108e4ff6161
-
SSDEEP
6144:Jjj+x+xLAPZ65jg1RlE4w3muxxwMTAnIuPNGIdF03aqb8:JjjxA65jgNwWujMnIuFG6KBb8
Malware Config
Extracted
xloader_apk
http://91.204.226.105:28844
Signatures
-
XLoader payload 2 IoCs
-
XLoader, MoqHao
An Android banker and info stealer.
-
Xloader_apk family
-
Checks if the Android device is rooted. 1 TTPs 1 IoCs
-
Removes its main activity from the application launcher 1 TTPs 1 IoCs
-
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs executable file dropped to the device during analysis.
-
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries account information for other applications stored on the device 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect account information stored on the device.
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Reads the contacts stored on the device. 1 TTPs 1 IoCs
-
Reads the content of the MMS message. 1 TTPs 1 IoCs
-
Acquires the wake lock 1 IoCs
-
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
-
Queries information about active data network 1 TTPs 1 IoCs
-
Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
-
Reads information about phone network operator. 1 TTPs
-
Requests changing the default SMS application. 2 TTPs 1 IoCs
-
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
Processes
-
x.mwlpw.td1⤵
- Checks if the Android device is rooted.
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Queries account information for other applications stored on the device
- Reads the contacts stored on the device.
- Reads the content of the MMS message.
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Queries information about active data network
- Queries information about the current Wi-Fi connection
- Requests changing the default SMS application.
- Uses Crypto APIs (Might try to encrypt user data)
Network
MITRE ATT&CK Mobile v15
Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Hide Artifacts
1Suppress Application Icon
1Discovery
Software Discovery
1Security Software Discovery
1System Information Discovery
1System Network Configuration Discovery
2System Network Connections Discovery
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
453KB
MD5303ba9f99e501b9d01b3c4e8036f7995
SHA153196b13f94d7797527cc57742ce6d7b62aae36e
SHA2569614110dedb36006ad490df5f5ab55975d8c7ea20c24f4a6479b9da8a946e7f0
SHA512ef95d56bd53bc3098985a279922657d66d08912bbfe1b5e5c7adb3c4d6267e79ecea28c15036ae023b3c1b052cca9e3111f9a868f7f4178f14db7eaa297e432d
-
Filesize
36B
MD5356331b824fa6d487e38ee13553055a1
SHA1dc0ea637c21cefb21155b8072858fcc93a50658b
SHA256eae87ae30842db53245c3017542565ec4bcd7eb1456531bd77d294b793f7ce3c
SHA512866b0c0259f72faa9bff14845e1f1edd28757f72a2a514ee6c6b579a54426c6eba8a026ba28f054ce9969297bcce1e8f055d1636a4756c50801d4cde94754233