Analysis
-
max time kernel
149s -
max time network
151s -
platform
android_x64 -
resource
android-x64-arm64-20240624-en -
resource tags
-
submitted
27-10-2024 22:02
General
-
Target
b0fc509c9a3107b9df85b554107a1ae6b787687401aa8b4e01ca3ffe395adbae.apk
-
Size
207KB
-
MD5
40f0d7ddf98c880d93ee41139b3a6b5a
-
SHA1
58e98d1b12d58c327d2aa25c9c8d03a7c1b55b3b
-
SHA256
b0fc509c9a3107b9df85b554107a1ae6b787687401aa8b4e01ca3ffe395adbae
-
SHA512
f96a6aacddbd14a8119cbbfe42c54f44039cd8ce82a7eb77fde5582e7273a834e3e7fa092e71d7d69299caa2c3ab2fb43182294aaedecf9d2107c5eaf9e45d4b
-
SSDEEP
6144:aQiPd1yj5HrFM4y1QXnXf/G/DaxS96vrucoAl:at1EHoiXGraxS9o66
Malware Config
Extracted
xloader_apk
http://91.204.226.105:28844
Signatures
-
XLoader payload 2 IoCs
-
XLoader, MoqHao
An Android banker and info stealer.
-
Xloader_apk family
-
Checks if the Android device is rooted. 1 TTPs 1 IoCs
-
Removes its main activity from the application launcher 1 TTPs 1 IoCs
-
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs executable file dropped to the device during analysis.
-
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries account information for other applications stored on the device 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect account information stored on the device.
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Reads the contacts stored on the device. 1 TTPs 1 IoCs
-
Reads the content of the MMS message. 1 TTPs 1 IoCs
-
Acquires the wake lock 1 IoCs
-
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
-
Queries information about active data network 1 TTPs 1 IoCs
-
Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
-
Reads information about phone network operator. 1 TTPs
-
Requests changing the default SMS application. 2 TTPs 1 IoCs
-
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
Processes
-
ozur.tduux.mppmu1⤵
- Checks if the Android device is rooted.
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Queries account information for other applications stored on the device
- Reads the contacts stored on the device.
- Reads the content of the MMS message.
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Queries information about active data network
- Queries information about the current Wi-Fi connection
- Requests changing the default SMS application.
- Uses Crypto APIs (Might try to encrypt user data)
Network
MITRE ATT&CK Mobile v15
Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Hide Artifacts
1Suppress Application Icon
1Discovery
Software Discovery
1Security Software Discovery
1System Information Discovery
1System Network Configuration Discovery
2System Network Connections Discovery
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
456KB
MD56e3d29b5306a57dba7028a8da4609797
SHA1da143c2306182d664c850b74b4afa7fa948c974d
SHA25607f170fb70397d72a187bcdb83adc11f2e7c6d5a928d951d4f24b5e82dc04d96
SHA512e9dadbc1fa4244e681a22178a512bf8ef0b5a41e6b80e54f09ef8f5fd120ac25c55db8a6ff53f748ba0ba22eeee84eb8714bc79468da921d4ec8f0129bd60915
-
Filesize
36B
MD5b0a3adf9b34218a830b59956f69178bb
SHA1dee803ec9730264dee8094afb75ffe170e94706d
SHA256085594fa18994ded615de9a0e85274276f2cdc693bd9abfa2f654a54e3bb56aa
SHA512b6172cb251890f135dc3d751dcc64e8422ac30912c2f496720cd8bdb7d3ee4eeb618f940c5366319641233f447f101835238fef77fc259c725a18e63f1566004