Analysis
max time kernel: 149s
max time network: 151s
platform: android-11_x64
resource: android-x64-arm64-20240910-en
resource tags: arch:arm, arch:arm64, arch:x64, arch:x86, image:android-x64-arm64-20240910-en, locale:en-us, os:android-11-x64, system
submitted: 27/10/2024, 22:02
Static task: static1
Behavioral task: behavioral1
Sample: c295c25e6fd8963b2a77e6f4a0a4f9c48703763297276b7e9ad2b3f3ed672850.apk
Resource: android-x64-arm64-20240910-en
General
Target: c295c25e6fd8963b2a77e6f4a0a4f9c48703763297276b7e9ad2b3f3ed672850.apk
Size: 209KB
MD5: ec0115a2d43efa9caa8e20ffab746cc6
SHA1: 58da04b774e7602cd16dd4d8fb718bee9b89e7b2
SHA256: c295c25e6fd8963b2a77e6f4a0a4f9c48703763297276b7e9ad2b3f3ed672850
SHA512: d13be482823a142ba22280a1cd6e756ab07a3c99d9b509a9bbd8e7fa12eddc5d677dfce2e6f2cb7a012a386ace598b463ff4423ad3132cfa9c0272e52ff4d0ae
SSDEEP: 6144:jSnwVofClI+u5mUqbTVm94FNIdlebxFJY:unKofCFu8U4TAivIdIbxFJY
Malware Config
Extracted family: xloader_apk
C2: http://91.204.226.105:28844
Signatures

XLoader payload (2 IoCs)
  yara_rule: behavioral1/files/fstream-1.dat -> family_xloader_apk
  yara_rule: behavioral1/files/fstream-1.dat -> family_xloader_apk2

XLoader, MoqHao
  An Android banker and info stealer.

Xloader_apk family

Checks if the Android device is rooted. (1 TTPs, 1 IoCs)
  ioc: /system/bin/su (process: p.lm.nv)
  pid: 4852 (process: p.lm.nv)

Loads dropped Dex/Jar (1 TTPs, 2 IoCs)
  Runs executable file dropped to the device during analysis.
  ioc: /data/user/0/p.lm.nv/files/d (pid 4852, process: p.lm.nv)
  ioc: /data/user/0/p.lm.nv/files/d (pid 4852, process: p.lm.nv)

Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 TTPs)

Queries account information for other applications stored on the device (1 TTPs, 1 IoCs)
  Application may abuse the framework's APIs to collect account information stored on the device.
  Framework service call: android.accounts.IAccountManager.getAccountsAsUser (process: p.lm.nv)

Queries the phone number (MSISDN for GSM devices) (1 TTPs)

Reads the contacts stored on the device. (1 TTPs, 1 IoCs)
  URI accessed for read: content://com.android.contacts/raw_contacts (process: p.lm.nv)

Reads the content of the MMS message. (1 TTPs, 1 IoCs)
  URI accessed for read: content://mms/ (process: p.lm.nv)

Acquires the wake lock (1 IoCs)
  Framework service call: android.os.IPowerManager.acquireWakeLock (process: p.lm.nv)

Makes use of the framework's foreground persistence service (1 TTPs, 1 IoCs)
  Application may abuse the framework's foreground service to continue running in the foreground.
  Framework service call: android.app.IActivityManager.setServiceForeground (process: p.lm.nv)

Queries information about active data network (1 TTPs, 1 IoCs)
  Framework service call: android.net.IConnectivityManager.getActiveNetworkInfo (process: p.lm.nv)

Queries information about the current Wi-Fi connection (1 TTPs, 1 IoCs)
  Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
  Framework service call: android.net.wifi.IWifiManager.getConnectionInfo (process: p.lm.nv)

Reads information about phone network operator. (1 TTPs)

Requests changing the default SMS application. (2 TTPs, 1 IoCs)
  Intent action: android.provider.Telephony.ACTION_CHANGE_DEFAULT (process: p.lm.nv)

Uses Crypto APIs (might try to encrypt user data) (1 TTPs, 1 IoCs)
  Framework API call: javax.crypto.Cipher.doFinal (process: p.lm.nv)
Processes

p.lm.nv (PID: 4852)
- Checks if the Android device is rooted.
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Queries account information for other applications stored on the device
- Reads the contacts stored on the device.
- Reads the content of the MMS message.
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Queries information about active data network
- Queries information about the current Wi-Fi connection
- Requests changing the default SMS application.
- Uses Crypto APIs (might try to encrypt user data)
Network
MITRE ATT&CK Mobile v15

Defense Evasion
- Download New Code at Runtime (1)
- Foreground Persistence (1)
- Hide Artifacts (1)
- Suppress Application Icon (1)

Discovery
- Software Discovery (1)
- Security Software Discovery (1)
- System Information Discovery (1)
- System Network Configuration Discovery (2)
- System Network Connections Discovery (2)
Downloads

Filesize: 453KB
MD5: 303ba9f99e501b9d01b3c4e8036f7995
SHA1: 53196b13f94d7797527cc57742ce6d7b62aae36e
SHA256: 9614110dedb36006ad490df5f5ab55975d8c7ea20c24f4a6479b9da8a946e7f0
SHA512: ef95d56bd53bc3098985a279922657d66d08912bbfe1b5e5c7adb3c4d6267e79ecea28c15036ae023b3c1b052cca9e3111f9a868f7f4178f14db7eaa297e432d

Filesize: 36B
MD5: 8ca037df7bd2b54a293c4faba1d7f209
SHA1: 50f34c23fbcb6beb6d35bebae9476c85e8660e62
SHA256: 6079473ab1ee76295f98ec86f24c4e745b4d0ecee4fd105bd70eccde71629393
SHA512: 907e4f6e62b0d3b30c8b36c9bb7c4e710f03adeebfddac547fa86076b7540c0e6b68fa45689355cb7825f44d183ff77d6ed96cb7773e61c98607df97eea1f058