Analysis
max time kernel: 149s
max time network: 158s
platform: android_x64
resource: android-x64-arm64-20240624-en
resource tags: android, arch:arm, arch:arm64, arch:x64, arch:x86, image:android-x64-arm64-20240624-en, locale:en-us, os:android-11-x64, system
submitted: 29/10/2024, 22:10
Static task: static1
Behavioral task: behavioral1
Sample: 6f990853acc20179f1ff98bcd347516f5ed721ce724d3a791062553cbd3b82b9.apk
Resource: android-x64-arm64-20240624-en
General
Target: 6f990853acc20179f1ff98bcd347516f5ed721ce724d3a791062553cbd3b82b9.apk
Size: 208KB
MD5: e4b9c58e4086f82e004b204c496bc26d
SHA1: 6b2f711db8e3689ddf5ef727ba836d6265b5fcb1
SHA256: 6f990853acc20179f1ff98bcd347516f5ed721ce724d3a791062553cbd3b82b9
SHA512: e96b92661508b41f5436ba1f8c47ea8af03d783198fab1fc8359f77e0b2baf8e2f064857196e208b53ba1a8a6d4e9cb16dc1b47251b647a6c0efb79997cf9c08
SSDEEP: 6144:OUu4eBrl4+EHlc78JFnrOXMWUzSfNwmvADj6:OF4er4mgrO8JzSGmvo6
Malware Config
Extracted config (family xloader_apk): http://91.204.226.105:28844
Signatures
- XLoader payload (2 IoCs)
  yara_rule family_xloader_apk matched resource behavioral1/files/fstream-1.dat
  yara_rule family_xloader_apk2 matched resource behavioral1/files/fstream-1.dat
- XLoader, MoqHao
  An Android banker and info stealer.
- Xloader_apk family
- Checks if the Android device is rooted. (1 TTPs, 1 IoCs)
  ioc: /system/bin/su, process: q.ailaj.eqodnl
  pid: 4486, process: q.ailaj.eqodnl
- Loads dropped Dex/Jar (1 TTPs, 2 IoCs)
  Runs executable file dropped to the device during analysis.
  ioc: /data/user/0/q.ailaj.eqodnl/files/d, pid: 4486, process: q.ailaj.eqodnl
  ioc: /data/user/0/q.ailaj.eqodnl/files/d, pid: 4486, process: q.ailaj.eqodnl
- Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 TTPs)
- Queries account information for other applications stored on the device (1 TTPs, 1 IoCs)
  Application may abuse the framework's APIs to collect account information stored on the device.
  description: Framework service call, ioc: android.accounts.IAccountManager.getAccountsAsUser, process: q.ailaj.eqodnl
- Queries the phone number (MSISDN for GSM devices) (1 TTPs)
- Reads the contacts stored on the device. (1 TTPs, 1 IoCs)
  description: URI accessed for read, ioc: content://com.android.contacts/raw_contacts, process: q.ailaj.eqodnl
- Reads the content of the MMS message. (1 TTPs, 1 IoCs)
  description: URI accessed for read, ioc: content://mms/, process: q.ailaj.eqodnl
- Acquires the wake lock (1 IoCs)
  description: Framework service call, ioc: android.os.IPowerManager.acquireWakeLock, process: q.ailaj.eqodnl
- Makes use of the framework's foreground persistence service (1 TTPs, 1 IoCs)
  Application may abuse the framework's foreground service to continue running in the foreground.
  description: Framework service call, ioc: android.app.IActivityManager.setServiceForeground, process: q.ailaj.eqodnl
- Queries information about active data network (1 TTPs, 1 IoCs)
  description: Framework service call, ioc: android.net.IConnectivityManager.getActiveNetworkInfo, process: q.ailaj.eqodnl
- Queries information about the current Wi-Fi connection (1 TTPs, 1 IoCs)
  Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
  description: Framework service call, ioc: android.net.wifi.IWifiManager.getConnectionInfo, process: q.ailaj.eqodnl
- Reads information about phone network operator. (1 TTPs)
- Requests changing the default SMS application. (2 TTPs, 1 IoCs)
  description: Intent action, ioc: android.provider.Telephony.ACTION_CHANGE_DEFAULT, process: q.ailaj.eqodnl
- Uses Crypto APIs (might try to encrypt user data) (1 TTPs, 1 IoCs)
  description: Framework API call, ioc: javax.crypto.Cipher.doFinal, process: q.ailaj.eqodnl
Processes
- q.ailaj.eqodnl (PID: 4486)
  - Checks if the Android device is rooted.
  - Removes its main activity from the application launcher
  - Loads dropped Dex/Jar
  - Queries account information for other applications stored on the device
  - Reads the contacts stored on the device.
  - Reads the content of the MMS message.
  - Acquires the wake lock
  - Makes use of the framework's foreground persistence service
  - Queries information about active data network
  - Queries information about the current Wi-Fi connection
  - Requests changing the default SMS application.
  - Uses Crypto APIs (might try to encrypt user data)
Network
MITRE ATT&CK Mobile v15
Defense Evasion
- Download New Code at Runtime: 1
- Foreground Persistence: 1
- Hide Artifacts: 1
- Suppress Application Icon: 1
Discovery
- Software Discovery: 1
- Security Software Discovery: 1
- System Information Discovery: 1
- System Network Configuration Discovery: 2
- System Network Connections Discovery: 2
Downloads
- File 1
  Filesize: 446KB
  MD5: 8bb09c2927ef88bda95970b61599f314
  SHA1: 391656ad53355854928f21a99e995f14e5c75ce7
  SHA256: 27ec66655a2a5e63f95ec2a4066bf7e64a79d7070923f42ba0cbffe53e2ba2dd
  SHA512: 94f59ce40f5b0a03c7bf0c4d199b47c4c7f85f98ae686f6994d74119f7c4b76d031d8607a879818d92c9097ce7603dbfef55d850186a21add9dee18f2bf90d68
- File 2
  Filesize: 36B
  MD5: e2a23b7503ab331b7fbaa0c7aeec8b5b
  SHA1: 4875f5686d35cb644523e8c7622b9321ce26b3b6
  SHA256: d40e61578b8f05f760077fff4fd91b0ab141a21da0e98ebf1b740c1ef9ffb514
  SHA512: c796f515aa41b8c5a3c6430001875d878ac61f95503822737e200c37e74f2c93d5073f358cfb616b6bf706c634ae14b2aa292f5878208d83afb6be466210a24c