Analysis

  • max time kernel
    149s
  • max time network
    154s
  • platform
    android_x86
  • resource
    android-x86-arm-20240624-en
  • resource tags
    android, arch:arm, arch:x86, image:android-x86-arm-20240624-en, locale:en-us, os:android-9-x86, system
  • submitted
    04-11-2024 22:09

General

  • Target: a8ed1a6d07cce19523b09a09a793129bd7dc14c8fefde4e2baaf4f19f978a012.apk
  • Size: 212KB
  • MD5: 7024928adfbf5ce77d0a5b0cd5653f55
  • SHA1: a8e7c132f3911e0f50e2278f13111280ad539fb9
  • SHA256: a8ed1a6d07cce19523b09a09a793129bd7dc14c8fefde4e2baaf4f19f978a012
  • SHA512: 486215477b5fee167f4c807225596e92bd34244dd43c6dd7416825f6d7274abbab336b5d9d4c0523f8d2f172558afff89433db00458b7e5cd91d51d6f240f8b5
  • SSDEEP: 3072:saoOPQomYZtPOEa09KJVaRIJvSYlETVmdtVIoHpwGw+fvsIMcJgcE5ozh427:voLomYZ1SYmaRIJvLEsrpw/+ecpU27

Malware Config

Extracted

  • Family: xloader_apk
  • C2: http://91.204.226.54:28899
  • DES_key

Signatures

  • XLoader payload 1 IoCs
  • XLoader, MoqHao

    An Android banker and info stealer.

  • Xloader_apk family
  • Checks if the Android device is rooted. 1 TTPs 3 IoCs
  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 5 IoCs

    Runs executable file dropped to the device during analysis.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Queries account information for other applications stored on the device 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect account information stored on the device.

  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Reads the content of the MMS message. 1 TTPs 1 IoCs
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Reads information about phone network operator. 1 TTPs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
  • Checks CPU information 2 TTPs 1 IoCs

Processes

  • reifysy.vdeshlhen.kdslni
    1⤵
    • Checks if the Android device is rooted.
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Queries account information for other applications stored on the device
    • Reads the content of the MMS message.
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Uses Crypto APIs (Might try to encrypt user data)
    • Checks CPU information
    PID:4262
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/reifysy.vdeshlhen.kdslni/app_picture/1.jpg --output-vdex-fd=46 --oat-fd=47 --oat-location=/data/user/0/reifysy.vdeshlhen.kdslni/app_picture/oat/x86/1.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4289

Network

MITRE ATT&CK Mobile v15

Downloads

  • /data/data/reifysy.vdeshlhen.kdslni/app_picture/1.jpg
    Filesize: 7KB
    MD5: 81c7c3c1ee1f5fe8041bc3bccc551da3
    SHA1: 81e7031b50afa2c623c93a334da65ca383951e1e
    SHA256: 43451eef052eabb0468d8f07a2564170f7e94948d36704e1d431882abc1aec71
    SHA512: 094bf3d87ac04bb51d5120120c79fe668e068d5304ee86fb782c2a56394ec85031fa17846b6330dbdc27a26723f2f7c020d793cdf2c5082e63c7a42096a3b8c1

  • /data/data/reifysy.vdeshlhen.kdslni/files/b
    Filesize: 446KB
    MD5: a08eb40c8f41932cdfbb171b11047499
    SHA1: 640df821c78b575ddc1fb1ba3150795ae8a38af2
    SHA256: 21de04b706537eb676cda25497d25ce84e45d132232f715656f81c1e66ea4767
    SHA512: 03512be8115948dadefab3d4490e82fe8ebf5baa79765ecb63aec0b1ffa97c29ab37d68abf628e35ecb186ac1e81b2f259d392891eef2633707288803921442c

  • /data/data/reifysy.vdeshlhen.kdslni/files/oat/b.cur.prof
    Filesize: 1KB
    MD5: 1a7ef5a4ba01a8ef4ff622ffb81f8b54
    SHA1: 21f6c6aa0c7ca2ac75d4ed43464c335f05d065fa
    SHA256: 121841a66cf8e57c215b2805e4bc7b007c64776a9f853dd6491e72b560377989
    SHA512: 4317dcfb81983f773278b4df07a3d10013c1779e716315f1b9ac02d68a55c4c9c12de489ec42541b941948418a11916f839642327d5f5462aa35baf4a6366a92

  • /data/data/reifysy.vdeshlhen.kdslni/files/oat/b.cur.prof
    Filesize: 1KB
    MD5: 244f2579e1da6d92691cbaf6e283c380
    SHA1: 2ca1013823663fb163b56efd181f08abe8e909f2
    SHA256: 5b8e16b3e5d07ecdb60f4d55d6425cae9ad7317fddb8aca409ee39b9d3f47d3d
    SHA512: df78ae9ee5f16e5a7f76066cd361701b0cfc5a9e37b81461b5cc016a8e821fa198650120f169cb267d5e32b9df128c63a902f7647c2e2033f43730165eea3915

  • /data/data/reifysy.vdeshlhen.kdslni/files/oat/b.cur.prof
    Filesize: 1KB
    MD5: 6006e6ce7b9d553041639d01a4982f70
    SHA1: b80b8f6ac0b835d0de68772793702e3cac3f45bb
    SHA256: b5d82b3046e83509d6a991c14b7e0aa683f8cc676e8d7efdc82dd337c03d2e95
    SHA512: 4689d83e6530137097fd1d1aff194bf3fc853a1c7d473e0924a51d36abc233a054e9ed3e9905924caad49d7c787ec7f90a96c22c99d7cb7df1684bcb8496a0ac

  • /data/user/0/reifysy.vdeshlhen.kdslni/app_picture/1.jpg
    Filesize: 7KB
    MD5: 2e6baaa89e07b59ae874dfb75b31ec98
    SHA1: c5a2cfb91921350810122ec061ba160a9d67c184
    SHA256: 1bcc29ecfcb001008fa9010ddb8c6de79cce39c8f29d7f8630e3137dd0b4de9d
    SHA512: 9674a4a7870786b429f07216cd882eb9aa551201a1b6b6827fe04a82ad8834cf0bf030501f2c93717e83aa6b63fa7336433275dd7acd3d8bf514a3582e74e898

  • /storage/emulated/0/.msg_device_id.txt
    Filesize: 36B
    MD5: b3c25c7c0d2d65cb0233cfd04d7630b0
    SHA1: e7c169cc38dfae738bc5c6b95272eb75b8986087
    SHA256: a9cd1300f59bd3f7bae3434ee6c5afde6b676185f68127b8c0408e091084f6d9
    SHA512: ebe94aeb66272f53daa35db3303301b552c758f7aaab4d8c77eac6b00a2e5dde58c2683675f90ba76ab773db5191f4c2f4534b695d8e9c2f7135d395d7c356c6