Analysis
-
max time kernel
149s -
max time network
136s -
platform
android_x64 -
resource
android-x64-arm64-20240624-en -
resource tags
-
submitted
04-11-2024 22:10
General
-
Target
d9e5ba25f033f441917a75f25dcec28ab67aa30b60b9c9dc06de627961c95e45.apk
-
Size
209KB
-
MD5
1afbd43fc446aa883463177417a21497
-
SHA1
2c946502f7dcccd62fe697b554c8f67dad3a18b2
-
SHA256
d9e5ba25f033f441917a75f25dcec28ab67aa30b60b9c9dc06de627961c95e45
-
SHA512
1353816d99113852739f75f5047913738b63f346d00547055c20b54d8b8730601bad08587aaf160f8a054a699cd2e5ebe4d6eabf5c6eb6c597b101419b9547ea
-
SSDEEP
6144:oJVofClI+u5mUqbTVm94FNIdlebxFdOKv6a:o7ofCFu8U4TAivIdIbxFdOKya
Malware Config
Extracted
xloader_apk
http://91.204.226.105:28844
Signatures
-
XLoader payload 2 IoCs
-
XLoader, MoqHao
An Android banker and info stealer.
-
Xloader_apk family
-
Checks if the Android device is rooted. 1 TTPs 1 IoCs
-
Removes its main activity from the application launcher 1 TTPs 1 IoCs
-
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs executable file dropped to the device during analysis.
-
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries account information for other applications stored on the device 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect account information stored on the device.
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Reads the contacts stored on the device. 1 TTPs 1 IoCs
-
Reads the content of the MMS message. 1 TTPs 1 IoCs
-
Acquires the wake lock 1 IoCs
-
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
-
Queries information about active data network 1 TTPs 1 IoCs
-
Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
-
Reads information about phone network operator. 1 TTPs
-
Requests changing the default SMS application. 2 TTPs 1 IoCs
-
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
Processes
-
w.qskup.ekv1⤵
- Checks if the Android device is rooted.
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Queries account information for other applications stored on the device
- Reads the contacts stored on the device.
- Reads the content of the MMS message.
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Queries information about active data network
- Queries information about the current Wi-Fi connection
- Requests changing the default SMS application.
- Uses Crypto APIs (Might try to encrypt user data)
Network
MITRE ATT&CK Mobile v15
Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Hide Artifacts
1Suppress Application Icon
1Discovery
Software Discovery
1Security Software Discovery
1System Information Discovery
1System Network Configuration Discovery
2System Network Connections Discovery
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
453KB
MD5303ba9f99e501b9d01b3c4e8036f7995
SHA153196b13f94d7797527cc57742ce6d7b62aae36e
SHA2569614110dedb36006ad490df5f5ab55975d8c7ea20c24f4a6479b9da8a946e7f0
SHA512ef95d56bd53bc3098985a279922657d66d08912bbfe1b5e5c7adb3c4d6267e79ecea28c15036ae023b3c1b052cca9e3111f9a868f7f4178f14db7eaa297e432d
-
Filesize
36B
MD5867d938a7cbe9249ee7b2d6e215a561c
SHA13bbcb2bf2aab8566d1c6ceb4f96f9f59904e502c
SHA2561c64823fffec8291e75ca24db615a8bab086a661b916350bc9569565e4fab7fc
SHA5121d8393ae49e53582c16cbd1773a74fb7dd05868497f86e6749d6eed05247334723fe4b462349ccb25620b4dcb629ce270d72d7ad4544c6e2c0c1264b34215594