Analysis
-
max time kernel
149s -
max time network
154s -
platform
android-11_x64 -
resource
android-x64-arm64-20240910-en -
resource tags
-
submitted
04-11-2024 22:03
General
-
Target
776840b5a98e36ae3157731d6111c5de2d511b81b68be6db3d287cec3845eb37.apk
-
Size
217KB
-
MD5
53a56f3f2686a0190a35fdb304b4ad8a
-
SHA1
2cc0ab0d59a24102e725430598d69d0f5394186b
-
SHA256
776840b5a98e36ae3157731d6111c5de2d511b81b68be6db3d287cec3845eb37
-
SHA512
c092a0c28a4c491b4eb44bd3f87a8df83acb0521183cf882f5dff4fd9eafe1a3b919692e8a93917c42ba1fa6bbc2f26faf33914b3a0fae83abf148ff2bd96a9e
-
SSDEEP
6144:AW76JSFUv40g+MFAHxHO+izNzPq6uYarPzR70FT:AWWY0g+ZHxYzNb9uYarPcT
Malware Config
Extracted
xloader_apk
http://91.204.226.105:28844
Signatures
-
XLoader payload 2 IoCs
-
XLoader, MoqHao
An Android banker and info stealer.
-
Xloader_apk family
-
Checks if the Android device is rooted. 1 TTPs 1 IoCs
-
Removes its main activity from the application launcher 1 TTPs 1 IoCs
-
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs executable file dropped to the device during analysis.
-
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries account information for other applications stored on the device 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect account information stored on the device.
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Reads the contacts stored on the device. 1 TTPs 1 IoCs
-
Reads the content of the MMS message. 1 TTPs 1 IoCs
-
Acquires the wake lock 1 IoCs
-
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
-
Queries information about active data network 1 TTPs 1 IoCs
-
Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
-
Reads information about phone network operator. 1 TTPs
-
Requests changing the default SMS application. 2 TTPs 1 IoCs
-
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
Processes
-
aget.zowzh.lfouw1⤵
- Checks if the Android device is rooted.
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Queries account information for other applications stored on the device
- Reads the contacts stored on the device.
- Reads the content of the MMS message.
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Queries information about active data network
- Queries information about the current Wi-Fi connection
- Requests changing the default SMS application.
- Uses Crypto APIs (Might try to encrypt user data)
Network
MITRE ATT&CK Mobile v15
Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Hide Artifacts
1Suppress Application Icon
1Discovery
Software Discovery
1Security Software Discovery
1System Information Discovery
1System Network Configuration Discovery
2System Network Connections Discovery
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
456KB
MD56e3d29b5306a57dba7028a8da4609797
SHA1da143c2306182d664c850b74b4afa7fa948c974d
SHA25607f170fb70397d72a187bcdb83adc11f2e7c6d5a928d951d4f24b5e82dc04d96
SHA512e9dadbc1fa4244e681a22178a512bf8ef0b5a41e6b80e54f09ef8f5fd120ac25c55db8a6ff53f748ba0ba22eeee84eb8714bc79468da921d4ec8f0129bd60915
-
Filesize
36B
MD5e4b3cb9b1a79d574d65bd51e5b2d7531
SHA1f740b08b30780891cbb64d011f925a23a9a488f8
SHA2569046dfe374802ac81a4fe5ad2b5d2d17aa0b7f40a72036a3ad797e0dfadd8720
SHA512b125bdf212686f8cddd231f8c02b7cc5db3d4fdf1d1e79acc6e91515d03862fef6c6f60ffb0fbdd8a1baffaaa7a91d167b7e2876197524b0417de2a0c8d22d93