Analysis
-
max time kernel
149s -
max time network
150s -
platform
android-9_x86 -
resource
android-x86-arm-20240910-en -
resource tags
-
submitted
05-11-2024 22:02
General
-
Target
6bb12fbafb0bb76860b90fad8bef580a101cede0a4a03a9afec1ab41d01f1095.apk
-
Size
286KB
-
MD5
6767e77acd30bfe634ef45e8a5f4e825
-
SHA1
1ee5572a483f28dea99e65225193a8b2e3248f20
-
SHA256
6bb12fbafb0bb76860b90fad8bef580a101cede0a4a03a9afec1ab41d01f1095
-
SHA512
abb00e1bd17393be4dc6d350225f39f763b7abaefddd164cbaaf5a208e85a9d2176353b1d6a140f64d7cd7151f56222cccc2c8691b0355e913cfe5a4fb8c9581
-
SSDEEP
6144:0L0LBcE724FKKPQhkPSjF6t4CR4fRqp4STg0TXmTjcaM+seXf6x7z:04VY4F/PJSwt68HTXm8F+ssMv
Malware Config
Extracted
xloader_apk
http://91.204.226.105:28844
Signatures
-
XLoader payload 1 IoCs
-
XLoader, MoqHao
An Android banker and info stealer.
-
Xloader_apk family
-
Checks if the Android device is rooted. 1 TTPs 3 IoCs
-
Removes its main activity from the application launcher 1 TTPs 1 IoCs
-
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs executable file dropped to the device during analysis.
-
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries account information for other applications stored on the device 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect account information stored on the device.
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Reads the content of the MMS message. 1 TTPs 1 IoCs
-
Acquires the wake lock 1 IoCs
-
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
-
Queries information about active data network 1 TTPs 1 IoCs
-
Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
-
Reads information about phone network operator. 1 TTPs
-
Requests changing the default SMS application. 2 TTPs 1 IoCs
-
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
-
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
-
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
Processes
-
com.qiqt.igam1⤵
- Checks if the Android device is rooted.
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Queries account information for other applications stored on the device
- Reads the content of the MMS message.
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Queries information about active data network
- Queries information about the current Wi-Fi connection
- Requests changing the default SMS application.
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
Network
MITRE ATT&CK Mobile v15
Persistence
Event Triggered Execution
1Broadcast Receivers
1Foreground Persistence
1Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Hide Artifacts
2Suppress Application Icon
1User Evasion
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
483KB
MD5ae9c12585483e8f440602e44dedfc892
SHA19605a4070f7c3d7e180c319b3125751233b655ef
SHA2566bae5b64c4d0c9b7777a8ff1d198eff5a89fc4b1e2489e0b13e2751b5e2e33cd
SHA512cf958ae50832841f5921c82a8ac0ed3822afb6361648fb2d2c2cc99a17ff4a22343594e0599836342fd9cbeccc6c05623505f1c0d87197f296d5a917c5e7b33c