Analysis
-
max time kernel
149s -
max time network
157s -
platform
android-10_x64 -
resource
android-x64-20240910-en -
resource tags
-
submitted
05/11/2024, 22:04
General
-
Target
35292d17cbf814403137cbeaf00758e3222879231d2f7d8b9d810568169aefaa.apk
-
Size
446KB
-
MD5
66f1063270eda1e1e83d51a5618bb379
-
SHA1
503ee3f58922e1811df56be863c6573684e0c1da
-
SHA256
35292d17cbf814403137cbeaf00758e3222879231d2f7d8b9d810568169aefaa
-
SHA512
c0971215837d46f8eaee2e75fd05d9f53e2854f7838bb7612f98e1fac53311686d01f6e821397bcc74ba78bb1e8210c2fe721f632f150890257db3a1e71443c5
-
SSDEEP
12288:ouZjy0QPkbDOL7pFtUKcWJo1FfBsS+b4dMoY+:XtEgCL7pFt6gS+cdMa
Malware Config
Extracted
xloader_apk
http://91.204.226.105:28844
Signatures
-
XLoader payload 1 IoCs
-
XLoader, MoqHao
An Android banker and info stealer.
-
Xloader_apk family
-
Checks if the Android device is rooted. 1 TTPs 3 IoCs
-
Removes its main activity from the application launcher 1 TTPs 1 IoCs
-
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs executable file dropped to the device during analysis.
-
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries account information for other applications stored on the device 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect account information stored on the device.
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Reads the contacts stored on the device. 1 TTPs 1 IoCs
-
Reads the content of the MMS message. 1 TTPs 1 IoCs
-
Acquires the wake lock 1 IoCs
-
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
-
Queries information about active data network 1 TTPs 1 IoCs
-
Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
-
Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
-
Reads information about phone network operator. 1 TTPs
-
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
-
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
Processes
-
com.kbqb.mtuw1⤵
- Checks if the Android device is rooted.
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Queries account information for other applications stored on the device
- Reads the contacts stored on the device.
- Reads the content of the MMS message.
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Queries information about active data network
- Queries information about the current Wi-Fi connection
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
Network
MITRE ATT&CK Mobile v15
Persistence
Event Triggered Execution
1Broadcast Receivers
1Foreground Persistence
1Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Hide Artifacts
1Suppress Application Icon
1Discovery
Software Discovery
1Security Software Discovery
1System Information Discovery
1System Network Configuration Discovery
3System Network Connections Discovery
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
766KB
MD57962ea579bddfb2d56deaeb75556d33a
SHA1292c29c70d73caff3148eb993fc389c58b966cde
SHA256ff87cb92852a7d77c93494f73a3876fb3c3570115ffe73c2fcd08ae3ac1e3551
SHA512bad435e79acad4d6c25ea5a580a12dde0e065a85677744c6428bf20ee03a55972d20416ca719f9254be886f20a00c2cd3e4816911e05ebab199e398bc4c6a0f4
-
Filesize
1KB
MD5ea4d68aeca86a7c9fe61a7e5aa90a4d9
SHA1a1c781b2783fb4af743d0140818b6e2fd5657702
SHA2561afa87fbdad60d9b55d0eb3a1351f09102eaea20e6493a01f90fd688ef67eee2
SHA5129d47ea6282fd4e5c7e1946d38e56f6cb722b124f73c5e49f9167dee6711549434292b15c8292f0cf4af6113054a7348954deddbff2cf9bd57955760b6999e2bd