Analysis
-
max time kernel
149s -
max time network
163s -
platform
android-11_x64 -
resource
android-x64-arm64-20240910-en -
resource tags
-
submitted
05/11/2024, 22:04
General
-
Target
a7c3977f45ccfaf721de278cea38b029323cc178d1fd3a5b7c859957f07e5790.apk
-
Size
278KB
-
MD5
a12f5c20439d4cb1ff3b8d2e15c9440c
-
SHA1
0b261bafe34a2d11f101273cf5743d82370ba7e1
-
SHA256
a7c3977f45ccfaf721de278cea38b029323cc178d1fd3a5b7c859957f07e5790
-
SHA512
ab9cc37252319bf7e59b529a05f1c3bf0899df5d28bacd6f7d6cdf19c75452e32dda37c38191f97dfa4abb66ab46757c958124a470340274e2fd3095582ffa86
-
SSDEEP
6144:N2+NMc8Sy1W0UXDZIk8K3eIKEoY49q6l2dPg3nfsYkQA67ySS/FM8+:VNmU9Ikj3eIln49q6l2do3fIQA67ySSW
Malware Config
Extracted
xloader_apk
http://91.204.226.105:28844
Signatures
-
XLoader payload 1 IoCs
-
XLoader, MoqHao
An Android banker and info stealer.
-
Xloader_apk family
-
Checks if the Android device is rooted. 1 TTPs 1 IoCs
-
Removes its main activity from the application launcher 1 TTPs 1 IoCs
-
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs executable file dropped to the device during analysis.
-
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries account information for other applications stored on the device 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect account information stored on the device.
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Reads the contacts stored on the device. 1 TTPs 1 IoCs
-
Reads the content of the MMS message. 1 TTPs 1 IoCs
-
Acquires the wake lock 1 IoCs
-
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
-
Queries information about active data network 1 TTPs 1 IoCs
-
Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
-
Reads information about phone network operator. 1 TTPs
-
Requests changing the default SMS application. 2 TTPs 1 IoCs
-
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
-
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
Processes
-
com.qooc.zhxb1⤵
- Checks if the Android device is rooted.
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Queries account information for other applications stored on the device
- Reads the contacts stored on the device.
- Reads the content of the MMS message.
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Queries information about active data network
- Queries information about the current Wi-Fi connection
- Requests changing the default SMS application.
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Uses Crypto APIs (Might try to encrypt user data)
Network
MITRE ATT&CK Mobile v15
Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Hide Artifacts
2Suppress Application Icon
1User Evasion
1Discovery
Software Discovery
1Security Software Discovery
1System Information Discovery
1System Network Configuration Discovery
2System Network Connections Discovery
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
484KB
MD570f95d8cbe97d5c2eba3ea8444ae66ab
SHA1ceeb757ec23da7c6b127262ae1dd966b4a7a73cc
SHA256b02e06dfd1642646e5ccf3a06ccfc850edd1ba0464550962a15e69a0b6931426
SHA512666d43b00bb424631c17248ced477990e5d2375b9ca086aeaf976ec00c44d017ff8e72538afdaa26b918014451382c8462a84c37ad2a597e0ec1c39288c96efa