Analysis
-
max time kernel
149s -
max time network
157s -
platform
android_x64 -
resource
android-x64-arm64-20240624-en -
resource tags
-
submitted
05-11-2024 22:44
General
-
Target
11f7551bb2730904f759d6449d1e92c864f8180ccfc2d50c26ebab01ca854e53.apk
-
Size
283KB
-
MD5
259bc8224ba34817720041299693cd1a
-
SHA1
29d8c753b940fae4a0d68088cc62377d452eeda3
-
SHA256
11f7551bb2730904f759d6449d1e92c864f8180ccfc2d50c26ebab01ca854e53
-
SHA512
d89fff0f439a8788c7846cdf0b7585a2de04168fe1fd269d20b1c3ea04fd60c991b3c3eaf74026f8727f2f94b10e06381462e42bb30ec20da69a731468f0d987
-
SSDEEP
6144:5UvE02OuAoogmp6uIZkpBcxqjpDYepUt2YM7o5jnqogd:2vEVogO6H0xYQcmoshd
Malware Config
Extracted
xloader_apk
http://91.204.226.105:28844
Signatures
-
XLoader payload 1 IoCs
-
XLoader, MoqHao
An Android banker and info stealer.
-
Xloader_apk family
-
Checks if the Android device is rooted. 1 TTPs 1 IoCs
-
Removes its main activity from the application launcher 1 TTPs 1 IoCs
-
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs executable file dropped to the device during analysis.
-
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries account information for other applications stored on the device 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect account information stored on the device.
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Reads the contacts stored on the device. 1 TTPs 1 IoCs
-
Reads the content of the MMS message. 1 TTPs 1 IoCs
-
Acquires the wake lock 1 IoCs
-
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
-
Queries information about active data network 1 TTPs 1 IoCs
-
Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
-
Reads information about phone network operator. 1 TTPs
-
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
-
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
Processes
-
kukidc.ljik.ydm.gxnyd1⤵
- Checks if the Android device is rooted.
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Queries account information for other applications stored on the device
- Reads the contacts stored on the device.
- Reads the content of the MMS message.
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Queries information about active data network
- Queries information about the current Wi-Fi connection
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Uses Crypto APIs (Might try to encrypt user data)
Network
MITRE ATT&CK Mobile v15
Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Hide Artifacts
2Suppress Application Icon
1User Evasion
1Discovery
Software Discovery
1Security Software Discovery
1System Information Discovery
1System Network Configuration Discovery
2System Network Connections Discovery
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
505KB
MD51948f47b3ea40b56b95c2afea1715414
SHA15c690f45283971be674c6d8a2e54175b0ecf55eb
SHA25655e4054d9045b3a34d808883c387d64cbae6a402ba7551f1c7a19d6b2bcc5ae7
SHA5128f3e40ff08f864901147cd60dd88191b9f792a746f0d923e3fea3a30f1ce951ec984013641b32ce1130b764f3d27974ac1a4a9d281090c8bbbff02808ffeb436
-
Filesize
36B
MD54480c0c4d581cabf1dfbe922a14921d6
SHA1cc32851b714a60e345824ea87fbde80f1ce63997
SHA25644b9b30f7733cd6ff44d88f8728c220691bf4edbf378538f9acb59cf6e3f90fd
SHA5123d17f1afb8f72d2513d10d0211a2dd3192f26e9cefc1176ab958a8432da75c584f50f1d9dc6cf8cc4573d295b3d51c282556060ae29f0e4ac28242377f9264ca