Analysis

  • max time kernel
    149s
  • max time network
    155s
  • platform
    android-9_x86
  • resource
    android-x86-arm-20240910-en
  • resource tags

    arch:arm, arch:x86, image:android-x86-arm-20240910-en, locale:en-us, os:android-9-x86, system
  • submitted
    06-11-2024 22:03

General

  • Target

    6c05973f2ff2f4cf12c8e102e7e80ddd1281353ddde67ad835e8fd6968d47ac1.apk

  • Size

    212KB

  • MD5

    4efd58e418536190ec8f33f04bb9b50e

  • SHA1

    c0538370ff81c1878b8a01e3ec658a9119562e9a

  • SHA256

    6c05973f2ff2f4cf12c8e102e7e80ddd1281353ddde67ad835e8fd6968d47ac1

  • SHA512

    b630d1bdad243acba13bbd15b25fff57690aba6a97001c6471dbddfa6cc94669d64a8f2b63e195f422eeb1899099c7e291269b8a5e39eb897883be8108ec7e99

  • SSDEEP

    3072:Af4rcPraEopc4P5WVTSpKmJ+D9KJXuRIJvSYpETVmdDVIojpwGwsfvsIMaJgcE5Q:AwrqS5WhxIuRIJvfEslpw/seapg/KzV

Malware Config

Extracted

Family

xloader_apk

C2

http://91.204.226.54:28899

DES_key

Signatures

  • XLoader payload 1 IoCs
  • XLoader, MoqHao

    An Android banker and info stealer.

  • Xloader_apk family
  • Checks if the Android device is rooted. 1 TTPs 3 IoCs
  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 5 IoCs

    Runs executable file dropped to the device during analysis.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Queries account information for other applications stored on the device 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect account information stored on the device.

  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Reads the content of the MMS message. 1 TTPs 1 IoCs
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Reads information about phone network operator. 1 TTPs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
  • Checks the presence of a debugger
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
  • Checks CPU information 2 TTPs 1 IoCs

Processes

  • veqsvax.qglfjucep.mmkxho
    1⤵
    • Checks if the Android device is rooted.
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Queries account information for other applications stored on the device
    • Reads the content of the MMS message.
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Uses Crypto APIs (Might try to encrypt user data)
    • Checks CPU information
    PID:4261
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/veqsvax.qglfjucep.mmkxho/app_picture/1.jpg --output-vdex-fd=46 --oat-fd=47 --oat-location=/data/user/0/veqsvax.qglfjucep.mmkxho/app_picture/oat/x86/1.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4288

Network

MITRE ATT&CK Mobile v15

Downloads

  • /data/data/veqsvax.qglfjucep.mmkxho/app_picture/1.jpg

    Filesize

    7KB

    MD5

    eaaa1d89b3a694327b39eaf4418a4287

    SHA1

    3b31ceec9e3412bd90ca1f6db973bcce203bdbb4

    SHA256

    bbf740b34322cd1fb708de98d3f9c38e3d21b359c5c0576fecf00747dc99e12b

    SHA512

    243b534c00e482c4f30c68ab355e3f550387b0a3d7932e7046acca1dccf6ca758781ee8a98db9d96430097f40b9068c1dcd2cc0aa42e4d6d98da3fc3ca294dda

  • /data/data/veqsvax.qglfjucep.mmkxho/files/b

    Filesize

    446KB

    MD5

    a08eb40c8f41932cdfbb171b11047499

    SHA1

    640df821c78b575ddc1fb1ba3150795ae8a38af2

    SHA256

    21de04b706537eb676cda25497d25ce84e45d132232f715656f81c1e66ea4767

    SHA512

    03512be8115948dadefab3d4490e82fe8ebf5baa79765ecb63aec0b1ffa97c29ab37d68abf628e35ecb186ac1e81b2f259d392891eef2633707288803921442c

  • /data/data/veqsvax.qglfjucep.mmkxho/files/oat/b.cur.prof

    Filesize

    1KB

    MD5

    6a253ab89537ee81674bab1ca220850e

    SHA1

    c5fdcf1dc76cf098343ad739f27dc668cc4f6654

    SHA256

    aec3cb75098ebd162abac14f745b4c1e8fc1d9c34eacc36bcc50a1a9dceda14c

    SHA512

    99230686aa07a36545119d0f515a3fdcbde82ed3ad7f86c69d7a56c23cc0e9772fbb69917bf9a5950506b1a5eb1af7ba6b582603ab0bbee873cc2e8538fdbae4

  • /data/data/veqsvax.qglfjucep.mmkxho/files/oat/b.cur.prof

    Filesize

    1KB

    MD5

    12af5e0862a8586918d61320b8e1fd52

    SHA1

    821546edf662bcf88ba8781f330fca18cb69ed8a

    SHA256

    42b929e6207df39b05d57bad5f2f0b0230125c2bb3cb22508b52fce6a2ece13c

    SHA512

    e2b5f7b21f636436e2da3b2876b578a27562742d493ea6270ab981b357ac554ae5a12c5b585df3ad219c3123ab2b3510009f632a1fc863b298e083b0ec73e81b

  • /data/data/veqsvax.qglfjucep.mmkxho/files/oat/b.cur.prof

    Filesize

    1016B

    MD5

    256cb9c0a9a2b814e94b5816f0bcc692

    SHA1

    5e453e63cc714a9f136c7bfc3be6df5255fba992

    SHA256

    66a39a7176569bfe27310b0c636be7cf5c50f2762b06b1b5cc672c105569665e

    SHA512

    f814692106250d112baf62bb392b123bc3ee86c9de7304eb8392d0e4054c10ae56c12c09948feb9d942790ca08808914d8b01376f07c425c8eae7af1bc386939

  • /data/user/0/veqsvax.qglfjucep.mmkxho/app_picture/1.jpg

    Filesize

    7KB

    MD5

    8fae78e06c96d85a6083febde2082c82

    SHA1

    b19d886e88e2c88f75f5582123743508d5e110a2

    SHA256

    167e0262230f34214944c44536e8aeaaa22a160cd172527f3938e04839a1a829

    SHA512

    342c3d981445104ec60a943928c276302ff99eeb4281e737b609bccf126b9491a4017b2c0f6b56f68a97ed37c22b399cc66a1d97618f06a17d939f4065cc27a9

  • /storage/emulated/0/.msg_device_id.txt

    Filesize

    36B

    MD5

    4fb3692d4d1a9c184d0bd24187f7aa86

    SHA1

    22a9d0a3e314fe3a789cdfc88133a06188f30ecf

    SHA256

    fea7b47abcc2d5af559675f189c4a6c5afd41e64b253befde96a98ecc4aa6e57

    SHA512

    bab1ef087968f74352feafbe30c59d8b6d30c503dd97efbb71503d0d0dcc1f30171f124d6a7b394d13a670132f39d905bd3bb68c9408d66f2eccc4277ddd2547