xloader_apk | 8d6e5bcf2da07578f1ef6493363090d10ba05a65619a5072863d02af21ef4c4b

Analysis

max time kernel
149s
max time network
151s
platform
android-11_x64
resource
android-x64-arm64-20240910-en
resource tags

arch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240910-enlocale:en-usos:android-11-x64system
submitted
07-11-2024 22:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8d6e5bcf2da07578f1ef6493363090d10ba05a65619a5072863d02af21ef4c4b.apk
Size

272KB
MD5

abb4ce69aab1843b401e55633ebfe48c
SHA1

15739c3ab0be6737ca1c91d8409629ad6f608885
SHA256

8d6e5bcf2da07578f1ef6493363090d10ba05a65619a5072863d02af21ef4c4b
SHA512

d60f24c046d42079e7103a0c9e11e2948961400416603a5a8b6edceee1e70a86f5c38f85ddbd55617b951881db93d8a09d33c54101902f0f37a84037f29559ad
SSDEEP

6144:7tc2NHUvcCRFWacVmUkfQtDAE7hVLR7p0iD/LzxMJGyon5oziokB5:7tVGoa8mLYtkQVN72iD/Lx5oLa5

Score

10^/10

xloader_apk banker collection discovery evasion impact infostealer persistence stealth trojan

Malware Config

Signatures

XLoader payload 1 IoCs

Processes:

resource	yara_rule
/data/user/0/com.bbau.lvpz/files/dex	family_xloader_apk2

XLoader, MoqHao
An Android banker and info stealer.
trojan infostealer banker xloader_apk
Xloader_apk family
xloader_apk
Checks if the Android device is rooted. 1 TTPs 1 IoCs
evasion

System Information Discovery
T1426

Processes:

com.bbau.lvpz

ioc process

/system/bin/su com.bbau.lvpz
Removes its main activity from the application launcher 1 TTPs 1 IoCs
stealth trojan evasion

Suppress Application Icon
T1628.001

Processes:

com.bbau.lvpz

pid process

4775 com.bbau.lvpz
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs executable file dropped to the device during analysis.
evasion

Download New Code at Runtime
T1407

Processes:

com.bbau.lvpz

ioc pid process

/data/user/0/com.bbau.lvpz/files/dex 4775 com.bbau.lvpz
/data/user/0/com.bbau.lvpz/files/dex 4775 com.bbau.lvpz
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422
Reads the content of the MMS message. 1 TTPs 1 IoCs
collection

SMS Messages
T1636.004

Processes:

com.bbau.lvpz

description ioc process

URI accessed for read content://mms/ com.bbau.lvpz
Acquires the wake lock 1 IoCs

Processes:

com.bbau.lvpz

description ioc process

Framework service call android.os.IPowerManager.acquireWakeLock com.bbau.lvpz
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
evasion persistence

Foreground Persistence
T1541

Processes:

com.bbau.lvpz

description ioc process

Framework service call android.app.IActivityManager.setServiceForeground com.bbau.lvpz
Requests changing the default SMS application. 2 TTPs 1 IoCs
collection impact

SMS Messages
T1636.004

SMS Control
T1582

Processes:

com.bbau.lvpz

description ioc process

Intent action android.provider.Telephony.ACTION_CHANGE_DEFAULT com.bbau.lvpz
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
evasion

User Evasion
T1628.002

Processes:

com.bbau.lvpz

description ioc process

Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS com.bbau.lvpz

ioc	process
/system/bin/su	com.bbau.lvpz

pid	process
4775	com.bbau.lvpz

ioc	pid	process
/data/user/0/com.bbau.lvpz/files/dex	4775	com.bbau.lvpz
/data/user/0/com.bbau.lvpz/files/dex	4775	com.bbau.lvpz

description	ioc	process
URI accessed for read	content://mms/	com.bbau.lvpz

description	ioc	process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.bbau.lvpz

description	ioc	process
Framework service call	android.app.IActivityManager.setServiceForeground	com.bbau.lvpz

description	ioc	process
Intent action	android.provider.Telephony.ACTION_CHANGE_DEFAULT	com.bbau.lvpz

description	ioc	process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.bbau.lvpz

com.bbau.lvpz
1⤵
- Checks if the Android device is rooted.
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Reads the content of the MMS message.
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Requests changing the default SMS application.
- Requests disabling of battery optimizations (often used to enable hiding in the background).
PID:4775

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Foreground Persistence

T1541

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Foreground Persistence

T1541

Hide Artifacts

T1628

Suppress Application Icon

T1628.001

User Evasion

T1628.002

Credential Access

Discovery

Software Discovery

T1418

Security Software Discovery

T1418.001

System Information Discovery

T1426

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Protected User Data

T1636

SMS Messages

T1636.004

Command and Control

Exfiltration

Impact

SMS Control

T1582

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/com.bbau.lvpz/files/dex

Filesize
484KB

MD5
5026dedcd4001a94b54c749a391afe4c

SHA1
76650b19d4e3545b6665f0daa376a6f62c1259f0

SHA256
f95a9d2a29299504d9f16f1e177fdaeeab335c4bcfe3abe861a23939d863f246

SHA512
b3aec452eac6c59dfb09d482e8951dde7c165ad71960174297d6ff6ec51f93fc6cdc08e9ebe4996e38a1e1233420249ea308f4afcfd41d61259d55cdacf1369a

Download Submit