Overview

overview

10

Static

static

6

cf00f2155c...c0.apk

android-9-x86

10

Analysis

  • max time kernel
    149s
  • max time network
    155s
  • platform
    android-9_x86
  • resource
    android-x86-arm-20240910-en
  • resource tags

    arch:armarch:x86image:android-x86-arm-20240910-enlocale:en-usos:android-9-x86system
  • submitted
    08-11-2024 22:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    cf00f2155c76f98dd7207780aa064818b6abe3d45b28debf2fc1cbc91b6913c0.apk

  • Size

    212KB

  • MD5

    be310a8567bf87111d80643df540b399

  • SHA1

    174645a3bc0a05ecee278f026235dc5c2452762e

  • SHA256

    cf00f2155c76f98dd7207780aa064818b6abe3d45b28debf2fc1cbc91b6913c0

  • SHA512

    792a24a7c1499bff5613f7e172b02421b47b4be265b5d188d77ee691389c679e214bfe03863c93b451cc97d1c1870c349160944665a49dc26fc33da3349d7143

  • SSDEEP

    6144:bZXomYAPdo8SRIJvVEsTpw/+ekpqYLsTI:99YAd3SRYVl4+MM

Score
10/10
xloader_apkbankercollectiondiscoveryevasionimpactinfostealerpersistencestealthtrojan

Malware Config

Extracted

Family

xloader_apk

C2

http://91.204.226.54:28899

DES_key

Signatures

  • XLoader payload 1 IoCs
  • XLoader, MoqHao

    An Android banker and info stealer.

    trojaninfostealerbankerxloader_apk
  • Xloader_apk family
    xloader_apk
  • Checks if the Android device is rooted. 1 TTPs 3 IoCs
    evasion
  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
    stealthtrojanevasion
  • Loads dropped Dex/Jar 1 TTPs 5 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
    bankerdiscovery
  • Queries account information for other applications stored on the device 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect account information stored on the device.

    collection
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Reads the content of the MMS message. 1 TTPs 1 IoCs
    collection
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    evasionpersistence
  • Reads information about phone network operator. 1 TTPs
    discovery
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
    evasion
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
    persistence
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
    impact
  • Checks CPU information 2 TTPs 1 IoCs

Processes

  • fsyidet.ewcuondkg.vzvmbn.msmmjsve.adxns.rhyya
    1⤵
    • Checks if the Android device is rooted.
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Queries account information for other applications stored on the device
    • Reads the content of the MMS message.
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Uses Crypto APIs (Might try to encrypt user data)
    • Checks CPU information
    PID:4264
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/fsyidet.ewcuondkg.vzvmbn.msmmjsve.adxns.rhyya/app_picture/1.jpg --output-vdex-fd=46 --oat-fd=47 --oat-location=/data/user/0/fsyidet.ewcuondkg.vzvmbn.msmmjsve.adxns.rhyya/app_picture/oat/x86/1.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4290

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/fsyidet.ewcuondkg.vzvmbn.msmmjsve.adxns.rhyya/app_picture/1.jpg
    Filesize

    7KB

    MD5

    b8c9caebfe490e691382dbd66e54dcd7

    SHA1

    25e39705b669cab639e20981328daee3b466551c

    SHA256

    861a6e321d2b4330dd5472db76de7f2e735a7e4b45be9e1d52144db51e19b96b

    SHA512

    6e7add9c0057d42d885214ab8258a1fda36b0a2e4ce05c7498244a0f5857895bac6c1047a54a028b742da0f4416a5f4cd193f302ad1a941b4e5f25b39250d5fd

    Download Submit

  • /data/data/fsyidet.ewcuondkg.vzvmbn.msmmjsve.adxns.rhyya/files/b
    Filesize

    446KB

    MD5

    a08eb40c8f41932cdfbb171b11047499

    SHA1

    640df821c78b575ddc1fb1ba3150795ae8a38af2

    SHA256

    21de04b706537eb676cda25497d25ce84e45d132232f715656f81c1e66ea4767

    SHA512

    03512be8115948dadefab3d4490e82fe8ebf5baa79765ecb63aec0b1ffa97c29ab37d68abf628e35ecb186ac1e81b2f259d392891eef2633707288803921442c

    Download Submit

  • /data/data/fsyidet.ewcuondkg.vzvmbn.msmmjsve.adxns.rhyya/files/oat/b.cur.prof
    Filesize

    1KB

    MD5

    ca531e4e1e3b83e39a3b3aeba3eb3740

    SHA1

    8f505dc5b6ddae365da0878190c2aa9b05a59c16

    SHA256

    ee441541be4a0624c118e0690c0818d41c0e94ffc793e0038f49987743d478b5

    SHA512

    ebe1991f5a716969254acf8c11b4bbd5a2992743d275c199c8665972b0970525c4ad7b36c1d0debbff718eb30f44e1fce7ca336bda7ae822fc94d03c9297d9bc

    Download Submit

  • /data/user/0/fsyidet.ewcuondkg.vzvmbn.msmmjsve.adxns.rhyya/app_picture/1.jpg
    Filesize

    7KB

    MD5

    d0c4fc2ef9b4599f1f81451f31a2c032

    SHA1

    0a8d361bb88dfee03504e36722709d84702e3be7

    SHA256

    ec9dc87c2ca20b8be735fd45f22e397a41e9ee28ca8d6bd27f0768af8dc1b5e5

    SHA512

    e84eb536ea75ea79bcf55241b656e674fcc4221135b88255c4d5e4de0c4b567cba98645d7280ec2e2fc23d158e35ff8fd7a674674de1383a82c8b723183fb9c7

    Download Submit

  • /storage/emulated/0/.msg_device_id.txt
    Filesize

    36B

    MD5

    fb688f85a835ec250e82daedcf406318

    SHA1

    8c49d4c1d0d59e6b7076cd3ae9b2304a836968c4

    SHA256

    a791a8b2687d6365287467a08e97e92fcecbbf830fec9b82e38076a1558d51a2

    SHA512

    c29e466346dcd6256afd4b98752de2dd5ddebc72ceb949e812da048f905495c8574a45a4f4e027c0cb2dbc6a9254c8a3f4dd92fb24f16c4256eff0ee3fa07e45

    Download Submit