Malware Analysis Report

2024-11-13 17:37

Sample ID: 241109-26ch3athnq
Target: 0374d515d1b036eab62ead6e095c3a4b845c3dc7ca10e095c4804b03a6aaf983.bin
SHA256: 0374d515d1b036eab62ead6e095c3a4b845c3dc7ca10e095c4804b03a6aaf983
Tags: xloader_apk banker collection discovery evasion impact infostealer persistence stealth trojan
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 0374d515d1b036eab62ead6e095c3a4b845c3dc7ca10e095c4804b03a6aaf983

Threat Level: Known bad

The file 0374d515d1b036eab62ead6e095c3a4b845c3dc7ca10e095c4804b03a6aaf983.bin was found to be: Known bad.

Malicious Activity Summary

xloader_apk banker collection discovery evasion impact infostealer persistence stealth trojan

XLoader payload

Xloader_apk family

XLoader, MoqHao

Checks if the Android device is rooted.

Removes its main activity from the application launcher

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Reads the content of the MMS message.

Loads dropped Dex/Jar

Queries the phone number (MSISDN for GSM devices)

Queries account information for other applications stored on the device

Makes use of the framework's foreground persistence service

Requests dangerous framework permissions

Requests disabling of battery optimizations (often used to enable hiding in the background).

Acquires the wake lock

Declares services with permission to bind to the system

Attempts to obfuscate APK file format

Reads information about phone network operator.

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

Checks CPU information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-09 23:11

Signatures

Attempts to obfuscate APK file format

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A
Allows an app to post notifications. | android.permission.POST_NOTIFICATIONS | N/A | N/A
Allows an application broad access to external storage in scoped storage. | android.permission.MANAGE_EXTERNAL_STORAGE | N/A | N/A
Allows read access to the device's phone number(s). | android.permission.READ_PHONE_NUMBERS | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 23:11

Reported

2024-11-09 23:13

Platform

android-x86-arm-20240624-en

Max time kernel

149s

Max time network

153s

Command Line

clwkgnl.kaxkneytg.ihdbbj.tczfdaot.hfanx.uuuyp

Signatures

XLoader payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

XLoader, MoqHao

trojan infostealer banker xloader_apk

Xloader_apk family

xloader_apk

Checks if the Android device is rooted.

evasion
Description | Indicator | Process | Target
N/A | /system/bin/su | N/A | N/A
N/A | /system/xbin/su | N/A | N/A
N/A | /sbin/su | N/A | N/A

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/clwkgnl.kaxkneytg.ihdbbj.tczfdaot.hfanx.uuuyp/app_picture/1.jpg | N/A | N/A
N/A | /data/user/0/clwkgnl.kaxkneytg.ihdbbj.tczfdaot.hfanx.uuuyp/app_picture/1.jpg | N/A | N/A
N/A | /data/user/0/clwkgnl.kaxkneytg.ihdbbj.tczfdaot.hfanx.uuuyp/app_picture/1.jpg | N/A | N/A
N/A | /data/user/0/clwkgnl.kaxkneytg.ihdbbj.tczfdaot.hfanx.uuuyp/files/b | N/A | N/A
N/A | /data/user/0/clwkgnl.kaxkneytg.ihdbbj.tczfdaot.hfanx.uuuyp/files/b | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries account information for other applications stored on the device

collection
Description | Indicator | Process | Target
Framework service call | android.accounts.IAccountManager.getAccounts | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Reads the content of the MMS message.

collection
Description | Indicator | Process | Target
URI accessed for read | content://mms/ | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Reads information about phone network operator.

discovery

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Processes

clwkgnl.kaxkneytg.ihdbbj.tczfdaot.hfanx.uuuyp

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/clwkgnl.kaxkneytg.ihdbbj.tczfdaot.hfanx.uuuyp/app_picture/1.jpg --output-vdex-fd=46 --oat-fd=47 --oat-location=/data/user/0/clwkgnl.kaxkneytg.ihdbbj.tczfdaot.hfanx.uuuyp/app_picture/oat/x86/1.odex --compiler-filter=quicken --class-loader-context=&

Network

Country | Destination | Domain | Proto | Connections
N/A | 224.0.0.251:5353 | | udp | 1
GB | 142.250.200.42:443 | | tcp | 1
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp | 1
US | 1.1.1.1:53 | m.vk.com | udp | 1
RU | 87.240.132.67:443 | m.vk.com | tcp | 1
KR | 91.204.226.54:28899 | | tcp | 6
GB | 216.58.204.78:443 | | tcp | 1
US | 1.1.1.1:53 | android.apis.google.com | udp | 1
GB | 142.250.179.238:443 | android.apis.google.com | tcp | 1
KR | 91.204.226.54:28899 | | tcp | 62

Files

/data/data/clwkgnl.kaxkneytg.ihdbbj.tczfdaot.hfanx.uuuyp/app_picture/1.jpg

MD5 f1aa997367d5a8522736b95c8aa3935c
SHA1 b0c52f041f7104b31bd7344e301678707ba8a347
SHA256 751cdcc000eb40e7a5ba7c89a4b04f53e5f51c096bf9ac6bc2b55b9dc37e9eb4
SHA512 42556202518e007c760f9e025439ce9817148b289907607961a880ded926f7b2d489566945e619f6bc1cda693ce94dc62a42411f8b4ba5c8a73c6f3b8bb1bde8

/data/user/0/clwkgnl.kaxkneytg.ihdbbj.tczfdaot.hfanx.uuuyp/app_picture/1.jpg

MD5 9843aa53ebda84c8f0028add0e80d7ea
SHA1 1de1d10820460ac353ac6be407ecf2425576e121
SHA256 80a13bea3d86f8ef8573fcf741edfe5af98f71329fe3ec59c3a69ddff1201c1c
SHA512 b32e54d6c30aed42906ccb29e4da56e8a4acad04d287a554a0e1bad8b279a331c16caf732a2291a841fb3ee8cb83d098fd3278c0dbd973403eae792e38c51c69

/data/data/clwkgnl.kaxkneytg.ihdbbj.tczfdaot.hfanx.uuuyp/files/b

MD5 a08eb40c8f41932cdfbb171b11047499
SHA1 640df821c78b575ddc1fb1ba3150795ae8a38af2
SHA256 21de04b706537eb676cda25497d25ce84e45d132232f715656f81c1e66ea4767
SHA512 03512be8115948dadefab3d4490e82fe8ebf5baa79765ecb63aec0b1ffa97c29ab37d68abf628e35ecb186ac1e81b2f259d392891eef2633707288803921442c

/storage/emulated/0/.msg_device_id.txt

MD5 3a842487a779920e8364dcf847befbee
SHA1 dac50fe1a61a5588ffc0cbb6da0628ef000c79f9
SHA256 04ad3effbca573725e6cc22218d9438ff625efbed34da78a3975d9f1c0b51574
SHA512 acb9ecaad71ac614251f1e741814ed5c5098917e77fdf859256abc2856dbab965410d2f25baa81405bd1bfe3ce011e5d8895192b635a6ebb4d0e8c19dcea5176

/data/data/clwkgnl.kaxkneytg.ihdbbj.tczfdaot.hfanx.uuuyp/files/oat/b.cur.prof

MD5 d6fda1016bfee233b9c18e2d2f0f10ce
SHA1 7685e4cb4171c601284ca4a773177394e98daaf2
SHA256 0177084e32a284df96c972089929fe1465ce316edfb282ef10121459a872db8c
SHA512 f880eaf75ad92071c454413bcf9aa5aabaaa3e2963e3ee37ed904da2483c40462bd4349dbe4522816fa54e5007d0006c245e4f55dcaada7c86f097b1b6310e05