Malware Analysis Report

2024-11-13 17:37

Sample ID 241109-3x354avenb
Target 04a0b54d73a800d7086cde9188bdb132b0c2412c0a7077fb3872f111de7119f0.bin
SHA256 04a0b54d73a800d7086cde9188bdb132b0c2412c0a7077fb3872f111de7119f0
Tags
xloader_apk banker collection discovery evasion impact infostealer persistence stealth trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

04a0b54d73a800d7086cde9188bdb132b0c2412c0a7077fb3872f111de7119f0

Threat Level: Known bad

The file 04a0b54d73a800d7086cde9188bdb132b0c2412c0a7077fb3872f111de7119f0.bin was found to be: Known bad.

Malicious Activity Summary

xloader_apk banker collection discovery evasion impact infostealer persistence stealth trojan

XLoader payload

XLoader, MoqHao

Xloader_apk family

Checks if the Android device is rooted.

Removes its main activity from the application launcher

Queries account information for other applications stored on the device

Loads dropped Dex/Jar

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Queries the phone number (MSISDN for GSM devices)

Reads the content of the MMS message.

Acquires the wake lock

Reads information about phone network operator.

Attempts to obfuscate APK file format

Requests disabling of battery optimizations (often used to enable hiding in the background).

Requests dangerous framework permissions

Declares services with permission to bind to the system

Makes use of the framework's foreground persistence service

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

Checks CPU information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-09 23:54

Signatures

Attempts to obfuscate APK file format

Declares services with permission to bind to the system

Description Indicator Process Target
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. android.permission.BIND_NOTIFICATION_LISTENER_SERVICE N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows access to the list of accounts in the Accounts Service. android.permission.GET_ACCOUNTS N/A N/A
Allows an app to post notifications. android.permission.POST_NOTIFICATIONS N/A N/A
Allows an application a broad access to external storage in scoped storage. android.permission.MANAGE_EXTERNAL_STORAGE N/A N/A
Allows read access to the device's phone number(s). android.permission.READ_PHONE_NUMBERS N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 23:54

Reported

2024-11-09 23:57

Platform

android-x86-arm-20240624-en

Max time kernel

149s

Max time network

153s

Command Line

bxzjnzo.wftphjhmf.cdlotw.jgdgjmbh.meuad.nxcip

Signatures

XLoader payload

XLoader, MoqHao

trojan infostealer banker xloader_apk

Xloader_apk family

xloader_apk

Checks if the Android device is rooted.

evasion
Description Indicator Process Target
N/A /system/xbin/su N/A N/A
N/A /sbin/su N/A N/A
N/A /system/bin/su N/A N/A

Removes its main activity from the application launcher

stealth trojan evasion
Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/bxzjnzo.wftphjhmf.cdlotw.jgdgjmbh.meuad.nxcip/app_picture/1.jpg (loaded 3 times) N/A N/A
N/A /data/user/0/bxzjnzo.wftphjhmf.cdlotw.jgdgjmbh.meuad.nxcip/files/b (loaded 2 times) N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries account information for other applications stored on the device

collection
Description Indicator Process Target
Framework service call android.accounts.IAccountManager.getAccounts N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Reads the content of the MMS message.

collection
Description Indicator Process Target
URI accessed for read content://mms/ N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Reads information about phone network operator.

discovery

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Processes

bxzjnzo.wftphjhmf.cdlotw.jgdgjmbh.meuad.nxcip

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/bxzjnzo.wftphjhmf.cdlotw.jgdgjmbh.meuad.nxcip/app_picture/1.jpg --output-vdex-fd=46 --oat-fd=47 --oat-location=/data/user/0/bxzjnzo.wftphjhmf.cdlotw.jgdgjmbh.meuad.nxcip/app_picture/oat/x86/1.odex --compiler-filter=quicken --class-loader-context=&

Network

Country Destination Domain Proto (consecutive identical rows collapsed; connection count in parentheses)
N/A 224.0.0.251:5353 N/A udp
GB 216.58.213.10:443 N/A tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
US 1.1.1.1:53 m.vk.com udp
RU 87.240.132.67:443 m.vk.com tcp
KR 91.204.226.54:28899 N/A tcp (6 connections)
GB 142.250.200.46:443 N/A tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.206:443 android.apis.google.com tcp
KR 91.204.226.54:28899 N/A tcp (6 connections)
GB 216.58.213.10:443 semanticlocation-pa.googleapis.com tcp
KR 91.204.226.54:28899 N/A tcp (52 connections)

Files

/data/data/bxzjnzo.wftphjhmf.cdlotw.jgdgjmbh.meuad.nxcip/app_picture/1.jpg

MD5 d20ab3a32b5c00f82014922a703708b5
SHA1 9591ee19ff3233214f65199e83faedf4482d9c80
SHA256 adce7f2c7f3c1840856ff8c288a3fc9f6befde33189b771ae4a36178d5f3390e
SHA512 ae4f55d6ca7161a0d4442e2211ee4125a637e722646a498e5ed3a62125cca2d1fdd984487cda8a2525add4e5deffae191c165fb023c9ed4855f66cb459b9a093

/data/user/0/bxzjnzo.wftphjhmf.cdlotw.jgdgjmbh.meuad.nxcip/app_picture/1.jpg

MD5 7641c90b33c42dc7b5e7ddef6c968073
SHA1 a49cc7bca4c8a77126dc420f171017b8d2f7fd8a
SHA256 e7d50555e8206e041dc83faeb914a04f0033548fbd8c80fee1bfaa648c9178b6
SHA512 515b6f06cb907e8dc95caf3aa8a5ad9783c291dce9c132f9ea0dddbcd1019d44bea43e8d3b9d55305b3d15ce8dd8740917830a4f3f5e3aad8438e3b015fea172

/data/data/bxzjnzo.wftphjhmf.cdlotw.jgdgjmbh.meuad.nxcip/files/b

MD5 a08eb40c8f41932cdfbb171b11047499
SHA1 640df821c78b575ddc1fb1ba3150795ae8a38af2
SHA256 21de04b706537eb676cda25497d25ce84e45d132232f715656f81c1e66ea4767
SHA512 03512be8115948dadefab3d4490e82fe8ebf5baa79765ecb63aec0b1ffa97c29ab37d68abf628e35ecb186ac1e81b2f259d392891eef2633707288803921442c

/storage/emulated/0/.msg_device_id.txt

MD5 2e31384e090539cce5b362765402c09d
SHA1 f98a5f1a526a8a05e258a4aa4af3ee5319b2511d
SHA256 0e4f6d45dee7d598c6f3e13b4f5d7aa025f6f7434b419d0590bb1dcbfa8ef9ca
SHA512 276c98e2c93b6a8f44ed725794e58a33e917c4a25f45d32104266ae6ffb8004cdda4dfb2cbff7c553f68e17630ee6e3723cd7ea0228b31665224efaa06fae561

/data/data/bxzjnzo.wftphjhmf.cdlotw.jgdgjmbh.meuad.nxcip/files/oat/b.cur.prof

MD5 97203ece84dcf1eaea8d36b0a4d630ec
SHA1 6e82c98368221333bc31f4adb8b540e2f993cee9
SHA256 c3119a74673fe0a7fc4de24cf7f3f74d49fabd0e31bf51950a6efd1b23cabac9
SHA512 82d9633c61096de9bcec9635e1ccaad8e05f7f1bb4463edb2d6a516495b50005f98c60d57d683df02b5eb411cf7e308b045e0bb785c573df9b6d1df5cdb14700