xloader_apk | 2e5201fbc9dddbb5da33258097547005492d097af3ff388406b480b421b1aa12

Analysis

max time kernel
149s
max time network
154s
platform
android_x86
resource
android-x86-arm-20240624-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20240624-enlocale:en-usos:android-9-x86system
submitted
14-11-2024 22:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2e5201fbc9dddbb5da33258097547005492d097af3ff388406b480b421b1aa12.apk
Size

260KB
MD5

17d0ecc32350c9243575177f81a72e80
SHA1

0e97a9878161f55c7b73e0d89da9a404794e7d88
SHA256

2e5201fbc9dddbb5da33258097547005492d097af3ff388406b480b421b1aa12
SHA512

1231917e8bdfb4a04e840e8a2636d18382762715ad264368c40033639adb91472a3706da1ed91b387471fa84bced73334845e5d5ee1ebbf4a59ea2ea4a34d048
SSDEEP

6144:fMpVMfeUwgDW/tP7g5h67Xcb0RiKLuiCTPm4G4mIGKeCYGn7Vecd:UZAWB5XcbUh2TO4MHGnF

Score

10^/10

xloader_apk banker collection discovery evasion impact infostealer persistence stealth trojan

Malware Config

Extracted

Family

xloader_apk

http://91.204.226.54:28899

DES_key

Signatures

XLoader payload 1 IoCs

Processes:

resource	yara_rule
/data/data/jwnywtq.rusofrzmr.xtvede.ahwpqmgm.vqghh.rdzdv/files/b	family_xloader_apk2

XLoader, MoqHao
An Android banker and info stealer.
trojan infostealer banker xloader_apk
Xloader_apk family
xloader_apk

Checks if the Android device is rooted. 1 TTPs 3 IoCs

evasion

System Information Discovery

T1426

Processes:

jwnywtq.rusofrzmr.xtvede.ahwpqmgm.vqghh.rdzdv

ioc	process
/system/xbin/su	jwnywtq.rusofrzmr.xtvede.ahwpqmgm.vqghh.rdzdv
/sbin/su	jwnywtq.rusofrzmr.xtvede.ahwpqmgm.vqghh.rdzdv
/system/bin/su	jwnywtq.rusofrzmr.xtvede.ahwpqmgm.vqghh.rdzdv

Removes its main activity from the application launcher 1 TTPs 1 IoCs
stealth trojan evasion

Suppress Application Icon
T1628.001

Processes:

jwnywtq.rusofrzmr.xtvede.ahwpqmgm.vqghh.rdzdv

pid process

4316 jwnywtq.rusofrzmr.xtvede.ahwpqmgm.vqghh.rdzdv

pid	process
4316	jwnywtq.rusofrzmr.xtvede.ahwpqmgm.vqghh.rdzdv

Loads dropped Dex/Jar 1 TTPs 5 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

Processes:

jwnywtq.rusofrzmr.xtvede.ahwpqmgm.vqghh.rdzdv/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/jwnywtq.rusofrzmr.xtvede.ahwpqmgm.vqghh.rdzdv/app_picture/1.jpg --output-vdex-fd=46 --oat-fd=47 --oat-location=/data/user/0/jwnywtq.rusofrzmr.xtvede.ahwpqmgm.vqghh.rdzdv/app_picture/oat/x86/1.odex --compiler-filter=quicken --class-loader-context=&

ioc	pid	process
/data/user/0/jwnywtq.rusofrzmr.xtvede.ahwpqmgm.vqghh.rdzdv/app_picture/1.jpg	4316	jwnywtq.rusofrzmr.xtvede.ahwpqmgm.vqghh.rdzdv
/data/user/0/jwnywtq.rusofrzmr.xtvede.ahwpqmgm.vqghh.rdzdv/app_picture/1.jpg	4342	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/jwnywtq.rusofrzmr.xtvede.ahwpqmgm.vqghh.rdzdv/app_picture/1.jpg --output-vdex-fd=46 --oat-fd=47 --oat-location=/data/user/0/jwnywtq.rusofrzmr.xtvede.ahwpqmgm.vqghh.rdzdv/app_picture/oat/x86/1.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/jwnywtq.rusofrzmr.xtvede.ahwpqmgm.vqghh.rdzdv/app_picture/1.jpg	4316	jwnywtq.rusofrzmr.xtvede.ahwpqmgm.vqghh.rdzdv
/data/user/0/jwnywtq.rusofrzmr.xtvede.ahwpqmgm.vqghh.rdzdv/files/b	4316	jwnywtq.rusofrzmr.xtvede.ahwpqmgm.vqghh.rdzdv
/data/user/0/jwnywtq.rusofrzmr.xtvede.ahwpqmgm.vqghh.rdzdv/files/b	4316	jwnywtq.rusofrzmr.xtvede.ahwpqmgm.vqghh.rdzdv

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Queries account information for other applications stored on the device 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect account information stored on the device.
collection

Stored Application Data
T1409

Processes:

jwnywtq.rusofrzmr.xtvede.ahwpqmgm.vqghh.rdzdv

description ioc process

Framework service call android.accounts.IAccountManager.getAccounts jwnywtq.rusofrzmr.xtvede.ahwpqmgm.vqghh.rdzdv
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422
Reads the content of the MMS message. 1 TTPs 1 IoCs
collection

SMS Messages
T1636.004

Processes:

jwnywtq.rusofrzmr.xtvede.ahwpqmgm.vqghh.rdzdv

description ioc process

URI accessed for read content://mms/ jwnywtq.rusofrzmr.xtvede.ahwpqmgm.vqghh.rdzdv
Acquires the wake lock 1 IoCs

Processes:

jwnywtq.rusofrzmr.xtvede.ahwpqmgm.vqghh.rdzdv

description ioc process

Framework service call android.os.IPowerManager.acquireWakeLock jwnywtq.rusofrzmr.xtvede.ahwpqmgm.vqghh.rdzdv
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
evasion persistence

Foreground Persistence
T1541

Processes:

jwnywtq.rusofrzmr.xtvede.ahwpqmgm.vqghh.rdzdv

description ioc process

Framework service call android.app.IActivityManager.setServiceForeground jwnywtq.rusofrzmr.xtvede.ahwpqmgm.vqghh.rdzdv
Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
evasion

User Evasion
T1628.002

Processes:

jwnywtq.rusofrzmr.xtvede.ahwpqmgm.vqghh.rdzdv

description ioc process

Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS jwnywtq.rusofrzmr.xtvede.ahwpqmgm.vqghh.rdzdv
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
persistence

Broadcast Receivers
T1624.001

Processes:

jwnywtq.rusofrzmr.xtvede.ahwpqmgm.vqghh.rdzdv

description ioc process

Framework service call android.app.IActivityManager.registerReceiver jwnywtq.rusofrzmr.xtvede.ahwpqmgm.vqghh.rdzdv
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
impact

Data Encrypted for Impact
T1471

Processes:

jwnywtq.rusofrzmr.xtvede.ahwpqmgm.vqghh.rdzdv

description ioc process

Framework API call javax.crypto.Cipher.doFinal jwnywtq.rusofrzmr.xtvede.ahwpqmgm.vqghh.rdzdv
Checks CPU information 2 TTPs 1 IoCs

System Checks
T1633.001

System Information Discovery
T1426

Processes:

jwnywtq.rusofrzmr.xtvede.ahwpqmgm.vqghh.rdzdv

description ioc process

File opened for read /proc/cpuinfo jwnywtq.rusofrzmr.xtvede.ahwpqmgm.vqghh.rdzdv

description	ioc	process
Framework service call	android.accounts.IAccountManager.getAccounts	jwnywtq.rusofrzmr.xtvede.ahwpqmgm.vqghh.rdzdv

description	ioc	process
URI accessed for read	content://mms/	jwnywtq.rusofrzmr.xtvede.ahwpqmgm.vqghh.rdzdv

description	ioc	process
Framework service call	android.os.IPowerManager.acquireWakeLock	jwnywtq.rusofrzmr.xtvede.ahwpqmgm.vqghh.rdzdv

description	ioc	process
Framework service call	android.app.IActivityManager.setServiceForeground	jwnywtq.rusofrzmr.xtvede.ahwpqmgm.vqghh.rdzdv

description	ioc	process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	jwnywtq.rusofrzmr.xtvede.ahwpqmgm.vqghh.rdzdv

description	ioc	process
Framework service call	android.app.IActivityManager.registerReceiver	jwnywtq.rusofrzmr.xtvede.ahwpqmgm.vqghh.rdzdv

description	ioc	process
Framework API call	javax.crypto.Cipher.doFinal	jwnywtq.rusofrzmr.xtvede.ahwpqmgm.vqghh.rdzdv

description	ioc	process
File opened for read	/proc/cpuinfo	jwnywtq.rusofrzmr.xtvede.ahwpqmgm.vqghh.rdzdv

jwnywtq.rusofrzmr.xtvede.ahwpqmgm.vqghh.rdzdv
1⤵
- Checks if the Android device is rooted.
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Queries account information for other applications stored on the device
- Reads the content of the MMS message.
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
PID:4316
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/jwnywtq.rusofrzmr.xtvede.ahwpqmgm.vqghh.rdzdv/app_picture/1.jpg --output-vdex-fd=46 --oat-fd=47 --oat-location=/data/user/0/jwnywtq.rusofrzmr.xtvede.ahwpqmgm.vqghh.rdzdv/app_picture/oat/x86/1.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4342

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Foreground Persistence

T1541

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Foreground Persistence

T1541

Hide Artifacts

T1628

Suppress Application Icon

T1628.001

User Evasion

T1628.002

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Discovery

Software Discovery

T1418

Security Software Discovery

T1418.001

System Information Discovery

T1426

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Protected User Data

T1636

SMS Messages

T1636.004

Stored Application Data

T1409

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/jwnywtq.rusofrzmr.xtvede.ahwpqmgm.vqghh.rdzdv/app_picture/1.jpg

Filesize
7KB

MD5
be58665373b29cf312659fc3749f513e

SHA1
ae5aca5f0ea5d2204800feb6df5690066c37de53

SHA256
b8f86dbad2e37fc15ee44a515e51d0b052716945548b6103c78961308a899082

SHA512
a5034667a06acebecf05b43b8448cf72ab1b478648a1a4d0348027f6f844baac2cc74e2edca0b2e1a0d582d8dd5dff243c8ada3f88c1c51788ee9fe2bd37365c

Download Submit
/data/data/jwnywtq.rusofrzmr.xtvede.ahwpqmgm.vqghh.rdzdv/files/b

Filesize
446KB

MD5
3e04a3b314779ab7b515b04648084b64

SHA1
4b76a4fb951eb54b6c8593f50f4b7cc58b2997f1

SHA256
d24fc9979ea6d5e9a278ac59c422f3b189adbe5671a3be0f8e44c52a50af78b7

SHA512
cc87dbada39c5c2396c105d0a7dc9351ef70621261f5a892ecee526b4eac769e721f97ec1913f37dc092d46393c0f6a5d75dfb43fdcb6270236fa8a633ffe984

Download Submit
/data/data/jwnywtq.rusofrzmr.xtvede.ahwpqmgm.vqghh.rdzdv/files/oat/b.cur.prof

Filesize
1KB

MD5
e1ca883290714c50bffadc3f19b3a6fb

SHA1
7eb98b8bd4ddd3f6e712cc212ad9ef96bea58077

SHA256
965ec3971e5566a3e3743e320dd98afe4e6ebe33248d04aac9dca005dc001e45

SHA512
ffcced80a09eede4a2164b4d0b5cb6203df9e5461781430df7f00e5f39ae584380779c2d8996f700d32e13594477508b9cc0faea2a17502cc0bc658db8bce326

Download Submit
/data/data/jwnywtq.rusofrzmr.xtvede.ahwpqmgm.vqghh.rdzdv/files/oat/b.cur.prof

Filesize
1KB

MD5
e998f70c3c1d41f8a7f2f1ff724d72d3

SHA1
8cd22c7a7ac598b3296ebff7b48296fa9a71254d

SHA256
2ec9c205d283108d0cc09b1d91b871d6ae20d69140920fd830e3d3fc0eed1dd2

SHA512
efb62fbd5fca1ba21ac1bccd7b2c92cd4dd9497217326e6e356bb30372175df68ecc8796847f770cee85d5c2c0246b9d1f816ee30081ef6c193604d904ec9831

Download Submit
/data/data/jwnywtq.rusofrzmr.xtvede.ahwpqmgm.vqghh.rdzdv/files/oat/b.cur.prof

Filesize
1KB

MD5
127a036e92df6387c1d842ac90cc63f3

SHA1
80c1606bbdcce0735e35d762cb5c92abddc788c0

SHA256
d371942b6f61c91295d2b3333f302fbd5e522dd739301178af563949ac246f85

SHA512
60d10108d0efde043a59fc50d17a8339be448cebc1a5bd143720192e8b9ba05e57266129e39dcd4881d6475e8c6b820c63de28f1a481c7cebe7a34a809070269

Download Submit
/data/user/0/jwnywtq.rusofrzmr.xtvede.ahwpqmgm.vqghh.rdzdv/app_picture/1.jpg

Filesize
7KB

MD5
d43279394ef3ae6d1969087560e15169

SHA1
fe8e2f8453187fd566c28090ad55b29c5032107b

SHA256
a11156410ecfec0d5aebb3c2056414b45ce0d12d590296cc71957f64f7fb7466

SHA512
044bb2af652210eb49c8bb769d32c60bbc3a7b7ad70109f3f15d8e8d3e1a62d55ed028916dd2cdb52a8eec9079333f663563fd6fb4f49de7b57ca69b70d93781

Download Submit
/storage/emulated/0/.msg_device_id.txt

Filesize
36B

MD5
1e1058eb10d7eeeb07f11e9066cac1da

SHA1
d3729236b07461ec2da277d93456768c01a45465

SHA256
55ba33a4bf4771c58df7e0ff8ae961d621edbcc9a49f2af76594007627f7d63f

SHA512
5b6191d67b583e0a91da34eb2c49e65540e7ed9977306623b09b8b82b06a477464cf3344c6b6dde6a422ae9267d45d1cf8c01e141b0eeb28b0a8d4d58c7641f4

Download Submit