Analysis
-
max time kernel
149s -
max time network
152s -
platform
android-9_x86 -
resource
android-x86-arm-20240910-en -
resource tags
arch:armarch:x86image:android-x86-arm-20240910-enlocale:en-usos:android-9-x86system -
submitted
17-11-2024 22:05
Static task
static1
Behavioral task
behavioral1
Sample
fec5a2da9514383e4ce09e855dbef2161601925bff8a15000358b083672eed7d.apk
Resource
android-x86-arm-20240910-en
Behavioral task
behavioral2
Sample
fec5a2da9514383e4ce09e855dbef2161601925bff8a15000358b083672eed7d.apk
Resource
android-x64-20240624-en
Behavioral task
behavioral3
Sample
fec5a2da9514383e4ce09e855dbef2161601925bff8a15000358b083672eed7d.apk
Resource
android-x64-arm64-20240910-en
General
-
Target
fec5a2da9514383e4ce09e855dbef2161601925bff8a15000358b083672eed7d.apk
-
Size
429KB
-
MD5
c48c6cce68b536f24db5d6aa055af8a1
-
SHA1
e638aa4e31ff5335121e07b80906d38a1fc660ca
-
SHA256
fec5a2da9514383e4ce09e855dbef2161601925bff8a15000358b083672eed7d
-
SHA512
c391711cacda670f8bfbc7c412a646b53b29280ba67c7253d2f4b783b66884ac0c1be5f64946e10e113820c44a38a5805b5c41058e8fea51d0ed272bd16e3029
-
SSDEEP
12288:GJbw6387oCRCGsz0f60mKaimKTm0IawfCsvvihxRxg:GJbqfLmgm0VeKxRO
Malware Config
Signatures
-
XLoader payload 1 IoCs
resource yara_rule behavioral1/files/fstream-1.dat family_xloader_apk2 -
XLoader, MoqHao
An Android banker and info stealer.
-
Xloader_apk family
-
Checks if the Android device is rooted. 1 TTPs 3 IoCs
ioc Process /system/bin/su com.xwh.ostp /system/xbin/su com.xwh.ostp /sbin/su com.xwh.ostp -
pid Process 4215 com.xwh.ostp -
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs executable file dropped to the device during analysis.
ioc pid Process /data/user/0/com.xwh.ostp/files/dex 4215 com.xwh.ostp /data/user/0/com.xwh.ostp/files/dex 4215 com.xwh.ostp -
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Reads the content of the MMS message. 1 TTPs 1 IoCs
description ioc Process URI accessed for read content://mms/ com.xwh.ostp -
Acquires the wake lock 1 IoCs
description ioc Process Framework service call android.os.IPowerManager.acquireWakeLock com.xwh.ostp -
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
description ioc Process Framework service call android.app.IActivityManager.setServiceForeground com.xwh.ostp -
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
description ioc Process Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS com.xwh.ostp -
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
description ioc Process Framework service call android.app.IActivityManager.registerReceiver com.xwh.ostp
Processes
-
com.xwh.ostp1⤵
- Checks if the Android device is rooted.
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Reads the content of the MMS message.
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Registers a broadcast receiver at runtime (usually for listening for system events)
PID:4215
Network
MITRE ATT&CK Mobile v15
Persistence
Event Triggered Execution
1Broadcast Receivers
1Foreground Persistence
1Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Hide Artifacts
2Suppress Application Icon
1User Evasion
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
679KB
MD51f89f8d0a3382d159d9dc1e2bc8bdb77
SHA1496bf9154ee301dac61f51c0ea5ab08fc92aa1b2
SHA256cab54f7117f2f589638caa01ba22eab869cace5d0d4d2d6dfd2a5324a965647d
SHA51220b0dff779594e941ddf953be851c0166b305d5896b6f541fee3bdcb31a9db6627ea306d2b553a2a8fae0f9664cceeecbba773019d5595ef61d9735e6cb2f604