Overview

overview

10

Static

static

6

43cfd99c3b...1a.apk

android-9-x86

10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    android-9_x86
  • resource
    android-x86-arm-20240910-en
  • resource tags

    arch:armarch:x86image:android-x86-arm-20240910-enlocale:en-usos:android-9-x86system
  • submitted
    22-11-2024 22:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    43cfd99c3be5ae2b4ca1148564da562d0dbe98748ba09e465de2d2ec0d775b1a.apk

  • Size

    260KB

  • MD5

    84e0de91d83746dc611ef6853652d76a

  • SHA1

    3a2741d9756f4c7a79487ecbacd9d2712f4526f3

  • SHA256

    43cfd99c3be5ae2b4ca1148564da562d0dbe98748ba09e465de2d2ec0d775b1a

  • SHA512

    fb155a932bcf41465522f00ecf5dc9163e36ab665aeb41b4bc998bf77ea93500b16009b8a3409fe31c0bc5da0e402416a3d7bce000dd423954287d5b94c9bd1b

  • SSDEEP

    6144:RBeUwUngxlfbwxh67rcbSRUKLuiWTPm4S4mEGAeCYggn:+n9rcbO3qTO44BN

Score
10/10
xloader_apkbankercollectiondiscoveryevasionimpactinfostealerpersistencestealthtrojan

Malware Config

Extracted

Family

xloader_apk

C2

http://91.204.226.54:28899

DES_key

Signatures

  • XLoader payload 1 IoCs
  • XLoader, MoqHao

    An Android banker and info stealer.

    trojaninfostealerbankerxloader_apk
  • Xloader_apk family
    xloader_apk
  • Checks if the Android device is rooted. 1 TTPs 3 IoCs
    evasion
  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
    stealthtrojanevasion
  • Loads dropped Dex/Jar 1 TTPs 5 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
    bankerdiscovery
  • Queries account information for other applications stored on the device 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect account information stored on the device.

    collection
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Reads the content of the MMS message. 1 TTPs 1 IoCs
    collection
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    evasionpersistence
  • Reads information about phone network operator. 1 TTPs
    discovery
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
    evasion
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
    persistence
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
    impact
  • Checks CPU information 2 TTPs 1 IoCs

Processes

  • cdevgpe.lfwynbrsd.jfiktu.velulwrp.uydev.eqcjd
    1⤵
    • Checks if the Android device is rooted.
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Queries account information for other applications stored on the device
    • Reads the content of the MMS message.
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Uses Crypto APIs (Might try to encrypt user data)
    • Checks CPU information
    PID:4340
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/cdevgpe.lfwynbrsd.jfiktu.velulwrp.uydev.eqcjd/app_picture/1.jpg --output-vdex-fd=46 --oat-fd=47 --oat-location=/data/user/0/cdevgpe.lfwynbrsd.jfiktu.velulwrp.uydev.eqcjd/app_picture/oat/x86/1.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4365

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/cdevgpe.lfwynbrsd.jfiktu.velulwrp.uydev.eqcjd/app_picture/1.jpg
    Filesize

    7KB

    MD5

    53f8ff9d95d4298abee77f4c9bf97153

    SHA1

    26ba45003685a0e7acbc9e79b3ba9c0d7cbfbf17

    SHA256

    c30dff1e8d0501e89bbf00d4e9cc03b65400750097a9eb7ec48c889b2715873b

    SHA512

    faf4de5d3ad72071d2293ca0757f51d36154b902dc0613003f1c025402f697b562b6acf34cec229d87bd63162448c9288a2639e39cdd2404e78fa38d6987567d

    Download Submit

  • /data/data/cdevgpe.lfwynbrsd.jfiktu.velulwrp.uydev.eqcjd/files/b
    Filesize

    446KB

    MD5

    3e04a3b314779ab7b515b04648084b64

    SHA1

    4b76a4fb951eb54b6c8593f50f4b7cc58b2997f1

    SHA256

    d24fc9979ea6d5e9a278ac59c422f3b189adbe5671a3be0f8e44c52a50af78b7

    SHA512

    cc87dbada39c5c2396c105d0a7dc9351ef70621261f5a892ecee526b4eac769e721f97ec1913f37dc092d46393c0f6a5d75dfb43fdcb6270236fa8a633ffe984

    Download Submit

  • /data/data/cdevgpe.lfwynbrsd.jfiktu.velulwrp.uydev.eqcjd/files/oat/b.cur.prof
    Filesize

    1KB

    MD5

    ca746b4260cbd4a8658833113ca955c9

    SHA1

    750bdd055abf32ffd9d9278c6f9f8c2684e1f2ad

    SHA256

    995db17768a2185ad924973e7b5c6f1b8ae38e0c31188dea9a1484f447f38a5f

    SHA512

    ba90f70b91738983e5da05d8fd71c2063ebd6a48f38ff3859da9db7966fb447350b38541c195bc52cd5fcf6cb64edc2066099ce65d05de966de184048cad1831

    Download Submit

  • /data/user/0/cdevgpe.lfwynbrsd.jfiktu.velulwrp.uydev.eqcjd/app_picture/1.jpg
    Filesize

    7KB

    MD5

    75ffbced0e29d00766dd997a69c94348

    SHA1

    6df8d6fbb3075eff624020a50f222951676cda83

    SHA256

    9b94d57d447aa179ad7593ea45f99fb4e20740ee5d3518376e1047193b71812e

    SHA512

    75dc4b940d2bbfcfa5d3ec680c989a8ea926e3d4757a2d8c26d81a995dcdb3ca36f897a42678256c85f38e3751f74533e4b9162fe1865bc56afb5354d785a716

    Download Submit

  • /storage/emulated/0/.msg_device_id.txt
    Filesize

    36B

    MD5

    df02a3873edcdd0405656e643982bf85

    SHA1

    bc579151dc72e0357bbbde9f3f768c6816bdef9a

    SHA256

    9f9e60d6ee7e506ab543e72357aea8a145d1ba259a43c25e04eda696a3777db7

    SHA512

    4f046cff4591785a3ed9e5dde28cf225aed84ebce9d31987e17368bd6277b1d73b6363a93f1fcaa03251b957a41dd740e70a22a239f8a53aeed568842499e3af

    Download Submit