Analysis

  • max time kernel
    149s
  • max time network
    155s
  • platform
    android_x86
  • resource
    android-x86-arm-20240624-en
  • resource tags

    android, arch:arm, arch:x86, image:android-x86-arm-20240624-en, locale:en-us, os:android-9-x86, system
  • submitted
    11/12/2024, 22:06 UTC

General

  • Target

    a828dd226fc53b5fc16af89c8386f2381551a0c1620f2a81564b3fd8b9ffb5ce.apk

  • Size

    260KB

  • MD5

    9f5e7fabc04eb71311931f5a9d045dea

  • SHA1

    e917690b247178b292748d17f8c88a003aba16c6

  • SHA256

    a828dd226fc53b5fc16af89c8386f2381551a0c1620f2a81564b3fd8b9ffb5ce

  • SHA512

    b3d353ad0e46216de5c98a03043fd509b486cc33904719c7909926315a5b2cdbbc47fb7bf7d681796ba5061ef42ca98aedd3dfbe00391e0d46e53b2da1922493

  • SSDEEP

    6144:OLZbLMpu6uRIgWSAnlJ04I+q5FHJtl1rrAjEzjwFaJHP:OdLeSIgilJc5FzHCuwUJv

Malware Config

Extracted

Family

xloader_apk

C2

http://91.204.226.54:28899

DES_key
1
4162356431513332

Signatures

  • XLoader payload 1 IoCs
  • XLoader, MoqHao

    An Android banker and info stealer.

  • Xloader_apk family
  • Checks if the Android device is rooted. 1 TTPs 3 IoCs
  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 5 IoCs

    Runs executable file dropped to the device during analysis.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Queries account information for other applications stored on the device 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect account information stored on the device.

  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Reads the content of the MMS message. 1 TTPs 1 IoCs
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Reads information about phone network operator. 1 TTPs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
  • Checks CPU information 2 TTPs 1 IoCs

Processes

  • qjvxvwo.yivpeirix.jxoukm.mxcxzpaw
    1⤵
    • Checks if the Android device is rooted.
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Queries account information for other applications stored on the device
    • Reads the content of the MMS message.
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Uses Crypto APIs (Might try to encrypt user data)
    • Checks CPU information
    PID:4259
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/qjvxvwo.yivpeirix.jxoukm.mxcxzpaw/app_picture/1.jpg --output-vdex-fd=47 --oat-fd=48 --oat-location=/data/user/0/qjvxvwo.yivpeirix.jxoukm.mxcxzpaw/app_picture/oat/x86/1.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4284

Network

  • flag-us
    DNS
    semanticlocation-pa.googleapis.com
    Remote address:
    1.1.1.1:53
    Request
    semanticlocation-pa.googleapis.com
    IN A
    Response
    semanticlocation-pa.googleapis.com
    IN A
    142.250.200.42
    semanticlocation-pa.googleapis.com
    IN A
    216.58.213.10
    semanticlocation-pa.googleapis.com
    IN A
    216.58.212.202
    semanticlocation-pa.googleapis.com
    IN A
    142.250.187.202
    semanticlocation-pa.googleapis.com
    IN A
    172.217.169.74
    semanticlocation-pa.googleapis.com
    IN A
    172.217.169.10
    semanticlocation-pa.googleapis.com
    IN A
    216.58.204.74
    semanticlocation-pa.googleapis.com
    IN A
    142.250.187.234
    semanticlocation-pa.googleapis.com
    IN A
    142.250.178.10
    semanticlocation-pa.googleapis.com
    IN A
    172.217.16.234
    semanticlocation-pa.googleapis.com
    IN A
    142.250.180.10
    semanticlocation-pa.googleapis.com
    IN A
    142.250.200.10
    semanticlocation-pa.googleapis.com
    IN A
    216.58.201.106
    semanticlocation-pa.googleapis.com
    IN A
    142.250.179.234
  • flag-us
    DNS
    m.vk.com
    Remote address:
    1.1.1.1:53
    Request
    m.vk.com
    IN A
    Response
    m.vk.com
    IN A
    93.186.225.194
    m.vk.com
    IN A
    87.240.132.72
    m.vk.com
    IN A
    87.240.132.78
    m.vk.com
    IN A
    87.240.129.133
    m.vk.com
    IN A
    87.240.132.67
    m.vk.com
    IN A
    87.240.137.164
  • flag-ru
    GET
    https://m.vk.com/id730149630?act=info
    Remote address:
    93.186.225.194:443
    Request
    GET /id730149630?act=info HTTP/1.1
    User-Agent: Mozilla/5.0 (Linux; Android 8.0.0; SM-G955U Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Mobile Safari/537.36 Edg/112.0.0.0
    Upgrade-Insecure-Requests: 1
    Cookie: remixmdevice=390/844/3/!!!!!!!!!!!
    Referer: https://m.vk.com/id730149630?act=info
    Accept: text/html,*/*;q=0.8
    Accept-Encoding: gzip
    Accept-Language: zh-CN,zh;q=0.8,en;q=0.6
    Host: m.vk.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Server: kittenx
    Date: Wed, 11 Dec 2024 22:07:11 GMT
    Content-Type: text/html; charset=utf-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: KPHP/7.4.120092
    Set-Cookie: remixir=DELETED; expires=Thu, 01 Jan 1970 00:00:01 GMT; path=/; domain=.vk.com; secure; HttpOnly; SameSite=None
    Set-Cookie: remixlang=18; expires=Sat, 13 Dec 2025 16:09:53 GMT; path=/; domain=.vk.com; secure; SameSite=None
    Set-Cookie: remixstlid=9121247123939550213_Ox3hvZ6I3KCdyAucnKVzB3AkfgBzkuQeMG4znk0sneg; expires=Thu, 11 Dec 2025 22:07:11 GMT; path=/; domain=.vk.com; secure; SameSite=None
    Set-Cookie: remixir=DELETED; expires=Thu, 01 Jan 1970 00:00:01 GMT; path=/; domain=.vk.com; secure; HttpOnly; SameSite=None
    Set-Cookie: remixstid=1825916410_MMxWS1nrLIzmST1SQIyZFpAj2SQVwARnEB5U5tGwHYH; expires=Mon, 08 Dec 2025 23:21:00 GMT; path=/; domain=.vk.com; secure; SameSite=None
    Cache-control: no-store
    Content-Security-Policy: default-src * data: blob: about: vkcalls:;script-src 'self' https://vk.com https://*.vk.com https://vk.ru https://*.vk.ru https://static.vk.me https://*.mail.ru https://r.mradx.net https://s.ytimg.com https://platform.twitter.com https://cdn.syndication.twimg.com https://www.instagram.com https://connect.facebook.net https://telegram.org https://*.yandex.ru https://*.google-analytics.com https://*.youtube.com https://maps.googleapis.com https://translate.googleapis.com https://*.google.com https://google.com https://*.vkpartner.ru https://*.moatads.com https://*.adlooxtracking.ru https://*.serving-sys.ru https://*.weborama-tech.ru https://*.gstatic.com https://*.google.ru https://securepubads.g.doubleclick.net https://cdn.ampproject.org https://www.googletagmanager.com https://googletagmanager.com https://*.vk-cdn.net https://*.hit.gemius.pl https://yastatic.net https://analytics.tiktok.com 'unsafe-inline' 'unsafe-eval' blob:;style-src https://vk.com https://*.vk.com https://vk.ru https://*.vk.ru https://static.vk.me https://r.mradx.net https://ton.twimg.com https://tagmanager.google.com https://platform.twitter.com https://*.googleapis.com 'self' 'unsafe-inline';report-uri /csp
    X-XSS-Protection: 1; report=/xss_reports
    Reporting-Endpoints: default="https://m.vk.com/browser_reports?dest=default_reports"
    Content-Encoding: gzip
    Strict-Transport-Security: max-age=15768000
    X-Trace-Id: 7I0VtRx3F3xS5dc04YZkiQ1SX6oIIA
    Server-Timing: tid;desc="7I0VtRx3F3xS5dc04YZkiQ1SX6oIIA",front;dur=0.553
  • flag-us
    DNS
    android.apis.google.com
    Remote address:
    1.1.1.1:53
    Request
    android.apis.google.com
    IN A
    Response
    android.apis.google.com
    IN CNAME
    clients.l.google.com
    clients.l.google.com
    IN A
    216.58.204.78
  • 142.250.200.42:443
    tls, https
    202 B
    40 B
    1
    1
  • 93.186.225.194:443
    https://m.vk.com/id730149630?act=info
    tls, http
    2.8kB
    87.9kB
    40
    64

    HTTP Request

    GET https://m.vk.com/id730149630?act=info

    HTTP Response

    200
  • 91.204.226.54:28899
    447 B
    132 B
    6
    3
  • 91.204.226.54:28899
    447 B
    132 B
    6
    3
  • 91.204.226.54:28899
    447 B
    132 B
    6
    3
  • 91.204.226.54:28899
    447 B
    132 B
    6
    3
  • 91.204.226.54:28899
    447 B
    132 B
    6
    3
  • 216.58.204.78:443
    tls, https
    858 B
    40 B
    1
    1
  • 216.58.204.78:443
    android.apis.google.com
    tls
    4.7kB
    8.6kB
    14
    23
  • 91.204.226.54:28899
    447 B
    132 B
    6
    3
  • 91.204.226.54:28899
    447 B
    132 B
    6
    3
  • 91.204.226.54:28899
    447 B
    132 B
    6
    3
  • 91.204.226.54:28899
    447 B
    132 B
    6
    3
  • 91.204.226.54:28899
    447 B
    132 B
    6
    3
  • 91.204.226.54:28899
    447 B
    132 B
    6
    3
  • 91.204.226.54:28899
    447 B
    132 B
    6
    3
  • 91.204.226.54:28899
    447 B
    132 B
    6
    3
  • 91.204.226.54:28899
    407 B
    132 B
    5
    3
  • 91.204.226.54:28899
    447 B
    132 B
    6
    3
  • 91.204.226.54:28899
    407 B
    132 B
    5
    3
  • 91.204.226.54:28899
    407 B
    132 B
    5
    3
  • 91.204.226.54:28899
    447 B
    132 B
    6
    3
  • 91.204.226.54:28899
    407 B
    132 B
    5
    3
  • 91.204.226.54:28899
    447 B
    132 B
    6
    3
  • 91.204.226.54:28899
    447 B
    132 B
    6
    3
  • 91.204.226.54:28899
    447 B
    132 B
    6
    3
  • 91.204.226.54:28899
    407 B
    132 B
    5
    3
  • 91.204.226.54:28899
    447 B
    132 B
    6
    3
  • 91.204.226.54:28899
    447 B
    132 B
    6
    3
  • 91.204.226.54:28899
    407 B
    132 B
    5
    3
  • 91.204.226.54:28899
    447 B
    132 B
    6
    3
  • 91.204.226.54:28899
    447 B
    132 B
    6
    3
  • 91.204.226.54:28899
    447 B
    132 B
    6
    3
  • 91.204.226.54:28899
    447 B
    132 B
    6
    3
  • 91.204.226.54:28899
    447 B
    132 B
    6
    3
  • 91.204.226.54:28899
    407 B
    132 B
    5
    3
  • 91.204.226.54:28899
    447 B
    132 B
    6
    3
  • 91.204.226.54:28899
    407 B
    132 B
    5
    3
  • 91.204.226.54:28899
    407 B
    132 B
    5
    3
  • 91.204.226.54:28899
    407 B
    132 B
    5
    3
  • 91.204.226.54:28899
    447 B
    132 B
    6
    3
  • 91.204.226.54:28899
    447 B
    132 B
    6
    3
  • 91.204.226.54:28899
    407 B
    132 B
    5
    3
  • 91.204.226.54:28899
    407 B
    132 B
    5
    3
  • 91.204.226.54:28899
    407 B
    132 B
    5
    3
  • 91.204.226.54:28899
    407 B
    132 B
    5
    3
  • 91.204.226.54:28899
    447 B
    132 B
    6
    3
  • 91.204.226.54:28899
    447 B
    132 B
    6
    3
  • 91.204.226.54:28899
    447 B
    132 B
    6
    3
  • 91.204.226.54:28899
    447 B
    132 B
    6
    3
  • 91.204.226.54:28899
    447 B
    132 B
    6
    3
  • 91.204.226.54:28899
    447 B
    132 B
    6
    3
  • 91.204.226.54:28899
    447 B
    132 B
    6
    3
  • 91.204.226.54:28899
    447 B
    132 B
    6
    3
  • 91.204.226.54:28899
    407 B
    132 B
    5
    3
  • 91.204.226.54:28899
    447 B
    132 B
    6
    3
  • 91.204.226.54:28899
    407 B
    132 B
    5
    3
  • 91.204.226.54:28899
    447 B
    132 B
    6
    3
  • 91.204.226.54:28899
    447 B
    132 B
    6
    3
  • 91.204.226.54:28899
    447 B
    132 B
    6
    3
  • 91.204.226.54:28899
    447 B
    132 B
    6
    3
  • 91.204.226.54:28899
    447 B
    132 B
    6
    3
  • 91.204.226.54:28899
    447 B
    132 B
    6
    3
  • 91.204.226.54:28899
    447 B
    132 B
    6
    3
  • 91.204.226.54:28899
    447 B
    132 B
    6
    3
  • 91.204.226.54:28899
    407 B
    132 B
    5
    3
  • 91.204.226.54:28899
    447 B
    132 B
    6
    3
  • 91.204.226.54:28899
    447 B
    132 B
    6
    3
  • 91.204.226.54:28899
    447 B
    132 B
    6
    3
  • 91.204.226.54:28899
    447 B
    132 B
    6
    3
  • 224.0.0.251:5353
    3.7kB
    11
  • 1.1.1.1:53
    semanticlocation-pa.googleapis.com
    dns
    80 B
    304 B
    1
    1

    DNS Request

    semanticlocation-pa.googleapis.com

    DNS Response

    142.250.200.42
    216.58.213.10
    216.58.212.202
    142.250.187.202
    172.217.169.74
    172.217.169.10
    216.58.204.74
    142.250.187.234
    142.250.178.10
    172.217.16.234
    142.250.180.10
    142.250.200.10
    216.58.201.106
    142.250.179.234

  • 1.1.1.1:53
    m.vk.com
    dns
    54 B
    150 B
    1
    1

    DNS Request

    m.vk.com

    DNS Response

    93.186.225.194
    87.240.132.72
    87.240.132.78
    87.240.129.133
    87.240.132.67
    87.240.137.164

  • 1.1.1.1:53
    android.apis.google.com
    dns
    69 B
    109 B
    1
    1

    DNS Request

    android.apis.google.com

    DNS Response

    216.58.204.78

MITRE ATT&CK Mobile v15

Downloads

  • /data/data/qjvxvwo.yivpeirix.jxoukm.mxcxzpaw/app_picture/1.jpg

    Filesize

    7KB

    MD5

    ceb69db381c34be30a7452a4949e4bf9

    SHA1

    c0c45a2dd8f4cc88e95c415ae9db7ab704d71f04

    SHA256

    14d83213740ca6999833970af132527cf3b6b4c469100a17e313e12830395fb5

    SHA512

    9c9bfc382870558dcc2094970ccff9fea3037fec5ed5c1ec954db9c08f441f92465b3756fcd2ccbb6a044cf7e5737548523a662bc9dd522185f40c2e53ca3a82

  • /data/data/qjvxvwo.yivpeirix.jxoukm.mxcxzpaw/files/b

    Filesize

    446KB

    MD5

    3e04a3b314779ab7b515b04648084b64

    SHA1

    4b76a4fb951eb54b6c8593f50f4b7cc58b2997f1

    SHA256

    d24fc9979ea6d5e9a278ac59c422f3b189adbe5671a3be0f8e44c52a50af78b7

    SHA512

    cc87dbada39c5c2396c105d0a7dc9351ef70621261f5a892ecee526b4eac769e721f97ec1913f37dc092d46393c0f6a5d75dfb43fdcb6270236fa8a633ffe984

  • /data/data/qjvxvwo.yivpeirix.jxoukm.mxcxzpaw/files/oat/b.cur.prof

    Filesize

    1KB

    MD5

    898780ae455b3c908750c2a43405d152

    SHA1

    acbd107482dceb503e8ea610e14343d93bbed6c4

    SHA256

    b1c20475cb162c31de27f020a857a135e032aa02dae1cee04f4d3ab44a08b61c

    SHA512

    d3eb411b33074da998921243dc3807a1184ed41979fad673b596c179a13654f1cf88ca44aee32976f8e6659fac34795ce8655ef1adc98de6a9a0be86609d2f68

  • /data/user/0/qjvxvwo.yivpeirix.jxoukm.mxcxzpaw/app_picture/1.jpg

    Filesize

    7KB

    MD5

    7f00109e5773636d65e0b276b64971d1

    SHA1

    0d63627cd2b490b7ecdfe8d7ac96eec7e50cb613

    SHA256

    04dd1ab07b152eabc6d397ad9ef2a5efbce167931e9cb597458d0630217db1f3

    SHA512

    7f9d457bdc9f5e4e01d7816e65bcdf8402e398adb16a3df8a382ce99b6c8176c5a638eb8dd1268c318263aee3575970c41c1a0f5d5ff62c87e865b35f8afcfd7

  • /storage/emulated/0/.msg_device_id.txt

    Filesize

    36B

    MD5

    f8a8b8930e39bf309c309e3149ada7ed

    SHA1

    5f781a8c0b3372f1ec8f9a759dc106b3d2457017

    SHA256

    a24f9917f449234fff8a72941b4b315be2c6b8cef7b87fb2780265fc19ce18f3

    SHA512

    10d5e8f982c80c6397d0434cff2a53f134358164b72dec68e46a3b09a87f76411c043e6402c26e3c3d71863ce070275f918e8ebb889fbfaf6c3d1bf6b90df50a
