Overview

overview

10

Static

static

6

a828dd226f...ce.apk

android-9-x86

10

Analysis

  • max time kernel
    149s
  • max time network
    155s
  • platform
    android_x86
  • resource
    android-x86-arm-20240624-en
  • resource tags

    androidarch:armarch:x86image:android-x86-arm-20240624-enlocale:en-usos:android-9-x86system
  • submitted
    11-12-2024 22:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a828dd226fc53b5fc16af89c8386f2381551a0c1620f2a81564b3fd8b9ffb5ce.apk

  • Size

    260KB

  • MD5

    9f5e7fabc04eb71311931f5a9d045dea

  • SHA1

    e917690b247178b292748d17f8c88a003aba16c6

  • SHA256

    a828dd226fc53b5fc16af89c8386f2381551a0c1620f2a81564b3fd8b9ffb5ce

  • SHA512

    b3d353ad0e46216de5c98a03043fd509b486cc33904719c7909926315a5b2cdbbc47fb7bf7d681796ba5061ef42ca98aedd3dfbe00391e0d46e53b2da1922493

  • SSDEEP

    6144:OLZbLMpu6uRIgWSAnlJ04I+q5FHJtl1rrAjEzjwFaJHP:OdLeSIgilJc5FzHCuwUJv

Score
10/10
xloader_apkbankercollectiondiscoveryevasionimpactinfostealerpersistencestealthtrojan

Malware Config

Extracted

Family

xloader_apk

C2

http://91.204.226.54:28899

DES_key

Signatures

  • XLoader payload 1 IoCs
  • XLoader, MoqHao

    An Android banker and info stealer.

    trojaninfostealerbankerxloader_apk
  • Xloader_apk family
    xloader_apk
  • Checks if the Android device is rooted. 1 TTPs 3 IoCs
    evasion
  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
    stealthtrojanevasion
  • Loads dropped Dex/Jar 1 TTPs 5 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
    bankerdiscovery
  • Queries account information for other applications stored on the device 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect account information stored on the device.

    collection
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Reads the content of the MMS message. 1 TTPs 1 IoCs
    collection
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    evasionpersistence
  • Reads information about phone network operator. 1 TTPs
    discovery
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
    evasion
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
    persistence
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
    impact
  • Checks CPU information 2 TTPs 1 IoCs

Processes

  • qjvxvwo.yivpeirix.jxoukm.mxcxzpaw
    1⤵
    • Checks if the Android device is rooted.
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Queries account information for other applications stored on the device
    • Reads the content of the MMS message.
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Uses Crypto APIs (Might try to encrypt user data)
    • Checks CPU information
    PID:4259
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/qjvxvwo.yivpeirix.jxoukm.mxcxzpaw/app_picture/1.jpg --output-vdex-fd=47 --oat-fd=48 --oat-location=/data/user/0/qjvxvwo.yivpeirix.jxoukm.mxcxzpaw/app_picture/oat/x86/1.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4284

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/qjvxvwo.yivpeirix.jxoukm.mxcxzpaw/app_picture/1.jpg
    Filesize

    7KB

    MD5

    ceb69db381c34be30a7452a4949e4bf9

    SHA1

    c0c45a2dd8f4cc88e95c415ae9db7ab704d71f04

    SHA256

    14d83213740ca6999833970af132527cf3b6b4c469100a17e313e12830395fb5

    SHA512

    9c9bfc382870558dcc2094970ccff9fea3037fec5ed5c1ec954db9c08f441f92465b3756fcd2ccbb6a044cf7e5737548523a662bc9dd522185f40c2e53ca3a82

    Download Submit

  • /data/data/qjvxvwo.yivpeirix.jxoukm.mxcxzpaw/files/b
    Filesize

    446KB

    MD5

    3e04a3b314779ab7b515b04648084b64

    SHA1

    4b76a4fb951eb54b6c8593f50f4b7cc58b2997f1

    SHA256

    d24fc9979ea6d5e9a278ac59c422f3b189adbe5671a3be0f8e44c52a50af78b7

    SHA512

    cc87dbada39c5c2396c105d0a7dc9351ef70621261f5a892ecee526b4eac769e721f97ec1913f37dc092d46393c0f6a5d75dfb43fdcb6270236fa8a633ffe984

    Download Submit

  • /data/data/qjvxvwo.yivpeirix.jxoukm.mxcxzpaw/files/oat/b.cur.prof
    Filesize

    1KB

    MD5

    898780ae455b3c908750c2a43405d152

    SHA1

    acbd107482dceb503e8ea610e14343d93bbed6c4

    SHA256

    b1c20475cb162c31de27f020a857a135e032aa02dae1cee04f4d3ab44a08b61c

    SHA512

    d3eb411b33074da998921243dc3807a1184ed41979fad673b596c179a13654f1cf88ca44aee32976f8e6659fac34795ce8655ef1adc98de6a9a0be86609d2f68

    Download Submit

  • /data/user/0/qjvxvwo.yivpeirix.jxoukm.mxcxzpaw/app_picture/1.jpg
    Filesize

    7KB

    MD5

    7f00109e5773636d65e0b276b64971d1

    SHA1

    0d63627cd2b490b7ecdfe8d7ac96eec7e50cb613

    SHA256

    04dd1ab07b152eabc6d397ad9ef2a5efbce167931e9cb597458d0630217db1f3

    SHA512

    7f9d457bdc9f5e4e01d7816e65bcdf8402e398adb16a3df8a382ce99b6c8176c5a638eb8dd1268c318263aee3575970c41c1a0f5d5ff62c87e865b35f8afcfd7

    Download Submit

  • /storage/emulated/0/.msg_device_id.txt
    Filesize

    36B

    MD5

    f8a8b8930e39bf309c309e3149ada7ed

    SHA1

    5f781a8c0b3372f1ec8f9a759dc106b3d2457017

    SHA256

    a24f9917f449234fff8a72941b4b315be2c6b8cef7b87fb2780265fc19ce18f3

    SHA512

    10d5e8f982c80c6397d0434cff2a53f134358164b72dec68e46a3b09a87f76411c043e6402c26e3c3d71863ce070275f918e8ebb889fbfaf6c3d1bf6b90df50a

    Download Submit