Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
155s -
platform
android_x86 -
resource
android-x86-arm-20240624-en -
resource tags
androidarch:armarch:x86image:android-x86-arm-20240624-enlocale:en-usos:android-9-x86system -
submitted
11/12/2024, 22:06 UTC
Static task
static1
Behavioral task
behavioral1
Sample
a828dd226fc53b5fc16af89c8386f2381551a0c1620f2a81564b3fd8b9ffb5ce.apk
Resource
android-x86-arm-20240624-en
General
-
Target
a828dd226fc53b5fc16af89c8386f2381551a0c1620f2a81564b3fd8b9ffb5ce.apk
-
Size
260KB
-
MD5
9f5e7fabc04eb71311931f5a9d045dea
-
SHA1
e917690b247178b292748d17f8c88a003aba16c6
-
SHA256
a828dd226fc53b5fc16af89c8386f2381551a0c1620f2a81564b3fd8b9ffb5ce
-
SHA512
b3d353ad0e46216de5c98a03043fd509b486cc33904719c7909926315a5b2cdbbc47fb7bf7d681796ba5061ef42ca98aedd3dfbe00391e0d46e53b2da1922493
-
SSDEEP
6144:OLZbLMpu6uRIgWSAnlJ04I+q5FHJtl1rrAjEzjwFaJHP:OdLeSIgilJc5FzHCuwUJv
Malware Config
Extracted
xloader_apk
http://91.204.226.54:28899
Signatures
-
XLoader payload 1 IoCs
resource yara_rule behavioral1/files/fstream-5.dat family_xloader_apk2 -
XLoader, MoqHao
An Android banker and info stealer.
-
Xloader_apk family
-
Checks if the Android device is rooted. 1 TTPs 3 IoCs
ioc Process /system/bin/su qjvxvwo.yivpeirix.jxoukm.mxcxzpaw /system/xbin/su qjvxvwo.yivpeirix.jxoukm.mxcxzpaw /sbin/su qjvxvwo.yivpeirix.jxoukm.mxcxzpaw -
pid Process 4259 qjvxvwo.yivpeirix.jxoukm.mxcxzpaw -
Loads dropped Dex/Jar 1 TTPs 5 IoCs
Runs executable file dropped to the device during analysis.
ioc pid Process /data/user/0/qjvxvwo.yivpeirix.jxoukm.mxcxzpaw/app_picture/1.jpg 4259 qjvxvwo.yivpeirix.jxoukm.mxcxzpaw /data/user/0/qjvxvwo.yivpeirix.jxoukm.mxcxzpaw/app_picture/1.jpg 4284 /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/qjvxvwo.yivpeirix.jxoukm.mxcxzpaw/app_picture/1.jpg --output-vdex-fd=47 --oat-fd=48 --oat-location=/data/user/0/qjvxvwo.yivpeirix.jxoukm.mxcxzpaw/app_picture/oat/x86/1.odex --compiler-filter=quicken --class-loader-context=& /data/user/0/qjvxvwo.yivpeirix.jxoukm.mxcxzpaw/app_picture/1.jpg 4259 qjvxvwo.yivpeirix.jxoukm.mxcxzpaw /data/user/0/qjvxvwo.yivpeirix.jxoukm.mxcxzpaw/files/b 4259 qjvxvwo.yivpeirix.jxoukm.mxcxzpaw /data/user/0/qjvxvwo.yivpeirix.jxoukm.mxcxzpaw/files/b 4259 qjvxvwo.yivpeirix.jxoukm.mxcxzpaw -
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries account information for other applications stored on the device 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect account information stored on the device.
description ioc Process Framework service call android.accounts.IAccountManager.getAccounts qjvxvwo.yivpeirix.jxoukm.mxcxzpaw -
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Reads the content of the MMS message. 1 TTPs 1 IoCs
description ioc Process URI accessed for read content://mms/ qjvxvwo.yivpeirix.jxoukm.mxcxzpaw -
Acquires the wake lock 1 IoCs
description ioc Process Framework service call android.os.IPowerManager.acquireWakeLock qjvxvwo.yivpeirix.jxoukm.mxcxzpaw -
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
description ioc Process Framework service call android.app.IActivityManager.setServiceForeground qjvxvwo.yivpeirix.jxoukm.mxcxzpaw -
Reads information about phone network operator. 1 TTPs
-
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
description ioc Process Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS qjvxvwo.yivpeirix.jxoukm.mxcxzpaw -
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
description ioc Process Framework service call android.app.IActivityManager.registerReceiver qjvxvwo.yivpeirix.jxoukm.mxcxzpaw -
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
description ioc Process Framework API call javax.crypto.Cipher.doFinal qjvxvwo.yivpeirix.jxoukm.mxcxzpaw -
Checks CPU information 2 TTPs 1 IoCs
description ioc Process File opened for read /proc/cpuinfo qjvxvwo.yivpeirix.jxoukm.mxcxzpaw
Processes
-
qjvxvwo.yivpeirix.jxoukm.mxcxzpaw1⤵
- Checks if the Android device is rooted.
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Queries account information for other applications stored on the device
- Reads the content of the MMS message.
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
PID:4259 -
/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/qjvxvwo.yivpeirix.jxoukm.mxcxzpaw/app_picture/1.jpg --output-vdex-fd=47 --oat-fd=48 --oat-location=/data/user/0/qjvxvwo.yivpeirix.jxoukm.mxcxzpaw/app_picture/oat/x86/1.odex --compiler-filter=quicken --class-loader-context=&2⤵
- Loads dropped Dex/Jar
PID:4284
-
Network
-
Remote address:1.1.1.1:53Requestsemanticlocation-pa.googleapis.comIN AResponsesemanticlocation-pa.googleapis.comIN A142.250.200.42semanticlocation-pa.googleapis.comIN A216.58.213.10semanticlocation-pa.googleapis.comIN A216.58.212.202semanticlocation-pa.googleapis.comIN A142.250.187.202semanticlocation-pa.googleapis.comIN A172.217.169.74semanticlocation-pa.googleapis.comIN A172.217.169.10semanticlocation-pa.googleapis.comIN A216.58.204.74semanticlocation-pa.googleapis.comIN A142.250.187.234semanticlocation-pa.googleapis.comIN A142.250.178.10semanticlocation-pa.googleapis.comIN A172.217.16.234semanticlocation-pa.googleapis.comIN A142.250.180.10semanticlocation-pa.googleapis.comIN A142.250.200.10semanticlocation-pa.googleapis.comIN A216.58.201.106semanticlocation-pa.googleapis.comIN A142.250.179.234
-
Remote address:1.1.1.1:53Requestm.vk.comIN AResponsem.vk.comIN A93.186.225.194m.vk.comIN A87.240.132.72m.vk.comIN A87.240.132.78m.vk.comIN A87.240.129.133m.vk.comIN A87.240.132.67m.vk.comIN A87.240.137.164
-
Remote address:93.186.225.194:443RequestGET /id730149630?act=info HTTP/1.1
User-Agent: Mozilla/5.0 (Linux; Android 8.0.0; SM-G955U Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Mobile Safari/537.36 Edg/112.0.0.0
Upgrade-Insecure-Requests: 1
Cookie: remixmdevice=390/844/3/!!!!!!!!!!!
Referer: https://m.vk.com/id730149630?act=info
Accept: text/html,*/*;q=0.8
Accept-Encoding: gzip
Accept-Language: zh-CN,zh;q=0.8,en;q=0.6
Host: m.vk.com
Connection: Keep-Alive
ResponseHTTP/1.1 200 OK
Date: Wed, 11 Dec 2024 22:07:11 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: KPHP/7.4.120092
Set-Cookie: remixir=DELETED; expires=Thu, 01 Jan 1970 00:00:01 GMT; path=/; domain=.vk.com; secure; HttpOnly; SameSite=None
Set-Cookie: remixlang=18; expires=Sat, 13 Dec 2025 16:09:53 GMT; path=/; domain=.vk.com; secure; SameSite=None
Set-Cookie: remixstlid=9121247123939550213_Ox3hvZ6I3KCdyAucnKVzB3AkfgBzkuQeMG4znk0sneg; expires=Thu, 11 Dec 2025 22:07:11 GMT; path=/; domain=.vk.com; secure; SameSite=None
Set-Cookie: remixir=DELETED; expires=Thu, 01 Jan 1970 00:00:01 GMT; path=/; domain=.vk.com; secure; HttpOnly; SameSite=None
Set-Cookie: remixstid=1825916410_MMxWS1nrLIzmST1SQIyZFpAj2SQVwARnEB5U5tGwHYH; expires=Mon, 08 Dec 2025 23:21:00 GMT; path=/; domain=.vk.com; secure; SameSite=None
Cache-control: no-store
Content-Security-Policy: default-src * data: blob: about: vkcalls:;script-src 'self' https://vk.com https://*.vk.com https://vk.ru https://*.vk.ru https://static.vk.me https://*.mail.ru https://r.mradx.net https://s.ytimg.com https://platform.twitter.com https://cdn.syndication.twimg.com https://www.instagram.com https://connect.facebook.net https://telegram.org https://*.yandex.ru https://*.google-analytics.com https://*.youtube.com https://maps.googleapis.com https://translate.googleapis.com https://*.google.com https://google.com https://*.vkpartner.ru https://*.moatads.com https://*.adlooxtracking.ru https://*.serving-sys.ru https://*.weborama-tech.ru https://*.gstatic.com https://*.google.ru https://securepubads.g.doubleclick.net https://cdn.ampproject.org https://www.googletagmanager.com https://googletagmanager.com https://*.vk-cdn.net https://*.hit.gemius.pl https://yastatic.net https://analytics.tiktok.com 'unsafe-inline' 'unsafe-eval' blob:;style-src https://vk.com https://*.vk.com https://vk.ru https://*.vk.ru https://static.vk.me https://r.mradx.net https://ton.twimg.com https://tagmanager.google.com https://platform.twitter.com https://*.googleapis.com 'self' 'unsafe-inline';report-uri /csp
X-XSS-Protection: 1; report=/xss_reports
Reporting-Endpoints: default="https://m.vk.com/browser_reports?dest=default_reports"
Content-Encoding: gzip
Strict-Transport-Security: max-age=15768000
X-Trace-Id: 7I0VtRx3F3xS5dc04YZkiQ1SX6oIIA
Server-Timing: tid;desc="7I0VtRx3F3xS5dc04YZkiQ1SX6oIIA",front;dur=0.553
-
Remote address:1.1.1.1:53Requestandroid.apis.google.comIN AResponseandroid.apis.google.comIN CNAMEclients.l.google.comclients.l.google.comIN A216.58.204.78
-
202 B 40 B 1 1
-
2.8kB 87.9kB 40 64
HTTP Request
GET https://m.vk.com/id730149630?act=infoHTTP Response
200 -
447 B 132 B 6 3
-
447 B 132 B 6 3
-
447 B 132 B 6 3
-
447 B 132 B 6 3
-
447 B 132 B 6 3
-
858 B 40 B 1 1
-
4.7kB 8.6kB 14 23
-
447 B 132 B 6 3
-
447 B 132 B 6 3
-
447 B 132 B 6 3
-
447 B 132 B 6 3
-
447 B 132 B 6 3
-
447 B 132 B 6 3
-
447 B 132 B 6 3
-
447 B 132 B 6 3
-
407 B 132 B 5 3
-
447 B 132 B 6 3
-
407 B 132 B 5 3
-
407 B 132 B 5 3
-
447 B 132 B 6 3
-
407 B 132 B 5 3
-
447 B 132 B 6 3
-
447 B 132 B 6 3
-
447 B 132 B 6 3
-
407 B 132 B 5 3
-
447 B 132 B 6 3
-
447 B 132 B 6 3
-
407 B 132 B 5 3
-
447 B 132 B 6 3
-
447 B 132 B 6 3
-
447 B 132 B 6 3
-
447 B 132 B 6 3
-
447 B 132 B 6 3
-
407 B 132 B 5 3
-
447 B 132 B 6 3
-
407 B 132 B 5 3
-
407 B 132 B 5 3
-
407 B 132 B 5 3
-
447 B 132 B 6 3
-
447 B 132 B 6 3
-
407 B 132 B 5 3
-
407 B 132 B 5 3
-
407 B 132 B 5 3
-
407 B 132 B 5 3
-
447 B 132 B 6 3
-
447 B 132 B 6 3
-
447 B 132 B 6 3
-
447 B 132 B 6 3
-
447 B 132 B 6 3
-
447 B 132 B 6 3
-
447 B 132 B 6 3
-
447 B 132 B 6 3
-
407 B 132 B 5 3
-
447 B 132 B 6 3
-
407 B 132 B 5 3
-
447 B 132 B 6 3
-
447 B 132 B 6 3
-
447 B 132 B 6 3
-
447 B 132 B 6 3
-
447 B 132 B 6 3
-
447 B 132 B 6 3
-
447 B 132 B 6 3
-
447 B 132 B 6 3
-
407 B 132 B 5 3
-
447 B 132 B 6 3
-
447 B 132 B 6 3
-
447 B 132 B 6 3
-
447 B 132 B 6 3
-
3.7kB 11
-
80 B 304 B 1 1
DNS Request
semanticlocation-pa.googleapis.com
DNS Response
142.250.200.42216.58.213.10216.58.212.202142.250.187.202172.217.169.74172.217.169.10216.58.204.74142.250.187.234142.250.178.10172.217.16.234142.250.180.10142.250.200.10216.58.201.106142.250.179.234
-
54 B 150 B 1 1
DNS Request
m.vk.com
DNS Response
93.186.225.19487.240.132.7287.240.132.7887.240.129.13387.240.132.6787.240.137.164
-
69 B 109 B 1 1
DNS Request
android.apis.google.com
DNS Response
216.58.204.78
MITRE ATT&CK Mobile v15
Persistence
Event Triggered Execution
1Broadcast Receivers
1Foreground Persistence
1Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Hide Artifacts
2Suppress Application Icon
1User Evasion
1Virtualization/Sandbox Evasion
1System Checks
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
7KB
MD5ceb69db381c34be30a7452a4949e4bf9
SHA1c0c45a2dd8f4cc88e95c415ae9db7ab704d71f04
SHA25614d83213740ca6999833970af132527cf3b6b4c469100a17e313e12830395fb5
SHA5129c9bfc382870558dcc2094970ccff9fea3037fec5ed5c1ec954db9c08f441f92465b3756fcd2ccbb6a044cf7e5737548523a662bc9dd522185f40c2e53ca3a82
-
Filesize
446KB
MD53e04a3b314779ab7b515b04648084b64
SHA14b76a4fb951eb54b6c8593f50f4b7cc58b2997f1
SHA256d24fc9979ea6d5e9a278ac59c422f3b189adbe5671a3be0f8e44c52a50af78b7
SHA512cc87dbada39c5c2396c105d0a7dc9351ef70621261f5a892ecee526b4eac769e721f97ec1913f37dc092d46393c0f6a5d75dfb43fdcb6270236fa8a633ffe984
-
Filesize
1KB
MD5898780ae455b3c908750c2a43405d152
SHA1acbd107482dceb503e8ea610e14343d93bbed6c4
SHA256b1c20475cb162c31de27f020a857a135e032aa02dae1cee04f4d3ab44a08b61c
SHA512d3eb411b33074da998921243dc3807a1184ed41979fad673b596c179a13654f1cf88ca44aee32976f8e6659fac34795ce8655ef1adc98de6a9a0be86609d2f68
-
Filesize
7KB
MD57f00109e5773636d65e0b276b64971d1
SHA10d63627cd2b490b7ecdfe8d7ac96eec7e50cb613
SHA25604dd1ab07b152eabc6d397ad9ef2a5efbce167931e9cb597458d0630217db1f3
SHA5127f9d457bdc9f5e4e01d7816e65bcdf8402e398adb16a3df8a382ce99b6c8176c5a638eb8dd1268c318263aee3575970c41c1a0f5d5ff62c87e865b35f8afcfd7
-
Filesize
36B
MD5f8a8b8930e39bf309c309e3149ada7ed
SHA15f781a8c0b3372f1ec8f9a759dc106b3d2457017
SHA256a24f9917f449234fff8a72941b4b315be2c6b8cef7b87fb2780265fc19ce18f3
SHA51210d5e8f982c80c6397d0434cff2a53f134358164b72dec68e46a3b09a87f76411c043e6402c26e3c3d71863ce070275f918e8ebb889fbfaf6c3d1bf6b90df50a