Analysis
-
max time kernel
149s -
max time network
155s -
platform
android_x86 -
resource
android-x86-arm-20240624-en -
resource tags
androidarch:armarch:x86image:android-x86-arm-20240624-enlocale:en-usos:android-9-x86system -
submitted
21-12-2024 22:02
Static task
static1
Behavioral task
behavioral1
Sample
4416cb1fe7a7cba896575ea981c4aa6bf42a89527a4948380a7da3ed9a93200e.apk
Resource
android-x86-arm-20240624-en
General
-
Target
4416cb1fe7a7cba896575ea981c4aa6bf42a89527a4948380a7da3ed9a93200e.apk
-
Size
212KB
-
MD5
82212b8f69467ed3fbdd2977bce0e05c
-
SHA1
23950ff791c6b95aa6856d864fd9de7144aad614
-
SHA256
4416cb1fe7a7cba896575ea981c4aa6bf42a89527a4948380a7da3ed9a93200e
-
SHA512
db4aaa97e4604d020136b74a4536972038d4d2a7b5835341df7dc17d9208411b757669ebffe59042952f752523394cea79ccd6bbf489eba36cf10015c9cdbdab
-
SSDEEP
3072:8BvV//AapbWfPP5d7G3ASs7Dcgh9J3hH21Bvu4MiUDxML0vpN0GoY0UXULcnjn:eNnAaRKPniQpXc+9HW1puiU9MgPV5n
Malware Config
Extracted
xloader_apk
http://91.204.226.54:28899
Signatures
-
XLoader payload 1 IoCs
resource yara_rule behavioral1/files/fstream-3.dat family_xloader_apk2 -
XLoader, MoqHao
An Android banker and info stealer.
-
Xloader_apk family
-
Checks if the Android device is rooted. 1 TTPs 3 IoCs
ioc Process /system/xbin/su qdphrbx.tdhsdpmvw.zjsjfa /sbin/su qdphrbx.tdhsdpmvw.zjsjfa /system/bin/su qdphrbx.tdhsdpmvw.zjsjfa -
pid Process 4298 qdphrbx.tdhsdpmvw.zjsjfa -
Loads dropped Dex/Jar 1 TTPs 4 IoCs
Runs executable file dropped to the device during analysis.
ioc pid Process /data/user/0/qdphrbx.tdhsdpmvw.zjsjfa/app_picture/1.jpg 4298 qdphrbx.tdhsdpmvw.zjsjfa /data/user/0/qdphrbx.tdhsdpmvw.zjsjfa/app_picture/1.jpg 4298 qdphrbx.tdhsdpmvw.zjsjfa /data/user/0/qdphrbx.tdhsdpmvw.zjsjfa/files/b 4298 qdphrbx.tdhsdpmvw.zjsjfa /data/user/0/qdphrbx.tdhsdpmvw.zjsjfa/files/b 4298 qdphrbx.tdhsdpmvw.zjsjfa -
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries account information for other applications stored on the device 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect account information stored on the device.
description ioc Process Framework service call android.accounts.IAccountManager.getAccounts qdphrbx.tdhsdpmvw.zjsjfa -
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Reads the content of the MMS message. 1 TTPs 1 IoCs
description ioc Process URI accessed for read content://mms/ qdphrbx.tdhsdpmvw.zjsjfa -
Acquires the wake lock 1 IoCs
description ioc Process Framework service call android.os.IPowerManager.acquireWakeLock qdphrbx.tdhsdpmvw.zjsjfa -
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
description ioc Process Framework service call android.app.IActivityManager.setServiceForeground qdphrbx.tdhsdpmvw.zjsjfa -
Reads information about phone network operator. 1 TTPs
-
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
description ioc Process Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS qdphrbx.tdhsdpmvw.zjsjfa -
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
description ioc Process Framework service call android.app.IActivityManager.registerReceiver qdphrbx.tdhsdpmvw.zjsjfa -
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
description ioc Process Framework API call javax.crypto.Cipher.doFinal qdphrbx.tdhsdpmvw.zjsjfa -
Checks CPU information 2 TTPs 1 IoCs
description ioc Process File opened for read /proc/cpuinfo qdphrbx.tdhsdpmvw.zjsjfa
Processes
-
qdphrbx.tdhsdpmvw.zjsjfa1⤵
- Checks if the Android device is rooted.
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Queries account information for other applications stored on the device
- Reads the content of the MMS message.
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
PID:4298
Network
MITRE ATT&CK Mobile v15
Persistence
Event Triggered Execution
1Broadcast Receivers
1Foreground Persistence
1Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Hide Artifacts
2Suppress Application Icon
1User Evasion
1Virtualization/Sandbox Evasion
1System Checks
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
8KB
MD5a9ed18f4a7df5fcb9726dbadbf577040
SHA1955607c6b17e2faac25d25be3f1ec2587d56a5b6
SHA256603edb097f33b983d16801efce73aa3106dc2d2bab3e03e5f02762cb5fcf9ac9
SHA512e993c2359fa16263b58eea5f9168b607b75e09833da1ac4fc629457601300af980b4a1e8b380c7254b6e67520d18353b2297eb7bc15a0242b171272d5419a891
-
Filesize
446KB
MD55705e5b58e9503402cf66c15fbc1d854
SHA1ac943d94e87db55183a1cf24517c3d40361a2d03
SHA256c8e371d5021bc1f77ea2062c2a568ada090e464099596476536816b4feb1f5e8
SHA51246ed8f6f3a670ef3dbf0477353d3da5a19f3a188b51ee8cea492e3a6ffed77d14663eb1732bc084bdd78f4fea0a4190c39399a20aa2f6b6c92fc91bded97e70d
-
Filesize
8KB
MD576e66fb25aa32dcf4ae2a9877f7b5992
SHA188055c1676a67b1a2f5cf4fff0da94cdc270bf82
SHA2568cbf7c42d01754d0aa78d6adf612439b3f9a8a902f53a6a514ba470850128098
SHA51259f6461a1feefb754bbf8d2b8c04700612965d8d4d529201d35c60ddf5f2b15680b3934934e5f730dab4c0b0d9b08b6cb4dfd9b6cb5559298c4c26a530892ce5
-
Filesize
36B
MD54d474fec54f80b942681b99b49a5f2c3
SHA14b2671e6bd7c3d2092f000fcb5fefa4da656f602
SHA256e846a080bc98fdb553ce7a6234521da2b7d3fd9ee36b1bbe91dc7922d4976b66
SHA51284d61a19d4bc226fac474a28dde49717a46b6bcbe4d3a8370e71df9e55f3ab7e0d6e774b7d7667453c1f07dd047743372cebe8dc5216600321b1b01c53c227f4