Overview

overview

10

Static

static

6

f6075dda5d...5e.apk

android-9-x86

10

Analysis

  • max time kernel
    149s
  • max time network
    154s
  • platform
    android_x86
  • resource
    android-x86-arm-20240624-en
  • resource tags

    androidarch:armarch:x86image:android-x86-arm-20240624-enlocale:en-usos:android-9-x86system
  • submitted
    21-12-2024 22:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f6075dda5dc907b510adf4143abb2e4fa5d5b051a9f63449b10429c22406555e.apk

  • Size

    212KB

  • MD5

    9e0204762ec9f7f4c793c921814474f9

  • SHA1

    da8af6748128aef605f428b59b08958d39fa70d4

  • SHA256

    f6075dda5dc907b510adf4143abb2e4fa5d5b051a9f63449b10429c22406555e

  • SHA512

    c6f20af547663b0035d18e045c254ca0bedc3d950a55eb2acc6df46df90da49b2c1b280603cf0be63fe5b82a59d41bb86f1e2710e3961300f317a158cb7151a3

  • SSDEEP

    6144:2xGnAaRKPniQpXc+9HW1puiU9MgPVIyUP:2xlaRKPlpM2gDsIyUP

Score
10/10
xloader_apkbankercollectiondiscoveryevasionimpactinfostealerpersistencestealthtrojan

Malware Config

Extracted

Family

xloader_apk

C2

http://91.204.226.54:28899

DES_key

Signatures

  • XLoader payload 1 IoCs
  • XLoader, MoqHao

    An Android banker and info stealer.

    trojaninfostealerbankerxloader_apk
  • Xloader_apk family
    xloader_apk
  • Checks if the Android device is rooted. 1 TTPs 3 IoCs
    evasion
  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
    stealthtrojanevasion
  • Loads dropped Dex/Jar 1 TTPs 4 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
    bankerdiscovery
  • Queries account information for other applications stored on the device 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect account information stored on the device.

    collection
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Reads the content of the MMS message. 1 TTPs 1 IoCs
    collection
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    evasionpersistence
  • Reads information about phone network operator. 1 TTPs
    discovery
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
    evasion
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
    persistence
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
    impact
  • Checks CPU information 2 TTPs 1 IoCs

Processes

  • oiixqpn.rgoglsuct.yvnmom
    1⤵
    • Checks if the Android device is rooted.
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Queries account information for other applications stored on the device
    • Reads the content of the MMS message.
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Uses Crypto APIs (Might try to encrypt user data)
    • Checks CPU information
    PID:4307

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/oiixqpn.rgoglsuct.yvnmom/app_picture/1.jpg
    Filesize

    8KB

    MD5

    2ed60d658c8e7821898858e81a67964b

    SHA1

    9be37586008d6f25adae8daa3c6deaf62cf82400

    SHA256

    01fb87e54367ed4c4e4d447b4063627a4ff04ace16914d1834772c597223dcbb

    SHA512

    09c78a724e8c7028fecdcae28549ff3477c067d7bea15157cfe655c4f5395d340faf689095d6bfd6c090dede67bd17d2cee391c0fcdb79008dec4bdaccb1d116

    Download Submit

  • /data/data/oiixqpn.rgoglsuct.yvnmom/files/b
    Filesize

    446KB

    MD5

    5705e5b58e9503402cf66c15fbc1d854

    SHA1

    ac943d94e87db55183a1cf24517c3d40361a2d03

    SHA256

    c8e371d5021bc1f77ea2062c2a568ada090e464099596476536816b4feb1f5e8

    SHA512

    46ed8f6f3a670ef3dbf0477353d3da5a19f3a188b51ee8cea492e3a6ffed77d14663eb1732bc084bdd78f4fea0a4190c39399a20aa2f6b6c92fc91bded97e70d

    Download Submit

  • /data/user/0/oiixqpn.rgoglsuct.yvnmom/app_picture/1.jpg
    Filesize

    8KB

    MD5

    5cb855f810c3955a276df815838981ba

    SHA1

    31eb5a8e16270b5f02fe160d7fb8af086f271b55

    SHA256

    83a4e3d40c555feac74aa781ad3d3cabe49e0307bc8293610338de27304ef634

    SHA512

    aeaea733cbc189a05ff1e88eb204e36b4feb822b166f49487cbfe5daaa827d87fe1e615c591c86ebae4f9b56139bd9d1a42ab5c9a7d6bed922a9ec79d646cfa7

    Download Submit

  • /storage/emulated/0/.msg_device_id.txt
    Filesize

    36B

    MD5

    b920a39b8a0ecf35a7c0d1112e3c7171

    SHA1

    5dd26b4cdbe719105a7791a2c7278cb966364625

    SHA256

    72e099248583258590a00904587c56a31ed5d9beb4c222f5e65b9d21f2af0c47

    SHA512

    23da81b21b972d45447ab0c8cc51ea6388da25a898754b3caf3850e2102cc8356f00b59cb4a88aa6c01bbd9a512dd5ea7dce41430eec0a7f7567216cbede989a

    Download Submit