Analysis

  • max time kernel
    148s
  • max time network
    155s
  • platform
    android_x86
  • resource
    android-x86-arm-20240624-en
  • resource tags

    android, arch:arm, arch:x86, image:android-x86-arm-20240624-en, locale:en-us, os:android-9-x86, system
  • submitted
    24-12-2024 22:08

General

  • Target

    11eb1c66ce2fb405f9ef3d0be024c63a483bc3fcd305a2a934f79dd1b1380410.apk

  • Size

    260KB

  • MD5

    614abba41eb22e1a1be4e895ebcea1db

  • SHA1

    c799dd0fa2205b6638eb5a7276ce2ff87074c36b

  • SHA256

    11eb1c66ce2fb405f9ef3d0be024c63a483bc3fcd305a2a934f79dd1b1380410

  • SHA512

    f89f00a8f8cf4983c8803cd2e3934c4e8dd0a1a0f77db1259d7fe5b4b12e3cf50e87996010399dcd6ac883bcd1ce79d5ebf5f59162a81ab04f8e6ca52b5f5f30

  • SSDEEP

    6144:O/WPyHSBsMZIxEA+zLFPH+YIXvv96/zbPeZz056KIxMMMs7HiQfSTG:OH8FZvLFPeYWviIr7HHf

Malware Config

Signatures

  • XLoader payload 1 IoCs
  • XLoader, MoqHao

    An Android banker and info stealer.

  • Xloader_apk family
  • Checks if the Android device is rooted. 1 TTPs 3 IoCs
  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 5 IoCs

    Runs executable file dropped to the device during analysis.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Reads the content of the MMS message. 1 TTPs 1 IoCs
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
  • Checks CPU information 2 TTPs 1 IoCs

Processes

  • utcyonp.lvljylpix.llhgnu.ofmhrrrv
    1⤵
    • Checks if the Android device is rooted.
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Reads the content of the MMS message.
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Checks CPU information
    PID:4260
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/utcyonp.lvljylpix.llhgnu.ofmhrrrv/app_picture/1.jpg --output-vdex-fd=46 --oat-fd=47 --oat-location=/data/user/0/utcyonp.lvljylpix.llhgnu.ofmhrrrv/app_picture/oat/x86/1.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4286

Network

MITRE ATT&CK Mobile v15

Downloads

  • /data/data/utcyonp.lvljylpix.llhgnu.ofmhrrrv/app_picture/1.jpg

    Filesize

    7KB

    MD5

    50f923692ea23a756d3205a8b99047de

    SHA1

    de21f2f2232b9b24bab2c868bb66b864cb8a40f7

    SHA256

    e783c0de85ebaf450b6c0b7ba7cecb1c91584edcfa55eab7c7357a814699c74b

    SHA512

    b41eae84c5543071d0f2f70a99be77ebd0769208d94298bae13bd8468467ed1e8bd9e89e9f5a71b8da0faf11d3f2bc4a9b37785575cc05e0d95152e86cf78e62

  • /data/data/utcyonp.lvljylpix.llhgnu.ofmhrrrv/files/b

    Filesize

    446KB

    MD5

    3e04a3b314779ab7b515b04648084b64

    SHA1

    4b76a4fb951eb54b6c8593f50f4b7cc58b2997f1

    SHA256

    d24fc9979ea6d5e9a278ac59c422f3b189adbe5671a3be0f8e44c52a50af78b7

    SHA512

    cc87dbada39c5c2396c105d0a7dc9351ef70621261f5a892ecee526b4eac769e721f97ec1913f37dc092d46393c0f6a5d75dfb43fdcb6270236fa8a633ffe984

  • /data/user/0/utcyonp.lvljylpix.llhgnu.ofmhrrrv/app_picture/1.jpg

    Filesize

    7KB

    MD5

    351e1ff9f86cf15301726946e8e42631

    SHA1

    d53a6763f4fae2092ffd0fac9ab4bb6ce078c25e

    SHA256

    c12aa2a970637b03051c0b859c36ca075864668aa9b9994e6b1bdf81255e3db0

    SHA512

    49bf5c4bdbeac8b3779d56fcde9c8ccca5ee1d2de10ed489c62efc19cd709d3bf07d823dab48efb5a9aa93cd0deb6e00984de0c862582a517add2c864a24f1ce