Analysis
- max time kernel: 149s
- max time network: 150s
- platform: android-9_x86
- resource: android-x86-arm-20240910-en
- resource tags: arch:arm, arch:x86, image:android-x86-arm-20240910-en, locale:en-us, os:android-9-x86, system
- submitted: 05/03/2025, 22:06
Static task: static1
Behavioral task: behavioral1
- Sample: 6ea56206401410abdf8d540b4b8d2aec1c3fdf5a8c6a6e2c3ddcfb72f558e0b3.apk
- Resource: android-x86-arm-20240910-en
General
- Target: 6ea56206401410abdf8d540b4b8d2aec1c3fdf5a8c6a6e2c3ddcfb72f558e0b3.apk
- Size: 164KB
- MD5: d4e6ba09a765f987aaa44b61fe0bd7d2
- SHA1: 7ae166683b062b619c2a9db3e3630671406d9513
- SHA256: 6ea56206401410abdf8d540b4b8d2aec1c3fdf5a8c6a6e2c3ddcfb72f558e0b3
- SHA512: 02afbca80cb9a5ce98cfd150336a8baf4b08bcd4bbd418af3d8580ab396a9bf4ef4ab2813523ae14f5bda9a3b9001679fa3d11fb498c4f4115dc3a415634ea7b
- SSDEEP: 3072:9fqgVyDS1CIVysC+A5+CBljscfhNY5bpfXC03ZOrurjdf2kmFmovmGKWaPvzP9C:9f1yDRoeBJffhNY5bpbZO6rwkx/rWa3A
Malware Config
Extracted
xloader_apk
http://91.204.226.54:28899
Signatures
- XLoader payload (1 IoCs)
  XLoader, MoqHao: an Android banker and info stealer.
  resource: behavioral1/files/fstream-5.dat  yara_rule: family_xloader_apk2
- Xloader_apk family
- Checks if the Android device is rooted. (1 TTPs, 3 IoCs)
  ioc: /system/bin/su  Process: oagdola.gtgzmvnul.mpuvyx.kkstcrwi
  ioc: /system/xbin/su  Process: oagdola.gtgzmvnul.mpuvyx.kkstcrwi
  ioc: /sbin/su  Process: oagdola.gtgzmvnul.mpuvyx.kkstcrwi
  pid: 4364  Process: oagdola.gtgzmvnul.mpuvyx.kkstcrwi
- Loads dropped Dex/Jar (1 TTPs, 5 IoCs)
  Runs executable file dropped to the device during analysis.
  ioc: /data/user/0/oagdola.gtgzmvnul.mpuvyx.kkstcrwi/app_picture/1.jpg  pid: 4364  Process: oagdola.gtgzmvnul.mpuvyx.kkstcrwi
  ioc: /data/user/0/oagdola.gtgzmvnul.mpuvyx.kkstcrwi/app_picture/1.jpg  pid: 4399  Process: /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/oagdola.gtgzmvnul.mpuvyx.kkstcrwi/app_picture/1.jpg --output-vdex-fd=46 --oat-fd=47 --oat-location=/data/user/0/oagdola.gtgzmvnul.mpuvyx.kkstcrwi/app_picture/oat/x86/1.odex --compiler-filter=quicken --class-loader-context=&
  ioc: /data/user/0/oagdola.gtgzmvnul.mpuvyx.kkstcrwi/app_picture/1.jpg  pid: 4364  Process: oagdola.gtgzmvnul.mpuvyx.kkstcrwi
  ioc: /data/user/0/oagdola.gtgzmvnul.mpuvyx.kkstcrwi/files/b  pid: 4364  Process: oagdola.gtgzmvnul.mpuvyx.kkstcrwi
  ioc: /data/user/0/oagdola.gtgzmvnul.mpuvyx.kkstcrwi/files/b  pid: 4364  Process: oagdola.gtgzmvnul.mpuvyx.kkstcrwi
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) (1 TTPs)
- Queries account information for other applications stored on the device (1 TTPs, 1 IoCs)
  Application may abuse the framework's APIs to collect account information stored on the device.
  description: Framework service call  ioc: android.accounts.IAccountManager.getAccounts  Process: oagdola.gtgzmvnul.mpuvyx.kkstcrwi
- Queries the phone number (MSISDN for GSM devices) (1 TTPs)
- Reads the content of the MMS message. (1 TTPs, 1 IoCs)
  description: URI accessed for read  ioc: content://mms/  Process: oagdola.gtgzmvnul.mpuvyx.kkstcrwi
- Acquires the wake lock (1 IoCs)
  description: Framework service call  ioc: android.os.IPowerManager.acquireWakeLock  Process: oagdola.gtgzmvnul.mpuvyx.kkstcrwi
- Makes use of the framework's foreground persistence service (1 TTPs, 1 IoCs)
  Application may abuse the framework's foreground service to continue running in the foreground.
  description: Framework service call  ioc: android.app.IActivityManager.setServiceForeground  Process: oagdola.gtgzmvnul.mpuvyx.kkstcrwi
- Reads information about phone network operator. (1 TTPs)
- Requests disabling of battery optimizations (often used to enable hiding in the background). (1 TTPs, 1 IoCs)
  description: Intent action  ioc: android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS  Process: oagdola.gtgzmvnul.mpuvyx.kkstcrwi
- Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTPs, 1 IoCs)
  description: Framework service call  ioc: android.app.IActivityManager.registerReceiver  Process: oagdola.gtgzmvnul.mpuvyx.kkstcrwi
- Uses Crypto APIs (Might try to encrypt user data) (1 TTPs, 1 IoCs)
  description: Framework API call  ioc: javax.crypto.Cipher.doFinal  Process: oagdola.gtgzmvnul.mpuvyx.kkstcrwi
- Checks CPU information (2 TTPs, 1 IoCs)
  description: File opened for read  ioc: /proc/cpuinfo  Process: oagdola.gtgzmvnul.mpuvyx.kkstcrwi
Processes
- oagdola.gtgzmvnul.mpuvyx.kkstcrwi (PID 4364)
  - Checks if the Android device is rooted.
  - Removes its main activity from the application launcher
  - Loads dropped Dex/Jar
  - Queries account information for other applications stored on the device
  - Reads the content of the MMS message.
  - Acquires the wake lock
  - Makes use of the framework's foreground persistence service
  - Requests disabling of battery optimizations (often used to enable hiding in the background).
  - Registers a broadcast receiver at runtime (usually for listening for system events)
  - Uses Crypto APIs (Might try to encrypt user data)
  - Checks CPU information
  - Child process (PID 4399): /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/oagdola.gtgzmvnul.mpuvyx.kkstcrwi/app_picture/1.jpg --output-vdex-fd=46 --oat-fd=47 --oat-location=/data/user/0/oagdola.gtgzmvnul.mpuvyx.kkstcrwi/app_picture/oat/x86/1.odex --compiler-filter=quicken --class-loader-context=&
    - Loads dropped Dex/Jar
Network
MITRE ATT&CK Mobile v15
Persistence
- Event Triggered Execution (1)
  - Broadcast Receivers (1)
- Foreground Persistence (1)
Defense Evasion
- Download New Code at Runtime (1)
- Foreground Persistence (1)
- Hide Artifacts (2)
  - Suppress Application Icon (1)
  - User Evasion (1)
- Virtualization/Sandbox Evasion (1)
  - System Checks (1)
Downloads