Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    android-9_x86
  • resource
    android-x86-arm-20240910-en
  • resource tags
    arch:arm, arch:x86, image:android-x86-arm-20240910-en, locale:en-us, os:android-9-x86, system
  • submitted
    05/03/2025, 22:06

General

  • Target

    6ea56206401410abdf8d540b4b8d2aec1c3fdf5a8c6a6e2c3ddcfb72f558e0b3.apk

  • Size

    164KB

  • MD5

    d4e6ba09a765f987aaa44b61fe0bd7d2

  • SHA1

    7ae166683b062b619c2a9db3e3630671406d9513

  • SHA256

    6ea56206401410abdf8d540b4b8d2aec1c3fdf5a8c6a6e2c3ddcfb72f558e0b3

  • SHA512

    02afbca80cb9a5ce98cfd150336a8baf4b08bcd4bbd418af3d8580ab396a9bf4ef4ab2813523ae14f5bda9a3b9001679fa3d11fb498c4f4115dc3a415634ea7b

  • SSDEEP

    3072:9fqgVyDS1CIVysC+A5+CBljscfhNY5bpfXC03ZOrurjdf2kmFmovmGKWaPvzP9C:9f1yDRoeBJffhNY5bpbZO6rwkx/rWa3A

Malware Config

Extracted

Family

xloader_apk

C2

http://91.204.226.54:28899

DES_key

Signatures

  • XLoader payload 1 IoCs
  • XLoader, MoqHao

    An Android banker and info stealer.

  • Xloader_apk family
  • Checks if the Android device is rooted. 1 TTPs 3 IoCs
  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 5 IoCs

    Runs executable file dropped to the device during analysis.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Queries account information for other applications stored on the device 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect account information stored on the device.

  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Reads the content of the MMS message. 1 TTPs 1 IoCs
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Reads information about phone network operator. 1 TTPs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
  • Checks CPU information 2 TTPs 1 IoCs

Processes

  • oagdola.gtgzmvnul.mpuvyx.kkstcrwi
    1⤵
    • Checks if the Android device is rooted.
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Queries account information for other applications stored on the device
    • Reads the content of the MMS message.
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Uses Crypto APIs (Might try to encrypt user data)
    • Checks CPU information
    PID:4364
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/oagdola.gtgzmvnul.mpuvyx.kkstcrwi/app_picture/1.jpg --output-vdex-fd=46 --oat-fd=47 --oat-location=/data/user/0/oagdola.gtgzmvnul.mpuvyx.kkstcrwi/app_picture/oat/x86/1.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4399

Network

MITRE ATT&CK Mobile v15

Downloads

  • /data/data/oagdola.gtgzmvnul.mpuvyx.kkstcrwi/app_picture/1.jpg

    Filesize

    6KB

    MD5

    b1bd5525ae832533959575e305efb4d2

    SHA1

    57bef44903a4fd320b913a026f6b0535663db88a

    SHA256

    7a5aad47f43ee816b70aff4a96795fd47e72ba1ddac4524a3c6911f4f2546aa9

    SHA512

    42059e8dd751b85d62be1d51aae15893d26a32c9ac86f84daee2328f3565088285fc7e3a70e41f81c893aadeab5042ff263575c770721db1c670ad1dd53abe60

  • /data/data/oagdola.gtgzmvnul.mpuvyx.kkstcrwi/files/b

    Filesize

    300KB

    MD5

    f60877a1602c5eaf2c76739c48fece05

    SHA1

    7a4ca110ca810e1d5b458455f6800d5ffe313dad

    SHA256

    d2e257a9eb736324f1cf91ba4aaf483fea82ee96ce9c499f16b4dab2879c0070

    SHA512

    862a34c8ae8dc16f74c0e4b32ab5210700a7dffd3cdd78d0838db43e52a1cbaf5d1eebfc84ede67bffc5a4c8d0085ed45fca428a086a3aac595986553fb8e8b9

  • /data/data/oagdola.gtgzmvnul.mpuvyx.kkstcrwi/files/oat/b.cur.prof

    Filesize

    708B

    MD5

    3b330d23095a7e34b45e5026916ccf31

    SHA1

    31f332919356ecd72fc40180d9a0523e68de89eb

    SHA256

    de9b07e1d54a7f5e929ca8f7c2573dcd5b7c9c8888b8a02ebbcfbf4fd2c30ad2

    SHA512

    0fea40a2dc38e1ab6fe343ab742ff8d3de75c4a3ebfee81b57f143044e5076820a1f1b6980fbc1a51d1e91b435da8b8985027530f8bcf1ed8ca69eb6137fa1d4

  • /data/data/oagdola.gtgzmvnul.mpuvyx.kkstcrwi/files/oat/b.cur.prof

    Filesize

    796B

    MD5

    2ba41855ce89007873c1f925a7e7ab6c

    SHA1

    ed8b97b443189a62d8c754f82543f31b63c97f84

    SHA256

    b0d7d23f61b089ccfc904682acf0d7866f84b5c43cd48a2394e70d627f721782

    SHA512

    f57091903f8114df638fec945c4234181247ef1045113d45434950c7764b4e4f90def92cac4879832a95ece277b5ef1f7c42dc65e8cf333aedcc9ac226cda0c7

  • /data/data/oagdola.gtgzmvnul.mpuvyx.kkstcrwi/files/oat/b.cur.prof

    Filesize

    610B

    MD5

    d7fd5691d99f2aab5d9fb86ad80de206

    SHA1

    997d0b8948e9d7dc745c7b545c63564bf00bb048

    SHA256

    c965a941eb3e95c512967e660e2f4e59e35bdd1cfab54dd0c536917a501f291d

    SHA512

    0090e457213edc3633720a05ae25f4c0cffeaaddd87aae3e7ab8630ac344da03fb1406e0e8d569a3fe1e0e71da8b50fcfb8560da62120181048cbfcdb8024e06

  • /data/user/0/oagdola.gtgzmvnul.mpuvyx.kkstcrwi/app_picture/1.jpg

    Filesize

    6KB

    MD5

    8291dfb31559c01a68f2b13a9de6e39b

    SHA1

    f1db0b08c72c56bde7fe5fbcfa732f69f479cd2a

    SHA256

    fbff46e6a4df7276e60bba43a3e75ece8037e91df2eba37507930bdc5e6dd381

    SHA512

    1aa0b45779883bbfd2619b55a1e5cf49f98b9d50dc545a2672fac602f820eab60952c1c6c3464d49c49a6cd5107fa9d4184967e845c65a8fd641fd1599937ffb

  • /storage/emulated/0/.msg_device_id.txt

    Filesize

    36B

    MD5

    05064cf1d6490e4e37653e7cc22912d5

    SHA1

    592e11cc301081af759213f924cb23813ec76a09

    SHA256

    c9597c449cdce5e06e3028ce0636f064dc1cde491dea029c1551c67f271a34ef

    SHA512

    1b0e6e79e76d01f25828d25a6622cf5c3de2180d1c5367d676eba25d1b3d7c6e4f7337d304bca3e64a178d7f8b85cf3693cea368142c5e93099f2ee6c20d41df