Analysis
-
max time kernel
718084s -
max time network
1200s -
platform
android_x86 -
resource
android-x86-arm-20220823-en -
resource tags
androidarch:armarch:x86image:android-x86-arm-20220823-enlocale:en-usos:android-9-x86system -
submitted
29-03-2023 00:17
Static task
static1
Behavioral task
behavioral1
Sample
YouTube_obf.apk
Resource
android-x86-arm-20220823-en
Behavioral task
behavioral2
Sample
YouTube_obf.apk
Resource
android-x64-20220823-en
Behavioral task
behavioral3
Sample
YouTube_obf.apk
Resource
android-x64-arm64-20220823-en
General
-
Target
YouTube_obf.apk
-
Size
2.6MB
-
MD5
9a04cd4b51e74d6951c2c7f78cb0b7bd
-
SHA1
791880e2417efebdec3bb56c66d9ac18e32c96d1
-
SHA256
e4fc786d2c691c5e735db758881b9f7a455148615a4bc140ba286a1caab4254f
-
SHA512
add5a5cca243b1260cdb635d18ca0addaec009f32ca6fbef5e6a8c3debe92c65fc35ed78bc40f6efd1eba6bb004976b7242385613ffe290e5789765456d65947
-
SSDEEP
49152:5G+mYa9G5wqCZhjz6UYSWrqWZJ/9h0D/Yw36O8RJtnkats10N4NIJ:5GYa9G2VGUs9eb8RLnt54NIJ
Malware Config
Extracted
hook
http://176.100.42.11:3434
Extracted
hook
http://176.100.42.11:3434
Signatures
-
Hook
Hook is an Android malware that is based on Ermac with RAT capabilities.
-
Makes use of the framework's Accessibility service. 3 IoCs
description ioc Process Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId com.cinecaluxozixu.benama Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText com.cinecaluxozixu.benama Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId com.cinecaluxozixu.benama -
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps). 1 IoCs
description ioc Process Framework service call android.content.pm.IPackageManager.getInstalledApplications com.cinecaluxozixu.benama -
Acquires the wake lock. 1 IoCs
description ioc Process Framework service call android.os.IPowerManager.acquireWakeLock com.cinecaluxozixu.benama -
Loads dropped Dex/Jar 2 IoCs
Runs executable file dropped to the device during analysis.
ioc pid Process /data/user/0/com.cinecaluxozixu.benama/app_DynamicOptDex/ODNGfSF.json 4176 /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.cinecaluxozixu.benama/app_DynamicOptDex/ODNGfSF.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.cinecaluxozixu.benama/app_DynamicOptDex/oat/x86/ODNGfSF.odex --compiler-filter=quicken --class-loader-context=& /data/user/0/com.cinecaluxozixu.benama/app_DynamicOptDex/ODNGfSF.json 4130 com.cinecaluxozixu.benama -
Reads information about phone network operator.
-
Removes a system notification. 1 IoCs
description ioc Process Framework service call android.app.INotificationManager.cancelNotificationWithTag com.cinecaluxozixu.benama -
Uses Crypto APIs (Might try to encrypt user data). 1 IoCs
description ioc Process Framework API call javax.crypto.Cipher.doFinal com.cinecaluxozixu.benama
Processes
-
com.cinecaluxozixu.benama1⤵
- Makes use of the framework's Accessibility service.
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps).
- Acquires the wake lock.
- Loads dropped Dex/Jar
- Removes a system notification.
- Uses Crypto APIs (Might try to encrypt user data).
PID:4130 -
/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.cinecaluxozixu.benama/app_DynamicOptDex/ODNGfSF.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.cinecaluxozixu.benama/app_DynamicOptDex/oat/x86/ODNGfSF.odex --compiler-filter=quicken --class-loader-context=&2⤵
- Loads dropped Dex/Jar
PID:4176
-
Network
-
Remote address:1.1.1.1:53Requestandroid.apis.google.comIN AResponseandroid.apis.google.comIN CNAMEclients.l.google.comclients.l.google.comIN A172.217.168.206
-
Remote address:1.1.1.1:53Requestinfinitedata-pa.googleapis.comIN AResponseinfinitedata-pa.googleapis.comIN A142.250.179.170infinitedata-pa.googleapis.comIN A172.217.168.234infinitedata-pa.googleapis.comIN A142.251.36.42infinitedata-pa.googleapis.comIN A142.251.39.106infinitedata-pa.googleapis.comIN A172.217.168.202infinitedata-pa.googleapis.comIN A142.251.36.10infinitedata-pa.googleapis.comIN A142.250.179.202infinitedata-pa.googleapis.comIN A142.250.179.138
-
Remote address:176.100.42.11:3434RequestGET /socket.io/?EIO=3&transport=polling HTTP/1.1
Accept: */*
Host: 176.100.42.11:3434
Connection: Keep-Alive
Accept-Encoding: gzip
User-Agent: okhttp/3.8.1
ResponseHTTP/1.1 200 OK
Access-Control-Allow-Headers: Accept, Authorization, Content-Type, Content-Length, X-CSRF-Token, Token, session, Origin, Host, Connection, Accept-Encoding, Accept-Language, X-Requested-With
Access-Control-Allow-Methods: POST, OPTIONS, GET, PUT, DELETE
Access-Control-Allow-Origin: http://176.100.42.11/
Content-Type: application/octet-stream
Date: Wed, 29 Mar 2023 00:18:32 GMT
Content-Length: 87
-
Remote address:176.100.42.11:3434RequestGET /socket.io/?EIO=3&transport=polling&sid=3nosp HTTP/1.1
Accept: */*
Host: 176.100.42.11:3434
Connection: Keep-Alive
Accept-Encoding: gzip
User-Agent: okhttp/3.8.1
ResponseHTTP/1.1 200 OK
Access-Control-Allow-Headers: Accept, Authorization, Content-Type, Content-Length, X-CSRF-Token, Token, session, Origin, Host, Connection, Accept-Encoding, Accept-Language, X-Requested-With
Access-Control-Allow-Methods: POST, OPTIONS, GET, PUT, DELETE
Access-Control-Allow-Origin: http://176.100.42.11/
Content-Type: application/octet-stream
Date: Wed, 29 Mar 2023 00:18:32 GMT
Content-Length: 5
-
Remote address:176.100.42.11:3434RequestPOST /socket.io/?EIO=3&transport=polling&sid=3nosp HTTP/1.1
Accept: */*
Content-Type: text/plain;charset=UTF-8
Content-Length: 64
Host: 176.100.42.11:3434
Connection: Keep-Alive
Accept-Encoding: gzip
User-Agent: okhttp/3.8.1
ResponseHTTP/1.1 200 OK
Access-Control-Allow-Headers: Accept, Authorization, Content-Type, Content-Length, X-CSRF-Token, Token, session, Origin, Host, Connection, Accept-Encoding, Accept-Language, X-Requested-With
Access-Control-Allow-Methods: POST, OPTIONS, GET, PUT, DELETE
Access-Control-Allow-Origin: http://176.100.42.11/
Date: Wed, 29 Mar 2023 00:18:32 GMT
Content-Length: 2
Content-Type: text/plain; charset=utf-8
-
Remote address:176.100.42.11:3434RequestGET /socket.io/?EIO=3&transport=websocket&sid=3nosp HTTP/1.1
Upgrade: websocket
Connection: Upgrade
Sec-WebSocket-Key: j3Hz/6BqKnSOsenW8cz3ew==
Sec-WebSocket-Version: 13
Host: 176.100.42.11:3434
Accept-Encoding: gzip
User-Agent: okhttp/3.8.1
ResponseHTTP/1.1 101 Switching Protocols
Connection: Upgrade
Sec-WebSocket-Accept: mLp//iLT2ieMOytgcsdPcSI4nEo=
Access-Control-Allow-Credentials: true
Access-Control-Allow-Methods: POST, OPTIONS, GET, PUT, DELETE
Access-Control-Allow-Headers: Accept, Authorization, Content-Type, Content-Length, X-CSRF-Token, Token, session, Origin, Host, Connection, Accept-Encoding, Accept-Language, X-Requested-With
Access-Control-Allow-Origin: http://176.100.42.11/
-
Remote address:176.100.42.11:3434RequestGET /socket.io/?EIO=3&transport=polling&sid=3nosp HTTP/1.1
Accept: */*
Host: 176.100.42.11:3434
Connection: Keep-Alive
Accept-Encoding: gzip
User-Agent: okhttp/3.8.1
ResponseHTTP/1.1 200 OK
Access-Control-Allow-Headers: Accept, Authorization, Content-Type, Content-Length, X-CSRF-Token, Token, session, Origin, Host, Connection, Accept-Encoding, Accept-Language, X-Requested-With
Access-Control-Allow-Methods: POST, OPTIONS, GET, PUT, DELETE
Access-Control-Allow-Origin: http://176.100.42.11/
Content-Type: application/octet-stream
Date: Wed, 29 Mar 2023 00:18:32 GMT
Content-Length: 4
-
6.1kB 9.4kB 25 23
-
2.1kB 2.9kB 28 27
HTTP Request
GET http://176.100.42.11:3434/socket.io/?EIO=3&transport=pollingHTTP Response
200HTTP Request
GET http://176.100.42.11:3434/socket.io/?EIO=3&transport=polling&sid=3nospHTTP Response
200HTTP Request
POST http://176.100.42.11:3434/socket.io/?EIO=3&transport=polling&sid=3nospHTTP Response
200 -
26.9kB 13.9kB 247 246
HTTP Request
GET http://176.100.42.11:3434/socket.io/?EIO=3&transport=websocket&sid=3nospHTTP Response
101 -
1.5kB 1.7kB 25 23
HTTP Request
GET http://176.100.42.11:3434/socket.io/?EIO=3&transport=polling&sid=3nospHTTP Response
200 -
832 B 3.5kB 9 6
-
958 B 4.0kB 10 9
-
1.5kB 1.7kB 12 11
-
520 B 10
-
135 B 40 B 2 1
-
1.2kB 4.6kB 12 10
-
1.3kB 1.2kB 11 11
-
958 B 4.0kB 10 8
-
3.7kB 11
-
69 B 109 B 1 1
DNS Request
android.apis.google.com
DNS Response
172.217.168.206
-
76 B 204 B 1 1
DNS Request
infinitedata-pa.googleapis.com
DNS Response
142.250.179.170172.217.168.234142.251.36.42142.251.39.106172.217.168.202142.251.36.10142.250.179.202142.250.179.138
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
704KB
MD56d5e9bcdab546a41a32dc134a0ca23e1
SHA1272c6afdaebbf7a6bb78f42f659d5806b30a6907
SHA2561a80d8632f0dc7d62711f32af196dd4ed98654453bc261288dc52c164f086071
SHA51254d31460ce8dd7b0616000bbb6ecbcd49860583b08578af5023bbbdf91705de04cd51ee7d919eaf56b40b6acac0f30df05921c5254dbdbfb1e5ec68c42c17ac3
-
Filesize
1.5MB
MD52f014c008012e9eb8c1d2ad8cd3bc0cc
SHA1b131858e915215e3d0f9c8c0a863b74289f1b9ac
SHA2565d47e9802a60d0c0f374be499c0a6c4e52cda4b21cf202f0c5cfeb962ae3ead2
SHA5128e4928abbd70451e9fd7bf8027abc93c0c0ad23d0eef1cc728e8c36c30c5d8288580821583e887cac0d5f79316bbf2fd5645c4079480362996ddbe34405ad7ae
-
Filesize
1.5MB
MD5089544070959213580514e7b1587508e
SHA12e65d6a4b733fac241243dcbb3f45924358fa263
SHA256204e9b3006016eae2c3b6323483c02515a158e722bf205571ec576e25d52b4e4
SHA512f398f8ebcdfd628ca78fd17d74c9b72932987d81a94d2db8aceea692e274f6a9b7df751ff73b69526e87f6e379f1f412235ecdd8c72de7d51b3e44e8ec8192f0
-
Filesize
20B
MD593027d42b314432c4216e6cfca48b384
SHA143448dd8102979c3926828182579691945eedd4e
SHA2563cda72e67c62e52a342309c44f2cb3b6c1019c7b11822e2f628e48e254e2b41c
SHA512a52d13cf7f5be196d1e2f135b8a010f80558c5d35e90e7792441d1c976517d55cf1c9587949db69ebef294cc6ef79529a65e7d779964793016efecacd152f70e
-
Filesize
48B
MD52d1cf9829b8c210c3204692dbe323d42
SHA19477b74c52f80715e433c733fd755050d2a7b610
SHA2566aefae08c14ac3f45bacb072ef6689e0097bba0f0921eb6c13a82d9d32d47897
SHA51225bee513eeaea04f0ad180d8b4738226283c32b291a6b297c388f90de71c15df72656af8c4460063a6da4e0c526bbc0aad38b7a6a3ffa4b0944b5a39ce3bbacf
-
Filesize
48B
MD5b819eb3804f436baec4a8f2efeb71696
SHA183ddce7fa7ac3ddefc165540206a2a8ef44d50db
SHA256efa116113121e6961281d1e9709113900d19310177ece4d7e2eb3bb43885542d
SHA5124095e7fc303d5a32f6171b19b2b3df0954d091a20a78e14cea37188fa3989d04c97546d9a1a177299e995b0983197264132665c0f8a36456abecfb201deef262
-
Filesize
104KB
MD5dc79f9ce5f3ab5270b33e61119dfc959
SHA11844bf222a5144b513dcf2fb50a18c011701c647
SHA25647e65f4de08deabfd52ecdb8b0a29c61c482188b92c36182e2112ca0a8f4ff65
SHA51218b8894a7f35df516f423bbdebf1e05ce09eaf4345b139e59e603cadb81f8d1fa20f793438c28e8fd9a64e64f0684223d90ce6f10d3f93cb0c781049a8cff03e
-
Filesize
1KB
MD56624c4ad2a113476f7ea14260a724f8f
SHA1391f8458c48b99f45635a9d9cce3d945a086d91e
SHA256d910e7d1cb0f4bbb03046f76aa2deba48fb20d5f46106f2cded66d45397775d6
SHA5128f9351394ced6ddcf1cf8ed094a9409416be79eda486ad8d8725d1bf4aa3a7774cfeeafb0f30980416c8cb361ac6f204774bb1c20790e19500dcbe40f510626d
-
Filesize
36B
MD59f3f5e4aaf49f96672cebcb479649f7a
SHA15a51cfbc53cc3e086416b52512aa1623ab39cbbd
SHA25687d5d137cf4d3cf534fa6ad2ec6ff7d178e1f8d643752311538e1a46c5e44c85
SHA5122750ca5c68805c6ec55f59488a05c49b0b433633b5f3a81d7490a38cf10503d3c318e8da292a3f4df5d7d6783526829601011f8a2306074d7183b307c502e1f3
-
Filesize
4KB
MD5f2b4b0190b9f384ca885f0c8c9b14700
SHA1934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA2560a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1
-
Filesize
524B
MD52efd5f91d1b414e3e0b4986f5980b1e9
SHA1753a4c84217c980948222858274ae0e36fc275d9
SHA256c7c8a161515742857d2abd5ea653549f5b024c5b43ec792d1be873089e17d4ee
SHA5124023ef970b5802c2daedfb47458ae1c111fbcc34d7d440560377727e3f38ba5bbe356bcca8ad1d5fc61323b1ba55e8e55e7532837c2e253eb9ce1103446780cf
-
Filesize
8B
MD57dea362b3fac8e00956a4952a3d4f474
SHA105fe405753166f125559e7c9ac558654f107c7e9
SHA256af5570f5a1810b7af78caf4bc70a660f0df51e42baf91d4de5b2328de0e83dfc
SHA5121b7409ccf0d5a34d3a77eaabfa9fe27427655be9297127ee9522aa1bf4046d4f945983678169cb1a7348edcac47ef0d9e2c924130e5bcc5f0d94937852c42f1b
-
Filesize
197KB
MD587288cbcc0b491bc0d980519b69dafbf
SHA106871dbffec53d4e551914c23428b66bad24d128
SHA2564e84f87821e39363bbd0ecde3faaf855a4be09450a4c62ab1a16ee494c8da9a5
SHA5128b226909d5c9fbde52fc7118fd396659361baa962ce89670441d824576bf7cd306f6f3b321ed723cd450da208b26703a619c9be7191cf562b05204c04e8465bb
-
Filesize
127B
MD521223e9184445fe043476484cd8cb1f9
SHA12b4813f849121d60ba35eb0889080668bb62c778
SHA256bb61b7c087c2ae2de93a7740ff75707342940557146366e92b840284cd9446af
SHA512be21408de0cc643650e5d9ab9057a8f9de88e37fbdc6417cfeba160402ec4cd14fccbc82cbbfd941ecfc0bb3d4056ee61ac199efdc99d647d53e65818835fd48
-
Filesize
138B
MD57ceae0a9d45f1c82277d4a61b25e06fd
SHA1d50d12087085a2a4022ab438544ff5cb21b877d9
SHA256546f08d3ef03531c006fbe4271232b5d3056da72465664a8363bb1411fa1e147
SHA512043b7f77726684a39dd67340a2e1e2cbc3fe101acf088d8acc0220e7a1d4cdef48232cd613c59057c7ed717a631a0e09766995c2f8f755887a53c411b2fa2800