Resubmissions

29-03-2023 00:17

230329-alflfafg2s 10

27-03-2023 10:02

230327-l3abjacg95 10

Analysis

  • max time kernel
    718084s
  • max time network
    1200s
  • platform
    android_x86
  • resource
    android-x86-arm-20220823-en
  • resource tags
    android, arch:arm, arch:x86, image:android-x86-arm-20220823-en, locale:en-us, os:android-9-x86, system
  • submitted
    29-03-2023 00:17

General

  • Target

    YouTube_obf.apk

  • Size

    2.6MB

  • MD5

    9a04cd4b51e74d6951c2c7f78cb0b7bd

  • SHA1

    791880e2417efebdec3bb56c66d9ac18e32c96d1

  • SHA256

    e4fc786d2c691c5e735db758881b9f7a455148615a4bc140ba286a1caab4254f

  • SHA512

    add5a5cca243b1260cdb635d18ca0addaec009f32ca6fbef5e6a8c3debe92c65fc35ed78bc40f6efd1eba6bb004976b7242385613ffe290e5789765456d65947

  • SSDEEP

    49152:5G+mYa9G5wqCZhjz6UYSWrqWZJ/9h0D/Yw36O8RJtnkats10N4NIJ:5GYa9G2VGUs9eb8RLnt54NIJ

Malware Config

Extracted

Family

hook

C2

http://176.100.42.11:3434

Extracted

Family

hook

C2

http://176.100.42.11:3434

AES_key 1

3141317a5031655035514765666932444d505466544c35534c6d763744697666

Signatures

  • Hook

    Hook is an Android malware that is based on Ermac with RAT capabilities.

  • Makes use of the framework's Accessibility service. 3 IoCs
  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps). 1 IoCs
  • Acquires the wake lock. 1 IoCs
  • Loads dropped Dex/Jar 2 IoCs

    Runs executable file dropped to the device during analysis.

  • Reads information about phone network operator.
  • Removes a system notification. 1 IoCs
  • Uses Crypto APIs (Might try to encrypt user data). 1 IoCs

Processes

  • com.cinecaluxozixu.benama
    1⤵
    • Makes use of the framework's Accessibility service.
    • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps).
    • Acquires the wake lock.
    • Loads dropped Dex/Jar
    • Removes a system notification.
    • Uses Crypto APIs (Might try to encrypt user data).
    PID:4130
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.cinecaluxozixu.benama/app_DynamicOptDex/ODNGfSF.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.cinecaluxozixu.benama/app_DynamicOptDex/oat/x86/ODNGfSF.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4176

Network

  • flag-us
    DNS
    android.apis.google.com
    Remote address:
    1.1.1.1:53
    Request
    android.apis.google.com
    IN A
    Response
    android.apis.google.com
    IN CNAME
    clients.l.google.com
    clients.l.google.com
    IN A
    172.217.168.206
  • flag-us
    DNS
    infinitedata-pa.googleapis.com
    Remote address:
    1.1.1.1:53
    Request
    infinitedata-pa.googleapis.com
    IN A
    Response
    infinitedata-pa.googleapis.com
    IN A
    142.250.179.170
    infinitedata-pa.googleapis.com
    IN A
    172.217.168.234
    infinitedata-pa.googleapis.com
    IN A
    142.251.36.42
    infinitedata-pa.googleapis.com
    IN A
    142.251.39.106
    infinitedata-pa.googleapis.com
    IN A
    172.217.168.202
    infinitedata-pa.googleapis.com
    IN A
    142.251.36.10
    infinitedata-pa.googleapis.com
    IN A
    142.250.179.202
    infinitedata-pa.googleapis.com
    IN A
    142.250.179.138
  • flag-ru
    GET
    http://176.100.42.11:3434/socket.io/?EIO=3&transport=polling
    Remote address:
    176.100.42.11:3434
    Request
    GET /socket.io/?EIO=3&transport=polling HTTP/1.1
    Accept: */*
    Host: 176.100.42.11:3434
    Connection: Keep-Alive
    Accept-Encoding: gzip
    User-Agent: okhttp/3.8.1
    Response
    HTTP/1.1 200 OK
    Access-Control-Allow-Credentials: true
    Access-Control-Allow-Headers: Accept, Authorization, Content-Type, Content-Length, X-CSRF-Token, Token, session, Origin, Host, Connection, Accept-Encoding, Accept-Language, X-Requested-With
    Access-Control-Allow-Methods: POST, OPTIONS, GET, PUT, DELETE
    Access-Control-Allow-Origin: http://176.100.42.11/
    Content-Type: application/octet-stream
    Date: Wed, 29 Mar 2023 00:18:32 GMT
    Content-Length: 87
  • flag-ru
    GET
    http://176.100.42.11:3434/socket.io/?EIO=3&transport=polling&sid=3nosp
    Remote address:
    176.100.42.11:3434
    Request
    GET /socket.io/?EIO=3&transport=polling&sid=3nosp HTTP/1.1
    Accept: */*
    Host: 176.100.42.11:3434
    Connection: Keep-Alive
    Accept-Encoding: gzip
    User-Agent: okhttp/3.8.1
    Response
    HTTP/1.1 200 OK
    Access-Control-Allow-Credentials: true
    Access-Control-Allow-Headers: Accept, Authorization, Content-Type, Content-Length, X-CSRF-Token, Token, session, Origin, Host, Connection, Accept-Encoding, Accept-Language, X-Requested-With
    Access-Control-Allow-Methods: POST, OPTIONS, GET, PUT, DELETE
    Access-Control-Allow-Origin: http://176.100.42.11/
    Content-Type: application/octet-stream
    Date: Wed, 29 Mar 2023 00:18:32 GMT
    Content-Length: 5
  • flag-ru
    POST
    http://176.100.42.11:3434/socket.io/?EIO=3&transport=polling&sid=3nosp
    Remote address:
    176.100.42.11:3434
    Request
    POST /socket.io/?EIO=3&transport=polling&sid=3nosp HTTP/1.1
    Accept: */*
    Content-Type: text/plain;charset=UTF-8
    Content-Length: 64
    Host: 176.100.42.11:3434
    Connection: Keep-Alive
    Accept-Encoding: gzip
    User-Agent: okhttp/3.8.1
    Response
    HTTP/1.1 200 OK
    Access-Control-Allow-Credentials: true
    Access-Control-Allow-Headers: Accept, Authorization, Content-Type, Content-Length, X-CSRF-Token, Token, session, Origin, Host, Connection, Accept-Encoding, Accept-Language, X-Requested-With
    Access-Control-Allow-Methods: POST, OPTIONS, GET, PUT, DELETE
    Access-Control-Allow-Origin: http://176.100.42.11/
    Date: Wed, 29 Mar 2023 00:18:32 GMT
    Content-Length: 2
    Content-Type: text/plain; charset=utf-8
  • flag-ru
    GET
    http://176.100.42.11:3434/socket.io/?EIO=3&transport=websocket&sid=3nosp
    Remote address:
    176.100.42.11:3434
    Request
    GET /socket.io/?EIO=3&transport=websocket&sid=3nosp HTTP/1.1
    Upgrade: websocket
    Connection: Upgrade
    Sec-WebSocket-Key: j3Hz/6BqKnSOsenW8cz3ew==
    Sec-WebSocket-Version: 13
    Host: 176.100.42.11:3434
    Accept-Encoding: gzip
    User-Agent: okhttp/3.8.1
    Response
    HTTP/1.1 101 Switching Protocols
    Upgrade: websocket
    Connection: Upgrade
    Sec-WebSocket-Accept: mLp//iLT2ieMOytgcsdPcSI4nEo=
    Access-Control-Allow-Credentials: true
    Access-Control-Allow-Methods: POST, OPTIONS, GET, PUT, DELETE
    Access-Control-Allow-Headers: Accept, Authorization, Content-Type, Content-Length, X-CSRF-Token, Token, session, Origin, Host, Connection, Accept-Encoding, Accept-Language, X-Requested-With
    Access-Control-Allow-Origin: http://176.100.42.11/
  • flag-ru
    GET
    http://176.100.42.11:3434/socket.io/?EIO=3&transport=polling&sid=3nosp
    Remote address:
    176.100.42.11:3434
    Request
    GET /socket.io/?EIO=3&transport=polling&sid=3nosp HTTP/1.1
    Accept: */*
    Host: 176.100.42.11:3434
    Connection: Keep-Alive
    Accept-Encoding: gzip
    User-Agent: okhttp/3.8.1
    Response
    HTTP/1.1 200 OK
    Access-Control-Allow-Credentials: true
    Access-Control-Allow-Headers: Accept, Authorization, Content-Type, Content-Length, X-CSRF-Token, Token, session, Origin, Host, Connection, Accept-Encoding, Accept-Language, X-Requested-With
    Access-Control-Allow-Methods: POST, OPTIONS, GET, PUT, DELETE
    Access-Control-Allow-Origin: http://176.100.42.11/
    Content-Type: application/octet-stream
    Date: Wed, 29 Mar 2023 00:18:32 GMT
    Content-Length: 4
  • 172.217.168.206:443
    android.apis.google.com
    tls
    6.1kB
    9.4kB
    25
    23
  • 176.100.42.11:3434
    http://176.100.42.11:3434/socket.io/?EIO=3&transport=polling&sid=3nosp
    http
    2.1kB
    2.9kB
    28
    27

    HTTP Request

    GET http://176.100.42.11:3434/socket.io/?EIO=3&transport=polling

    HTTP Response

    200

    HTTP Request

    GET http://176.100.42.11:3434/socket.io/?EIO=3&transport=polling&sid=3nosp

    HTTP Response

    200

    HTTP Request

    POST http://176.100.42.11:3434/socket.io/?EIO=3&transport=polling&sid=3nosp

    HTTP Response

    200
  • 176.100.42.11:3434
    http://176.100.42.11:3434/socket.io/?EIO=3&transport=websocket&sid=3nosp
    http
    26.9kB
    13.9kB
    247
    246

    HTTP Request

    GET http://176.100.42.11:3434/socket.io/?EIO=3&transport=websocket&sid=3nosp

    HTTP Response

    101
  • 176.100.42.11:3434
    http://176.100.42.11:3434/socket.io/?EIO=3&transport=polling&sid=3nosp
    http
    1.5kB
    1.7kB
    25
    23

    HTTP Request

    GET http://176.100.42.11:3434/socket.io/?EIO=3&transport=polling&sid=3nosp

    HTTP Response

    200
  • 1.1.1.1:853
    tls
    832 B
    3.5kB
    9
    6
  • 1.1.1.1:853
    tls
    958 B
    4.0kB
    10
    9
  • 1.1.1.1:853
    tls
    1.5kB
    1.7kB
    12
    11
  • 142.251.36.35:80
    520 B
    10
  • 172.217.168.228:443
    tls
    135 B
    40 B
    2
    1
  • 1.1.1.1:853
    tls
    1.2kB
    4.6kB
    12
    10
  • 1.1.1.1:853
    tls
    1.3kB
    1.2kB
    11
    11
  • 1.1.1.1:853
    tls
    958 B
    4.0kB
    10
    8
  • 224.0.0.251:5353
    3.7kB
    11
  • 1.1.1.1:53
    android.apis.google.com
    dns
    69 B
    109 B
    1
    1

    DNS Request

    android.apis.google.com

    DNS Response

    172.217.168.206

  • 1.1.1.1:53
    infinitedata-pa.googleapis.com
    dns
    76 B
    204 B
    1
    1

    DNS Request

    infinitedata-pa.googleapis.com

    DNS Response

    142.250.179.170
    172.217.168.234
    142.251.36.42
    142.251.39.106
    172.217.168.202
    142.251.36.10
    142.250.179.202
    142.250.179.138

MITRE ATT&CK Matrix

Downloads

  • /data/user/0/com.cinecaluxozixu.benama/app_DynamicOptDex/ODNGfSF.json

    Filesize

    704KB

    MD5

    6d5e9bcdab546a41a32dc134a0ca23e1

    SHA1

    272c6afdaebbf7a6bb78f42f659d5806b30a6907

    SHA256

    1a80d8632f0dc7d62711f32af196dd4ed98654453bc261288dc52c164f086071

    SHA512

    54d31460ce8dd7b0616000bbb6ecbcd49860583b08578af5023bbbdf91705de04cd51ee7d919eaf56b40b6acac0f30df05921c5254dbdbfb1e5ec68c42c17ac3

  • /data/user/0/com.cinecaluxozixu.benama/app_DynamicOptDex/ODNGfSF.json

    Filesize

    1.5MB

    MD5

    2f014c008012e9eb8c1d2ad8cd3bc0cc

    SHA1

    b131858e915215e3d0f9c8c0a863b74289f1b9ac

    SHA256

    5d47e9802a60d0c0f374be499c0a6c4e52cda4b21cf202f0c5cfeb962ae3ead2

    SHA512

    8e4928abbd70451e9fd7bf8027abc93c0c0ad23d0eef1cc728e8c36c30c5d8288580821583e887cac0d5f79316bbf2fd5645c4079480362996ddbe34405ad7ae

  • /data/user/0/com.cinecaluxozixu.benama/app_DynamicOptDex/ODNGfSF.json

    Filesize

    1.5MB

    MD5

    089544070959213580514e7b1587508e

    SHA1

    2e65d6a4b733fac241243dcbb3f45924358fa263

    SHA256

    204e9b3006016eae2c3b6323483c02515a158e722bf205571ec576e25d52b4e4

    SHA512

    f398f8ebcdfd628ca78fd17d74c9b72932987d81a94d2db8aceea692e274f6a9b7df751ff73b69526e87f6e379f1f412235ecdd8c72de7d51b3e44e8ec8192f0

  • /data/user/0/com.cinecaluxozixu.benama/app_webview/GPUCache/index

    Filesize

    20B

    MD5

    93027d42b314432c4216e6cfca48b384

    SHA1

    43448dd8102979c3926828182579691945eedd4e

    SHA256

    3cda72e67c62e52a342309c44f2cb3b6c1019c7b11822e2f628e48e254e2b41c

    SHA512

    a52d13cf7f5be196d1e2f135b8a010f80558c5d35e90e7792441d1c976517d55cf1c9587949db69ebef294cc6ef79529a65e7d779964793016efecacd152f70e

  • /data/user/0/com.cinecaluxozixu.benama/app_webview/GPUCache/index-dir/temp-index

    Filesize

    48B

    MD5

    2d1cf9829b8c210c3204692dbe323d42

    SHA1

    9477b74c52f80715e433c733fd755050d2a7b610

    SHA256

    6aefae08c14ac3f45bacb072ef6689e0097bba0f0921eb6c13a82d9d32d47897

    SHA512

    25bee513eeaea04f0ad180d8b4738226283c32b291a6b297c388f90de71c15df72656af8c4460063a6da4e0c526bbc0aad38b7a6a3ffa4b0944b5a39ce3bbacf

  • /data/user/0/com.cinecaluxozixu.benama/app_webview/GPUCache/index-dir/temp-index

    Filesize

    48B

    MD5

    b819eb3804f436baec4a8f2efeb71696

    SHA1

    83ddce7fa7ac3ddefc165540206a2a8ef44d50db

    SHA256

    efa116113121e6961281d1e9709113900d19310177ece4d7e2eb3bb43885542d

    SHA512

    4095e7fc303d5a32f6171b19b2b3df0954d091a20a78e14cea37188fa3989d04c97546d9a1a177299e995b0983197264132665c0f8a36456abecfb201deef262

  • /data/user/0/com.cinecaluxozixu.benama/app_webview/Web Data

    Filesize

    104KB

    MD5

    dc79f9ce5f3ab5270b33e61119dfc959

    SHA1

    1844bf222a5144b513dcf2fb50a18c011701c647

    SHA256

    47e65f4de08deabfd52ecdb8b0a29c61c482188b92c36182e2112ca0a8f4ff65

    SHA512

    18b8894a7f35df516f423bbdebf1e05ce09eaf4345b139e59e603cadb81f8d1fa20f793438c28e8fd9a64e64f0684223d90ce6f10d3f93cb0c781049a8cff03e

  • /data/user/0/com.cinecaluxozixu.benama/app_webview/Web Data-journal

    Filesize

    1KB

    MD5

    6624c4ad2a113476f7ea14260a724f8f

    SHA1

    391f8458c48b99f45635a9d9cce3d945a086d91e

    SHA256

    d910e7d1cb0f4bbb03046f76aa2deba48fb20d5f46106f2cded66d45397775d6

    SHA512

    8f9351394ced6ddcf1cf8ed094a9409416be79eda486ad8d8725d1bf4aa3a7774cfeeafb0f30980416c8cb361ac6f204774bb1c20790e19500dcbe40f510626d

  • /data/user/0/com.cinecaluxozixu.benama/app_webview/metrics_guid

    Filesize

    36B

    MD5

    9f3f5e4aaf49f96672cebcb479649f7a

    SHA1

    5a51cfbc53cc3e086416b52512aa1623ab39cbbd

    SHA256

    87d5d137cf4d3cf534fa6ad2ec6ff7d178e1f8d643752311538e1a46c5e44c85

    SHA512

    2750ca5c68805c6ec55f59488a05c49b0b433633b5f3a81d7490a38cf10503d3c318e8da292a3f4df5d7d6783526829601011f8a2306074d7183b307c502e1f3

  • /data/user/0/com.cinecaluxozixu.benama/no_backup/androidx.work.workdb

    Filesize

    4KB

    MD5

    f2b4b0190b9f384ca885f0c8c9b14700

    SHA1

    934ff2646757b5b6e7f20f6a0aa76c7f995d9361

    SHA256

    0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

    SHA512

    ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

  • /data/user/0/com.cinecaluxozixu.benama/no_backup/androidx.work.workdb-journal

    Filesize

    524B

    MD5

    2efd5f91d1b414e3e0b4986f5980b1e9

    SHA1

    753a4c84217c980948222858274ae0e36fc275d9

    SHA256

    c7c8a161515742857d2abd5ea653549f5b024c5b43ec792d1be873089e17d4ee

    SHA512

    4023ef970b5802c2daedfb47458ae1c111fbcc34d7d440560377727e3f38ba5bbe356bcca8ad1d5fc61323b1ba55e8e55e7532837c2e253eb9ce1103446780cf

  • /data/user/0/com.cinecaluxozixu.benama/no_backup/androidx.work.workdb-shm

    Filesize

    8B

    MD5

    7dea362b3fac8e00956a4952a3d4f474

    SHA1

    05fe405753166f125559e7c9ac558654f107c7e9

    SHA256

    af5570f5a1810b7af78caf4bc70a660f0df51e42baf91d4de5b2328de0e83dfc

    SHA512

    1b7409ccf0d5a34d3a77eaabfa9fe27427655be9297127ee9522aa1bf4046d4f945983678169cb1a7348edcac47ef0d9e2c924130e5bcc5f0d94937852c42f1b

  • /data/user/0/com.cinecaluxozixu.benama/no_backup/androidx.work.workdb-wal

    Filesize

    197KB

    MD5

    87288cbcc0b491bc0d980519b69dafbf

    SHA1

    06871dbffec53d4e551914c23428b66bad24d128

    SHA256

    4e84f87821e39363bbd0ecde3faaf855a4be09450a4c62ab1a16ee494c8da9a5

    SHA512

    8b226909d5c9fbde52fc7118fd396659361baa962ce89670441d824576bf7cd306f6f3b321ed723cd450da208b26703a619c9be7191cf562b05204c04e8465bb

  • /data/user/0/com.cinecaluxozixu.benama/shared_prefs/WebViewChromiumPrefs.xml

    Filesize

    127B

    MD5

    21223e9184445fe043476484cd8cb1f9

    SHA1

    2b4813f849121d60ba35eb0889080668bb62c778

    SHA256

    bb61b7c087c2ae2de93a7740ff75707342940557146366e92b840284cd9446af

    SHA512

    be21408de0cc643650e5d9ab9057a8f9de88e37fbdc6417cfeba160402ec4cd14fccbc82cbbfd941ecfc0bb3d4056ee61ac199efdc99d647d53e65818835fd48

  • /data/user/0/com.cinecaluxozixu.benama/shared_prefs/settings.xml

    Filesize

    138B

    MD5

    7ceae0a9d45f1c82277d4a61b25e06fd

    SHA1

    d50d12087085a2a4022ab438544ff5cb21b877d9

    SHA256

    546f08d3ef03531c006fbe4271232b5d3056da72465664a8363bb1411fa1e147

    SHA512

    043b7f77726684a39dd67340a2e1e2cbc3fe101acf088d8acc0220e7a1d4cdef48232cd613c59057c7ed717a631a0e09766995c2f8f755887a53c411b2fa2800