Resubmissions
08-09-2023 03:26
230908-dzpm2sgc54 1001-08-2023 11:42
230801-nvdp4agf6v 1001-08-2023 11:24
230801-nhn1asge81 10Analysis
-
max time kernel
1926665s -
max time network
159s -
platform
android_x86 -
resource
android-x86-arm-20230831-en -
resource tags
-
submitted
08-09-2023 03:26
General
-
Target
Lol.apk
-
Size
3.7MB
-
MD5
10f5a518febd8b0b08b7f69982bc0a7d
-
SHA1
77137ca4881b82a9baf3dea99e03ce92c89cc742
-
SHA256
238cdfbab88cbcb6b1a2379b2a18c993640c1f498c4cb0e9faef408331f41c0b
-
SHA512
52c557425b2eff4f244c2c34280118e913574c0b3a51bff966c4fb4538afdc1220ad6f94956098aeb53cee4984aeff30142f148f6e19c1a978af6d0e7801f918
-
SSDEEP
98304:z/Se3GAtk9/CYItyoKmFTwgzOOH2qWS9Rr:+e33tcPItTvFcg5W6b
Malware Config
Extracted
hook
http://193.233.196.2:3434
Extracted
hook
http://193.233.196.2:3434
Signatures
-
Hook
Hook is an Android malware that is based on Ermac with RAT capabilities.
-
Makes use of the framework's Accessibility service. 3 IoCs
-
Acquires the wake lock. 1 IoCs
-
Loads dropped Dex/Jar 2 IoCs
Runs executable file dropped to the device during analysis.
-
Reads information about phone network operator.
-
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs
-
Removes a system notification. 1 IoCs
Processes
-
com.dogilowopuna.zico1⤵
- Makes use of the framework's Accessibility service.
- Acquires the wake lock.
- Loads dropped Dex/Jar
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Removes a system notification.
-
/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.dogilowopuna.zico/app_DynamicOptDex/pskPXGY.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.dogilowopuna.zico/app_DynamicOptDex/oat/x86/pskPXGY.odex --compiler-filter=quicken --class-loader-context=&2⤵
- Loads dropped Dex/Jar
-
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3KB
MD53acbcf62324f2658dcded6fe36ca9aa9
SHA19c8a773b4407e9c11462372ad21ecd975bfd6723
SHA256f83b521aa47b26f1531a2e47d62ea67b8a034f4ff6a5ebda03f549afd9b73aff
SHA51295261f77321e9c3cbfeecae49b469d60dd5113feac6ff5d1f254179185ec2cbe9d67effe0356d0a04dd3201db64e562ce6ab9c6fa3b90c4a8d87631dd89e97f3
-
Filesize
4KB
MD5ed540288b396c674ba0a3e60dbe9b4eb
SHA1eba0fbb7dc17fde0baf538bbca1bef11f4386d34
SHA256fee549d071fc50a2ca63880055955a9ccdd76df33cec629358b71972d2af6a65
SHA5127f159fed436578a21436f133a451c34a6362b7797f7fc8b580187c4a9619c3707886321b788da29e6aeab9237265199d6a18c5466d7da35037279bc33080ac3e
-
Filesize
704KB
MD59bfea1b2027ec1635c3590e0ea14e3cf
SHA19cc1ea7f49e361961be1f5d2ab43658d41f86d59
SHA256f2620b302348120f00c9bd7a3e0a6cbef991b484edcdcdd915fbbd13ac861eb4
SHA5124e17d67bcd5f5361a3d9b27f4fbc29969b25a2686edffa9872e7bca1a6528b4eaaf7f90541eda8d31583d8e515b1a20d4d1b20dd4a88c9e83e07d91d525de4a1
-
Filesize
704KB
MD54c5cc08fbf8fe10e34fc490fef580f3c
SHA192f11a0ec664e21d5546109af27ac481d4741b8f
SHA256604976f65004e5c54cd7ded095be2b42aae134c7e48c4bbef1faea342b8ed878
SHA512f69b6877c057b0907b60a429d20af46f48931b3e95ab429ec2f580e1c6fa61232b0177a3dac18292f7bb4cef82d3dfe9e9263d929ffa1a8ffc1fb0319d3ab214
-
Filesize
4KB
MD5f2b4b0190b9f384ca885f0c8c9b14700
SHA1934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA2560a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1
-
Filesize
512B
MD5f1ab5a7520e069f5b4659c8770c83168
SHA181c6546546294ce416c5ed6b05d51f47075e17a6
SHA25603053e106e85cbc8ac17c674eddf5e7a851f2747ffa5c39ba60a6c7ebbb925bb
SHA51276f0c98879071b48ca55757b2bae0f47b191fad99d821135bb2e6fec76509ce3e003198d8c7c5647bfdc041cab5c46a58642031828ba57e14472428965c71c1e
-
Filesize
32KB
MD5bb7df04e1b0a2570657527a7e108ae23
SHA15188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012
-
Filesize
108KB
MD5ae60635d87c7eb9c0c2cb4c6f4429630
SHA1ec36c9477ee8c54f30c1f212073a4a8619c8a55d
SHA2565ffd6a636fc4eef7b5c0830617f3eaa5e1eb735dc1a9b800fceecfef0a7037e2
SHA512ee84a6d1482e378eaf1d51fe4f3fdf0a78b9079068e5c0aca68fcefb335ab75f6e144994d14fe010c7578d80838b126801cf0c7a4244306a45c143785fdfcd16
-
Filesize
173KB
MD57a214acb0e8af6cf66401f855816b240
SHA1674fa7c2c2ae76a7eaeefadf2edd0dcfa0b3f1db
SHA2564853a604096f8f8c570e1a2fe597b1be5fa273171e619c24a7efcbde31513b6c
SHA512591cff4bc3396fe4b255b432752fa573b89da0f546033a8973772a3af52a4a72a5bac49dfed8c389ebc1b48ae8c4b3786e0d5cdd86bd863ed4b29096651d347d
-
Filesize
16KB
MD5f1526c64ea7cf68aab166ae9d153400a
SHA15d69e7b725a2845a05d33262fd6b135c4e9e42a2
SHA2566f0f175fa7783ba2720e4f752ff23b76b031cd3ebcdf326e07b77530ad3a39b4
SHA51294006634d6f90a856ace8bf2e11d76f9f762a4f4d472cf0fb22a3ab90b0de6113e3170831c1671878d3184082100b7e15476e62ab0bf4dc880d427e4bf49e34e
-
Filesize
1.5MB
MD57ffa71e1e1ae0b4b47d6be864fc29366
SHA18f19d6ff1a28b1737f298a22c19009782ef84331
SHA256593b12a640d78ee06f6b74458c7f456eaff676b68dca095de5feeb86adeae18e
SHA512f017f92ccbb379f7fae44df3473c12b03200081263c9f5187b929db49887f4af0498f46697cb51cfab0901f5b04c133f10b7d7b2291a8832a9e7f1b9082f5d9d
-
Filesize
1.5MB
MD5cf80a0964d7adb2dc9ab389185abcff1
SHA1a630b6d63b9be79f2fe9f2fc38c91fcbc1d8d6ea
SHA256f90f95cb686db2f9ce0607038438527e3665ca8e33c38fd168834f6d96def4ed
SHA512ef1a6f7c47772fd49ae2fda552df4f54fea83e30c99980ae8e0863b4abcfe2d7cb9869449962129cb560760d49ee6349add36e6ca7417e6cf0e9f99d86a3ee53