General
-
Target
8df476be832a1204480d301c7579597bcdafc690b77d1f5c64dc6fb80c0d90d2.apk
-
Size
1.1MB
-
Sample
240507-v8m91sge9y
-
MD5
3f9a142aeabaaff9857056dc4a35d495
-
SHA1
246c4122861876151b6d3e0f17e0460e26bc5956
-
SHA256
8df476be832a1204480d301c7579597bcdafc690b77d1f5c64dc6fb80c0d90d2
-
SHA512
1e55f09d8f8e72f9a3cd8ad0e7a986acffe88b5b34f9df7a2e39c4cd2e9cb34b1d85ef72678bc00bc0b6599fa7621518205706342e5c30c207c35a27d993d7b7
-
SSDEEP
24576:k60U4F837q36KFQLGldSsEEolIYDEBojyFng/lUsY:onKJyldGziXFng/JY
Behavioral task
behavioral1
Sample
8df476be832a1204480d301c7579597bcdafc690b77d1f5c64dc6fb80c0d90d2.apk
Resource
android-x86-arm-20240506-en
Behavioral task
behavioral2
Sample
8df476be832a1204480d301c7579597bcdafc690b77d1f5c64dc6fb80c0d90d2.apk
Resource
android-x64-20240506-en
Behavioral task
behavioral3
Sample
8df476be832a1204480d301c7579597bcdafc690b77d1f5c64dc6fb80c0d90d2.apk
Resource
android-x64-arm64-20240506-en
Malware Config
Extracted
hook
http://23.224.233.76:3434
Targets
-
-
Target
8df476be832a1204480d301c7579597bcdafc690b77d1f5c64dc6fb80c0d90d2.apk
-
Size
1.1MB
-
MD5
3f9a142aeabaaff9857056dc4a35d495
-
SHA1
246c4122861876151b6d3e0f17e0460e26bc5956
-
SHA256
8df476be832a1204480d301c7579597bcdafc690b77d1f5c64dc6fb80c0d90d2
-
SHA512
1e55f09d8f8e72f9a3cd8ad0e7a986acffe88b5b34f9df7a2e39c4cd2e9cb34b1d85ef72678bc00bc0b6599fa7621518205706342e5c30c207c35a27d993d7b7
-
SSDEEP
24576:k60U4F837q36KFQLGldSsEEolIYDEBojyFng/lUsY:onKJyldGziXFng/JY
-
Hook
Hook is an Android malware that is based on Ermac with RAT capabilities.
-
Makes use of the framework's Accessibility service
Retrieves information displayed on the phone screen using AccessibilityService.
-
Makes use of the framework's foreground persistence service
Application may abuse the framework's foreground service to continue running in the foreground.
-
Queries information about running processes on the device
Application may abuse the framework's APIs to collect information about running processes on the device.
-
Queries information about the current Wi-Fi connection
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
-
Queries the mobile country code (MCC)
-
Queries the phone number (MSISDN for GSM devices)
-
Registers a broadcast receiver at runtime (usually for listening for system events)
-
Requests enabling of the accessibility settings.
-
Acquires the wake lock
-
Reads information about phone network operator.
-
Schedules tasks to execute at a specified time
Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
-
MITRE ATT&CK Mobile v15
Persistence
Event Triggered Execution
1Broadcast Receivers
1Foreground Persistence
1Scheduled Task/Job
1Defense Evasion
Foreground Persistence
1Hide Artifacts
1Suppress Application Icon
1Impair Defenses
1Prevent Application Removal
1Input Injection
1Discovery
Process Discovery
1System Network Configuration Discovery
3System Network Connections Discovery
1