Analysis
-
max time kernel
175s -
max time network
182s -
platform
android_x64 -
resource
android-x64-arm64-20240514-en -
resource tags
androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240514-enlocale:en-usos:android-11-x64system -
submitted
19-05-2024 01:11
Behavioral task
behavioral1
Sample
326bae40845ecc9f7b6b5ae516906efef331960ecb76433debfac1690c29699e.apk
Resource
android-x86-arm-20240514-en
Behavioral task
behavioral2
Sample
326bae40845ecc9f7b6b5ae516906efef331960ecb76433debfac1690c29699e.apk
Resource
android-x64-20240514-en
Behavioral task
behavioral3
Sample
326bae40845ecc9f7b6b5ae516906efef331960ecb76433debfac1690c29699e.apk
Resource
android-x64-arm64-20240514-en
General
-
Target
326bae40845ecc9f7b6b5ae516906efef331960ecb76433debfac1690c29699e.apk
-
Size
1.1MB
-
MD5
4845a6d28d60044a50d6bd32cf015fdc
-
SHA1
c0dd4408017dc1b661abafb27171c23d5f9a2ffa
-
SHA256
326bae40845ecc9f7b6b5ae516906efef331960ecb76433debfac1690c29699e
-
SHA512
44165efd87985d42fdf14fc8c81df04605dc4228159b5e68cd040e59c3180eaf18fd6da11ef3830f1523d351d9594ba0b6d9282ebcde81b6ab84ae81a3b4b9b7
-
SSDEEP
24576:fGN2Z2u9tt/EvTVNIM49BJEs1vV/ojyx3g/lnXa:eN0h3tMvTl4PuK/Xx3g/Ra
Malware Config
Extracted
hook
http://89.116.27.45:3434
Signatures
-
Hook
Hook is an Android malware that is based on Ermac with RAT capabilities.
-
Makes use of the framework's Accessibility service 4 TTPs 3 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
description ioc Process Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId com.tencent.mm Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId com.tencent.mm Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText com.tencent.mm -
Prevents application removal 1 TTPs 1 IoCs
Application may abuse the framework's APIs to prevent removal.
description ioc Process Framework service call android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.tencent.mm -
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
pid Process 4683 com.tencent.mm -
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
description ioc Process Framework service call android.app.IActivityManager.setServiceForeground com.tencent.mm -
Queries information about running processes on the device 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about running processes on the device.
description ioc Process Framework service call android.app.IActivityManager.getRunningAppProcesses com.tencent.mm -
Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
description ioc Process Framework service call android.net.wifi.IWifiManager.getConnectionInfo com.tencent.mm -
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
description ioc Process Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone com.tencent.mm -
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Requests enabling of the accessibility settings. 1 IoCs
description ioc Process Intent action android.settings.ACCESSIBILITY_SETTINGS com.tencent.mm -
Acquires the wake lock 1 IoCs
description ioc Process Framework service call android.os.IPowerManager.acquireWakeLock com.tencent.mm -
Reads information about phone network operator. 1 TTPs
-
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
description ioc Process Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS com.tencent.mm -
Schedules tasks to execute at a specified time 1 TTPs 1 IoCs
Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
description ioc Process Framework service call android.app.job.IJobScheduler.schedule com.tencent.mm -
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
description ioc Process Framework API call javax.crypto.Cipher.doFinal com.tencent.mm
Processes
-
com.tencent.mm1⤵
- Makes use of the framework's Accessibility service
- Prevents application removal
- Removes its main activity from the application launcher
- Makes use of the framework's foreground persistence service
- Queries information about running processes on the device
- Queries information about the current Wi-Fi connection
- Queries the mobile country code (MCC)
- Requests enabling of the accessibility settings.
- Acquires the wake lock
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Schedules tasks to execute at a specified time
- Uses Crypto APIs (Might try to encrypt user data)
PID:4683
Network
MITRE ATT&CK Mobile v15
Defense Evasion
Foreground Persistence
1Hide Artifacts
2Suppress Application Icon
1User Evasion
1Impair Defenses
1Prevent Application Removal
1Input Injection
1Discovery
Process Discovery
1Software Discovery
1Security Software Discovery
1System Network Configuration Discovery
3System Network Connections Discovery
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4KB
MD57e858c4054eb00fcddc653a04e5cd1c6
SHA12e056bf31a8d78df136f02a62afeeca77f4faccf
SHA2569010186c5c083155a45673017d1e31c2a178e63cc15a57bbffde4d1956a23dad
SHA512d0c7a120940c8e637d5566ef179d01eff88a2c2650afda69ad2a46aad76533eaace192028bba3d60407b4e34a950e7560f95d9f9b8eebe361ef62897d88b30cb
-
Filesize
512B
MD589e1f2fc8576120329ca5b1f5caa1978
SHA1a1c67a2c951ccb5e217dc65041196e3644fe9b3c
SHA256aa2e5c7bcf23f55139edf438a9d1cc23f185a6aea61a852152e7ae6613e62cd5
SHA512e65438074c57aa768b8983295e42237abc0bd72df99b19a47187ac737ce482e253318aea1f9e672e0cc45b9c9aeab928423d1404abaa767d141883cc25ebb6f8
-
Filesize
32KB
MD5bb7df04e1b0a2570657527a7e108ae23
SHA15188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012
-
Filesize
16KB
MD503f601c47d880ccdc24f73e981dad886
SHA109b1ecfe8b8e0c43f32be04acdbe9a3ff15cda43
SHA2563e1404bcd976eb24bc924e0affd25a4ef0467ab5ef224a61b051ababd71c8313
SHA512890324804ee06fa813585df4619e35a509ae87072940395be360e84761427aa92b1887ebd9fc826f2de07e29b0bff47b4f64f5eac4417892ffa94fd4e5e83ad5
-
Filesize
108KB
MD54baeba65ff25c6217218afb3e5e2819c
SHA11702ce58def42162593181f01750a17cd1a1b935
SHA25602843a20aa473b930afd52e90ddee292a4e6ec462ee946add5927e382f12ecd2
SHA512375b356aa064d3f594a5a1cc0bd55fa387bdbce4c265e27a993788b786a213f9b86ffcc288af1081ecc788517d97cfd09315c7ec4702815596924ff14db20391
-
Filesize
173KB
MD59e39162b872928fa7054a8cf19882756
SHA134e780d0f810f8e94ca6cde348d94358b6d214b3
SHA256191a1574a465091132517ec340c8db0f8c01b3c54ec6918ed8069c1d30b2ca6d
SHA512994567dd9074e56fcc64983332ea6affdfd0a68d24ee3c6434cc60ce52f205bfcd3ad9421feb96170f51f587e05a9d39f5f7da6bc902a646286cdb851667cec9