Analysis
-
max time kernel
177s -
max time network
187s -
platform
android_x64 -
resource
android-x64-20240514-en -
resource tags
androidarch:x64arch:x86image:android-x64-20240514-enlocale:en-usos:android-10-x64system -
submitted
23-05-2024 22:04
Behavioral task
behavioral1
Sample
665c30775389ee045d29325a474303df23a624b0be68a606de388cee6dff7f28.apk
Resource
android-x86-arm-20240514-en
Behavioral task
behavioral2
Sample
665c30775389ee045d29325a474303df23a624b0be68a606de388cee6dff7f28.apk
Resource
android-x64-20240514-en
Behavioral task
behavioral3
Sample
665c30775389ee045d29325a474303df23a624b0be68a606de388cee6dff7f28.apk
Resource
android-x64-arm64-20240514-en
General
-
Target
665c30775389ee045d29325a474303df23a624b0be68a606de388cee6dff7f28.apk
-
Size
1.1MB
-
MD5
8e9a5a4af5a5859c1c7c4221c9ac3d1c
-
SHA1
461f82ab3208b92275ee24b41578390c5fc23287
-
SHA256
665c30775389ee045d29325a474303df23a624b0be68a606de388cee6dff7f28
-
SHA512
b2bc45b9f970bb6ee494a495f6d5928e7d5808dc6f3739bc1c694ae737480609e50b5d180f2ed28de2510214ad99a3664c39f13278e21ab9aa3a294db19e72ef
-
SSDEEP
24576:84E4q69LyChXcrl9kKB2actpMeEgojyrbg/0BKF:84E4R9LnFch9N8acrB3Xrbg/dF
Malware Config
Extracted
hook
http://89.116.27.45:3434
Signatures
-
Hook
Hook is an Android malware that is based on Ermac with RAT capabilities.
-
Makes use of the framework's Accessibility service 4 TTPs 3 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
Processes:
com.musezurivowateru.figedescription ioc process Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId com.musezurivowateru.fige Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText com.musezurivowateru.fige Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId com.musezurivowateru.fige -
Checks CPU information 2 TTPs 1 IoCs
Checks CPU information which indicate if the system is an emulator.
-
Checks memory information 2 TTPs 1 IoCs
Checks memory information which indicate if the system is an emulator.
-
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
Processes:
com.musezurivowateru.figedescription ioc process Framework service call android.app.IActivityManager.setServiceForeground com.musezurivowateru.fige -
Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs
Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
-
Queries information about running processes on the device 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about running processes on the device.
Processes:
com.musezurivowateru.figedescription ioc process Framework service call android.app.IActivityManager.getRunningAppProcesses com.musezurivowateru.fige -
Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
Processes:
com.musezurivowateru.figedescription ioc process Framework service call android.net.wifi.IWifiManager.getConnectionInfo com.musezurivowateru.fige -
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
Processes:
com.musezurivowateru.figedescription ioc process Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone com.musezurivowateru.fige -
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
Processes:
com.musezurivowateru.figedescription ioc process Framework service call android.app.IActivityManager.registerReceiver com.musezurivowateru.fige -
Acquires the wake lock 1 IoCs
Processes:
com.musezurivowateru.figedescription ioc process Framework service call android.os.IPowerManager.acquireWakeLock com.musezurivowateru.fige -
Reads information about phone network operator. 1 TTPs
-
Schedules tasks to execute at a specified time 1 TTPs 1 IoCs
Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
Processes:
com.musezurivowateru.figedescription ioc process Framework service call android.app.job.IJobScheduler.schedule com.musezurivowateru.fige -
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
Processes:
com.musezurivowateru.figedescription ioc process Framework API call javax.crypto.Cipher.doFinal com.musezurivowateru.fige
Processes
-
com.musezurivowateru.fige1⤵
- Makes use of the framework's Accessibility service
- Checks CPU information
- Checks memory information
- Makes use of the framework's foreground persistence service
- Obtains sensitive information copied to the device clipboard
- Queries information about running processes on the device
- Queries information about the current Wi-Fi connection
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Acquires the wake lock
- Schedules tasks to execute at a specified time
- Uses Crypto APIs (Might try to encrypt user data)
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
/data/data/com.musezurivowateru.fige/no_backup/androidx.work.workdbFilesize
4KB
MD5f2b4b0190b9f384ca885f0c8c9b14700
SHA1934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA2560a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1
-
/data/data/com.musezurivowateru.fige/no_backup/androidx.work.workdb-journalFilesize
512B
MD55e268031a23efbc06a10ad485641354a
SHA1a405a4e212ce06b910e5157fd0584918720d84f2
SHA256d6a8b11ff6ca697a0560ac09a12d4adf8db13ccc67d428adb943fe8e2251588a
SHA512ed7de9bad32f68a6ca6de80fd7088fbf21187b89051824b7c41b142fe971ce44209e3dfc4636bcac7fa7aea38f03286b8c1218c927bf01462b84c85c84e4b36f
-
/data/data/com.musezurivowateru.fige/no_backup/androidx.work.workdb-shmFilesize
32KB
MD5bb7df04e1b0a2570657527a7e108ae23
SHA15188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012
-
/data/data/com.musezurivowateru.fige/no_backup/androidx.work.workdb-walFilesize
16KB
MD5c609bc189c529bdf4a9000a2a575d1b8
SHA12e665c31ded541532628558ca35e308928c2984d
SHA256e58cb95555eb31b818704ac1b2ff75aaf27cea6849bfb9b59ed9cd8efdbb8344
SHA5125ec5d1a627b8257a36ca6c31664a22e617275adce4dfe739844ad948ef767a79c11ffb9d514556164582c6038064da72d77240f4a1094b7b89a8f6bbe6c72e95
-
/data/data/com.musezurivowateru.fige/no_backup/androidx.work.workdb-walFilesize
108KB
MD5bbec4b0efeec0e90e90d6c3d764dffbe
SHA10084b393ef18bb84d94edd91607e33b98789ec5b
SHA256056fab5254b26f50c9228972bc555d7cbe3e29ffcc71c53ae12cc4cc1a0803d1
SHA5124f318508b9c974a16fd934cb3bba5b2d5028a6eef272aeec44f60b470062257cb2d5ca6ae137faff675443acf5f5ff7518c94a9a5cc76b1e0e1b9d5185c4e1fd
-
/data/data/com.musezurivowateru.fige/no_backup/androidx.work.workdb-walFilesize
173KB
MD5710bf72c8a6457f3357ca25cbb8e3c0d
SHA1f16efcd4d30fd9d440022e6fbfa5df7d9160e7f0
SHA256b18496a914b34bf6f160286bbee42cbb6f13a3adce45e275230192f67a8c79ff
SHA512e1794eb6fbcdc7090ba0c02b567fcc7f3fe0beb5369f06b93edf448c8153ed2776b27f99c87e3944034d1a76dec6ed9035d7a8539d2b63a44576b00993c8148c