Analysis
max time kernel: 175s
max time network: 181s
platform: android_x64
resource: android-x64-arm64-20240514-en
resource tags: android, arch:arm, arch:arm64, arch:x64, arch:x86, image:android-x64-arm64-20240514-en, locale:en-us, os:android-11-x64, system
submitted: 01-06-2024 23:14
Behavioral task behavioral1: Sample 816cfa04a65c253039007b879c5b92f53493dc515712f3045df091c70b694200.apk, Resource android-x86-arm-20240514-en
Behavioral task behavioral2: Sample 816cfa04a65c253039007b879c5b92f53493dc515712f3045df091c70b694200.apk, Resource android-x64-20240514-en
Behavioral task behavioral3: Sample 816cfa04a65c253039007b879c5b92f53493dc515712f3045df091c70b694200.apk, Resource android-x64-arm64-20240514-en
General
Target: 816cfa04a65c253039007b879c5b92f53493dc515712f3045df091c70b694200.apk
Size: 1.1MB
MD5: 681d8dc873df588407c3b1d8a9882455
SHA1: 413e3ed5c68886bffab9bca18ace8b544776fbbc
SHA256: 816cfa04a65c253039007b879c5b92f53493dc515712f3045df091c70b694200
SHA512: f8e60b33e49296aa6eb9b006ba2616367498ec053c39a219a8734b2863f9bc1c4153b456ffa8bf6f731822d32ffa1ae2e5f335bb2ffc02a005fdcdd4cb04d258
SSDEEP: 24576:paBjhuzkXgqzNJVwf0nIG/+zQPaqrfXoxykbg/3cP9:pyjhuzkwWNJLIGGcFZkbg/I9
Malware Config
Extracted: hook
C2: http://89.116.27.45:3434
Signatures
- Hook
  Hook is an Android malware that is based on Ermac, with RAT capabilities.
- Makes use of the framework's Accessibility service (4 TTPs, 3 IoCs)
  Retrieves information displayed on the phone screen using AccessibilityService.
  description: Framework service call; ioc: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText; Process: com.tencent.mm
  description: Framework service call; ioc: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId; Process: com.tencent.mm
  description: Framework service call; ioc: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId; Process: com.tencent.mm
- Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 TTPs)
- Checks CPU information (2 TTPs, 1 IoCs)
  Checks CPU information that indicates whether the system is an emulator.
  description: File opened for read; ioc: /proc/cpuinfo; Process: com.tencent.mm
- Checks memory information (2 TTPs, 1 IoCs)
  Checks memory information that indicates whether the system is an emulator.
  description: File opened for read; ioc: /proc/meminfo; Process: com.tencent.mm
- Makes use of the framework's foreground persistence service (1 TTPs, 1 IoCs)
  Application may abuse the framework's foreground service to continue running in the foreground.
  description: Framework service call; ioc: android.app.IActivityManager.setServiceForeground; Process: com.tencent.mm
- Obtains sensitive information copied to the device clipboard (2 TTPs, 1 IoCs)
  Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
  description: Framework service call; ioc: android.content.IClipboard.addPrimaryClipChangedListener; Process: com.tencent.mm
- Queries information about running processes on the device (1 TTPs, 1 IoCs)
  Application may abuse the framework's APIs to collect information about running processes on the device.
  description: Framework service call; ioc: android.app.IActivityManager.getRunningAppProcesses; Process: com.tencent.mm
- Queries information about the current Wi-Fi connection (1 TTPs, 1 IoCs)
  Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
  description: Framework service call; ioc: android.net.wifi.IWifiManager.getConnectionInfo; Process: com.tencent.mm
- Queries the mobile country code (MCC) (1 TTPs, 1 IoCs)
  description: Framework service call; ioc: com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone; Process: com.tencent.mm
- Queries the phone number (MSISDN for GSM devices) (1 TTPs)
- Acquires the wake lock (1 IoCs)
  description: Framework service call; ioc: android.os.IPowerManager.acquireWakeLock; Process: com.tencent.mm
- Reads information about the phone network operator (1 TTPs)
- Schedules tasks to execute at a specified time (1 TTPs, 1 IoCs)
  Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
  description: Framework service call; ioc: android.app.job.IJobScheduler.schedule; Process: com.tencent.mm
- Uses Crypto APIs (might try to encrypt user data) (1 TTPs, 1 IoCs)
  description: Framework API call; ioc: javax.crypto.Cipher.doFinal; Process: com.tencent.mm
Processes
- com.tencent.mm (PID: 4580)
  - Makes use of the framework's Accessibility service
  - Checks CPU information
  - Checks memory information
  - Makes use of the framework's foreground persistence service
  - Obtains sensitive information copied to the device clipboard
  - Queries information about running processes on the device
  - Queries information about the current Wi-Fi connection
  - Queries the mobile country code (MCC)
  - Acquires the wake lock
  - Schedules tasks to execute at a specified time
  - Uses Crypto APIs (might try to encrypt user data)
Network
MITRE ATT&CK Mobile v15
Defense Evasion
- Foreground Persistence: 1
- Input Injection: 1
- Virtualization/Sandbox Evasion: 2
- System Checks: 2
Credential Access
- Clipboard Data: 1
- Input Capture: 2
- GUI Input Capture: 1
- Keylogging: 1
Discovery
- Process Discovery: 1
- Software Discovery: 1
- Security Software Discovery: 1
- System Information Discovery: 2
- System Network Configuration Discovery: 3
- System Network Connections Discovery: 1
Downloads
- Filesize: 4KB
  MD5: 7e858c4054eb00fcddc653a04e5cd1c6
  SHA1: 2e056bf31a8d78df136f02a62afeeca77f4faccf
  SHA256: 9010186c5c083155a45673017d1e31c2a178e63cc15a57bbffde4d1956a23dad
  SHA512: d0c7a120940c8e637d5566ef179d01eff88a2c2650afda69ad2a46aad76533eaace192028bba3d60407b4e34a950e7560f95d9f9b8eebe361ef62897d88b30cb
- Filesize: 512B
  MD5: 814e6d8d43fe7a4b6cf7bf303db27cdb
  SHA1: d3d5d72a5beaac62403cc6e29402d371162d391a
  SHA256: 7bd07e78184308e4b389f8bfc2ec961556af953cb98577d6eba306b47373b9c5
  SHA512: 57fe1a61fea641ee7d19873cfff40e7c81caba1866327a2b20f564f038abcd0fda7c0f2d03739d00824aa5f178eeab3d516f775357504b6bb6ccc8ea0b78dca2
- Filesize: 32KB
  MD5: bb7df04e1b0a2570657527a7e108ae23
  SHA1: 5188431849b4613152fd7bdba6a3ff0a4fd6424b
  SHA256: c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
  SHA512: 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012
- Filesize: 16KB
  MD5: 17872e6a346b3d4f6f5fac0caf4fe953
  SHA1: 2a9dfb5cc4fa40c1c7692dd8b68a3a2502d5d4da
  SHA256: 7faf97083df617ee4c947b28a5776ae24af63186d2d7a82ec6ff321aed2a37f6
  SHA512: ad8d497c20d55a3c8cdf5cec1cc88bcb8571e794c0ea9e75dd43a9a0b614ce33db2df3bfb460e26b0d8ad8a683d8b72e9379c8df790b9e092d62f5118b855502
- Filesize: 108KB
  MD5: b577119badfb36e3ca5e6cfa1139e508
  SHA1: 0bd3e0a37e77eb2856239005366a157c77fc94f5
  SHA256: a47fb08b13ae921f79f305cc3694a58c109bc50bfc415ceaa86acb145a93a59f
  SHA512: 012308e8ec355107222ec5632f500245f74ce8ef3304b55e61dec7e7771d34b2565264e05ec9472d293113649222a917e538eccbd0c355f97c92d7ac6db269a1
- Filesize: 173KB
  MD5: 07ec31727e5ebe97f493831ab85cfc24
  SHA1: 971ad4f8f2a7350acde955355e46bcbeb5d6f6f5
  SHA256: fae260619f8b3bf404a3a42f8f7d4eba11698ed44543b7d75f93c4b539cd77e4
  SHA512: 60ce1702678ad1aac26ba8d099868bb6d211d38596712db93b65077147555fdc9e17c81c34eadac187eff11bba52fb942a0b8a99e7a1e10c57e70263220eea0f