c8037e71f38e39b55c81d71b62aca6b330e2b763e54eb3c0b50dd90b71257b0a

Analysis

max time kernel
179s
max time network
178s
platform
android_x64
resource
android-x64-arm64-20240611.1-en
resource tags

androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240611.1-enlocale:en-usos:android-11-x64system
submitted
14-06-2024 02:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a28c89841d88c0a759ac1b022af073e8.apk
Size

1.3MB
MD5

a28c89841d88c0a759ac1b022af073e8
SHA1

45e60a8e3c957089574e9696f7298727be3c05ea
SHA256

c8037e71f38e39b55c81d71b62aca6b330e2b763e54eb3c0b50dd90b71257b0a
SHA512

d39e88852fb01018fd330a0b51581cb0c3de88e2aaf4688ba776df2403f36342e56d09cd02b509e7e826bc56f5efdbc599881ba023a414456157ef0c221efa69
SSDEEP

24576:xDmoL0otaYtXMjGcdJZXs+bS8oaPnDAUCxFMUjTo+1EjlMbq/13tdHbZKm51Ob8q:l1Q7YtkdJZJboaPDAUcFHj/ajlMbq/1u

Score

8^/10

banker collection discovery evasion stealth trojan

Malware Config

Signatures

Removes its main activity from the application launcher 1 TTPs 1 IoCs
stealth trojan evasion

T1628.001

Processes:

com.hyrc.gauv.erlb

pid process

4658 com.hyrc.gauv.erlb

pid	process
4658	com.hyrc.gauv.erlb

Loads dropped Dex/Jar 1 TTPs 2 IoCs

Runs executable file dropped to the device during analysis.

evasion

T1407

Processes:

com.hyrc.gauv.erlbcom.hyrc.gauv.erlb:daemon

ioc	pid	process
/data/user/0/com.hyrc.gauv.erlb/app_mjf/dz.jar	4658	com.hyrc.gauv.erlb
/data/user/0/com.hyrc.gauv.erlb/app_mjf/dz.jar	4724	com.hyrc.gauv.erlb:daemon

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

T1418.001
Queries account information for other applications stored on the device 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect account information stored on the device.
collection

T1409

Processes:

com.hyrc.gauv.erlb

description ioc process

Framework service call android.accounts.IAccountManager.getAccountsAsUser com.hyrc.gauv.erlb
Queries information about running processes on the device 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about running processes on the device.
discovery

T1424

Processes:

com.hyrc.gauv.erlb

description ioc process

Framework service call android.app.IActivityManager.getRunningAppProcesses com.hyrc.gauv.erlb
Domain associated with commercial stalkerware software, includes indicators from echap.eu.org 2 IoCs

Processes:

flow ioc

41 alog.umeng.com
58 alog.umeng.com
Queries information about active data network 1 TTPs 1 IoCs
discovery

T1421

Processes:

com.hyrc.gauv.erlb

description ioc process

Framework service call android.net.IConnectivityManager.getActiveNetworkInfo com.hyrc.gauv.erlb
Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
discovery

T1421

Processes:

com.hyrc.gauv.erlb

description ioc process

Framework service call android.net.wifi.IWifiManager.getConnectionInfo com.hyrc.gauv.erlb
Reads information about phone network operator. 1 TTPs
discovery

T1422
Checks CPU information 2 TTPs 1 IoCs

T1633.001

T1426

Processes:

com.hyrc.gauv.erlb

description ioc process

File opened for read /proc/cpuinfo com.hyrc.gauv.erlb

description	ioc	process
Framework service call	android.accounts.IAccountManager.getAccountsAsUser	com.hyrc.gauv.erlb

description	ioc	process
Framework service call	android.app.IActivityManager.getRunningAppProcesses	com.hyrc.gauv.erlb

flow	ioc
41	alog.umeng.com
58	alog.umeng.com

description	ioc	process
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.hyrc.gauv.erlb

description	ioc	process
Framework service call	android.net.wifi.IWifiManager.getConnectionInfo	com.hyrc.gauv.erlb

description	ioc	process
File opened for read	/proc/cpuinfo	com.hyrc.gauv.erlb

com.hyrc.gauv.erlb
1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Queries account information for other applications stored on the device
- Queries information about running processes on the device
- Queries information about active data network
- Queries information about the current Wi-Fi connection
- Checks CPU information
PID:4658

com.hyrc.gauv.erlb:daemon
1⤵
- Loads dropped Dex/Jar
PID:4724

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/com.hyrc.gauv.erlb/app_mjf/ddz.jar
Filesize
105KB

MD5
23ba0b249042b7ba33e92c0199b0ea4a

SHA1
99b13ee9f7307316c2337953fceed87e9942b794

SHA256
1ed0751a141b17c80a921f5e8ba90c66a56b8e73156f5cbe133b57d550ca4ef2

SHA512
0cc88e2b7c2ffa4db274d690e3bf12098ec804b9fcd9e92b57d2fa0c4161031d2e84c91d86ba8e2b6e8b4837852defa099333f76bcd454c67b31632d0cdd4861

Download Submit
/data/user/0/com.hyrc.gauv.erlb/app_mjf/dz.jar
Filesize
248KB

MD5
a54a18b58c6720991c021f433dfb2a46

SHA1
d2ffa07919f92b6e04914e39843f08fdb2a75b68

SHA256
3dd88e4418bd4271af728fc6436c873a55e6b6f5c8ed241ee2cb0ee24fe3f7f3

SHA512
e4a51b2462b247b1e5fbd947d06a2eba334f18398daadacbabcb4185f4255f05c22d656a8837a6088ffbdcaedfbdfbd8281c5dad4880c4e5021571e3fefc88cc

Download Submit
/data/user/0/com.hyrc.gauv.erlb/app_mjf/tdz.jar
Filesize
105KB

MD5
293ea5f01e27975bed5179ba79d80eac

SHA1
c5b0806a537fd1cb753e11f1a9684933317716b8

SHA256
8d86de68978e859c8262c0d0e932d3a1d57457b57ce88940620befab1bcead5b

SHA512
c7cd2881367fdf95ec4151449b359decdae1adf136388edbaaa9880c7ebd14fb3579e7a15600a856988c55d207f7ba1fd7d938f4d9168aba8a7ff1c3029d6b53

Download Submit
/data/user/0/com.hyrc.gauv.erlb/databases/lezzd
Filesize
28KB

MD5
fdb8a92e5060ce104e8f0faca55a47ce

SHA1
270d7ca30673e18cec1d2b9add71cba96dc426fe

SHA256
194b40a3911f23ea75c8f4543a13c1236ae15b02c0228a080615a1012f60e05a

SHA512
ad962634ddd027403b5677a9ca979763071ef4a9b6f0127b0c1fd4b3a8bc51f5c4fa71245c301d0dbbf60e18953a94621715ce3ca4addef82b18030e3d718122

Download Submit
/data/user/0/com.hyrc.gauv.erlb/databases/lezzd-journal
Filesize
8KB

MD5
c1da2a4087ce93df77102588afe8993f

SHA1
94afc086c8faba764e566e58befd6ec08a4a7533

SHA256
74289974a95cadb6d6c27feebc8f8c60e9447baff1ec546251ea9999acc15134

SHA512
8fb3f5bd9e07bb45f60f38323ed9755e69972f328e7956464479086503edcbe50bf6d435af68d71cad055e23234dcad8389d68a534e729a4b07efe08b2a9590e

Download Submit
/data/user/0/com.hyrc.gauv.erlb/databases/lezzd-journal
Filesize
512B

MD5
0e687bd0645aec46ffbaddd59b7de681

SHA1
45a73617fddb5f76c5bd3ac1d86d83f41668cf48

SHA256
d57751b7f89a087e33d64acb13067de2b0738316b6b148f582f571c798fd338a

SHA512
a9513cb9b1a4326ee9f9b2b0bbbb542ae2d07d5c89d8b6c7251557b5168df6808e290bb2b5a852b6b6da98ee9bab70e59d1d367383ff5b319df223eba3457819

Download Submit
/data/user/0/com.hyrc.gauv.erlb/databases/lezzd-journal
Filesize
8KB

MD5
c87cb4c7c23dfe37c4103fb6b2c82cc9

SHA1
10ca15f7fb259e3079272b3ac14e6348ea534543

SHA256
ad8e8aa4f377e7c77316b2b8e7e02f91f5bb18151346d789a71fbf1d7088679e

SHA512
0fa0892a589438f44cc81c2554593744fa8c9584f98011bbc5f9475780b437b7c46d5db5babc9deecee7cef975e0b8c261e68908568ae0b37cf129c847912082

Download Submit
/data/user/0/com.hyrc.gauv.erlb/databases/lezzd-journal
Filesize
4KB

MD5
452104e02985114fcdd6626ae5952d55

SHA1
2dc10c836959e3cb57f3cf5ab3f708698e766d80

SHA256
e5d2b08388f04d8495d63426ae957a2d31a212ed6c5f5607508a69dc5145a365

SHA512
6198c074f45735b07271eeb6e1ec6d07e10e758ee0d73dd8e7cab0b37b0c6f1f017a261e089cb66406db6ca30f7e644e86a695cc75f16748f8147ce9b68f4ea7

Download Submit
/data/user/0/com.hyrc.gauv.erlb/databases/lezzd-journal
Filesize
8KB

MD5
2a6820a9757cf2c17ec25102286f8b9a

SHA1
8f1ee606be3a5b7888e66462d79eaf3eb9f2b598

SHA256
266d8ef36468dbad11bd72030450ad08483de11844edb34788335bafad7be8a3

SHA512
41a06ab83cffdce9f388235aa239dcdc1f1cfdf6841a29c8a5b287f906299a242d5349c779673090533679b7604c8cda49d79890abd87d3ec230b5c8ce2d4d19

Download Submit
/data/user/0/com.hyrc.gauv.erlb/databases/lezzd-journal
Filesize
8KB

MD5
e09857cf0fc580ac61c4be18a2c0cc36

SHA1
9d43b3eb4bfb16ee2175a2c68ee0076ba0ea842b

SHA256
ca4d75ca33a352968186f72ca9911bef3dc0ca2e606483edef68e97db3c4abbf

SHA512
94378634c261341b0cedd1fbce7878cfb46b50bc12984e976c36fe7c5cc1b21f7aba3ec86faafa6e132d6de889bbc64f676ea0951d84370192c228e993db94e7

Download Submit
/data/user/0/com.hyrc.gauv.erlb/files/.um/um_cache_1718332388209.env
Filesize
650B

MD5
042d1651291f59ac402bb290d3f0a0e3

SHA1
6f4d0446a8d03290aa2193e657cb2f47d2122204

SHA256
2591b81c92c2228993b446d415e1bad14adb659fc5c7e4eea15bb445f6d1aabf

SHA512
88ae719c02537c83f46f25950d8889041b4a7ccbc875d067ea12851b0bf5cd93023bee2c95e2a0703911bfe2eea4361cfa74cf2c4a23f36adfc9d82548b12a9b

Download Submit
/data/user/0/com.hyrc.gauv.erlb/files/.umeng/exchangeIdentity.json
Filesize
162B

MD5
c03b95a54cfa2bba434f4a5c047971b2

SHA1
0e3d908fbf82f5ac529c423bff9d506345105a69

SHA256
a3b7194df6df69735d83cff51f210bd3b1517554381ecc16eff78413e5b72ccb

SHA512
1e3f02369fd209d595005cec9ad2fb26cddc3cd4c77a660da31f91b6fddad8d51617c611ca2398ff4ea6748b835404482d0d3509510f2dd11cba88e709bfc622

Download Submit
/data/user/0/com.hyrc.gauv.erlb/files/mobclick_agent_cached_com.hyrc.gauv.erlb1
Filesize
791B

MD5
fbf8d01ae9fc4efc845eb3f45e2d2c6f

SHA1
8dfbe782edd5dd93dcd392a4673830c5c54f5dd7

SHA256
58b66761e1a208f0653a7f05f2f450e21e240087fd9450ebd54568a1456134dc

SHA512
63eaa907382b2dc444332c088fcf6b308178220d44cec30949526570237ef04c4a8aa56cc364a657d1e3c86a1d6a7cd300b8a2f5c3b190f9e39deb50a875dd0a

Download Submit
/data/user/0/com.hyrc.gauv.erlb/files/umeng_it.cache
Filesize
348B

MD5
ee53d4cda43859d0aa6ef13479418e43

SHA1
9923eb2d87aed1f91fa296c8be3c53ae04c75a31

SHA256
cfa2b285d5e35cce4a53ce3bed4f1c8d2ba4ed65a2bfd0e65be7ff0a0b1645b6

SHA512
4a3202d4378a4f5825a7b3da6cadabbe98b8cace8a1611ac756a73a7c2087d3ba87383613d313accb5ab2b6d0aaba2abe804b2b8891e6f0e981ffb284952e9f3

Download Submit