Analysis
max time kernel: 179s
max time network: 157s
platform: android_x64
resource: android-x64-20240611.1-en
resource tags: android, arch:x64, arch:x86, image:android-x64-20240611.1-en, locale:en-us, os:android-10-x64, system
submitted: 16/06/2024, 22:43
Behavioral tasks
- behavioral1: sample 9ddaa1bba5fd99393f212df4b1999c527448f07ebc9e26b291c3f1c02d5500e0.apk, resource android-x86-arm-20240611.1-en
- behavioral2: sample 9ddaa1bba5fd99393f212df4b1999c527448f07ebc9e26b291c3f1c02d5500e0.apk, resource android-x64-20240611.1-en
- behavioral3: sample 9ddaa1bba5fd99393f212df4b1999c527448f07ebc9e26b291c3f1c02d5500e0.apk, resource android-x64-arm64-20240611.1-en
General
Target: 9ddaa1bba5fd99393f212df4b1999c527448f07ebc9e26b291c3f1c02d5500e0.apk
Size: 2.8MB
MD5: 60c50ad04d5c749e4b8e4a9868c546ba
SHA1: aed5c1ec0474b7bbdb48bf5069de8138e1d202e6
SHA256: 9ddaa1bba5fd99393f212df4b1999c527448f07ebc9e26b291c3f1c02d5500e0
SHA512: bcbcf4d41f4d87ef75c607c5d6d8ccb1adda719a536387f0ea29deb4491f60ee9a5d1cfb1c7756df014b6c74b4ec1cf82627e1e09afa4de36fd38fddf794624a
SSDEEP: 49152:yCLI265cIBX3N7g63mngiXmLaL4HW9HF3vidqHzZDzQZ/HPAmOXqLBCi15E/ir6g:yCLI26xD7g2XiXmLaL4HW9HYcFEvPAIb
Malware Config
Extracted: hook
Signatures
- Hook
  Hook is an Android malware that is based on Ermac with RAT capabilities.
- Makes use of the framework's Accessibility service (4 TTPs, 3 IoCs)
  Retrieves information displayed on the phone screen using AccessibilityService.
  Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId (process: com.jugocufojulixa.waya)
  Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId (process: com.jugocufojulixa.waya)
  Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText (process: com.jugocufojulixa.waya)
- Obtains sensitive information copied to the device clipboard (2 TTPs, 1 IoC)
  Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
  Framework service call: android.content.IClipboard.addPrimaryClipChangedListener (process: com.jugocufojulixa.waya)
- Queries information about running processes on the device (1 TTP, 1 IoC)
  Application may abuse the framework's APIs to collect information about running processes on the device.
  Framework service call: android.app.IActivityManager.getRunningAppProcesses (process: com.jugocufojulixa.waya)
- Queries the phone number (MSISDN for GSM devices) (1 TTP)
- Acquires the wake lock (1 IoC)
  Framework service call: android.os.IPowerManager.acquireWakeLock (process: com.jugocufojulixa.waya)
- Makes use of the framework's foreground persistence service (1 TTP, 1 IoC)
  Application may abuse the framework's foreground service to continue running in the foreground.
  Framework service call: android.app.IActivityManager.setServiceForeground (process: com.jugocufojulixa.waya)
- Performs UI accessibility actions on behalf of the user (1 TTP, 1 IoC)
  Application may abuse the accessibility service to prevent its removal.
  Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction (process: com.jugocufojulixa.waya)
- Queries information about the current Wi-Fi connection (1 TTP, 1 IoC)
  Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
  Framework service call: android.net.wifi.IWifiManager.getConnectionInfo (process: com.jugocufojulixa.waya)
- Queries the mobile country code (MCC) (1 TTP, 1 IoC)
  Framework service call: com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone (process: com.jugocufojulixa.waya)
- Reads information about the phone network operator (1 TTP)
- Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTP, 1 IoC)
  Framework service call: android.app.IActivityManager.registerReceiver (process: com.jugocufojulixa.waya)
- Schedules tasks to execute at a specified time (1 TTP, 1 IoC)
  Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
  Framework service call: android.app.job.IJobScheduler.schedule (process: com.jugocufojulixa.waya)
- Uses Crypto APIs (might try to encrypt user data) (1 TTP, 1 IoC)
  Framework API call: javax.crypto.Cipher.doFinal (process: com.jugocufojulixa.waya)
- Checks CPU information (2 TTPs, 1 IoC)
  File opened for read: /proc/cpuinfo (process: com.jugocufojulixa.waya)
- Checks memory information (2 TTPs, 1 IoC)
  File opened for read: /proc/meminfo (process: com.jugocufojulixa.waya)
Processes
- com.jugocufojulixa.waya (PID: 5173)
  - Makes use of the framework's Accessibility service
  - Obtains sensitive information copied to the device clipboard
  - Queries information about running processes on the device
  - Acquires the wake lock
  - Makes use of the framework's foreground persistence service
  - Performs UI accessibility actions on behalf of the user
  - Queries information about the current Wi-Fi connection
  - Queries the mobile country code (MCC)
  - Registers a broadcast receiver at runtime (usually for listening for system events)
  - Schedules tasks to execute at a specified time
  - Uses Crypto APIs (might try to encrypt user data)
  - Checks CPU information
  - Checks memory information
Network
MITRE ATT&CK Mobile v15
Persistence
- Event Triggered Execution (1)
- Broadcast Receivers (1)
- Foreground Persistence (1)
- Scheduled Task/Job (1)
Defense Evasion
- Foreground Persistence (1)
- Impair Defenses (1)
- Prevent Application Removal (1)
- Input Injection (1)
- Virtualization/Sandbox Evasion (2)
- System Checks (2)
Credential Access
- Clipboard Data (1)
- Input Capture (2)
- GUI Input Capture (1)
- Keylogging (1)
Discovery
- Process Discovery (1)
- System Information Discovery (2)
- System Network Configuration Discovery (3)
- System Network Connections Discovery (1)
Downloads