Analysis
-
max time kernel
178s -
max time network
187s -
platform
android_x64 -
resource
android-x64-arm64-20240624-en -
resource tags
androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240624-enlocale:en-usos:android-11-x64system -
submitted
25-06-2024 22:02
Behavioral task
behavioral1
Sample
cd765dc7eb3f935d1ac7559aded4b6fd23e051b51d1f478c45aec47ee91ee384.apk
Resource
android-x86-arm-20240624-en
Behavioral task
behavioral2
Sample
cd765dc7eb3f935d1ac7559aded4b6fd23e051b51d1f478c45aec47ee91ee384.apk
Resource
android-x64-20240624-en
Behavioral task
behavioral3
Sample
cd765dc7eb3f935d1ac7559aded4b6fd23e051b51d1f478c45aec47ee91ee384.apk
Resource
android-x64-arm64-20240624-en
General
-
Target
cd765dc7eb3f935d1ac7559aded4b6fd23e051b51d1f478c45aec47ee91ee384.apk
-
Size
2.8MB
-
MD5
d3989f143d8128ca96d2312357a3c604
-
SHA1
549b2e4ce520c28ec0d4e77a748cc0405c3136d0
-
SHA256
cd765dc7eb3f935d1ac7559aded4b6fd23e051b51d1f478c45aec47ee91ee384
-
SHA512
5795a3a03c84798dfd292665311ef60e5a9a7049a37271233358723c186d9d49b58415a429aa11ab67479b9d80dc0c601f0c9d167b71d33f8ac7edf92c4b71e7
-
SSDEEP
49152:gQUNYVrYc2veOIAZi7hHVVBgvi4LOcIBnLQiMen2PEsHXc3g/oS:JvrYh2Ki7fnlLrMcW1HXwS
Malware Config
Extracted
hook
http://94.156.65.180:80
Signatures
-
Hook
Hook is an Android malware that is based on Ermac with RAT capabilities.
-
Makes use of the framework's Accessibility service 4 TTPs 3 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
description ioc Process Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId com.tencent.mm Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId com.tencent.mm Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText com.tencent.mm -
Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs
Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
description ioc Process Framework service call android.content.IClipboard.addPrimaryClipChangedListener com.tencent.mm -
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries information about running processes on the device 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about running processes on the device.
description ioc Process Framework service call android.app.IActivityManager.getRunningAppProcesses com.tencent.mm -
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Acquires the wake lock 1 IoCs
description ioc Process Framework service call android.os.IPowerManager.acquireWakeLock com.tencent.mm -
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
description ioc Process Framework service call android.app.IActivityManager.setServiceForeground com.tencent.mm -
Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
description ioc Process Framework service call android.net.wifi.IWifiManager.getConnectionInfo com.tencent.mm -
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
description ioc Process Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone com.tencent.mm -
Reads information about phone network operator. 1 TTPs
-
Schedules tasks to execute at a specified time 1 TTPs 1 IoCs
Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
description ioc Process Framework service call android.app.job.IJobScheduler.schedule com.tencent.mm -
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
description ioc Process Framework API call javax.crypto.Cipher.doFinal com.tencent.mm -
Checks CPU information 2 TTPs 1 IoCs
description ioc Process File opened for read /proc/cpuinfo com.tencent.mm -
Checks memory information 2 TTPs 1 IoCs
description ioc Process File opened for read /proc/meminfo com.tencent.mm
Processes
-
com.tencent.mm1⤵
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Queries information about running processes on the device
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Queries information about the current Wi-Fi connection
- Queries the mobile country code (MCC)
- Schedules tasks to execute at a specified time
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:4502
Network
MITRE ATT&CK Mobile v15
Defense Evasion
Foreground Persistence
1Input Injection
1Virtualization/Sandbox Evasion
2System Checks
2Credential Access
Clipboard Data
1Input Capture
2GUI Input Capture
1Keylogging
1Discovery
Process Discovery
1Software Discovery
1Security Software Discovery
1System Information Discovery
2System Network Configuration Discovery
3System Network Connections Discovery
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4KB
MD57e858c4054eb00fcddc653a04e5cd1c6
SHA12e056bf31a8d78df136f02a62afeeca77f4faccf
SHA2569010186c5c083155a45673017d1e31c2a178e63cc15a57bbffde4d1956a23dad
SHA512d0c7a120940c8e637d5566ef179d01eff88a2c2650afda69ad2a46aad76533eaace192028bba3d60407b4e34a950e7560f95d9f9b8eebe361ef62897d88b30cb
-
Filesize
512B
MD56dde533505535c45c51e957164b4816b
SHA1056c9e1b7681f3e1505ec6e7ffbc8870d1b24c19
SHA256821c66ddb7d15b51248c0aee8a228efc6fc6c48d313635163dd059ea044afe80
SHA51257c16592e3013dea1b57e74919833dcb895cd30625917d57aa513cebb14400c510d139f6ef98da3bea7db384ebd350d2506ef7fef3f61138fac69aa3988145dc
-
Filesize
32KB
MD5bb7df04e1b0a2570657527a7e108ae23
SHA15188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012
-
Filesize
16KB
MD5ea4fd99ae32f9af5334d6fb5784d3871
SHA1f0ffe664b85a54adefc6fd2cfd3083345d09cd7e
SHA2567c50304ab5046c4b77232d09976d84762ce4b4f554fb3da578aefbb2cde6bab3
SHA512b92299c2e7696f02fbfcf526d6f6f3f1900c991a7d2fb0d4ad75b438ef34fbe4a6b00f28dea89cea481be8c97c32c5509cc03842fd1e8137fa40b3813df0b2a4
-
Filesize
108KB
MD5ca4406f45fe6aff3dac5defb5bb518bb
SHA15c12a5ed83fb77ade09f8cac5ec1ca15fa83a194
SHA256d974c9eef9fce4ebe7daf022699c761ca957c832f0a906ec9924d45378c67c0e
SHA512c8957817b5f0f325ee7c3ccfe16a3473534b9cac0dd2df0aded4792d35d9814f67c0cc432a9eaf3cc5f3655f6722ba5ce9103575f5c441485bc39fde5249c521
-
Filesize
173KB
MD527c645347cd81e1cd9cae74e5cc37dd6
SHA18a875373706fe960f0f923757eec6321ed6bd87e
SHA25687caef641d69820a18b43c97bdddf85fe3d246592633ae31ff9fac50fbee68f6
SHA5120b802f063763949ff614ba52866916fb3d16fb49b1c7ce2920764d5aed238b6f0d0ad0d93203bf7338d97cc1b1fba16e61a6240fef6c355a872d1d84be222e78