Analysis
-
max time kernel
178s -
max time network
185s -
platform
android_x64 -
resource
android-x64-20240624-en -
resource tags
androidarch:x64arch:x86image:android-x64-20240624-enlocale:en-usos:android-10-x64system -
submitted
07-08-2024 22:00
Behavioral task
behavioral1
Sample
6f55daf164b6a604c62c6bfcda9c0575ce29cfc183d5156a35fdf82761d57c67.apk
Resource
android-x86-arm-20240624-en
Behavioral task
behavioral2
Sample
6f55daf164b6a604c62c6bfcda9c0575ce29cfc183d5156a35fdf82761d57c67.apk
Resource
android-x64-20240624-en
Behavioral task
behavioral3
Sample
6f55daf164b6a604c62c6bfcda9c0575ce29cfc183d5156a35fdf82761d57c67.apk
Resource
android-x64-arm64-20240624-en
General
-
Target
6f55daf164b6a604c62c6bfcda9c0575ce29cfc183d5156a35fdf82761d57c67.apk
-
Size
3.5MB
-
MD5
35df01a317d9d8451b77704d427d880a
-
SHA1
30b6513efb873493fb30517127e23318cd6a39f4
-
SHA256
6f55daf164b6a604c62c6bfcda9c0575ce29cfc183d5156a35fdf82761d57c67
-
SHA512
c36c6081a33d33151a97a157d8885af65595d6dd254e9382b4e7617e575975140796559d247ff0c8403f34b3481a65dd12cf3b8bc25ba1b0fe46d16b5ca06b11
-
SSDEEP
98304:29eoW7f2zsltpXo8AVY2c+t9OD/7g4XK8zDWloEx7HWLuf7sNtXPY1p5o7Z+:17f2glTHAVY2c+p468PWvx7HWaSJYrO8
Malware Config
Extracted
hook
http://91.92.245.16:3434
Signatures
-
Hook
Hook is an Android malware that is based on Ermac with RAT capabilities.
-
Makes use of the framework's Accessibility service 4 TTPs 3 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
description ioc Process Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId com.yiholemipawuvo.zife Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText com.yiholemipawuvo.zife Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId com.yiholemipawuvo.zife -
Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs
Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
description ioc Process Framework service call android.content.IClipboard.addPrimaryClipChangedListener com.yiholemipawuvo.zife -
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries information about running processes on the device 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about running processes on the device.
description ioc Process Framework service call android.app.IActivityManager.getRunningAppProcesses com.yiholemipawuvo.zife -
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Acquires the wake lock 1 IoCs
description ioc Process Framework service call android.os.IPowerManager.acquireWakeLock com.yiholemipawuvo.zife -
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
description ioc Process Framework service call android.app.IActivityManager.setServiceForeground com.yiholemipawuvo.zife -
Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
description ioc Process Framework service call android.net.wifi.IWifiManager.getConnectionInfo com.yiholemipawuvo.zife -
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
description ioc Process Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone com.yiholemipawuvo.zife -
Reads information about phone network operator. 1 TTPs
-
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
description ioc Process Framework service call android.app.IActivityManager.registerReceiver com.yiholemipawuvo.zife -
Schedules tasks to execute at a specified time 1 TTPs 1 IoCs
Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
description ioc Process Framework service call android.app.job.IJobScheduler.schedule com.yiholemipawuvo.zife -
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
description ioc Process Framework API call javax.crypto.Cipher.doFinal com.yiholemipawuvo.zife -
Checks CPU information 2 TTPs 1 IoCs
description ioc Process File opened for read /proc/cpuinfo com.yiholemipawuvo.zife -
Checks memory information 2 TTPs 1 IoCs
description ioc Process File opened for read /proc/meminfo com.yiholemipawuvo.zife
Processes
-
com.yiholemipawuvo.zife1⤵
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Queries information about running processes on the device
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Queries information about the current Wi-Fi connection
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Schedules tasks to execute at a specified time
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:4945
Network
MITRE ATT&CK Mobile v15
Persistence
Event Triggered Execution
1Broadcast Receivers
1Foreground Persistence
1Scheduled Task/Job
1Defense Evasion
Foreground Persistence
1Input Injection
1Virtualization/Sandbox Evasion
2System Checks
2Credential Access
Clipboard Data
1Input Capture
2GUI Input Capture
1Keylogging
1Discovery
Process Discovery
1Software Discovery
1Security Software Discovery
1System Information Discovery
2System Network Configuration Discovery
3System Network Connections Discovery
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4KB
MD5f2b4b0190b9f384ca885f0c8c9b14700
SHA1934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA2560a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1
-
Filesize
512B
MD57aaa1e5fdc1f66939bd428a8f0317d5c
SHA176231155e8386b171e76ad9d7cc98c9156cdd832
SHA2561d90cfcf0d5557869f32d1914c713649adabb6184d10901fe17c7fd69dd675f3
SHA512b98eaeae9af206547ec24845cece80780c6e5ca7bf696afe89a7d7d45c599f8b388584fe585ae19faa8e48050dd099534c83f2a29e82fc5b4582126ec6f433f1
-
Filesize
32KB
MD5bb7df04e1b0a2570657527a7e108ae23
SHA15188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012
-
Filesize
16KB
MD5dd58c038fec41fcab282679f76aba30f
SHA1f1380174da926be4f1690f0c0eb2efc351c6f9bd
SHA25617054c3765220cde0eca3f7473249eed8a58330e9742624fa6a5460f9a8ececb
SHA512a8391388a5c78225dd052298166d76026e3d9ea2f356da14396110cd30adddcc9c915bdde4b66f7ae7aa9f3e84e37a4b0130d4361b639408d1070045062bce9d
-
Filesize
108KB
MD5289721f08f60de8da299da64b9b83c74
SHA1f28a18baf397e2ebb0d803c2ad210ba49935d866
SHA2560975b2e783a110068b743a0c1036053e7957459860c20deec40a8fa3e784de07
SHA51203b753b82900c133413aa064ea5abab1bafcc5bd660ad2cdbc73ac1999475d400fd3e74dbd7e720c9d06062ce8a83566f9712babc24805ec44423f740e3facb8
-
Filesize
173KB
MD5433688f8d2dfcc8171bf399b5011e0a8
SHA176fc50cca91c0ba81a29f0bbf6efafb7ad96f404
SHA256dd5195ec9859c709b6b631137c99b933886a7fcdaeb36657e55513c0c8ff8aa8
SHA512cbf164edb3e950e872baeef3b1fc6add5a0abd8705f0bf28ad72753a01ea64be03a5c53d23d4c3332f9a1391a180cedefdb632a4319b0fba173a87463f270727