Analysis
  max time kernel: 179s
  max time network: 189s
  platform: android_x86
  resource: android-x86-arm-20240624-en
  resource tags: android, arch:arm, arch:x86, image:android-x86-arm-20240624-en, locale:en-us, os:android-9-x86, system
  submitted: 15-08-2024 22:00
Static task: static1
Behavioral task: behavioral1
  Sample: 44746359fc1789b961eb00e9110ef15814d5bb22e7b2563d879acec5e718df11.apk
  Resource: android-x86-arm-20240624-en
Behavioral task: behavioral2
  Sample: 44746359fc1789b961eb00e9110ef15814d5bb22e7b2563d879acec5e718df11.apk
  Resource: android-x64-20240624-en
Behavioral task: behavioral3
  Sample: 44746359fc1789b961eb00e9110ef15814d5bb22e7b2563d879acec5e718df11.apk
  Resource: android-x64-arm64-20240624-en
General
  Target: 44746359fc1789b961eb00e9110ef15814d5bb22e7b2563d879acec5e718df11.apk
  Size: 4.3MB
  MD5: 44ad1465f63b5d0455b7977677afac46
  SHA1: 2fcfb4c03ef45c0c233421b9421652f08e73071c
  SHA256: 44746359fc1789b961eb00e9110ef15814d5bb22e7b2563d879acec5e718df11
  SHA512: e7fb1a7e2e9753f0b4fb0eb0abb9374f626ed1ff2a092cf46e0495f8871b1a72e17abd1997959fe1a49a705dfc5728d4e0c889b2509aba594ee3a615f1c4d017
  SSDEEP: 98304:aHS4ieZodzREnAknaF7+egAXlDDhJtKrQBU+WGfpbD:aHS4iAowApB+8FFCEhbD
Malware Config
Extracted: hook
  http://149.50.108.117
Signatures

Hook
Hook is an Android malware that is based on Ermac with RAT capabilities.
Processes:
  pid | process
  4258 | com.cqcrjofjk.rqoxfnffo

Loads dropped Dex/Jar (1 TTPs, 3 IoCs)
Runs executable file dropped to the device during analysis.
Processes:
  ioc | pid | process
  /data/user/0/com.cqcrjofjk.rqoxfnffo/app_dex/classes.dex | 4258 | com.cqcrjofjk.rqoxfnffo
  /data/user/0/com.cqcrjofjk.rqoxfnffo/app_dex/classes.dex | 4288 | /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.cqcrjofjk.rqoxfnffo/app_dex/classes.dex --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.cqcrjofjk.rqoxfnffo/app_dex/oat/x86/classes.odex --compiler-filter=quicken --class-loader-context=&
  /data/user/0/com.cqcrjofjk.rqoxfnffo/app_dex/classes.dex | 4258 | com.cqcrjofjk.rqoxfnffo
Makes use of the framework's Accessibility service (4 TTPs, 3 IoCs)
Retrieves information displayed on the phone screen using AccessibilityService.
Processes:
  description | ioc | process
  Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | com.cqcrjofjk.rqoxfnffo
  Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | com.cqcrjofjk.rqoxfnffo
  Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | com.cqcrjofjk.rqoxfnffo

Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 TTPs)

Queries information about running processes on the device (1 TTPs, 1 IoCs)
Application may abuse the framework's APIs to collect information about running processes on the device.
Processes:
  description | ioc | process
  Framework service call | android.app.IActivityManager.getRunningAppProcesses | com.cqcrjofjk.rqoxfnffo

Queries the phone number (MSISDN for GSM devices) (1 TTPs)

Acquires the wake lock (1 IoCs)
Processes:
  description | ioc | process
  Framework service call | android.os.IPowerManager.acquireWakeLock | com.cqcrjofjk.rqoxfnffo

Makes use of the framework's foreground persistence service (1 TTPs, 1 IoCs)
Application may abuse the framework's foreground service to continue running in the foreground.
Processes:
  description | ioc | process
  Framework service call | android.app.IActivityManager.setServiceForeground | com.cqcrjofjk.rqoxfnffo

Performs UI accessibility actions on behalf of the user (1 TTPs, 9 IoCs)
Application may abuse the accessibility service to prevent its removal.
Processes:
  ioc | process
  android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | com.cqcrjofjk.rqoxfnffo (9 occurrences)

Queries information about the current Wi-Fi connection (1 TTPs, 1 IoCs)
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
Processes:
  description | ioc | process
  Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | com.cqcrjofjk.rqoxfnffo

Queries the mobile country code (MCC) (1 TTPs, 1 IoCs)
Processes:
  description | ioc | process
  Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | com.cqcrjofjk.rqoxfnffo

Reads information about the phone network operator (1 TTPs)

Requests access to notifications (often used to intercept notifications before users become aware) (1 TTPs, 1 IoCs)
Processes:
  description | ioc | process
  Intent action | android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS | com.cqcrjofjk.rqoxfnffo

Requests disabling of battery optimizations (often used to enable hiding in the background) (1 TTPs, 1 IoCs)
Processes:
  description | ioc | process
  Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | com.cqcrjofjk.rqoxfnffo

Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTPs, 1 IoCs)
Processes:
  description | ioc | process
  Framework service call | android.app.IActivityManager.registerReceiver | com.cqcrjofjk.rqoxfnffo

Schedules tasks to execute at a specified time (1 TTPs, 1 IoCs)
Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
Processes:
  description | ioc | process
  Framework service call | android.app.job.IJobScheduler.schedule | com.cqcrjofjk.rqoxfnffo

Uses Crypto APIs (might try to encrypt user data) (1 TTPs, 1 IoCs)
Processes:
  description | ioc | process
  Framework API call | javax.crypto.Cipher.doFinal | com.cqcrjofjk.rqoxfnffo
Processes
  com.cqcrjofjk.rqoxfnffo (PID 4258)
    - Removes its main activity from the application launcher
    - Loads dropped Dex/Jar
    - Makes use of the framework's Accessibility service
    - Queries information about running processes on the device
    - Acquires the wake lock
    - Makes use of the framework's foreground persistence service
    - Performs UI accessibility actions on behalf of the user
    - Queries information about the current Wi-Fi connection
    - Queries the mobile country code (MCC)
    - Requests access to notifications (often used to intercept notifications before users become aware)
    - Requests disabling of battery optimizations (often used to enable hiding in the background)
    - Registers a broadcast receiver at runtime (usually for listening for system events)
    - Schedules tasks to execute at a specified time
    - Uses Crypto APIs (might try to encrypt user data)
    /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.cqcrjofjk.rqoxfnffo/app_dex/classes.dex --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.cqcrjofjk.rqoxfnffo/app_dex/oat/x86/classes.odex --compiler-filter=quicken --class-loader-context=& (PID 4288, child of 4258)
      - Loads dropped Dex/Jar
Network
MITRE ATT&CK Mobile v15
  Persistence
    Event Triggered Execution (1)
      Broadcast Receivers (1)
    Foreground Persistence (1)
    Scheduled Task/Job (1)
  Defense Evasion
    Download New Code at Runtime (1)
    Foreground Persistence (1)
    Hide Artifacts (2)
      Suppress Application Icon (1)
      User Evasion (1)
    Impair Defenses (1)
      Prevent Application Removal (1)
    Input Injection (1)
  Credential Access
    Access Notifications (1)
    Input Capture (2)
      GUI Input Capture (1)
      Keylogging (1)
  Discovery
    Process Discovery (1)
    Software Discovery (1)
      Security Software Discovery (1)
    System Network Configuration Discovery (3)
    System Network Connections Discovery (1)
Downloads
  Filesize: 2.9MB
  MD5: b63c1999473258b564ac65609ef60698
  SHA1: 1b9e82b1572bf8c9a60cf9b942f971adaaad56fc
  SHA256: 1c1ca6bb79527c933902eb788bd8a0f091f7201d978d102f53144a22e2cb3a3f
  SHA512: f25efff54ab06c30233ce6ba6392b8eb6b8d8dc74256d13a23ce17abf9229ebbbbc5c066a70034e9c8666716e43c18497117313919fea6fff3169cb490e1d998

  Filesize: 1.0MB
  MD5: cf576eb3d15a1956b051ba3606b5bcc1
  SHA1: 2cbaab1c71bdb387825229107ed3cafacf4e0865
  SHA256: 45c37ec744f3fe05e33c6ab7b99f2fa482326d531d8cfe1b7f93c5d4568f8ead
  SHA512: 64da862840be9cdb0e152aef2acec61625b9d647d1aa1cb0cb5017bf85c0d13657a7caf8e39018d5aef6c4d82798c0f8d2d2e387ce224bf77f3177f61c172e62

  Filesize: 1.0MB
  MD5: 98436b38f45d33370a4f812b66380922
  SHA1: c64c539da0b3fde462bc394cfac2bb25a462f41c
  SHA256: 38da95e30ff829bcade963ffc2edf5f102fb8ddf10becd18cd9ec79fc1ac8482
  SHA512: af327feea5fd828ec4433e87a3c3b5b4ebcb19cf17bea8fea41262a0fb51b85fa900171efda04a706595ad154d614069e39be3026bef1824fbf4c4b46b1d2130

  Filesize: 4KB
  MD5: f2b4b0190b9f384ca885f0c8c9b14700
  SHA1: 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
  SHA256: 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
  SHA512: ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

  Filesize: 512B
  MD5: 67a4147eaa3211d55db9e174d01ff3d4
  SHA1: 3a49331fd839fe23e2b0b1cc2db5ea3de49e4280
  SHA256: fde3a47c919d3bf3f9e9840a0f07c4834dc9f7a5867dbdf4f135a15fe4d55441
  SHA512: 58dfe0bc9613ee58e639be91aca67573388a4da15ac1702e1e2fc77cdeb4154a0bb626ea70c101d388155839491eda6e2db43fc0ff32d12a881be4f18b3f2ada

  Filesize: 32KB
  MD5: bb7df04e1b0a2570657527a7e108ae23
  SHA1: 5188431849b4613152fd7bdba6a3ff0a4fd6424b
  SHA256: c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
  SHA512: 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

  Filesize: 108KB
  MD5: d3422fa4749f5aaa45c2605ceb10f165
  SHA1: 985793105c89ea231751ea282b0988e606304ee5
  SHA256: 68a3ad0bb7953d4ea503b12e6240c76e25fbdf63b348fb96676afa0a518e20c5
  SHA512: 7de62ee9f0160a119e394eea70a15f4ca92b4804621cd7b1d4bcfdd2d9495f35a246d6e6b6c208b2fc9f25fd2abbe19ed3fd9528099994a9dc1ef9418fe202f8

  Filesize: 173KB
  MD5: 4dcd60e64fcf8cab1faeeadce838c681
  SHA1: 6cd8cfe57e0f5ee1356c8a4c6a39a5800c655715
  SHA256: 4485eb72b2e6df760907129809f59459843e6c2a53a7a170241142ab2f29aa07
  SHA512: 53a1a71ffc50db8bc2e571f07bf30a731f91bf0533236a3febfd3d96ed6d0500e712c2e95a16be03d6c02b43888ccaa93c8bce8ed89c801bdac1a1755f3bf283

  Filesize: 16KB
  MD5: 01bede19b028f22d024b311dbe50c991
  SHA1: 1eced95bc6efb168d660f57b3d67b1bfe241dfd9
  SHA256: 4b6e260832ad1987bdfdf35dd78670e89bff29e3d289d6c217c904510bc56416
  SHA512: 8b5d2a9b1ef0a9898a8de816c2d86df475be4274856c7c96728a66df58feb93128bbb00e66c90493886344a1e51ab2d15d8c63d5ae98f9245832c6c9a1f5357d

  Filesize: 2.9MB
  MD5: 98c4130ae30c252ca120fef9f89f1361
  SHA1: 7ad8a5d9ba438b7514534e8be6f297298539404d
  SHA256: 879a94ed12f5747551754156683687c143bc4cd48cd491f9a09a32e8594d087c
  SHA512: d5a3ac18a56078aaf3ade40159c8e25ded585a601635006de7186b886db9e3c327669a030e00990e61ffd809d49846623aa15f88c4e3e15153f72b9b78799c8a