Analysis
-
max time kernel: 179s
max time network: 190s
platform: android_x64
resource: android-x64-arm64-20240624-en
resource tags: android, arch:arm, arch:arm64, arch:x64, arch:x86, image:android-x64-arm64-20240624-en, locale:en-us, os:android-11-x64, system
submitted: 17-08-2024 22:04
Behavioral task: behavioral1
Sample: b7fc601917a91a4ea4ec688bd90e7d74e129cfaeb6ca35eb12c41836824fc940.apk
Resource: android-x86-arm-20240624-en
Behavioral task: behavioral2
Sample: b7fc601917a91a4ea4ec688bd90e7d74e129cfaeb6ca35eb12c41836824fc940.apk
Resource: android-x64-20240624-en
Behavioral task: behavioral3
Sample: b7fc601917a91a4ea4ec688bd90e7d74e129cfaeb6ca35eb12c41836824fc940.apk
Resource: android-x64-arm64-20240624-en
General
Target: b7fc601917a91a4ea4ec688bd90e7d74e129cfaeb6ca35eb12c41836824fc940.apk
Size: 1.1MB
MD5: fb39a388c91b50708740deba669adc6c
SHA1: d8a4d13df84f54418ceb4b075b98fda7dac3b3d5
SHA256: b7fc601917a91a4ea4ec688bd90e7d74e129cfaeb6ca35eb12c41836824fc940
SHA512: b9436f4d71cf868ef7c317b156a495c259dac149284936fc54e203166761f638b417c691ae241e96628dbc25012357baee4fd3bf9b8566f4df378d02aefd5e8a
SSDEEP: 24576:gRwXn2Sd9gnYeCQ6S0trWec3E7f+2wpMYdYY2ojyT0g/HXjp:gRwXnpduL6SorhcU7fTwL2XT0g/Tp
Malware Config
Extracted family: hook
Extracted URL: http://laughing-grass-88954.pktriot.net:22722
Signatures
-
Hook
Hook is an Android malware that is based on Ermac with RAT capabilities.
-
Makes use of the framework's Accessibility service (4 TTPs, 3 IoCs)
Retrieves information displayed on the phone screen using AccessibilityService.
Processes:
description | ioc | process
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | com.nebepileyabe.doju
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | com.nebepileyabe.doju
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | com.nebepileyabe.doju
-
Obtains sensitive information copied to the device clipboard (2 TTPs, 1 IoCs)
Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
Processes:
description | ioc | process
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | com.nebepileyabe.doju
-
Queries information about running processes on the device (1 TTPs, 1 IoCs)
Application may abuse the framework's APIs to collect information about running processes on the device.
Processes:
description | ioc | process
Framework service call | android.app.IActivityManager.getRunningAppProcesses | com.nebepileyabe.doju
-
Queries the phone number (MSISDN for GSM devices) (1 TTPs)
-
Acquires the wake lock (1 IoCs)
Processes:
description | ioc | process
Framework service call | android.os.IPowerManager.acquireWakeLock | com.nebepileyabe.doju
-
Makes use of the framework's foreground persistence service (1 TTPs, 1 IoCs)
Application may abuse the framework's foreground service to continue running in the foreground.
Processes:
description | ioc | process
Framework service call | android.app.IActivityManager.setServiceForeground | com.nebepileyabe.doju
-
Queries information about the current Wi-Fi connection (1 TTPs, 1 IoCs)
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
Processes:
description | ioc | process
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | com.nebepileyabe.doju
-
Reads information about phone network operator (1 TTPs)
-
Schedules tasks to execute at a specified time (1 TTPs, 1 IoCs)
Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
Processes:
description | ioc | process
Framework service call | android.app.job.IJobScheduler.schedule | com.nebepileyabe.doju
-
Uses Crypto APIs (might try to encrypt user data) (1 TTPs, 1 IoCs)
Processes:
description | ioc | process
Framework API call | javax.crypto.Cipher.doFinal | com.nebepileyabe.doju
-
Checks CPU information (2 TTPs, 1 IoCs)
Processes:
description | ioc | process
File opened for read | /proc/cpuinfo | com.nebepileyabe.doju
-
Checks memory information (2 TTPs, 1 IoCs)
Processes:
description | ioc | process
File opened for read | /proc/meminfo | com.nebepileyabe.doju
Processes
-
com.nebepileyabe.doju
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Queries information about running processes on the device
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Queries information about the current Wi-Fi connection
- Schedules tasks to execute at a specified time
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID: 4447
Network
MITRE ATT&CK Mobile v15
Defense Evasion
- Foreground Persistence: 1
- Input Injection: 1
- Virtualization/Sandbox Evasion: 2
- System Checks: 2
Credential Access
- Clipboard Data: 1
- Input Capture: 2
- GUI Input Capture: 1
- Keylogging: 1
Discovery
- Process Discovery: 1
- System Information Discovery: 2
- System Network Configuration Discovery: 2
- System Network Connections Discovery: 1
Downloads
-
Filesize: 4KB
MD5: 7e858c4054eb00fcddc653a04e5cd1c6
SHA1: 2e056bf31a8d78df136f02a62afeeca77f4faccf
SHA256: 9010186c5c083155a45673017d1e31c2a178e63cc15a57bbffde4d1956a23dad
SHA512: d0c7a120940c8e637d5566ef179d01eff88a2c2650afda69ad2a46aad76533eaace192028bba3d60407b4e34a950e7560f95d9f9b8eebe361ef62897d88b30cb
-
Filesize: 512B
MD5: d281453e515990e12e1e20d099cb09ec
SHA1: a9cff3c20938696c8fc257c652d4e959e8165946
SHA256: 885bb957e7dd46e3ce5c1e2f89cf49f31fa024e6954a923392df5af758ad82fc
SHA512: d73c6b965467d773078486ff1fa713c01de6bb7f860dc38f30176dcde81dde3da587b31d8f2e94d139081c39d45a008df09c08e628c743bb51e7bf1d238c28b3
-
Filesize: 32KB
MD5: bb7df04e1b0a2570657527a7e108ae23
SHA1: 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256: c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512: 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012
-
Filesize: 16KB
MD5: e9c8ab1c7bfa5db49e72edf35a326f27
SHA1: ad4713a84c1e39c31e6c0b538c58fc9af17e2b7a
SHA256: e0794a12ba3c29f60014598baa19116bc328def444446d6a9dc45e541403990f
SHA512: b2958aa1290001cac7ae09002621a78e24351d92b1bd0ba1d40b2a87a302340ba13ee78a735aef8e8a7bf379836d4710bdd048a09dc01d94c627d611f5bd1636
-
Filesize: 108KB
MD5: 8237e0e3cf2662b1c4f4b76c9f8ccf68
SHA1: 4f1ba28c4debd6ee52effb3e8261480cf92256c9
SHA256: cfaf54c0f566ee7be036325583fe9902aa45d8ab81bf984baa0b69d4237d0f2e
SHA512: 4392fbf1bbfaa6c7463642e8c174979ba13344ed70fb9bf1046d4b530a945cc75ab5ad79127d836c8741d5bf37acd47365204d21d712a084c6b02b1858a5a7f6
-
Filesize: 173KB
MD5: 362a89ccfef30a6f9448845ed86aaf46
SHA1: f01fc792f6db5f8bd4451648cb3336ca917b598e
SHA256: 57347690e8c9f8646b090946b3ae5f14367a2df3295a9eb225a621eabb9bc4a9
SHA512: cdc1236e559753d54448d3ea536f17c4ef94a3dae645f8c6f2eea0df73cbdfd994ce8d5bcedd32d42d0b70a8b6fcfc9836d01f45439b8a9bc3bc93ba8d3cf016