Analysis

- max time kernel: 149s
- max time network: 153s
- platform: android-9_x86
- resource: android-x86-arm-20240910-en
- resource tags: arch:arm, arch:x86, image:android-x86-arm-20240910-en, locale:en-us, os:android-9-x86, system
- submitted: 08-09-2024 22:24
Static task: static1

Behavioral task: behavioral1
- Sample: 1524d0f1ba6f88d0198e089916746a5113aa43bc1e66e8dc2127848fc21534a4.apk
- Resource: android-x86-arm-20240910-en

Behavioral task: behavioral2
- Sample: 1524d0f1ba6f88d0198e089916746a5113aa43bc1e66e8dc2127848fc21534a4.apk
- Resource: android-x64-20240910-en

Behavioral task: behavioral3
- Sample: 1524d0f1ba6f88d0198e089916746a5113aa43bc1e66e8dc2127848fc21534a4.apk
- Resource: android-x64-arm64-20240910-en
General

- Target: 1524d0f1ba6f88d0198e089916746a5113aa43bc1e66e8dc2127848fc21534a4.apk
- Size: 4.4MB
- MD5: b0cd63bf5b230cd7c98cfea697f6cc8f
- SHA1: eace30021bfd0a48a7e305b2c63bf88fab3787ba
- SHA256: 1524d0f1ba6f88d0198e089916746a5113aa43bc1e66e8dc2127848fc21534a4
- SHA512: 5b8eeaaaf0a31cf19d96a01f31db76372b18c878363693898192f696639de9afac9279ab842a0afc7694e917c9413599001c857bd8f3fc70c0a2714d9d197dba
- SSDEEP: 98304:dOJTlzwVvfEBPstapRYzHYPRGom2kF6se7BlA5VLYaBdJGN:dCzwp0PmapRYMJ+2kPe9W5VLY0dJGN
Malware Config

Extracted
- Family: hook
- URL: http://80.64.30.123
Signatures

Hook
Hook is an Android malware that is based on Ermac with RAT capabilities.

Loads dropped Dex/Jar (1 TTPs, 3 IoCs)
Runs executable file dropped to the device during analysis.
- ioc: /data/user/0/com.rmptprhsb.nwyhljaui/app_dex/classes.dex, pid: 4252, Process: com.rmptprhsb.nwyhljaui
- ioc: /data/user/0/com.rmptprhsb.nwyhljaui/app_dex/classes.dex, pid: 4279, Process: /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.rmptprhsb.nwyhljaui/app_dex/classes.dex --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.rmptprhsb.nwyhljaui/app_dex/oat/x86/classes.odex --compiler-filter=quicken --class-loader-context=&
- ioc: /data/user/0/com.rmptprhsb.nwyhljaui/app_dex/classes.dex, pid: 4252, Process: com.rmptprhsb.nwyhljaui

Makes use of the framework's Accessibility service (4 TTPs, 3 IoCs)
Retrieves information displayed on the phone screen using AccessibilityService.
- description: Framework service call, ioc: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId, Process: com.rmptprhsb.nwyhljaui
- description: Framework service call, ioc: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId, Process: com.rmptprhsb.nwyhljaui
- description: Framework service call, ioc: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText, Process: com.rmptprhsb.nwyhljaui

Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 TTPs)

Queries information about running processes on the device (1 TTPs, 1 IoCs)
Application may abuse the framework's APIs to collect information about running processes on the device.
- description: Framework service call, ioc: android.app.IActivityManager.getRunningAppProcesses, Process: com.rmptprhsb.nwyhljaui

Queries the phone number (MSISDN for GSM devices) (1 TTPs)

Acquires the wake lock (1 IoCs)
- description: Framework service call, ioc: android.os.IPowerManager.acquireWakeLock, Process: com.rmptprhsb.nwyhljaui

Makes use of the framework's foreground persistence service (1 TTPs, 1 IoCs)
Application may abuse the framework's foreground service to continue running in the foreground.
- description: Framework service call, ioc: android.app.IActivityManager.setServiceForeground, Process: com.rmptprhsb.nwyhljaui

Performs UI accessibility actions on behalf of the user (1 TTPs, 8 IoCs)
Application may abuse the accessibility service to prevent its removal.
- ioc: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction, Process: com.rmptprhsb.nwyhljaui (8 identical entries)

Queries information about the current Wi-Fi connection (1 TTPs, 1 IoCs)
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
- description: Framework service call, ioc: android.net.wifi.IWifiManager.getConnectionInfo, Process: com.rmptprhsb.nwyhljaui

Queries the mobile country code (MCC) (1 TTPs, 1 IoCs)
- description: Framework service call, ioc: com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone, Process: com.rmptprhsb.nwyhljaui

Reads information about the phone network operator (1 TTPs)

Requests access to notifications (often used to intercept notifications before users become aware) (1 TTPs, 1 IoCs)
- description: Intent action, ioc: android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS, Process: com.rmptprhsb.nwyhljaui

Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTPs, 1 IoCs)
- description: Framework service call, ioc: android.app.IActivityManager.registerReceiver, Process: com.rmptprhsb.nwyhljaui

Schedules tasks to execute at a specified time (1 TTPs, 1 IoCs)
Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
- description: Framework service call, ioc: android.app.job.IJobScheduler.schedule, Process: com.rmptprhsb.nwyhljaui

Uses Crypto APIs (might try to encrypt user data) (1 TTPs, 1 IoCs)
- description: Framework API call, ioc: javax.crypto.Cipher.doFinal, Process: com.rmptprhsb.nwyhljaui

Checks CPU information (2 TTPs, 1 IoCs)
- description: File opened for read, ioc: /proc/cpuinfo, Process: com.rmptprhsb.nwyhljaui

Checks memory information (2 TTPs, 1 IoCs)
- description: File opened for read, ioc: /proc/meminfo, Process: com.rmptprhsb.nwyhljaui
Processes

- com.rmptprhsb.nwyhljaui (PID: 4252)
  - Loads dropped Dex/Jar
  - Makes use of the framework's Accessibility service
  - Queries information about running processes on the device
  - Acquires the wake lock
  - Makes use of the framework's foreground persistence service
  - Performs UI accessibility actions on behalf of the user
  - Queries information about the current Wi-Fi connection
  - Queries the mobile country code (MCC)
  - Requests access to notifications (often used to intercept notifications before users become aware)
  - Registers a broadcast receiver at runtime (usually for listening for system events)
  - Schedules tasks to execute at a specified time
  - Uses Crypto APIs (might try to encrypt user data)
  - Checks CPU information
  - Checks memory information
  - Child process: /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.rmptprhsb.nwyhljaui/app_dex/classes.dex --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.rmptprhsb.nwyhljaui/app_dex/oat/x86/classes.odex --compiler-filter=quicken --class-loader-context=& (PID: 4279)
    - Loads dropped Dex/Jar
Network

MITRE ATT&CK Mobile v15

Persistence
- Event Triggered Execution (1)
- Broadcast Receivers (1)
- Foreground Persistence (1)
- Scheduled Task/Job (1)

Defense Evasion
- Download New Code at Runtime (1)
- Foreground Persistence (1)
- Impair Defenses (1)
- Prevent Application Removal (1)
- Input Injection (1)
- Virtualization/Sandbox Evasion (2)
- System Checks (2)

Credential Access
- Access Notifications (1)
- Input Capture (2)
- GUI Input Capture (1)
- Keylogging (1)

Discovery
- Process Discovery (1)
- Software Discovery (1)
- Security Software Discovery (1)
- System Information Discovery (2)
- System Network Configuration Discovery (3)
- System Network Connections Discovery (1)
Downloads