Analysis
-
max time kernel
149s -
max time network
152s -
platform
android-9_x86 -
resource
android-x86-arm-20240910-en -
resource tags
-
submitted
09-09-2024 22:14
General
-
Target
a4b9aa0619a74dcfcf4b4bb13d610e76606c7cb551a9fdc78bf45e737dbbd37f.apk
-
Size
4.4MB
-
MD5
0b7c5967ca8e6251473fd9b26f19fb11
-
SHA1
46b21076e97b2c5bbe977f98b67330dca7dd21f6
-
SHA256
a4b9aa0619a74dcfcf4b4bb13d610e76606c7cb551a9fdc78bf45e737dbbd37f
-
SHA512
d46252ee3f11754600ddc6c7b48b8241cfd0b1e489a0bc665442931bd9c99c538d84e86b221982c9228ac668ac97d07eb108cd2e26c79adae45b405f401b2701
-
SSDEEP
98304:UKfAQaTUibERxhgqDfAaIgXfmq3gQ2fK9cpCCSuD+mWxWjnd1VOJ:UuAQEUiby7gqDOgPmq3gQKCcpCxWJrOJ
Malware Config
Extracted
hook
http://185.130.226.87
Signatures
-
Hook
Hook is an Android malware that is based on Ermac with RAT capabilities.
-
Loads dropped Dex/Jar 1 TTPs 3 IoCs
Runs executable file dropped to the device during analysis.
-
Makes use of the framework's Accessibility service 4 TTPs 3 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
-
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries information about running processes on the device 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about running processes on the device.
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Acquires the wake lock 1 IoCs
-
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
-
Performs UI accessibility actions on behalf of the user 1 TTPs 8 IoCs
Application may abuse the accessibility service to prevent their removal.
-
Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
-
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
-
Reads information about phone network operator. 1 TTPs
-
Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
-
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
-
Schedules tasks to execute at a specified time 1 TTPs 1 IoCs
Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
-
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
-
Checks CPU information 2 TTPs 1 IoCs
-
Checks memory information 2 TTPs 1 IoCs
Processes
-
com.ncgtpctkg.eanzbfsiw1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Queries information about running processes on the device
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries information about the current Wi-Fi connection
- Queries the mobile country code (MCC)
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Schedules tasks to execute at a specified time
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
-
/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.ncgtpctkg.eanzbfsiw/app_dex/classes.dex --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.ncgtpctkg.eanzbfsiw/app_dex/oat/x86/classes.odex --compiler-filter=quicken --class-loader-context=&2⤵
- Loads dropped Dex/Jar
-
Network
MITRE ATT&CK Mobile v15
Persistence
Event Triggered Execution
1Broadcast Receivers
1Foreground Persistence
1Scheduled Task/Job
1Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Impair Defenses
1Prevent Application Removal
1Input Injection
1Virtualization/Sandbox Evasion
2System Checks
2Credential Access
Access Notifications
1Input Capture
2GUI Input Capture
1Keylogging
1Discovery
Process Discovery
1Software Discovery
1Security Software Discovery
1System Information Discovery
2System Network Configuration Discovery
3System Network Connections Discovery
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.9MB
MD55060e68e2fa658d1b28e18d514d5033e
SHA1c27247f5d015ac181ae32df2c4b889b31fc8115e
SHA256455a988b8371ce33e6ed39bf0c4369c3c9fd26b6002423d467308f38a0cc20fc
SHA51279138601617072efaa8e77171133026aaf24bf4af5df14e2ac69e16cbd8efd4f18843dd1f8458f5ce8fc78cbb578bf0ed400971cc326b30b53b9935bab58dbc1
-
Filesize
1.0MB
MD58391d760410890669979909cf6c1318e
SHA13f44823afce3eaa20ed125913079a62356c2a674
SHA256b47ceef4fb691a856f3e76ae7b6c18c612aef1cc4e01578bacccb715968fe4f9
SHA512bb931c5fe6cffb62dfd8c0e57c7a9ad58b414a6d51342d983608095036dd0ce6420ce5b1da646a58e43b1a8054b09e92b1d32b13a0544409b03a70dfd415e691
-
Filesize
1.0MB
MD58ab99d97e191d7b4d3f33d3065bf0076
SHA17a896180aa15ab8385d50c3306e44e2e6d98a61b
SHA256f658fe00f4ad2e0bddd60e25a1ceb001efd1333546e25516e9b7e0da705394cc
SHA5128129481cb41a2cedcd09d86f161c5469b96d1ca597aa056b1ffc7f071d81bced258c409f879355b8da6a2040c5ce3cd67ea038fa791d4bc3a3a6c5b6459951b4
-
Filesize
4KB
MD5f2b4b0190b9f384ca885f0c8c9b14700
SHA1934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA2560a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1
-
Filesize
512B
MD56c158235316f31c90c886642aecfc2f9
SHA19a4a23294765646d1c9994e770ff9ad42411f428
SHA256b822ec0ee3306e6a97087968377e5fa92b2ce01ba3cff866216e262f395fa697
SHA512858865bd2873ff78cc1c2152b017c5f9e013b9991a45026da3dd7f733e097f03cb555a313fd55865bdb70238373f2c9c05a05fbf8885c42f2a49fd770daab40b
-
Filesize
32KB
MD5bb7df04e1b0a2570657527a7e108ae23
SHA15188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012
-
Filesize
108KB
MD57f0da097e066a7a67a0a7998b6751d58
SHA11e055fde88b0e7c7b07f7a1b126f0b09b4cdeff7
SHA25604ca58ebf59370a971e9cf349b37f7b196baf70de339f404dd429efa388d4824
SHA5123aeffc4cef1ee1f36cf8490639b081fdd582eaffac6037dc29e1bd31bc93e7b924c57118bb65d6d0e0841135734e4e42884f8bb7b062c64a89d5f215304e7d6b
-
Filesize
173KB
MD58e589bf78baa6241585b3ba134f6a025
SHA1bc317ec38ca3d40cbf427b5fb31e6d5b907f90c8
SHA256fe7b00c033108d232785a9f475c6412ef8d7c61ecd5454bf2c5fcead4f8d1c27
SHA51242f59ad19d50c80ace890d194a3a4a854c1b20c4f149f12cadce9adaa2dc3e79404f8e4615f23d422f31e7db8ff05915ef7a190afb62dc523ed70d00ac65b5a6
-
Filesize
16KB
MD5f7f501ffa1ed311ed84e0f149d8916a7
SHA145c4e0fd69afb1a0d573093f87fedf658038580c
SHA256a4f924d39ebcd265082c5a4a2da0eb849d2f4c947be1fb6d21d121921ceba67e
SHA51202f42f4798973e0b9e459a1e2e77518e940518a22fd4b8db9e9e7b161809c7203056d673e9c110813fc45c9d985b10fe6f273061f265219a2272074c1ea25655
-
Filesize
2.9MB
MD552854711fd29601052aa260cb003833f
SHA1a605f95025734b7f224f83d23f6d0aa20653c7bf
SHA256ed78e940ceb585b71f0d042e1f17b4da73e10a80f03f41dc60d8cbb8d74b0e20
SHA512421960a7c80233a79d6dfdff6c5f4e2ffac95e96781c2f921697e3660c86c60b7fc90f9ab5ff1db591de0ac2e3ac1539a818c2820aaf60406caba444e4ce33a5