Analysis
-
max time kernel
148s -
max time network
153s -
platform
android-9_x86 -
resource
android-x86-arm-20240910-en -
resource tags
-
submitted
09-09-2024 22:01
General
-
Target
9ca68fdb6fcc96fc1725b8101999d638227fc8540c66204c85b3a1a896a57226.apk
-
Size
4.4MB
-
MD5
29be1ff2be84cb99949012c2b82ab983
-
SHA1
fd4b89b0a5f9083b9d844e97d3e3d1770bf16f6c
-
SHA256
9ca68fdb6fcc96fc1725b8101999d638227fc8540c66204c85b3a1a896a57226
-
SHA512
c5d2895d63e066dcf0444b307898525a7b6983947273d4739ec923a3c150d536817e03718ce3dfee79739845391a5a4f1777fca768a8ae88eec1671897496df7
-
SSDEEP
98304:O+DmqkGO8zKO6koZYZbYUE7P8sRZz+xnzyrPSWJXw9MuJ7pXL+BwFhIZegPtKTYJ:3Dlkizv6zYZbYR8sRZaxzyrPSwb0iIIb
Malware Config
Extracted
hook
http://185.147.124.43
Signatures
-
Hook
Hook is an Android malware that is based on Ermac with RAT capabilities.
-
Loads dropped Dex/Jar 1 TTPs 3 IoCs
Runs executable file dropped to the device during analysis.
-
Makes use of the framework's Accessibility service 4 TTPs 3 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
-
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries information about running processes on the device 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about running processes on the device.
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Acquires the wake lock 1 IoCs
-
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
-
Performs UI accessibility actions on behalf of the user 1 TTPs 8 IoCs
Application may abuse the accessibility service to prevent their removal.
-
Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
-
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
-
Reads information about phone network operator. 1 TTPs
-
Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
-
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
-
Schedules tasks to execute at a specified time 1 TTPs 1 IoCs
Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
-
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
-
Checks CPU information 2 TTPs 1 IoCs
-
Checks memory information 2 TTPs 1 IoCs
Processes
-
com.jmxrpjdpn.zaivookdx1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Queries information about running processes on the device
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries information about the current Wi-Fi connection
- Queries the mobile country code (MCC)
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Schedules tasks to execute at a specified time
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
-
/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.jmxrpjdpn.zaivookdx/app_dex/classes.dex --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.jmxrpjdpn.zaivookdx/app_dex/oat/x86/classes.odex --compiler-filter=quicken --class-loader-context=&2⤵
- Loads dropped Dex/Jar
-
Network
MITRE ATT&CK Mobile v15
Persistence
Event Triggered Execution
1Broadcast Receivers
1Foreground Persistence
1Scheduled Task/Job
1Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Impair Defenses
1Prevent Application Removal
1Input Injection
1Virtualization/Sandbox Evasion
2System Checks
2Credential Access
Access Notifications
1Input Capture
2GUI Input Capture
1Keylogging
1Discovery
Process Discovery
1Software Discovery
1Security Software Discovery
1System Information Discovery
2System Network Configuration Discovery
3System Network Connections Discovery
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.9MB
MD564d0bb27e7959a0da6a8973bd21712be
SHA1bb05efc5fab7283cabf40c5301235c3eb2e2f623
SHA2562034a70d8c6842cbe4c6db26481a755f5877b8790c7c93967696e8c06c3823a4
SHA5129de9dcf4b216efc679187c68a3791dd7f02046fa64c83b48d73d455b8e2004182131759d74ce34977586b081ecc6eea8aa85452311a0ad99cefeb527bafa763f
-
Filesize
1.0MB
MD59014736a1491cd740990892f23b03ea4
SHA17df45baf835c257d33cdd79fabce19f210d318d6
SHA256ca6ad51fa5f5c59e25ddf68aef2f34ae18e08b5e1f488732e5befdebdca40ede
SHA51256b23b4181efe9ed6a3535bfe58048dd1a3fd6620b74539a66d41ad3cd19bb94359711e7bbaebbad68475014fa039dbbabbb6b8ca8833123a3046d51fbc3da07
-
Filesize
1.0MB
MD53298cfeb444f81018af17b8f01c792c0
SHA1df7dcd490d1cc746faa65567165db286aefff7db
SHA256d66c0a32aab9ba685616d037dabc07daded673660d2808aa25a39c5c89ad3c67
SHA512a7cf611dfc105a56e801880d178f1aba0c8cd5ae925e946c301bdd21f85a457b418d9bc053b57525d587e04d7535cbdb959380e034b3eadc6b8c37be239621d0
-
Filesize
4KB
MD5f2b4b0190b9f384ca885f0c8c9b14700
SHA1934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA2560a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1
-
Filesize
512B
MD526b74fc229a388719f0614be62861e85
SHA16b29521f825ae0b81699aea0adb68d24b58f7e24
SHA25610f681edbb48a6b11c841b8b9adcae24c2b876b42e38b7180bc49bf721a8956d
SHA512077915cce14580179fc1602b3ccf974a95eb3b55f7025cb54152fece0e93fd38a56af497dff437a31994510aee5f960ebebaab2ea756953da17f65fae881edc3
-
Filesize
32KB
MD5bb7df04e1b0a2570657527a7e108ae23
SHA15188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012
-
Filesize
108KB
MD5ebe6bdfa7b4949a0eb938da98b6b9d1c
SHA1299c8d9617371d955468cc41d878da2ed972a576
SHA2561b4bb5094bb9c2d79bac27a26ee6824230ef70f068aa41e6013a07f73509c81c
SHA51291801be9de486301d5d0563b0305aa66aad1345ec46b77fa95a8816386906986c6ccb859109a9ee348827940809d94d1a5b37693df23ad40b448f1a6e666a9f6
-
Filesize
173KB
MD507136903332d4c55fa4b2718fae5ae2b
SHA1b615753bc71bb8313fb7e09404875f3aa7afbee6
SHA256c6cc59624c535ce0ca9b1cccd2d5879b1eb23a52275912bcde5c7a8b84f74eeb
SHA5120e2e4fc457a1a46dc331b196404ee66f957558042f5de13fafc4fa9f44d0cb47e4f278d40e1a3ddafcefad6b082950229d9615374748a38d2df916963a2315d2
-
Filesize
16KB
MD520383ed95c8f997a41742073828779c6
SHA1b76143a23d5ab6716390613b679a51b6a6b3cd5d
SHA2567477724398697adc252edd0a9a9946f0f953b557147fb944efb2085aedc7bde5
SHA51260c32d7f177376cc40351f79b619fefc277f1f9c569cc41bf5eff5c947dc48fef037e08ef68826e498939c6cbdec9df7ed9262bd12963e3773fc804b4960126f
-
Filesize
2.9MB
MD5013c8aa6e8e4111c5e754603a2b5ecbc
SHA1aa373cc380c9c6b1d986bdbd9b256a25e247bf7c
SHA2566ad5a9fb41bea4c6452ea3d01d201fb5e5364e1489cf7619a04f043390201f88
SHA5120c75253b2edca8f6a0381d094c43ddd47bcaf9fac945932e8a074ca1a74061dc62189e0858a9311b2350288d7bd5d19fa43055bc73de2b6baa12c15102dae826