Analysis
Max time kernel: 149s
Max time network: 161s
Platform: android_x86
Resource: android-x86-arm-20240624-en
Resource tags: android, arch:arm, arch:x86, image:android-x86-arm-20240624-en, locale:en-us, os:android-9-x86, system
Submitted: 11-09-2024 22:00
Static task: static1
Behavioral task: behavioral1
  Sample: da68f3761855cb416561719126b46cddb738dd36930d9005073b554bfbe88188.apk
  Resource: android-x86-arm-20240624-en
Behavioral task: behavioral2
  Sample: da68f3761855cb416561719126b46cddb738dd36930d9005073b554bfbe88188.apk
  Resource: android-x64-20240624-en
Behavioral task: behavioral3
  Sample: da68f3761855cb416561719126b46cddb738dd36930d9005073b554bfbe88188.apk
  Resource: android-x64-arm64-20240624-en
General
Target: da68f3761855cb416561719126b46cddb738dd36930d9005073b554bfbe88188.apk
Size: 4.5MB
MD5: b978be7c10cc9ad633297b325d0e5f8e
SHA1: b62ad6474e0c491b3bbfe7aa425e2f3963405fc3
SHA256: da68f3761855cb416561719126b46cddb738dd36930d9005073b554bfbe88188
SHA512: 82c9f0ad84dfa476a26fbd8f05d7703d7e10183d221c54da49c187996be1d91984546122f39ed32f50694edf33ca43eaf6117cba38940a1eed0d59a3e708c5c3
SSDEEP: 98304:ITTdJbspOYwzTkg1jm6CwKEVQ66hZoIQnKIetNmZDx25q5yE0AoR4Y:K3sh05sFEVQTLI2mRxj5yE0mY
Malware Config
Extracted
Family: hook
C2: http://185.147.124.43
Signatures

Hook
Hook is an Android malware that is based on Ermac with RAT capabilities.
Processes: com.mfuhhbhyd.anrsgvsge
  pid  | process
  4253 | com.mfuhhbhyd.anrsgvsge

Loads dropped Dex/Jar (1 TTPs, 3 IoCs)
Runs executable file dropped to the device during analysis.
Processes:
  com.mfuhhbhyd.anrsgvsge
  /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.mfuhhbhyd.anrsgvsge/app_dex/classes.dex --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.mfuhhbhyd.anrsgvsge/app_dex/oat/x86/classes.odex --compiler-filter=quicken --class-loader-context=&
  ioc | pid | process
  /data/user/0/com.mfuhhbhyd.anrsgvsge/app_dex/classes.dex | 4253 | com.mfuhhbhyd.anrsgvsge
  /data/user/0/com.mfuhhbhyd.anrsgvsge/app_dex/classes.dex | 4284 | /system/bin/dex2oat (full command line as listed above)
  /data/user/0/com.mfuhhbhyd.anrsgvsge/app_dex/classes.dex | 4253 | com.mfuhhbhyd.anrsgvsge
Makes use of the framework's Accessibility service (4 TTPs, 3 IoCs)
Retrieves information displayed on the phone screen using AccessibilityService.
Processes: com.mfuhhbhyd.anrsgvsge
  description | ioc | process
  Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | com.mfuhhbhyd.anrsgvsge
  Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | com.mfuhhbhyd.anrsgvsge
  Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | com.mfuhhbhyd.anrsgvsge

Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 TTPs)

Queries information about running processes on the device (1 TTPs, 1 IoCs)
Application may abuse the framework's APIs to collect information about running processes on the device.
Processes: com.mfuhhbhyd.anrsgvsge
  description | ioc | process
  Framework service call | android.app.IActivityManager.getRunningAppProcesses | com.mfuhhbhyd.anrsgvsge

Queries the phone number (MSISDN for GSM devices) (1 TTPs)

Acquires the wake lock (1 IoCs)
Processes: com.mfuhhbhyd.anrsgvsge
  description | ioc | process
  Framework service call | android.os.IPowerManager.acquireWakeLock | com.mfuhhbhyd.anrsgvsge

Makes use of the framework's foreground persistence service (1 TTPs, 1 IoCs)
Application may abuse the framework's foreground service to continue running in the foreground.
Processes: com.mfuhhbhyd.anrsgvsge
  description | ioc | process
  Framework service call | android.app.IActivityManager.setServiceForeground | com.mfuhhbhyd.anrsgvsge

Performs UI accessibility actions on behalf of the user (1 TTPs, 9 IoCs)
Application may abuse the accessibility service to prevent its removal.
Processes: com.mfuhhbhyd.anrsgvsge
  ioc | process
  android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | com.mfuhhbhyd.anrsgvsge (9 calls recorded)

Queries information about the current Wi-Fi connection (1 TTPs, 1 IoCs)
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
Processes: com.mfuhhbhyd.anrsgvsge
  description | ioc | process
  Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | com.mfuhhbhyd.anrsgvsge

Queries the mobile country code (MCC) (1 TTPs, 1 IoCs)
Processes: com.mfuhhbhyd.anrsgvsge
  description | ioc | process
  Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | com.mfuhhbhyd.anrsgvsge

Reads information about the phone network operator (1 TTPs)

Requests access to notifications (often used to intercept notifications before users become aware) (1 TTPs, 1 IoCs)
Processes: com.mfuhhbhyd.anrsgvsge
  description | ioc | process
  Intent action | android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS | com.mfuhhbhyd.anrsgvsge

Requests disabling of battery optimizations (often used to enable hiding in the background) (1 TTPs, 1 IoCs)
Processes: com.mfuhhbhyd.anrsgvsge
  description | ioc | process
  Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | com.mfuhhbhyd.anrsgvsge

Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTPs, 1 IoCs)
Processes: com.mfuhhbhyd.anrsgvsge
  description | ioc | process
  Framework service call | android.app.IActivityManager.registerReceiver | com.mfuhhbhyd.anrsgvsge

Schedules tasks to execute at a specified time (1 TTPs, 1 IoCs)
Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
Processes: com.mfuhhbhyd.anrsgvsge
  description | ioc | process
  Framework service call | android.app.job.IJobScheduler.schedule | com.mfuhhbhyd.anrsgvsge

Uses Crypto APIs (might try to encrypt user data) (1 TTPs, 1 IoCs)
Processes: com.mfuhhbhyd.anrsgvsge
  description | ioc | process
  Framework API call | javax.crypto.Cipher.doFinal | com.mfuhhbhyd.anrsgvsge
Processes
com.mfuhhbhyd.anrsgvsge (PID 4253)
  - Removes its main activity from the application launcher
  - Loads dropped Dex/Jar
  - Makes use of the framework's Accessibility service
  - Queries information about running processes on the device
  - Acquires the wake lock
  - Makes use of the framework's foreground persistence service
  - Performs UI accessibility actions on behalf of the user
  - Queries information about the current Wi-Fi connection
  - Queries the mobile country code (MCC)
  - Requests access to notifications (often used to intercept notifications before users become aware)
  - Requests disabling of battery optimizations (often used to enable hiding in the background)
  - Registers a broadcast receiver at runtime (usually for listening for system events)
  - Schedules tasks to execute at a specified time
  - Uses Crypto APIs (might try to encrypt user data)
  /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.mfuhhbhyd.anrsgvsge/app_dex/classes.dex --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.mfuhhbhyd.anrsgvsge/app_dex/oat/x86/classes.odex --compiler-filter=quicken --class-loader-context=& (PID 4284, child of 4253)
    - Loads dropped Dex/Jar
Network
MITRE ATT&CK Mobile v15
Persistence
  Event Triggered Execution (1)
  Broadcast Receivers (1)
  Foreground Persistence (1)
  Scheduled Task/Job (1)
Defense Evasion
  Download New Code at Runtime (1)
  Foreground Persistence (1)
  Hide Artifacts (2)
  Suppress Application Icon (1)
  User Evasion (1)
  Impair Defenses (1)
  Prevent Application Removal (1)
  Input Injection (1)
Credential Access
  Access Notifications (1)
  Input Capture (2)
  GUI Input Capture (1)
  Keylogging (1)
Discovery
  Process Discovery (1)
  Software Discovery (1)
  Security Software Discovery (1)
  System Network Configuration Discovery (3)
  System Network Connections Discovery (1)
Downloads