Analysis
max time kernel: 149s
max time network: 152s
platform: android-9_x86
resource: android-x86-arm-20240910-en
resource tags: arch:arm, arch:x86, image:android-x86-arm-20240910-en, locale:en-us, os:android-9-x86, system
submitted: 13-09-2024 22:08
Static task: static1
Behavioral task: behavioral1
  Sample: 4e08b0bf9d8f80edbd91da1b65e62ac7566c4602b31d5e1fc7c659e7647d29c7.apk
  Resource: android-x86-arm-20240910-en
Behavioral task: behavioral2
  Sample: 4e08b0bf9d8f80edbd91da1b65e62ac7566c4602b31d5e1fc7c659e7647d29c7.apk
  Resource: android-x64-20240910-en
Behavioral task: behavioral3
  Sample: 4e08b0bf9d8f80edbd91da1b65e62ac7566c4602b31d5e1fc7c659e7647d29c7.apk
  Resource: android-x64-arm64-20240910-en
General
Target: 4e08b0bf9d8f80edbd91da1b65e62ac7566c4602b31d5e1fc7c659e7647d29c7.apk
Size: 4.5MB
MD5: c4ba4e0834ae3423c083b3c2b1567be5
SHA1: 90ec975973b0925d70862e72d7890cf76ba65584
SHA256: 4e08b0bf9d8f80edbd91da1b65e62ac7566c4602b31d5e1fc7c659e7647d29c7
SHA512: 13abe943ef3a983fa2faadba15e5fd955274ff8bfbd4eb1bd86303f171a4b21ba74bbfdd27253bebd3196fe587683135fd6f11abbf593b6ee28acf9148cb91d1
SSDEEP: 98304:Il+YtPzwd/hhc62oh8Eue5GFjfrMMPzc6GdhXXvzRNB5Xs:Il+YtP8hhcLRY4FjfrMMPw6AZvlBs
Malware Config
Extracted (hook): http://80.64.30.123
Signatures

Hook
Hook is an Android malware that is based on Ermac with RAT capabilities.

Loads dropped Dex/Jar (1 TTPs, 3 IoCs)
Runs executable file dropped to the device during analysis.
  ioc: /data/user/0/com.isethakvk.atexkdybx/app_dex/classes.dex | pid: 4303 | Process: com.isethakvk.atexkdybx
  ioc: /data/user/0/com.isethakvk.atexkdybx/app_dex/classes.dex | pid: 4329 | Process: /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.isethakvk.atexkdybx/app_dex/classes.dex --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.isethakvk.atexkdybx/app_dex/oat/x86/classes.odex --compiler-filter=quicken --class-loader-context=&
  ioc: /data/user/0/com.isethakvk.atexkdybx/app_dex/classes.dex | pid: 4303 | Process: com.isethakvk.atexkdybx

Makes use of the framework's Accessibility service (4 TTPs, 3 IoCs)
Retrieves information displayed on the phone screen using AccessibilityService.
  description: Framework service call | ioc: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | Process: com.isethakvk.atexkdybx
  description: Framework service call | ioc: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | Process: com.isethakvk.atexkdybx
  description: Framework service call | ioc: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | Process: com.isethakvk.atexkdybx

Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 TTPs)

Queries information about running processes on the device (1 TTPs, 1 IoCs)
Application may abuse the framework's APIs to collect information about running processes on the device.
  description: Framework service call | ioc: android.app.IActivityManager.getRunningAppProcesses | Process: com.isethakvk.atexkdybx

Queries the phone number (MSISDN for GSM devices) (1 TTPs)

Acquires the wake lock (1 IoCs)
  description: Framework service call | ioc: android.os.IPowerManager.acquireWakeLock | Process: com.isethakvk.atexkdybx

Makes use of the framework's foreground persistence service (1 TTPs, 1 IoCs)
Application may abuse the framework's foreground service to continue running in the foreground.
  description: Framework service call | ioc: android.app.IActivityManager.setServiceForeground | Process: com.isethakvk.atexkdybx

Performs UI accessibility actions on behalf of the user (1 TTPs, 8 IoCs)
Application may abuse the accessibility service to prevent its removal.
  ioc: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | Process: com.isethakvk.atexkdybx (8 identical calls recorded)

Queries information about the current Wi-Fi connection (1 TTPs, 1 IoCs)
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
  description: Framework service call | ioc: android.net.wifi.IWifiManager.getConnectionInfo | Process: com.isethakvk.atexkdybx

Queries the mobile country code (MCC) (1 TTPs, 1 IoCs)
  description: Framework service call | ioc: com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | Process: com.isethakvk.atexkdybx

Reads information about the phone network operator (1 TTPs)

Requests access to notifications (often used to intercept notifications before users become aware) (1 TTPs, 1 IoCs)
  description: Intent action | ioc: android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS | Process: com.isethakvk.atexkdybx

Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTPs, 1 IoCs)
  description: Framework service call | ioc: android.app.IActivityManager.registerReceiver | Process: com.isethakvk.atexkdybx

Schedules tasks to execute at a specified time (1 TTPs, 1 IoCs)
Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
  description: Framework service call | ioc: android.app.job.IJobScheduler.schedule | Process: com.isethakvk.atexkdybx

Uses Crypto APIs (might try to encrypt user data) (1 TTPs, 1 IoCs)
  description: Framework API call | ioc: javax.crypto.Cipher.doFinal | Process: com.isethakvk.atexkdybx

Checks CPU information (2 TTPs, 1 IoCs)
  description: File opened for read | ioc: /proc/cpuinfo | Process: com.isethakvk.atexkdybx

Checks memory information (2 TTPs, 1 IoCs)
  description: File opened for read | ioc: /proc/meminfo | Process: com.isethakvk.atexkdybx
Processes

com.isethakvk.atexkdybx
PID: 4303
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Queries information about running processes on the device
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries information about the current Wi-Fi connection
- Queries the mobile country code (MCC)
- Requests access to notifications (often used to intercept notifications before users become aware)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Schedules tasks to execute at a specified time
- Uses Crypto APIs (might try to encrypt user data)
- Checks CPU information
- Checks memory information

  /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.isethakvk.atexkdybx/app_dex/classes.dex --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.isethakvk.atexkdybx/app_dex/oat/x86/classes.odex --compiler-filter=quicken --class-loader-context=&
  PID: 4329
  - Loads dropped Dex/Jar
Network
MITRE ATT&CK Mobile v15

Persistence
- Event Triggered Execution (1)
- Broadcast Receivers (1)
- Foreground Persistence (1)
- Scheduled Task/Job (1)

Defense Evasion
- Download New Code at Runtime (1)
- Foreground Persistence (1)
- Impair Defenses (1)
- Prevent Application Removal (1)
- Input Injection (1)
- Virtualization/Sandbox Evasion (2)
- System Checks (2)

Credential Access
- Access Notifications (1)
- Input Capture (2)
- GUI Input Capture (1)
- Keylogging (1)

Discovery
- Process Discovery (1)
- Software Discovery (1)
- Security Software Discovery (1)
- System Information Discovery (2)
- System Network Configuration Discovery (3)
- System Network Connections Discovery (1)
Downloads

Filesize: 2.9MB
MD5: e2129fa6a62c50b32f58e2d8cdeaa2ae
SHA1: e0f7a927868a243069fa4e19e3e7d7b9a46350ce
SHA256: 681cad66c3e2d3de7b4952be46510aa2dfef2c20feaa18514472074321bff399
SHA512: 70753d60a95d4d4fe3ad5d1e37ead87c9f97a194abb72c6c02c27e3e0842969a1be18acae2e6601350fd16a61b549fbe2acbbf514f1a4b19ab7515117d4e6c18

Filesize: 1.0MB
MD5: e3cb1b8783660459b772d51dee05877c
SHA1: 347a7121dd9167cf655a86643988fb87fd58f0d4
SHA256: c7e8ee170c86c5e93d5ee68845251efeb3da79a11b37bbcabe268e82ed351028
SHA512: 86da101c331acb16bac742bf7824ef99005588e21f2e188483fbc2fd6916f68bd1062f020799a33d6eb096faba5ef7266bd47d97eeeaeefb8b0b1639567626b2

Filesize: 1.0MB
MD5: 28d7a1a6f071eefcbb4aa636bcf61644
SHA1: ed241e8f2f5ddc142de555df4225290b18679800
SHA256: 7a2ed56fe14ec45c3deff59754ed9e3b8d8cd6d41f1b717467ac9c55986c2f27
SHA512: 25acf50495262827fab655f3d7e0e0e15ca632a639ad964874663559a6075f53be85bf833f4cf51e908ce97de8eee32c1156b652983519d4ddb5f66c6c533799

Filesize: 4KB
MD5: f2b4b0190b9f384ca885f0c8c9b14700
SHA1: 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256: 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512: ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

Filesize: 512B
MD5: 98586567124d107fd036cddf21a53bf7
SHA1: 30b0f52435ba89ef408dbfc1594a49a69df85b05
SHA256: 635d8a7614212d98b31b9dd01c0ec2d70107f88178ab47149256635e7a563b5e
SHA512: c60594d2e056268dc2d8f444c119b671a00eba420acdcd9534ac73f7d45132161c1b44447bee003a7df57085e3c100c5b60d53d52abbbdd2f2b7f3163f11ca59

Filesize: 32KB
MD5: bb7df04e1b0a2570657527a7e108ae23
SHA1: 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256: c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512: 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Filesize: 108KB
MD5: 410430c8a0e6e9bc28e47a51a1e8f026
SHA1: e0635127efbac1a3b1feae0786507711813de62e
SHA256: ab34d5d3c85a98ec2a257f086659f3f17cb9286094273ddbd8b08775ce8e5337
SHA512: adb75bb47a61eaa64294123fe08837f814513fb2fbda746bf962461777572fee2473bde06bdc610cb4897509e32e36823484a529903733d98e0ba3aed4eef0ea

Filesize: 173KB
MD5: 254794f6ad870ff5ccc90cc0e5659264
SHA1: a77260cb82a57ddfe28e210e3ba4398f921bf4de
SHA256: b5f7666aefe1c39e8406e480ca0b9e27d0aa691f903d776cd0f17f55ff6cf823
SHA512: 304d00b96de724a45d7fcd30d91289afc07e3665913a51054bc0a359a3333a7318e31b2c11e55d2a4da8d539102b8836f26b8d7c49da835722c39976185267a9

Filesize: 16KB
MD5: 6481996775fa06aec3fec8b81059d85d
SHA1: 47af13fd6d170c436ec44781d58e44ca14a7b8f8
SHA256: 5af04e5090777da95cb9c7fca08c8c3bc042bea04eb70cea0b8715533dd3e4d3
SHA512: 8d8b71096bb5327bef8aa83c042371659b8013f1a27a0c036db28f7f2b9e24e530e6399454830372705d728b630360212dd2ff56874ef2169f21b19cb039c62d

Filesize: 2.9MB
MD5: 882e1fa6424f3c66134104f33f2dab80
SHA1: 7e330ce381ba79d3127d192c94d88393b62d8a72
SHA256: ed14121ac3f9f088c6a853b22cc2920dc28b6f249aba819b840ccd6c54e85b6c
SHA512: a8406d197f7841802caba902b9e22b4ca79a248e87bf9d016b3c9f1c0ccc379ac97f1f2bafd9ff708fd2346c2a8aefae5df5025a2264412bf0633cdfed4bf9d5