Analysis
-
max time kernel
149s -
max time network
155s -
platform
android-9_x86 -
resource
android-x86-arm-20240910-en -
resource tags
arch:arm
arch:x86
image:android-x86-arm-20240910-en
locale:en-us
os:android-9-x86
system
-
submitted
14-09-2024 22:07
Static task
static1
Behavioral task
behavioral1
Sample
558234427065b190153597d49b26a64fda69ce6ead7419d568702e464115bc21.apk
Resource
android-x86-arm-20240910-en
Behavioral task
behavioral2
Sample
558234427065b190153597d49b26a64fda69ce6ead7419d568702e464115bc21.apk
Resource
android-x64-20240910-en
Behavioral task
behavioral3
Sample
558234427065b190153597d49b26a64fda69ce6ead7419d568702e464115bc21.apk
Resource
android-x64-arm64-20240624-en
General
-
Target
558234427065b190153597d49b26a64fda69ce6ead7419d568702e464115bc21.apk
-
Size
4.5MB
-
MD5
9998c68a71fd2e2035c30967f48f4332
-
SHA1
d2f7934bee6bbcbd33f872798ea47f47ce600936
-
SHA256
558234427065b190153597d49b26a64fda69ce6ead7419d568702e464115bc21
-
SHA512
a9341fabd87b575ab4b034ea87bc7d6f7d4e9cac5b2785c6698ec8a4135aa075833f916a10c8ed3ed7dab2c1da32d3f88094e3f3f219c82a847bc5301beee67e
-
SSDEEP
98304:XqQ+yElnnZDdBQ4m28aatk2Js0ugCdyNB/f9hsx2KJlianRBexzBF:OnlnPBQVraatXJegCdqhQ2klfnirF
Malware Config
Extracted
hook
http://80.64.30.123
Signatures
-
Hook
Hook is Android malware based on Ermac, with RAT capabilities.
-
Loads dropped Dex/Jar 1 TTPs 3 IoCs
Runs an executable file dropped to the device during analysis.
Processes:
ioc | pid | process
/data/user/0/com.bolaoixyx.pacaaopiq/app_dex/classes.dex | 4335 | com.bolaoixyx.pacaaopiq
/data/user/0/com.bolaoixyx.pacaaopiq/app_dex/classes.dex | 4361 | /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.bolaoixyx.pacaaopiq/app_dex/classes.dex --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.bolaoixyx.pacaaopiq/app_dex/oat/x86/classes.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/com.bolaoixyx.pacaaopiq/app_dex/classes.dex | 4335 | com.bolaoixyx.pacaaopiq
-
Makes use of the framework's Accessibility service 4 TTPs 3 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
Processes:
description | ioc | process
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | com.bolaoixyx.pacaaopiq
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | com.bolaoixyx.pacaaopiq
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | com.bolaoixyx.pacaaopiq
-
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries information about running processes on the device 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about running processes on the device.
Processes:
description | ioc | process
Framework service call | android.app.IActivityManager.getRunningAppProcesses | com.bolaoixyx.pacaaopiq
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Acquires the wake lock 1 IoCs
Processes:
description | ioc | process
Framework service call | android.os.IPowerManager.acquireWakeLock | com.bolaoixyx.pacaaopiq
-
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
Processes:
description | ioc | process
Framework service call | android.app.IActivityManager.setServiceForeground | com.bolaoixyx.pacaaopiq
-
Performs UI accessibility actions on behalf of the user 1 TTPs 8 IoCs
Application may abuse the accessibility service to prevent its own removal.
Processes:
ioc | process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | com.bolaoixyx.pacaaopiq (8 occurrences)
-
Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
Processes:
description | ioc | process
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | com.bolaoixyx.pacaaopiq
-
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
Processes:
description | ioc | process
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | com.bolaoixyx.pacaaopiq
-
Reads information about phone network operator. 1 TTPs
-
Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
Processes:
description | ioc | process
Intent action | android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS | com.bolaoixyx.pacaaopiq
-
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
Processes:
description | ioc | process
Framework service call | android.app.IActivityManager.registerReceiver | com.bolaoixyx.pacaaopiq
-
Schedules tasks to execute at a specified time 1 TTPs 1 IoCs
Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
Processes:
description | ioc | process
Framework service call | android.app.job.IJobScheduler.schedule | com.bolaoixyx.pacaaopiq
-
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
Processes:
description | ioc | process
Framework API call | javax.crypto.Cipher.doFinal | com.bolaoixyx.pacaaopiq
-
Checks CPU information 2 TTPs 1 IoCs
Processes:
description | ioc | process
File opened for read | /proc/cpuinfo | com.bolaoixyx.pacaaopiq
-
Checks memory information 2 TTPs 1 IoCs
Processes:
description | ioc | process
File opened for read | /proc/meminfo | com.bolaoixyx.pacaaopiq
Processes
-
com.bolaoixyx.pacaaopiq
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Queries information about running processes on the device
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries information about the current Wi-Fi connection
- Queries the mobile country code (MCC)
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Schedules tasks to execute at a specified time
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID: 4335
-
/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.bolaoixyx.pacaaopiq/app_dex/classes.dex --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.bolaoixyx.pacaaopiq/app_dex/oat/x86/classes.odex --compiler-filter=quicken --class-loader-context=& (child of PID 4335)
- Loads dropped Dex/Jar
PID: 4361
-
Network
MITRE ATT&CK Mobile v15
Persistence
- Event Triggered Execution: 1
- Broadcast Receivers: 1
- Foreground Persistence: 1
- Scheduled Task/Job: 1
Defense Evasion
- Download New Code at Runtime: 1
- Foreground Persistence: 1
- Impair Defenses: 1
- Prevent Application Removal: 1
- Input Injection: 1
- Virtualization/Sandbox Evasion: 2
- System Checks: 2
Credential Access
- Access Notifications: 1
- Input Capture: 2
- GUI Input Capture: 1
- Keylogging: 1
Discovery
- Process Discovery: 1
- Software Discovery: 1
- Security Software Discovery: 1
- System Information Discovery: 2
- System Network Configuration Discovery: 3
- System Network Connections Discovery: 1
Downloads
-
Filesize
2.9MB
MD5
a2c5c17b3307726055b49289cc4646e0
SHA1
91557d92b9e519a399685eaab27a0858a3d4dd37
SHA256
f5c5c2195cf1e141b7cafb2780005c8765dad1a8edd9293a57e6a201b0568938
SHA512
1782344a2fcfdad5cbe33d018a5d7c35c0000ec9da2c5fc7ff56ac74f697b17450be36fcfb4637590c0a04762b56eb8c7ba6f8c54f264a1f82a5f79d4421c26f
-
Filesize
1.0MB
MD5
fca9d42e2678a461dd90a098e693ae4b
SHA1
a19558fb6a83ca6eaf0cd5dcf2a86c05a182f3be
SHA256
90c7aeec28ab0984873209c1463234d85b9002a03bfe1970a12c290cee5b0fc3
SHA512
bb9303c3c4c7777809d8786f67fa19d449b092ec36e0f3884a88ab071b63a250d3923f514baaa54fb8be745805289cd7132799bad1670fe30ef496bad09dda7f
-
Filesize
1.0MB
MD5
fb24f22a86d8f227257da2f25b56a551
SHA1
2af02a7d034bd8ab5dd831e2b5ce1f4de6b3a64e
SHA256
037a690236cef5d87b743c8dcb9e412b48f694ff1958143667f74f48b5d5ae03
SHA512
8ceaa97c365d064fb71b93b961bd36e963bb58616919d246e8895057823b55a17729331fc97c6fd776769588f6b7029dc0da1e58bb1ffce1b9d0244e50db7876
-
Filesize
4KB
MD5
f2b4b0190b9f384ca885f0c8c9b14700
SHA1
934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256
0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512
ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1
-
Filesize
512B
MD5
225b153e6d444aa97458bf47d4e07412
SHA1
db5851e8caee9b892586cdd1eebdc70cc9a1d257
SHA256
e436c23f3c2ddc96269b7e3d769c479b1852f73edf66604ceff28494da4a491d
SHA512
06c690cc7e99d51ef183cfcf6d9ba271f21238e473c8f16c9e40819e9f044df90866b7dab17d33a20bb2d27887c99540cdcd0babed28aa69fba1e71f33a0916c
-
Filesize
32KB
MD5
bb7df04e1b0a2570657527a7e108ae23
SHA1
5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256
c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512
768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012
-
Filesize
108KB
MD5
ebb3dbca25fc0fbf3953508a9d1ffdfd
SHA1
aac94041906758920b91718fe6677390d8156380
SHA256
320b92edca7a5a414a7f1920c54f7a5646882c848fed8e3c02cc9a8ef13f6941
SHA512
664f18272d01d5039aaa268a0b2d496033ed792d95256e233f772443f055e84e3425a7497306c46b4dbec872ac0a2424dceb4bc51911614532c109c046d61aac
-
Filesize
173KB
MD5
fd2ff39556013bf8f87c2f86dd68c98f
SHA1
4f772c1188303c6e36716f190305a70d730182d0
SHA256
014eaa19c594598e4f8c2e35fff4c6c0b7ff4e6cd71d190f389077609cee0fb8
SHA512
5c92a587160e36574b430fd138ab3d68b724521c0aecf3b08ab8271a95396a46dfeed137c7fd54570be6510ac1866934d572a0d76d5f30b70c0ff7381bc3bff8
-
Filesize
16KB
MD5
d4fb2753c753cdc965cc120f8294418a
SHA1
4be91b0d9b017040e892ca7ec2a42ecd19b0413a
SHA256
cfad186343f40019e9d413eadf1eb413e15075df65d7affb25e3a5ae6b77722d
SHA512
617e77d3e71f30418994536e7ab853afc5143ddeb266a56c5cdcdeed347b9414342b3b405b9fe4007ac6213aad30337cfdb270f5f208d713bedc57ea58ae48d7
-
Filesize
2.9MB
MD5
df8b0fd9c0f7830c02f16e36d5f06006
SHA1
97fb5b163191847d835b0af6d162fb40587afae0
SHA256
72b8d36f188d94943a1d39f0bbd5284574cab119cb20092fd061e84b204ce61f
SHA512
ff7d6d25bdbaa0286031457a38e07b8db60218db814bdb86881c7ceb2fdd5ca1f8d4fda3529cb0da5f73d0f5c44034491acd23a6e3074cf11c01f6832186f2b0