Analysis
-
max time kernel
148s -
max time network
158s -
platform
android_x86 -
resource
android-x86-arm-20240624-en -
resource tags
-
submitted
14-09-2024 22:03
General
-
Target
0e8c9d3ab7c5b39f1aa8e639333238a93c7ac627a94acc3472386c10d0c1d760.apk
-
Size
4.5MB
-
MD5
01a3606e2217f1dad0e9de4b2c202397
-
SHA1
b336582cf54dcd5ec3b0efb1b11e164bf672f78c
-
SHA256
0e8c9d3ab7c5b39f1aa8e639333238a93c7ac627a94acc3472386c10d0c1d760
-
SHA512
d12bf246bd943b2e85adbe3f8c306f562d7d8f06f9d4da239f9499ab2a596ab768886d22237c01b5b2f6c110f5934e581e7c2d0c65ec42df1b66064dcd81eafa
-
SSDEEP
98304:WqMd6HDKhiA7xVUGo0u+nremJBXurC9LS0KvGW36d:BMdeDPwjU+VSmJbL1RW0
Malware Config
Extracted
hook
http://80.64.30.123
Signatures
-
Hook
Hook is an Android malware that is based on Ermac with RAT capabilities.
-
Removes its main activity from the application launcher 1 TTPs 2 IoCs
-
Loads dropped Dex/Jar 1 TTPs 3 IoCs
Runs executable file dropped to the device during analysis.
-
Makes use of the framework's Accessibility service 4 TTPs 3 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
-
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries information about running processes on the device 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about running processes on the device.
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Acquires the wake lock 1 IoCs
-
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
-
Performs UI accessibility actions on behalf of the user 1 TTPs 10 IoCs
Application may abuse the accessibility service to prevent their removal.
-
Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
-
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
-
Reads information about phone network operator. 1 TTPs
-
Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
-
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
-
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
-
Schedules tasks to execute at a specified time 1 TTPs 1 IoCs
Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
-
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
Processes
-
com.ggkabyurx.cljrtrclx1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Queries information about running processes on the device
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries information about the current Wi-Fi connection
- Queries the mobile country code (MCC)
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Schedules tasks to execute at a specified time
- Uses Crypto APIs (Might try to encrypt user data)
-
/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.ggkabyurx.cljrtrclx/app_dex/classes.dex --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.ggkabyurx.cljrtrclx/app_dex/oat/x86/classes.odex --compiler-filter=quicken --class-loader-context=&2⤵
- Loads dropped Dex/Jar
-
Network
MITRE ATT&CK Mobile v15
Persistence
Event Triggered Execution
1Broadcast Receivers
1Foreground Persistence
1Scheduled Task/Job
1Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Hide Artifacts
2Suppress Application Icon
1User Evasion
1Impair Defenses
1Prevent Application Removal
1Input Injection
1Credential Access
Access Notifications
1Input Capture
2GUI Input Capture
1Keylogging
1Discovery
Process Discovery
1Software Discovery
1Security Software Discovery
1System Network Configuration Discovery
3System Network Connections Discovery
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.9MB
MD5b417b641fe4cf7480812586558788390
SHA1379bca2d3b614017ec94e4d3d35e0e8ccd9cf889
SHA256e570f75e4e7e78be2bee5c5c273511f08f5071537e027d26191d199ddefc3948
SHA51210655cca4cb46c881580e1f2848add176565b9bd4d1a91df811b21601d5627ce904b4bca9ad67679db847821587ed44d5ecf61b5c8aa418c0f2ebea0f53d432f
-
Filesize
1.0MB
MD5265c2a5b83b196bcac144a4b7d1074a4
SHA1fa7e63327a8fca13ef4302bb78e7108b79787541
SHA2567fb7b19401feb963ed29aa13117f0a1ea6a428f1febdf7453bb7365a0749dcec
SHA512d51621e08be8cdeeec60d189f36b9d0d8b33909236f099dbec73f99832261e553c1f483702f0dda79a084e73ccb3b9ecd215551aaa40a6b7c7fbf3728d679de5
-
Filesize
1.0MB
MD51d74ea41adbd7dd8a3932e50ddbe5f27
SHA135c719636b3f9134119a09843d451b8d9b484913
SHA256f98f69acf1c80f1502714fe17ef7b1ca60d84b6fe58c8e6a76dc9d71740ffe38
SHA512b0e3d6344c4657e16e91129bfa704c1327a5282cf04024fc1d164f96252fdf858a6291a853d0db70edac1ccddf26521c2f26e73046472d24361746669ec8ba59
-
Filesize
4KB
MD5f2b4b0190b9f384ca885f0c8c9b14700
SHA1934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA2560a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1
-
Filesize
512B
MD5bad8ee036c853be607fcb3b8f3dfd188
SHA1f4c9ef07a2ce6ca8e64db0803862993a181b33ed
SHA2567181cfca5d97315b364a10ca31b762945420a10dd14a26cbbde70a765c751e6c
SHA5122d55b04404bb54259849209dcc0192b4d668e1c837cf63b3afed3a8dd51a64e3101ce652ad7e8238cc3bef6b6a28c94a9e5d26c359e1690d73c3860e8b79aa60
-
Filesize
32KB
MD5bb7df04e1b0a2570657527a7e108ae23
SHA15188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012
-
Filesize
108KB
MD5362cbd4fd805e131a7a8a3c9baf8442a
SHA19b14b2d1e65a08682173343ca1fd7b3f65c7b122
SHA256db248abe1e7c7d61c4433e6d3b36d4d71d403254939dbb5e31b1c83aaa069861
SHA512431e68cfc2d50cb6c3d795c37a2f3b4aff9542e0ebc60150f4a9edad102cb5d9cccc75c972b766a2882f1c7cb0b9c38ab1436f0bc78bf61fd7809d34517ebbe8
-
Filesize
173KB
MD5594b07c08ac2b6f8989f8345c16c9bd8
SHA110dab1d47167ab866f9d58becf2922695270eeed
SHA256852887220af36bf213d456315f2d0e8446176c9e2ce9f14bd4834462df0d8da3
SHA512b4ac63cb572cb8f857adde8ad0dbb469a54502652cc8d2da04671ffcb5a57afb1aeb342e7e40f55c8a6613f453c9db15cbefd64835764e4bd5e48155d8305627
-
Filesize
16KB
MD5340d30a2c7e033b4c937368a268a7acd
SHA175f078705715086f5482c884cdc2aa379415b840
SHA256d69ac22c3585c71fd876c5700a82971ba2e41a7b243f195457be52bfd5caaf5c
SHA512ad8b62aa3fc670a7d462b4a8e47d0e516d1f4764d09dd3fb6d6d39ee0e68d24ea88c02d7e40c18865f95249303f6a80cc8320f121ff8873dd04a1517f977cf7b
-
Filesize
2.9MB
MD5b62e1b062c0b4e161a20c62bc5829fc5
SHA1687eeac2667d7c19629beff22229255e01c8d983
SHA256f6444859a03af9d3fc3a985a4b926ddce8e152d3407909402830494a3e584087
SHA5127586822e4a7f5799a26b37cf45c9303c2c07d86258e3328254892361f9c56ffec5649cf56e371f9ad03e20a31db2d3fd8e6940462682354a12e1766f0f6e9d93