Analysis
-
max time kernel
147s -
max time network
151s -
platform
android-11_x64 -
resource
android-x64-arm64-20240910-en -
resource tags
arch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240910-enlocale:en-usos:android-11-x64system -
submitted
18-09-2024 22:07
Behavioral task
behavioral1
Sample
579c5c1126aa330e5e8eee1461799d84ff1acf7ba7a593c933120523c72e536f.apk
Resource
android-x86-arm-20240624-en
Behavioral task
behavioral2
Sample
579c5c1126aa330e5e8eee1461799d84ff1acf7ba7a593c933120523c72e536f.apk
Resource
android-x64-20240624-en
Behavioral task
behavioral3
Sample
579c5c1126aa330e5e8eee1461799d84ff1acf7ba7a593c933120523c72e536f.apk
Resource
android-x64-arm64-20240910-en
General
-
Target
579c5c1126aa330e5e8eee1461799d84ff1acf7ba7a593c933120523c72e536f.apk
-
Size
1.2MB
-
MD5
5b7903126a21275d7bc748073188b232
-
SHA1
b13186d9e448e6ae415d0d4bd50e35a55936bd09
-
SHA256
579c5c1126aa330e5e8eee1461799d84ff1acf7ba7a593c933120523c72e536f
-
SHA512
d3a0bdafe42233d10bf58303f1846f94101430d10578f75ade013e106d3f4712ce91aebd862c4a3c7219bb8c06288828355d10080fe19bef364464a2a7d375f3
-
SSDEEP
24576:PDgS5V9wA3Ufx86cRqEikqVuaGaWu5aMu/T:PDgSP9GcRqEikqVuLPu5u/T
Malware Config
Extracted
hook
http://185.147.124.43
Signatures
-
Hook
Hook is an Android malware that is based on Ermac with RAT capabilities.
-
Makes use of the framework's Accessibility service 4 TTPs 3 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
description ioc Process Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId com.dehodigipuhixoyi.mafuko Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId com.dehodigipuhixoyi.mafuko Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText com.dehodigipuhixoyi.mafuko -
Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs
Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
description ioc Process Framework service call android.content.IClipboard.addPrimaryClipChangedListener com.dehodigipuhixoyi.mafuko -
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries information about running processes on the device 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about running processes on the device.
description ioc Process Framework service call android.app.IActivityManager.getRunningAppProcesses com.dehodigipuhixoyi.mafuko -
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Acquires the wake lock 1 IoCs
description ioc Process Framework service call android.os.IPowerManager.acquireWakeLock com.dehodigipuhixoyi.mafuko -
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
description ioc Process Framework service call android.app.IActivityManager.setServiceForeground com.dehodigipuhixoyi.mafuko -
Performs UI accessibility actions on behalf of the user 1 TTPs 5 IoCs
Application may abuse the accessibility service to prevent their removal.
ioc Process android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.dehodigipuhixoyi.mafuko android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.dehodigipuhixoyi.mafuko android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.dehodigipuhixoyi.mafuko android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.dehodigipuhixoyi.mafuko android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.dehodigipuhixoyi.mafuko -
Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
description ioc Process Framework service call android.net.wifi.IWifiManager.getConnectionInfo com.dehodigipuhixoyi.mafuko -
Reads information about phone network operator. 1 TTPs
-
Schedules tasks to execute at a specified time 1 TTPs 1 IoCs
Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
description ioc Process Framework service call android.app.job.IJobScheduler.schedule com.dehodigipuhixoyi.mafuko -
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
description ioc Process Framework API call javax.crypto.Cipher.doFinal com.dehodigipuhixoyi.mafuko -
Checks CPU information 2 TTPs 1 IoCs
description ioc Process File opened for read /proc/cpuinfo com.dehodigipuhixoyi.mafuko -
Checks memory information 2 TTPs 1 IoCs
description ioc Process File opened for read /proc/meminfo com.dehodigipuhixoyi.mafuko
Processes
-
com.dehodigipuhixoyi.mafuko1⤵
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Queries information about running processes on the device
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries information about the current Wi-Fi connection
- Schedules tasks to execute at a specified time
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:4839
Network
MITRE ATT&CK Mobile v15
Defense Evasion
Foreground Persistence
1Impair Defenses
1Prevent Application Removal
1Input Injection
1Virtualization/Sandbox Evasion
2System Checks
2Credential Access
Clipboard Data
1Input Capture
2GUI Input Capture
1Keylogging
1Discovery
Process Discovery
1Software Discovery
1Security Software Discovery
1System Information Discovery
2System Network Configuration Discovery
2System Network Connections Discovery
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4KB
MD57e858c4054eb00fcddc653a04e5cd1c6
SHA12e056bf31a8d78df136f02a62afeeca77f4faccf
SHA2569010186c5c083155a45673017d1e31c2a178e63cc15a57bbffde4d1956a23dad
SHA512d0c7a120940c8e637d5566ef179d01eff88a2c2650afda69ad2a46aad76533eaace192028bba3d60407b4e34a950e7560f95d9f9b8eebe361ef62897d88b30cb
-
Filesize
512B
MD546f5a5c335dc83d15687f235f39a23f2
SHA1d28b02a723bce4918f66d02c39956f064c092293
SHA256dbb87a8e4ad9d4691cde897d4a8633747673ff3b1f15130361afc473dad4cec4
SHA512880d6a4d4f051f68a94585e55747b67050745a7d7754f8f0bc2748da3ca26e341852c2f4b850024a2570db9487f2b959718c64541f2252588af81d03b41325f2
-
Filesize
32KB
MD5bb7df04e1b0a2570657527a7e108ae23
SHA15188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012
-
Filesize
16KB
MD57d3f025cd8e6de1c0c2a9d1254d5c2fc
SHA178ebfcbeab9080b66c65b6be93fbed184c60d09b
SHA2568c66bb9783991d4100e8fefbe7b31fb9d54820ee486f064961a5c652ae447a5d
SHA51200189d542d2c1fbe9f58f9ff0a2dd9b795aa09516ec091af2297282a174fbc12c83b795c2948ca03f60670859c11ef80561bec4a654fcd20468b81bd1ccf1e9f
-
Filesize
108KB
MD54e94b7b5368da26ab3e2af6985ba557b
SHA19d417e187693abdf0ff39e103810bf25dad68dc0
SHA2561f868f514364fdcb49994d17a576e6ca1127ce0be893d1eebc5641e5d503add7
SHA5122efc432d6227ff543f3e37bfe05937caef336838928af1ef451978db041e3c13f79d6b6bdd982070e751ad1b902f2d16b05da89fcecc6f280938205b9766e1c4
-
Filesize
173KB
MD54a7117a645f610aeec09ae8d3b1bb321
SHA1dd6ddd1aec227e34a3213dc70c8e3e030c25af0d
SHA2565fd6873928cc65c597be71801290a684f477337ade6cecdbb973e7c822a5dd91
SHA51224e28200b67b413ffa1e3b72957e1b78a7d0e9de700efbe0cdcde97bb35c06c44b2cdd799e768d635a783525f2659db01fc2806c22c6cfe994347025469ea4d5