Analysis
- max time kernel: 148s
- max time network: 153s
- platform: android-9_x86
- resource: android-x86-arm-20240910-en
- resource tags: arch:arm, arch:x86, image:android-x86-arm-20240910-en, locale:en-us, os:android-9-x86, system
- submitted: 18-09-2024 22:00

Static task
- static1

Behavioral task
- behavioral1
  Sample: 54c3247113d8d1e9d74b600f81366d6692b6b3fa25132abfde756847622526e5.apk
  Resource: android-x86-arm-20240910-en
- behavioral2
  Sample: 54c3247113d8d1e9d74b600f81366d6692b6b3fa25132abfde756847622526e5.apk
  Resource: android-x64-20240910-en
- behavioral3
  Sample: 54c3247113d8d1e9d74b600f81366d6692b6b3fa25132abfde756847622526e5.apk
  Resource: android-x64-arm64-20240910-en
General
- Target: 54c3247113d8d1e9d74b600f81366d6692b6b3fa25132abfde756847622526e5.apk
- Size: 4.5MB
- MD5: 5b53f91e9e759100e1dfe7e03fc0deb2
- SHA1: 51ce7983e44b54594d32ec0a34403f9b1e13ddd3
- SHA256: 54c3247113d8d1e9d74b600f81366d6692b6b3fa25132abfde756847622526e5
- SHA512: 9a432871126733d412e4beb2b85376628142c036ad3be6104de6d29e0404ac7ae33ba6b75b16784e978ac6091bf212d48e8e5a7c00a3734528f14948fb6c68fd
- SSDEEP: 98304:lzdtOIqoB/ZOQg1EgG2FUEOMmri2zeUN+Rz/Ds+ldlvkNK9:lzu+/4QSEt2y5jcRDw+l/MNK9
Malware Config
Extracted
- Family: hook
- URL: http://92.255.85.109
Signatures
- Hook
  Hook is an Android malware that is based on Ermac with RAT capabilities.
- Loads dropped Dex/Jar (1 TTPs, 3 IoCs)
  Runs executable file dropped to the device during analysis.
  Processes: com.mrakoryxh.nmnjqiqlt; /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.mrakoryxh.nmnjqiqlt/app_dex/classes.dex --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.mrakoryxh.nmnjqiqlt/app_dex/oat/x86/classes.odex --compiler-filter=quicken --class-loader-context=&
  IoCs (ioc / pid / process):
  - /data/user/0/com.mrakoryxh.nmnjqiqlt/app_dex/classes.dex / 4220 / com.mrakoryxh.nmnjqiqlt
  - /data/user/0/com.mrakoryxh.nmnjqiqlt/app_dex/classes.dex / 4246 / /system/bin/dex2oat (full command line above)
  - /data/user/0/com.mrakoryxh.nmnjqiqlt/app_dex/classes.dex / 4220 / com.mrakoryxh.nmnjqiqlt
- Makes use of the framework's Accessibility service (4 TTPs, 3 IoCs)
  Retrieves information displayed on the phone screen using AccessibilityService.
  Processes: com.mrakoryxh.nmnjqiqlt
  IoCs (description / ioc / process):
  - Framework service call / android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId / com.mrakoryxh.nmnjqiqlt
  - Framework service call / android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText / com.mrakoryxh.nmnjqiqlt
  - Framework service call / android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId / com.mrakoryxh.nmnjqiqlt
- Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 TTPs)
- Queries information about running processes on the device (1 TTPs, 1 IoCs)
  Application may abuse the framework's APIs to collect information about running processes on the device.
  Processes: com.mrakoryxh.nmnjqiqlt
  IoCs (description / ioc / process):
  - Framework service call / android.app.IActivityManager.getRunningAppProcesses / com.mrakoryxh.nmnjqiqlt
- Queries the phone number (MSISDN for GSM devices) (1 TTPs)
- Acquires the wake lock (1 IoCs)
  Processes: com.mrakoryxh.nmnjqiqlt
  IoCs (description / ioc / process):
  - Framework service call / android.os.IPowerManager.acquireWakeLock / com.mrakoryxh.nmnjqiqlt
- Makes use of the framework's foreground persistence service (1 TTPs, 1 IoCs)
  Application may abuse the framework's foreground service to continue running in the foreground.
  Processes: com.mrakoryxh.nmnjqiqlt
  IoCs (description / ioc / process):
  - Framework service call / android.app.IActivityManager.setServiceForeground / com.mrakoryxh.nmnjqiqlt
- Performs UI accessibility actions on behalf of the user (1 TTPs, 8 IoCs)
  Application may abuse the accessibility service to prevent its removal.
  Processes: com.mrakoryxh.nmnjqiqlt
  IoCs (ioc / process):
  - android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction / com.mrakoryxh.nmnjqiqlt (8 identical occurrences)
- Queries information about the current Wi-Fi connection (1 TTPs, 1 IoCs)
  Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
  Processes: com.mrakoryxh.nmnjqiqlt
  IoCs (description / ioc / process):
  - Framework service call / android.net.wifi.IWifiManager.getConnectionInfo / com.mrakoryxh.nmnjqiqlt
- Queries the mobile country code (MCC) (1 TTPs, 1 IoCs)
  Processes: com.mrakoryxh.nmnjqiqlt
  IoCs (description / ioc / process):
  - Framework service call / com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone / com.mrakoryxh.nmnjqiqlt
- Reads information about phone network operator (1 TTPs)
- Requests accessing notifications (often used to intercept notifications before users become aware) (1 TTPs, 1 IoCs)
  Processes: com.mrakoryxh.nmnjqiqlt
  IoCs (description / ioc / process):
  - Intent action / android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS / com.mrakoryxh.nmnjqiqlt
- Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTPs, 1 IoCs)
  Processes: com.mrakoryxh.nmnjqiqlt
  IoCs (description / ioc / process):
  - Framework service call / android.app.IActivityManager.registerReceiver / com.mrakoryxh.nmnjqiqlt
- Schedules tasks to execute at a specified time (1 TTPs, 1 IoCs)
  Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
  Processes: com.mrakoryxh.nmnjqiqlt
  IoCs (description / ioc / process):
  - Framework service call / android.app.job.IJobScheduler.schedule / com.mrakoryxh.nmnjqiqlt
- Uses Crypto APIs (might try to encrypt user data) (1 TTPs, 1 IoCs)
  Processes: com.mrakoryxh.nmnjqiqlt
  IoCs (description / ioc / process):
  - Framework API call / javax.crypto.Cipher.doFinal / com.mrakoryxh.nmnjqiqlt
- Checks CPU information (2 TTPs, 1 IoCs)
  Processes: com.mrakoryxh.nmnjqiqlt
  IoCs (description / ioc / process):
  - File opened for read / /proc/cpuinfo / com.mrakoryxh.nmnjqiqlt
- Checks memory information (2 TTPs, 1 IoCs)
  Processes: com.mrakoryxh.nmnjqiqlt
  IoCs (description / ioc / process):
  - File opened for read / /proc/meminfo / com.mrakoryxh.nmnjqiqlt
Processes
- com.mrakoryxh.nmnjqiqlt (PID 4220)
  - Loads dropped Dex/Jar
  - Makes use of the framework's Accessibility service
  - Queries information about running processes on the device
  - Acquires the wake lock
  - Makes use of the framework's foreground persistence service
  - Performs UI accessibility actions on behalf of the user
  - Queries information about the current Wi-Fi connection
  - Queries the mobile country code (MCC)
  - Requests accessing notifications (often used to intercept notifications before users become aware)
  - Registers a broadcast receiver at runtime (usually for listening for system events)
  - Schedules tasks to execute at a specified time
  - Uses Crypto APIs (might try to encrypt user data)
  - Checks CPU information
  - Checks memory information
  - Child process: /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.mrakoryxh.nmnjqiqlt/app_dex/classes.dex --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.mrakoryxh.nmnjqiqlt/app_dex/oat/x86/classes.odex --compiler-filter=quicken --class-loader-context=& (PID 4246)
    - Loads dropped Dex/Jar
Network
MITRE ATT&CK Mobile v15
- Persistence
  - Event Triggered Execution (1): Broadcast Receivers (1)
  - Foreground Persistence (1)
  - Scheduled Task/Job (1)
- Defense Evasion
  - Download New Code at Runtime (1)
  - Foreground Persistence (1)
  - Impair Defenses (1): Prevent Application Removal (1)
  - Input Injection (1)
  - Virtualization/Sandbox Evasion (2): System Checks (2)
- Credential Access
  - Access Notifications (1)
  - Input Capture (2): GUI Input Capture (1), Keylogging (1)
- Discovery
  - Process Discovery (1)
  - Software Discovery (1): Security Software Discovery (1)
  - System Information Discovery (2)
  - System Network Configuration Discovery (3)
  - System Network Connections Discovery (1)
Downloads