Analysis
-
max time kernel
148s -
max time network
153s -
platform
android-9_x86 -
resource
android-x86-arm-20240910-en -
resource tags
-
submitted
19-09-2024 22:11
General
-
Target
dbadc144b3a6e61098cd156b4b1085a57a8119b107fb6eb8fd3928c13e4d6295.apk
-
Size
4.5MB
-
MD5
3ea4f44dd292b731aec68ef4d3f94182
-
SHA1
7594bde1952ab5489a9cf6747b27ece6d22a397e
-
SHA256
dbadc144b3a6e61098cd156b4b1085a57a8119b107fb6eb8fd3928c13e4d6295
-
SHA512
049dd112c522cbd63c2ddf74a8f1e2935a480c5609824f597a9c26c85c8e9ed08505fedc3b1969ba389e2670a606ed02caf5d70c2478fc5f6694e5c2f02bcc60
-
SSDEEP
98304:euldjJicozFsd4w9TSmOka5R8oeSCiDUHm37VaNU0eXzod3PVON:egftqFsSwRJO4oe+eA7Vdrei
Malware Config
Extracted
hook
http://92.255.85.109
Signatures
-
Hook
Hook is an Android malware that is based on Ermac with RAT capabilities.
-
Loads dropped Dex/Jar 1 TTPs 3 IoCs
Runs executable file dropped to the device during analysis.
-
Makes use of the framework's Accessibility service 4 TTPs 3 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
-
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries information about running processes on the device 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about running processes on the device.
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Acquires the wake lock 1 IoCs
-
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
-
Performs UI accessibility actions on behalf of the user 1 TTPs 8 IoCs
Application may abuse the accessibility service to prevent their removal.
-
Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
-
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
-
Reads information about phone network operator. 1 TTPs
-
Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
-
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
-
Schedules tasks to execute at a specified time 1 TTPs 1 IoCs
Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
-
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
-
Checks CPU information 2 TTPs 1 IoCs
-
Checks memory information 2 TTPs 1 IoCs
Processes
-
com.fylzuyfht.fmtkupzpg1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Queries information about running processes on the device
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries information about the current Wi-Fi connection
- Queries the mobile country code (MCC)
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Schedules tasks to execute at a specified time
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
-
/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.fylzuyfht.fmtkupzpg/app_dex/classes.dex --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.fylzuyfht.fmtkupzpg/app_dex/oat/x86/classes.odex --compiler-filter=quicken --class-loader-context=&2⤵
- Loads dropped Dex/Jar
-
Network
MITRE ATT&CK Mobile v15
Persistence
Event Triggered Execution
1Broadcast Receivers
1Foreground Persistence
1Scheduled Task/Job
1Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Impair Defenses
1Prevent Application Removal
1Input Injection
1Virtualization/Sandbox Evasion
2System Checks
2Credential Access
Access Notifications
1Input Capture
2GUI Input Capture
1Keylogging
1Discovery
Process Discovery
1Software Discovery
1Security Software Discovery
1System Information Discovery
2System Network Configuration Discovery
3System Network Connections Discovery
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.9MB
MD556467dcc77721194e6e5364a82cd4ba4
SHA17de6d72f6f19d0fdbb5f2603cdc67943e163fbc9
SHA256411f338ae8d2e4f084b5eed03c4d331ecd7d18cc614b53a3042a34fa1b34624c
SHA512dfe20b4b33c07f0173d6ba2d59d3720456c9f438442ad418a1f5962cbe7ce3e9fb502605ee4c46b0f8cd293decad3f6b6625b356663495aec90da042f16317b2
-
Filesize
1.0MB
MD545431be1bffe68dce0763c8ad0ba0339
SHA1e95723db5a4a6bc32d11d71c8315419dc4a4c419
SHA256f792b13f1e67e11ce1488dbe807f21738c6be378d10df3e2c12951b1268cb729
SHA512fe30ee8f3cf2cf8987922ed856aacfa36586d8fcab8d742d6f75a2b23c7d37c257462c20e08e2599bcc8c8855d7db9e00561c2ac05ff4739212cd6d3672f3d1f
-
Filesize
1.0MB
MD5c5cfac931b31d620d692c964e8dd4111
SHA1b4c3bbd39ea275e241f23f406a2c43a08ea07ced
SHA256290c4d23d2f9a55a9b9a2e10da62878cf155a04b85f4de069eafd759a2979c6b
SHA51222d47c4d8ea0ef582fd86627abd95538cbcb2de71ef70d21cf66cb8d4c974e5932ff41fe3980652c25124ce88b4b3d8402ed23c588f64799777ffcbbb7a27822
-
Filesize
4KB
MD5f2b4b0190b9f384ca885f0c8c9b14700
SHA1934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA2560a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1
-
Filesize
512B
MD5f11c1ffeb2794904a74ae934c3d67eff
SHA16e84878335238775879f030863d0ae9b038c951d
SHA256c435bd3f91a3e1c0fed78edacf5df9d44dc8a88f858e5b37f3cbb83cbb5272f4
SHA512f3803e500440aed3be69b6953fb2f1088cdc997f2da3f1d59c6947bf774bab76019b6d6161711754712f256bff09b1c6d236ec4eb375e857eece18215e23cd88
-
Filesize
32KB
MD5bb7df04e1b0a2570657527a7e108ae23
SHA15188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012
-
Filesize
108KB
MD50e33ae1f20226aa1d57f624b5c64a411
SHA1be1a2f15ec8930dafef5d860c5be46eec7525984
SHA25649a7a02056c263c927d608965e51b4486437f3ade44d01b89fe3f254c36896f3
SHA512db7df7b1ee9233fcd2bc7a73bc6501883d2383e349c6274fc127f534bc81b91c274f0bc46e6181ad4bdbe6aa79a766ab7eaf510a869f5a2f311a687779062891
-
Filesize
173KB
MD5657257e46e139071a3407fcdfa3015cd
SHA1682c9abdba2a7abe08d00167c4d9a715269373e3
SHA256465cc122c96e835e4145bb86a63d86de6a927292ee536090386c014282661d50
SHA5127213f8df9e03db31d76ea4ef0210d34447ea0a85f804d29fcef0f0a2107b5028c0ebce721b8789401c4b70804401ed52298e008d9ca8cc101618374a351c0e3a
-
Filesize
16KB
MD5cb83872564ceb30613c58a50df1f4112
SHA162d1ab439198ca8e585a4f3c0e02e5cf45028b63
SHA256606b83926d5281f2a82738d7aabbc1008c44495c067f066ba47fcc26b44f016d
SHA5129beafbe9abfa37c98560c5ebdcdf38326789558c84d02a2fcbfab590e811999261a17d34fd2e1e637045f0c188b68429d0d3629a61829b4f0ded7fc550f777ad
-
Filesize
2.9MB
MD59db457d17fbf24160059dde21d2e0178
SHA1b013302c0a9c5a95520e13d3acb415610b0c2a1c
SHA256520d9cf31d72ad532ff5e9e265af02e7d8649861911b39a7b810933528fc4a68
SHA51242aa3102156a339ba29489183f3f193b153d6f8e0d188223de6770c5b0960afdd738d08f17149bef813a4ab7b57ff72514129fed832b0b39a7c1c80da36b96e6