Analysis
max time kernel: 147s
max time network: 155s
platform: android_x86
resource: android-x86-arm-20240624-en
resource tags: android, arch:arm, arch:x86, image:android-x86-arm-20240624-en, locale:en-us, os:android-9-x86, system
submitted: 07-10-2024 22:04

Static task: static1

Behavioral task: behavioral1
Sample: 3fb8abfe4878d0644588effa1a2fe6fa55caaf3df800fc2dd34a60c82aecc70a.apk
Resource: android-x86-arm-20240624-en

Behavioral task: behavioral2
Sample: 3fb8abfe4878d0644588effa1a2fe6fa55caaf3df800fc2dd34a60c82aecc70a.apk
Resource: android-x64-20240624-en

Behavioral task: behavioral3
Sample: 3fb8abfe4878d0644588effa1a2fe6fa55caaf3df800fc2dd34a60c82aecc70a.apk
Resource: android-x64-arm64-20240910-en

General
Target: 3fb8abfe4878d0644588effa1a2fe6fa55caaf3df800fc2dd34a60c82aecc70a.apk
Size: 3.4MB
MD5: 40ae63de85092c97b7ab5e40733e22e3
SHA1: bb31eef59dbd915d0510f48b73214fd47871e547
SHA256: 3fb8abfe4878d0644588effa1a2fe6fa55caaf3df800fc2dd34a60c82aecc70a
SHA512: 026ee1c5a35295fc4eba6c8bf3f371ae0ea948727032874b0db5f028d96307f7fd3f14dad5a1d274b5d642a571e7d81a7352951f27a2f177f801c972d10c8fdd
SSDEEP: 98304:BTdMGFUcKx8r3NINj9ts99tNitbUDPR2ybP++PhjIo51VFw:ZdZBDrdqfs9MtgjR2ybmqpLw

Malware Config
Extracted family: hook
C2 (from the extracted config): http://85.209.11.193
Signatures

Hook
Hook is Android malware based on the ERMAC banking trojan, extended with RAT (remote-control) capabilities.

Loads dropped Dex/Jar (1 TTPs, 3 IoCs)
Loads a DEX/JAR file that was written to the device during analysis, i.e. code that is not part of the installed APK. Here the app writes /data/user/0/com.ehmygokzi.cjbpfdbdj/app_dex/classes.dex into its private storage and has ART compile it with dex2oat (the --compiler-filter=quicken and --class-loader-context=& options in the recorded command line are the ones ART uses for dex files loaded through a custom class loader rather than from the APK).
Processes: com.ehmygokzi.cjbpfdbdj, /system/bin/dex2oat
ioc | pid | process
/data/user/0/com.ehmygokzi.cjbpfdbdj/app_dex/classes.dex | 4264 | com.ehmygokzi.cjbpfdbdj
/data/user/0/com.ehmygokzi.cjbpfdbdj/app_dex/classes.dex | 4290 | /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.ehmygokzi.cjbpfdbdj/app_dex/classes.dex --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.ehmygokzi.cjbpfdbdj/app_dex/oat/x86/classes.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/com.ehmygokzi.cjbpfdbdj/app_dex/classes.dex | 4264 | com.ehmygokzi.cjbpfdbdj
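The dex2oat command line recorded above is the trace an analyst gets when an app hands ART a DEX it wrote itself at runtime. The following is an added example, not part of the sandbox report or of any Triage tooling: it parses such a command line into its options and flags the dex as runtime-loaded when it sits in app-private storage. The command line is the one from this page; the classification rule (anything under /data/user/<n>/<pkg>/ or /data/data/<pkg>/ is app-private, while code shipped in the APK lives under /data/app/) is this example's own assumption.

```python
"""Parse an ART dex2oat invocation and decide whether the dex being compiled was
loaded at runtime from the app's private storage (added example; the path rule
below is an assumption of this example, not something the report states)."""
import re
import shlex
from typing import Dict, Optional

# Exact command line recorded for PID 4290 in the report above.
DEX2OAT_CMDLINE = (
    "/system/bin/dex2oat --instruction-set=x86 "
    "--instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt "
    "--runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate "
    "--boot-image=/system/framework/boot.art --runtime-arg -Xms64m "
    "--runtime-arg -Xmx512m --instruction-set-variant=x86 "
    "--instruction-set-features=default --inline-max-code-units=0 "
    "--compact-dex-level=none "
    "--dex-file=/data/user/0/com.ehmygokzi.cjbpfdbdj/app_dex/classes.dex "
    "--output-vdex-fd=41 --oat-fd=42 "
    "--oat-location=/data/user/0/com.ehmygokzi.cjbpfdbdj/app_dex/oat/x86/classes.odex "
    "--compiler-filter=quicken --class-loader-context=&"
)

# Assumed app-private storage roots; APK code itself is installed under /data/app/.
APP_PRIVATE = re.compile(r"^/data/(?:user/\d+|data)/(?P<pkg>[A-Za-z0-9_.]+)/")


def parse_dex2oat(cmdline: str) -> Dict[str, Optional[str]]:
    """Return the --key=value options of a dex2oat command line as a dict.

    A repeated option keeps its last value (the trace above passes
    --instruction-set-features twice). Every '--runtime-arg X' pair is
    collected, in order, into the single 'runtime-args' entry.
    """
    argv = shlex.split(cmdline)
    opts: Dict[str, Optional[str]] = {"binary": argv[0], "runtime-args": ""}
    i = 1
    while i < len(argv):
        tok = argv[i]
        if tok == "--runtime-arg" and i + 1 < len(argv):
            opts["runtime-args"] = (opts["runtime-args"] + " " + argv[i + 1]).strip()
            i += 2
            continue
        key, sep, value = tok.lstrip("-").partition("=")
        opts[key] = value if sep else None  # bare flag -> None
        i += 1
    return opts


def runtime_loaded_dex(cmdline: str) -> Optional[str]:
    """Return the owning package name when --dex-file points into app-private
    storage (code written at runtime), or None when it does not."""
    dex = parse_dex2oat(cmdline).get("dex-file") or ""
    m = APP_PRIVATE.match(dex)
    return m.group("pkg") if m else None


if __name__ == "__main__":
    opts = parse_dex2oat(DEX2OAT_CMDLINE)
    print("dex-file:        ", opts["dex-file"])
    print("compiler-filter: ", opts["compiler-filter"])
    print("runtime-loaded by:", runtime_loaded_dex(DEX2OAT_CMDLINE))
```

The artefact worth pulling from the device or the sandbox is the --dex-file path itself (app_dex/classes.dex); the hashes listed under Downloads below are the values to compare it against.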
Makes use of the framework's Accessibility service (4 TTPs, 3 IoCs)
Retrieves information displayed on the phone screen using AccessibilityService.
Processes: com.ehmygokzi.cjbpfdbdj
description | ioc | process
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | com.ehmygokzi.cjbpfdbdj
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | com.ehmygokzi.cjbpfdbdj
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | com.ehmygokzi.cjbpfdbdj

Queries a list of all the installed applications on the device (1 TTPs)
Might be used in an attempt to overlay legitimate apps.

Queries information about running processes on the device (1 TTPs, 1 IoCs)
Application may abuse the framework's APIs to collect information about running processes on the device.
Processes: com.ehmygokzi.cjbpfdbdj
description | ioc | process
Framework service call | android.app.IActivityManager.getRunningAppProcesses | com.ehmygokzi.cjbpfdbdj

Queries the phone number (MSISDN for GSM devices) (1 TTPs)

Acquires the wake lock (1 IoCs)
Processes: com.ehmygokzi.cjbpfdbdj
description | ioc | process
Framework service call | android.os.IPowerManager.acquireWakeLock | com.ehmygokzi.cjbpfdbdj

Makes use of the framework's foreground persistence service (1 TTPs, 1 IoCs)
Application may abuse the framework's foreground service to keep running in the foreground.
Processes: com.ehmygokzi.cjbpfdbdj
description | ioc | process
Framework service call | android.app.IActivityManager.setServiceForeground | com.ehmygokzi.cjbpfdbdj

Performs UI accessibility actions on behalf of the user (1 TTPs, 5 IoCs)
Application may abuse the accessibility service to prevent its own removal.
Processes: com.ehmygokzi.cjbpfdbdj
ioc | process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | com.ehmygokzi.cjbpfdbdj (5 calls recorded)

Queries information about the current Wi-Fi connection (1 TTPs, 1 IoCs)
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
Processes: com.ehmygokzi.cjbpfdbdj
description | ioc | process
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | com.ehmygokzi.cjbpfdbdj

Queries the mobile country code (MCC) (1 TTPs, 1 IoCs)
Processes: com.ehmygokzi.cjbpfdbdj
description | ioc | process
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | com.ehmygokzi.cjbpfdbdj

Reads information about the phone network operator (1 TTPs)

Requests access to notifications (often used to intercept notifications before users become aware of them) (1 TTPs, 1 IoCs)
Processes: com.ehmygokzi.cjbpfdbdj
description | ioc | process
Intent action | android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS | com.ehmygokzi.cjbpfdbdj

Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTPs, 1 IoCs)
Processes: com.ehmygokzi.cjbpfdbdj
description | ioc | process
Framework service call | android.app.IActivityManager.registerReceiver | com.ehmygokzi.cjbpfdbdj

Schedules tasks to execute at a specified time (1 TTPs, 1 IoCs)
Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
Processes: com.ehmygokzi.cjbpfdbdj
description | ioc | process
Framework service call | android.app.job.IJobScheduler.schedule | com.ehmygokzi.cjbpfdbdj

Uses Crypto APIs (might try to encrypt user data) (1 TTPs, 1 IoCs)
Processes: com.ehmygokzi.cjbpfdbdj
description | ioc | process
Framework API call | javax.crypto.Cipher.doFinal | com.ehmygokzi.cjbpfdbdj

Checks CPU information (2 TTPs, 1 IoCs)
Processes: com.ehmygokzi.cjbpfdbdj
description | ioc | process
File opened for read | /proc/cpuinfo | com.ehmygokzi.cjbpfdbdj

Checks memory information (2 TTPs, 1 IoCs)
Processes: com.ehmygokzi.cjbpfdbdj
description | ioc | process
File opened for read | /proc/meminfo | com.ehmygokzi.cjbpfdbdj
Processes

com.ehmygokzi.cjbpfdbdj (PID 4264)
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Queries information about running processes on the device
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries information about the current Wi-Fi connection
- Queries the mobile country code (MCC)
- Requests access to notifications (often used to intercept notifications before users become aware of them)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Schedules tasks to execute at a specified time
- Uses Crypto APIs (might try to encrypt user data)
- Checks CPU information
- Checks memory information

  child of PID 4264: /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.ehmygokzi.cjbpfdbdj/app_dex/classes.dex --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.ehmygokzi.cjbpfdbdj/app_dex/oat/x86/classes.odex --compiler-filter=quicken --class-loader-context=& (PID 4290)
  - Loads dropped Dex/Jar
Network
MITRE ATT&CK Mobile v15

Persistence
- Event Triggered Execution (1)
- Broadcast Receivers (1)
- Foreground Persistence (1)
- Scheduled Task/Job (1)

Defense Evasion
- Download New Code at Runtime (1)
- Foreground Persistence (1)
- Impair Defenses (1)
- Prevent Application Removal (1)
- Input Injection (1)
- Virtualization/Sandbox Evasion (2)
- System Checks (2)

Credential Access
- Access Notifications (1)
- Input Capture (2)
- GUI Input Capture (1)
- Keylogging (1)

Discovery
- Process Discovery (1)
- Software Discovery (1)
- Security Software Discovery (1)
- System Information Discovery (2)
- System Network Configuration Discovery (3)
- System Network Connections Discovery (1)
Downloads

- Filesize: 2.9MB
  MD5: 7df07a8e0ba5aa9ada1285c7226efbee
  SHA1: d00d6c228a1e33db46e348283897bcc081218c9f
  SHA256: e172cb64a5bc8d8da5102b02cb4f242e4e42daa735657363a8aed7e26b1436ed
  SHA512: 8828274c08305d4e96f37474ffade446ee271ecc829f092cf0c184fd68ef65c2d2d1a71d730332d6637344a993a8cbbe2a2e3df259071c5b00ebc15084e8a684

- Filesize: 1.0MB
  MD5: a06a80d3cd1e299ee92a541d8634c67c
  SHA1: caf3809ee0de695c06b69c7cebc87655b42bb06a
  SHA256: 837111a5f17f0ca1b122c33a16be54130d43d73ac1ce9faa2e65c1f9f133787d
  SHA512: c330d0b042e00aa00014a06fe42ea121879ea600a803bfd58e3943c06df55bc4444b3f4f59f503b7814137b2ba732a594f22db15c71f3a65e05fd4116621e64e

- Filesize: 1.0MB
  MD5: 6ba0782b490600a3648790c4b4ff16fb
  SHA1: 73f337518576de9c4c46e5f8dfe6681e470ab595
  SHA256: 23e114be70367b63e463223dcf96eab32672bc3c275424cf185b061c6cf2b176
  SHA512: 9fba89d8850f26c2f164f8cd107c38d3db1a63a5b69c610b07ce3b1af543f296109580d8fe3f509f9a0f9fd94e8168a3ba17664e6eb90afa6143dd553bcc790b

- Filesize: 4KB
  MD5: f2b4b0190b9f384ca885f0c8c9b14700
  SHA1: 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
  SHA256: 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
  SHA512: ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

- Filesize: 512B
  MD5: a19b997ea7bd22f5065b2b841ad9bff2
  SHA1: e4e9c3618c1c58666901dbe10b47f4a1e3e3b047
  SHA256: b5a54f2445f0972344c033cc45dfbab290a1adf0132d46ba20dc4ddfe225e87e
  SHA512: 0c02eb6fe3d17418cd57fee5fb16559f58d3fff199dc3bbcb15f35348c0666ce60bffadf69fd8de303f03e28427fd06a9c88d30097409e9ccac2c20928b746d2

- Filesize: 32KB
  MD5: bb7df04e1b0a2570657527a7e108ae23
  SHA1: 5188431849b4613152fd7bdba6a3ff0a4fd6424b
  SHA256: c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
  SHA512: 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

- Filesize: 108KB
  MD5: a42fc0c2aef2a803e5478b82bb9f53ff
  SHA1: 25244a86a07efae3de6d3b9078e23c6b2ebbfe4a
  SHA256: 08f998c85c5b257980e6fc47051c1f2b27b2cfaf3a3a033ad5d0d526507cd708
  SHA512: 388588e2804f078606e6b06286badaea74ccbefaf0c0d8a0acb7090fb89327d5b0a7bcb4663362bbfe1d0ab33dd37907d883498403c33114a765e1a68d788673

- Filesize: 173KB
  MD5: 5a1d9b95433974d209e6ab904606bd81
  SHA1: c29a5571356775c4350e51ef980f60cb4ca7edc1
  SHA256: 6a7f20dc403923408680f9d226f6309f083b7277860e3ff745b390b1b22f2946
  SHA512: ffdbf9ab3133d35328ce05cdf1af334786ff0d57f6ddd1b05957e1c3d54aac988e0313a535bd2590aa46a418e2f28c8f3c1dfcdffa100f95a6de3be55f29e81d

- Filesize: 16KB
  MD5: 45f588f8dc22d944953248155471f28c
  SHA1: 36097c606b4f8c44b1c82d6dd1548b5f07a08a53
  SHA256: b83a6a2da9fb0d6910e0c8f06d2cc6562974349ef37c6c782cfda74dc4720e76
  SHA512: bf26cd240b0ef86526f9d6b0af122d0f01f380bf8cb94dc0e5c08121e12d60c8b60bf342c08dd790ad8f5311321be611f54dbd43da53396a138cdedd3aa58431

- Filesize: 2.9MB
  MD5: 2b4be443eaf9ba1a12d2f679907c3cc3
  SHA1: b9022e94e9444ea8436d60366de9c18428773c7d
  SHA256: 094903c8fca0b6457b741ca7fa0525550ce80536448280e070531443c3280445
  SHA512: 749eedcc868a95aec89f8a5dd1a1da935ac500a1d945daee17eae23ab1ec7f7fce89c34266fb3911fcff4470437a4151503362dd235427ef77fd9afc7f1a8d2d
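The sample hashes, the four largest files from the Downloads list, the extracted C2 address and the package name are the indicators a responder would sweep for. The following is an added example, not part of the sandbox report or of any Triage tooling: a small matcher that normalises hashes by length and case, extracts a host from a bare address, host:port or URL, and runs the report's indicators over host records. The key=value record format and the sample records are constructed here for illustration; the smaller Downloads entries can be added to IOC_HASHES the same way.

```python
"""Sweep host records for the indicators published in this report (added
example; indicator values are copied from the page, the key=value record format
and the sample records below are constructed for illustration)."""
from typing import Dict, List
from urllib.parse import urlsplit

# Indicators from this report, lower-case hex -> label.
IOC_HASHES: Dict[str, str] = {
    "3fb8abfe4878d0644588effa1a2fe6fa55caaf3df800fc2dd34a60c82aecc70a": "sample sha256",
    "40ae63de85092c97b7ab5e40733e22e3": "sample md5",
    "bb31eef59dbd915d0510f48b73214fd47871e547": "sample sha1",
    # files recorded under Downloads (first 2.9MB, both 1.0MB, last 2.9MB entries)
    "e172cb64a5bc8d8da5102b02cb4f242e4e42daa735657363a8aed7e26b1436ed": "download 2.9MB (1)",
    "837111a5f17f0ca1b122c33a16be54130d43d73ac1ce9faa2e65c1f9f133787d": "download 1.0MB (1)",
    "23e114be70367b63e463223dcf96eab32672bc3c275424cf185b061c6cf2b176": "download 1.0MB (2)",
    "094903c8fca0b6457b741ca7fa0525550ce80536448280e070531443c3280445": "download 2.9MB (2)",
}
IOC_C2_HOSTS = {"85.209.11.193"}            # extracted Hook config
IOC_PACKAGES = {"com.ehmygokzi.cjbpfdbdj"}  # package name observed in the run

HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}


def parse_record(line: str) -> Dict[str, str]:
    """Parse one 'k=v k=v ...' record line (constructed format) into a dict."""
    rec: Dict[str, str] = {}
    for field in line.split():
        key, sep, value = field.partition("=")
        if sep:
            rec[key.lower()] = value
    return rec


def host_of(value: str) -> str:
    """Return the host from a bare host, a host:port pair or a full URL."""
    if "://" in value:
        return urlsplit(value).hostname or ""
    # one colon means host:port; more than one is an IPv6 literal, keep as is
    return value.rsplit(":", 1)[0] if value.count(":") == 1 else value


def match_record(rec: Dict[str, str]) -> List[str]:
    """Return the reasons this record matches the report's indicators."""
    hits: List[str] = []
    for key in ("md5", "sha1", "sha256", "hash"):
        h = rec.get(key, "").lower()
        if len(h) in HASH_LENGTHS and h in IOC_HASHES:
            hits.append(f"{HASH_LENGTHS[len(h)]} matches {IOC_HASHES[h]}")
    for key in ("dst", "url", "host"):
        if rec.get(key) and host_of(rec[key]) in IOC_C2_HOSTS:
            hits.append(f"connection to Hook C2 {host_of(rec[key])}")
    for key in ("pkg", "package"):
        if rec.get(key) in IOC_PACKAGES:
            hits.append(f"package {rec[key]} from report")
    return hits


def sweep(lines: List[str]) -> List[Dict[str, object]]:
    """Run match_record over record lines and return only the matching ones."""
    out: List[Dict[str, object]] = []
    for n, line in enumerate(lines, 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        reasons = match_record(parse_record(line))
        if reasons:
            out.append({"line": n, "record": line, "reasons": reasons})
    return out


# Constructed sample records: lines 1 and 3 should match, 2 and 4 should not.
SAMPLE_RECORDS = [
    "type=file path=/sdcard/Download/update.apk sha256=3FB8ABFE4878D0644588EFFA1A2FE6FA55CAAF3DF800FC2DD34A60C82AECC70A",
    "type=file path=/sdcard/Download/photo.jpg sha256=0000000000000000000000000000000000000000000000000000000000000000",
    "type=net pkg=com.ehmygokzi.cjbpfdbdj dst=85.209.11.193:80 proto=tcp",
    "type=net pkg=com.android.chrome dst=https://www.google.com/ proto=tcp",
]

if __name__ == "__main__":
    for hit in sweep(SAMPLE_RECORDS):
        print(hit["line"], hit["reasons"])
```

A matching hash on a file in the app's private directory is the strongest signal here, since the dex is written there at runtime; a bare connection to 85.209.11.193 from any package is still worth triaging because the C2 address comes from the extracted config, not from a behaviour that only this build shows.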