Resubmissions

10-10-2024 22:34

241010-2g5tbazgka 6

10-10-2024 22:17

241010-17vklazbqe 10

Analysis

  • max time kernel
    149s
  • max time network
    157s
  • platform
    android_x86
  • resource
    android-x86-arm-20240624-en
  • resource tags

    androidarch:armarch:x86image:android-x86-arm-20240624-enlocale:en-usos:android-9-x86system
  • submitted
    10-10-2024 22:17

General

  • Target

    baae85883ca0ee6910098ff917ee1765ba6d2924d84aae3c7c7f7aa759182652.apk

  • Size

    3.4MB

  • MD5

    f38d2620c8515dc267181f2b7c5f7232

  • SHA1

    7bad07f7354c51634aedfb07e23487ce94c2280c

  • SHA256

    baae85883ca0ee6910098ff917ee1765ba6d2924d84aae3c7c7f7aa759182652

  • SHA512

    caad18ae8bae9e5f63869b24a51bb0c4a63202c4c95a9e4d36272a0c11a35393a33b5ab9bde57e23473945e7065a6e45beaae02713b8cc0814612e16367fa59f

  • SSDEEP

    49152:pZR0YrmrgIJQMeCUNvtSUFvtklF21MgWvxeDvYWawxHvS4q5PUobDFfUfd3xvAzc:pZR0GSQi21MreDvYgxPHw7bD69cLE9

Malware Config

Extracted

Family

hook

C2

http://89.248.201.43

DES_key
AES_key

Signatures

  • Hook

    Hook is an Android malware that is based on Ermac with RAT capabilities.

  • Loads dropped Dex/Jar 1 TTPs 3 IoCs

    Runs executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Queries information about running processes on the device 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about running processes on the device.

  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Performs UI accessibility actions on behalf of the user 1 TTPs 5 IoCs

    Application may abuse the accessibility service to prevent their removal.

  • Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Reads information about phone network operator. 1 TTPs
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
  • Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
  • Checks CPU information 2 TTPs 1 IoCs
  • Checks memory information 2 TTPs 1 IoCs

Processes

  • com.gamkstsaf.xopshmzuo
    1⤵
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Queries information about running processes on the device
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries information about the current Wi-Fi connection
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Schedules tasks to execute at a specified time
    • Uses Crypto APIs (Might try to encrypt user data)
    • Checks CPU information
    • Checks memory information
    PID:4312
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.gamkstsaf.xopshmzuo/app_dex/classes.dex --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.gamkstsaf.xopshmzuo/app_dex/oat/x86/classes.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4340

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/com.gamkstsaf.xopshmzuo/app_dex/classes.dex

    Filesize

    2.9MB

    MD5

    e1495a9d3763521120baab7ad49993ae

    SHA1

    691a2c40a6f7bb433e0bae39a5905d1dbb760270

    SHA256

    d248dd160c174e59a057cfe9267200619974798fafc1bde37d1f8e4332510649

    SHA512

    ea986489613d7508d8f5dea3f96b83fad17bc05305a88db194b242e9395aad2ecbeeac912c2560a651a8d4de62d137ceac83c01960c7aed06b5bb832e6e78a77

  • /data/data/com.gamkstsaf.xopshmzuo/cache/classes.dex

    Filesize

    1.0MB

    MD5

    cf61a5a4974c3d0304fca4d245eabb47

    SHA1

    0f3f1ad8fefc524874a82e6a032da113f4185193

    SHA256

    9dc65bbf7ce55da341975d314041e77e842abafa420613bb0d8343edba4c005c

    SHA512

    2b508712edbed2801b0afe5ae5a3e942d015682e62c434bce1e0d428f67affc834c7dac7bdf84bb8c7110e9cae5a82dea0daab38af58af7d13e3f3f99c38d42d

  • /data/data/com.gamkstsaf.xopshmzuo/cache/classes.zip

    Filesize

    1.0MB

    MD5

    992105042c21c7e01ea901e587897027

    SHA1

    ddf97ce5c6b9abc5e0f773ae270ebab654f60218

    SHA256

    103a38a4203e405c846698bb23630e185bb0a17fbb99c1580859830e12ee5e46

    SHA512

    8e6ddb5e9cc9047d4ec1a15325c8562132ca587f71203ed8a0545170bb20f1078801c1a5c4a7d9de68173af135f8b870e70b1000a750e51b37fb13b45e763970

  • /data/data/com.gamkstsaf.xopshmzuo/no_backup/androidx.work.workdb

    Filesize

    4KB

    MD5

    f2b4b0190b9f384ca885f0c8c9b14700

    SHA1

    934ff2646757b5b6e7f20f6a0aa76c7f995d9361

    SHA256

    0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

    SHA512

    ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

  • /data/data/com.gamkstsaf.xopshmzuo/no_backup/androidx.work.workdb-journal

    Filesize

    512B

    MD5

    8b99977ba3bd1e0dabfbf9ac673ea142

    SHA1

    fcc6cdb48951ac1eed338ccdc4bed18bbaf5f817

    SHA256

    922e4d655d385bca678f84917892ac32a9ac5bc387dbdb60a3e0591833e55523

    SHA512

    6bb66c4a4922c887d9ab44380978e0200eb521bac2a84d0b5e1279957f7b3c2f629656dd182e6ca502a947377fd57d05e59c0600374f4715792b556542ae48b6

  • /data/data/com.gamkstsaf.xopshmzuo/no_backup/androidx.work.workdb-shm

    Filesize

    32KB

    MD5

    bb7df04e1b0a2570657527a7e108ae23

    SHA1

    5188431849b4613152fd7bdba6a3ff0a4fd6424b

    SHA256

    c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

    SHA512

    768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

  • /data/data/com.gamkstsaf.xopshmzuo/no_backup/androidx.work.workdb-wal

    Filesize

    108KB

    MD5

    d5e030beffa3953f68709c793452d843

    SHA1

    a8b4e6eab56d5e5160f54389b1b2799e5f3073e7

    SHA256

    44f8acc11cca7eff6f3953add0ccc338054adac0406f8b64564ff1d9f2698769

    SHA512

    7d912d147ed1033f499a6027ea4ca910751d82af3e091ffa333f7eb7171f6f82df2f5054cdf7951d73218aafb7564c600e38181aa0e391a64f96aa0dbeeb710b

  • /data/data/com.gamkstsaf.xopshmzuo/no_backup/androidx.work.workdb-wal

    Filesize

    173KB

    MD5

    b0e44f5070b83424c7103f9fcdf4f3a0

    SHA1

    f26a956a72d4cc2a3d911f01f94cb2f4b07d4932

    SHA256

    8ca4eb9f9aa491b1be502b55c1759f8a2337cd609f062f72cb421ee9162d5d3b

    SHA512

    42603f3a4e248ab988f925f42745b4be374c82679d673d5b38d88b5a7fa5759f4786dc9b9aaa4f64e78171d98b494802247965921ddf4757f637ce51bba20dbb

  • /data/data/com.gamkstsaf.xopshmzuo/no_backup/androidx.work.workdb-wal

    Filesize

    16KB

    MD5

    681925eb224abfd1625a9f4853c2827c

    SHA1

    07b39c87ff1923c10f1029cd3a75e5386a8f9554

    SHA256

    72a524ad27404e231a1d95ed148066f3f7f887c190851573fb1000a190b2b270

    SHA512

    6e4c31ed6506966b5f2b875034c61dfdbb952c30f75a70ccdb8786746978c8761634416ba072e9cd0275a3c74d9f26bbb7174d052ffc42a3e8dcc0757f39d980

  • /data/user/0/com.gamkstsaf.xopshmzuo/app_dex/classes.dex

    Filesize

    2.9MB

    MD5

    a8a53fb275303f7438582502d17943e4

    SHA1

    6999a3b8f1651247265fd9c779d3e8d52864a3ba

    SHA256

    21885efeb17d140f446c27a0af3ef00c1df33589706581bad02f85aa967d1dee

    SHA512

    870c9b8ab7f1ff3757b6aae52bb860b2a089728c5f4f01a564f85b070fce569e6e3fd20c594762fafda86bb3489fe881f636a695116e2b5319ee64fb5ea83d25