Analysis
max time kernel: 149s
max time network: 157s
platform: android_x86
resource: android-x86-arm-20240624-en
resource tags: android, arch:arm, arch:x86, image:android-x86-arm-20240624-en, locale:en-us, os:android-9-x86, system
submitted: 10-10-2024 22:17
Static task: static1
Behavioral task: behavioral1
  Sample: baae85883ca0ee6910098ff917ee1765ba6d2924d84aae3c7c7f7aa759182652.apk
  Resource: android-x86-arm-20240624-en
Behavioral task: behavioral2
  Sample: baae85883ca0ee6910098ff917ee1765ba6d2924d84aae3c7c7f7aa759182652.apk
  Resource: android-x64-20240910-en
Behavioral task: behavioral3
  Sample: baae85883ca0ee6910098ff917ee1765ba6d2924d84aae3c7c7f7aa759182652.apk
  Resource: android-x64-arm64-20240910-en
General
Target: baae85883ca0ee6910098ff917ee1765ba6d2924d84aae3c7c7f7aa759182652.apk
Size: 3.4MB
MD5: f38d2620c8515dc267181f2b7c5f7232
SHA1: 7bad07f7354c51634aedfb07e23487ce94c2280c
SHA256: baae85883ca0ee6910098ff917ee1765ba6d2924d84aae3c7c7f7aa759182652
SHA512: caad18ae8bae9e5f63869b24a51bb0c4a63202c4c95a9e4d36272a0c11a35393a33b5ab9bde57e23473945e7065a6e45beaae02713b8cc0814612e16367fa59f
SSDEEP: 49152:pZR0YrmrgIJQMeCUNvtSUFvtklF21MgWvxeDvYWawxHvS4q5PUobDFfUfd3xvAzc:pZR0GSQi21MreDvYgxPHw7bD69cLE9
Malware Config
Extracted
Family: hook
C2: http://89.248.201.43
Signatures

Hook
Hook is an Android malware family based on Ermac, extended with RAT capabilities.

Loads dropped Dex/Jar (1 TTP, 3 IoCs)
Runs an executable file dropped to the device during analysis. The DEX is compiled by dex2oat from the app's private data directory (/data/user/0/com.gamkstsaf.xopshmzuo/app_dex/) rather than from the installed APK, which is what marks it as written at runtime.
Processes:
  ioc: /data/user/0/com.gamkstsaf.xopshmzuo/app_dex/classes.dex; pid: 4312; process: com.gamkstsaf.xopshmzuo
  ioc: /data/user/0/com.gamkstsaf.xopshmzuo/app_dex/classes.dex; pid: 4340; process: /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.gamkstsaf.xopshmzuo/app_dex/classes.dex --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.gamkstsaf.xopshmzuo/app_dex/oat/x86/classes.odex --compiler-filter=quicken --class-loader-context=&
  ioc: /data/user/0/com.gamkstsaf.xopshmzuo/app_dex/classes.dex; pid: 4312; process: com.gamkstsaf.xopshmzuo

Makes use of the framework's Accessibility service (4 TTPs, 3 IoCs)
Retrieves information displayed on the phone screen using AccessibilityService.
Processes:
  description: Framework service call; ioc: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId; process: com.gamkstsaf.xopshmzuo
  description: Framework service call; ioc: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText; process: com.gamkstsaf.xopshmzuo
  description: Framework service call; ioc: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId; process: com.gamkstsaf.xopshmzuo

Queries a list of all the installed applications on the device (1 TTP)
Might be used in an attempt to overlay legitimate apps.

Queries information about running processes on the device (1 TTP, 1 IoC)
Application may abuse the framework's APIs to collect information about running processes on the device.
Processes:
  description: Framework service call; ioc: android.app.IActivityManager.getRunningAppProcesses; process: com.gamkstsaf.xopshmzuo

Queries the phone number (MSISDN for GSM devices) (1 TTP)

Acquires the wake lock (1 IoC)
Processes:
  description: Framework service call; ioc: android.os.IPowerManager.acquireWakeLock; process: com.gamkstsaf.xopshmzuo

Makes use of the framework's foreground persistence service (1 TTP, 1 IoC)
Application may abuse the framework's foreground service to continue running in the foreground.
Processes:
  description: Framework service call; ioc: android.app.IActivityManager.setServiceForeground; process: com.gamkstsaf.xopshmzuo

Performs UI accessibility actions on behalf of the user (1 TTP, 5 IoCs)
Application may abuse the accessibility service to prevent its own removal.
Processes:
  ioc: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction; process: com.gamkstsaf.xopshmzuo (5 calls recorded)

Queries information about the current Wi-Fi connection (1 TTP, 1 IoC)
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
Processes:
  description: Framework service call; ioc: android.net.wifi.IWifiManager.getConnectionInfo; process: com.gamkstsaf.xopshmzuo

Queries the mobile country code (MCC) (1 TTP, 1 IoC)
Processes:
  description: Framework service call; ioc: com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone; process: com.gamkstsaf.xopshmzuo

Reads information about the phone network operator (1 TTP)

Requests access to notifications (often used to intercept notifications before users become aware of them) (1 TTP, 1 IoC)
Processes:
  description: Intent action; ioc: android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS; process: com.gamkstsaf.xopshmzuo

Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTP, 1 IoC)
Processes:
  description: Framework service call; ioc: android.app.IActivityManager.registerReceiver; process: com.gamkstsaf.xopshmzuo

Schedules tasks to execute at a specified time (1 TTP, 1 IoC)
Application may abuse the framework's APIs to schedule initial or recurring execution of malicious code.
Processes:
  description: Framework service call; ioc: android.app.job.IJobScheduler.schedule; process: com.gamkstsaf.xopshmzuo

Uses Crypto APIs (might try to encrypt user data) (1 TTP, 1 IoC)
A single Cipher.doFinal call is weak evidence on its own; it is equally consistent with decrypting an embedded configuration or payload.
Processes:
  description: Framework API call; ioc: javax.crypto.Cipher.doFinal; process: com.gamkstsaf.xopshmzuo

Checks CPU information (2 TTPs, 1 IoC)
Processes:
  description: File opened for read; ioc: /proc/cpuinfo; process: com.gamkstsaf.xopshmzuo

Checks memory information (2 TTPs, 1 IoC)
Processes:
  description: File opened for read; ioc: /proc/meminfo; process: com.gamkstsaf.xopshmzuo
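The two findings above that carry the most weight in triage are the dex2oat compilation of a DEX from the app's private data directory and the pairing of Accessibility-service reads (find*) with actions (performGlobalAction). As an added example that is not part of the sandbox report or of any vendor tooling, the Python below replays constructed events shaped like the report's Processes tables and raises those findings; the pipe-separated event format, the `parse_dex2oat`/`analyze`/`verdict` helpers and the benign control line for com.example.benign are assumptions made for illustration, not anything the report contains.

```python
"""Replay sandbox-style process events and flag runtime DEX loading and
Accessibility-service abuse. Added example; the event format below is an
assumption, not the sandbox's own log format."""
import re

# Constructed sample events modelled on the report's "Processes" tables.
# Format (assumed): "<pid>|<process>|<kind>|<detail>", one event per line.
# The com.example.benign line is a constructed control: dex2oat on the
# installed APK under /data/app/ is ordinary install-time compilation.
SAMPLE_LOG = """\
4312|com.gamkstsaf.xopshmzuo|service_call|android.app.IActivityManager.getRunningAppProcesses
4340|/system/bin/dex2oat|exec|/system/bin/dex2oat --instruction-set=x86 --runtime-arg -Xhidden-api-checks --dex-file=/data/user/0/com.gamkstsaf.xopshmzuo/app_dex/classes.dex --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.gamkstsaf.xopshmzuo/app_dex/oat/x86/classes.odex --compiler-filter=quicken --class-loader-context=&
4312|com.gamkstsaf.xopshmzuo|service_call|android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText
4312|com.gamkstsaf.xopshmzuo|service_call|android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId
4312|com.gamkstsaf.xopshmzuo|service_call|android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction
4312|com.gamkstsaf.xopshmzuo|service_call|android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction
4312|com.gamkstsaf.xopshmzuo|intent|android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS
4312|com.gamkstsaf.xopshmzuo|service_call|android.app.IActivityManager.setServiceForeground
4999|com.example.benign|exec|/system/bin/dex2oat --dex-file=/data/app/com.example.benign-1/base.apk --oat-location=/data/app/com.example.benign-1/oat/x86/base.odex --compiler-filter=speed
"""

DEX_FILE_RE = re.compile(r"--dex-file=(\S+)")
OAT_LOCATION_RE = re.compile(r"--oat-location=(\S+)")
COMPILER_FILTER_RE = re.compile(r"--compiler-filter=(\S+)")
# /data/user/<n>/<pkg>/ (and its legacy alias /data/data/<pkg>/) is the app's
# private data directory: only the app itself writes there, so a DEX under it
# was produced at runtime, not installed with the APK (which lives in /data/app/).
APP_PRIVATE_RE = re.compile(r"^/data/(?:user/\d+|data)/([A-Za-z0-9_.]+)/")
ACCESSIBILITY_IFACE = "android.accessibilityservice.IAccessibilityServiceConnection."


def parse_dex2oat(cmdline):
    """Extract the triage-relevant fields of a dex2oat command line, or None."""
    argv = cmdline.split()
    if not argv or not argv[0].endswith("dex2oat"):
        return None
    dex = DEX_FILE_RE.search(cmdline)
    if dex is None:
        return None
    oat = OAT_LOCATION_RE.search(cmdline)
    filt = COMPILER_FILTER_RE.search(cmdline)
    owner = APP_PRIVATE_RE.match(dex.group(1))
    return {
        "dex_file": dex.group(1),
        "oat_location": oat.group(1) if oat else None,
        "compiler_filter": filt.group(1) if filt else None,
        # package whose private directory holds the DEX; None for /data/app/ or /system/ paths
        "app_private_owner": owner.group(1) if owner else None,
    }


def analyze(log_text):
    """Walk the events once and collect the findings a signature engine would report."""
    findings = {
        "dropped_dex": [],              # (owner package, dex path, dex2oat pid)
        "accessibility_reads": 0,       # find* calls: reading screen content
        "accessibility_actions": 0,     # perform* calls: acting on the UI
        "notification_listener_request": False,
        "foreground_service": False,
    }
    for line in log_text.splitlines():
        if not line.strip():
            continue
        pid, _process, kind, detail = line.split("|", 3)
        if kind == "exec":
            info = parse_dex2oat(detail)
            if info and info["app_private_owner"]:
                findings["dropped_dex"].append(
                    (info["app_private_owner"], info["dex_file"], int(pid)))
        elif kind == "service_call" and detail.startswith(ACCESSIBILITY_IFACE):
            method = detail[len(ACCESSIBILITY_IFACE):]
            if method.startswith("find"):
                findings["accessibility_reads"] += 1
            elif method.startswith("perform"):
                findings["accessibility_actions"] += 1
        elif kind == "service_call" and detail.endswith("IActivityManager.setServiceForeground"):
            findings["foreground_service"] = True
        elif kind == "intent" and detail == "android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS":
            findings["notification_listener_request"] = True
    return findings


def verdict(findings):
    """Turn raw findings into triage labels; accessibility abuse needs both reads and actions."""
    labels = []
    if findings["dropped_dex"]:
        labels.append("runtime-dex-loading")
    if findings["accessibility_reads"] and findings["accessibility_actions"]:
        labels.append("accessibility-abuse")
    if findings["notification_listener_request"]:
        labels.append("notification-interception")
    return labels


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for owner, dex, pid in result["dropped_dex"]:
        print(f"dropped DEX {dex} (owner {owner}, dex2oat pid {pid})")
    print("labels:", verdict(result))
```

The split between find* and perform* calls is deliberate: an accessibility service that only reads the screen could be a legitimate assistive tool, but one that also issues global actions (the report records five performGlobalAction calls) is what lets a banker dismiss uninstall dialogs and drive the UI, so the label fires only when both are present.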
Processes
com.gamkstsaf.xopshmzuo (PID 4312)
  - Loads dropped Dex/Jar
  - Makes use of the framework's Accessibility service
  - Queries information about running processes on the device
  - Acquires the wake lock
  - Makes use of the framework's foreground persistence service
  - Performs UI accessibility actions on behalf of the user
  - Queries information about the current Wi-Fi connection
  - Queries the mobile country code (MCC)
  - Requests access to notifications (often used to intercept notifications before users become aware of them)
  - Registers a broadcast receiver at runtime (usually for listening for system events)
  - Schedules tasks to execute at a specified time
  - Uses Crypto APIs (might try to encrypt user data)
  - Checks CPU information
  - Checks memory information
  Child: /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.gamkstsaf.xopshmzuo/app_dex/classes.dex --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.gamkstsaf.xopshmzuo/app_dex/oat/x86/classes.odex --compiler-filter=quicken --class-loader-context=& (PID 4340)
    - Loads dropped Dex/Jar
Network
MITRE ATT&CK Mobile v15
Persistence
  Event Triggered Execution: 1
  Broadcast Receivers: 1
  Foreground Persistence: 1
  Scheduled Task/Job: 1
Defense Evasion
  Download New Code at Runtime: 1
  Foreground Persistence: 1
  Impair Defenses: 1
  Prevent Application Removal: 1
  Input Injection: 1
  Virtualization/Sandbox Evasion: 2
  System Checks: 2
Credential Access
  Access Notifications: 1
  Input Capture: 2
  GUI Input Capture: 1
  Keylogging: 1
Discovery
  Process Discovery: 1
  Software Discovery: 1
  Security Software Discovery: 1
  System Information Discovery: 2
  System Network Configuration Discovery: 3
  System Network Connections Discovery: 1
Downloads

Filesize: 2.9MB
MD5: e1495a9d3763521120baab7ad49993ae
SHA1: 691a2c40a6f7bb433e0bae39a5905d1dbb760270
SHA256: d248dd160c174e59a057cfe9267200619974798fafc1bde37d1f8e4332510649
SHA512: ea986489613d7508d8f5dea3f96b83fad17bc05305a88db194b242e9395aad2ecbeeac912c2560a651a8d4de62d137ceac83c01960c7aed06b5bb832e6e78a77

Filesize: 1.0MB
MD5: cf61a5a4974c3d0304fca4d245eabb47
SHA1: 0f3f1ad8fefc524874a82e6a032da113f4185193
SHA256: 9dc65bbf7ce55da341975d314041e77e842abafa420613bb0d8343edba4c005c
SHA512: 2b508712edbed2801b0afe5ae5a3e942d015682e62c434bce1e0d428f67affc834c7dac7bdf84bb8c7110e9cae5a82dea0daab38af58af7d13e3f3f99c38d42d

Filesize: 1.0MB
MD5: 992105042c21c7e01ea901e587897027
SHA1: ddf97ce5c6b9abc5e0f773ae270ebab654f60218
SHA256: 103a38a4203e405c846698bb23630e185bb0a17fbb99c1580859830e12ee5e46
SHA512: 8e6ddb5e9cc9047d4ec1a15325c8562132ca587f71203ed8a0545170bb20f1078801c1a5c4a7d9de68173af135f8b870e70b1000a750e51b37fb13b45e763970

Filesize: 4KB
MD5: f2b4b0190b9f384ca885f0c8c9b14700
SHA1: 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256: 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512: ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

Filesize: 512B
MD5: 8b99977ba3bd1e0dabfbf9ac673ea142
SHA1: fcc6cdb48951ac1eed338ccdc4bed18bbaf5f817
SHA256: 922e4d655d385bca678f84917892ac32a9ac5bc387dbdb60a3e0591833e55523
SHA512: 6bb66c4a4922c887d9ab44380978e0200eb521bac2a84d0b5e1279957f7b3c2f629656dd182e6ca502a947377fd57d05e59c0600374f4715792b556542ae48b6

Filesize: 32KB
MD5: bb7df04e1b0a2570657527a7e108ae23
SHA1: 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256: c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512: 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Filesize: 108KB
MD5: d5e030beffa3953f68709c793452d843
SHA1: a8b4e6eab56d5e5160f54389b1b2799e5f3073e7
SHA256: 44f8acc11cca7eff6f3953add0ccc338054adac0406f8b64564ff1d9f2698769
SHA512: 7d912d147ed1033f499a6027ea4ca910751d82af3e091ffa333f7eb7171f6f82df2f5054cdf7951d73218aafb7564c600e38181aa0e391a64f96aa0dbeeb710b

Filesize: 173KB
MD5: b0e44f5070b83424c7103f9fcdf4f3a0
SHA1: f26a956a72d4cc2a3d911f01f94cb2f4b07d4932
SHA256: 8ca4eb9f9aa491b1be502b55c1759f8a2337cd609f062f72cb421ee9162d5d3b
SHA512: 42603f3a4e248ab988f925f42745b4be374c82679d673d5b38d88b5a7fa5759f4786dc9b9aaa4f64e78171d98b494802247965921ddf4757f637ce51bba20dbb

Filesize: 16KB
MD5: 681925eb224abfd1625a9f4853c2827c
SHA1: 07b39c87ff1923c10f1029cd3a75e5386a8f9554
SHA256: 72a524ad27404e231a1d95ed148066f3f7f887c190851573fb1000a190b2b270
SHA512: 6e4c31ed6506966b5f2b875034c61dfdbb952c30f75a70ccdb8786746978c8761634416ba072e9cd0275a3c74d9f26bbb7174d052ffc42a3e8dcc0757f39d980

Filesize: 2.9MB
MD5: a8a53fb275303f7438582502d17943e4
SHA1: 6999a3b8f1651247265fd9c779d3e8d52864a3ba
SHA256: 21885efeb17d140f446c27a0af3ef00c1df33589706581bad02f85aa967d1dee
SHA512: 870c9b8ab7f1ff3757b6aae52bb860b2a089728c5f4f01a564f85b070fce569e6e3fd20c594762fafda86bb3489fe881f636a695116e2b5319ee64fb5ea83d25