Analysis
-
max time kernel
128s -
max time network
154s -
platform
android-9_x86 -
resource
android-x86-arm-20240910-en -
resource tags
arch:armarch:x86image:android-x86-arm-20240910-enlocale:en-usos:android-9-x86system -
submitted
11-10-2024 22:10
Static task
static1
Behavioral task
behavioral1
Sample
6d9b27d9114543149f0608beba457a21ec585db965edd405e9dbc5055767dd5c.apk
Resource
android-x86-arm-20240910-en
Behavioral task
behavioral2
Sample
6d9b27d9114543149f0608beba457a21ec585db965edd405e9dbc5055767dd5c.apk
Resource
android-x64-20240910-en
Behavioral task
behavioral3
Sample
6d9b27d9114543149f0608beba457a21ec585db965edd405e9dbc5055767dd5c.apk
Resource
android-x64-arm64-20240910-en
General
-
Target
6d9b27d9114543149f0608beba457a21ec585db965edd405e9dbc5055767dd5c.apk
-
Size
3.4MB
-
MD5
d5c6fd4bceb5fd02fb84a861811bc4b5
-
SHA1
aecc4437180986d92776319ba35c244341e88939
-
SHA256
6d9b27d9114543149f0608beba457a21ec585db965edd405e9dbc5055767dd5c
-
SHA512
26e42e901732ba8f41b6caaadeeed7c8598581d6b63a8ce753aa041a08b7262e009e6354831c0b871092ebb7ed79a7e52de31224c52a46d668d0cc0983ba9721
-
SSDEEP
98304:zZwDN94TXNQHSeI4KsuS93lUwg/kXVdWevM:dwn4TXqHSeIEj91nOkXi/
Malware Config
Extracted
hook
http://194.26.135.117
Signatures
-
Hook
Hook is an Android malware that is based on Ermac with RAT capabilities.
-
Loads dropped Dex/Jar 1 TTPs 3 IoCs
Runs executable file dropped to the device during analysis.
Processes:
com.cdhzvploq.qkuswmgxh/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.cdhzvploq.qkuswmgxh/app_dex/classes.dex --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.cdhzvploq.qkuswmgxh/app_dex/oat/x86/classes.odex --compiler-filter=quicken --class-loader-context=&ioc pid process /data/user/0/com.cdhzvploq.qkuswmgxh/app_dex/classes.dex 4398 com.cdhzvploq.qkuswmgxh /data/user/0/com.cdhzvploq.qkuswmgxh/app_dex/classes.dex 4424 /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.cdhzvploq.qkuswmgxh/app_dex/classes.dex --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.cdhzvploq.qkuswmgxh/app_dex/oat/x86/classes.odex --compiler-filter=quicken --class-loader-context=& /data/user/0/com.cdhzvploq.qkuswmgxh/app_dex/classes.dex 4398 com.cdhzvploq.qkuswmgxh -
Makes use of the framework's Accessibility service 4 TTPs 3 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
Processes:
com.cdhzvploq.qkuswmgxhdescription ioc process Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId com.cdhzvploq.qkuswmgxh Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText com.cdhzvploq.qkuswmgxh Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId com.cdhzvploq.qkuswmgxh -
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries information about running processes on the device 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about running processes on the device.
Processes:
com.cdhzvploq.qkuswmgxhdescription ioc process Framework service call android.app.IActivityManager.getRunningAppProcesses com.cdhzvploq.qkuswmgxh -
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Acquires the wake lock 1 IoCs
Processes:
com.cdhzvploq.qkuswmgxhdescription ioc process Framework service call android.os.IPowerManager.acquireWakeLock com.cdhzvploq.qkuswmgxh -
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
Processes:
com.cdhzvploq.qkuswmgxhdescription ioc process Framework service call android.app.IActivityManager.setServiceForeground com.cdhzvploq.qkuswmgxh -
Performs UI accessibility actions on behalf of the user 1 TTPs 5 IoCs
Application may abuse the accessibility service to prevent their removal.
Processes:
com.cdhzvploq.qkuswmgxhioc process android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.cdhzvploq.qkuswmgxh android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.cdhzvploq.qkuswmgxh android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.cdhzvploq.qkuswmgxh android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.cdhzvploq.qkuswmgxh android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.cdhzvploq.qkuswmgxh -
Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
Processes:
com.cdhzvploq.qkuswmgxhdescription ioc process Framework service call android.net.wifi.IWifiManager.getConnectionInfo com.cdhzvploq.qkuswmgxh -
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
Processes:
com.cdhzvploq.qkuswmgxhdescription ioc process Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone com.cdhzvploq.qkuswmgxh -
Reads information about phone network operator. 1 TTPs
-
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
Processes:
com.cdhzvploq.qkuswmgxhdescription ioc process Framework service call android.app.IActivityManager.registerReceiver com.cdhzvploq.qkuswmgxh -
Schedules tasks to execute at a specified time 1 TTPs 1 IoCs
Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
Processes:
com.cdhzvploq.qkuswmgxhdescription ioc process Framework service call android.app.job.IJobScheduler.schedule com.cdhzvploq.qkuswmgxh -
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
Processes:
com.cdhzvploq.qkuswmgxhdescription ioc process Framework API call javax.crypto.Cipher.doFinal com.cdhzvploq.qkuswmgxh -
Checks CPU information 2 TTPs 1 IoCs
Processes:
com.cdhzvploq.qkuswmgxhdescription ioc process File opened for read /proc/cpuinfo com.cdhzvploq.qkuswmgxh -
Checks memory information 2 TTPs 1 IoCs
Processes:
com.cdhzvploq.qkuswmgxhdescription ioc process File opened for read /proc/meminfo com.cdhzvploq.qkuswmgxh
Processes
-
com.cdhzvploq.qkuswmgxh1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Queries information about running processes on the device
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries information about the current Wi-Fi connection
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Schedules tasks to execute at a specified time
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:4398 -
/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.cdhzvploq.qkuswmgxh/app_dex/classes.dex --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.cdhzvploq.qkuswmgxh/app_dex/oat/x86/classes.odex --compiler-filter=quicken --class-loader-context=&2⤵
- Loads dropped Dex/Jar
PID:4424
Network
MITRE ATT&CK Mobile v15
Persistence
Event Triggered Execution
1Broadcast Receivers
1Foreground Persistence
1Scheduled Task/Job
1Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Impair Defenses
1Prevent Application Removal
1Input Injection
1Virtualization/Sandbox Evasion
2System Checks
2Discovery
Process Discovery
1Software Discovery
1Security Software Discovery
1System Information Discovery
2System Network Configuration Discovery
3System Network Connections Discovery
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.9MB
MD5363cc5155b51e5be849b1fc7b10003e3
SHA14c2ea09dbc62583193118bad444189c98dfc0916
SHA2560880253110447ef29ae564d170f8ef91e0a24147ecfbd0aabde4a83de9319324
SHA51288c5298de742e1568b5bec501b4a1e6e9d3033d020cf7c69090704d20c5a532d4508424a2a5b2306e3d1c3e3c1d53faf4b81bebcc20810458a11d490c2b34f84
-
Filesize
1.0MB
MD575d265b76567934bd29642e279dc7e77
SHA1364a560e55e4e78ed102fcf6d4a6e55272320732
SHA25620775d34b114f934c29ed4ee340036e87fb890a5bdbbdcc8f65bde43839a7cb9
SHA512f0ce1a0dc7d9619277b10aff30ceb60b194285a34bcd559661d0b1871c383ffae089f144cb296ff6ffdbd70a4f060c1bc7297181438bf295b2ee38e183fd91b4
-
Filesize
1.0MB
MD54d6cdc33360fd3986179fafa891adff8
SHA186ab24122adc62b6fb9b35a3b0ac0c56f56f50f6
SHA256d3e08e70a5b634b11e67ccaa483b85e15a8b978baa440fc466c83b610fe7e74a
SHA512fdcf1a6a3953124a275522ef2ba5b38036b44380cb8bd10c801aff1a4c5180df546c3c3381ccb2809d58f9239f9ad8dc172215df195d39d0b6bf0e6a59d048c6
-
Filesize
4KB
MD5f2b4b0190b9f384ca885f0c8c9b14700
SHA1934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA2560a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1
-
Filesize
512B
MD5e7a861001e285f3285c43394ce924537
SHA1fb67aacebbcec5c220cc722ab82d4f38cf2835aa
SHA2560911ec9c9fea8eaa2165c123915ab58a26b69fc039d8c8fa96e58d207fbbe3c0
SHA51297a8e388dcb7ab1df9f5035f299551cb5e0f37c319fa9e8f3aadd8563c4303a6b15682a67f123f3a4f5064d67404d09d99d9138a210683ed953d42348e01a8af
-
Filesize
32KB
MD5bb7df04e1b0a2570657527a7e108ae23
SHA15188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012
-
Filesize
108KB
MD56617cd3feac92620d8888c7b4843e447
SHA15c0a2901ce262cdfb785f16acdca9efdc54a5405
SHA256677284734a7d157753887a76817adadc89d925036458f9a7f97f92c0b7913658
SHA5124cd204b4cbb2061092622f6541cd984a1ac2202c5dc5cf43ecb900e01fb0d65a55363bb5d443dd7c0728ea8e57a46d7d0b5e7edf8e63d157124a355800f95504
-
Filesize
173KB
MD5125ceb892d6c24181852bdd26b35eddb
SHA1d34a624a15456a2e5b427570ff8e3ca29836448d
SHA25628aa572fda1201a18b6441a56ada9e5ecb05038f7ce9cbd240f71afd72ff622c
SHA512183ee4ebd829cd3cd6cd4be2b6738aa72b913e0c75e6bb3d775a460a871ececa5a4e94602ee1704126e43b086a5368cf8a66f1d50693df66684a09576abd16a2
-
Filesize
16KB
MD5568fd868b57142ebc4b003fe6b8e6017
SHA123b5c77ce06ba3cf911ef89fc17210b626cf1e68
SHA256b7fc5c2e9b400c0c60d847213ab295671d2db8462fea47791e78e400505776ff
SHA5126320ee4df510d6eef0c5bafcbbe99af78b347ddc46b3a34709636bcd502f1435b16967a80d34d1aa1ab7806980a1a4dde1e36be270f8b6c941ba182f3253cda7
-
Filesize
2.9MB
MD53733540aeabca08c300f16ea1969234a
SHA1fa8800d1a386e034e336a0f294fa750921b2788a
SHA256cca4c1fd4714ad777b0cdfbdedfac8cfff886f3dcb0d2bec248836fca487d557
SHA512d113e7fd0f0fb01800fe20ce6eb483d2ffe41749f512f52d1295c8f3266ede60bacc70123b6cf2424f013e96800d9a6185f32b67fc3dee93511930c517e7c335