Analysis
-
max time kernel
53s -
max time network
153s -
platform
android-11_x64 -
resource
android-x64-arm64-20240910-en -
resource tags
arch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240910-enlocale:en-usos:android-11-x64system -
submitted
17-10-2024 22:08
Behavioral task
behavioral1
Sample
f2ffcd2542733ed9860218ab2d8b905106b103a2b6dad14b94559cd04e88d596.apk
Resource
android-x86-arm-20240624-en
Behavioral task
behavioral2
Sample
f2ffcd2542733ed9860218ab2d8b905106b103a2b6dad14b94559cd04e88d596.apk
Resource
android-x64-20240624-en
Behavioral task
behavioral3
Sample
f2ffcd2542733ed9860218ab2d8b905106b103a2b6dad14b94559cd04e88d596.apk
Resource
android-x64-arm64-20240910-en
General
-
Target
f2ffcd2542733ed9860218ab2d8b905106b103a2b6dad14b94559cd04e88d596.apk
-
Size
1.1MB
-
MD5
8e7ac92807a0630651930cdcd3fa0ab6
-
SHA1
cb065ded25bd356fd74cb53a49adcf66a770b101
-
SHA256
f2ffcd2542733ed9860218ab2d8b905106b103a2b6dad14b94559cd04e88d596
-
SHA512
698440a4fc62b0b1a79b95543c8d411822953423a52dcd11003ed0cbc37668ec7f380259ebd11f9b8a2ef08460af77e1ffce28017abf8366fd9d84c6e0fc403a
-
SSDEEP
24576:3eQJF0WOHTmMXv3OdylZ50WrP9Ke/TpKPdojyGVg/AZVQ:3eQzOHTmMfedyDrP9IVXGVg/qQ
Malware Config
Extracted
hook
Signatures
-
Hook
Hook is an Android malware that is based on Ermac with RAT capabilities.
-
Makes use of the framework's Accessibility service 4 TTPs 3 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
description ioc Process Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText com.tencent.mm Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId com.tencent.mm Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId com.tencent.mm -
Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs
Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
description ioc Process Framework service call android.content.IClipboard.addPrimaryClipChangedListener com.tencent.mm -
Queries information about running processes on the device 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about running processes on the device.
description ioc Process Framework service call android.app.IActivityManager.getRunningAppProcesses com.tencent.mm -
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Acquires the wake lock 1 IoCs
description ioc Process Framework service call android.os.IPowerManager.acquireWakeLock com.tencent.mm -
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
description ioc Process Framework service call android.app.IActivityManager.setServiceForeground com.tencent.mm -
Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
description ioc Process Framework service call android.net.wifi.IWifiManager.getConnectionInfo com.tencent.mm -
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
description ioc Process Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone com.tencent.mm -
Reads information about phone network operator. 1 TTPs
-
Schedules tasks to execute at a specified time 1 TTPs 1 IoCs
Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
description ioc Process Framework service call android.app.job.IJobScheduler.schedule com.tencent.mm -
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
description ioc Process Framework API call javax.crypto.Cipher.doFinal com.tencent.mm -
Checks CPU information 2 TTPs 1 IoCs
description ioc Process File opened for read /proc/cpuinfo com.tencent.mm -
Checks memory information 2 TTPs 1 IoCs
description ioc Process File opened for read /proc/meminfo com.tencent.mm
Processes
-
com.tencent.mm1⤵
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Queries information about running processes on the device
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Queries information about the current Wi-Fi connection
- Queries the mobile country code (MCC)
- Schedules tasks to execute at a specified time
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:4807
Network
MITRE ATT&CK Mobile v15
Defense Evasion
Foreground Persistence
1Input Injection
1Virtualization/Sandbox Evasion
2System Checks
2Credential Access
Clipboard Data
1Input Capture
2GUI Input Capture
1Keylogging
1Discovery
Process Discovery
1System Information Discovery
2System Network Configuration Discovery
3System Network Connections Discovery
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4KB
MD57e858c4054eb00fcddc653a04e5cd1c6
SHA12e056bf31a8d78df136f02a62afeeca77f4faccf
SHA2569010186c5c083155a45673017d1e31c2a178e63cc15a57bbffde4d1956a23dad
SHA512d0c7a120940c8e637d5566ef179d01eff88a2c2650afda69ad2a46aad76533eaace192028bba3d60407b4e34a950e7560f95d9f9b8eebe361ef62897d88b30cb
-
Filesize
512B
MD5a1515acf5117f86488c1cd4113ad896d
SHA1c0c8130b6695d1131f4911d0c90d52a3f6428a6a
SHA2565627c4af271a6ac0dc064b96cb5c8f331861acb565ac4a4edf8972e32ea8dbfd
SHA5122a3140d2f035e5f1f0c56c18b39282cffc51a44d7487caf782c282717c4be68ac9b8c04cc5eb47a72cf07b8f42e6d5a559610b6441f5de9a334d7ee9746e90ee
-
Filesize
32KB
MD5bb7df04e1b0a2570657527a7e108ae23
SHA15188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012
-
Filesize
16KB
MD50af80b8be8f8910d9cbdb6a848fd4541
SHA176eafd23f2ce0fddb7d3078e805ba53abd6c0b3d
SHA256668e01be6ae1acc20235daafb7208f52b36e2afcff7c68f3b0ee780e4b54a9ca
SHA5120064390d408a776e2e1453abf924b6c787da6de623b0ea09a890caa7392b959de014b5857c3739ef2e8852357ca33287e6845a8d2a42ea7a00d1b4ed70ef79a5
-
Filesize
108KB
MD52b7b26e0f18649bce9ba3f0f00023d08
SHA1739103b4526dfae6304e5e0e43369f7d1a2b0ef0
SHA256994bf22b82ef178d989e603490f92bc47db6593ac7b14048bf26055bd042f8c2
SHA512849b894861a98d8c11bf14b13905a244c7b1ffe3b9bdea473daeb551040c8a6ae077a26e4505e354e014c5465d8b47df2d4923571e48434bab3fcf4b704587fc
-
Filesize
173KB
MD5b529fd4215c86486a6bb4e061d23e188
SHA119347291f354e7e4dcf2c1ad116ba6d12153395a
SHA256362377b67e9b14f5e7facc9f8896f978c22c3006ae69bc6a34abd6bccb936af8
SHA512ef18ffa92db9c9783c07d712c5f2b4f866742de076dfc68720d5065582a651ea3bdd67b2dc3875bcdfffea755060029522562a47d11b195ee35c31c9b20dda8c