Analysis
max time kernel: 147s
max time network: 156s
platform: android_x86
resource: android-x86-arm-20240624-en
resource tags: android, arch:arm, arch:x86, image:android-x86-arm-20240624-en, locale:en-us, os:android-9-x86, system
submitted: 17-10-2024 22:18
Static task: static1
Behavioral task: behavioral1
  Sample: f8a5c518d7f1ce0819831b38b7140e861911e89d9715ffb40f7b30bbeae65e1c.apk
  Resource: android-x86-arm-20240624-en
Behavioral task: behavioral2
  Sample: f8a5c518d7f1ce0819831b38b7140e861911e89d9715ffb40f7b30bbeae65e1c.apk
  Resource: android-x64-20240624-en
Behavioral task: behavioral3
  Sample: f8a5c518d7f1ce0819831b38b7140e861911e89d9715ffb40f7b30bbeae65e1c.apk
  Resource: android-x64-arm64-20240624-en
General
Target: f8a5c518d7f1ce0819831b38b7140e861911e89d9715ffb40f7b30bbeae65e1c.apk
Size: 3.9MB
MD5: 09696d3316f872a514da05175016a78e
SHA1: e9dc6e41fe429029a50535e8ad8e19b44beaa87f
SHA256: f8a5c518d7f1ce0819831b38b7140e861911e89d9715ffb40f7b30bbeae65e1c
SHA512: 6dc718acbf31c578802cd46f0173d1021b77e5f8bfab8acec49cb82df5516002df3e7ce7dc33500a510cbcffbc068af382c8d48a4083852a94bb954b61ff440a
SSDEEP: 98304:k0L/gGOUkKuaeQR34vRNgVbfDZ3zSnSNC7EjNIO5:nYG1luLQRIqZqQ5P
Malware Config
Extracted
Family: hook
URL: http://194.26.135.117
Signatures
Hook
Hook is an Android malware that is based on Ermac with RAT capabilities.
Loads dropped Dex/Jar (1 TTPs, 3 IoCs)
Runs executable file dropped to the device during analysis.
Processes: com.pvhaznrjh.fnucrxpjl; /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.pvhaznrjh.fnucrxpjl/app_dex/classes.dex --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.pvhaznrjh.fnucrxpjl/app_dex/oat/x86/classes.odex --compiler-filter=quicken --class-loader-context=&
ioc | pid | process
/data/user/0/com.pvhaznrjh.fnucrxpjl/app_dex/classes.dex | 4253 | com.pvhaznrjh.fnucrxpjl
/data/user/0/com.pvhaznrjh.fnucrxpjl/app_dex/classes.dex | 4281 | /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.pvhaznrjh.fnucrxpjl/app_dex/classes.dex --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.pvhaznrjh.fnucrxpjl/app_dex/oat/x86/classes.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/com.pvhaznrjh.fnucrxpjl/app_dex/classes.dex | 4253 | com.pvhaznrjh.fnucrxpjl
Makes use of the framework's Accessibility service (4 TTPs, 3 IoCs)
Retrieves information displayed on the phone screen using AccessibilityService.
Processes: com.pvhaznrjh.fnucrxpjl
description | ioc | process
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | com.pvhaznrjh.fnucrxpjl
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | com.pvhaznrjh.fnucrxpjl
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | com.pvhaznrjh.fnucrxpjl
Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 TTPs)
Queries information about running processes on the device (1 TTPs, 1 IoCs)
Application may abuse the framework's APIs to collect information about running processes on the device.
Processes: com.pvhaznrjh.fnucrxpjl
description | ioc | process
Framework service call | android.app.IActivityManager.getRunningAppProcesses | com.pvhaznrjh.fnucrxpjl
Queries the phone number (MSISDN for GSM devices) (1 TTPs)
Acquires the wake lock (1 IoCs)
Processes: com.pvhaznrjh.fnucrxpjl
description | ioc | process
Framework service call | android.os.IPowerManager.acquireWakeLock | com.pvhaznrjh.fnucrxpjl
Makes use of the framework's foreground persistence service (1 TTPs, 1 IoCs)
Application may abuse the framework's foreground service to continue running in the foreground.
Processes: com.pvhaznrjh.fnucrxpjl
description | ioc | process
Framework service call | android.app.IActivityManager.setServiceForeground | com.pvhaznrjh.fnucrxpjl
Performs UI accessibility actions on behalf of the user (1 TTPs, 8 IoCs)
Application may abuse the accessibility service to prevent its removal.
Processes: com.pvhaznrjh.fnucrxpjl
ioc | process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | com.pvhaznrjh.fnucrxpjl (8 identical occurrences)
Queries information about the current Wi-Fi connection (1 TTPs, 1 IoCs)
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
Processes: com.pvhaznrjh.fnucrxpjl
description | ioc | process
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | com.pvhaznrjh.fnucrxpjl
Queries the mobile country code (MCC) (1 TTPs, 1 IoCs)
Processes: com.pvhaznrjh.fnucrxpjl
description | ioc | process
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | com.pvhaznrjh.fnucrxpjl
Reads information about the phone network operator (1 TTPs)
Requests access to notifications (often used to intercept notifications before users become aware) (1 TTPs, 1 IoCs)
Processes: com.pvhaznrjh.fnucrxpjl
description | ioc | process
Intent action | android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS | com.pvhaznrjh.fnucrxpjl
Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTPs, 1 IoCs)
Processes: com.pvhaznrjh.fnucrxpjl
description | ioc | process
Framework service call | android.app.IActivityManager.registerReceiver | com.pvhaznrjh.fnucrxpjl
Schedules tasks to execute at a specified time (1 TTPs, 1 IoCs)
Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
Processes: com.pvhaznrjh.fnucrxpjl
description | ioc | process
Framework service call | android.app.job.IJobScheduler.schedule | com.pvhaznrjh.fnucrxpjl
Uses Crypto APIs (might try to encrypt user data) (1 TTPs, 1 IoCs)
Processes: com.pvhaznrjh.fnucrxpjl
description | ioc | process
Framework API call | javax.crypto.Cipher.doFinal | com.pvhaznrjh.fnucrxpjl
Checks CPU information (2 TTPs, 1 IoCs)
Processes: com.pvhaznrjh.fnucrxpjl
description | ioc | process
File opened for read | /proc/cpuinfo | com.pvhaznrjh.fnucrxpjl
Checks memory information (2 TTPs, 1 IoCs)
Processes: com.pvhaznrjh.fnucrxpjl
description | ioc | process
File opened for read | /proc/meminfo | com.pvhaznrjh.fnucrxpjl
Processes
com.pvhaznrjh.fnucrxpjl (PID 4253)
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Queries information about running processes on the device
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries information about the current Wi-Fi connection
- Queries the mobile country code (MCC)
- Requests access to notifications (often used to intercept notifications before users become aware)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Schedules tasks to execute at a specified time
- Uses Crypto APIs (might try to encrypt user data)
- Checks CPU information
- Checks memory information
  Child process (PID 4281): /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.pvhaznrjh.fnucrxpjl/app_dex/classes.dex --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.pvhaznrjh.fnucrxpjl/app_dex/oat/x86/classes.odex --compiler-filter=quicken --class-loader-context=&
  - Loads dropped Dex/Jar
Network
MITRE ATT&CK Mobile v15
Persistence
- Event Triggered Execution: 1
- Broadcast Receivers: 1
- Foreground Persistence: 1
- Scheduled Task/Job: 1
Defense Evasion
- Download New Code at Runtime: 1
- Foreground Persistence: 1
- Impair Defenses: 1
- Prevent Application Removal: 1
- Input Injection: 1
- Virtualization/Sandbox Evasion: 2
- System Checks: 2
Credential Access
- Access Notifications: 1
- Input Capture: 2
- GUI Input Capture: 1
- Keylogging: 1
Discovery
- Process Discovery: 1
- Software Discovery: 1
- Security Software Discovery: 1
- System Information Discovery: 2
- System Network Configuration Discovery: 3
- System Network Connections Discovery: 1
Downloads