Analysis
-
max time kernel
149s -
max time network
157s -
platform
android-10_x64 -
resource
android-x64-20240910-en -
resource tags
arch:x64arch:x86image:android-x64-20240910-enlocale:en-usos:android-10-x64system -
submitted
18-10-2024 22:01
Static task
static1
Behavioral task
behavioral1
Sample
199bd69fbc255a3431712d1de98f6c70b14bd08d223d5cc859a6ab10ba7f2ea9.apk
Resource
android-x86-arm-20240910-en
Behavioral task
behavioral2
Sample
199bd69fbc255a3431712d1de98f6c70b14bd08d223d5cc859a6ab10ba7f2ea9.apk
Resource
android-x64-20240910-en
Behavioral task
behavioral3
Sample
199bd69fbc255a3431712d1de98f6c70b14bd08d223d5cc859a6ab10ba7f2ea9.apk
Resource
android-x64-arm64-20240624-en
General
-
Target
199bd69fbc255a3431712d1de98f6c70b14bd08d223d5cc859a6ab10ba7f2ea9.apk
-
Size
3.9MB
-
MD5
8eced96251a4a8c9e5d11a156f05d1d3
-
SHA1
7fcffa6b92b72483ff1b293aaf14e219e47f44b6
-
SHA256
199bd69fbc255a3431712d1de98f6c70b14bd08d223d5cc859a6ab10ba7f2ea9
-
SHA512
d18e561b85c0d218d75f8d2f7d1f5ff1b73228cd3c059c9c743c59c53dcfc8d0695db0f8e7e5d564f9268441538c99c44398a524a241848a5f86c5120b29cd0b
-
SSDEEP
98304:0hXK0V0gZHN5A/UEUAmzO50W7OlRx1rt9Pk6Z:N0VjZ/zEX7OBPP
Malware Config
Extracted
hook
http://194.26.135.117
Signatures
-
Hook
Hook is an Android malware that is based on Ermac with RAT capabilities.
-
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs executable file dropped to the device during analysis.
ioc pid Process /data/user/0/com.shgdjsbwk.hezecrsgb/app_dex/classes.dex 5124 com.shgdjsbwk.hezecrsgb /data/user/0/com.shgdjsbwk.hezecrsgb/app_dex/classes.dex 5124 com.shgdjsbwk.hezecrsgb -
Makes use of the framework's Accessibility service 4 TTPs 3 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
description ioc Process Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId com.shgdjsbwk.hezecrsgb Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText com.shgdjsbwk.hezecrsgb Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId com.shgdjsbwk.hezecrsgb -
Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs
Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
description ioc Process Framework service call android.content.IClipboard.addPrimaryClipChangedListener com.shgdjsbwk.hezecrsgb -
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries information about running processes on the device 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about running processes on the device.
description ioc Process Framework service call android.app.IActivityManager.getRunningAppProcesses com.shgdjsbwk.hezecrsgb -
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Acquires the wake lock 1 IoCs
description ioc Process Framework service call android.os.IPowerManager.acquireWakeLock com.shgdjsbwk.hezecrsgb -
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
description ioc Process Framework service call android.app.IActivityManager.setServiceForeground com.shgdjsbwk.hezecrsgb -
Performs UI accessibility actions on behalf of the user 1 TTPs 8 IoCs
Application may abuse the accessibility service to prevent their removal.
ioc Process android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.shgdjsbwk.hezecrsgb android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.shgdjsbwk.hezecrsgb android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.shgdjsbwk.hezecrsgb android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.shgdjsbwk.hezecrsgb android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.shgdjsbwk.hezecrsgb android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.shgdjsbwk.hezecrsgb android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.shgdjsbwk.hezecrsgb android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.shgdjsbwk.hezecrsgb -
Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
description ioc Process Framework service call android.net.wifi.IWifiManager.getConnectionInfo com.shgdjsbwk.hezecrsgb -
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
description ioc Process Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone com.shgdjsbwk.hezecrsgb -
Reads information about phone network operator. 1 TTPs
-
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
description ioc Process Framework service call android.app.IActivityManager.registerReceiver com.shgdjsbwk.hezecrsgb -
Schedules tasks to execute at a specified time 1 TTPs 1 IoCs
Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
description ioc Process Framework service call android.app.job.IJobScheduler.schedule com.shgdjsbwk.hezecrsgb -
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
description ioc Process Framework API call javax.crypto.Cipher.doFinal com.shgdjsbwk.hezecrsgb -
Checks CPU information 2 TTPs 1 IoCs
description ioc Process File opened for read /proc/cpuinfo com.shgdjsbwk.hezecrsgb -
Checks memory information 2 TTPs 1 IoCs
description ioc Process File opened for read /proc/meminfo com.shgdjsbwk.hezecrsgb
Processes
-
com.shgdjsbwk.hezecrsgb1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Queries information about running processes on the device
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries information about the current Wi-Fi connection
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Schedules tasks to execute at a specified time
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:5124
Network
MITRE ATT&CK Mobile v15
Persistence
Event Triggered Execution
1Broadcast Receivers
1Foreground Persistence
1Scheduled Task/Job
1Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Impair Defenses
1Prevent Application Removal
1Input Injection
1Virtualization/Sandbox Evasion
2System Checks
2Credential Access
Clipboard Data
1Input Capture
2GUI Input Capture
1Keylogging
1Discovery
Process Discovery
1Software Discovery
1Security Software Discovery
1System Information Discovery
2System Network Configuration Discovery
3System Network Connections Discovery
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.9MB
MD538307a3e049677219d48be0190ae0fbb
SHA1eddfe151cccefcc1a763539348bc99e18c7c7bda
SHA2560ca677b60cadaf1d224fbb13e69a71123a41b64be4c5ccc43502d6557a429683
SHA512dac9f632929cc8234ba7a90ad9cc471839c72169df12658f8dd1d465a7dbdb5c13fbda5983e93b3fedf875512fc84be73bee3627d298deef6fde17d4ebec264a
-
Filesize
1.0MB
MD5885f8af047aa4d47d1fffa396386a402
SHA111b4a7526ed0f035eccb4cf9d94ec3b8047c1273
SHA256571f19b24e664653f35ca1afb4ae18db37a4b3629f7fedc6b5a2b17cff5083b6
SHA512d85e459b3af5669dc9ab5d0c6759e164cdb3174030849921aaa32634d31d5640ee0b0a2aaf538d0c25251a841763b628a046b60125732e41bb4199039b25997d
-
Filesize
1.0MB
MD582383505b39965d7d8bed449020abc86
SHA1429e280f8049ca4bf718d000f80c5817c23b1059
SHA256946f74d95a576ed0c7ea406c8ba571f1142a3f06359f7274ba5aa7efdcb1a455
SHA5124dd6be92838106fc59f06c55881af36a447d567af2a9c29cb4ee02e4c1d5d1a0603aa9f5b3aaad085bc25a7da713869564488f6eb29707600fa8375d5d0beb09
-
Filesize
4KB
MD5f2b4b0190b9f384ca885f0c8c9b14700
SHA1934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA2560a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1
-
Filesize
512B
MD53e9ef03c1c1addd773d7420d4874e975
SHA10e030615901d85be95b97375a4fa2db56533f433
SHA256b4bdc691a7f688bf61f30052efa3d72aad6ccd65c917af6d1cdb3e4485b4c889
SHA51226528a48cdb3faba53e12e1a082e651b3b5263ac4a38315aaea39f546ccfa25e4dabdfd398b6da67cf86765f9cdef076b963b5dc819b78cd665d0748435c8ede
-
Filesize
32KB
MD5bb7df04e1b0a2570657527a7e108ae23
SHA15188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012
-
Filesize
16KB
MD59daca561afe5437e1cf99542e2a009f0
SHA1b9b24951418807f2cb850a7c7864a29486e7b669
SHA256c5694a6da3669daa07cb72bb82f062fb1cee6114f3cf4794d0a99810001da853
SHA512ad7327164b113adf85decde8f4ca44a24edc54906facde29382f06b8c8669e1d758c314554f3c016888dda550bd9df8f4e7a4c20a23a4a27e7a479560c3dbc9f
-
Filesize
108KB
MD5478a482fcd79addde3f090440515bdce
SHA132b39556f58407fccfaaab6a2dfd8792ceec28b5
SHA2566c679fe0575e65e8131eb5f954dd9352eba23cb9d02ebd0c89d22920bf4a3b3b
SHA512fad27e71bfd47cbbea72ab569385ca7d2ee728ee5cf1a85ea21a30bb202b50165852a14eee644204dda8b2c13d93eb00b8269e22e0e468bc1c2965f57f4df639
-
Filesize
173KB
MD5d10ad0d7744181427fc4b1a6b71320be
SHA1ff4f5e7023b3ed8edca9e77e9e9024c3d649828c
SHA256f4c60ce48d0960781331a1e1e5be9338ea6339c01aad49ff52ef24fd45e3dbaa
SHA5120b06b96c5ca438e3f5f6078cb7361bd90e0f1acf0302d6cdb2c4478e3b47357b4d742bc41268fdbb20da80c990550c9f0cf060345e38539d77959d2bf56f1a98