Analysis
-
max time kernel
129s -
max time network
159s -
platform
android_x64 -
resource
android-x64-arm64-20240624-en -
resource tags
androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240624-enlocale:en-usos:android-11-x64system -
submitted
18-10-2024 22:01
Static task
static1
Behavioral task
behavioral1
Sample
199bd69fbc255a3431712d1de98f6c70b14bd08d223d5cc859a6ab10ba7f2ea9.apk
Resource
android-x86-arm-20240910-en
Behavioral task
behavioral2
Sample
199bd69fbc255a3431712d1de98f6c70b14bd08d223d5cc859a6ab10ba7f2ea9.apk
Resource
android-x64-20240910-en
Behavioral task
behavioral3
Sample
199bd69fbc255a3431712d1de98f6c70b14bd08d223d5cc859a6ab10ba7f2ea9.apk
Resource
android-x64-arm64-20240624-en
General
-
Target
199bd69fbc255a3431712d1de98f6c70b14bd08d223d5cc859a6ab10ba7f2ea9.apk
-
Size
3.9MB
-
MD5
8eced96251a4a8c9e5d11a156f05d1d3
-
SHA1
7fcffa6b92b72483ff1b293aaf14e219e47f44b6
-
SHA256
199bd69fbc255a3431712d1de98f6c70b14bd08d223d5cc859a6ab10ba7f2ea9
-
SHA512
d18e561b85c0d218d75f8d2f7d1f5ff1b73228cd3c059c9c743c59c53dcfc8d0695db0f8e7e5d564f9268441538c99c44398a524a241848a5f86c5120b29cd0b
-
SSDEEP
98304:0hXK0V0gZHN5A/UEUAmzO50W7OlRx1rt9Pk6Z:N0VjZ/zEX7OBPP
Malware Config
Extracted
hook
http://194.26.135.117
Signatures
-
Hook
Hook is an Android malware that is based on Ermac with RAT capabilities.
-
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs executable file dropped to the device during analysis.
ioc pid Process /data/user/0/com.shgdjsbwk.hezecrsgb/app_dex/classes.dex 4462 com.shgdjsbwk.hezecrsgb /data/user/0/com.shgdjsbwk.hezecrsgb/app_dex/classes.dex 4462 com.shgdjsbwk.hezecrsgb -
Makes use of the framework's Accessibility service 4 TTPs 3 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
description ioc Process Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId com.shgdjsbwk.hezecrsgb Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText com.shgdjsbwk.hezecrsgb Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId com.shgdjsbwk.hezecrsgb -
Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs
Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
description ioc Process Framework service call android.content.IClipboard.addPrimaryClipChangedListener com.shgdjsbwk.hezecrsgb -
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries information about running processes on the device 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about running processes on the device.
description ioc Process Framework service call android.app.IActivityManager.getRunningAppProcesses com.shgdjsbwk.hezecrsgb -
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Acquires the wake lock 1 IoCs
description ioc Process Framework service call android.os.IPowerManager.acquireWakeLock com.shgdjsbwk.hezecrsgb -
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
description ioc Process Framework service call android.app.IActivityManager.setServiceForeground com.shgdjsbwk.hezecrsgb -
Performs UI accessibility actions on behalf of the user 1 TTPs 5 IoCs
Application may abuse the accessibility service to prevent their removal.
ioc Process android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.shgdjsbwk.hezecrsgb android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.shgdjsbwk.hezecrsgb android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.shgdjsbwk.hezecrsgb android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.shgdjsbwk.hezecrsgb android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.shgdjsbwk.hezecrsgb -
Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
description ioc Process Framework service call android.net.wifi.IWifiManager.getConnectionInfo com.shgdjsbwk.hezecrsgb -
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
description ioc Process Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone com.shgdjsbwk.hezecrsgb -
Reads information about phone network operator. 1 TTPs
-
Schedules tasks to execute at a specified time 1 TTPs 1 IoCs
Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
description ioc Process Framework service call android.app.job.IJobScheduler.schedule com.shgdjsbwk.hezecrsgb -
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
description ioc Process Framework API call javax.crypto.Cipher.doFinal com.shgdjsbwk.hezecrsgb -
Checks CPU information 2 TTPs 1 IoCs
description ioc Process File opened for read /proc/cpuinfo com.shgdjsbwk.hezecrsgb -
Checks memory information 2 TTPs 1 IoCs
description ioc Process File opened for read /proc/meminfo com.shgdjsbwk.hezecrsgb
Processes
-
com.shgdjsbwk.hezecrsgb1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Queries information about running processes on the device
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries information about the current Wi-Fi connection
- Queries the mobile country code (MCC)
- Schedules tasks to execute at a specified time
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:4462
Network
MITRE ATT&CK Mobile v15
Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Impair Defenses
1Prevent Application Removal
1Input Injection
1Virtualization/Sandbox Evasion
2System Checks
2Credential Access
Clipboard Data
1Input Capture
2GUI Input Capture
1Keylogging
1Discovery
Process Discovery
1Software Discovery
1Security Software Discovery
1System Information Discovery
2System Network Configuration Discovery
3System Network Connections Discovery
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.9MB
MD538307a3e049677219d48be0190ae0fbb
SHA1eddfe151cccefcc1a763539348bc99e18c7c7bda
SHA2560ca677b60cadaf1d224fbb13e69a71123a41b64be4c5ccc43502d6557a429683
SHA512dac9f632929cc8234ba7a90ad9cc471839c72169df12658f8dd1d465a7dbdb5c13fbda5983e93b3fedf875512fc84be73bee3627d298deef6fde17d4ebec264a
-
Filesize
1.0MB
MD5885f8af047aa4d47d1fffa396386a402
SHA111b4a7526ed0f035eccb4cf9d94ec3b8047c1273
SHA256571f19b24e664653f35ca1afb4ae18db37a4b3629f7fedc6b5a2b17cff5083b6
SHA512d85e459b3af5669dc9ab5d0c6759e164cdb3174030849921aaa32634d31d5640ee0b0a2aaf538d0c25251a841763b628a046b60125732e41bb4199039b25997d
-
Filesize
1.0MB
MD582383505b39965d7d8bed449020abc86
SHA1429e280f8049ca4bf718d000f80c5817c23b1059
SHA256946f74d95a576ed0c7ea406c8ba571f1142a3f06359f7274ba5aa7efdcb1a455
SHA5124dd6be92838106fc59f06c55881af36a447d567af2a9c29cb4ee02e4c1d5d1a0603aa9f5b3aaad085bc25a7da713869564488f6eb29707600fa8375d5d0beb09
-
Filesize
4KB
MD57e858c4054eb00fcddc653a04e5cd1c6
SHA12e056bf31a8d78df136f02a62afeeca77f4faccf
SHA2569010186c5c083155a45673017d1e31c2a178e63cc15a57bbffde4d1956a23dad
SHA512d0c7a120940c8e637d5566ef179d01eff88a2c2650afda69ad2a46aad76533eaace192028bba3d60407b4e34a950e7560f95d9f9b8eebe361ef62897d88b30cb
-
Filesize
512B
MD5006a6c8a2c1a2432e2f1d61a8049eb72
SHA1060596ee11b7bc27518add958786a606c28ee703
SHA2567f0047bc8cc27e41c55786bf38ec9d061d49e17799a7c2c7d306b413fd798e20
SHA512dd983aece623e735d4b5948c04363a1ad636bff71ad682be3bf438a23c7555de142602215e9a814401d1c89400b60c586700e86c27fd3d1c322adb73ceed5c10
-
Filesize
32KB
MD5bb7df04e1b0a2570657527a7e108ae23
SHA15188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012
-
Filesize
16KB
MD5acfa73d0ddf9959d3e38aa6c5fbb7b79
SHA1fd694e008c4878d4db3c3f4aae93a4d731dc4799
SHA256cb8965d526150f73eadd2e72e15a3646bdfa6452b80e0a47b487a3ec7dd26a65
SHA512282386f1c7ce0b76f1727aa0dd48b0160009448400a93f2bc0cdfbae97002cb86f2d40e79c0c40c95f0f20e064760c3396599e3ffc53c029ccfa9c4d38319522
-
Filesize
108KB
MD5d910a77ea2aa94c73f4b47c4d384bf51
SHA12ad08663d88f12edf72477987b576f3c0fefeb16
SHA2565db22fbc67b9d233da25f0b7eb52ff27c6b3b535675321c025ab6cedd8228304
SHA5120f1538b56a73d5c7fce01d9c06a00ca1d2a9c55eda2b0d3410ab249ed694c32612e12e8877556430119edae6b5c1988f7985b91317f7a384e878c56ccbc5a4c0
-
Filesize
173KB
MD518de5cdd97d9cb307164be94b8b377c2
SHA1078eb16b595cc1f24c94b2689d66ba3e3b6e8069
SHA25688ff4987fb40367ac52fc620fe89d51792a71584c9c20ab9f86588cad5485f2d
SHA5125260bfa7ab73b3997f7c4977ea74ca873171abe12c7771124e518aa68f1821819daed1bf679b7bc87bd358588a0f159c1248132e0655a54fbd55fa14794827f3