Analysis
-
max time kernel
148s -
max time network
157s -
platform
android_x86 -
resource
android-x86-arm-20240624-en -
resource tags
androidarch:armarch:x86image:android-x86-arm-20240624-enlocale:en-usos:android-9-x86system -
submitted
18-10-2024 22:04
Static task
static1
Behavioral task
behavioral1
Sample
ef1daafc0832d8c6bab1f6009d57531dc7a00831bbf1afddd16d8b898bf241c5.apk
Resource
android-x86-arm-20240624-en
Behavioral task
behavioral2
Sample
ef1daafc0832d8c6bab1f6009d57531dc7a00831bbf1afddd16d8b898bf241c5.apk
Resource
android-x64-20240910-en
Behavioral task
behavioral3
Sample
ef1daafc0832d8c6bab1f6009d57531dc7a00831bbf1afddd16d8b898bf241c5.apk
Resource
android-x64-arm64-20240624-en
General
-
Target
ef1daafc0832d8c6bab1f6009d57531dc7a00831bbf1afddd16d8b898bf241c5.apk
-
Size
3.9MB
-
MD5
dd7667c44e4b076202bcd97d1cd0c5b6
-
SHA1
8bd5538d21acd6a24fbf31517884ddfa6445b170
-
SHA256
ef1daafc0832d8c6bab1f6009d57531dc7a00831bbf1afddd16d8b898bf241c5
-
SHA512
88ca4158e369608ca4f49f9d1459d2fa7c5c7a9503dca45ae4841471214dcd5538d244e019b7c0258425bfde21f7c7948e1cf003612a6d5fb129bd63294bc797
-
SSDEEP
98304:oZ2RaXyHSPhPlxtRJYR4pRWlaI9dyj7xUKObtajrjyj8:eryyP91YaVsUHxUDajrjyj8
Malware Config
Extracted
hook
http://154.216.20.101
Signatures
-
Hook
Hook is an Android malware that is based on Ermac with RAT capabilities.
-
Loads dropped Dex/Jar 1 TTPs 3 IoCs
Runs executable file dropped to the device during analysis.
ioc pid Process /data/user/0/com.neasqhpqv.isxurogfu/app_dex/classes.dex 4259 com.neasqhpqv.isxurogfu /data/user/0/com.neasqhpqv.isxurogfu/app_dex/classes.dex 4286 /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.neasqhpqv.isxurogfu/app_dex/classes.dex --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.neasqhpqv.isxurogfu/app_dex/oat/x86/classes.odex --compiler-filter=quicken --class-loader-context=& /data/user/0/com.neasqhpqv.isxurogfu/app_dex/classes.dex 4259 com.neasqhpqv.isxurogfu -
Makes use of the framework's Accessibility service 4 TTPs 3 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
description ioc Process Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId com.neasqhpqv.isxurogfu Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText com.neasqhpqv.isxurogfu Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId com.neasqhpqv.isxurogfu -
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries information about running processes on the device 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about running processes on the device.
description ioc Process Framework service call android.app.IActivityManager.getRunningAppProcesses com.neasqhpqv.isxurogfu -
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Acquires the wake lock 1 IoCs
description ioc Process Framework service call android.os.IPowerManager.acquireWakeLock com.neasqhpqv.isxurogfu -
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
description ioc Process Framework service call android.app.IActivityManager.setServiceForeground com.neasqhpqv.isxurogfu -
Performs UI accessibility actions on behalf of the user 1 TTPs 5 IoCs
Application may abuse the accessibility service to prevent their removal.
ioc Process android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.neasqhpqv.isxurogfu android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.neasqhpqv.isxurogfu android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.neasqhpqv.isxurogfu android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.neasqhpqv.isxurogfu android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.neasqhpqv.isxurogfu -
Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
description ioc Process Framework service call android.net.wifi.IWifiManager.getConnectionInfo com.neasqhpqv.isxurogfu -
Reads information about phone network operator. 1 TTPs
-
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
description ioc Process Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS com.neasqhpqv.isxurogfu -
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
description ioc Process Framework service call android.app.IActivityManager.registerReceiver com.neasqhpqv.isxurogfu -
Schedules tasks to execute at a specified time 1 TTPs 1 IoCs
Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
description ioc Process Framework service call android.app.job.IJobScheduler.schedule com.neasqhpqv.isxurogfu -
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
description ioc Process Framework API call javax.crypto.Cipher.doFinal com.neasqhpqv.isxurogfu
Processes
-
com.neasqhpqv.isxurogfu1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Queries information about running processes on the device
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries information about the current Wi-Fi connection
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Schedules tasks to execute at a specified time
- Uses Crypto APIs (Might try to encrypt user data)
PID:4259 -
/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.neasqhpqv.isxurogfu/app_dex/classes.dex --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.neasqhpqv.isxurogfu/app_dex/oat/x86/classes.odex --compiler-filter=quicken --class-loader-context=&2⤵
- Loads dropped Dex/Jar
PID:4286
-
Network
MITRE ATT&CK Mobile v15
Persistence
Event Triggered Execution
1Broadcast Receivers
1Foreground Persistence
1Scheduled Task/Job
1Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Hide Artifacts
1User Evasion
1Impair Defenses
1Prevent Application Removal
1Input Injection
1Discovery
Process Discovery
1Software Discovery
1Security Software Discovery
1System Network Configuration Discovery
2System Network Connections Discovery
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.9MB
MD5a66e283d6f2d2502e2502b856666d2a5
SHA16a9e6a66f892dddf8abcc9c9f92c8ec4bbf3c434
SHA256a624059c5a95732186b106eb69d5d74247652d9c7496fea650cb773fc04233dd
SHA512096e19c29f20810d90f36a0845147611340aa3353d89d9a17333d9075eb519ab5d595cd89b14baf55d11393ddcab80db2b3d508a5e100c42d5bfc7e7bd659ac8
-
Filesize
1.0MB
MD5f321641b80e1b8bab465d6502e74c39e
SHA18963bf1c03ffda671c23d7fd1206d868baa474d7
SHA2564c1620fa0fb5232b414d729536ac96fcbc3eb78ac858c6305ee657192b15d1ba
SHA512255edc3fb76c8e83881665ae39db86ef84380ac22a361e9d47d064754fa14d371d07a37672b53588d4bec34581b40331a2199c8bfd423951d2a8070adf18e957
-
Filesize
1.0MB
MD554aad71b69fd0dea398ab5950b2b09be
SHA12c24f45c975335c85dfe8cf18d694fdc124e2360
SHA2565c5d3f2e6e0cc2188e645bde8ea79a4d092deea03d00f30a38281c597b6ada7e
SHA512cb73d76a6fd650470e28ca5f2bb6283d2335d1a0b5e03600310f9c2ae1f6157387d5e0364df238350b9724d7b9cd71cb00f8cd7473d294d8bb02d0ccb7699cf0
-
Filesize
4KB
MD5f2b4b0190b9f384ca885f0c8c9b14700
SHA1934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA2560a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1
-
Filesize
512B
MD5bd4e96e35062ffc8a0274e467cd6ba4a
SHA1b2eef89233f7c626577dcb96a1b6d25fff598f38
SHA2563e70f8109326e4e65967c3255e4eaef02d3f6714073e461556b1af89fb093b1d
SHA512d5a87a757771ed4a1f6fcebd10ed18a5494fb29dca3dbdee611097df685530cc92b12cff485c41af0c2373f458d667e85eae4a5e805e4a78d7992ee40d41b69c
-
Filesize
32KB
MD5bb7df04e1b0a2570657527a7e108ae23
SHA15188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012
-
Filesize
108KB
MD53f1130791a46537730c068db9a4f621b
SHA1cf0d29280a7a3c591e760e7ae0019a2faeaa806e
SHA256f6fd530d5129cd6ae2cb55479f4725f7fb67d3876ba931a9e1899437a46d19a3
SHA5124f4d77e9c56ebcdc8dced49b2054db475d9d66fed440dcde7a2a2ee60d863fa84789d14f075ec0d4d7525c4551d0e0401a41b96b3a43b2e6ffc9fb89d9866efd
-
Filesize
173KB
MD513b4335cca10a66041244b16328b0379
SHA1a515ed52d1a14f3aea75c790c372c94aab512cc0
SHA256e6784047a6fbdc8b66ec55f61cfbd36b215624176bcd092e69731e225ee6112a
SHA512204b2b9443ead56e01804bbe6d2e996f658abcfd88787d4620bdc0eead3fa907a77bfc8ee655220837407a938a66572634be9213eb9d5c18d7328b15987b48d6
-
Filesize
16KB
MD564ecc5e4c33927e21df6543275ed26f2
SHA1224907032288f62dc6cebc9b2e0780d89b9216b4
SHA256685bc326855b48c26973b560d40bb9a6c5e5a65a42e059134690883adde0d63c
SHA5123344266ba28638044ef407e0b7bedaa2f0ea7539d424bdfd8d98b57e81fbc8a8e2fc7273ddf5a45584858e71daa79f285c439a42571a0662a8c5ea55c9fff2af
-
Filesize
2.9MB
MD530c95f01d0b52c276e3fc54bf21c6515
SHA18cd894e58def96107b497012b60f3659faad7a31
SHA2566a7f89db011d331b544aec63be5127c0d16fab0c726ffb74189c3bae31f1bb7b
SHA51259aed1f5c282e6702c9a772227d3afae3c741c8a92e00a72f286133eb19de7a6639bd819cb11c41db68640ebeac15f9d1885da41af9853f1ee114d17f867b76d