Analysis
max time kernel: 149s
max time network: 131s
platform: android_x64
resource: android-x64-arm64-20240624-en
resource tags: android, arch:arm, arch:arm64, arch:x64, arch:x86, image:android-x64-arm64-20240624-en, locale:en-us, os:android-11-x64, system
submitted: 19-10-2024 22:10
Behavioral task: behavioral1
Sample: b1f06bd9f814003fa09639a32d0fca69a663abb7cc3aa19d4921696c627cbf29.apk
Resource: android-x86-arm-20240910-en
Behavioral task: behavioral2
Sample: b1f06bd9f814003fa09639a32d0fca69a663abb7cc3aa19d4921696c627cbf29.apk
Resource: android-x64-20240910-en
Behavioral task: behavioral3
Sample: b1f06bd9f814003fa09639a32d0fca69a663abb7cc3aa19d4921696c627cbf29.apk
Resource: android-x64-arm64-20240624-en
General
Target: b1f06bd9f814003fa09639a32d0fca69a663abb7cc3aa19d4921696c627cbf29.apk
Size: 2.9MB
MD5: 8e8821b1cbde994a83d43a979455740d
SHA1: efb40a7561787007c29a10712d889eb7998e1a67
SHA256: b1f06bd9f814003fa09639a32d0fca69a663abb7cc3aa19d4921696c627cbf29
SHA512: d11ea3e5fa0be656a0910d43ce95391b1820bb0eee6f5fa4db5b21af90b08281204dee3050fc01c8f24678f81f5e91ba3d846d7e6a0a57e05f2f02fa22ea25e5
SSDEEP: 49152:srC1YAVgW8O/a23ZOZF/XLdek+14DSNGMAPsxZeSsZgtg0h5MQdVQlHXg/x/:srC1LVgWO23ZYbn+14zMAEBby0rJdVQA
Malware Config
Signatures
Hook
Hook is an Android malware that is based on Ermac with RAT capabilities.

Makes use of the framework's Accessibility service (4 TTPs, 3 IoCs)
Retrieves information displayed on the phone screen using AccessibilityService.
description | ioc | process
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | com.tecisopojiyo.bikuro
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | com.tecisopojiyo.bikuro
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | com.tecisopojiyo.bikuro

Obtains sensitive information copied to the device clipboard (2 TTPs, 1 IoCs)
Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
description | ioc | process
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | com.tecisopojiyo.bikuro

Queries information about running processes on the device (1 TTPs, 1 IoCs)
Application may abuse the framework's APIs to collect information about running processes on the device.
description | ioc | process
Framework service call | android.app.IActivityManager.getRunningAppProcesses | com.tecisopojiyo.bikuro

Queries the phone number (MSISDN for GSM devices) (1 TTPs)

Acquires the wake lock (1 IoCs)
description | ioc | process
Framework service call | android.os.IPowerManager.acquireWakeLock | com.tecisopojiyo.bikuro

Makes use of the framework's foreground persistence service (1 TTPs, 1 IoCs)
Application may abuse the framework's foreground service to continue running in the foreground.
description | ioc | process
Framework service call | android.app.IActivityManager.setServiceForeground | com.tecisopojiyo.bikuro

Queries information about the current Wi-Fi connection (1 TTPs, 1 IoCs)
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
description | ioc | process
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | com.tecisopojiyo.bikuro

Queries the mobile country code (MCC) (1 TTPs, 1 IoCs)
description | ioc | process
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | com.tecisopojiyo.bikuro

Requests disabling of battery optimizations (often used to enable hiding in the background). (1 TTPs, 1 IoCs)
description | ioc | process
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | com.tecisopojiyo.bikuro

Schedules tasks to execute at a specified time (1 TTPs, 1 IoCs)
Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
description | ioc | process
Framework service call | android.app.job.IJobScheduler.schedule | com.tecisopojiyo.bikuro

Checks CPU information (2 TTPs, 1 IoCs)
description | ioc | process
File opened for read | /proc/cpuinfo | com.tecisopojiyo.bikuro

Checks memory information (2 TTPs, 1 IoCs)
description | ioc | process
File opened for read | /proc/meminfo | com.tecisopojiyo.bikuro
Processes
com.tecisopojiyo.bikuro
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Queries information about running processes on the device
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Queries information about the current Wi-Fi connection
- Queries the mobile country code (MCC)
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Schedules tasks to execute at a specified time
- Checks CPU information
- Checks memory information
PID:4627
Network
MITRE ATT&CK Mobile v15
Defense Evasion
- Foreground Persistence: 1
- Hide Artifacts: 1
- User Evasion: 1
- Input Injection: 1
- Virtualization/Sandbox Evasion: 2
- System Checks: 2
Credential Access
- Clipboard Data: 1
- Input Capture: 2
- GUI Input Capture: 1
- Keylogging: 1
Discovery
- Process Discovery: 1
- System Information Discovery: 2
- System Network Configuration Discovery: 2
- System Network Connections Discovery: 1
Downloads