Analysis
-
max time kernel
149s -
max time network
156s -
platform
android_x86 -
resource
android-x86-arm-20240624-en -
resource tags
-
submitted
22-10-2024 22:06
General
-
Target
02ab9ed7120ffc1ae040ec2fe9d847b569d2d05b60e2b830c80632e1aa990bcf.apk
-
Size
4.1MB
-
MD5
6b5b160f35e216c74c39bae4f34da3a1
-
SHA1
b0ea76c9812bba195faa9f637549811c532dd3d4
-
SHA256
02ab9ed7120ffc1ae040ec2fe9d847b569d2d05b60e2b830c80632e1aa990bcf
-
SHA512
d6a0fb306da757be2ce32a6a9167af87523898aa9e2d55ae9626637d732b7e7399a72df37ff1c0cf8356eafeb8a0f91ee1972cc64ed90832a61483bd56772b76
-
SSDEEP
49152:lqNOrgtJpiaCfqjUxYQ2r/WAtsG/nua5iAoqIlMqxjic9Z95G2a4K+AgGi5gVwhh:lqNfh2qjUh2r/1nsjqInjf5LViygVDGX
Malware Config
Extracted
hook
http://193.143.1.24
Signatures
-
Hook
Hook is an Android malware that is based on Ermac with RAT capabilities.
-
Loads dropped Dex/Jar 1 TTPs 3 IoCs
Runs executable file dropped to the device during analysis.
-
Makes use of the framework's Accessibility service 4 TTPs 3 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
-
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries information about running processes on the device 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about running processes on the device.
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Acquires the wake lock 1 IoCs
-
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
-
Performs UI accessibility actions on behalf of the user 1 TTPs 8 IoCs
Application may abuse the accessibility service to prevent their removal.
-
Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
-
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
-
Reads information about phone network operator. 1 TTPs
-
Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
-
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
-
Schedules tasks to execute at a specified time 1 TTPs 1 IoCs
Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
-
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
-
Checks CPU information 2 TTPs 1 IoCs
-
Checks memory information 2 TTPs 1 IoCs
Processes
-
com.hptzvyhwf.ryacheruu1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Queries information about running processes on the device
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries information about the current Wi-Fi connection
- Queries the mobile country code (MCC)
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Schedules tasks to execute at a specified time
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
-
/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.hptzvyhwf.ryacheruu/app_dex/classes.dex --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.hptzvyhwf.ryacheruu/app_dex/oat/x86/classes.odex --compiler-filter=quicken --class-loader-context=&2⤵
- Loads dropped Dex/Jar
-
Network
MITRE ATT&CK Mobile v15
Persistence
Event Triggered Execution
1Broadcast Receivers
1Foreground Persistence
1Scheduled Task/Job
1Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Impair Defenses
1Prevent Application Removal
1Input Injection
1Virtualization/Sandbox Evasion
2System Checks
2Credential Access
Access Notifications
1Input Capture
2GUI Input Capture
1Keylogging
1Discovery
Process Discovery
1Software Discovery
1Security Software Discovery
1System Information Discovery
2System Network Configuration Discovery
3System Network Connections Discovery
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.9MB
MD53babe20b4777345cb32d4eecc815b8dc
SHA16e8c071b59cfc6d5459255b17e17ccf4d017a094
SHA2565400a29cc8cde255da7d91b26ae87f22cbdd13f361b7e6ce1c3431f91e3ade04
SHA512360108ce98d60a9d1142acd669bf3e8c87c96af0a7cf845c6fe58ed738b1e0cab497530c611dd7ee247ee29c1fbff57adef02367e8d2ad93396d0d911e050aff
-
Filesize
1.0MB
MD5917ad44d4958aa2142e5d3103ada5744
SHA1540ac218739e6b8565ab714fd716f5a032089354
SHA256798f125e7b854449c8147cca93cf1f810a02c835ec075d098f0ca93aff93310f
SHA512b2fde4997ed8308833eb79d5ff5ac2b641dc9e50988a03bca04bbd7b54f45d17212cc4a3795862b019ca1821b7e78c38f0b1b49190c6d4196b8fdd041520070c
-
Filesize
1.0MB
MD5be3c515468abeb7574d8e513dee090b2
SHA11b971919e3f73f78fe21822caf0100fd6528dec8
SHA256fe9b005ef34c9c172fd7c2f4f36404b8a2f768ed14d7aac5625acb2132705e83
SHA51264e1156a7fa34042f0936ce74ba9f804fb03a8d269cbea9c68f75c61f3556f21a4b3f685369eb3c1b8b50bd36336064645ecb86cc38d78471311c2414fc9df7e
-
Filesize
4KB
MD5f2b4b0190b9f384ca885f0c8c9b14700
SHA1934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA2560a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1
-
Filesize
512B
MD5fd9e9e847ad74b670abcf480742ca361
SHA1fa2c8b0b28431a1cef70fe5bcaa2ba0c325c7994
SHA2566658173c3a29ec525af042a4c04d1d7429201016a9b3b2ca3e5216958998ef05
SHA5125d1701052bfaf9fda99805e846200d53835ecccd30c0851aa19de253b316a10041e8c34612a3bdc255f8a03413094cf1c88318b63487d631bb977a86df02d731
-
Filesize
32KB
MD5bb7df04e1b0a2570657527a7e108ae23
SHA15188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012
-
Filesize
108KB
MD5a1d708b9dbc7f8366eb33a9138f4289a
SHA1f4fda0b25b27e8237005b21b57d360e18eaaee0d
SHA256437bc976e99589bca7c82e4ae657f84d3906d5f1df82b7070328a618792e5676
SHA512402ee9365bdc69a34f357e42b872154ea28197d56a240622505304b3db9f6c94533640fe65fbee332fcf37f4574d6d09e868809816a14597704e9079ee81987d
-
Filesize
173KB
MD52bed9bbd7677f5accb51f6db9a470621
SHA11b75fb3607a01e9815228d1d07dd156bf5906744
SHA256f27daa9ef673812abf7bbac41f5296134c5217b5600afa10af530482adf33caa
SHA512f6634deb6c751ceb66390962b23d2a40d1a2b3d2dd6e77569a03ebc349be3b3873edc97f18115cfd81d1aa6bd0f1713e518e2005353e603fc055dca10371726b
-
Filesize
16KB
MD55a0cabaae015b609575a52d9dd3bb7a8
SHA130fb14bf77e1ce2d53fd4c4c2d90563598bd06e6
SHA256d564ec12def45ccf6781bb5af0d837aa7fad6e10ff584895826c9ff822e99b5e
SHA512a5b34109b771d91026b5ab0bc3292c92af1276679ecd5d7ce77712a3e230a5a522c35143b215821fa23142e10b8bbf88e87d3f7ac07872bc23926939f093e8be
-
Filesize
2.9MB
MD5c967684d0e4a75d014c3fca68955b5df
SHA17b802108b2747d6f701b0847e00032085a3f90d2
SHA2563cf0599907744f8a80c52817329d6d7619594956093240bedbad99b87725438e
SHA512150d05de56fed4bccd90057902af91f6ffe40e6ac8b32d0821c289b4a02f309bf68274d599d7c363a2d1b959e879c2a11da31a7d3ea53eea4ac62064f4dd459c