Analysis
-
max time kernel
147s -
max time network
155s -
platform
android_x64 -
resource
android-x64-20240624-en -
resource tags
androidarch:x64arch:x86image:android-x64-20240624-enlocale:en-usos:android-10-x64system -
submitted
24-10-2024 22:11
Behavioral task
behavioral1
Sample
a5bfbde8c7dccc9557a3299c0f62d77370caf66eba3cb338ddb1e7cee3cef02d.apk
Resource
android-x86-arm-20240624-en
Behavioral task
behavioral2
Sample
a5bfbde8c7dccc9557a3299c0f62d77370caf66eba3cb338ddb1e7cee3cef02d.apk
Resource
android-x64-20240624-en
Behavioral task
behavioral3
Sample
a5bfbde8c7dccc9557a3299c0f62d77370caf66eba3cb338ddb1e7cee3cef02d.apk
Resource
android-x64-arm64-20240624-en
General
-
Target
a5bfbde8c7dccc9557a3299c0f62d77370caf66eba3cb338ddb1e7cee3cef02d.apk
-
Size
3.9MB
-
MD5
31cdb66fa4f4c20bbcd37356dcecce25
-
SHA1
afacf76c670118c85936636d38779ff9c65bb755
-
SHA256
a5bfbde8c7dccc9557a3299c0f62d77370caf66eba3cb338ddb1e7cee3cef02d
-
SHA512
78b8fed0d962464cbacc18401e831c72c5926b0e768bca98b0cc4c5104af3598b1fd2ecd2bb4c5505710653a8a9c17789e0377c446acd7506f2bc2779db59478
-
SSDEEP
98304:8g9RRqaHrTIbUIyM0g+2ZCj4BWSG/JjMUE71Kv9B2Q+/mg:8g9RoaH3Ib1B0x2ZkZja7cBT+3
Malware Config
Extracted
hook
https://ws.fastmano.shop
Signatures
-
Hook
Hook is an Android malware that is based on Ermac with RAT capabilities.
-
Makes use of the framework's Accessibility service 4 TTPs 3 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
description ioc Process Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId com.tencent.mm Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText com.tencent.mm Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId com.tencent.mm -
Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs
Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
description ioc Process Framework service call android.content.IClipboard.addPrimaryClipChangedListener com.tencent.mm -
Queries information about running processes on the device 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about running processes on the device.
description ioc Process Framework service call android.app.IActivityManager.getRunningAppProcesses com.tencent.mm -
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Acquires the wake lock 1 IoCs
description ioc Process Framework service call android.os.IPowerManager.acquireWakeLock com.tencent.mm -
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
description ioc Process Framework service call android.app.IActivityManager.setServiceForeground com.tencent.mm -
Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
description ioc Process Framework service call android.net.wifi.IWifiManager.getConnectionInfo com.tencent.mm -
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
description ioc Process Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone com.tencent.mm -
Reads information about phone network operator. 1 TTPs
-
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
description ioc Process Framework service call android.app.IActivityManager.registerReceiver com.tencent.mm -
Schedules tasks to execute at a specified time 1 TTPs 1 IoCs
Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
description ioc Process Framework service call android.app.job.IJobScheduler.schedule com.tencent.mm -
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
description ioc Process Framework API call javax.crypto.Cipher.doFinal com.tencent.mm -
Checks CPU information 2 TTPs 1 IoCs
description ioc Process File opened for read /proc/cpuinfo com.tencent.mm -
Checks memory information 2 TTPs 1 IoCs
description ioc Process File opened for read /proc/meminfo com.tencent.mm
Processes
-
com.tencent.mm1⤵
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Queries information about running processes on the device
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Queries information about the current Wi-Fi connection
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Schedules tasks to execute at a specified time
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:4974
Network
MITRE ATT&CK Mobile v15
Persistence
Event Triggered Execution
1Broadcast Receivers
1Foreground Persistence
1Scheduled Task/Job
1Defense Evasion
Foreground Persistence
1Input Injection
1Virtualization/Sandbox Evasion
2System Checks
2Credential Access
Clipboard Data
1Input Capture
2GUI Input Capture
1Keylogging
1Discovery
Process Discovery
1System Information Discovery
2System Network Configuration Discovery
3System Network Connections Discovery
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4KB
MD5f2b4b0190b9f384ca885f0c8c9b14700
SHA1934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA2560a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1
-
Filesize
512B
MD53062991e82e28b4ff5b9cef1133f3d75
SHA167d7b652b386eb6318bc7fe3690d46e91f5e68bd
SHA256a7f22043ec76b2ea9f8f6db9c5f9ac5dbd50a2457940ef566a79ab807307e0a3
SHA5123923d3ee755c935dfaf769e2945f1cbc9691b31e2831d9bffe4b8350559dfc321d9b89e6976134235bc47f994d17d5958816eeda729bba73a2dacb94b459e030
-
Filesize
32KB
MD5bb7df04e1b0a2570657527a7e108ae23
SHA15188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012
-
Filesize
16KB
MD501e01514270ec9f7f1fe5e4e75bbf194
SHA1805df8e0dd3b5f5fd528ed82d1289c922f0f883e
SHA256f1771b2c77a77723176b024cee2a993c84c07a13125b398c48dad58afe877bb1
SHA51271a20bc74ec89d2ec2885986605c3a03b2ebed9f5b8b1cc02c8935ba965700dfca056dd51206ded30421c7da446c6fe2c811e28c340353adcc54441053d50950
-
Filesize
108KB
MD5a5dfe356d0769c03fd55a9410dbb147b
SHA17076c384f0a0393e0b0f638cd4cc4aebcdf17f95
SHA2567fa89f71ded0fc2e4dc4674cd7b9bb4c9e93938c465a3cfdbe0910b871c555d4
SHA5121cc551904a9a57b933bd914c639dbda456d5de89297ad643e02184a65129942380993ff09ba6332e317cc9985125a5c4d3899dfde9c604d75b14978fe8c28d61
-
Filesize
173KB
MD5fd5a57db07fa470c28cdfe6f7b26d854
SHA1e6257bdc10968a093c9ec9a75a8d999d33d5a232
SHA2568c64bf587bd17c8ba49215dc0400bf4c41ab53b84ef1d633890727c9ae67590c
SHA512e313d6297948906e626bc11ee40395157908802b3535fdd0c96be609a027a01bd6a567f77721b67f10fa044cf4277c1c88c25eb2f69409da1b294fff673f8fe7