Analysis
max time kernel: 147s
max time network: 158s
platform: android_x86
resource: android-x86-arm-20240624-en
resource tags: android, arch:arm, arch:x86, image:android-x86-arm-20240624-en, locale:en-us, os:android-9-x86, system
submitted: 11-11-2024 22:01
Static task: static1
Behavioral task: behavioral1
  Sample: 6ad2691cec280e4eafff211113adbc063089e30855daa4382e69bf031bc14a83.apk
  Resource: android-x86-arm-20240624-en
Behavioral task: behavioral2
  Sample: 6ad2691cec280e4eafff211113adbc063089e30855daa4382e69bf031bc14a83.apk
  Resource: android-x64-20240624-en
Behavioral task: behavioral3
  Sample: 6ad2691cec280e4eafff211113adbc063089e30855daa4382e69bf031bc14a83.apk
  Resource: android-x64-arm64-20240624-en
General
Target: 6ad2691cec280e4eafff211113adbc063089e30855daa4382e69bf031bc14a83.apk
Size: 4.2MB
MD5: 0fe3b8a38217d77be4935ffb62cc30f9
SHA1: c193c42204c1f8bd2feac4eacbaf08bf4a6a5a3d
SHA256: 6ad2691cec280e4eafff211113adbc063089e30855daa4382e69bf031bc14a83
SHA512: 67c21e3db4f93f756c48cedb127f19c4f3f701f0abce20a6a81d338a1d6b2863845ce341623ba42ee3443868cabaf5d45f8cf1325cf19567670672205666859d
SSDEEP: 98304:1856qVvPKFINLj+B1l8V3cHzun1/ZkZQo44Eb:u3NR01l85cS1/yGlz
Malware Config
Extracted
Family: hook
C2: http://94.141.120.34
Signatures
-
Hook
Hook is an Android banking trojan derived from ERMAC that adds remote-access (RAT) capabilities on top of the ERMAC overlay and credential-theft feature set.
-
Hook family
-
Loads dropped Dex/Jar 1 TTPs 3 IoCs
Runs executable file dropped to the device during analysis.
ioc | pid | Process
/data/user/0/com.fcghuasqt.cotcrxzol/app_dex/classes.dex | 4280 | com.fcghuasqt.cotcrxzol
/data/user/0/com.fcghuasqt.cotcrxzol/app_dex/classes.dex | 4310 | /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.fcghuasqt.cotcrxzol/app_dex/classes.dex --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.fcghuasqt.cotcrxzol/app_dex/oat/x86/classes.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/com.fcghuasqt.cotcrxzol/app_dex/classes.dex | 4280 | com.fcghuasqt.cotcrxzol
-
Makes use of the framework's Accessibility service 4 TTPs 3 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
description | ioc | Process
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | com.fcghuasqt.cotcrxzol
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | com.fcghuasqt.cotcrxzol
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | com.fcghuasqt.cotcrxzol
-
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries information about running processes on the device 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about running processes on the device.
description | ioc | Process
Framework service call | android.app.IActivityManager.getRunningAppProcesses | com.fcghuasqt.cotcrxzol
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Acquires the wake lock 1 IoCs
description | ioc | Process
Framework service call | android.os.IPowerManager.acquireWakeLock | com.fcghuasqt.cotcrxzol
-
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse a foreground service to keep running under a persistent notification and resist being killed in the background.
description | ioc | Process
Framework service call | android.app.IActivityManager.setServiceForeground | com.fcghuasqt.cotcrxzol
-
Performs UI accessibility actions on behalf of the user 1 TTPs 8 IoCs
Application may abuse the accessibility service to prevent its own removal.
ioc | Process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | com.fcghuasqt.cotcrxzol (8 calls)
-
Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
description | ioc | Process
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | com.fcghuasqt.cotcrxzol
-
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
description | ioc | Process
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | com.fcghuasqt.cotcrxzol
-
Reads information about phone network operator. 1 TTPs
-
Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
description | ioc | Process
Intent action | android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS | com.fcghuasqt.cotcrxzol
-
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
description | ioc | Process
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | com.fcghuasqt.cotcrxzol
-
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
description | ioc | Process
Framework service call | android.app.IActivityManager.registerReceiver | com.fcghuasqt.cotcrxzol
-
Schedules tasks to execute at a specified time 1 TTPs 1 IoCs
Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
description | ioc | Process
Framework service call | android.app.job.IJobScheduler.schedule | com.fcghuasqt.cotcrxzol
-
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
description | ioc | Process
Framework API call | javax.crypto.Cipher.doFinal | com.fcghuasqt.cotcrxzol
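The accessibility-service, notification-listener and battery-optimization signatures above are the grants Hook has to talk the victim into approving; on a suspect device they are also the quickest things to check. The following Python is an added example, not part of this report or of any sandbox tooling. It parses the two Settings.Secure values a responder pulls with `adb shell settings get secure enabled_accessibility_services` and `adb shell settings get secure enabled_notification_listeners` (colon-separated package/class component names, or the literal `null` when unset) and reports every component whose package is not on an allowlist. The setting values, the allowlist and the service class names under the report's package are constructed for the example.

```python
from dataclasses import dataclass

# Constructed Settings.Secure values, shaped like the output of
#   adb shell settings get secure enabled_accessibility_services
#   adb shell settings get secure enabled_notification_listeners
# Entries are colon-separated ComponentName strings (package/class).
# TalkBack is a common legitimate accessibility service; the other entries use
# the package from this report with assumed class names.
ACCESSIBILITY = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.fcghuasqt.cotcrxzol/.AccessibilityService"
)
NOTIFICATION_LISTENERS = "com.fcghuasqt.cotcrxzol/.NotificationListener"

# Packages an organisation has decided may hold these grants (assumption).
ALLOWLIST = {"com.google.android.marvin.talkback", "com.android.systemui"}


@dataclass(frozen=True)
class Grant:
    setting: str
    package: str
    component: str


def parse_components(value):
    """Split a Settings.Secure component list into (package, component) pairs.
    `settings get` prints the literal string 'null' for an unset key."""
    if value is None or value.strip() in ("", "null"):
        return []
    out = []
    for item in value.split(":"):
        item = item.strip()
        if not item or "/" not in item:
            continue
        pkg, cls = item.split("/", 1)
        # A leading '.' is shorthand for a class inside the package.
        full = pkg + cls if cls.startswith(".") else cls
        out.append((pkg, pkg + "/" + full))
    return out


def audit(accessibility, listeners, allowlist=ALLOWLIST):
    """Return the grants held by packages outside the allowlist."""
    findings = []
    for setting, value in (("enabled_accessibility_services", accessibility),
                           ("enabled_notification_listeners", listeners)):
        for pkg, comp in parse_components(value):
            if pkg not in allowlist:
                findings.append(Grant(setting, pkg, comp))
    return findings


def packages_with_both(findings):
    """A package holding both an accessibility grant and a notification-listener
    grant matches the pattern in this report and is the first thing to look at."""
    by_pkg = {}
    for g in findings:
        by_pkg.setdefault(g.package, set()).add(g.setting)
    return sorted(p for p, s in by_pkg.items() if len(s) == 2)


if __name__ == "__main__":
    found = audit(ACCESSIBILITY, NOTIFICATION_LISTENERS)
    for g in found:
        print(f"{g.setting}: {g.component}")
    print("packages holding both grants:", packages_with_both(found))
```

The allowlist is the part to tune: an accessibility service belonging to an unknown package is not proof of infection, but together with a notification listener from the same package it is the combination this sample requests, and the package can then be checked against the hashes in this report.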
Processes
-
com.fcghuasqt.cotcrxzol
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Queries information about running processes on the device
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries information about the current Wi-Fi connection
- Queries the mobile country code (MCC)
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Schedules tasks to execute at a specified time
- Uses Crypto APIs (Might try to encrypt user data)
PID:4280
-
  /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.fcghuasqt.cotcrxzol/app_dex/classes.dex --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.fcghuasqt.cotcrxzol/app_dex/oat/x86/classes.odex --compiler-filter=quicken --class-loader-context=& (spawned by PID 4280)
  - Loads dropped Dex/Jar
  PID:4310
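The process tree is the most portable detection artifact in this report: the sample's own process spawns dex2oat to compile a DEX that sits under its private data directory (`/data/user/0/<package>/app_dex/`), which the package manager never writes to. Install-time compiles read from `/data/app/` instead. The following Python is an added example (not sandbox or ART code) that applies that rule to process-start records; the first record is the dex2oat command line from this report with its parent PID from the tree, the second is a constructed benign install-time compile so the check has a case to ignore.

```python
import re
import shlex
from dataclasses import dataclass

# Process-start records as (pid, ppid, cmdline). The first is the dex2oat
# invocation from this report, spawned by the sample's process (PID 4280).
# The second is a constructed install-time compile of an APK under /data/app.
SAMPLE_EVENTS = [
    (4310, 4280,
     "/system/bin/dex2oat --instruction-set=x86 "
     "--instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt "
     "--runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate "
     "--boot-image=/system/framework/boot.art --runtime-arg -Xms64m "
     "--runtime-arg -Xmx512m --instruction-set-variant=x86 "
     "--instruction-set-features=default --inline-max-code-units=0 "
     "--compact-dex-level=none "
     "--dex-file=/data/user/0/com.fcghuasqt.cotcrxzol/app_dex/classes.dex "
     "--output-vdex-fd=41 --oat-fd=42 "
     "--oat-location=/data/user/0/com.fcghuasqt.cotcrxzol/app_dex/oat/x86/classes.odex "
     "--compiler-filter=quicken --class-loader-context=&"),
    (2001, 1001,
     "/system/bin/dex2oat --instruction-set=x86 "
     "--dex-file=/data/app/com.example.notes-1/base.apk "
     "--oat-location=/data/app/com.example.notes-1/oat/x86/base.odex "
     "--compiler-filter=speed-profile"),
]

# App-private storage: /data/user/<userid>/<pkg>/... or its legacy alias
# /data/data/<pkg>/... . Code here was written by the app itself at runtime.
APP_PRIVATE = re.compile(r"^/data/(?:user/\d+|data)/(?P<pkg>[A-Za-z0-9_.]+)/(?P<rel>.+)$")


def parse_dex2oat(cmdline):
    """Return dex2oat's --key=value options as a dict, or None if the command
    is not dex2oat. Bare tokens (the values after --runtime-arg) are skipped;
    a flag given twice keeps the last value seen."""
    argv = shlex.split(cmdline)
    if not argv or not argv[0].endswith("dex2oat"):
        return None
    opts = {}
    for tok in argv[1:]:
        if tok.startswith("--") and "=" in tok:
            key, value = tok[2:].split("=", 1)
            opts[key] = value
    return opts


@dataclass(frozen=True)
class Finding:
    pid: int
    ppid: int
    package: str
    dex_file: str
    relative_path: str
    compiler_filter: str


def check_event(pid, ppid, cmdline):
    """Flag a dex2oat run whose input DEX lives in app-private storage."""
    opts = parse_dex2oat(cmdline)
    if not opts or "dex-file" not in opts:
        return None
    m = APP_PRIVATE.match(opts["dex-file"])
    if m is None:
        return None  # /data/app or system image: a normal install-time compile
    return Finding(pid, ppid, m["pkg"], opts["dex-file"], m["rel"],
                   opts.get("compiler-filter", ""))


def scan(events):
    return [f for f in (check_event(*e) for e in events) if f is not None]


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"pid {f.pid} (parent {f.ppid}): {f.package} compiled "
              f"{f.relative_path} with --compiler-filter={f.compiler_filter}")
```

This only fires when the runtime hands a file-backed DEX to dex2oat, as it did on the Android 9 image used here; a payload loaded through an in-memory class loader produces no dex2oat process, so pair the rule with file-creation monitoring for writes under an app's `app_dex/` or similar private directories.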
-
Network
MITRE ATT&CK Mobile v15
Persistence: Event Triggered Execution (1), Broadcast Receivers (1), Foreground Persistence (1), Scheduled Task/Job (1)
Defense Evasion: Download New Code at Runtime (1), Foreground Persistence (1), Hide Artifacts (1), User Evasion (1), Impair Defenses (1), Prevent Application Removal (1), Input Injection (1)
Credential Access: Access Notifications (1), Input Capture (2), GUI Input Capture (1), Keylogging (1)
Discovery: Process Discovery (1), Software Discovery (1), Security Software Discovery (1), System Network Configuration Discovery (3), System Network Connections Discovery (1)
Downloads
-
Filesize: 2.9MB
MD5: d5e525a5383d83e0192418408d726e68
SHA1: 88a20733bf3e31a3cc8115ecf9468a6f7d8c3066
SHA256: eb5e87c5bc8954d4ead3b88f1858b4d68d3e0966e632b1c36c9c897f01313161
SHA512: db158c02d0e411a80d58ef183d462ff3321b36e7e7ed7da633a281ef3adf671184c74cbd2d15aa6ee3b1592c9d01f2f865be4ecf9f3b0e0a1b3f717084f133b2
-
Filesize: 1.0MB
MD5: c56aac70f3062c5f1faf1292964061f0
SHA1: d05a25611b3e8b314f719a588720a50825952c6e
SHA256: 4e9860b0baf238b0b8f225eb3b04f1c8b2052f68f7d23b76b9a0028f6d308789
SHA512: f93e4838e586178ac7c579f76d0f26c14f829c6f37cb38d3a63c2e45415dd0d8216497113d37e5ad9ba1026d9d60361f5e7d163588612b9eff8dc990514c29de
-
Filesize: 1.0MB
MD5: 591e04e6123cd403268deea290ea721d
SHA1: 3c5497418cbd71546cd8088fc68521f43271858a
SHA256: cde626a00e2d305de23d293329279b32a3efac0432197636cdd1eb37a4ee8698
SHA512: 53aec2f1258edc52c2c139d238505477e902393200001a4e7e3b4d798a75e4b929fd38c002bfac0a85c3524873eae20f86120bc0d49c039cd1c9fc5a9b1653ac
-
Filesize: 4KB
MD5: f2b4b0190b9f384ca885f0c8c9b14700
SHA1: 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256: 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512: ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1
-
Filesize: 512B
MD5: e8613fb6a4de17e3ca6b2cdb2c5d02fe
SHA1: 5981e7d4c511fad307aedc226df68dd6e9f22ddc
SHA256: ad713a8396480917e7673f22938393298691773200a68d6deeade4da3b6eb3f5
SHA512: cc41461b8b3d672cee92901971792671cb3173c6f7977a9f610c7d5593746e38adafeeae10bbc639037c0ef4931e51caa6e25fdf489d47defa2a0b5b50ac9289
-
Filesize: 32KB
MD5: bb7df04e1b0a2570657527a7e108ae23
SHA1: 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256: c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512: 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012
-
Filesize: 108KB
MD5: ded715618baf5591846f9a9cb0282566
SHA1: 519bf7333426407c96e078e48b1413e42d314c36
SHA256: 5fcadaaee34319dfede6863ba9b0527ee3c90089b1160df8c49a734ebdf37b0c
SHA512: 8fb66db032a49b45b60f8a09cfdeb37dd7159a1df6f47c596ad4822e005d1c993968c73b620ae904d13459eee461bc37367532aa63c8e22b7596b4f8c18cda81
-
Filesize: 173KB
MD5: 35572102b0b6e8e1ed3181e21e81b671
SHA1: 9ac7dc785a2c98371a5b0f0663c84a87493263e2
SHA256: 22af3b87123d4df85ebc03284c860be199095e26a4add68d5be65152462d2a81
SHA512: d7d468d862456831b79422dc62b54b81141926aa052198d8554bc2f55fdfea242d035b91a9ff79dd5024e4947bd74fe893295b3d7148b4d24be78e08ff9238b8
-
Filesize: 16KB
MD5: 4f767a8975bb0c70c08fd43fba4db9ec
SHA1: 4e1937327de22014df3aaf75c5aa9261e25beabb
SHA256: ca1faeb04802031c26f8b5ad7613e92e9e640f80df309ea24acba64508d04d47
SHA512: c006dacdd8b9d916e911ab430930edc0e0c8317658356f71ab9d4d0599d62e6dc7c4355c087e61dfc1d0a0c8d00df2b4cff8e02350280b0c033513b9b517ed61
-
Filesize: 2.9MB
MD5: 8136f34b56123f1f63d16db8dad0b661
SHA1: bf0a3de0c76160d57131209c0311fb5c358e9964
SHA256: eb8854d114b631493d446e12f4f428342cbd20000a9beaaf9bce0139045c7b44
SHA512: e696c574074bd8e72a7868b3241d1608a583bf2aeb411f48665f7a599274d095570a636b1729c26c2647db8fab424e0a1e2a6d156e6707a98dd4527ba733b5e4
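The report shows the sample writing a second-stage `classes.dex` to its private directory, calling `javax.crypto.Cipher.doFinal`, and leaving several megabyte-sized artifacts behind, but it does not say where that DEX came from (the ATT&CK mapping lists Download New Code at Runtime). A common arrangement in Android droppers is an encrypted payload carried inside the APK and decrypted on first run; whether this sample does that is an assumption, not something the report confirms. The following Python is an added static triage step (not the sandbox's or the malware's code) that makes that question answerable offline: it opens an APK as a zip, looks in each `classes*.dex` for references to the runtime class loaders, and measures the byte entropy of every non-media entry to spot opaque blobs. The APK it runs on is constructed in memory for the example; the deterministic SHA-256 stream stands in for an encrypted payload.

```python
import hashlib
import io
import math
import zipfile

# Type descriptors that appear in a DEX string table when the code loads
# classes from files it did not ship as installed code.
LOADER_REFS = (
    b"Ldalvik/system/DexClassLoader;",
    b"Ldalvik/system/InMemoryDexClassLoader;",
    b"Ldalvik/system/PathClassLoader;",
)

# Entry types that are compressed by nature; high entropy there is expected.
SKIP_SUFFIXES = (".png", ".jpg", ".jpeg", ".webp", ".gif", ".ogg", ".mp3",
                 ".mp4", ".ttf", ".otf", ".woff", ".woff2")
MIN_SIZE = 1024          # entropy of very small entries is not meaningful
ENTROPY_THRESHOLD = 7.5  # bits per byte; text, XML and code sit well below


def shannon_entropy(data):
    """Shannon entropy in bits per byte (0.0 for empty or single-valued input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def triage_apk(apk_bytes):
    """Scan an APK for runtime loader references and high-entropy entries."""
    loader_refs = set()
    suspicious = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for info in z.infolist():
            if info.is_dir():
                continue
            name = info.filename
            data = z.read(name)
            if name.startswith("classes") and name.endswith(".dex"):
                for ref in LOADER_REFS:
                    if ref in data:
                        loader_refs.add(ref.decode())
                continue
            if name.lower().endswith(SKIP_SUFFIXES) or len(data) < MIN_SIZE:
                continue
            h = shannon_entropy(data)
            if h >= ENTROPY_THRESHOLD:
                suspicious.append((name, len(data), round(h, 3)))
    return {
        "loader_refs": sorted(loader_refs),
        "high_entropy_entries": suspicious,
        # Both together are what a packed dropper looks like; either alone is weak.
        "verdict": bool(loader_refs) and bool(suspicious),
    }


def build_sample_apk():
    """Constructed stand-in for a dropper: a stub 'classes.dex' carrying only
    the DEX magic and a DexClassLoader reference, an opaque 8 KiB asset made
    from a deterministic SHA-256 stream (standing in for an encrypted payload),
    a low-entropy text asset for contrast, and a .png that is skipped by suffix."""
    payload = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(256))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 64
                   + b"Ldalvik/system/DexClassLoader;" + b"\x00" * 64)
        z.writestr("assets/payload.bin", payload)
        z.writestr("assets/config.txt", b"server=example.invalid\n" * 60)
        z.writestr("res/drawable/icon.png", payload[:2048])
    return buf.getvalue()


if __name__ == "__main__":
    result = triage_apk(build_sample_apk())
    print("loader refs:", result["loader_refs"])
    for name, size, h in result["high_entropy_entries"]:
        print(f"opaque entry {name}: {size} bytes, {h} bits/byte")
    print("packed-dropper pattern:", result["verdict"])
```

Point `triage_apk` at the bytes of a real APK to run it against this sample. A high-entropy asset next to a `DexClassLoader` reference is a reason to pull the decryption routine out of the DEX and recover the second stage statically; the absence of such an asset points to the download path instead, which the extracted server address is the place to start on.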