Analysis
-
max time kernel
137s -
max time network
159s -
platform
android_x64 -
resource
android-x64-20240624-en -
resource tags
androidarch:x64arch:x86image:android-x64-20240624-enlocale:en-usos:android-10-x64system -
submitted
17-11-2024 22:01
Static task
static1
Behavioral task
behavioral1
Sample
a1cde728e002bea0c7a8ccbcdc768c07070595722586a96311cb8ee67c96541c.apk
Resource
android-x86-arm-20240624-en
Behavioral task
behavioral2
Sample
a1cde728e002bea0c7a8ccbcdc768c07070595722586a96311cb8ee67c96541c.apk
Resource
android-x64-20240624-en
Behavioral task
behavioral3
Sample
a1cde728e002bea0c7a8ccbcdc768c07070595722586a96311cb8ee67c96541c.apk
Resource
android-x64-arm64-20240624-en
General
-
Target
a1cde728e002bea0c7a8ccbcdc768c07070595722586a96311cb8ee67c96541c.apk
-
Size
4.5MB
-
MD5
3a3b6b6addb9363d29d71f812a206edf
-
SHA1
bc41f94bf099801f63ededa7cdc910d58f494611
-
SHA256
a1cde728e002bea0c7a8ccbcdc768c07070595722586a96311cb8ee67c96541c
-
SHA512
cf22aba65860af243eade0af31e31775307175693a01156f6a9bd07824c548a8a191d8ba56cf274521b43168b20309ffad479e4df3241af345c1142185d4a783
-
SSDEEP
98304:N7siz9gQAT+2isbirbnlad66nAJ4m8Th6NPk1FEQMQdsV2L:xLza96MbwLN6nAOPTh6NQMim2L
Malware Config
Extracted
hook
http://154.216.17.184
Signatures
-
Hook
Hook is an Android malware that is based on Ermac with RAT capabilities.
-
Hook family
-
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs executable file dropped to the device during analysis.
ioc pid Process /data/user/0/com.bitejkoup.ksmlommbb/app_dex/classes.dex 5007 com.bitejkoup.ksmlommbb /data/user/0/com.bitejkoup.ksmlommbb/app_dex/classes.dex 5007 com.bitejkoup.ksmlommbb -
Makes use of the framework's Accessibility service 4 TTPs 3 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
description ioc Process Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId com.bitejkoup.ksmlommbb Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText com.bitejkoup.ksmlommbb Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId com.bitejkoup.ksmlommbb -
Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs
Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
description ioc Process Framework service call android.content.IClipboard.addPrimaryClipChangedListener com.bitejkoup.ksmlommbb -
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries information about running processes on the device 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about running processes on the device.
description ioc Process Framework service call android.app.IActivityManager.getRunningAppProcesses com.bitejkoup.ksmlommbb -
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Acquires the wake lock 1 IoCs
description ioc Process Framework service call android.os.IPowerManager.acquireWakeLock com.bitejkoup.ksmlommbb -
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
description ioc Process Framework service call android.app.IActivityManager.setServiceForeground com.bitejkoup.ksmlommbb -
Performs UI accessibility actions on behalf of the user 1 TTPs 5 IoCs
Application may abuse the accessibility service to prevent their removal.
ioc Process android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.bitejkoup.ksmlommbb android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.bitejkoup.ksmlommbb android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.bitejkoup.ksmlommbb android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.bitejkoup.ksmlommbb android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.bitejkoup.ksmlommbb -
Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
description ioc Process Framework service call android.net.wifi.IWifiManager.getConnectionInfo com.bitejkoup.ksmlommbb -
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
description ioc Process Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone com.bitejkoup.ksmlommbb -
Reads information about phone network operator. 1 TTPs
-
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
description ioc Process Framework service call android.app.IActivityManager.registerReceiver com.bitejkoup.ksmlommbb -
Schedules tasks to execute at a specified time 1 TTPs 1 IoCs
Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
description ioc Process Framework service call android.app.job.IJobScheduler.schedule com.bitejkoup.ksmlommbb -
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
description ioc Process Framework API call javax.crypto.Cipher.doFinal com.bitejkoup.ksmlommbb -
Checks CPU information 2 TTPs 1 IoCs
description ioc Process File opened for read /proc/cpuinfo com.bitejkoup.ksmlommbb -
Checks memory information 2 TTPs 1 IoCs
description ioc Process File opened for read /proc/meminfo com.bitejkoup.ksmlommbb
Processes
-
com.bitejkoup.ksmlommbb1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Queries information about running processes on the device
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries information about the current Wi-Fi connection
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Schedules tasks to execute at a specified time
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:5007
Network
MITRE ATT&CK Mobile v15
Persistence
Event Triggered Execution
1Broadcast Receivers
1Foreground Persistence
1Scheduled Task/Job
1Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Impair Defenses
1Prevent Application Removal
1Input Injection
1Virtualization/Sandbox Evasion
2System Checks
2Credential Access
Clipboard Data
1Input Capture
2GUI Input Capture
1Keylogging
1Discovery
Process Discovery
1Software Discovery
1Security Software Discovery
1System Information Discovery
2System Network Configuration Discovery
3System Network Connections Discovery
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.9MB
MD525c51549ad94398e5cc70218ff594d83
SHA1e6b015de8602920cee2e6a061901cb383a4f430f
SHA2563ae726c5690e141f75dc336fb1f3b406729c96d6c620ad32cc79a08f2a00e354
SHA5128706c6882de933d94f7df7937f0e1049570d29b6b0e1e10b70fd3589fc429ad9546e816cc10c8e03ededc0f40828aaad7091f542280981c443f1708c9deaf173
-
Filesize
1.0MB
MD54ce48ab27e54230b63b0612bf5cbb718
SHA16b564617f8f684a05dea4a33d2e83f8dad1e39a0
SHA2563332c82cf7498d6c10b1d95b6239e71acfdd4aa9df5075b2b3a25dac4c372476
SHA512cad2af7f81e2a6b2af5f6256996039516b6e089975f8be1609968ef1d24a581a83613def7cec9db32bf20354101b60939246ba930c6dd0a2580ba7c47427f5cf
-
Filesize
1.0MB
MD56931b2ef642907d143d9bba65cb2982d
SHA13ad37de5876dc2e742b6d7d922efe6a6a4edafae
SHA25603e611aaaa0dd48347ebcec30ef700feb81616eb1e51669ac12df786fb9b7564
SHA5126579ca60f392fd4030ce160a94ce2410257ce1fe488df2bc34668e6f991347a12c8bed2d83f834b638be09bbe3f198c59bd549f20c2c7e3194fa2197952d3493
-
Filesize
4KB
MD5f2b4b0190b9f384ca885f0c8c9b14700
SHA1934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA2560a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1
-
Filesize
512B
MD54459c0a492fa6e3e6106337c63de351e
SHA1cfe874892eed5db517f75fdf1e4a702f3517b620
SHA25611bb6814d61a3704b82129c86bbd20735ef4f9d2435cf9d1f747f6e567b8d83e
SHA512c6a313005843f7db3df97a9bdbd6b1a82ca5cabff5ffac8e2312374d35f0f4f079773c6b2eacd0f025c5665c69194f6ceab4532a011507abc6d5ad5684403639
-
Filesize
32KB
MD5bb7df04e1b0a2570657527a7e108ae23
SHA15188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012
-
Filesize
16KB
MD50a0e17b75915cfeb2d981874b22a5ce6
SHA14b632df08f49e6186dfdae21af74d08383f1f4f0
SHA256ffc18fa57660d73bd2f57e104610e1b3ec2e7f7c7d51ef6aa0f87c74d99e654f
SHA51240f0c2d9354aba94c182e8ba236979d48be32ea6fefadf8305350c878fc11054d6a581081d742d0a4120841d5a82876ce65e70918ef6a3f8a8383186897bc8ca
-
Filesize
108KB
MD5eb7e24e55130e7da3090e3aeff49f2d2
SHA18d2ea5c713520cfdf3ab665e0b9a8ff82476d297
SHA2569ff673836617c5f83ce8fe38f9a57177b52b61d8692388f99a10a2584c188e5a
SHA512d5f589dc0c998c59d6819c38c9f1302c1ffb84d8ac21e15c157b33efb5a2f6d227c14a4339743d3988f115b0fbcdaf5b25e59a0961c281f9a84b55b07c122392
-
Filesize
173KB
MD5927c1db357879229dd1ee52969d4a8e6
SHA143b385bac8fc7f485b39172010ca732eabe69ce4
SHA256f5d727f8b8d36c8aced5d2b02c9ec3259914b2749970f7174716d5f243af7aa7
SHA512029f98e395507be7c1e31a6e4cebce97f885f5e24bd595fec167e7f0f3c2b72c96b972fa636fe8cfabf2ab14b7846e949ea1993737ed31f5007b570fee2d9c17