Analysis
-
max time kernel
130s -
max time network
159s -
platform
android_x64 -
resource
android-x64-arm64-20240624-en -
resource tags
androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240624-enlocale:en-usos:android-11-x64system -
submitted
17-11-2024 22:01
Static task
static1
Behavioral task
behavioral1
Sample
a1cde728e002bea0c7a8ccbcdc768c07070595722586a96311cb8ee67c96541c.apk
Resource
android-x86-arm-20240624-en
Behavioral task
behavioral2
Sample
a1cde728e002bea0c7a8ccbcdc768c07070595722586a96311cb8ee67c96541c.apk
Resource
android-x64-20240624-en
Behavioral task
behavioral3
Sample
a1cde728e002bea0c7a8ccbcdc768c07070595722586a96311cb8ee67c96541c.apk
Resource
android-x64-arm64-20240624-en
General
-
Target
a1cde728e002bea0c7a8ccbcdc768c07070595722586a96311cb8ee67c96541c.apk
-
Size
4.5MB
-
MD5
3a3b6b6addb9363d29d71f812a206edf
-
SHA1
bc41f94bf099801f63ededa7cdc910d58f494611
-
SHA256
a1cde728e002bea0c7a8ccbcdc768c07070595722586a96311cb8ee67c96541c
-
SHA512
cf22aba65860af243eade0af31e31775307175693a01156f6a9bd07824c548a8a191d8ba56cf274521b43168b20309ffad479e4df3241af345c1142185d4a783
-
SSDEEP
98304:N7siz9gQAT+2isbirbnlad66nAJ4m8Th6NPk1FEQMQdsV2L:xLza96MbwLN6nAOPTh6NQMim2L
Malware Config
Extracted
hook
http://154.216.17.184
Signatures
-
Hook
Hook is an Android malware that is based on Ermac with RAT capabilities.
-
Hook family
-
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs executable file dropped to the device during analysis.
ioc pid Process /data/user/0/com.bitejkoup.ksmlommbb/app_dex/classes.dex 4516 com.bitejkoup.ksmlommbb /data/user/0/com.bitejkoup.ksmlommbb/app_dex/classes.dex 4516 com.bitejkoup.ksmlommbb -
Makes use of the framework's Accessibility service 4 TTPs 3 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
description ioc Process Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText com.bitejkoup.ksmlommbb Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId com.bitejkoup.ksmlommbb Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId com.bitejkoup.ksmlommbb -
Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs
Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
description ioc Process Framework service call android.content.IClipboard.addPrimaryClipChangedListener com.bitejkoup.ksmlommbb -
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries information about running processes on the device 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about running processes on the device.
description ioc Process Framework service call android.app.IActivityManager.getRunningAppProcesses com.bitejkoup.ksmlommbb -
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Acquires the wake lock 1 IoCs
description ioc Process Framework service call android.os.IPowerManager.acquireWakeLock com.bitejkoup.ksmlommbb -
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
description ioc Process Framework service call android.app.IActivityManager.setServiceForeground com.bitejkoup.ksmlommbb -
Performs UI accessibility actions on behalf of the user 1 TTPs 5 IoCs
Application may abuse the accessibility service to prevent their removal.
ioc Process android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.bitejkoup.ksmlommbb android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.bitejkoup.ksmlommbb android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.bitejkoup.ksmlommbb android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.bitejkoup.ksmlommbb android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.bitejkoup.ksmlommbb -
Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
description ioc Process Framework service call android.net.wifi.IWifiManager.getConnectionInfo com.bitejkoup.ksmlommbb -
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
description ioc Process Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone com.bitejkoup.ksmlommbb -
Reads information about phone network operator. 1 TTPs
-
Schedules tasks to execute at a specified time 1 TTPs 1 IoCs
Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
description ioc Process Framework service call android.app.job.IJobScheduler.schedule com.bitejkoup.ksmlommbb -
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
description ioc Process Framework API call javax.crypto.Cipher.doFinal com.bitejkoup.ksmlommbb -
Checks CPU information 2 TTPs 1 IoCs
description ioc Process File opened for read /proc/cpuinfo com.bitejkoup.ksmlommbb -
Checks memory information 2 TTPs 1 IoCs
description ioc Process File opened for read /proc/meminfo com.bitejkoup.ksmlommbb
Processes
-
com.bitejkoup.ksmlommbb1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Queries information about running processes on the device
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries information about the current Wi-Fi connection
- Queries the mobile country code (MCC)
- Schedules tasks to execute at a specified time
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:4516
Network
MITRE ATT&CK Mobile v15
Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Impair Defenses
1Prevent Application Removal
1Input Injection
1Virtualization/Sandbox Evasion
2System Checks
2Credential Access
Clipboard Data
1Input Capture
2GUI Input Capture
1Keylogging
1Discovery
Process Discovery
1Software Discovery
1Security Software Discovery
1System Information Discovery
2System Network Configuration Discovery
3System Network Connections Discovery
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.9MB
MD525c51549ad94398e5cc70218ff594d83
SHA1e6b015de8602920cee2e6a061901cb383a4f430f
SHA2563ae726c5690e141f75dc336fb1f3b406729c96d6c620ad32cc79a08f2a00e354
SHA5128706c6882de933d94f7df7937f0e1049570d29b6b0e1e10b70fd3589fc429ad9546e816cc10c8e03ededc0f40828aaad7091f542280981c443f1708c9deaf173
-
Filesize
1.0MB
MD54ce48ab27e54230b63b0612bf5cbb718
SHA16b564617f8f684a05dea4a33d2e83f8dad1e39a0
SHA2563332c82cf7498d6c10b1d95b6239e71acfdd4aa9df5075b2b3a25dac4c372476
SHA512cad2af7f81e2a6b2af5f6256996039516b6e089975f8be1609968ef1d24a581a83613def7cec9db32bf20354101b60939246ba930c6dd0a2580ba7c47427f5cf
-
Filesize
1.0MB
MD56931b2ef642907d143d9bba65cb2982d
SHA13ad37de5876dc2e742b6d7d922efe6a6a4edafae
SHA25603e611aaaa0dd48347ebcec30ef700feb81616eb1e51669ac12df786fb9b7564
SHA5126579ca60f392fd4030ce160a94ce2410257ce1fe488df2bc34668e6f991347a12c8bed2d83f834b638be09bbe3f198c59bd549f20c2c7e3194fa2197952d3493
-
Filesize
4KB
MD57e858c4054eb00fcddc653a04e5cd1c6
SHA12e056bf31a8d78df136f02a62afeeca77f4faccf
SHA2569010186c5c083155a45673017d1e31c2a178e63cc15a57bbffde4d1956a23dad
SHA512d0c7a120940c8e637d5566ef179d01eff88a2c2650afda69ad2a46aad76533eaace192028bba3d60407b4e34a950e7560f95d9f9b8eebe361ef62897d88b30cb
-
Filesize
512B
MD5071d00a6a3bc888f7edf51df1eca5467
SHA1d0c8dd2b3aeeb69766e72eff0b979f82e52c0817
SHA2560463704a4ddfd9b1f16744347c2f67fe95fe3b62fc3402088ab88c73f1099052
SHA512680b78f519222c2e2839084177c15768b9e907e87e3226fe7e7e2fe8699ad94401913436741140a076a3ac9143d6f211d47b962ae1a8c2cd4855192bbf4dcce8
-
Filesize
32KB
MD5bb7df04e1b0a2570657527a7e108ae23
SHA15188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012
-
Filesize
16KB
MD5c7747bc4ec9d67316ebfeb4e7d6d857b
SHA192f9c9a434e15b21801a522af63c67cf33d331d4
SHA2567b066b97c6de9841df9855b9ed3ae5df85d4276cc4068d750a0dacd1b23c6651
SHA512905d95f5aa33504381d53b1d0ab33c8e15bbff5c900a03d639118e6a309e220837b7a308e7dff2de86a4831575763391e7efcf0efe6ce1ebdfa99a1512731823
-
Filesize
108KB
MD5f69cf06ef06360b75627045bc37e9dfd
SHA13a74bc0ac03df5be860a5a9d2ec0dd6f93ceb44a
SHA2565d12ac9e48ffa0bf13bc92b38d3bff0ce18f60627b7ebb534e6d45fabd1e49c7
SHA512d9a8a05c98ab536ec0aad87dbf44451deeab0fdf10ed4afad323097ad621e8541f906495ac7fc012702715da02574fa43f28a56104f2771948a109c772e3584d
-
Filesize
173KB
MD5a85a2614d114b809911e97f49555e70e
SHA184cc88e50eb377de2cbe8dfa4bcbb3af21bdf173
SHA256129e4ae1bbb666a7446312676c1df451406a7023811046c684a9a7274812f13c
SHA5122c92707b45c33f8fecae90d2bbe271b3e492f3c0429fac9089e64d6f071d39f1ae8829d781ec0f5dab3967d9b100c7ba7b02fe87ed48ef648c287d20b9895348