Analysis
-
max time kernel
147s -
max time network
153s -
platform
android_x86 -
resource
android-x86-arm-20240624-en -
resource tags
androidarch:armarch:x86image:android-x86-arm-20240624-enlocale:en-usos:android-9-x86system -
submitted
19-11-2024 22:06
Static task
static1
Behavioral task
behavioral1
Sample
3c44af86acb77cb7b03d4380eaa117347f62853ef7603d58b5df8727e3bb25ab.apk
Resource
android-x86-arm-20240624-en
Behavioral task
behavioral2
Sample
3c44af86acb77cb7b03d4380eaa117347f62853ef7603d58b5df8727e3bb25ab.apk
Resource
android-x64-20240624-en
Behavioral task
behavioral3
Sample
3c44af86acb77cb7b03d4380eaa117347f62853ef7603d58b5df8727e3bb25ab.apk
Resource
android-x64-arm64-20240910-en
General
-
Target
3c44af86acb77cb7b03d4380eaa117347f62853ef7603d58b5df8727e3bb25ab.apk
-
Size
4.1MB
-
MD5
428511bbb686703e0e7da106eea33555
-
SHA1
b25652bb4fd64a3362005618c242d6dd54f36818
-
SHA256
3c44af86acb77cb7b03d4380eaa117347f62853ef7603d58b5df8727e3bb25ab
-
SHA512
29654d654be13bcb94003d2473f84c5593a11e6002c2b0c56cb2e0fd69b0e1a96389ddb45d1a62894e84c60eda01c812e10d3477bdec5a5c1604fe51ad1df2a3
-
SSDEEP
98304:ykEwezCzu/lnTWmE5U5EUQRNFsi0Fq2ceePMCn5nVuW:XlezCz6q9UifNFsi0FuJPh5VuW
Malware Config
Extracted
hook
http://85.28.47.32
Signatures
-
Hook
Hook is an Android malware that is based on Ermac with RAT capabilities.
-
Hook family
-
pid Process 4323 com.xvufmyjui.lvpbmzncn -
Loads dropped Dex/Jar 1 TTPs 3 IoCs
Runs executable file dropped to the device during analysis.
ioc pid Process /data/user/0/com.xvufmyjui.lvpbmzncn/app_app_dex/ywmkqqf.xfw 4323 com.xvufmyjui.lvpbmzncn /data/user/0/com.xvufmyjui.lvpbmzncn/app_app_dex/ywmkqqf.xfw 4348 /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.xvufmyjui.lvpbmzncn/app_app_dex/ywmkqqf.xfw --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.xvufmyjui.lvpbmzncn/app_app_dex/oat/x86/ywmkqqf.odex --compiler-filter=quicken --class-loader-context=& /data/user/0/com.xvufmyjui.lvpbmzncn/app_app_dex/ywmkqqf.xfw 4323 com.xvufmyjui.lvpbmzncn -
Makes use of the framework's Accessibility service 4 TTPs 3 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
description ioc Process Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText com.xvufmyjui.lvpbmzncn Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId com.xvufmyjui.lvpbmzncn Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId com.xvufmyjui.lvpbmzncn -
Queries information about running processes on the device 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about running processes on the device.
description ioc Process Framework service call android.app.IActivityManager.getRunningAppProcesses com.xvufmyjui.lvpbmzncn -
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Acquires the wake lock 1 IoCs
description ioc Process Framework service call android.os.IPowerManager.acquireWakeLock com.xvufmyjui.lvpbmzncn -
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
description ioc Process Framework service call android.app.IActivityManager.setServiceForeground com.xvufmyjui.lvpbmzncn -
Performs UI accessibility actions on behalf of the user 1 TTPs 5 IoCs
Application may abuse the accessibility service to prevent their removal.
ioc Process android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.xvufmyjui.lvpbmzncn android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.xvufmyjui.lvpbmzncn android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.xvufmyjui.lvpbmzncn android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.xvufmyjui.lvpbmzncn android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.xvufmyjui.lvpbmzncn -
Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
description ioc Process Framework service call android.net.wifi.IWifiManager.getConnectionInfo com.xvufmyjui.lvpbmzncn -
Reads information about phone network operator. 1 TTPs
-
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
description ioc Process Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS com.xvufmyjui.lvpbmzncn -
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
description ioc Process Framework service call android.app.IActivityManager.registerReceiver com.xvufmyjui.lvpbmzncn -
Schedules tasks to execute at a specified time 1 TTPs 1 IoCs
Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
description ioc Process Framework service call android.app.job.IJobScheduler.schedule com.xvufmyjui.lvpbmzncn -
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
description ioc Process Framework API call javax.crypto.Cipher.doFinal com.xvufmyjui.lvpbmzncn
Processes
-
com.xvufmyjui.lvpbmzncn1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Queries information about running processes on the device
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries information about the current Wi-Fi connection
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Schedules tasks to execute at a specified time
- Uses Crypto APIs (Might try to encrypt user data)
PID:4323 -
/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.xvufmyjui.lvpbmzncn/app_app_dex/ywmkqqf.xfw --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.xvufmyjui.lvpbmzncn/app_app_dex/oat/x86/ywmkqqf.odex --compiler-filter=quicken --class-loader-context=&2⤵
- Loads dropped Dex/Jar
PID:4348
-
Network
MITRE ATT&CK Mobile v15
Persistence
Event Triggered Execution
1Broadcast Receivers
1Foreground Persistence
1Scheduled Task/Job
1Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Hide Artifacts
2Suppress Application Icon
1User Evasion
1Impair Defenses
1Prevent Application Removal
1Input Injection
1Discovery
Process Discovery
1System Network Configuration Discovery
2System Network Connections Discovery
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.9MB
MD52109c4374feffdf3dd44559939218d80
SHA1fc9c7ef5cfcefe1db0cddc26841c253a062cd36c
SHA2560e7f6a649f03a7222948907e79ccdbcc8353d3ea5a299e3665db88aa38a2b232
SHA512cda3fe9abb736eb6325bcc3d8f13f6720271d63c9a5598895c32a7822054d9c24bff97720488701a5a694b82ac30743846cf4ff7759ea9be1c0f578273bb324e
-
Filesize
4KB
MD5f2b4b0190b9f384ca885f0c8c9b14700
SHA1934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA2560a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1
-
Filesize
512B
MD5717f7d0a13d1daadaf112f82551fa318
SHA139d01efe4e640bc11f412d7e8534765df82baf9e
SHA2563a6411cc83e42283c445d658a0c05b92bf59de6757b908ae16c7c057b7190af5
SHA512be19361e2f6f6cb7e7570b8e5bc07e9dda41c69a5813db2cf582c0d228c22f7645e3001469383e48d88b2514b8d7ad0d5e4ea2e5dae78e7dcbb13f749d8d4ebe
-
Filesize
32KB
MD5bb7df04e1b0a2570657527a7e108ae23
SHA15188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012
-
Filesize
173KB
MD56195555b9427a1d7a4789087e2c6399d
SHA1ae7891f9c6d0a168a434ceffa1272365db9b84c4
SHA25651b659786bed1f00322ef923815a216f46a01cb5b892b3dbd7cf43ed047c131a
SHA512b2a728e4376449b05758a4ac01d2e9df2733f78d342a2dfd222ecb6430dff1d688344ab0b3b694c8891eeaa7eb3b7cc8271b7d7186e5dbf4848b1c976d88ee63
-
Filesize
16KB
MD517ee1c53dd56fd77598355539f11909b
SHA1a69a7c8a438e74e20ec21f6d781a6351deaaab97
SHA256ba576dc8a763fa282b29afa543bb6942facf160da148379783df4cfb4695204f
SHA51218b66d2866b50bc1daef7a462ba2fff0289936bb3798901d7a11c114235ff87ad5ccab8ca7f551bfebeabf0e8086de4ec2ba5e2055ed0f351e1006d1d9352070
-
Filesize
108KB
MD53fd0edb59e6779c2f08ca0809b4332bd
SHA1acba23c29f5aabbaa2086b933bf93efcdc5a07e4
SHA2561accbc2aded23b147f037a675a97775856dfb53a1ffb68c29aa6381746ca7505
SHA51264b8d4d050a523ea24c9a9d72a331d48e2599e1f7f283ff71bb971c144a2ce77c4e1f1bd582bae5d2065ae26d22d1898c57dc534515e50fa563a1e7239dff9e5
-
Filesize
2.9MB
MD54c1d7315a9722c663103ccc01055a6aa
SHA11f23832f83b0c1ebf2ef0957899e2d21bb8cea45
SHA256fb63a2d4138af370ec20dbca4f5a6a4a702bfbde8c49934ade0e7f2e952ec37e
SHA51287c19329bdad947a18c88ed593b6e38c8e1233c2cb2a19fa11c250a7a2ba2461be9e47e3ab9b29eb9f15de4a030610b45a331ea3c45c74e1373d887088524df1