Analysis
max time kernel: 143s
max time network: 158s
platform: android_x64
resource: android-x64-arm64-20240624-en
resource tags: android, arch:arm, arch:arm64, arch:x64, arch:x86, image:android-x64-arm64-20240624-en, locale:en-us, os:android-11-x64, system
submitted: 22-11-2024 22:04
Static task: static1
Behavioral task: behavioral1
  Sample: 609eb001b2ef877d2d75446b0382321ec8aa4c2cea9d7cbddde479962687ad76.apk
  Resource: android-x86-arm-20240624-en
Behavioral task: behavioral2
  Sample: 609eb001b2ef877d2d75446b0382321ec8aa4c2cea9d7cbddde479962687ad76.apk
  Resource: android-x64-20240624-en
Behavioral task: behavioral3
  Sample: 609eb001b2ef877d2d75446b0382321ec8aa4c2cea9d7cbddde479962687ad76.apk
  Resource: android-x64-arm64-20240624-en
General
Target: 609eb001b2ef877d2d75446b0382321ec8aa4c2cea9d7cbddde479962687ad76.apk
Size: 4.6MB
MD5: 2857b4fb409629ae5f161c96470d58ba
SHA1: 282a482d799d792cb2df8002f27a4e6c5029a85f
SHA256: 609eb001b2ef877d2d75446b0382321ec8aa4c2cea9d7cbddde479962687ad76
SHA512: a2756c95f20bfea7d067fae37a20b68732b8d39f29e7051c96bf45168073b8009ddd58720dcc46d4e3c98b57a9c2524e3bd9ac6f7988f98b32fa237557f12295
SSDEEP: 98304:nTymrArg5a4/+P++6i4ZAWBUMkhwdi+BJFuAESn7YzhbP8Tna7E:T7rlBC+W4ZhBVkqdiQJcAhn7YVQuo
Malware Config
Extracted
  hook: http://185.147.124.250
Signatures

Hook
  Hook is an Android malware that is based on Ermac with RAT capabilities.

Hook family

Loads dropped Dex/Jar (1 TTPs, 2 IoCs)
  Runs executable file dropped to the device during analysis.
  ioc | pid | Process
  /data/user/0/com.gbqxnvcjv.ucoujosyu/app_dex/classes.dex | 4475 | com.gbqxnvcjv.ucoujosyu
  /data/user/0/com.gbqxnvcjv.ucoujosyu/app_dex/classes.dex | 4475 | com.gbqxnvcjv.ucoujosyu

Makes use of the framework's Accessibility service (4 TTPs, 3 IoCs)
  Retrieves information displayed on the phone screen using AccessibilityService.
  description | ioc | Process
  Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | com.gbqxnvcjv.ucoujosyu
  Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | com.gbqxnvcjv.ucoujosyu
  Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | com.gbqxnvcjv.ucoujosyu

Obtains sensitive information copied to the device clipboard (2 TTPs, 1 IoCs)
  Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
  description | ioc | Process
  Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | com.gbqxnvcjv.ucoujosyu

Queries information about running processes on the device (1 TTPs, 1 IoCs)
  Application may abuse the framework's APIs to collect information about running processes on the device.
  description | ioc | Process
  Framework service call | android.app.IActivityManager.getRunningAppProcesses | com.gbqxnvcjv.ucoujosyu

Queries the phone number (MSISDN for GSM devices) (1 TTPs)

Acquires the wake lock (1 IoCs)
  description | ioc | Process
  Framework service call | android.os.IPowerManager.acquireWakeLock | com.gbqxnvcjv.ucoujosyu

Makes use of the framework's foreground persistence service (1 TTPs, 1 IoCs)
  Application may abuse the framework's foreground service to continue running in the foreground.
  description | ioc | Process
  Framework service call | android.app.IActivityManager.setServiceForeground | com.gbqxnvcjv.ucoujosyu
Performs UI accessibility actions on behalf of the user (1 TTPs, 5 IoCs)
  Application may abuse the accessibility service to prevent its removal.
  ioc | Process
  android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | com.gbqxnvcjv.ucoujosyu
  android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | com.gbqxnvcjv.ucoujosyu
  android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | com.gbqxnvcjv.ucoujosyu
  android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | com.gbqxnvcjv.ucoujosyu
  android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | com.gbqxnvcjv.ucoujosyu
Queries information about the current Wi-Fi connection (1 TTPs, 1 IoCs)
  Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
  description | ioc | Process
  Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | com.gbqxnvcjv.ucoujosyu

Reads information about phone network operator (1 TTPs)

Schedules tasks to execute at a specified time (1 TTPs, 1 IoCs)
  Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
  description | ioc | Process
  Framework service call | android.app.job.IJobScheduler.schedule | com.gbqxnvcjv.ucoujosyu

Uses Crypto APIs (Might try to encrypt user data) (1 TTPs, 1 IoCs)
  description | ioc | Process
  Framework API call | javax.crypto.Cipher.doFinal | com.gbqxnvcjv.ucoujosyu

Checks CPU information (2 TTPs, 1 IoCs)
  description | ioc | Process
  File opened for read | /proc/cpuinfo | com.gbqxnvcjv.ucoujosyu

Checks memory information (2 TTPs, 1 IoCs)
  description | ioc | Process
  File opened for read | /proc/meminfo | com.gbqxnvcjv.ucoujosyu
Processes
com.gbqxnvcjv.ucoujosyu (PID: 4475)
  - Loads dropped Dex/Jar
  - Makes use of the framework's Accessibility service
  - Obtains sensitive information copied to the device clipboard
  - Queries information about running processes on the device
  - Acquires the wake lock
  - Makes use of the framework's foreground persistence service
  - Performs UI accessibility actions on behalf of the user
  - Queries information about the current Wi-Fi connection
  - Schedules tasks to execute at a specified time
  - Uses Crypto APIs (Might try to encrypt user data)
  - Checks CPU information
  - Checks memory information
Network
MITRE ATT&CK Mobile v15
Defense Evasion
  Download New Code at Runtime (1)
  Foreground Persistence (1)
  Impair Defenses (1)
  Prevent Application Removal (1)
  Input Injection (1)
  Virtualization/Sandbox Evasion (2)
  System Checks (2)
Credential Access
  Clipboard Data (1)
  Input Capture (2)
  GUI Input Capture (1)
  Keylogging (1)
Discovery
  Process Discovery (1)
  System Information Discovery (2)
  System Network Configuration Discovery (2)
  System Network Connections Discovery (1)
Downloads

Filesize: 2.9MB
MD5: cd656538ea17b154ce6e5e924ce51226
SHA1: c0c3e008fcfb283a1485275f3f0793a3550fcab5
SHA256: 1f8d6ff3ea76583a2116a0dd16dea77e7aa79bd74b6bc19f65005b5c6fb470e1
SHA512: fec605c89a58dcad69be6f22f3efae9bc5c798cacb57522d26cf230ba8c1d48cb20c50d1d4226128347c842975fe689f6a662dfdf355d4b029012bf72b74cac2

Filesize: 1.0MB
MD5: 2eef054e2aa0d5b5b860a5aff35449b2
SHA1: d80251639ab6486d83bebfa77d1590a01c265e5c
SHA256: 16b476cffa816758ab2cc1d5c61a13543e483bfc5cfd97589eccf9a4313f13ac
SHA512: 80638f11bf1ec9a31d0baa0049fb7c2ca2a38576fc6d5abe7193887f85160fd0a644c9133f9f66d7aa8d7420267cd83e845d490da0a2f753d4e226c57691c32e

Filesize: 1.0MB
MD5: 556c86801ccf48bc917e38546b067308
SHA1: a996c082a2b4a1785a41167ca5d418c06dd01a87
SHA256: c287f01e17975b0aec265756b2ce369dbda205182b165c9ce5ffd1cceb626a26
SHA512: 71fa6711d665da5aa70126fa3fe78e3619fd5189b93ee9398cd452d621e60f4cdf00b358c5aa3daa8dc7d8f3ed33a9f3538730808015ffc3ba1eb941dcb1e9b5

Filesize: 4KB
MD5: 7e858c4054eb00fcddc653a04e5cd1c6
SHA1: 2e056bf31a8d78df136f02a62afeeca77f4faccf
SHA256: 9010186c5c083155a45673017d1e31c2a178e63cc15a57bbffde4d1956a23dad
SHA512: d0c7a120940c8e637d5566ef179d01eff88a2c2650afda69ad2a46aad76533eaace192028bba3d60407b4e34a950e7560f95d9f9b8eebe361ef62897d88b30cb

Filesize: 512B
MD5: 5bfc5bd93e4bfaeb1da4c273a9e21ab6
SHA1: b92a90d372e05349c851b086ecb3b36562b2c574
SHA256: 7816debd45d411923e0ba0f2fa5e098ea355061f05194227ce138ad8582e5f0f
SHA512: f13bc33cb8b7148afcea795235a3c024b504629526bd8d8b01c88eed620c3cf9a46eae9c095ce546c01ae1836eb17bc0bea4c60a5eff4f41b27f7428c411359f

Filesize: 32KB
MD5: bb7df04e1b0a2570657527a7e108ae23
SHA1: 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256: c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512: 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Filesize: 16KB
MD5: 7bc3ce0ffac157ec33b8ae60768ed97b
SHA1: 75c689086cd55c1fa9ac2332db2a5f6e5203d78c
SHA256: d69c097bd1783336f1b0f0b9f6e18f3c300e05aea9077c27152d32b0baab176c
SHA512: d173c4d5649e18ecc89f684018b6b64f41b52005f04714f6466c1eb1a6aa34dc08298f0d742074512d9b8ee4d3733da97a983b6debde60d01f1baf676f483675

Filesize: 108KB
MD5: 1300e9ace761445c8717605931100a08
SHA1: 982ba9c818e2ba0fcba3331536201d37f771e6f4
SHA256: 73b16673618509132b41528a2985918d438da38fccff7818774198515521b3ca
SHA512: 807a4e046f270deeb13b1893a1c25e292fcbf8348c421e83a00bca78fa29f417ec3171b16ebcbd9ccdbf87debb1940f6d77135f3a5e712785ff1cfbd75fad1ab

Filesize: 173KB
MD5: 81764c0b2c435633758f29374197a2a5
SHA1: 1a4b36e84bac4aaf401989789f1881dd09b20a93
SHA256: 46b3dd7b99c1defb50aabeac2c61fa5e8176418f88c25057f471bfdf4058f96e
SHA512: c9aa2d9c1c4e9972b6fa755255aea60e4f915141550320709d4d9ce2b9c56da7bdaee9a67796a9b0d22c27e87a3a1b3374df0c62444d00d8c34bace3fae2d214