Analysis
-
max time kernel
148s -
max time network
153s -
platform
android-9_x86 -
resource
android-x86-arm-20240910-en -
resource tags
arch:armarch:x86image:android-x86-arm-20240910-enlocale:en-usos:android-9-x86system -
submitted
23-11-2024 22:02
Static task
static1
Behavioral task
behavioral1
Sample
29e3f0e8add22d309979a53374b05191d3eadeb2044a3f9789e69d1fd9ee1ccd.apk
Resource
android-x86-arm-20240910-en
Behavioral task
behavioral2
Sample
29e3f0e8add22d309979a53374b05191d3eadeb2044a3f9789e69d1fd9ee1ccd.apk
Resource
android-x64-20240910-en
Behavioral task
behavioral3
Sample
29e3f0e8add22d309979a53374b05191d3eadeb2044a3f9789e69d1fd9ee1ccd.apk
Resource
android-x64-arm64-20240910-en
General
-
Target
29e3f0e8add22d309979a53374b05191d3eadeb2044a3f9789e69d1fd9ee1ccd.apk
-
Size
4.6MB
-
MD5
ce14a46d76f85e0fd89f1426424ce0e8
-
SHA1
09dba1beae86b8ade5a3c38cbfc626c3774c331b
-
SHA256
29e3f0e8add22d309979a53374b05191d3eadeb2044a3f9789e69d1fd9ee1ccd
-
SHA512
4a92b66fda5c5f6553bfe2fc74fa8aa49d6469c29da5e38fd4847d0b59db8fe9d95e8ac1539b8450848477c5215813050a0f0287b5381399826ebabfe752000b
-
SSDEEP
98304:B82CUr9okS6DlG+tPjqq16iHKjAn/dtbhLO/xpmn:e2p3SeG+tbn6iHD/dNhK/Hk
Malware Config
Extracted
hook
http://154.216.17.184
Signatures
-
Hook
Hook is an Android malware that is based on Ermac with RAT capabilities.
-
Hook family
-
Loads dropped Dex/Jar 1 TTPs 3 IoCs
Runs executable file dropped to the device during analysis.
ioc pid Process /data/user/0/com.ppzsqekzh.lqmrttevu/app_dex/classes.dex 4400 com.ppzsqekzh.lqmrttevu /data/user/0/com.ppzsqekzh.lqmrttevu/app_dex/classes.dex 4429 /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.ppzsqekzh.lqmrttevu/app_dex/classes.dex --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.ppzsqekzh.lqmrttevu/app_dex/oat/x86/classes.odex --compiler-filter=quicken --class-loader-context=& /data/user/0/com.ppzsqekzh.lqmrttevu/app_dex/classes.dex 4400 com.ppzsqekzh.lqmrttevu -
Makes use of the framework's Accessibility service 4 TTPs 3 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
description ioc Process Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText com.ppzsqekzh.lqmrttevu Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId com.ppzsqekzh.lqmrttevu Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId com.ppzsqekzh.lqmrttevu -
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries information about running processes on the device 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about running processes on the device.
description ioc Process Framework service call android.app.IActivityManager.getRunningAppProcesses com.ppzsqekzh.lqmrttevu -
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Acquires the wake lock 1 IoCs
description ioc Process Framework service call android.os.IPowerManager.acquireWakeLock com.ppzsqekzh.lqmrttevu -
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
description ioc Process Framework service call android.app.IActivityManager.setServiceForeground com.ppzsqekzh.lqmrttevu -
Performs UI accessibility actions on behalf of the user 1 TTPs 8 IoCs
Application may abuse the accessibility service to prevent their removal.
ioc Process android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.ppzsqekzh.lqmrttevu android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.ppzsqekzh.lqmrttevu android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.ppzsqekzh.lqmrttevu android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.ppzsqekzh.lqmrttevu android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.ppzsqekzh.lqmrttevu android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.ppzsqekzh.lqmrttevu android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.ppzsqekzh.lqmrttevu android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.ppzsqekzh.lqmrttevu -
Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
description ioc Process Framework service call android.net.wifi.IWifiManager.getConnectionInfo com.ppzsqekzh.lqmrttevu -
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
description ioc Process Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone com.ppzsqekzh.lqmrttevu -
Reads information about phone network operator. 1 TTPs
-
Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
description ioc Process Intent action android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS com.ppzsqekzh.lqmrttevu -
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
description ioc Process Framework service call android.app.IActivityManager.registerReceiver com.ppzsqekzh.lqmrttevu -
Schedules tasks to execute at a specified time 1 TTPs 1 IoCs
Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
description ioc Process Framework service call android.app.job.IJobScheduler.schedule com.ppzsqekzh.lqmrttevu -
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
description ioc Process Framework API call javax.crypto.Cipher.doFinal com.ppzsqekzh.lqmrttevu -
Checks CPU information 2 TTPs 1 IoCs
description ioc Process File opened for read /proc/cpuinfo com.ppzsqekzh.lqmrttevu -
Checks memory information 2 TTPs 1 IoCs
description ioc Process File opened for read /proc/meminfo com.ppzsqekzh.lqmrttevu
Processes
-
com.ppzsqekzh.lqmrttevu1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Queries information about running processes on the device
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries information about the current Wi-Fi connection
- Queries the mobile country code (MCC)
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Schedules tasks to execute at a specified time
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:4400 -
/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.ppzsqekzh.lqmrttevu/app_dex/classes.dex --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.ppzsqekzh.lqmrttevu/app_dex/oat/x86/classes.odex --compiler-filter=quicken --class-loader-context=&2⤵
- Loads dropped Dex/Jar
PID:4429
-
Network
MITRE ATT&CK Mobile v15
Persistence
Event Triggered Execution
1Broadcast Receivers
1Foreground Persistence
1Scheduled Task/Job
1Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Impair Defenses
1Prevent Application Removal
1Input Injection
1Virtualization/Sandbox Evasion
2System Checks
2Credential Access
Access Notifications
1Input Capture
2GUI Input Capture
1Keylogging
1Discovery
Process Discovery
1Software Discovery
1Security Software Discovery
1System Information Discovery
2System Network Configuration Discovery
3System Network Connections Discovery
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.9MB
MD5b747bc1877405e323411437c291f36bf
SHA1fc04e788deeb43cba31df5957d67ce6ac6d70f17
SHA256793a1287a1ab1d148ba128a956c841544ce2a1767662c75cd6e2b1768b79a9f0
SHA51251824b5b1dd7147039969f6e4eb12c4776543b48024ecb6361d49ab18166016a2623b22948e223d44bd678149f37c0512186a603987b79ae5a6a88939ddfc8b0
-
Filesize
1.0MB
MD5378000e5f02033a121440909aedae5bb
SHA18f27f72a7e328068e957f89f5bdd84125cfdecb9
SHA256ad389952480c57dc94b79518cbe1ae80e1d842d2554fa50fc2d9a77c5b7d745d
SHA512d8125d653bee90d49f4db6c9f76632f96acbd90db454ac00f62bcb815e0534c6089bea380c604a73664e40d29f1e063e97c1f91396841d36c9e2c8f3f051e23f
-
Filesize
1.0MB
MD50d5b4207363e49f92970964b62d958cd
SHA13822c058342952ba2e6d487e97bd34ae019aed53
SHA256cdfdf0fcf2a8c7d21a6d745f573e82816c16a8a53b8b46be6d20de615707a07d
SHA51297c4989ddd30fc018921953845e2e7c0568f176ef1bb766a0fd0a908f89873c3da99b55460b45c399c8e778b2c3824fd2a056c51f94b333d54961ac0909878d0
-
Filesize
4KB
MD5f2b4b0190b9f384ca885f0c8c9b14700
SHA1934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA2560a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1
-
Filesize
512B
MD5f79bf61d17e97f71e05650993607c875
SHA13faf3f1f0ff2ad90eb77d8d211f31b71d6533cb1
SHA2569e35f18d16bc21d16e2a0c2a2c595b784f484cc689e897c964ed62d24a0df812
SHA512ccbd4bc6c2c1474a08f252dd363fed3574d6b1bf914f516e2bc47b2941b3cefefef99f87838eeabe670b5b97eeae6470caa1920da0b42f139f6ace93e5314d2d
-
Filesize
32KB
MD5bb7df04e1b0a2570657527a7e108ae23
SHA15188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012
-
Filesize
108KB
MD54122bc24a2444d5bfd71c5ab849ffa47
SHA177aa8c9f156a6043515969f5a26bcaecac7974f6
SHA25611b8bb2bccc59a05d6d0d682639bf660bd4af0cc6cc40080b7871d2526088bab
SHA512607c41e448ea664b5abdc9e97b06455d45f5a06962b734da9dd3691c52b8c285398d223f0dec70e16d98b2160130c5fcf6b16f6dfbfb41476fbba1cc228c0b80
-
Filesize
173KB
MD5de12b65f4cf415e867733bf2848ea9f4
SHA198d2a5ea5484d6e029ab216526b7e0ee7642b1f6
SHA256f8638dbfad0c1e710efe8e9883f4100df4eb3e357db89536e5839360940b805d
SHA51207373d4c7b4f0df00b628556112c27808ff612421414f51a2dc1412af500c595230b4a49ce9216ce91996a880492517052f4b8c07375e448e2b109021b98377f
-
Filesize
16KB
MD59d6bf0195285105bd569a8e822349243
SHA13847fc79b02e433481abd4bef431e1a6cc013027
SHA256891c8616f1cc5d3aa491ac7479415cba051c7fb0d4b39967f6db1823165ccc66
SHA5120670f1f47a532e8ae64c9d328cf2aac133396c9f62a0fbb8fb6f996ff2d2ea65a3c80fd91e2b58d71756666515c5ea7d27c1c7ef0e2ee0c58a598cd95c62db3a
-
Filesize
2.9MB
MD575c453e84976af4d01dbf2a22ff02239
SHA11bacdc76e63fc1963f3c78d671cd9af4e3ca3669
SHA2564523e7f85dfb845198b486154a2a7ec47fc551466c72bd78660a3af0b077ad7f
SHA5123fe126a74dd4430073d32183fcfff1e07ff4cb9f292fc7a60168d048ec57d0322bb1650265032d35bc5432578c05860d2f27a591a223e53254aed0a1d78e2c2a