Analysis
-
max time kernel
127s -
max time network
159s -
platform
android_x64 -
resource
android-x64-20240624-en -
resource tags
androidarch:x64arch:x86image:android-x64-20240624-enlocale:en-usos:android-10-x64system -
submitted
24-11-2024 22:12
Static task
static1
Behavioral task
behavioral1
Sample
5cb0139646f702fd0eea35b543682f9f5b7f8b74154c8696171f0aaae98c5d80.apk
Resource
android-x86-arm-20240624-en
Behavioral task
behavioral2
Sample
5cb0139646f702fd0eea35b543682f9f5b7f8b74154c8696171f0aaae98c5d80.apk
Resource
android-x64-20240624-en
Behavioral task
behavioral3
Sample
5cb0139646f702fd0eea35b543682f9f5b7f8b74154c8696171f0aaae98c5d80.apk
Resource
android-x64-arm64-20240910-en
General
-
Target
5cb0139646f702fd0eea35b543682f9f5b7f8b74154c8696171f0aaae98c5d80.apk
-
Size
4.6MB
-
MD5
d54c87f71b32f4736cdc157a69572d30
-
SHA1
d62e2553ff0d06e37711405979ac6166e54956d1
-
SHA256
5cb0139646f702fd0eea35b543682f9f5b7f8b74154c8696171f0aaae98c5d80
-
SHA512
87542cd0e32e74f2399ef0105f8825434feffb30372cc4603a7fae155829c95561c5d91e24cd71414822e2fc14e91787beef82cea500d7f9ecf97f0628580271
-
SSDEEP
98304:p2j0TxTTfwqb9yxP81qglgH6oYTjYxlVuC1OL68eWwFFhepTFwCh:WyLuP81qhhOkFITFwCh
Malware Config
Extracted
hook
http://154.216.17.184
Signatures
-
Hook
Hook is an Android malware that is based on Ermac with RAT capabilities.
-
Hook family
-
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs executable file dropped to the device during analysis.
ioc pid Process /data/user/0/com.yjxvhulqf.wobznkpnl/app_dex/classes.dex 4954 com.yjxvhulqf.wobznkpnl /data/user/0/com.yjxvhulqf.wobznkpnl/app_dex/classes.dex 4954 com.yjxvhulqf.wobznkpnl -
Makes use of the framework's Accessibility service 4 TTPs 3 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
description ioc Process Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId com.yjxvhulqf.wobznkpnl Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText com.yjxvhulqf.wobznkpnl Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId com.yjxvhulqf.wobznkpnl -
Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs
Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
description ioc Process Framework service call android.content.IClipboard.addPrimaryClipChangedListener com.yjxvhulqf.wobznkpnl -
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries information about running processes on the device 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about running processes on the device.
description ioc Process Framework service call android.app.IActivityManager.getRunningAppProcesses com.yjxvhulqf.wobznkpnl -
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Acquires the wake lock 1 IoCs
description ioc Process Framework service call android.os.IPowerManager.acquireWakeLock com.yjxvhulqf.wobznkpnl -
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
description ioc Process Framework service call android.app.IActivityManager.setServiceForeground com.yjxvhulqf.wobznkpnl -
Performs UI accessibility actions on behalf of the user 1 TTPs 5 IoCs
Application may abuse the accessibility service to prevent their removal.
ioc Process android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.yjxvhulqf.wobznkpnl android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.yjxvhulqf.wobznkpnl android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.yjxvhulqf.wobznkpnl android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.yjxvhulqf.wobznkpnl android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.yjxvhulqf.wobznkpnl -
Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
description ioc Process Framework service call android.net.wifi.IWifiManager.getConnectionInfo com.yjxvhulqf.wobznkpnl -
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
description ioc Process Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone com.yjxvhulqf.wobznkpnl -
Reads information about phone network operator. 1 TTPs
-
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
description ioc Process Framework service call android.app.IActivityManager.registerReceiver com.yjxvhulqf.wobznkpnl -
Schedules tasks to execute at a specified time 1 TTPs 1 IoCs
Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
description ioc Process Framework service call android.app.job.IJobScheduler.schedule com.yjxvhulqf.wobznkpnl -
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
description ioc Process Framework API call javax.crypto.Cipher.doFinal com.yjxvhulqf.wobznkpnl -
Checks CPU information 2 TTPs 1 IoCs
description ioc Process File opened for read /proc/cpuinfo com.yjxvhulqf.wobznkpnl -
Checks memory information 2 TTPs 1 IoCs
description ioc Process File opened for read /proc/meminfo com.yjxvhulqf.wobznkpnl
Processes
-
com.yjxvhulqf.wobznkpnl1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Queries information about running processes on the device
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries information about the current Wi-Fi connection
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Schedules tasks to execute at a specified time
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:4954
Network
MITRE ATT&CK Mobile v15
Persistence
Event Triggered Execution
1Broadcast Receivers
1Foreground Persistence
1Scheduled Task/Job
1Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Impair Defenses
1Prevent Application Removal
1Input Injection
1Virtualization/Sandbox Evasion
2System Checks
2Credential Access
Clipboard Data
1Input Capture
2GUI Input Capture
1Keylogging
1Discovery
Process Discovery
1Software Discovery
1Security Software Discovery
1System Information Discovery
2System Network Configuration Discovery
3System Network Connections Discovery
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.9MB
MD55e06a2f8f33252d54a5a765996b88e35
SHA1ec9fc8688329743bc58ac907547c9480ab669546
SHA2568397350efa4b637869a7cc8195ab66ce9b23b4701cc2eea984f2f63d8d5f6bdd
SHA512f875fba2219cc73380c4c73947e002b30ead89f26b07cc8ef4af054ed0bcc3fbeb435c2b15919f1351963e674661345422a0c38a4b9ddb9f2f6c01b4bd4fdb3c
-
Filesize
1.0MB
MD530fc69aa0057114389f815fc73f88d23
SHA1625c83a18065fc9cc4232fdbbc6d0903d29edfd9
SHA2563b5802797800d7cc601499bc784ed4bb99a761b71c46c80369fbd69e72557ae3
SHA512c13fcab948b06d205e254ceea4e68126507b63413b6378d6858ca575e6343a4c682111d29ecab7b6bf38a67c3b8a40321177696cdec3e82d618a2848e13bd991
-
Filesize
1.0MB
MD5e493a8ce0e2b4d03676b00747ab50003
SHA184c5dfb64335ce7a92cea0036fe514eebb16522f
SHA2562dd711cbfefc446dbdf770099fb7399e5b2609b805a842b48d029b89d16e1d72
SHA512b489777b48533ccea303e79c9e40747bfc490b9f4033a2338c348e2d16655d222d260ea75f8e6af6d9807fd401b44573152925237661109d25f760c9db05c371
-
Filesize
4KB
MD5f2b4b0190b9f384ca885f0c8c9b14700
SHA1934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA2560a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1
-
Filesize
512B
MD5d9f6e328ff905ff7085c01341d9081fc
SHA1dd706d1809c7bad5639f8ade594d35efd38daa76
SHA256044e39016c3a26ff4f957b1108911b1c84bbb04cb34cf3e98891f34e8f739e96
SHA5128dc5a3fe3f8fcdb842ce0b2906b6072a0fac4ea20dff2cbc8c7ecefba3dae82101cf802d64dc97c7ce7d621fa9e4f0293cc934b359e070b225a8c7b51714a8d6
-
Filesize
32KB
MD5bb7df04e1b0a2570657527a7e108ae23
SHA15188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012
-
Filesize
16KB
MD5a0bb511b269da027e076430fed4c2bd8
SHA1f72155778939f9464c618a4c105ddec302becb8a
SHA256595852a381af5a046b557e094537929e367f42446d95cef2211d64509287ecd3
SHA51290dbd9402dbb06f05a1d33b62bcb2b6411d9217077a4323ee94f12e675e2d2668b4334f35a7a455a53b25813b846a8498a50405c8cc0bd21393d73207d05404c
-
Filesize
108KB
MD561a09e01e330a1c933386d7c7448eac8
SHA136b6f8f554bf0fa43dd4ceb1a6175cc41991fc8f
SHA256442655b488f9158990f7da4a9a7d7719ff0e63d53d6dea28b3a6ff9a275999f1
SHA512ac920c6dc2e81fef12f65691bb7f02afe8882c82713683fe3d99fcd73b379153c5913d506c15f788c7546464d5be4da68090cc469aa36d99912cfde2849216c1
-
Filesize
173KB
MD58578e322d48f3f1689834d1ccbe8a78a
SHA1bee0699e1227416bbd462a90045433843588968f
SHA256f461632a9962f861a136d2ac2cdc81ee8671491170161d374f607efddfa81e59
SHA512d95421e5d9cb351445599adf545b263faf5a621b2fa23ca82983d3a57bed3a6d7ef65dbec11d50794c5f358317398a5f96bee88f57ea32307eebe90da7dffcd0