Analysis
max time kernel: 148s
max time network: 158s
platform: android_x86
resource: android-x86-arm-20240624-en
resource tags: android, arch:arm, arch:x86, image:android-x86-arm-20240624-en, locale:en-us, os:android-9-x86, system
submitted: 24-11-2024 22:00
Static task: static1
Behavioral task: behavioral1
  Sample: b7742c9c70e896b31d68b4cdf345ac1d77192ae381f6e49907197fe2bd97eb2b.apk
  Resource: android-x86-arm-20240624-en
Behavioral task: behavioral2
  Sample: b7742c9c70e896b31d68b4cdf345ac1d77192ae381f6e49907197fe2bd97eb2b.apk
  Resource: android-x64-20240624-en
Behavioral task: behavioral3
  Sample: b7742c9c70e896b31d68b4cdf345ac1d77192ae381f6e49907197fe2bd97eb2b.apk
  Resource: android-x64-arm64-20240624-en
General
Target: b7742c9c70e896b31d68b4cdf345ac1d77192ae381f6e49907197fe2bd97eb2b.apk
Size: 4.6MB
MD5: 7ebb1a9bd104996f722ec77affce15c4
SHA1: c59502a830d4bfbc31da6640a4ad9566d41a0786
SHA256: b7742c9c70e896b31d68b4cdf345ac1d77192ae381f6e49907197fe2bd97eb2b
SHA512: 74575c2eb3193f8ed8005775387e0d2aa357afc4909c1490df85a5820f4d67e6687881cb666d0dd0311866a5cdf00cc9c1f0fda395ae61b5ef4c45f2f437aa8b
SSDEEP: 98304:GK+KlMqXInLSSU6rB4bq6D7l4wmHa42F7b62orR8krE:0KaqXMD/N426Kda4uBw0
Malware Config
Extracted family: hook
http://185.147.124.250
Signatures
-
Hook
Hook is an Android malware that is based on Ermac with RAT capabilities.
-
Hook family
-
pid 4269, process com.wwfvynwml.wjpuuowbi
-
Loads dropped Dex/Jar 1 TTPs 3 IoCs
Runs executable file dropped to the device during analysis.
- ioc /data/user/0/com.wwfvynwml.wjpuuowbi/app_dex/classes.dex, pid 4269, process com.wwfvynwml.wjpuuowbi
- ioc /data/user/0/com.wwfvynwml.wjpuuowbi/app_dex/classes.dex, pid 4294, process /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.wwfvynwml.wjpuuowbi/app_dex/classes.dex --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.wwfvynwml.wjpuuowbi/app_dex/oat/x86/classes.odex --compiler-filter=quicken --class-loader-context=&
- ioc /data/user/0/com.wwfvynwml.wjpuuowbi/app_dex/classes.dex, pid 4269, process com.wwfvynwml.wjpuuowbi
-
Makes use of the framework's Accessibility service 4 TTPs 3 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
- Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId, process com.wwfvynwml.wjpuuowbi
- Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText, process com.wwfvynwml.wjpuuowbi
- Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId, process com.wwfvynwml.wjpuuowbi
-
Queries information about running processes on the device 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about running processes on the device.
- Framework service call android.app.IActivityManager.getRunningAppProcesses, process com.wwfvynwml.wjpuuowbi
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Acquires the wake lock 1 IoCs
- Framework service call android.os.IPowerManager.acquireWakeLock, process com.wwfvynwml.wjpuuowbi
-
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
- Framework service call android.app.IActivityManager.setServiceForeground, process com.wwfvynwml.wjpuuowbi
-
Performs UI accessibility actions on behalf of the user 1 TTPs 6 IoCs
Application may abuse the accessibility service to prevent its own removal.
- Framework service call android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction, process com.wwfvynwml.wjpuuowbi (6 occurrences)
-
Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
- Framework service call android.net.wifi.IWifiManager.getConnectionInfo, process com.wwfvynwml.wjpuuowbi
-
Reads information about phone network operator. 1 TTPs
-
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
- Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS, process com.wwfvynwml.wjpuuowbi
-
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
- Framework service call android.app.IActivityManager.registerReceiver, process com.wwfvynwml.wjpuuowbi
-
Schedules tasks to execute at a specified time 1 TTPs 1 IoCs
Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
- Framework service call android.app.job.IJobScheduler.schedule, process com.wwfvynwml.wjpuuowbi
-
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
- Framework API call javax.crypto.Cipher.doFinal, process com.wwfvynwml.wjpuuowbi
Processes
-
com.wwfvynwml.wjpuuowbi
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Queries information about running processes on the device
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries information about the current Wi-Fi connection
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Schedules tasks to execute at a specified time
- Uses Crypto APIs (Might try to encrypt user data)
PID:4269
-
  Child process: /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.wwfvynwml.wjpuuowbi/app_dex/classes.dex --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.wwfvynwml.wjpuuowbi/app_dex/oat/x86/classes.odex --compiler-filter=quicken --class-loader-context=&
- Loads dropped Dex/Jar
PID:4294
-
Network
MITRE ATT&CK Mobile v15
Persistence
- Event Triggered Execution (1)
- Broadcast Receivers (1)
- Foreground Persistence (1)
- Scheduled Task/Job (1)
Defense Evasion
- Download New Code at Runtime (1)
- Foreground Persistence (1)
- Hide Artifacts (2)
- Suppress Application Icon (1)
- User Evasion (1)
- Impair Defenses (1)
- Prevent Application Removal (1)
- Input Injection (1)
Discovery
- Process Discovery (1)
- System Network Configuration Discovery (2)
- System Network Connections Discovery (1)
Downloads
-
Filesize
2.9MB
MD5 c7699693c2ca0401fdd78b06c2a446d4
SHA1 8218183d5cf401728e6467d81a8805b392e40697
SHA256 82f6e4403759bd9396bd4b20396b3fc9194c76fc952e728052c5589846b24131
SHA512 c7b4c3213c9039e57abb229de59a78749312e6a9d5341410dac23d3d21a554fede9df184896fb8ab4d94eaa8a7cfec848243a41465a6e29502de836e80dda141
-
Filesize
1.0MB
MD5 44ad8ad4679956dd01f4fba5bebdf06a
SHA1 126b28b77eccc8beb2fb4e0ed728da8a7860c1db
SHA256 5edd22cebf6a52fe7ab53694a7550f3202af3888646d3427d089eeee0a2ede29
SHA512 bb4e63fa1ac04f03bb875cb57a2d35ea02af19537a0c0c9fdc46a0039c1fb1da8e77a3b2c6a7813cb37d7c176b42af08463cab7eb9d053246be97df5e1c6c99a
-
Filesize
1.0MB
MD5 a0503a60ef6fc55513388785cd01465f
SHA1 294025fa0759d4c1438b528979e784c15714cb94
SHA256 cef4433dca6437c14b90c291439ea1cefc4f3f4b4571e7ff64d3d5bdd549cd4e
SHA512 2020eaba4b7b21e32b3e44de2a7fc6dbcb10c634a748cd330d172a534a438fb8cb139b8ba89001077828c9870318c08becdc3ea154b3741cacca596ce8e028ae
-
Filesize
4KB
MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1
-
Filesize
512B
MD5 8beb4cdba4163f553fa1568e4648efb2
SHA1 b8403b43fe576527f902294075fffa0a5bdd42f4
SHA256 6ee7bb9c873896a7e48ec1a7d4c5f23f5566f52a06d7aaf6e396b47359a2fff4
SHA512 1de1d4d09fa8f0dda1f26e591255736641b36ffa9129c23e2dacfd0e97d8bb3732dd6088a229b48ed3a69785824fccc7718502297bba961ab67a20a756507cef
-
Filesize
32KB
MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012
-
Filesize
108KB
MD5 e99e10fae93f9a7e89116461894df0a4
SHA1 49c7e98202184ddee660ba81241bd446be07b2d3
SHA256 1d89cd7a61a07158e5343aa0172edfcc1d66d8cf13a59af2fe3cbc9051443854
SHA512 a98516bfb8eca369df1afd9bea2a524e5d731bc8509fe9dc489240a040f4bd6fc6e62cf76a4bcce8a212c45907faeaec64219c7870dac76298fb8a7e3eadbd73
-
Filesize
173KB
MD5 cb9b4fced3c3da069d5ad1ba632e7983
SHA1 a62444a23869d49068c66bcce2689cbddf0a33ec
SHA256 05def34996b6aae84f42f88f6f4c103268d39db29a08a1844a2f1d91e9625ad8
SHA512 dd294a720e6b588793b3d4f073272ad2c97ba9ab89dd684101188cf08a8775aa6a5288754555a83b3cd8c1cd38fcd45827eec0b6c695c08b8865345ee862ebe5
-
Filesize
16KB
MD5 1e0db5b6d585ee729978d534e4a2807b
SHA1 e738a8c36b128740d812ec18aa612c77e47223bc
SHA256 55c29223b36398978a84108673daf71b4abef446631d570cba6590a4ec768b33
SHA512 54d3db6fcdd1158f27daefa53d418dde1963929c9a181e1895372a4d57a4a19f1dfa09c5689eb14eaabc8c4125f746f5551e5bf997ca182e2ad7ceca50793d05
-
Filesize
2.9MB
MD5 419585d7bafa3bd32d82b86b63f9adbd
SHA1 f0ffe2c5af5a743e85dc24abca3207c165785226
SHA256 b31d39c30f8b8a6e4a0d7cc131b2bec7e3ecea6a024a0d7254243580cbd63de9
SHA512 58d03bed060f720cd749819bc764c2e07cdf46c9f16abb7f70312e21ff61cdc3c21e6f612dd4c111e794645d1707f17c6d61c27a3c1a20ad62fa7d5f867a70a4