Analysis
- max time kernel: 148s
- max time network: 155s
- platform: android_x64
- resource: android-x64-arm64-20240624-en
- resource tags: android, arch:arm, arch:arm64, arch:x64, arch:x86, image:android-x64-arm64-20240624-en, locale:en-us, os:android-11-x64, system
- submitted: 24-11-2024 22:00
- Static task: static1
- Behavioral task: behavioral1
  Sample: b7742c9c70e896b31d68b4cdf345ac1d77192ae381f6e49907197fe2bd97eb2b.apk
  Resource: android-x86-arm-20240624-en
- Behavioral task: behavioral2
  Sample: b7742c9c70e896b31d68b4cdf345ac1d77192ae381f6e49907197fe2bd97eb2b.apk
  Resource: android-x64-20240624-en
- Behavioral task: behavioral3
  Sample: b7742c9c70e896b31d68b4cdf345ac1d77192ae381f6e49907197fe2bd97eb2b.apk
  Resource: android-x64-arm64-20240624-en
General
- Target: b7742c9c70e896b31d68b4cdf345ac1d77192ae381f6e49907197fe2bd97eb2b.apk
- Size: 4.6MB
- MD5: 7ebb1a9bd104996f722ec77affce15c4
- SHA1: c59502a830d4bfbc31da6640a4ad9566d41a0786
- SHA256: b7742c9c70e896b31d68b4cdf345ac1d77192ae381f6e49907197fe2bd97eb2b
- SHA512: 74575c2eb3193f8ed8005775387e0d2aa357afc4909c1490df85a5820f4d67e6687881cb666d0dd0311866a5cdf00cc9c1f0fda395ae61b5ef4c45f2f437aa8b
- SSDEEP: 98304:GK+KlMqXInLSSU6rB4bq6D7l4wmHa42F7b62orR8krE:0KaqXMD/N426Kda4uBw0
Malware Config
Extracted
- hook: http://185.147.124.250
Signatures
- Hook
  Hook is Android malware based on Ermac, extended with RAT capabilities.
- Hook family
- Loads dropped Dex/Jar (1 TTPs, 2 IoCs)
  Runs executable file dropped to the device during analysis.
  ioc | pid | Process
  /data/user/0/com.wwfvynwml.wjpuuowbi/app_dex/classes.dex | 4476 | com.wwfvynwml.wjpuuowbi (2 occurrences)
- Makes use of the framework's Accessibility service (4 TTPs, 3 IoCs)
  Retrieves information displayed on the phone screen using AccessibilityService.
  description | ioc | Process
  Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | com.wwfvynwml.wjpuuowbi
  Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | com.wwfvynwml.wjpuuowbi
  Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | com.wwfvynwml.wjpuuowbi
- Obtains sensitive information copied to the device clipboard (2 TTPs, 1 IoCs)
  Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
  description | ioc | Process
  Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | com.wwfvynwml.wjpuuowbi
- Queries information about running processes on the device (1 TTPs, 1 IoCs)
  Application may abuse the framework's APIs to collect information about running processes on the device.
  description | ioc | Process
  Framework service call | android.app.IActivityManager.getRunningAppProcesses | com.wwfvynwml.wjpuuowbi
- Queries the phone number (MSISDN for GSM devices) (1 TTPs)
- Acquires the wake lock (1 IoCs)
  description | ioc | Process
  Framework service call | android.os.IPowerManager.acquireWakeLock | com.wwfvynwml.wjpuuowbi
- Makes use of the framework's foreground persistence service (1 TTPs, 1 IoCs)
  Application may abuse the framework's foreground service to continue running in the foreground.
  description | ioc | Process
  Framework service call | android.app.IActivityManager.setServiceForeground | com.wwfvynwml.wjpuuowbi
- Performs UI accessibility actions on behalf of the user (1 TTPs, 5 IoCs)
  Application may abuse the accessibility service to prevent its own removal.
  ioc | Process
  android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | com.wwfvynwml.wjpuuowbi (5 occurrences)
- Queries information about the current Wi-Fi connection (1 TTPs, 1 IoCs)
  Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
  description | ioc | Process
  Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | com.wwfvynwml.wjpuuowbi
- Reads information about the phone network operator (1 TTPs)
- Schedules tasks to execute at a specified time (1 TTPs, 1 IoCs)
  Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
  description | ioc | Process
  Framework service call | android.app.job.IJobScheduler.schedule | com.wwfvynwml.wjpuuowbi
- Uses Crypto APIs (might try to encrypt user data) (1 TTPs, 1 IoCs)
  description | ioc | Process
  Framework API call | javax.crypto.Cipher.doFinal | com.wwfvynwml.wjpuuowbi
- Checks CPU information (2 TTPs, 1 IoCs)
  description | ioc | Process
  File opened for read | /proc/cpuinfo | com.wwfvynwml.wjpuuowbi
- Checks memory information (2 TTPs, 1 IoCs)
  description | ioc | Process
  File opened for read | /proc/meminfo | com.wwfvynwml.wjpuuowbi
Processes
- com.wwfvynwml.wjpuuowbi (PID: 4476)
  - Loads dropped Dex/Jar
  - Makes use of the framework's Accessibility service
  - Obtains sensitive information copied to the device clipboard
  - Queries information about running processes on the device
  - Acquires the wake lock
  - Makes use of the framework's foreground persistence service
  - Performs UI accessibility actions on behalf of the user
  - Queries information about the current Wi-Fi connection
  - Schedules tasks to execute at a specified time
  - Uses Crypto APIs (might try to encrypt user data)
  - Checks CPU information
  - Checks memory information
Network
MITRE ATT&CK Mobile v15
- Defense Evasion
  - Download New Code at Runtime (1)
  - Foreground Persistence (1)
  - Impair Defenses (1)
  - Prevent Application Removal (1)
  - Input Injection (1)
  - Virtualization/Sandbox Evasion (2)
  - System Checks (2)
- Credential Access
  - Clipboard Data (1)
  - Input Capture (2)
  - GUI Input Capture (1)
  - Keylogging (1)
- Discovery
  - Process Discovery (1)
  - System Information Discovery (2)
  - System Network Configuration Discovery (2)
  - System Network Connections Discovery (1)
Downloads