Analysis
max time kernel: 147s
max time network: 158s
platform: android_x86
resource: android-x86-arm-20240624-en
resource tags: android, arch:arm, arch:x86, image:android-x86-arm-20240624-en, locale:en-us, os:android-9-x86, system
submitted: 24-11-2024 22:01
Static task: static1
Behavioral task: behavioral1
  Sample: 8dc420efd61e175140c215fb0f514c728312a1db2f2be48438ed1fe8a81eef0e.apk
  Resource: android-x86-arm-20240624-en
Behavioral task: behavioral2
  Sample: 8dc420efd61e175140c215fb0f514c728312a1db2f2be48438ed1fe8a81eef0e.apk
  Resource: android-x64-20240624-en
Behavioral task: behavioral3
  Sample: 8dc420efd61e175140c215fb0f514c728312a1db2f2be48438ed1fe8a81eef0e.apk
  Resource: android-x64-arm64-20240624-en
General
Target: 8dc420efd61e175140c215fb0f514c728312a1db2f2be48438ed1fe8a81eef0e.apk
Size: 4.6MB
MD5: 4e124742f97c21743f4eab69ea4fe27e
SHA1: caefae5c6e217169fe683bcc1e61b582620b7b04
SHA256: 8dc420efd61e175140c215fb0f514c728312a1db2f2be48438ed1fe8a81eef0e
SHA512: c3af9b30d06b02028ff6212c4b59ea30f8abb5dc13848ec9660f74a2e8003b1244f5cf0d384949ef36c074d995d8ffe1aa9b3e9d80863130d07eb47ba95c9878
SSDEEP: 98304:xgO1xEQCdw0PoqzbP9oWx8qfKUfuwcpGYObG0JI0Jw:hiQCdwwoAP9rxdiUhyObw
Malware Config
Extracted
hook
http://154.216.17.184
Signatures

Hook
Hook is an Android malware that is based on Ermac with RAT capabilities.

Hook family

Loads dropped Dex/Jar (1 TTP, 3 IoCs)
Runs executable file dropped to the device during analysis.
ioc | pid | Process
/data/user/0/com.muzeauuvq.consstfgr/app_dex/classes.dex | 4271 | com.muzeauuvq.consstfgr
/data/user/0/com.muzeauuvq.consstfgr/app_dex/classes.dex | 4300 | /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.muzeauuvq.consstfgr/app_dex/classes.dex --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.muzeauuvq.consstfgr/app_dex/oat/x86/classes.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/com.muzeauuvq.consstfgr/app_dex/classes.dex | 4271 | com.muzeauuvq.consstfgr

Makes use of the framework's Accessibility service (4 TTPs, 3 IoCs)
Retrieves information displayed on the phone screen using AccessibilityService.
description | ioc | Process
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | com.muzeauuvq.consstfgr
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | com.muzeauuvq.consstfgr
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | com.muzeauuvq.consstfgr

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) (1 TTP)

Queries information about running processes on the device (1 TTP, 1 IoC)
Application may abuse the framework's APIs to collect information about running processes on the device.
description | ioc | Process
Framework service call | android.app.IActivityManager.getRunningAppProcesses | com.muzeauuvq.consstfgr

Queries the phone number (MSISDN for GSM devices) (1 TTP)

Acquires the wake lock (1 IoC)
description | ioc | Process
Framework service call | android.os.IPowerManager.acquireWakeLock | com.muzeauuvq.consstfgr

Makes use of the framework's foreground persistence service (1 TTP, 1 IoC)
Application may abuse the framework's foreground service to continue running in the foreground.
description | ioc | Process
Framework service call | android.app.IActivityManager.setServiceForeground | com.muzeauuvq.consstfgr

Performs UI accessibility actions on behalf of the user (1 TTP, 5 IoCs)
Application may abuse the accessibility service to prevent its removal.
ioc | Process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | com.muzeauuvq.consstfgr
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | com.muzeauuvq.consstfgr
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | com.muzeauuvq.consstfgr
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | com.muzeauuvq.consstfgr
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | com.muzeauuvq.consstfgr

Queries information about the current Wi-Fi connection (1 TTP, 1 IoC)
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
description | ioc | Process
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | com.muzeauuvq.consstfgr

Reads information about phone network operator. (1 TTP)

Requests disabling of battery optimizations (often used to enable hiding in the background). (1 TTP, 1 IoC)
description | ioc | Process
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | com.muzeauuvq.consstfgr

Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTP, 1 IoC)
description | ioc | Process
Framework service call | android.app.IActivityManager.registerReceiver | com.muzeauuvq.consstfgr

Schedules tasks to execute at a specified time (1 TTP, 1 IoC)
Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
description | ioc | Process
Framework service call | android.app.job.IJobScheduler.schedule | com.muzeauuvq.consstfgr

Uses Crypto APIs (Might try to encrypt user data) (1 TTP, 1 IoC)
description | ioc | Process
Framework API call | javax.crypto.Cipher.doFinal | com.muzeauuvq.consstfgr
Processes

com.muzeauuvq.consstfgr (PID 4271)
  - Loads dropped Dex/Jar
  - Makes use of the framework's Accessibility service
  - Queries information about running processes on the device
  - Acquires the wake lock
  - Makes use of the framework's foreground persistence service
  - Performs UI accessibility actions on behalf of the user
  - Queries information about the current Wi-Fi connection
  - Requests disabling of battery optimizations (often used to enable hiding in the background).
  - Registers a broadcast receiver at runtime (usually for listening for system events)
  - Schedules tasks to execute at a specified time
  - Uses Crypto APIs (Might try to encrypt user data)

  Child process: /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.muzeauuvq.consstfgr/app_dex/classes.dex --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.muzeauuvq.consstfgr/app_dex/oat/x86/classes.odex --compiler-filter=quicken --class-loader-context=& (PID 4300)
    - Loads dropped Dex/Jar
Network
MITRE ATT&CK Mobile v15

Persistence
  Event Triggered Execution (1)
    Broadcast Receivers (1)
  Foreground Persistence (1)
  Scheduled Task/Job (1)
Defense Evasion
  Download New Code at Runtime (1)
  Foreground Persistence (1)
  Hide Artifacts (1)
    User Evasion (1)
  Impair Defenses (1)
    Prevent Application Removal (1)
  Input Injection (1)
Discovery
  Process Discovery (1)
  Software Discovery (1)
    Security Software Discovery (1)
  System Network Configuration Discovery (2)
  System Network Connections Discovery (1)
Downloads

Filesize: 2.9MB
MD5: 91945e8e9424b112b54c0b7d096e8140
SHA1: 2a682040772ea08ee1cdaeadfa11d082c5e814a9
SHA256: 65a4cb850f8259ccdd53097a96d12d6f21a63361fd4260e08740e57bebbc5a7f
SHA512: d0cd2e8c60bde9ae1251feece71d01dd02b640ee3331def50dadb82fe01eaf6eb29e99a4b8ebbf65378ad0f8e2ed6e0260e12a7994c7979ae77883d6989f5fb1

Filesize: 1.0MB
MD5: f227ac280380931d865e58cbfdc15752
SHA1: 0bdffd65f16503727fcb0b678392150e2867ff66
SHA256: 4a172f9862f44cee2068bbf6106aad4fec4b4d33327ad52a785a0e45de47f9ef
SHA512: 45d328fe58bdaa47cfb260920d18278296b1741874461ff42d67a16ee1871dd113a2d6173c95bae0491d098a1a0d45700cf82d9d7f7d0498071e98d9cfc5e333

Filesize: 1.0MB
MD5: b003a2054e04d4cd3d0873dec66e4ec1
SHA1: 2fce0eeee50bf02419aa57864cf67233e9ea5f8a
SHA256: fd7e64679ceefb7bb4e9c8b08d9997892b516ca6b2698f0f183965f946577443
SHA512: 8e59945ccc15eb660dd0617d2dde7d06e073c07486c0e5ac5bc9d038780ef9f68cea3cc11c4f24ae7d0efd2159e6a40d677129960b8ecc7d34cb537d41217487

Filesize: 4KB
MD5: f2b4b0190b9f384ca885f0c8c9b14700
SHA1: 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256: 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512: ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

Filesize: 512B
MD5: e1e758aaf86a13bfa08b71c86c5c6374
SHA1: 9a766d4a8a6114b6c278d99585a8d6eef029b8b3
SHA256: 2d91e623bcb94a9b9cf11967c5b3397dca698200f1d685a3cff87c7216ad1b77
SHA512: 717c257787445e172429cbd6feb2a1824cd0c2dbfd128599a54d802da600558e52c17d14c9091175c9d036fb1ec2cb84e7c89c00879e10203def45759a3bb483

Filesize: 32KB
MD5: bb7df04e1b0a2570657527a7e108ae23
SHA1: 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256: c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512: 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Filesize: 108KB
MD5: 95aee670571021d6b537c765c3e3078a
SHA1: 3f4f171f3acc55a2a215d10904b10e7cfbf1a512
SHA256: dc922b258424b594464b6216beb39129865791f4000c75f0af6e12305bb3b0ff
SHA512: 0a50b468f860273dcf2b9752dc00bf1871e175bec91a6ed079c0005e48e356d48da72bb2646725aa36f469f5d5a4ab374f74ea46b9ecdd975b4ecd92d5232d9e

Filesize: 173KB
MD5: 5ba6200b5a9ce6cca8f24ca3999727e9
SHA1: 8e9fa3d663df61a768beaeb1aee97eb4595215ab
SHA256: 4e98e299be375a38d6d42fe0f4d800ced6d653c4b890f6dedbfa444be4c523f2
SHA512: 228c0c1e75063ab9a2a4f5d640e86fcf07aced9701de6f601b9184553f347d07f868a512bb0da1b477d08fde2c119fa8480540cca91401a3e6f4098251d25b88

Filesize: 16KB
MD5: 01d4fecdb2bfff7b10d4c0ae5a0af391
SHA1: 485d24644731c68f59b54723fa1f403a9705e26c
SHA256: 30854a92d692fda00870fcb8f069650212687b5a39404bb72fdc51253b7bed2f
SHA512: e6cd85a8c5f8cbf326ecca28a55a78ae7e0fb8decb1e8e64127a9bfba7bd260b5df336d2a884c3bd01b111e73e6c53ecd962a8c0dc4c49a61ba1e9de8bf3a9d8

Filesize: 2.9MB
MD5: b9430a2b2c5bbf32bca5642e1a86c050
SHA1: 83eab457c72953ca5503d956c508b868e071aaba
SHA256: 0aa0e212c793277828347d736d4de9d44856d47f143a421eeb5285afb33ad3fc
SHA512: c7ad78ebafa3a55c25001ccded7c042150c4c8b09476f75f6db12b86851629e0022e3793ca685cf59699e3876151166b204ff43a2d7017a474a778fe143aa520