Analysis

Max time kernel: 145s
Max time network: 159s
Platform: android_x64
Resource: android-x64-20240624-en
Resource tags: android, arch:x64, arch:x86, image:android-x64-20240624-en, locale:en-us, os:android-10-x64, system
Submitted: 25-11-2024 22:00
Static task: static1

Behavioral task: behavioral1
Sample: 8564583d8884530c37150a5193cabb1949c05fc07cf5c8c119b1c03fde25d0e3.apk
Resource: android-x86-arm-20240624-en

Behavioral task: behavioral2
Sample: 8564583d8884530c37150a5193cabb1949c05fc07cf5c8c119b1c03fde25d0e3.apk
Resource: android-x64-20240624-en

Behavioral task: behavioral3
Sample: 8564583d8884530c37150a5193cabb1949c05fc07cf5c8c119b1c03fde25d0e3.apk
Resource: android-x64-arm64-20240624-en
General

Target: 8564583d8884530c37150a5193cabb1949c05fc07cf5c8c119b1c03fde25d0e3.apk
Size: 4.6MB
MD5: 889abd05c789ca7870cbc8380cbb9e9a
SHA1: 549ce6cdf003a052a52220b438ccea56c40b5fd5
SHA256: 8564583d8884530c37150a5193cabb1949c05fc07cf5c8c119b1c03fde25d0e3
SHA512: 73ff7fee227c36849289617eea7e0f694f0538d4d06f1e8ead9a6f09e0a0994e6a3f3139faad919aea43933ed11078e6a9d856eabb0f78e0d9fc78342d01e99e
SSDEEP: 98304:gVzChgizffJ66E7kQTdhWEMN/+yR1LAUCKlfj/fExSgaLvj3Q6ag:EzCaizc7n5MR+URlfo5Yvjrag
Malware Config

Extracted
Family: hook
C2 URL (from the extracted config): http://185.147.124.250
Signatures

Hook
Hook is an Android banking trojan built on the Ermac code base and extended with remote-access (RAT) capabilities.

Hook family
Loads dropped Dex/Jar (1 TTP, 2 IoCs)
Runs executable file dropped to the device during analysis.
IoC: /data/user/0/com.yxsqkgwvz.bfqiecahy/app_dex/classes.dex  PID: 4936  Process: com.yxsqkgwvz.bfqiecahy
IoC: /data/user/0/com.yxsqkgwvz.bfqiecahy/app_dex/classes.dex  PID: 4936  Process: com.yxsqkgwvz.bfqiecahy

Makes use of the framework's Accessibility service (4 TTPs, 3 IoCs)
Retrieves information displayed on the phone screen using AccessibilityService.
Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId  Process: com.yxsqkgwvz.bfqiecahy
Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText  Process: com.yxsqkgwvz.bfqiecahy
Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId  Process: com.yxsqkgwvz.bfqiecahy

Obtains sensitive information copied to the device clipboard (2 TTPs, 1 IoC)
Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
Framework service call: android.content.IClipboard.addPrimaryClipChangedListener  Process: com.yxsqkgwvz.bfqiecahy

Queries information about running processes on the device (1 TTP, 1 IoC)
Application may abuse the framework's APIs to collect information about running processes on the device.
Framework service call: android.app.IActivityManager.getRunningAppProcesses  Process: com.yxsqkgwvz.bfqiecahy

Queries the phone number (MSISDN for GSM devices) (1 TTP)

Acquires the wake lock (1 IoC)
Framework service call: android.os.IPowerManager.acquireWakeLock  Process: com.yxsqkgwvz.bfqiecahy

Makes use of the framework's foreground persistence service (1 TTP, 1 IoC)
Application may abuse the framework's foreground service to continue running in the foreground.
Framework service call: android.app.IActivityManager.setServiceForeground  Process: com.yxsqkgwvz.bfqiecahy

Performs UI accessibility actions on behalf of the user (1 TTP, 5 IoCs)
Application may abuse the accessibility service to prevent its own removal.
Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction (5 occurrences)  Process: com.yxsqkgwvz.bfqiecahy

Queries information about the current Wi-Fi connection (1 TTP, 1 IoC)
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
Framework service call: android.net.wifi.IWifiManager.getConnectionInfo  Process: com.yxsqkgwvz.bfqiecahy

Queries the mobile country code (MCC) (1 TTP, 1 IoC)
Framework service call: com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone  Process: com.yxsqkgwvz.bfqiecahy

Reads information about the phone network operator (1 TTP)

Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTP, 1 IoC)
Framework service call: android.app.IActivityManager.registerReceiver  Process: com.yxsqkgwvz.bfqiecahy

Schedules tasks to execute at a specified time (1 TTP, 1 IoC)
Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
Framework service call: android.app.job.IJobScheduler.schedule  Process: com.yxsqkgwvz.bfqiecahy

Uses Crypto APIs (might try to encrypt user data) (1 TTP, 1 IoC)
Framework API call: javax.crypto.Cipher.doFinal  Process: com.yxsqkgwvz.bfqiecahy

Checks CPU information (2 TTPs, 1 IoC)
File opened for read: /proc/cpuinfo  Process: com.yxsqkgwvz.bfqiecahy

Checks memory information (2 TTPs, 1 IoC)
File opened for read: /proc/meminfo  Process: com.yxsqkgwvz.bfqiecahy
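The signature rows above are the raw material an analyst gets from the sandbox: one framework-call or file-access row per IoC. The Python helper below is an added example (not the sandbox's own signature engine and not code from the sample) that turns such rows back into the report's behaviour names and ATT&CK Mobile technique labels, counts repeated IoCs such as the five performGlobalAction calls, and keeps any row it cannot classify instead of dropping it. The regex-to-signature mapping, the technique label chosen for each signature, the accessibility_banker_like heuristic and the constructed sample rows (including one benign pingBinder row that should stay unmatched) are this example's assumptions.

```python
"""Map sandbox framework-call / file-access IoC rows to the behavioural signatures
and MITRE ATT&CK Mobile technique labels listed in the report above.
Added example; the regexes, technique labels and heuristic are this example's own."""
import re
from collections import defaultdict

# signature name -> (technique label as named in the report's ATT&CK table or None, IoC regexes)
SIGNATURES = {
    "Makes use of the framework's Accessibility service":
        ("GUI Input Capture", [r"IAccessibilityServiceConnection\.findAccessibilityNode"]),
    "Performs UI accessibility actions on behalf of the user":
        ("Prevent Application Removal", [r"IAccessibilityServiceConnection\.performGlobalAction"]),
    "Obtains sensitive information copied to the device clipboard":
        ("Clipboard Data", [r"IClipboard\.addPrimaryClipChangedListener"]),
    "Queries information about running processes on the device":
        ("Process Discovery", [r"IActivityManager\.getRunningAppProcesses"]),
    "Makes use of the framework's foreground persistence service":
        ("Foreground Persistence", [r"IActivityManager\.setServiceForeground"]),
    "Queries information about the current Wi-Fi connection":
        ("System Network Configuration Discovery", [r"IWifiManager\.getConnectionInfo"]),
    "Queries the mobile country code (MCC)":
        ("System Network Configuration Discovery", [r"ITelephony\.getNetworkCountryIsoForPhone"]),
    "Registers a broadcast receiver at runtime":
        ("Broadcast Receivers", [r"IActivityManager\.registerReceiver"]),
    "Schedules tasks to execute at a specified time":
        ("Scheduled Task/Job", [r"IJobScheduler\.schedule"]),
    "Acquires the wake lock": (None, [r"IPowerManager\.acquireWakeLock"]),
    "Uses Crypto APIs": (None, [r"javax\.crypto\.Cipher\.doFinal"]),
    "Checks CPU information": ("System Checks", [r"^/proc/cpuinfo$"]),
    "Checks memory information": ("System Checks", [r"^/proc/meminfo$"]),
    "Loads dropped Dex/Jar": ("Download New Code at Runtime", [r"/app_dex/[^/]+\.dex$"]),
}

# One IoC row per line, in the report's row layout: "<kind> <ioc> [<pid>] <process>"
ROW_RE = re.compile(
    r"^(?P<kind>Framework service call|Framework API call|File opened for read|Loads dropped Dex/Jar)\s+"
    r"(?P<ioc>\S+)\s+(?:(?P<pid>\d+)\s+)?(?P<process>[A-Za-z][\w.]*)$")


def parse_row(line):
    """Return (kind, ioc, pid or None, process), or None for a row in an unknown layout."""
    m = ROW_RE.match(line.strip())
    if not m:
        return None
    pid = int(m.group("pid")) if m.group("pid") else None
    return m.group("kind"), m.group("ioc"), pid, m.group("process")


def triage(lines):
    """Group matching IoCs by process and signature; return unmatched rows too so nothing is silently lost."""
    hits = defaultdict(lambda: defaultdict(list))
    unmatched = []
    for line in lines:
        row = parse_row(line)
        if row is None:
            unmatched.append(line)
            continue
        _kind, ioc, _pid, process = row
        matched = False
        for name, (_technique, patterns) in SIGNATURES.items():
            if any(re.search(p, ioc) for p in patterns):
                hits[process][name].append(ioc)
                matched = True
        if not matched:
            unmatched.append(line)
    return hits, unmatched


def techniques(hits, process):
    """Sorted technique labels (report naming) triggered by one process."""
    return sorted({SIGNATURES[s][0] for s in hits[process] if SIGNATURES[s][0]})


def accessibility_banker_like(hits, process):
    """Heuristic (this example's assumption): screen reading + global UI actions + clipboard
    hooking + foreground persistence together is the profile Hook/Ermac-style bankers show."""
    needed = {
        "Makes use of the framework's Accessibility service",
        "Performs UI accessibility actions on behalf of the user",
        "Obtains sensitive information copied to the device clipboard",
        "Makes use of the framework's foreground persistence service",
    }
    return needed <= set(hits[process])


# Constructed sample rows, modelled on the IoC rows listed above for PID 4936.
PKG = "com.yxsqkgwvz.bfqiecahy"
SAMPLE_ROWS = [
    f"Loads dropped Dex/Jar /data/user/0/{PKG}/app_dex/classes.dex 4936 {PKG}",
    f"Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText {PKG}",
    f"Framework service call android.content.IClipboard.addPrimaryClipChangedListener {PKG}",
    f"Framework service call android.app.IActivityManager.setServiceForeground {PKG}",
    f"Framework API call javax.crypto.Cipher.doFinal {PKG}",
    f"File opened for read /proc/cpuinfo {PKG}",
    "Framework service call android.os.IBinder.pingBinder com.example.benign",  # constructed, matches no signature
] + [f"Framework service call android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction {PKG}"] * 5

if __name__ == "__main__":
    hits, unmatched = triage(SAMPLE_ROWS)
    for sig, iocs in hits[PKG].items():
        print(f"{sig}: {len(iocs)} IoC(s)")
    print("techniques:", techniques(hits, PKG))
    print("banker-like:", accessibility_banker_like(hits, PKG))
    print("unmatched:", unmatched)
```

Feed it the IoC rows copied from a report (or from your own Binder-call hooks in the same layout); the unmatched list is the part to read first, since a call the table does not know about is either noise or a behaviour the mapping is missing.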
Processes

com.yxsqkgwvz.bfqiecahy (PID 4936)
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Queries information about running processes on the device
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries information about the current Wi-Fi connection
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Schedules tasks to execute at a specified time
- Uses Crypto APIs (might try to encrypt user data)
- Checks CPU information
- Checks memory information
Network
MITRE ATT&CK Mobile v15

Persistence
- Event Triggered Execution (1): Broadcast Receivers (1)
- Foreground Persistence (1)
- Scheduled Task/Job (1)

Defense Evasion
- Download New Code at Runtime (1)
- Foreground Persistence (1)
- Impair Defenses (1): Prevent Application Removal (1)
- Input Injection (1)
- Virtualization/Sandbox Evasion (2): System Checks (2)

Credential Access
- Clipboard Data (1)
- Input Capture (2): GUI Input Capture (1), Keylogging (1)

Discovery
- Process Discovery (1)
- System Information Discovery (2)
- System Network Configuration Discovery (3)
- System Network Connections Discovery (1)
Downloads

Dropped file 1
Filesize: 2.9MB
MD5: 4890df35d01cb3f5abe2fe48468808b1
SHA1: e34d25fbadeb8797a267f0b14147d6fec3436cfe
SHA256: 3c11b1fe8e48ea3c0ef920bf17b38bd09888c2e7d5c7328913043a06879f90dd
SHA512: a5e5bc39898e96196e9b308a811a640c635e6b9db3c415eec5a5c38e031de83330c7acfa771320234247eb07d601f4c2ae04ca1523778514759b923ada77171f

Dropped file 2
Filesize: 1.0MB
MD5: 10efa14909800042f90a47c5bdc5e1d2
SHA1: 1824e614dc129b4e58b96c077a6af87db5ec368d
SHA256: fc3099255ce95efcbfacf646610d6b940789aa71d850f87d3636f2b36c7435a7
SHA512: 94e8027c38008165b3ccef7732f53187789f3bb7c0dc3881f01f15b16bde89613376e9f02838dc3aff9ddbb1548ea670a91ba9991f8161a07ed937f0a16447a4

Dropped file 3
Filesize: 1.0MB
MD5: ba8134fe531d50d6e1255426d99eac48
SHA1: 83be6708993e2065b1c1e8ecd61ffec34f193c3d
SHA256: aadb67dd5bf02b7a595456cac0d4c08bf57f0ce0f2368d033182721762a6a18e
SHA512: 76f45f1a637d4f9d9c2406037661c330c5c2336ce9c4ef4e082f0f48990378a2877ae7de2947e99ffaea31ac49ea17f52b3ac5b1d186a6fd675e5fee762779dc

Dropped file 4
Filesize: 4KB
MD5: f2b4b0190b9f384ca885f0c8c9b14700
SHA1: 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256: 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512: ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

Dropped file 5
Filesize: 512B
MD5: f2de86d6469b395ddaacfc41036298ee
SHA1: 9d379f8a488ba7f271ffc28488b675a035024cf1
SHA256: d439108f4e085f5cc6583e2a9d6bc50517a8024d958b7da41c75b19d33ca4d66
SHA512: 346cbe098c477d88f43946fa2fa27526c75ed37f16b9bbe470d229f761f53f3724c00ef864cb74edaebe4f9f72cede18e677fdc437a880126313df1953014d22

Dropped file 6
Filesize: 32KB
MD5: bb7df04e1b0a2570657527a7e108ae23
SHA1: 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256: c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512: 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Dropped file 7
Filesize: 16KB
MD5: f587e0d775972866d2405c70d4618205
SHA1: d854cf23cd140a000b17729a394de29ef59a2e41
SHA256: a64795a2890f721b315583ad6f0181883403978354dcecaddbc0f10d762855cc
SHA512: adc7a44d469b8450c04ac3abdb7e17427f33d425c48dd255ab8e3bed0f89378771ff78c3b246bc9294d601c77fc39dda0b00addbf239180e3d6b3e65206d7abe

Dropped file 8
Filesize: 108KB
MD5: a17a0de92a1e9f1bb2b1f347aab26036
SHA1: 3aa13c8c04ec7fd9dc4b857f0d55c6b8aae4912c
SHA256: a5ae0194c36dcb5f49e9ca8bdd3d7e031423b4a2741e2ec7cd3508804c550321
SHA512: fde208b9d920a542cd5c94fd484f3adbbbc11ad28f48b72f7ccd40ea69d305843ec2309a41130cb441006dd2eca289ddbc9475d23b0f9bc8f839cee9fed401fe

Dropped file 9
Filesize: 173KB
MD5: 69fc3f33697e5bfb4d8bb89e890e3bb2
SHA1: 43b6cff222a530d37679288d54c291f46292ac5d
SHA256: 6e2c6c83b889de7bec34e13a185d27ffb4e0d6eb27b7f069754fff9add0a23a2
SHA512: 50e48a084556fad0d04740388d113029b817ef484f570e254e1acd91510012ab8734fa6eb4416e396c59b16a728eac1f1112f5753b834c08faa24262e04c59fe
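The dropped-file table is only useful once you can test files you have pulled yourself (for example the app_dex/classes.dex the "Loads dropped Dex/Jar" signature points at) against it, and once you know which rows carry real content. The Python helper below is an added example, not tooling from the sandbox vendor or code from the sample: it hashes file bytes, matches them by SHA256 against the table above, recognises the DEX header so a matched or unmatched payload can be told from a config blob, and checks whether any table row with an exactly printed size is merely a file of that many NUL bytes, which is a common source of noise in dropped-file lists. The MD5 and SHA256 values are copied from the table; the helper names, the KB = 1024 size convention, the one-megabyte limit on the zero-fill check and the constructed sample blobs are this example's assumptions.

```python
"""Match pulled files against the report's dropped-file hash table and separate
DEX payloads from zero-filled noise. Added example; hashes are the report's,
helper names and the KB = 1024 convention are this example's assumptions."""
import hashlib
import re
from pathlib import Path

# (printed size, MD5, SHA256) for the nine files in the Downloads table above.
DROPPED = [
    ("2.9MB", "4890df35d01cb3f5abe2fe48468808b1", "3c11b1fe8e48ea3c0ef920bf17b38bd09888c2e7d5c7328913043a06879f90dd"),
    ("1.0MB", "10efa14909800042f90a47c5bdc5e1d2", "fc3099255ce95efcbfacf646610d6b940789aa71d850f87d3636f2b36c7435a7"),
    ("1.0MB", "ba8134fe531d50d6e1255426d99eac48", "aadb67dd5bf02b7a595456cac0d4c08bf57f0ce0f2368d033182721762a6a18e"),
    ("4KB", "f2b4b0190b9f384ca885f0c8c9b14700", "0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514"),
    ("512B", "f2de86d6469b395ddaacfc41036298ee", "d439108f4e085f5cc6583e2a9d6bc50517a8024d958b7da41c75b19d33ca4d66"),
    ("32KB", "bb7df04e1b0a2570657527a7e108ae23", "c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479"),
    ("16KB", "f587e0d775972866d2405c70d4618205", "a64795a2890f721b315583ad6f0181883403978354dcecaddbc0f10d762855cc"),
    ("108KB", "a17a0de92a1e9f1bb2b1f347aab26036", "a5ae0194c36dcb5f49e9ca8bdd3d7e031423b4a2741e2ec7cd3508804c550321"),
    ("173KB", "69fc3f33697e5bfb4d8bb89e890e3bb2", "6e2c6c83b889de7bec34e13a185d27ffb4e0d6eb27b7f069754fff9add0a23a2"),
]

# DEX file header: "dex\n" + three-digit version + NUL (versions 035, 037, 038, 039).
DEX_MAGIC = re.compile(rb"^dex\n0(35|37|38|39)\x00")


def digests(data):
    """MD5 and SHA256 hex digests of a byte string."""
    return {"md5": hashlib.md5(data).hexdigest(), "sha256": hashlib.sha256(data).hexdigest()}


def looks_like_dex(data):
    """True when the first eight bytes carry a DEX magic."""
    return DEX_MAGIC.match(data[:8]) is not None


def match_dropped(data, table=DROPPED):
    """Index of the table row whose SHA256 equals the data's, or None."""
    sha256 = digests(data)["sha256"]
    for i, (_size, _md5, row_sha256) in enumerate(table):
        if row_sha256 == sha256:
            return i
    return None


def parse_size(text):
    """Exact byte count for sizes printed in whole units; None for rounded values such as '2.9MB'."""
    m = re.fullmatch(r"(\d+)(B|KB|MB)", text)
    if not m:
        return None
    return int(m.group(1)) * {"B": 1, "KB": 1024, "MB": 1024 * 1024}[m.group(2)]


def zero_filled_rows(table=DROPPED, limit=1 << 20):
    """Rows whose printed size is exact and whose MD5 and SHA256 equal a file of that many NUL bytes."""
    rows = []
    for i, (size, md5, sha256) in enumerate(table):
        n = parse_size(size)
        if n is None or n > limit:
            continue
        z = digests(bytes(n))
        if z["md5"] == md5 and z["sha256"] == sha256:
            rows.append(i)
    return rows


def scan_blob(name, data, table=DROPPED):
    """Verdict for one file's bytes: table row matched (or None) and whether it is a DEX."""
    return {"name": name, "sha256": digests(data)["sha256"],
            "dropped_row": match_dropped(data, table), "dex": looks_like_dex(data)}


def scan_dir(root, table=DROPPED):
    """Scan every regular file under root, e.g. a pulled /data/user/0/<pkg>/app_dex/ tree."""
    return [scan_blob(str(p), p.read_bytes(), table) for p in Path(root).rglob("*") if p.is_file()]


# Constructed sample inputs: a header-sized DEX stub and an empty file (neither is a real dropped file).
SAMPLE_BLOBS = {
    "classes.dex": b"dex\n035\x00" + bytes(0x70 - 8),
    "empty.bin": b"",
}

if __name__ == "__main__":
    for name, data in SAMPLE_BLOBS.items():
        print(scan_blob(name, data))
    print("zero-filled rows in the table:", zero_filled_rows())
```

Run scan_dir against files pulled from a rooted test device or from the sandbox's own download bundle; a row that zero_filled_rows reports is not worth a detection rule, and a DEX that matches no row is the one to decompile next.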