Analysis
-
max time kernel
148s -
max time network
158s -
platform
android_x64 -
resource
android-x64-20240624-en -
resource tags
androidarch:x64arch:x86image:android-x64-20240624-enlocale:en-usos:android-10-x64system -
submitted
02-12-2024 22:04
Static task
static1
Behavioral task
behavioral1
Sample
d2faa03050cd15ad97c0108c451f00b074228ee8235dce87d546ee45846f93be.apk
Resource
android-x86-arm-20240624-en
Behavioral task
behavioral2
Sample
d2faa03050cd15ad97c0108c451f00b074228ee8235dce87d546ee45846f93be.apk
Resource
android-x64-20240624-en
Behavioral task
behavioral3
Sample
d2faa03050cd15ad97c0108c451f00b074228ee8235dce87d546ee45846f93be.apk
Resource
android-x64-arm64-20240910-en
General
-
Target
d2faa03050cd15ad97c0108c451f00b074228ee8235dce87d546ee45846f93be.apk
-
Size
4.5MB
-
MD5
c32d1f84cbe09832a1d19de808d6470d
-
SHA1
279404c25547f76102e2bd63eb5540b35f2ac613
-
SHA256
d2faa03050cd15ad97c0108c451f00b074228ee8235dce87d546ee45846f93be
-
SHA512
1e88cc6f549949020105ee25d2459d8290dcdefcfd717472f7b3122c6b75e3a743fd7ecd96f9be504cba11c7ca8a0b06a448000ed82517c00569dd29dc479c10
-
SSDEEP
98304:9YtvbekaVwFYMo34EhPHrjIPg3fhamP7vTjD4RDs/pPow2WdDM:PZoYDPHrjIPgXPbDis/pPowxdY
Malware Config
Extracted
hook
http://94.141.120.34
Signatures
-
Hook
Hook is an Android malware that is based on Ermac with RAT capabilities.
-
Hook family
-
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs executable file dropped to the device during analysis.
ioc pid Process /data/user/0/com.zwuiaeqza.wxdlfyvob/app_dex/classes.dex 4929 com.zwuiaeqza.wxdlfyvob /data/user/0/com.zwuiaeqza.wxdlfyvob/app_dex/classes.dex 4929 com.zwuiaeqza.wxdlfyvob -
Makes use of the framework's Accessibility service 4 TTPs 3 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
description ioc Process Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText com.zwuiaeqza.wxdlfyvob Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId com.zwuiaeqza.wxdlfyvob Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId com.zwuiaeqza.wxdlfyvob -
Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs
Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
description ioc Process Framework service call android.content.IClipboard.addPrimaryClipChangedListener com.zwuiaeqza.wxdlfyvob -
Queries information about running processes on the device 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about running processes on the device.
description ioc Process Framework service call android.app.IActivityManager.getRunningAppProcesses com.zwuiaeqza.wxdlfyvob -
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Acquires the wake lock 1 IoCs
description ioc Process Framework service call android.os.IPowerManager.acquireWakeLock com.zwuiaeqza.wxdlfyvob -
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
description ioc Process Framework service call android.app.IActivityManager.setServiceForeground com.zwuiaeqza.wxdlfyvob -
Performs UI accessibility actions on behalf of the user 1 TTPs 5 IoCs
Application may abuse the accessibility service to prevent their removal.
ioc Process android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.zwuiaeqza.wxdlfyvob android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.zwuiaeqza.wxdlfyvob android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.zwuiaeqza.wxdlfyvob android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.zwuiaeqza.wxdlfyvob android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.zwuiaeqza.wxdlfyvob -
Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
description ioc Process Framework service call android.net.wifi.IWifiManager.getConnectionInfo com.zwuiaeqza.wxdlfyvob -
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
description ioc Process Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone com.zwuiaeqza.wxdlfyvob -
Reads information about phone network operator. 1 TTPs
-
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
description ioc Process Framework service call android.app.IActivityManager.registerReceiver com.zwuiaeqza.wxdlfyvob -
Schedules tasks to execute at a specified time 1 TTPs 1 IoCs
Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
description ioc Process Framework service call android.app.job.IJobScheduler.schedule com.zwuiaeqza.wxdlfyvob -
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
description ioc Process Framework API call javax.crypto.Cipher.doFinal com.zwuiaeqza.wxdlfyvob -
Checks CPU information 2 TTPs 1 IoCs
description ioc Process File opened for read /proc/cpuinfo com.zwuiaeqza.wxdlfyvob -
Checks memory information 2 TTPs 1 IoCs
description ioc Process File opened for read /proc/meminfo com.zwuiaeqza.wxdlfyvob
Processes
-
com.zwuiaeqza.wxdlfyvob1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Queries information about running processes on the device
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries information about the current Wi-Fi connection
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Schedules tasks to execute at a specified time
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:4929
Network
MITRE ATT&CK Mobile v15
Persistence
Event Triggered Execution
1Broadcast Receivers
1Foreground Persistence
1Scheduled Task/Job
1Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Impair Defenses
1Prevent Application Removal
1Input Injection
1Virtualization/Sandbox Evasion
2System Checks
2Credential Access
Clipboard Data
1Input Capture
2GUI Input Capture
1Keylogging
1Discovery
Process Discovery
1System Information Discovery
2System Network Configuration Discovery
3System Network Connections Discovery
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.9MB
MD5dedc5af2004e162e3c8b7b1eb6c72653
SHA10d78a1a711fad8c620fd1ab53549545d1e858ae6
SHA256a9f29e0b8b87d2e52c627924a98bad036f62efc59bb279e7b34193e26ff7a969
SHA512cecfcff0abeceb4989ddb2e7e06890a7a54b4d55227fd0bb618a60f5d186ea27f2d2c39803ba78f6b45eac22ea3e317a742e8fcfb76230cc5dddca5b221cabe6
-
Filesize
1.0MB
MD55d61b8465fde28f4f65eccfe6b4b4814
SHA19fe6ac6e4134eb6ec160b3c6b0e887046e49bd9a
SHA256dda4d0e0c91e06c04b16e6cf8b425d99323cdf4caade9ccdbe86decfea41bdd1
SHA51259c407ee9e7ee97fb1424769d50863de0571839c2c8d625daabe6e4b9ba6100978720edbf0fed90646341b46364e94435f4b6c0738d842718aba0d3c3e9ceac9
-
Filesize
1.0MB
MD51bff0e8aeaf91a1cb1533ac459905f76
SHA1159198260758dbfea33121c1974816c81da381dd
SHA2566c633f4631ceca59a98a5071b7be36596f35211848c8f4fb07d0a2e19d446ec0
SHA5129e5e6439f3e35f215e6a19f86594f15439191f688b03329737f15837b306aea97d1965bed623183c106a23da157d446e6602a1bb07a5b7818d12ba0540cc606b
-
Filesize
4KB
MD5f2b4b0190b9f384ca885f0c8c9b14700
SHA1934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA2560a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1
-
Filesize
512B
MD5954d7e15a9d3f71c40c5e5cf53156448
SHA18ed4688481e5610aa22c0cd668298a366923c170
SHA2564dfdabb91d72ab4e8d3ced9ecde3e030f127e908534397ce401fc790d13fa148
SHA512e6125fce70e85acade3654f42c7956af3d72463251db0c7d0219a55fe12f2b1225d0a52c1ff9c70068347d9ef5e41f5e7c336943f08b64e86422aff62ab87735
-
Filesize
32KB
MD5bb7df04e1b0a2570657527a7e108ae23
SHA15188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012
-
Filesize
16KB
MD564943fa64e6a037fcf08d1c37febbdc5
SHA189da85b227e4c2aa405aa0f631df4161dfcbfdfb
SHA2566ae591e96da2364cb29c2d5f92e95768d743541ee9d90dfe4ac8d2154e57b294
SHA512e6f771c04605bb4e04df404409516ee0cae0dbb864f4f5ae642ee0c6200b331960b3251cca5331f15429bd9c0cc7cbf0737304a835fa8a081756e042c527ac09
-
Filesize
108KB
MD59f7dc6e420eee77ef76fc7dfbbcf0848
SHA1c8f81628bd3a4bba6aa264896655b21ab49120ee
SHA25603b0f5d8002e1603a1516f384eda4029b21e9e709cb16031d4cf9056cb53cb99
SHA51290f663f4ea274dba17d4e7df00d0ef09f7e7ca6ffbd373e8a5bea853ab01d97ee163007558e1361c89945907d307ccba0f0c7350eb257a6a40af5c46ca17f8be
-
Filesize
173KB
MD55c0a5d115cd1452f36ebd92828df284f
SHA11512e322e943657beb34474cb57b9b0f13208f5e
SHA25677352620ce89fff04212ed65c0e680cffc36e1801e430936aa6afd063951b37a
SHA512424b469fa9f3cf050ce2c77b0fd0902894b7c206047415c96878b8e3b7356ab7d14eef30147a4421819396fc985885acd4741681ef798dd62f74b566083b51f8