Analysis
- max time kernel: 39s
- max time network: 159s
- platform: android_x86
- resource: android-x86-arm-20240624-en
- resource tags: android, arch:arm, arch:x86, image:android-x86-arm-20240624-en, locale:en-us, os:android-9-x86, system
- submitted: 03-12-2024 22:04
Static task: static1
Behavioral task: behavioral1
- Sample: 2aeaee9e0ea142d3b3deaa4adc3b8babe86b9d3fd602dc40dabd517c49d0c224.apk
- Resource: android-x86-arm-20240624-en
Behavioral task: behavioral2
- Sample: 2aeaee9e0ea142d3b3deaa4adc3b8babe86b9d3fd602dc40dabd517c49d0c224.apk
- Resource: android-x64-20240624-en
Behavioral task: behavioral3
- Sample: 2aeaee9e0ea142d3b3deaa4adc3b8babe86b9d3fd602dc40dabd517c49d0c224.apk
- Resource: android-x64-arm64-20240624-en
General
- Target: 2aeaee9e0ea142d3b3deaa4adc3b8babe86b9d3fd602dc40dabd517c49d0c224.apk
- Size: 4.6MB
- MD5: 2dde7c54154a53b2630dc9c45ad5b49f
- SHA1: 01e7e4d63fec624c93a77eef40cb1a2d348b4602
- SHA256: 2aeaee9e0ea142d3b3deaa4adc3b8babe86b9d3fd602dc40dabd517c49d0c224
- SHA512: a164110894421019a162d54046fa9f4b717978d2cf451ab6627dedbcf2645d2a5ebb30cf5ec11cb079048ce9f151d92b994937b7432af1466c1e3509d00b1996
- SSDEEP: 98304:QFhwzo9WfXkhSzTjJvL82L+nHG+3G2TNJ67am5od9yOy3c:eefXkUvLfL+HGXuTLIOsc
Malware Config
- Extracted family: hook
- URL: http://92.255.57.103
Signatures
- Hook
  Hook is Android malware based on Ermac, with RAT capabilities.
- Hook family
  pid 4263, process com.qlqwkgtby.fyytosfbe
- Loads dropped Dex/Jar (1 TTP, 3 IoCs)
  Runs an executable file dropped to the device during analysis.
  - ioc /data/user/0/com.qlqwkgtby.fyytosfbe/app_dex/classes.dex, pid 4263, process com.qlqwkgtby.fyytosfbe
  - ioc /data/user/0/com.qlqwkgtby.fyytosfbe/app_dex/classes.dex, pid 4294, process /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.qlqwkgtby.fyytosfbe/app_dex/classes.dex --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.qlqwkgtby.fyytosfbe/app_dex/oat/x86/classes.odex --compiler-filter=quicken --class-loader-context=&
  - ioc /data/user/0/com.qlqwkgtby.fyytosfbe/app_dex/classes.dex, pid 4263, process com.qlqwkgtby.fyytosfbe
- Makes use of the framework's Accessibility service (4 TTPs, 3 IoCs)
  Retrieves information displayed on the phone screen using AccessibilityService.
  - Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId, process com.qlqwkgtby.fyytosfbe
  - Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText, process com.qlqwkgtby.fyytosfbe
  - Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId, process com.qlqwkgtby.fyytosfbe
- Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 TTP)
- Queries information about running processes on the device (1 TTP, 1 IoC)
  Application may abuse the framework's APIs to collect information about running processes on the device.
  - Framework service call android.app.IActivityManager.getRunningAppProcesses, process com.qlqwkgtby.fyytosfbe
- Queries the phone number (MSISDN for GSM devices) (1 TTP)
- Acquires the wake lock (1 IoC)
  - Framework service call android.os.IPowerManager.acquireWakeLock, process com.qlqwkgtby.fyytosfbe
- Makes use of the framework's foreground persistence service (1 TTP, 1 IoC)
  Application may abuse the framework's foreground service to continue running in the foreground.
  - Framework service call android.app.IActivityManager.setServiceForeground, process com.qlqwkgtby.fyytosfbe
- Performs UI accessibility actions on behalf of the user (1 TTP, 8 IoCs)
  Application may abuse the accessibility service to prevent its removal.
  - 8 calls to android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction, process com.qlqwkgtby.fyytosfbe
- Queries information about the current Wi-Fi connection (1 TTP, 1 IoC)
  Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
  - Framework service call android.net.wifi.IWifiManager.getConnectionInfo, process com.qlqwkgtby.fyytosfbe
- Queries the mobile country code (MCC) (1 TTP, 1 IoC)
  - Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone, process com.qlqwkgtby.fyytosfbe
- Reads information about the phone network operator (1 TTP)
- Requests access to notifications (often used to intercept notifications before users become aware) (1 TTP, 1 IoC)
  - Intent action android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS, process com.qlqwkgtby.fyytosfbe
- Requests disabling of battery optimizations (often used to enable hiding in the background) (1 TTP, 1 IoC)
  - Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS, process com.qlqwkgtby.fyytosfbe
- Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTP, 1 IoC)
  - Framework service call android.app.IActivityManager.registerReceiver, process com.qlqwkgtby.fyytosfbe
- Schedules tasks to execute at a specified time (1 TTP, 1 IoC)
  Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
  - Framework service call android.app.job.IJobScheduler.schedule, process com.qlqwkgtby.fyytosfbe
- Uses Crypto APIs (might try to encrypt user data) (1 TTP, 1 IoC)
  - Framework API call javax.crypto.Cipher.doFinal, process com.qlqwkgtby.fyytosfbe
Processes
- com.qlqwkgtby.fyytosfbe (PID 4263)
  - Removes its main activity from the application launcher
  - Loads dropped Dex/Jar
  - Makes use of the framework's Accessibility service
  - Queries information about running processes on the device
  - Acquires the wake lock
  - Makes use of the framework's foreground persistence service
  - Performs UI accessibility actions on behalf of the user
  - Queries information about the current Wi-Fi connection
  - Queries the mobile country code (MCC)
  - Requests access to notifications (often used to intercept notifications before users become aware)
  - Requests disabling of battery optimizations (often used to enable hiding in the background)
  - Registers a broadcast receiver at runtime (usually for listening for system events)
  - Schedules tasks to execute at a specified time
  - Uses Crypto APIs (might try to encrypt user data)
  - Child process (PID 4294): /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.qlqwkgtby.fyytosfbe/app_dex/classes.dex --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.qlqwkgtby.fyytosfbe/app_dex/oat/x86/classes.odex --compiler-filter=quicken --class-loader-context=&
    - Loads dropped Dex/Jar
Network
MITRE ATT&CK Mobile v15
Persistence
- Event Triggered Execution (1)
  - Broadcast Receivers (1)
- Foreground Persistence (1)
- Scheduled Task/Job (1)
Defense Evasion
- Download New Code at Runtime (1)
- Foreground Persistence (1)
- Hide Artifacts (2)
  - Suppress Application Icon (1)
  - User Evasion (1)
- Impair Defenses (1)
  - Prevent Application Removal (1)
- Input Injection (1)
Credential Access
- Access Notifications (1)
- Input Capture (2)
  - GUI Input Capture (1)
  - Keylogging (1)
Discovery
- Process Discovery (1)
- Software Discovery (1)
  - Security Software Discovery (1)
- System Network Configuration Discovery (3)
- System Network Connections Discovery (1)