Analysis
-
max time kernel
149s -
max time network
156s -
platform
android-11_x64 -
resource
android-x64-arm64-20240910-en -
resource tags
arch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240910-enlocale:en-usos:android-11-x64system -
submitted
04-12-2024 22:02
Behavioral task
behavioral1
Sample
1be8d3725146675fc339b3824119274ab4ebfad67b8bd44c1fad02998ecd1bef.apk
Resource
android-x86-arm-20240910-en
Behavioral task
behavioral2
Sample
1be8d3725146675fc339b3824119274ab4ebfad67b8bd44c1fad02998ecd1bef.apk
Resource
android-x64-20240910-en
Behavioral task
behavioral3
Sample
1be8d3725146675fc339b3824119274ab4ebfad67b8bd44c1fad02998ecd1bef.apk
Resource
android-x64-arm64-20240910-en
General
-
Target
1be8d3725146675fc339b3824119274ab4ebfad67b8bd44c1fad02998ecd1bef.apk
-
Size
1.2MB
-
MD5
cffd249c168bbcb4061cd9667c7bfc20
-
SHA1
9e35d98adec9739c67d41ffbd1d013ae718aa66e
-
SHA256
1be8d3725146675fc339b3824119274ab4ebfad67b8bd44c1fad02998ecd1bef
-
SHA512
1f56ba08890cdd964d4f31eb7a93d81a2e557c10ad2c1816b5ec1bea2606a1f1a2f52c7aa7b2664e77d44296413ce6a7ff6360fc928faf97d3eeabe3d6ef9078
-
SSDEEP
24576:6PskVBKfcx9dl4VmblGEOyxTcjd9LAWhUj07g8Sf:6EkZl4VQNYjcg7g8g
Malware Config
Extracted
hook
http://147.45.47.204:80
Signatures
-
Hook
Hook is an Android malware that is based on Ermac with RAT capabilities.
-
Hook family
-
pid Process 4802 com.SJZaKuuKdTuM.YJDgMCQLOYpl -
Makes use of the framework's Accessibility service 4 TTPs 3 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
description ioc Process Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId com.SJZaKuuKdTuM.YJDgMCQLOYpl Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText com.SJZaKuuKdTuM.YJDgMCQLOYpl Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId com.SJZaKuuKdTuM.YJDgMCQLOYpl -
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries information about running processes on the device 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about running processes on the device.
description ioc Process Framework service call android.app.IActivityManager.getRunningAppProcesses com.SJZaKuuKdTuM.YJDgMCQLOYpl -
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Acquires the wake lock 1 IoCs
description ioc Process Framework service call android.os.IPowerManager.acquireWakeLock com.SJZaKuuKdTuM.YJDgMCQLOYpl -
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
description ioc Process Framework service call android.app.IActivityManager.setServiceForeground com.SJZaKuuKdTuM.YJDgMCQLOYpl -
Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs
Application may abuse the accessibility service to prevent their removal.
ioc Process android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.SJZaKuuKdTuM.YJDgMCQLOYpl android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.SJZaKuuKdTuM.YJDgMCQLOYpl android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.SJZaKuuKdTuM.YJDgMCQLOYpl android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.SJZaKuuKdTuM.YJDgMCQLOYpl -
Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
description ioc Process Framework service call android.net.wifi.IWifiManager.getConnectionInfo com.SJZaKuuKdTuM.YJDgMCQLOYpl -
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
description ioc Process Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone com.SJZaKuuKdTuM.YJDgMCQLOYpl -
Reads information about phone network operator. 1 TTPs
-
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
description ioc Process Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS com.SJZaKuuKdTuM.YJDgMCQLOYpl -
Requests enabling of the accessibility settings. 1 IoCs
description ioc Process Intent action android.settings.ACCESSIBILITY_SETTINGS com.SJZaKuuKdTuM.YJDgMCQLOYpl -
Schedules tasks to execute at a specified time 1 TTPs 1 IoCs
Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
description ioc Process Framework service call android.app.job.IJobScheduler.schedule com.SJZaKuuKdTuM.YJDgMCQLOYpl -
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
description ioc Process Framework API call javax.crypto.Cipher.doFinal com.SJZaKuuKdTuM.YJDgMCQLOYpl
Processes
-
com.SJZaKuuKdTuM.YJDgMCQLOYpl1⤵
- Removes its main activity from the application launcher
- Makes use of the framework's Accessibility service
- Queries information about running processes on the device
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries information about the current Wi-Fi connection
- Queries the mobile country code (MCC)
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Requests enabling of the accessibility settings.
- Schedules tasks to execute at a specified time
- Uses Crypto APIs (Might try to encrypt user data)
PID:4802
Network
MITRE ATT&CK Mobile v15
Defense Evasion
Foreground Persistence
1Hide Artifacts
2Suppress Application Icon
1User Evasion
1Impair Defenses
1Prevent Application Removal
1Input Injection
1Discovery
Process Discovery
1Software Discovery
1Security Software Discovery
1System Network Configuration Discovery
3System Network Connections Discovery
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4KB
MD57e858c4054eb00fcddc653a04e5cd1c6
SHA12e056bf31a8d78df136f02a62afeeca77f4faccf
SHA2569010186c5c083155a45673017d1e31c2a178e63cc15a57bbffde4d1956a23dad
SHA512d0c7a120940c8e637d5566ef179d01eff88a2c2650afda69ad2a46aad76533eaace192028bba3d60407b4e34a950e7560f95d9f9b8eebe361ef62897d88b30cb
-
Filesize
512B
MD54a29cff05679a1dd8b5b64e5757ed877
SHA1973e395b0515ac0e63cb1e6265e50742d4f6a561
SHA256ffaa5e9349b032cc43a7f0f1cddfedd3106712b2163dcc36073ba3e514f4bbe6
SHA512bbc0acec29e68fdde9055cc156d7d91ad412fe38a7702794ef83628b3985c34117812df5b99a4600be9d26ad3e15beb6119176b556f917eeb23eaa07e7945813
-
Filesize
32KB
MD5bb7df04e1b0a2570657527a7e108ae23
SHA15188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012
-
Filesize
16KB
MD5b89f97b7d31c66565caf4086e37b7dd3
SHA1fc33c6ca4d7c53339b753b16edec2c78386cc5ae
SHA2567c953336f3138902125f07b35eab7706c66be36bb17e4226914428a34efce646
SHA512b8dff50edda5e9c6050d786f689a84d5e08ae4af4f7ba0ae0cb579b57d7cd729c77dc1430f66ac93b052aa2f4f5b26b65d6bf74d4fe5382fb3c296cc4c51af70
-
Filesize
108KB
MD52a49a778dcfaf3faa98511ebd57b8214
SHA1d59fb54f3fbbd5943e86501d825e973280d113b0
SHA2569a55fb330da95cc6060ff6f5727795d352f3dcefd941b6e2777603d17885df67
SHA512809568aa9f761338b999902dc55e3045d73ba49143c6705cda60428397fb1ad119bfed4f6ba3cc27f0c2c726db5b134f1b24da56363a0cea28425e2bee141ee9
-
Filesize
173KB
MD58a529674e53bbfce1bfdd2b360fab5b3
SHA1467c4197cb09b427506c6d3d7ed346ca88564ebe
SHA256e5cb352b71a21f9dacf530375b48e9cea4ab0dca1e77afd78c037ed5950e9202
SHA512a013eb4c0281f3211a5d45cd01fad8b55a6f219d6f469dd4e31a7ff1e3c663d39c4ee130d3b8abd786ae8a7ff4ca9377147e53b82380c2c28ff258be9c039bd6