Analysis
- max time kernel: 148s
- max time network: 161s
- platform: android-9_x86
- resource: android-x86-arm-20240910-en
- resource tags: arch:arm, arch:x86, image:android-x86-arm-20240910-en, locale:en-us, os:android-9-x86, system
- submitted: 09-12-2024 22:09
Static task: static1
Behavioral task: behavioral1
- Sample: 79219ec025b01ba08b08e9734db24e51b549d2a75d2a63ae48c4711ca7ca80d4.apk
- Resource: android-x86-arm-20240910-en
Behavioral task: behavioral2
- Sample: 79219ec025b01ba08b08e9734db24e51b549d2a75d2a63ae48c4711ca7ca80d4.apk
- Resource: android-x64-20240910-en
Behavioral task: behavioral3
- Sample: 79219ec025b01ba08b08e9734db24e51b549d2a75d2a63ae48c4711ca7ca80d4.apk
- Resource: android-x64-arm64-20240624-en
General
- Target: 79219ec025b01ba08b08e9734db24e51b549d2a75d2a63ae48c4711ca7ca80d4.apk
- Size: 4.6MB
- MD5: 0311383ed8ab2648e46d550dd98c77cd
- SHA1: 84bc0f8a3c8f5d3344915d4c5f2d62244679a123
- SHA256: 79219ec025b01ba08b08e9734db24e51b549d2a75d2a63ae48c4711ca7ca80d4
- SHA512: c89f9d63a29cd5488b46c470b087d5987ea6dcbdd80c44704953badfe56fc1d737016e1bc6ec76f40b47b3d65e4fe8fe27710183f5014ca7d86cd0619a029a7e
- SSDEEP: 98304:3fwJqEScs8FzBB7URVBkOMPBQo2/PqnkQbyZTSbJqIgd9A:yqN4JIRV2OGF2/okQbyZT+qIgA
Malware Config
Extracted
- Family: hook
- C2: http://154.216.19.93
Signatures
- Hook
  Hook is an Android malware that is based on Ermac with RAT capabilities.
- Hook family
- Loads dropped Dex/Jar (1 TTP, 3 IoCs)
  Runs an executable file dropped to the device during analysis.
  ioc | pid | Process
  /data/user/0/com.gselqrjdt.fbjofrdes/app_dex/classes.dex | 4210 | com.gselqrjdt.fbjofrdes
  /data/user/0/com.gselqrjdt.fbjofrdes/app_dex/classes.dex | 4236 | /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.gselqrjdt.fbjofrdes/app_dex/classes.dex --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.gselqrjdt.fbjofrdes/app_dex/oat/x86/classes.odex --compiler-filter=quicken --class-loader-context=&
  /data/user/0/com.gselqrjdt.fbjofrdes/app_dex/classes.dex | 4210 | com.gselqrjdt.fbjofrdes
- Makes use of the framework's Accessibility service (4 TTPs, 3 IoCs)
  Retrieves information displayed on the phone screen using AccessibilityService.
  description | ioc | Process
  Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | com.gselqrjdt.fbjofrdes
  Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | com.gselqrjdt.fbjofrdes
  Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | com.gselqrjdt.fbjofrdes
- Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 TTP)
- Queries information about running processes on the device (1 TTP, 1 IoC)
  Application may abuse the framework's APIs to collect information about running processes on the device.
  description | ioc | Process
  Framework service call | android.app.IActivityManager.getRunningAppProcesses | com.gselqrjdt.fbjofrdes
- Queries the phone number (MSISDN for GSM devices) (1 TTP)
- Acquires the wake lock (1 IoC)
  description | ioc | Process
  Framework service call | android.os.IPowerManager.acquireWakeLock | com.gselqrjdt.fbjofrdes
- Makes use of the framework's foreground persistence service (1 TTP, 1 IoC)
  Application may abuse the framework's foreground service to continue running in the foreground.
  description | ioc | Process
  Framework service call | android.app.IActivityManager.setServiceForeground | com.gselqrjdt.fbjofrdes
- Performs UI accessibility actions on behalf of the user (1 TTP, 8 IoCs)
  Application may abuse the accessibility service to prevent its removal.
  ioc | Process
  android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | com.gselqrjdt.fbjofrdes (8 occurrences)
- Queries information about the current Wi-Fi connection (1 TTP, 1 IoC)
  Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
  description | ioc | Process
  Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | com.gselqrjdt.fbjofrdes
- Queries the mobile country code (MCC) (1 TTP, 1 IoC)
  description | ioc | Process
  Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | com.gselqrjdt.fbjofrdes
- Reads information about phone network operator (1 TTP)
- Requests accessing notifications (often used to intercept notifications before users become aware) (1 TTP, 1 IoC)
  description | ioc | Process
  Intent action | android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS | com.gselqrjdt.fbjofrdes
- Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTP, 1 IoC)
  description | ioc | Process
  Framework service call | android.app.IActivityManager.registerReceiver | com.gselqrjdt.fbjofrdes
- Schedules tasks to execute at a specified time (1 TTP, 1 IoC)
  Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
  description | ioc | Process
  Framework service call | android.app.job.IJobScheduler.schedule | com.gselqrjdt.fbjofrdes
- Uses Crypto APIs (might try to encrypt user data) (1 TTP, 1 IoC)
  description | ioc | Process
  Framework API call | javax.crypto.Cipher.doFinal | com.gselqrjdt.fbjofrdes
- Checks CPU information (2 TTPs, 1 IoC)
  description | ioc | Process
  File opened for read | /proc/cpuinfo | com.gselqrjdt.fbjofrdes
- Checks memory information (2 TTPs, 1 IoC)
  description | ioc | Process
  File opened for read | /proc/meminfo | com.gselqrjdt.fbjofrdes
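The signature rows above, together with the extracted C2 in the Malware Config section, reduce to a handful of checks a triage pipeline can re-derive from raw sandbox events. The Python below is an added example and is not part of this report, of the sandbox's own signature engine, or of the Hook family's code. The 'kind|value|process' line layout of the event stream is an assumption; the event values are taken from the IoC rows above, except the single network event, which is constructed because the report's Network section records nothing. The check worth understanding is the one behind "Loads dropped Dex/Jar": dex2oat being asked to compile a DEX that sits in the package's private data directory (/data/user/0/<pkg>/app_dex/) rather than the installed APK under /data/app/, which is what runtime code loading looks like at the process level.

```python
"""Re-derive this report's high-signal verdicts from sandbox event lines.

Added example: not part of the sandbox report or of the Hook family.
Event lines use a constructed 'kind|value|process' layout (an assumption);
the values are taken from the IoC rows of the report.
"""
import re
from urllib.parse import urlparse

PKG = "com.gselqrjdt.fbjofrdes"          # package name from the report
C2_URL = "http://154.216.19.93"          # C2 from the extracted config

ACC_IFACE = "android.accessibilityservice.IAccessibilityServiceConnection."
SCREEN_SCRAPE = {"findAccessibilityNodeInfoByAccessibilityId",
                 "findAccessibilityNodeInfosByText",
                 "findAccessibilityNodeInfosByViewId"}
UI_INJECT = {"performGlobalAction"}
SANDBOX_PROBES = {"/proc/cpuinfo", "/proc/meminfo"}
DEX_FILE_RE = re.compile(r"--dex-file=(\S+)")


def private_dirs(pkg):
    """App-private data roots. A DEX under these was written by the app at
    runtime; the installed APK itself lives under /data/app/."""
    return ("/data/user/0/%s/" % pkg, "/data/data/%s/" % pkg)


def dropped_dex_from_dex2oat(cmdline, pkg):
    """Return the --dex-file path when dex2oat compiles a DEX from the
    package's private data dir, else None."""
    if not cmdline.startswith("/system/bin/dex2oat"):
        return None
    m = DEX_FILE_RE.search(cmdline)
    if m and m.group(1).startswith(private_dirs(pkg)):
        return m.group(1)
    return None


def triage(events, pkg, c2_url):
    """Fold 'kind|value|process' lines into the verdicts the report lists."""
    out = {"dropped_dex": [], "screen_scrape": 0, "ui_inject": 0,
           "foreground_service": False, "notification_listener": False,
           "sandbox_probes": set(), "c2_contact": False}
    c2_host = urlparse(c2_url).hostname
    for line in events:
        kind, value, proc = line.split("|", 2)
        if kind == "exec":
            # dex2oat is a separate process; attribute by its --dex-file path.
            dex = dropped_dex_from_dex2oat(value, pkg)
            if dex:
                out["dropped_dex"].append(dex)
            continue
        if proc != pkg:
            continue
        if kind == "svc" and value.startswith(ACC_IFACE):
            method = value[len(ACC_IFACE):]
            if method in SCREEN_SCRAPE:
                out["screen_scrape"] += 1
            elif method in UI_INJECT:
                out["ui_inject"] += 1
        elif kind == "svc" and value.endswith("IActivityManager.setServiceForeground"):
            out["foreground_service"] = True
        elif kind == "intent" and value.endswith("ACTION_NOTIFICATION_LISTENER_SETTINGS"):
            out["notification_listener"] = True
        elif kind == "file_read" and value in SANDBOX_PROBES:
            out["sandbox_probes"].add(value)
        elif kind == "net" and urlparse(value).hostname == c2_host:
            out["c2_contact"] = True
    return out


def hook_like(findings):
    """The pattern behind the 'Hook' verdict above: code loaded at runtime
    plus an accessibility service that both reads the screen and injects UI
    actions. The other rows (wake lock, MCC, Wi-Fi) are supporting context."""
    return (bool(findings["dropped_dex"])
            and findings["screen_scrape"] > 0
            and findings["ui_inject"] > 0)


# Constructed event stream mirroring the IoC rows of the report.
DEX2OAT = ("/system/bin/dex2oat --instruction-set=x86 "
           "--dex-file=/data/user/0/com.gselqrjdt.fbjofrdes/app_dex/classes.dex "
           "--oat-location=/data/user/0/com.gselqrjdt.fbjofrdes/app_dex/oat/x86/classes.odex "
           "--compiler-filter=quicken")
EVENTS = [
    "file_read|/proc/cpuinfo|" + PKG,
    "file_read|/proc/meminfo|" + PKG,
    "exec|" + DEX2OAT + "|" + PKG,
    "svc|" + ACC_IFACE + "findAccessibilityNodeInfosByText|" + PKG,
    "svc|" + ACC_IFACE + "findAccessibilityNodeInfosByViewId|" + PKG,
    "svc|android.app.IActivityManager.setServiceForeground|" + PKG,
    "intent|android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS|" + PKG,
    # Constructed: the report's Network section records no traffic.
    "net|" + C2_URL + "/|" + PKG,
] + ["svc|" + ACC_IFACE + "performGlobalAction|" + PKG] * 8

if __name__ == "__main__":
    f = triage(EVENTS, PKG, C2_URL)
    for k, v in f.items():
        print("%-22s %s" % (k, v))
    print("hook-like:", hook_like(f))
```

The dex2oat check is deliberately path-based rather than flag-based: every app gets compiled by dex2oat at install time, so the command alone is noise, and only a --dex-file outside /data/app/ separates runtime loading from normal installation.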
Processes
- com.gselqrjdt.fbjofrdes (PID 4210)
  - Loads dropped Dex/Jar
  - Makes use of the framework's Accessibility service
  - Queries information about running processes on the device
  - Acquires the wake lock
  - Makes use of the framework's foreground persistence service
  - Performs UI accessibility actions on behalf of the user
  - Queries information about the current Wi-Fi connection
  - Queries the mobile country code (MCC)
  - Requests accessing notifications (often used to intercept notifications before users become aware)
  - Registers a broadcast receiver at runtime (usually for listening for system events)
  - Schedules tasks to execute at a specified time
  - Uses Crypto APIs (might try to encrypt user data)
  - Checks CPU information
  - Checks memory information
  - Child process: /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.gselqrjdt.fbjofrdes/app_dex/classes.dex --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.gselqrjdt.fbjofrdes/app_dex/oat/x86/classes.odex --compiler-filter=quicken --class-loader-context=& (PID 4236)
    - Loads dropped Dex/Jar
Network
MITRE ATT&CK Mobile v15
Persistence
- Event Triggered Execution (1): Broadcast Receivers (1)
- Foreground Persistence (1)
- Scheduled Task/Job (1)
Defense Evasion
- Download New Code at Runtime (1)
- Foreground Persistence (1)
- Impair Defenses (1): Prevent Application Removal (1)
- Input Injection (1)
- Virtualization/Sandbox Evasion (2): System Checks (2)
Credential Access
- Access Notifications (1)
- Input Capture (2): GUI Input Capture (1), Keylogging (1)
Discovery
- Process Discovery (1)
- Software Discovery (1): Security Software Discovery (1)
- System Information Discovery (2)
- System Network Configuration Discovery (3)
- System Network Connections Discovery (1)
Downloads
- Filesize: 2.9MB
  MD5: 4e5666891f5538cdf3555e01177a91c7
  SHA1: cc9b9a2ecef1f56bf04a326ecacbdec6b3330c44
  SHA256: ee02e8d7fdf75fcc8a8bfffee8616a3bcb6f461efbf1c89b0e1f859ce268f950
  SHA512: 3111496c0fe413e535bff9ce301fb7a30d5b7bc5c5a7eb7fc97ece4567b6e92bbd28b91259a03663af6657515ee254effd20b061f45b9937846dbb9ec8cb18e9
- Filesize: 1.0MB
  MD5: 9dca2adea53f7795350be0a75115e152
  SHA1: 8d0965a89da3b4a2ede2e6a62cb7236f718becb2
  SHA256: a470d5b36d90e694093739a3103a7ee1531ed7b770dba724f6822e00deda7108
  SHA512: c241a932a2ebce50d0ce14a21c8f94e03d9a7b36a1e22ba30daae80c42e5c7bf46685db3e1d12aa960851b744814da3a7ae965e31f9f6d99f11a853eb3ce8e81
- Filesize: 1.0MB
  MD5: c681c85cefc7f8ca81598dff7313a001
  SHA1: e4c23dfe4364544297d23eb9a2efc790146dfa27
  SHA256: 7c9e11c5d136fb5f8c4beda3a7702c4c01336cfdec66c93e7d02d4701c4ced6a
  SHA512: 0a6fb1b7207722992516b5a0c410e232f4d096e5103739f08cc3569403820604a5f85b7bf6f2a67966d2b28662fa698326010d27f889d5a65e6b0ecb0c30fd59
- Filesize: 4KB
  MD5: f2b4b0190b9f384ca885f0c8c9b14700
  SHA1: 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
  SHA256: 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
  SHA512: ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1
- Filesize: 512B
  MD5: 5bd81ab00966945c51efec6103205383
  SHA1: 3c680ad0fab235089f3a87d74c00e47eab691927
  SHA256: c2feffa48452f336acdd3e8330a75bd726d0283e8189f8f0b3b421709ec5af9b
  SHA512: 8a22eb719a0fe63d83c165194e42cf2a65d1f0ca522dc1eeeac4d50a58f3e07acca74ed26f1113e1cae66cb2f265aca91a8e071c4e3f001e8c7c8ee74069b461
- Filesize: 32KB
  MD5: bb7df04e1b0a2570657527a7e108ae23
  SHA1: 5188431849b4613152fd7bdba6a3ff0a4fd6424b
  SHA256: c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
  SHA512: 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012
- Filesize: 108KB
  MD5: aa52761c03651606596dbddcd59ae993
  SHA1: dbece8c5d9b390a5cd9c2a2e91bfcad915dec3f2
  SHA256: c577bd79be152a94b30c0e259f73643ed0349ef1cf5dc50ee8f55ebaefeb7e7d
  SHA512: 01bb3b87db9dfe2e4b8eb75b2d2f05f7edeaaaee2f79bb138e802a25de41a954f9d2b9cfd948fa35cafbbaa2f9e4dfe5bc3a441838d1cd5670e548f7af675d54
- Filesize: 173KB
  MD5: 02fd1a484cfd1b0b001b1c99365a642f
  SHA1: 8d5711763f9368587b864bc81fce79e8e33d128b
  SHA256: 5c4d64dfc10cd6ea787aa4be2967816d92429cebb83ac7d56a3671d1eff26f67
  SHA512: 462cabc61f7be631994da3c440502bd89ae3b046a9e8a656c3cfa3b61ecfb3b6f9e769a4edaf7886eccd212d961f431c9f12dafa7acb415b2aa3789fd09ad3ef
- Filesize: 16KB
  MD5: b9f321f3c6fb30aeb0dec10ab73b1455
  SHA1: e6ee316314ed5fe9fb1bacdc934babfad82dd606
  SHA256: 30f7c0259af14e999a5aa25115cf8acad9b4bcd436f9a804e9eb8d86d2dd347b
  SHA512: 2ebca71724ec185dca1f629dd11092150e356e634cd73f1b83846f8e3d4dc883f643e307e05f5d7a05df4e7e395cb64abfefcff183941abc03b415e9bc156af8
- Filesize: 2.9MB
  MD5: 36146acda96b44606a11eeafd76baf43
  SHA1: e7473c99e753f621d4a7ff68637de3476d501b9f
  SHA256: 99bb7b1e4b5fbfa3bfebc88f8aca5b523e1330222271edd7ed61b15b0e0b1e8c
  SHA512: 356dc8e545eddf9b82854cbed92c78b09e4737eec53a0d5761d8f47baec16230112a91cd292d3c9812b03fb1a1b8747f970cc4bfaa91074fc76b5abc81ec1f51