Analysis
  max time kernel: 148s
  max time network: 159s
  platform: android-10_x64
  resource: android-x64-20240910-en
  resource tags: arch:x64, arch:x86, image:android-x64-20240910-en, locale:en-us, os:android-10-x64, system
  submitted: 09-12-2024 22:09
Static task: static1

Behavioral task: behavioral1
  Sample: 79219ec025b01ba08b08e9734db24e51b549d2a75d2a63ae48c4711ca7ca80d4.apk
  Resource: android-x86-arm-20240910-en

Behavioral task: behavioral2
  Sample: 79219ec025b01ba08b08e9734db24e51b549d2a75d2a63ae48c4711ca7ca80d4.apk
  Resource: android-x64-20240910-en

Behavioral task: behavioral3
  Sample: 79219ec025b01ba08b08e9734db24e51b549d2a75d2a63ae48c4711ca7ca80d4.apk
  Resource: android-x64-arm64-20240624-en
General
  Target: 79219ec025b01ba08b08e9734db24e51b549d2a75d2a63ae48c4711ca7ca80d4.apk
  Size: 4.6MB
  MD5: 0311383ed8ab2648e46d550dd98c77cd
  SHA1: 84bc0f8a3c8f5d3344915d4c5f2d62244679a123
  SHA256: 79219ec025b01ba08b08e9734db24e51b549d2a75d2a63ae48c4711ca7ca80d4
  SHA512: c89f9d63a29cd5488b46c470b087d5987ea6dcbdd80c44704953badfe56fc1d737016e1bc6ec76f40b47b3d65e4fe8fe27710183f5014ca7d86cd0619a029a7e
  SSDEEP: 98304:3fwJqEScs8FzBB7URVBkOMPBQo2/PqnkQbyZTSbJqIgd9A:yqN4JIRV2OGF2/okQbyZT+qIgA
Malware Config
  Extracted
  Family: hook
  URL: http://154.216.19.93
Signatures

Hook
Hook is an Android malware that is based on Ermac with RAT capabilities.

Hook family

Loads dropped Dex/Jar (1 TTPs, 2 IoCs)
Runs executable file dropped to the device during analysis.
  ioc: /data/user/0/com.gselqrjdt.fbjofrdes/app_dex/classes.dex | pid: 5237 | process: com.gselqrjdt.fbjofrdes
  ioc: /data/user/0/com.gselqrjdt.fbjofrdes/app_dex/classes.dex | pid: 5237 | process: com.gselqrjdt.fbjofrdes

Makes use of the framework's Accessibility service (4 TTPs, 3 IoCs)
Retrieves information displayed on the phone screen using AccessibilityService.
  Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId (com.gselqrjdt.fbjofrdes)
  Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText (com.gselqrjdt.fbjofrdes)
  Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId (com.gselqrjdt.fbjofrdes)

Obtains sensitive information copied to the device clipboard (2 TTPs, 1 IoCs)
Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
  Framework service call: android.content.IClipboard.addPrimaryClipChangedListener (com.gselqrjdt.fbjofrdes)

Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 TTPs)

Queries information about running processes on the device (1 TTPs, 1 IoCs)
Application may abuse the framework's APIs to collect information about running processes on the device.
  Framework service call: android.app.IActivityManager.getRunningAppProcesses (com.gselqrjdt.fbjofrdes)

Queries the phone number (MSISDN for GSM devices) (1 TTPs)

Acquires the wake lock (1 IoCs)
  Framework service call: android.os.IPowerManager.acquireWakeLock (com.gselqrjdt.fbjofrdes)

Makes use of the framework's foreground persistence service (1 TTPs, 1 IoCs)
Application may abuse the framework's foreground service to continue running in the foreground.
  Framework service call: android.app.IActivityManager.setServiceForeground (com.gselqrjdt.fbjofrdes)
Performs UI accessibility actions on behalf of the user (1 TTPs, 8 IoCs)
Application may abuse the accessibility service to prevent its removal.
  Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction (com.gselqrjdt.fbjofrdes), 8 identical calls recorded

Queries information about the current Wi-Fi connection (1 TTPs, 1 IoCs)
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
  Framework service call: android.net.wifi.IWifiManager.getConnectionInfo (com.gselqrjdt.fbjofrdes)

Queries the mobile country code (MCC) (1 TTPs, 1 IoCs)
  Framework service call: com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone (com.gselqrjdt.fbjofrdes)

Reads information about the phone network operator (1 TTPs)

Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTPs, 1 IoCs)
  Framework service call: android.app.IActivityManager.registerReceiver (com.gselqrjdt.fbjofrdes)

Schedules tasks to execute at a specified time (1 TTPs, 1 IoCs)
Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
  Framework service call: android.app.job.IJobScheduler.schedule (com.gselqrjdt.fbjofrdes)

Uses Crypto APIs (might try to encrypt user data) (1 TTPs, 1 IoCs)
  Framework API call: javax.crypto.Cipher.doFinal (com.gselqrjdt.fbjofrdes)

Checks CPU information (2 TTPs, 1 IoCs)
  File opened for read: /proc/cpuinfo (com.gselqrjdt.fbjofrdes)

Checks memory information (2 TTPs, 1 IoCs)
  File opened for read: /proc/meminfo (com.gselqrjdt.fbjofrdes)
Processes

com.gselqrjdt.fbjofrdes (PID: 5237)
  - Loads dropped Dex/Jar
  - Makes use of the framework's Accessibility service
  - Obtains sensitive information copied to the device clipboard
  - Queries information about running processes on the device
  - Acquires the wake lock
  - Makes use of the framework's foreground persistence service
  - Performs UI accessibility actions on behalf of the user
  - Queries information about the current Wi-Fi connection
  - Queries the mobile country code (MCC)
  - Registers a broadcast receiver at runtime (usually for listening for system events)
  - Schedules tasks to execute at a specified time
  - Uses Crypto APIs (might try to encrypt user data)
  - Checks CPU information
  - Checks memory information
Network
MITRE ATT&CK Mobile v15

Persistence
  Event Triggered Execution: 1
  Broadcast Receivers: 1
  Foreground Persistence: 1
  Scheduled Task/Job: 1

Defense Evasion
  Download New Code at Runtime: 1
  Foreground Persistence: 1
  Impair Defenses: 1
  Prevent Application Removal: 1
  Input Injection: 1
  Virtualization/Sandbox Evasion: 2
  System Checks: 2

Credential Access
  Clipboard Data: 1
  Input Capture: 2
  GUI Input Capture: 1
  Keylogging: 1

Discovery
  Process Discovery: 1
  Software Discovery: 1
  Security Software Discovery: 1
  System Information Discovery: 2
  System Network Configuration Discovery: 3
  System Network Connections Discovery: 1
Downloads