Analysis
- max time kernel: 128s
- max time network: 159s
- platform: android_x64
- resource: android-x64-arm64-20240624-en
- resource tags: android, arch:arm, arch:arm64, arch:x64, arch:x86, image:android-x64-arm64-20240624-en, locale:en-us, os:android-11-x64, system
- submitted: 09-12-2024 22:09
Static task: static1
Behavioral task: behavioral1
- Sample: 79219ec025b01ba08b08e9734db24e51b549d2a75d2a63ae48c4711ca7ca80d4.apk
- Resource: android-x86-arm-20240910-en
Behavioral task: behavioral2
- Sample: 79219ec025b01ba08b08e9734db24e51b549d2a75d2a63ae48c4711ca7ca80d4.apk
- Resource: android-x64-20240910-en
Behavioral task: behavioral3
- Sample: 79219ec025b01ba08b08e9734db24e51b549d2a75d2a63ae48c4711ca7ca80d4.apk
- Resource: android-x64-arm64-20240624-en
General
- Target: 79219ec025b01ba08b08e9734db24e51b549d2a75d2a63ae48c4711ca7ca80d4.apk
- Size: 4.6MB
- MD5: 0311383ed8ab2648e46d550dd98c77cd
- SHA1: 84bc0f8a3c8f5d3344915d4c5f2d62244679a123
- SHA256: 79219ec025b01ba08b08e9734db24e51b549d2a75d2a63ae48c4711ca7ca80d4
- SHA512: c89f9d63a29cd5488b46c470b087d5987ea6dcbdd80c44704953badfe56fc1d737016e1bc6ec76f40b47b3d65e4fe8fe27710183f5014ca7d86cd0619a029a7e
- SSDEEP: 98304:3fwJqEScs8FzBB7URVBkOMPBQo2/PqnkQbyZTSbJqIgd9A:yqN4JIRV2OGF2/okQbyZT+qIgA
Malware Config
Extracted
hook
http://154.216.19.93
Signatures
-
Hook
Hook is an Android malware family based on Ermac, with RAT capabilities.
-
Hook family
-
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs executable file dropped to the device during analysis.
ioc | pid | Process
/data/user/0/com.gselqrjdt.fbjofrdes/app_dex/classes.dex | 4613 | com.gselqrjdt.fbjofrdes
/data/user/0/com.gselqrjdt.fbjofrdes/app_dex/classes.dex | 4613 | com.gselqrjdt.fbjofrdes
-
Makes use of the framework's Accessibility service 4 TTPs 3 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
description | ioc | Process
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | com.gselqrjdt.fbjofrdes
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | com.gselqrjdt.fbjofrdes
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | com.gselqrjdt.fbjofrdes
-
Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs
Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
description | ioc | Process
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | com.gselqrjdt.fbjofrdes
-
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries information about running processes on the device 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about running processes on the device.
description | ioc | Process
Framework service call | android.app.IActivityManager.getRunningAppProcesses | com.gselqrjdt.fbjofrdes
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Acquires the wake lock 1 IoCs
description | ioc | Process
Framework service call | android.os.IPowerManager.acquireWakeLock | com.gselqrjdt.fbjofrdes
-
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
description | ioc | Process
Framework service call | android.app.IActivityManager.setServiceForeground | com.gselqrjdt.fbjofrdes
-
Performs UI accessibility actions on behalf of the user 1 TTPs 5 IoCs
Application may abuse the accessibility service to prevent its removal.
ioc | Process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | com.gselqrjdt.fbjofrdes
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | com.gselqrjdt.fbjofrdes
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | com.gselqrjdt.fbjofrdes
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | com.gselqrjdt.fbjofrdes
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | com.gselqrjdt.fbjofrdes
-
Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
description | ioc | Process
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | com.gselqrjdt.fbjofrdes
-
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
description | ioc | Process
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | com.gselqrjdt.fbjofrdes
-
Reads information about the phone's network operator. 1 TTPs
-
Schedules tasks to execute at a specified time 1 TTPs 1 IoCs
Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
description | ioc | Process
Framework service call | android.app.job.IJobScheduler.schedule | com.gselqrjdt.fbjofrdes
-
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
description | ioc | Process
Framework API call | javax.crypto.Cipher.doFinal | com.gselqrjdt.fbjofrdes
-
Checks CPU information 2 TTPs 1 IoCs
description | ioc | Process
File opened for read | /proc/cpuinfo | com.gselqrjdt.fbjofrdes
-
Checks memory information 2 TTPs 1 IoCs
description | ioc | Process
File opened for read | /proc/meminfo | com.gselqrjdt.fbjofrdes
Processes
-
com.gselqrjdt.fbjofrdes
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Queries information about running processes on the device
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries information about the current Wi-Fi connection
- Queries the mobile country code (MCC)
- Schedules tasks to execute at a specified time
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID: 4613
Network
MITRE ATT&CK Mobile v15
Defense Evasion
- Download New Code at Runtime (1)
- Foreground Persistence (1)
- Impair Defenses (1)
- Prevent Application Removal (1)
- Input Injection (1)
- Virtualization/Sandbox Evasion (2)
- System Checks (2)
Credential Access
- Clipboard Data (1)
- Input Capture (2)
- GUI Input Capture (1)
- Keylogging (1)
Discovery
- Process Discovery (1)
- Software Discovery (1)
- Security Software Discovery (1)
- System Information Discovery (2)
- System Network Configuration Discovery (3)
- System Network Connections Discovery (1)
Downloads