Analysis
max time kernel: 147s
max time network: 158s
platform: android_x64
resource: android-x64-20240624-en
resource tags: android, arch:x64, arch:x86, image:android-x64-20240624-en, locale:en-us, os:android-10-x64, system
submitted: 13-12-2024 22:04
Static task: static1
Behavioral task: behavioral1
  Sample: 4370336bd73e915cfeb97e3fe83162c93d84f9afbabe7abec1e1747b407eeba5.apk
  Resource: android-x86-arm-20240624-en
Behavioral task: behavioral2
  Sample: 4370336bd73e915cfeb97e3fe83162c93d84f9afbabe7abec1e1747b407eeba5.apk
  Resource: android-x64-20240624-en
Behavioral task: behavioral3
  Sample: 4370336bd73e915cfeb97e3fe83162c93d84f9afbabe7abec1e1747b407eeba5.apk
  Resource: android-x64-arm64-20240910-en
General
Target: 4370336bd73e915cfeb97e3fe83162c93d84f9afbabe7abec1e1747b407eeba5.apk
Size: 4.6MB
MD5: 3027217d201b494a391930e86536b306
SHA1: 1d4105b6ffe5612d96694ab2841125387118d216
SHA256: 4370336bd73e915cfeb97e3fe83162c93d84f9afbabe7abec1e1747b407eeba5
SHA512: 31dc177257fafd60042c948859650cb6cee9b7ece80b43b3ec986269e988f0f9a226cdf469a5ef6487a7f0d5b9c7bbe41b2cdc1290491e351e5bac4e9183dd3e
SSDEEP: 98304:3OdnuxYQ7TPu8vvF/slzHhGJtY1pqRURIDtJN8p0P1fgxkRpD:+sTW8vOaJwpDWxGmfgxEpD
Malware Config
Extracted config (hook): http://185.147.124.250
Signatures
- Hook
  Hook is an Android malware that is based on Ermac with RAT capabilities.
- Hook family
- Loads dropped Dex/Jar (1 TTPs, 2 IoCs)
  Runs executable file dropped to the device during analysis.
  ioc | pid | Process
  /data/user/0/com.uqdgtyueu.qhpqybnfs/app_dex/classes.dex | 4949 | com.uqdgtyueu.qhpqybnfs
  /data/user/0/com.uqdgtyueu.qhpqybnfs/app_dex/classes.dex | 4949 | com.uqdgtyueu.qhpqybnfs
- Makes use of the framework's Accessibility service (4 TTPs, 3 IoCs)
  Retrieves information displayed on the phone screen using AccessibilityService.
  description | ioc | Process
  Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | com.uqdgtyueu.qhpqybnfs
  Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | com.uqdgtyueu.qhpqybnfs
  Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | com.uqdgtyueu.qhpqybnfs
- Obtains sensitive information copied to the device clipboard (2 TTPs, 1 IoCs)
  Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
  description | ioc | Process
  Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | com.uqdgtyueu.qhpqybnfs
- Queries information about running processes on the device (1 TTPs, 1 IoCs)
  Application may abuse the framework's APIs to collect information about running processes on the device.
  description | ioc | Process
  Framework service call | android.app.IActivityManager.getRunningAppProcesses | com.uqdgtyueu.qhpqybnfs
- Queries the phone number (MSISDN for GSM devices) (1 TTPs)
- Acquires the wake lock (1 IoCs)
  description | ioc | Process
  Framework service call | android.os.IPowerManager.acquireWakeLock | com.uqdgtyueu.qhpqybnfs
- Makes use of the framework's foreground persistence service (1 TTPs, 1 IoCs)
  Application may abuse the framework's foreground service to continue running in the foreground.
  description | ioc | Process
  Framework service call | android.app.IActivityManager.setServiceForeground | com.uqdgtyueu.qhpqybnfs
- Performs UI accessibility actions on behalf of the user (1 TTPs, 5 IoCs)
  Application may abuse the accessibility service to prevent its removal.
  ioc | Process
  android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | com.uqdgtyueu.qhpqybnfs
  android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | com.uqdgtyueu.qhpqybnfs
  android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | com.uqdgtyueu.qhpqybnfs
  android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | com.uqdgtyueu.qhpqybnfs
  android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | com.uqdgtyueu.qhpqybnfs
- Queries information about the current Wi-Fi connection (1 TTPs, 1 IoCs)
  Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
  description | ioc | Process
  Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | com.uqdgtyueu.qhpqybnfs
- Queries the mobile country code (MCC) (1 TTPs, 1 IoCs)
  description | ioc | Process
  Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | com.uqdgtyueu.qhpqybnfs
- Reads information about phone network operator (1 TTPs)
- Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTPs, 1 IoCs)
  description | ioc | Process
  Framework service call | android.app.IActivityManager.registerReceiver | com.uqdgtyueu.qhpqybnfs
- Schedules tasks to execute at a specified time (1 TTPs, 1 IoCs)
  Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
  description | ioc | Process
  Framework service call | android.app.job.IJobScheduler.schedule | com.uqdgtyueu.qhpqybnfs
- Uses Crypto APIs (Might try to encrypt user data) (1 TTPs, 1 IoCs)
  description | ioc | Process
  Framework API call | javax.crypto.Cipher.doFinal | com.uqdgtyueu.qhpqybnfs
- Checks CPU information (2 TTPs, 1 IoCs)
  description | ioc | Process
  File opened for read | /proc/cpuinfo | com.uqdgtyueu.qhpqybnfs
- Checks memory information (2 TTPs, 1 IoCs)
  description | ioc | Process
  File opened for read | /proc/meminfo | com.uqdgtyueu.qhpqybnfs
Processes
- com.uqdgtyueu.qhpqybnfs (PID: 4949)
  - Loads dropped Dex/Jar
  - Makes use of the framework's Accessibility service
  - Obtains sensitive information copied to the device clipboard
  - Queries information about running processes on the device
  - Acquires the wake lock
  - Makes use of the framework's foreground persistence service
  - Performs UI accessibility actions on behalf of the user
  - Queries information about the current Wi-Fi connection
  - Queries the mobile country code (MCC)
  - Registers a broadcast receiver at runtime (usually for listening for system events)
  - Schedules tasks to execute at a specified time
  - Uses Crypto APIs (Might try to encrypt user data)
  - Checks CPU information
  - Checks memory information
Network
MITRE ATT&CK Mobile v15
Persistence
- Event Triggered Execution (1)
- Broadcast Receivers (1)
- Foreground Persistence (1)
- Scheduled Task/Job (1)
Defense Evasion
- Download New Code at Runtime (1)
- Foreground Persistence (1)
- Impair Defenses (1)
- Prevent Application Removal (1)
- Input Injection (1)
- Virtualization/Sandbox Evasion (2)
- System Checks (2)
Credential Access
- Clipboard Data (1)
- Input Capture (2)
- GUI Input Capture (1)
- Keylogging (1)
Discovery
- Process Discovery (1)
- System Information Discovery (2)
- System Network Configuration Discovery (3)
- System Network Connections Discovery (1)
Downloads