Analysis
max time kernel: 148s
max time network: 152s
platform: android-11_x64
resource: android-x64-arm64-20240910-en
resource tags: arch:arm, arch:arm64, arch:x64, arch:x86, image:android-x64-arm64-20240910-en, locale:en-us, os:android-11-x64, system
submitted: 13-12-2024 22:04

Static task: static1

Behavioral task: behavioral1
Sample: 4370336bd73e915cfeb97e3fe83162c93d84f9afbabe7abec1e1747b407eeba5.apk
Resource: android-x86-arm-20240624-en

Behavioral task: behavioral2
Sample: 4370336bd73e915cfeb97e3fe83162c93d84f9afbabe7abec1e1747b407eeba5.apk
Resource: android-x64-20240624-en

Behavioral task: behavioral3
Sample: 4370336bd73e915cfeb97e3fe83162c93d84f9afbabe7abec1e1747b407eeba5.apk
Resource: android-x64-arm64-20240910-en

General
Target: 4370336bd73e915cfeb97e3fe83162c93d84f9afbabe7abec1e1747b407eeba5.apk
Size: 4.6MB
MD5: 3027217d201b494a391930e86536b306
SHA1: 1d4105b6ffe5612d96694ab2841125387118d216
SHA256: 4370336bd73e915cfeb97e3fe83162c93d84f9afbabe7abec1e1747b407eeba5
SHA512: 31dc177257fafd60042c948859650cb6cee9b7ece80b43b3ec986269e988f0f9a226cdf469a5ef6487a7f0d5b9c7bbe41b2cdc1290491e351e5bac4e9183dd3e
SSDEEP: 98304:3OdnuxYQ7TPu8vvF/slzHhGJtY1pqRURIDtJN8p0P1fgxkRpD:+sTW8vOaJwpDWxGmfgxEpD
Malware Config
Extracted
hook
http://185.147.124.250
Signatures
Hook
Hook is an Android malware that is based on Ermac with RAT capabilities.

Hook family

Loads dropped Dex/Jar (1 TTPs, 2 IoCs)
Runs executable file dropped to the device during analysis.
  ioc: /data/user/0/com.uqdgtyueu.qhpqybnfs/app_dex/classes.dex  pid: 4771  Process: com.uqdgtyueu.qhpqybnfs
  ioc: /data/user/0/com.uqdgtyueu.qhpqybnfs/app_dex/classes.dex  pid: 4771  Process: com.uqdgtyueu.qhpqybnfs

Makes use of the framework's Accessibility service (4 TTPs, 3 IoCs)
Retrieves information displayed on the phone screen using AccessibilityService.
  description: Framework service call  ioc: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId  Process: com.uqdgtyueu.qhpqybnfs
  description: Framework service call  ioc: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText  Process: com.uqdgtyueu.qhpqybnfs
  description: Framework service call  ioc: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId  Process: com.uqdgtyueu.qhpqybnfs

Obtains sensitive information copied to the device clipboard (2 TTPs, 1 IoCs)
Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
  description: Framework service call  ioc: android.content.IClipboard.addPrimaryClipChangedListener  Process: com.uqdgtyueu.qhpqybnfs

Queries information about running processes on the device (1 TTPs, 1 IoCs)
Application may abuse the framework's APIs to collect information about running processes on the device.
  description: Framework service call  ioc: android.app.IActivityManager.getRunningAppProcesses  Process: com.uqdgtyueu.qhpqybnfs

Queries the phone number (MSISDN for GSM devices) (1 TTPs)

Acquires the wake lock (1 IoCs)
  description: Framework service call  ioc: android.os.IPowerManager.acquireWakeLock  Process: com.uqdgtyueu.qhpqybnfs

Makes use of the framework's foreground persistence service (1 TTPs, 1 IoCs)
Application may abuse the framework's foreground service to continue running in the foreground.
  description: Framework service call  ioc: android.app.IActivityManager.setServiceForeground  Process: com.uqdgtyueu.qhpqybnfs

Performs UI accessibility actions on behalf of the user (1 TTPs, 5 IoCs)
Application may abuse the accessibility service to prevent its removal.
  ioc: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction  Process: com.uqdgtyueu.qhpqybnfs
  ioc: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction  Process: com.uqdgtyueu.qhpqybnfs
  ioc: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction  Process: com.uqdgtyueu.qhpqybnfs
  ioc: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction  Process: com.uqdgtyueu.qhpqybnfs
  ioc: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction  Process: com.uqdgtyueu.qhpqybnfs

Queries information about the current Wi-Fi connection (1 TTPs, 1 IoCs)
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
  description: Framework service call  ioc: android.net.wifi.IWifiManager.getConnectionInfo  Process: com.uqdgtyueu.qhpqybnfs

Reads information about phone network operator (1 TTPs)

Schedules tasks to execute at a specified time (1 TTPs, 1 IoCs)
Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
  description: Framework service call  ioc: android.app.job.IJobScheduler.schedule  Process: com.uqdgtyueu.qhpqybnfs

Uses Crypto APIs (Might try to encrypt user data) (1 TTPs, 1 IoCs)
  description: Framework API call  ioc: javax.crypto.Cipher.doFinal  Process: com.uqdgtyueu.qhpqybnfs

Checks CPU information (2 TTPs, 1 IoCs)
  description: File opened for read  ioc: /proc/cpuinfo  Process: com.uqdgtyueu.qhpqybnfs

Checks memory information (2 TTPs, 1 IoCs)
  description: File opened for read  ioc: /proc/meminfo  Process: com.uqdgtyueu.qhpqybnfs
Processes
com.uqdgtyueu.qhpqybnfs
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Queries information about running processes on the device
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries information about the current Wi-Fi connection
- Schedules tasks to execute at a specified time
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID: 4771
Network
MITRE ATT&CK Mobile v15

Defense Evasion
- Download New Code at Runtime (1)
- Foreground Persistence (1)
- Impair Defenses (1)
- Prevent Application Removal (1)
- Input Injection (1)
- Virtualization/Sandbox Evasion (2)
- System Checks (2)

Credential Access
- Clipboard Data (1)
- Input Capture (2)
- GUI Input Capture (1)
- Keylogging (1)

Discovery
- Process Discovery (1)
- System Information Discovery (2)
- System Network Configuration Discovery (2)
- System Network Connections Discovery (1)
Downloads
Filesize: 2.9MB
MD5: 2c2970d6fbee0fabe270cc435676d6dc
SHA1: 0c8ae7b972e19c207f4c1cc93433341f46733f3d
SHA256: 19625ea42ec3edf0f18093f592cb8b9fb7f5173265eb9cc72b396837aa3cda17
SHA512: 7b67106d9adeb506b6e6910cb398b1e3184b4d7e3ccbecd704245ef0855ec76a29aa3df2a9a2850431957a512554c4d0e6e82cc42cc04872bf837b6bb1543412

Filesize: 1.0MB
MD5: b97e2891f67e261115fded30944eafe3
SHA1: 71d9faa2adefa697b357097b5bcb4555e7e11cdf
SHA256: 592f7ffc21002776c48bd690d7e2906ce16a3cfb2e77944dce59e257d138fec1
SHA512: 05c64468ce0aebd3c326aee59d2ba9f2d7f33defbbb3a1e24e16ce5201c0d82a94cbb374608f562dbd065fb598b8681e7101ac0091bde3cf64d6eec16a8673b4

Filesize: 1.0MB
MD5: 994b5f2b8033ca8cf537719cd6519e19
SHA1: 767ffc71e10123cc05a476e630f0d664f88e34f2
SHA256: 6326be0f88333dce8b2874a98d435ddbfee8c2329cf1ac9cd03f2ce06b364230
SHA512: 7a72e66d9c3b981bcf1b8a99faaa8adbe22b57602d306ee2ec9c181d97c0b005d2ab819c0cc4e52c94083a5c515cd6152e6bcf4276b30230abdd32a68eb64c77

Filesize: 4KB
MD5: 7e858c4054eb00fcddc653a04e5cd1c6
SHA1: 2e056bf31a8d78df136f02a62afeeca77f4faccf
SHA256: 9010186c5c083155a45673017d1e31c2a178e63cc15a57bbffde4d1956a23dad
SHA512: d0c7a120940c8e637d5566ef179d01eff88a2c2650afda69ad2a46aad76533eaace192028bba3d60407b4e34a950e7560f95d9f9b8eebe361ef62897d88b30cb

Filesize: 512B
MD5: 520267074deec39489f339c222895cef
SHA1: ce7b08b46d8a9047b4b2ccd5af390632aef04c07
SHA256: e8e411ba2b8450ccd1c99b638fd4a68599803c60f379c49a9a0cf318ed105e3e
SHA512: 1d8e9d3678fa092c9d744c9dc579c29f343f0a773d8c997a844de131824c9ac530be9530674a02dd5ef3c1f5d2a683b2f6832beb81e0310ce8f6831fd184086f

Filesize: 32KB
MD5: bb7df04e1b0a2570657527a7e108ae23
SHA1: 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256: c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512: 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Filesize: 16KB
MD5: 6f3f99f99446e87c6531ef1f41329e61
SHA1: 2c08de271d445c42a87fb021e6c968deb80e6a75
SHA256: c317b07ee3d0f9851df1796bf799466a15f8f61638dfe21ff4fac2bb92e2ecd3
SHA512: 015c78f402ddddce027686a51bc07d9bdde38fcbc0b7c89eb40db802f6b98587954f305b721338b404ab4060d908ed248db39b475d88d2ec3cd4eff81170c1a3

Filesize: 108KB
MD5: 7ea62c98507d1cd243bfd259fb909798
SHA1: 5fde3469b9410c13d79d321dfe0e1d82bf26b03e
SHA256: e5ff7f7ca4482b6a22c285dc6d5f4df89905b5135f51b42d1dd01fa45b76eb16
SHA512: f22e214ad363e32ac48656ad9126b79fd4c56d58ea185bce3f67b6a49dd67a824c9590b90fb234b972c886a470399dd58d49cb0f88023b1dd7ce300edf5d0961

Filesize: 173KB
MD5: 988a9b67f9d5c775fcdbe73965d9e563
SHA1: 9ab2237503a88fc89de99472220023e8978eb9e4
SHA256: cc8322e344c33cd44fd170155572ec6828eac44c4b1f31bbeb61c1add1106299
SHA512: aeca0151a7dbf95813ad3a9a9d1a8e788bac0479432aa54902f660f7cec25870e1c8ab0a6d0d61fc689384e676d6b51417e5771c54b69e3b33a4b021c040dfd8