Resubmissions
16-12-2024 22:35
241216-2h4yeaskfz 1016-12-2024 22:35
241216-2hw8kasrep 1013-12-2024 22:05
241213-1zj4ws1nfl 10Analysis
-
max time kernel
148s -
max time network
159s -
platform
android_x64 -
resource
android-x64-20240624-en -
resource tags
androidarch:x64arch:x86image:android-x64-20240624-enlocale:en-usos:android-10-x64system -
submitted
16-12-2024 22:35
Behavioral task
behavioral1
Sample
194aa64a8107412e8f6442f7addbadcb9e544d25b9915ef534cf175cb6e60b3d.apk
Resource
android-x86-arm-20240910-en
Behavioral task
behavioral2
Sample
194aa64a8107412e8f6442f7addbadcb9e544d25b9915ef534cf175cb6e60b3d.apk
Resource
android-x64-20240624-en
Behavioral task
behavioral3
Sample
194aa64a8107412e8f6442f7addbadcb9e544d25b9915ef534cf175cb6e60b3d.apk
Resource
android-x64-arm64-20240910-en
General
-
Target
194aa64a8107412e8f6442f7addbadcb9e544d25b9915ef534cf175cb6e60b3d.apk
-
Size
2.8MB
-
MD5
0f197622ba7d3ff87cb16dda5ca5b32f
-
SHA1
df629604e3e7c13dd3777b8fe1f96a5e081a9813
-
SHA256
194aa64a8107412e8f6442f7addbadcb9e544d25b9915ef534cf175cb6e60b3d
-
SHA512
8220ceae9714c07637a04409dfe3b9248292b1a10836c67c65115a6f588421ffac18c56bd7abee542f8222b86e88db3e737f9510538a1b3252a3a77846cde84e
-
SSDEEP
49152:lLFktfNk/2lW+sligkiCC/ScqLZcGJhwbPSHvklq4ggI0EbWWR4fKmSQ496Kg/Vk:9FkcJ+sliglVkLZVTkhggPWRyKbQ49Ok
Malware Config
Extracted
hook
http://39.109.117.207:3434
Signatures
-
Hook
Hook is an Android malware that is based on Ermac with RAT capabilities.
-
Hook family
-
pid Process 5066 com.jedokuwafesewa.pobibovi -
Makes use of the framework's Accessibility service 4 TTPs 3 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
description ioc Process Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText com.jedokuwafesewa.pobibovi Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId com.jedokuwafesewa.pobibovi Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId com.jedokuwafesewa.pobibovi -
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries information about running processes on the device 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about running processes on the device.
description ioc Process Framework service call android.app.IActivityManager.getRunningAppProcesses com.jedokuwafesewa.pobibovi -
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Acquires the wake lock 1 IoCs
description ioc Process Framework service call android.os.IPowerManager.acquireWakeLock com.jedokuwafesewa.pobibovi -
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
description ioc Process Framework service call android.app.IActivityManager.setServiceForeground com.jedokuwafesewa.pobibovi -
Performs UI accessibility actions on behalf of the user 1 TTPs 1 IoCs
Application may abuse the accessibility service to prevent their removal.
ioc Process android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.jedokuwafesewa.pobibovi -
Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
description ioc Process Framework service call android.net.wifi.IWifiManager.getConnectionInfo com.jedokuwafesewa.pobibovi -
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
description ioc Process Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone com.jedokuwafesewa.pobibovi -
Reads information about phone network operator. 1 TTPs
-
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
description ioc Process Framework service call android.app.IActivityManager.registerReceiver com.jedokuwafesewa.pobibovi -
Schedules tasks to execute at a specified time 1 TTPs 1 IoCs
Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
description ioc Process Framework service call android.app.job.IJobScheduler.schedule com.jedokuwafesewa.pobibovi -
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
description ioc Process Framework API call javax.crypto.Cipher.doFinal com.jedokuwafesewa.pobibovi
Processes
-
com.jedokuwafesewa.pobibovi1⤵
- Removes its main activity from the application launcher
- Makes use of the framework's Accessibility service
- Queries information about running processes on the device
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries information about the current Wi-Fi connection
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Schedules tasks to execute at a specified time
- Uses Crypto APIs (Might try to encrypt user data)
PID:5066
Network
MITRE ATT&CK Mobile v15
Persistence
Event Triggered Execution
1Broadcast Receivers
1Foreground Persistence
1Scheduled Task/Job
1Defense Evasion
Foreground Persistence
1Hide Artifacts
1Suppress Application Icon
1Impair Defenses
1Prevent Application Removal
1Input Injection
1Discovery
Process Discovery
1Software Discovery
1Security Software Discovery
1System Network Configuration Discovery
3System Network Connections Discovery
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4KB
MD5f2b4b0190b9f384ca885f0c8c9b14700
SHA1934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA2560a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1
-
Filesize
512B
MD5fc14dd1307a09fa889bedecae4b50115
SHA1943d2b87e0a2d5379efaf1704938fab28c83e565
SHA256301a4c714793b2cae0c93421a3c5f05ebb1d7f9b8c132c8cb6c5acbb9886ea96
SHA5128418b462428b551ce2c0669b5346d1adc40442ec739332a8d8dd87d4324adff298d7dfb0442fb96974914e28011c9aa315c83e81ca0867b5eab10d321e524670
-
Filesize
32KB
MD5bb7df04e1b0a2570657527a7e108ae23
SHA15188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012
-
Filesize
16KB
MD519446c8b3da5ced750994eb2abe7f0d7
SHA19e57a4402ac143683ea9ed5ba1725f08b850fb02
SHA256e0b3fb692c65b7eb8472ea90da4d7498d6c2144dcd630653646776e63bb486af
SHA5124c796242cc24294a05d334f12e0774b04c90592cbc4cd56800048e95ac15e706f802c574646a522679ed242259070f0793d2808d2800334537e8399054c0796e
-
Filesize
108KB
MD5a9d7245b17c45b8256f5c1a063f0d761
SHA1d15182ea15d1e3e8f394f917b9e46509dc169bf4
SHA256813b884caaff14a971bd56d59286acbf76329baa19c331bdaa396443054542f3
SHA512dbb45ed02071e7bdb46c453522619e57c6897ad40fef44d9f49a7b07f9659a7c0168f303fb1bb6c6d4d3ee10a2ada17fe9ab657dc332202f8444853768c99501
-
Filesize
173KB
MD54841ad7d8bb1b494fe009e8636da67d7
SHA16f4336b048a56d35faf14cc63f0f652a4e0e0ef8
SHA256e7c96cf5edb5004b516185dd1ad0e97cc2243b9fc92a82584066d86af7e802fb
SHA512effed6cd1227ae769fae42c2fae6546104ce5dfce3b148c49f0384b95c87acedb61c117f84c6c6f6cf79baa7d6b76603ab7771e4bd0939af4887c0b4f49c1855