Analysis
-
max time kernel
147s -
max time network
156s -
platform
android_x86 -
resource
android-x86-arm-20240624-en -
resource tags
-
submitted
17-12-2024 22:06
General
-
Target
7c4c942aa07f3896745dd542d7816dddb964ceca373b3f4df034cc53157abe3f.apk
-
Size
2.5MB
-
MD5
5517e206bcbf255348cc51cece644049
-
SHA1
e97382690e2f39234f6d6f00a7f253dc31bd7aa0
-
SHA256
7c4c942aa07f3896745dd542d7816dddb964ceca373b3f4df034cc53157abe3f
-
SHA512
ee8e8945788853965a043b255a5328dba8fc19e35c9670698a8f400cde1f745ca6cb7aa90173a16da8d786b50aee0ee9e8a61e17e810d959ce56ef2ffb832398
-
SSDEEP
49152:d+JpuDmrgsBfrXfLBC3iCysiPkU3hAHwvx70nFSyXHMdeWvD9E963Cc:d2EoTSLiPkyhAHw70dHMddvB9yc
Malware Config
Extracted
hook
http://154.216.20.102
Signatures
-
Hook
Hook is an Android malware that is based on Ermac with RAT capabilities.
-
Hook family
-
Loads dropped Dex/Jar 1 TTPs 3 IoCs
Runs executable file dropped to the device during analysis.
-
Makes use of the framework's Accessibility service 4 TTPs 3 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
-
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries information about running processes on the device 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about running processes on the device.
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Acquires the wake lock 1 IoCs
-
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
-
Performs UI accessibility actions on behalf of the user 1 TTPs 8 IoCs
Application may abuse the accessibility service to prevent their removal.
-
Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
-
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
-
Reads information about phone network operator. 1 TTPs
-
Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
-
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
-
Schedules tasks to execute at a specified time 1 TTPs 1 IoCs
Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
-
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
-
Checks CPU information 2 TTPs 1 IoCs
-
Checks memory information 2 TTPs 1 IoCs
Processes
-
com.zglqnizqi.qlygymgcx1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Queries information about running processes on the device
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries information about the current Wi-Fi connection
- Queries the mobile country code (MCC)
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Schedules tasks to execute at a specified time
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
-
/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.zglqnizqi.qlygymgcx/app_dex/classes.dex --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.zglqnizqi.qlygymgcx/app_dex/oat/x86/classes.odex --compiler-filter=quicken --class-loader-context=&2⤵
- Loads dropped Dex/Jar
-
Network
MITRE ATT&CK Mobile v15
Persistence
Event Triggered Execution
1Broadcast Receivers
1Foreground Persistence
1Scheduled Task/Job
1Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Impair Defenses
1Prevent Application Removal
1Input Injection
1Virtualization/Sandbox Evasion
2System Checks
2Credential Access
Access Notifications
1Input Capture
2GUI Input Capture
1Keylogging
1Discovery
Process Discovery
1Software Discovery
1Security Software Discovery
1System Information Discovery
2System Network Configuration Discovery
3System Network Connections Discovery
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.9MB
MD551823137275d6086fcc555a6a212797a
SHA1eb9fd48a75a66f0e65b41a88015e00fcd774a03f
SHA256de6bad00bf58f600b8927fe9633a42e312ad735aa3593afb191a07be0a388fec
SHA512959596191184ff56eefbafc5688dc36fe971793d60158ed7d9f4da94e800a27471b09660bcd04e5175cb35e5a689aade47dc619c55041a33e3d0a30b9d170a64
-
Filesize
1.0MB
MD5f3f1e127a7cc0a0ea29cb4e80533abe0
SHA13de58cfbff05455fdd4b6c8430d260fb55486641
SHA256bb68d169253ba1774539a1419fb591ec0d58625b44d61cbb66db2d93262efea2
SHA5123a0a36eb663a34e4b89e0dad62e54ea6291f49de3695e9d6ce1394f653655150ea769f39c71e2690678565547e565402de6d1a256ad98a13e3e330b58c35e00f
-
Filesize
1.0MB
MD52cddef70031c013b8a454fb26017a216
SHA168a4df5dcdf99796b01d1a520abbe4dc7e65d80b
SHA2567a42b16b2ad1920bf37eff6b4c108841ac532b24fb4ab939a66d7399f8718fdf
SHA51299d0bd24094ece0004dd5e9bcc46da106e752414bfe6ce4d0d1eed3c3e4a463dde6bf40e8ab428bb96677a9768862560c4ce231b487952ebb35d4dda2254165b
-
Filesize
4KB
MD5f2b4b0190b9f384ca885f0c8c9b14700
SHA1934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA2560a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1
-
Filesize
512B
MD57c34139b85d8f08163fd5d20fed9b991
SHA1162a5c83664834d9cb548c5668d60eab35df8c2d
SHA256bdefab62caea1e74990e818dc4f16fb858c05adee7932d0c54af2daf0cb52ebd
SHA51297b883514f85c836359fd882df903ec0fceb9b36c1827de758d9dfe9b38d24455f84196537ae2be17423a211291e1a4d5f887b478713a4ff6a680df79629421c
-
Filesize
32KB
MD5bb7df04e1b0a2570657527a7e108ae23
SHA15188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012
-
Filesize
108KB
MD5c41981db966227b4ec76b97e7ac35e2f
SHA12cead8a38f8c7174a15a4d4ab56e86032586d660
SHA256d05d37d9dad84e194cee3bbcb826379424f8dece4e93899d8286c51dee1b36c1
SHA512cad28ff323eba13095475f6b37e086aa45ebf89eb956be7c1cd038e4392d26e1c8d29329e8b4de010cbf0210cc1611a3fb5a876b98e98167808351de206f52b5
-
Filesize
173KB
MD57925da16c23c343881b3c30cfb727e53
SHA13dbe4f4463f59ece9925bc60635afe9d9fd462d6
SHA25613ca1b5b4a64e9a1cd7320b05a733b18569483af46830dbda7e316f749bf6826
SHA512c8b66b901c48ba6336653b8b062776975347f71e00aeb24f854a8c3dd42e707d43b5f18619c8c8fdc917252a5d80474de55dca7d71a45b76b964b8d9f06f873b
-
Filesize
16KB
MD53da426a6223f39ae2352acfe8b9f46e7
SHA102eaa496ba6ea18a03b30e3b5d77707aa1147aa2
SHA256c8ed3eaf4eb8ba7b01402b193df909529e24f9e0505821975f5c15a007836c8f
SHA5127a5144d38c10216504586d79959487ad30ecd9cd7d4f78decbecc400d1abe957bd405bad885343e6ae3741009a06d3992483495517deb68600bd6253084711f4
-
Filesize
2.9MB
MD5ab473b6ceb7bb4ae4eb3af43f264be66
SHA1c2ecde2159a61ea835ffeae63708031fc016cfa1
SHA256722e2a67659fc510ed638cf790e140498b34461aeab5a9fabf683626fef9b3b8
SHA512061eefe8384cbf0ac11f41da1f98f3ebcae771f6eb2cb85c52de510da3f76286a946ec0a9c0e8fb06164bb0ff89f168dd9aba42b2af870f41655dec1fe0cb35a