Analysis
max time kernel
149s
max time network
151s
platform
android-9_x86
resource
android-x86-arm-20240910-en
resource tags
arch:arm, arch:x86, image:android-x86-arm-20240910-en, locale:en-us, os:android-9-x86, system
submitted
21-12-2024 22:15
Static task
static1
Behavioral task
behavioral1
Sample
a1cb4730227e27f7d6bd7b6782a31908d885df663cd13e2899b7bda43ec846ba.apk
Resource
android-x86-arm-20240910-en
Behavioral task
behavioral2
Sample
a1cb4730227e27f7d6bd7b6782a31908d885df663cd13e2899b7bda43ec846ba.apk
Resource
android-x64-20240910-en
Behavioral task
behavioral3
Sample
a1cb4730227e27f7d6bd7b6782a31908d885df663cd13e2899b7bda43ec846ba.apk
Resource
android-x64-arm64-20240624-en
General
Target
a1cb4730227e27f7d6bd7b6782a31908d885df663cd13e2899b7bda43ec846ba.apk
Size
2.5MB
MD5
5d498abb0f99b3a4d57dca6ce0d5b530
SHA1
fd51e64ca5ac2297b8848d85f7d22f48e92c469c
SHA256
a1cb4730227e27f7d6bd7b6782a31908d885df663cd13e2899b7bda43ec846ba
SHA512
99db244a2aff14b9cafb2a19f61a5550f4fb1a95f601bcb6f40dd4cda2f6ace7fd75fa7b328995a1927abf014bcbb46d955d3e1c7043726552dd0a0ff7429565
SSDEEP
49152:mbPtn/srg71IMYSXwf1OhtkBeFpj6FnB8ZZK/l0fdjtkxGk:mbPtn/JO+K1OfpknO6l0fdjtkIk
Malware Config
Extracted
hook
http://154.216.20.102
Signatures
Hook
Hook is Android malware based on Ermac, extended with RAT capabilities.
Hook family
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs executable file dropped to the device during analysis.
ioc | pid | Process
/data/user/0/com.pzvoxzxip.lxaqztnyy/app_dex/classes.dex | 4319 | com.pzvoxzxip.lxaqztnyy (2 identical entries)
Makes use of the framework's Accessibility service 4 TTPs 3 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
description | ioc | Process
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | com.pzvoxzxip.lxaqztnyy
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | com.pzvoxzxip.lxaqztnyy
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | com.pzvoxzxip.lxaqztnyy
Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) 1 TTPs
Queries information about running processes on the device 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about running processes on the device.
description | ioc | Process
Framework service call | android.app.IActivityManager.getRunningAppProcesses | com.pzvoxzxip.lxaqztnyy
Queries the phone number (MSISDN for GSM devices) 1 TTPs
Acquires the wake lock 1 IoCs
description | ioc | Process
Framework service call | android.os.IPowerManager.acquireWakeLock | com.pzvoxzxip.lxaqztnyy
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
description | ioc | Process
Framework service call | android.app.IActivityManager.setServiceForeground | com.pzvoxzxip.lxaqztnyy
Performs UI accessibility actions on behalf of the user 1 TTPs 8 IoCs
Application may abuse the accessibility service to prevent its own removal.
ioc | Process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | com.pzvoxzxip.lxaqztnyy (8 identical entries)
Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
description | ioc | Process
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | com.pzvoxzxip.lxaqztnyy
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
description | ioc | Process
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | com.pzvoxzxip.lxaqztnyy
Reads information about the phone network operator. 1 TTPs
Requests access to notifications (often used to intercept notifications before users become aware of them). 1 TTPs 1 IoCs
description | ioc | Process
Intent action | android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS | com.pzvoxzxip.lxaqztnyy
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
description | ioc | Process
Framework service call | android.app.IActivityManager.registerReceiver | com.pzvoxzxip.lxaqztnyy
Schedules tasks to execute at a specified time 1 TTPs 1 IoCs
Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
description | ioc | Process
Framework service call | android.app.job.IJobScheduler.schedule | com.pzvoxzxip.lxaqztnyy
Uses Crypto APIs (might try to encrypt user data) 1 TTPs 1 IoCs
description | ioc | Process
Framework API call | javax.crypto.Cipher.doFinal | com.pzvoxzxip.lxaqztnyy
Checks CPU information 2 TTPs 1 IoCs
description | ioc | Process
File opened for read | /proc/cpuinfo | com.pzvoxzxip.lxaqztnyy
Checks memory information 2 TTPs 1 IoCs
description | ioc | Process
File opened for read | /proc/meminfo | com.pzvoxzxip.lxaqztnyy
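Two of the signatures above (the accessibility-service calls and the ACTION_NOTIFICATION_LISTENER_SETTINGS intent) correspond to device settings that can be inspected directly when triaging a phone. The script below is an added example, not the sandbox's code and not code recovered from the sample: it parses the two colon-separated ComponentName lists that `adb shell settings get secure enabled_accessibility_services` and `adb shell settings get secure enabled_notification_listeners` print, and reports which services of the sample's package name (taken from the report) hold each privilege. The sample settings values and the service class names inside them are constructed for the demonstration; only the package name comes from the report.

```python
"""Added example: which enabled accessibility services and notification
listeners belong to a given package, read from Android secure settings.

Both settings are ComponentName lists of the form pkg/cls:pkg/cls. A class may
be written relative to its package (".Cls"), and an unset setting prints "null".
"""
from __future__ import annotations

import subprocess

# Package name of the analysed sample, taken from the report above.
SUSPECT_PACKAGE = "com.pzvoxzxip.lxaqztnyy"

# Constructed sample values (the service class names are assumptions, not names
# recovered from the APK), in the shape `settings get secure <name>` prints them.
SAMPLE_ACCESSIBILITY = (
    "com.android.talkback/.TalkBackService:"
    "com.pzvoxzxip.lxaqztnyy/com.pzvoxzxip.lxaqztnyy.AccService"
)
SAMPLE_NOTIFICATION = "com.pzvoxzxip.lxaqztnyy/.NotifService"


def parse_component_list(value: str | None) -> dict[str, list[str]]:
    """Map package name -> fully qualified service classes found in a settings value."""
    components: dict[str, list[str]] = {}
    if value is None or value.strip() in ("", "null"):
        return components
    for entry in value.strip().split(":"):
        if "/" not in entry:
            continue  # malformed fragment: skip it rather than crash the triage
        pkg, cls = entry.split("/", 1)
        if cls.startswith("."):
            cls = pkg + cls  # expand the package-relative class name
        components.setdefault(pkg, []).append(cls)
    return components


def privileged_services(accessibility_value: str | None,
                        notification_value: str | None,
                        package: str = SUSPECT_PACKAGE) -> dict[str, list[str]]:
    """Accessibility and notification-listener services currently granted to `package`."""
    return {
        "accessibility": parse_component_list(accessibility_value).get(package, []),
        "notification_listener": parse_component_list(notification_value).get(package, []),
    }


def read_setting_from_device(name: str) -> str:
    """Fetch a secure setting over adb (needs adb on PATH and an attached, authorised device)."""
    out = subprocess.run(
        ["adb", "shell", "settings", "get", "secure", name],
        capture_output=True, text=True, check=True,
    )
    return out.stdout.strip()


if __name__ == "__main__":
    # Offline demonstration on the constructed values above.
    found = privileged_services(SAMPLE_ACCESSIBILITY, SAMPLE_NOTIFICATION)
    for kind, services in found.items():
        status = "GRANTED" if services else "not granted"
        print(f"{SUSPECT_PACKAGE}: {kind} {status} {services}")
    # Against a live device the same check is:
    # privileged_services(read_setting_from_device("enabled_accessibility_services"),
    #                     read_setting_from_device("enabled_notification_listeners"))
```

An empty list for "accessibility" on a device that nevertheless shows performGlobalAction activity is worth a second look, since the report indicates the sample uses those actions to resist removal once the service has been granted.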
Processes
com.pzvoxzxip.lxaqztnyy
PID:4319
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Queries information about running processes on the device
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries information about the current Wi-Fi connection
- Queries the mobile country code (MCC)
- Requests access to notifications (often used to intercept notifications before users become aware of them)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Schedules tasks to execute at a specified time
- Uses Crypto APIs (might try to encrypt user data)
- Checks CPU information
- Checks memory information
Network
MITRE ATT&CK Mobile v15 (number of matching signatures in parentheses)
Persistence
  Event Triggered Execution (1)
    Broadcast Receivers (1)
  Foreground Persistence (1)
  Scheduled Task/Job (1)
Defense Evasion
  Download New Code at Runtime (1)
  Foreground Persistence (1)
  Impair Defenses (1)
    Prevent Application Removal (1)
  Input Injection (1)
  Virtualization/Sandbox Evasion (2)
    System Checks (2)
Credential Access
  Access Notifications (1)
  Input Capture (2)
    GUI Input Capture (1)
    Keylogging (1)
Discovery
  Process Discovery (1)
  Software Discovery (1)
    Security Software Discovery (1)
  System Information Discovery (2)
  System Network Configuration Discovery (3)
  System Network Connections Discovery (1)
Downloads
Filesize 2.9MB
MD5 c5f2d438a38147bd5039b536bb820c61
SHA1 e43c6378765fdf298ff5c01332004492f2916077
SHA256 66ab822f0ca23ddb477e6e5c8e4aeed9fc18d6ea5fd17951b55930956108267e
SHA512 e234916c9f9a4ed6f86f86c640734bc2ec1c620d67f69df624148d313254064c7da3b888a7919bc5723e2e782fe229b3e52da4113348d3cb99e0f8d76be49849

Filesize 1.0MB
MD5 913964c71b809c94b494db6b94bc56ec
SHA1 3191a872bada4c0910aa79b27337eceb2ac06127
SHA256 6f83e35e4b0b5bb8001d6d0e097b6ffae7911c36d59467206d9d589ee2a28067
SHA512 f632004c155babdc6799f5b2d9ca888819d3967df2d8e629fb2a71458c5d3150e33331d8f1566c575f0d9b4e3255fb8d212da58a0b9534edcb673c70686b8fac

Filesize 1.0MB
MD5 98271965746cab6898a39acb0dbfe86d
SHA1 4e04abe94c3969fa52b702cecda02bba9f6bcd68
SHA256 5aa8e63f609805ed76ab1778cb66a4cd4b6d7d918b9fa182b2f8651a377de41c
SHA512 de0dc4384269a25430d6d12725f9d91c8a862543695f6f820424dcdebc3f0d3c4499b0884164e3b910efc779f6abe2d4656a63ab2859d8148bb747e975aff73a

Filesize 4KB
MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

Filesize 512B
MD5 af2a705a6b3b042050ba72fc9265ce77
SHA1 28ab19735cf2d7b57fc4ca666b72bc9fd5c64b2a
SHA256 ce88274c7d19ae97928dd25efe7cbf9a76b042a02038bd2811fa4c63a1a88a4e
SHA512 df8e2583d00edbbad3728581925b4219b929b19b52cf2c82a9b8f7dd917269076a32b1ccb4218a9501e08e29a125a6b86ea6ef7f763e5840e68a9bff35339300

Filesize 32KB
MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Filesize 108KB
MD5 723a4f3744380630d6756a423f75aeef
SHA1 bb94647618e004613ff6817e5be98b4375a4a20d
SHA256 2f21b2bd5d19445f70c652700815dea542b95226c55f2ca73deac643e649eedf
SHA512 2d39a74d799994bf122e49e583441aa55beeb4b34d0c73ad1e987547378f6c6292d8a2d0ac212a10431325da3b73103e3e39d946c090f2a065ee7570e2a44152

Filesize 173KB
MD5 c413b1386e04741b3b75e29950982137
SHA1 a8a3d7cd9f2c123fd88881dadded625c32a0f815
SHA256 0f1b46c12ee24cf5672af2254eab65f9658c1ddb4b49e38e41c1371d1b026b41
SHA512 36070d7b4cd95f533a749b7c2f8b9d6d31940ed69d76b49a04a9a8f539aaddce494c37b64babf747c033cd8b73aeace8ff6df397eda895c845befbce5729e92a

Filesize 16KB
MD5 3c46828ff6ce604c9c69c9bf37890f24
SHA1 e4301980d8934a6a903c0b15b155d99185b717ae
SHA256 89f97d96217704f5ee9e298e8f4812a7f917462e5e9a766b8b306c930f3c65df
SHA512 01609cf5a663a11d4a67b66cf4cc70cb45116262e49ce254dbba49818e4855cae443ad7e05885b5390b8a9e08fb56304640a2826cea027f20c7aa1e144d9f8f0
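Before comparing a file pulled from a device or a feed with this report, its digests should be recomputed rather than trusted from a filename. The following script is an added example (not the sandbox's code and not code from the sample): it computes MD5, SHA-1, SHA-256 and SHA-512 in a single pass over the file, reports which algorithms disagree with the General section above, and classifies a SHA-256 as the submitted APK, one of the files listed under Downloads, or unknown. Only the digests copied from this report are data; the standard library has no ssdeep, so the fuzzy hash is not checked.

```python
"""Added example: verify a retrieved file against the hashes in this report.

Stdlib only (hashlib); the ssdeep value from the report is not checked here.
"""
import hashlib

# Hashes of the submitted APK, copied from the General section of the report.
SAMPLE_HASHES = {
    "md5": "5d498abb0f99b3a4d57dca6ce0d5b530",
    "sha1": "fd51e64ca5ac2297b8848d85f7d22f48e92c469c",
    "sha256": "a1cb4730227e27f7d6bd7b6782a31908d885df663cd13e2899b7bda43ec846ba",
    "sha512": "99db244a2aff14b9cafb2a19f61a5550f4fb1a95f601bcb6f40dd4cda2f6ace7"
              "fd75fa7b328995a1927abf014bcbb46d955d3e1c7043726552dd0a0ff7429565",
}

# SHA-256 of every file listed under Downloads in the report.
DROPPED_SHA256 = {
    "66ab822f0ca23ddb477e6e5c8e4aeed9fc18d6ea5fd17951b55930956108267e",
    "6f83e35e4b0b5bb8001d6d0e097b6ffae7911c36d59467206d9d589ee2a28067",
    "5aa8e63f609805ed76ab1778cb66a4cd4b6d7d918b9fa182b2f8651a377de41c",
    "0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514",
    "ce88274c7d19ae97928dd25efe7cbf9a76b042a02038bd2811fa4c63a1a88a4e",
    "c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479",
    "2f21b2bd5d19445f70c652700815dea542b95226c55f2ca73deac643e649eedf",
    "0f1b46c12ee24cf5672af2254eab65f9658c1ddb4b49e38e41c1371d1b026b41",
    "89f97d96217704f5ee9e298e8f4812a7f917462e5e9a766b8b306c930f3c65df",
}

ALGORITHMS = ("md5", "sha1", "sha256", "sha512")


def hash_stream(chunks) -> dict:
    """Compute all four digests in one pass over an iterable of byte chunks."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    for chunk in chunks:
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data: bytes) -> dict:
    """Digests of an in-memory buffer (used for the offline test below)."""
    return hash_stream([data])


def hash_file(path: str, chunk_size: int = 1 << 20) -> dict:
    """Digests of a file read in 1 MiB chunks, so large APKs are not loaded whole."""
    with open(path, "rb") as f:
        return hash_stream(iter(lambda: f.read(chunk_size), b""))


def mismatches(actual: dict, expected: dict) -> list:
    """Algorithms present in `expected` whose digest differs (case-insensitive)."""
    return [a for a in ALGORITHMS
            if a in expected and actual[a].lower() != expected[a].lower()]


def classify(sha256: str) -> str:
    """'sample' for the submitted APK, 'dropped' for a Downloads entry, else 'unknown'."""
    sha256 = sha256.lower()
    if sha256 == SAMPLE_HASHES["sha256"]:
        return "sample"
    if sha256 in DROPPED_SHA256:
        return "dropped"
    return "unknown"


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        digests = hash_file(path)
        bad = mismatches(digests, SAMPLE_HASHES)
        print(f"{path}: {classify(digests['sha256'])}; "
              f"{'all sample digests match' if not bad else 'differs from sample in ' + ', '.join(bad)}")
```

A file that matches on SHA-256 but not on MD5 or SHA-1 would indicate a transcription error in one of the report's values rather than a different file, which is why all four are compared separately instead of stopping at the first match.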