Analysis
-
max time kernel
149s -
max time network
151s -
platform
android-9_x86 -
resource
android-x86-arm-20240910-en -
resource tags
-
submitted
20-01-2025 22:07
General
-
Target
443a7d9c1c2d42e5599ba108d96af71b499d6414f8dbf45d3855d93062b97f9a.apk
-
Size
5.0MB
-
MD5
d62f8771384adbac4c2137db36a56239
-
SHA1
fbb6c1ef42dc56fa256e1ad4424c00f3f37ccfc5
-
SHA256
443a7d9c1c2d42e5599ba108d96af71b499d6414f8dbf45d3855d93062b97f9a
-
SHA512
f9cad909d0243247a285aaef0314d74ff0cef33d97bb05ea54b39622c66ff1ec39d33e7be20b5cf33d78ce133d58e43eb3d3a170a8a269c68abab298d3807b89
-
SSDEEP
98304:GJbhcB9yCtWfAUpLBx5gJB223z8SgwgGgAyuWf/CZBA1kBTd5SiD22:whSkM1cLz5gJBH3wNNGgYUC4kBT7SiDb
Malware Config
Extracted
hook
http://154.216.17.69
Signatures
-
Hook
Hook is an Android malware that is based on Ermac with RAT capabilities.
-
Hook family
-
Loads dropped Dex/Jar 1 TTPs 3 IoCs
Runs executable file dropped to the device during analysis.
-
Makes use of the framework's Accessibility service 4 TTPs 3 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
-
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries information about running processes on the device 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about running processes on the device.
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Acquires the wake lock 1 IoCs
-
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
-
Performs UI accessibility actions on behalf of the user 1 TTPs 8 IoCs
Application may abuse the accessibility service to prevent their removal.
-
Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
-
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
-
Reads information about phone network operator. 1 TTPs
-
Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
-
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
-
Schedules tasks to execute at a specified time 1 TTPs 1 IoCs
Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
-
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
-
Checks CPU information 2 TTPs 1 IoCs
-
Checks memory information 2 TTPs 1 IoCs
Processes
-
com.fxlfwvcik.kcdszsfrs1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Queries information about running processes on the device
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries information about the current Wi-Fi connection
- Queries the mobile country code (MCC)
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Schedules tasks to execute at a specified time
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
-
/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.fxlfwvcik.kcdszsfrs/app_dex/classes.dex --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.fxlfwvcik.kcdszsfrs/app_dex/oat/x86/classes.odex --compiler-filter=quicken --class-loader-context=&2⤵
- Loads dropped Dex/Jar
-
Network
MITRE ATT&CK Mobile v15
Persistence
Event Triggered Execution
1Broadcast Receivers
1Foreground Persistence
1Scheduled Task/Job
1Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Impair Defenses
1Prevent Application Removal
1Input Injection
1Virtualization/Sandbox Evasion
2System Checks
2Credential Access
Access Notifications
1Input Capture
2GUI Input Capture
1Keylogging
1Discovery
Process Discovery
1Software Discovery
1Security Software Discovery
1System Information Discovery
2System Network Configuration Discovery
3System Network Connections Discovery
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.9MB
MD51702a43faf35f8b1575d6de10470ca24
SHA17a40328a649593f64441b85ce0bcd5b549f7a219
SHA256ff712f209c9d20110192c3b7e56b4891f5aed2710e18d55d811561077c3a535e
SHA5129f8eda29db1b0e450e6f520ef4efe0d7be7683cfc0e489b2a35b664a42de35d91db2c26ec168a11386d4236b87ba3cce389b52609dcf4e54e187d395364fe3a6
-
Filesize
1.0MB
MD57f78bc6105199610b76e19f55fcd1e0f
SHA1b68bdd71d4da27ce0022fcfe978257c6889d5e80
SHA25660ea4caa81eb4ea6bf8992b6f07dd023de32fcc63916b9072488138f4ca53d84
SHA5120d206651f277ea1579b0875ac9ec8c155dc52dc14729321eb7213d9ae5603681452f5a16d7800c98c4c99cd62c6ff098cde279dac382cdb127f69ae91e90c0df
-
Filesize
1.0MB
MD5d2f078c7b5c0a532a06a97a93f9adeed
SHA1c27383f78797700f127a610d9a4ee2d363b662c3
SHA2562c86d195530fa61368f0459a26092d84634278cd6273aa5744ca97245b221c9d
SHA512ac9274ce3fac6288ad3816d11a77a77ef738174319237b67f2a34f90295776bc84a765be0d27101c435a016fbf87e367412bde696ce4cc7c0da51f20cd0a5ac8
-
Filesize
4KB
MD5f2b4b0190b9f384ca885f0c8c9b14700
SHA1934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA2560a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1
-
Filesize
512B
MD58f63a363254d44e2f8aa4dda8668a2b2
SHA1a93e5a58340a60756b7243e121bacd7fd5243c38
SHA256456c844ff0c77bd2dc69dd90778a22a7e2b4ee5ca64aa53f5e13516d97edb2c5
SHA51283ade81c9ab57dbbaeba6fb78c13a71186e71bf7c76ff2795b831bc979ecfc132d3e1d407dbfba58825f1ec726e627f14fd978253f21e9c22ead75e10defbb6d
-
Filesize
32KB
MD5bb7df04e1b0a2570657527a7e108ae23
SHA15188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012
-
Filesize
108KB
MD52181ff060015a2fa5860321b161565d9
SHA10c021c5cfd02b679cb4a5252fc2fabb73d022a5e
SHA256f8f7a601907d7420994e588a07c10f0a4bc1074c8c725ae59f704d889a051501
SHA51210b3e719ee2c9bbcc7d5900e0a4756174124f277fd604a51b6b87a4a00b0ee53084383f2278428101c33af714f0724bff9c6104961f1262682695810a577ad84
-
Filesize
173KB
MD5e615305ba9e837e3e64a38ba431beef6
SHA1329b75078daee5be41d8056723d1ee0176995674
SHA256d0740a029639485464eb5fe7b30bf44f3954d5d45f7b22308833bc42f25b0768
SHA5122d6e3a569993a45bc12f90807f1060f667e5595f4b6c3e147a32b9d34ea20c0ba754bfa71145d55220cc463ce494d7f11f9d4c2cb94b9e15bac63807ed91815d
-
Filesize
16KB
MD504726904950d5ba96369b01c51d5c603
SHA1efe611f03c49c612169c83e691152e191d433d8c
SHA256411ec4aaf2ee78654bd71785efec271c47eeca97b25a766bb0d9c8b3fc83ab09
SHA5129e8ea3cec6c740c7e3dd4321fa40c836565f10ac2f757f9ee4ae15fa6c00506be09543ed5a1c9add1062e4f5b500b055aa720f541e4cafe0059f4ba3629345a3
-
Filesize
2.9MB
MD5c9c1359db5e87136b2bfa8e482ff8bf0
SHA1f9847aa363e53150d44aeb78a9df6c77d0bcdde8
SHA2560cec94e695b1ca90e931166ba460869ffe7c0cfa83cdcd7beaf8e969f5c2e03a
SHA5126e87a1ba551f91e343da2f5dfdc82d5a9543dd9c948fa81dea149123c34fd67b4c61e3121dc30ca492760d49bc0875ba2095be87dc442c546057ddbd9ddc4566