Analysis
-
max time kernel
177s -
max time network
133s -
platform
android_x64 -
resource
android-x64-arm64-20240611.1-en -
resource tags
android, arch:arm, arch:arm64, arch:x64, arch:x86, image:android-x64-arm64-20240611.1-en, locale:en-us, os:android-11-x64, system -
submitted
14-06-2024 22:07
Behavioral task
behavioral1
Sample
9073568a1855141fa0de08a35fb37216b8571bd92cc45a564af2d787e8924aca.apk
Resource
android-x86-arm-20240611.1-en
Behavioral task
behavioral2
Sample
9073568a1855141fa0de08a35fb37216b8571bd92cc45a564af2d787e8924aca.apk
Resource
android-x64-20240611.1-en
Behavioral task
behavioral3
Sample
9073568a1855141fa0de08a35fb37216b8571bd92cc45a564af2d787e8924aca.apk
Resource
android-x64-arm64-20240611.1-en
General
-
Target
9073568a1855141fa0de08a35fb37216b8571bd92cc45a564af2d787e8924aca.apk
-
Size
3.9MB
-
MD5
c4c311915dd408fac880507dfb257742
-
SHA1
d94dd0f7f95254eb7fc0be983007c136a56c9684
-
SHA256
9073568a1855141fa0de08a35fb37216b8571bd92cc45a564af2d787e8924aca
-
SHA512
25a2723ea4a8e8d0a8dc9a7bce5b099ba97809de286313bd77869b89a42042b2f8ac50f95542afc94ea2d2e9b0ad9e22105b46ed6fc428fa53b140191035fd9d
-
SSDEEP
98304:sFOWOm3i/0E6/LkCwGG4ZJ8a96F8UJ3SCLaaiNS6:sMPQFTgGG4R90DJ3WNH
Malware Config
Extracted
hook
https://ws.lookonstars.tech
Signatures
-
Hook
Hook is an Android malware that is based on Ermac with RAT capabilities.
-
Makes use of the framework's Accessibility service 4 TTPs 3 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
Processes:
com.tencent.mm
description | ioc | process
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | com.tencent.mm
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | com.tencent.mm
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | com.tencent.mm
-
Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs
Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
-
Queries information about running processes on the device 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about running processes on the device.
Processes:
com.tencent.mm
description | ioc | process
Framework service call | android.app.IActivityManager.getRunningAppProcesses | com.tencent.mm
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Acquires the wake lock 1 IoCs
Processes:
com.tencent.mm
description | ioc | process
Framework service call | android.os.IPowerManager.acquireWakeLock | com.tencent.mm
-
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
Processes:
com.tencent.mm
description | ioc | process
Framework service call | android.app.IActivityManager.setServiceForeground | com.tencent.mm
-
Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
Processes:
com.tencent.mm
description | ioc | process
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | com.tencent.mm
-
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
Processes:
com.tencent.mm
description | ioc | process
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | com.tencent.mm
-
Reads information about the phone network operator 1 TTPs
-
Schedules tasks to execute at a specified time 1 TTPs 1 IoCs
Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
Processes:
com.tencent.mm
description | ioc | process
Framework service call | android.app.job.IJobScheduler.schedule | com.tencent.mm
-
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
Processes:
com.tencent.mm
description | ioc | process
Framework API call | javax.crypto.Cipher.doFinal | com.tencent.mm
-
Checks CPU information 2 TTPs 1 IoCs
-
Checks memory information 2 TTPs 1 IoCs
Processes
-
com.tencent.mm
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Queries information about running processes on the device
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Queries information about the current Wi-Fi connection
- Queries the mobile country code (MCC)
- Schedules tasks to execute at a specified time
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
Network
MITRE ATT&CK Matrix
Downloads
-
/data/user/0/com.tencent.mm/no_backup/androidx.work.workdb
Filesize
4KB
MD5
7e858c4054eb00fcddc653a04e5cd1c6
SHA1
2e056bf31a8d78df136f02a62afeeca77f4faccf
SHA256
9010186c5c083155a45673017d1e31c2a178e63cc15a57bbffde4d1956a23dad
SHA512
d0c7a120940c8e637d5566ef179d01eff88a2c2650afda69ad2a46aad76533eaace192028bba3d60407b4e34a950e7560f95d9f9b8eebe361ef62897d88b30cb
-
/data/user/0/com.tencent.mm/no_backup/androidx.work.workdb-journal
Filesize
512B
MD5
71657568dc9c245aa9160c7775badc1e
SHA1
4c2ae6a57648b7fce1dd517243ac7da3182444ea
SHA256
948542c83e6ed3f37d68b33cb22898c93d52d90e86d38a3e38b25bc893f3635f
SHA512
90974c0fc44d9f7bf4c3cec6048d4c3ecebf484e6ae690fe8b5e59f328231648e445938a3fe375a457d82da0799d944bf60cebfd7db577ab38b3a604a9749747
-
/data/user/0/com.tencent.mm/no_backup/androidx.work.workdb-shm
Filesize
32KB
MD5
bb7df04e1b0a2570657527a7e108ae23
SHA1
5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256
c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512
768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012
-
/data/user/0/com.tencent.mm/no_backup/androidx.work.workdb-wal
Filesize
16KB
MD5
8879e99def506686e601f65a4dfac217
SHA1
5f08ec5cc2a4ac85d9445274e843f5c8b1336fbd
SHA256
bac34922661e8ad8442d96b9220c312a41ac2193d03ce92acedab5a8d943a370
SHA512
5f885f99792d5c7b9246316940b67462e827f55c55b88d577487185b724b7b470706115dea0f33aeab445d2bb47c2956d152d4e0dba107592634e0a1bfe54fb6
-
/data/user/0/com.tencent.mm/no_backup/androidx.work.workdb-wal
Filesize
108KB
MD5
bbd8cb4e1ccbdd600888f40ff4045d4e
SHA1
571d4e360ca47062f15f7a10cbe44748f47476b3
SHA256
95e64360f40972cb0eca85324d0d8b3877cd3cf467a496d02da049294baaa503
SHA512
131a7f1d2acff3ef6eb76d1ff1b5d979352f0e149cc059c4813ebe69116d784ab873e53c04331d6998444c97f08cca4977d66fa17774d31b08d7acbe9852466b
-
/data/user/0/com.tencent.mm/no_backup/androidx.work.workdb-wal
Filesize
173KB
MD5
44c81aa81c15fe9b1ff939e30aa68968
SHA1
5b97377c52388a0594d95b6b115a3560c6f8c9b7
SHA256
6685119492194b07f6a71702a637e86928ce31f1d93871abb9e262082fbb3c6b
SHA512
9fdd2a6210701c9b48a84876fa9ff5185d98657a48fac0cbbfaf86e68891962f36aab2876046aea34a1a3674f5790fed7e92655d8009863c9074069189d2a0f5