Analysis
- max time kernel: 179s
- max time network: 131s
- platform: android_x86
- resource: android-x86-arm-20240624-en
- resource tags: android, arch:arm, arch:x86, image:android-x86-arm-20240624-en, locale:en-us, os:android-9-x86, system
- submitted: 25-06-2024 22:01
Behavioral task
behavioral1
Sample
e6c0ef7ef87316d2c02b1a41fcc307b6bbbb2c3c60b2d8b99b4dbe213326403e.apk
Resource
android-x86-arm-20240624-en
Behavioral task
behavioral2
Sample
e6c0ef7ef87316d2c02b1a41fcc307b6bbbb2c3c60b2d8b99b4dbe213326403e.apk
Resource
android-x64-20240624-en
Behavioral task
behavioral3
Sample
e6c0ef7ef87316d2c02b1a41fcc307b6bbbb2c3c60b2d8b99b4dbe213326403e.apk
Resource
android-x64-arm64-20240624-en
Behavioral task
behavioral4
Sample
childapp.apk
Resource
android-x86-arm-20240624-en
Behavioral task
behavioral5
Sample
childapp.apk
Resource
android-x64-20240624-en
Behavioral task
behavioral6
Sample
childapp.apk
Resource
android-x64-arm64-20240624-en
General
- Target: childapp.apk
- Size: 2.8MB
- MD5: 114bf0d5c6c6eefa3549ba6258485dd9
- SHA1: 5ec88f000c78dbe85cf6e807e8ec28d144469bf8
- SHA256: 1aa526105b85cad2400df93b3e30c53c5be4982ccde416bd8dc23a3dc2f7e0f5
- SHA512: 5104c5b381c4e78273d3b9a6a427bd883588f24212352f75589418cdd8d5875f4482618ea300eda8900cbd16ab60c887451199fd5a24a3785facf9dc82057bad
- SSDEEP: 49152:rKb7U+Oou2DyWx4UgDdaHnevfxrtDAK8FbQC1R9/oHzfv24R3hag0gK/Xx4g/ku:Z+OmiU+SevbD+bb/oz105Xou
Malware Config
Extracted
hook
http://1
Signatures
- Hook
  Hook is an Android malware that is based on Ermac with RAT capabilities.
  Processes (pid | process):
    4249 | com.JiDpzrKa.WmqvXSVh
    4249 | com.JiDpzrKa.WmqvXSVh
    4249 | com.JiDpzrKa.WmqvXSVh
- Makes use of the framework's Accessibility service (4 TTPs, 3 IoCs)
  Retrieves information displayed on the phone screen using AccessibilityService.
  Processes (description | ioc | process):
    Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | com.JiDpzrKa.WmqvXSVh
    Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | com.JiDpzrKa.WmqvXSVh
    Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | com.JiDpzrKa.WmqvXSVh
- Queries information about running processes on the device (1 TTPs, 1 IoCs)
  Application may abuse the framework's APIs to collect information about running processes on the device.
  Processes (description | ioc | process):
    Framework service call | android.app.IActivityManager.getRunningAppProcesses | com.JiDpzrKa.WmqvXSVh
- Queries the phone number (MSISDN for GSM devices) (1 TTPs)
- Acquires the wake lock (1 IoCs)
  Processes (description | ioc | process):
    Framework service call | android.os.IPowerManager.acquireWakeLock | com.JiDpzrKa.WmqvXSVh
- Makes use of the framework's foreground persistence service (1 TTPs, 1 IoCs)
  Application may abuse the framework's foreground service to continue running in the foreground.
  Processes (description | ioc | process):
    Framework service call | android.app.IActivityManager.setServiceForeground | com.JiDpzrKa.WmqvXSVh
- Performs UI accessibility actions on behalf of the user (1 TTPs, 37 IoCs)
  Application may abuse the accessibility service to prevent its removal.
  Processes (ioc | process), 37 identical entries:
    android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | com.JiDpzrKa.WmqvXSVh
- Queries information about the current Wi-Fi connection (1 TTPs, 1 IoCs)
  Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
  Processes (description | ioc | process):
    Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | com.JiDpzrKa.WmqvXSVh
- Reads information about phone network operator. (1 TTPs)
- Requests disabling of battery optimizations (often used to enable hiding in the background). (1 TTPs, 1 IoCs)
  Processes (description | ioc | process):
    Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | com.JiDpzrKa.WmqvXSVh
- Requests enabling of the accessibility settings. (1 IoCs)
  Processes (description | ioc | process):
    Intent action | android.settings.ACCESSIBILITY_SETTINGS | com.JiDpzrKa.WmqvXSVh
- Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTPs, 1 IoCs)
  Processes (description | ioc | process):
    Framework service call | android.app.IActivityManager.registerReceiver | com.JiDpzrKa.WmqvXSVh
- Schedules tasks to execute at a specified time (1 TTPs, 1 IoCs)
  Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
  Processes (description | ioc | process):
    Framework service call | android.app.job.IJobScheduler.schedule | com.JiDpzrKa.WmqvXSVh
Processes
- com.JiDpzrKa.WmqvXSVh
  - Removes its main activity from the application launcher
  - Makes use of the framework's Accessibility service
  - Queries information about running processes on the device
  - Acquires the wake lock
  - Makes use of the framework's foreground persistence service
  - Performs UI accessibility actions on behalf of the user
  - Queries information about the current Wi-Fi connection
  - Requests disabling of battery optimizations (often used to enable hiding in the background).
  - Requests enabling of the accessibility settings.
  - Registers a broadcast receiver at runtime (usually for listening for system events)
  - Schedules tasks to execute at a specified time
Downloads
- /data/data/com.JiDpzrKa.WmqvXSVh/no_backup/androidx.work.workdb
  Filesize: 4KB
  MD5: f2b4b0190b9f384ca885f0c8c9b14700
  SHA1: 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
  SHA256: 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
  SHA512: ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1
- /data/data/com.JiDpzrKa.WmqvXSVh/no_backup/androidx.work.workdb-journal
  Filesize: 512B
  MD5: f625f8e400cd1d0463edb840e43dd3dc
  SHA1: a4fe45d2b9185e120aaae22da61449d37fda3924
  SHA256: c0c93f4da5d11ad140701ba492efd9108045684622b129d5e5237ae403602d7a
  SHA512: 208cdf75d7e2b5d6ecf2592fa0d1043d53fcf24c9b5ba7524aa9928b609a94d3796d52866ced02226a95473a95a74b2c35cba746ac45d0b1b9d4bd675d379071
- /data/data/com.JiDpzrKa.WmqvXSVh/no_backup/androidx.work.workdb-shm
  Filesize: 32KB
  MD5: bb7df04e1b0a2570657527a7e108ae23
  SHA1: 5188431849b4613152fd7bdba6a3ff0a4fd6424b
  SHA256: c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
  SHA512: 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012
- /data/data/com.JiDpzrKa.WmqvXSVh/no_backup/androidx.work.workdb-wal
  Filesize: 16KB
  MD5: 135cac5b2ac1ad6ec666ded99da71f41
  SHA1: e7a36945210b5ac59f67109da4440685634506f0
  SHA256: c94b5bf7c8bd8b4dc5ad79361d144c1d93638a16683ced39eff51cd9b0d10061
  SHA512: b94acbc941b278ebfbba0b12d69c845c0b89acf9b68161c4d0fa58214122963198a97f0a2567c3372baa9f1725d212592ab0aeb1f64c4231ae4bf13062091e18
- /data/data/com.JiDpzrKa.WmqvXSVh/no_backup/androidx.work.workdb-wal
  Filesize: 108KB
  MD5: 2af8c64d902f0b17de405794efd3ea46
  SHA1: 38d6fa956fad22de3ec36f04d36e661490542275
  SHA256: 33826c3369c5b9824ac0f5667efd5503bc5d35138cf8f60c3ae810142eef731f
  SHA512: 9deff53b00818ca67e339e5dae3cc12cfe43c78e7b87e99766c2722e405aa58b48f89a02089218e8f1d95e2988c14baa53aebef061198e3d484fc027ad67315f
- /data/data/com.JiDpzrKa.WmqvXSVh/no_backup/androidx.work.workdb-wal
  Filesize: 173KB
  MD5: 407eec393a828da5a14c9a1d81732737
  SHA1: 9828682a3fb7837295549522257730a9dca8da9f
  SHA256: 421f7e769649014acff1cdaa7dfe1de8be1c88e804d67611a6815960c414dd77
  SHA512: b1508da74cad16da3164114034887fa2075eebbf5c3c65e5e39d6ae0629ee584db803060511e11c7376199372af9bb810def1f9ffa301d7b432d4fe45c86eff7