hook | e4fc786d2c691c5e735db758881b9f7a455148615a4bc140ba286a1caab4254f

Resubmissions

29/03/2023, 00:17

230329-alflfafg2s 10

27/03/2023, 10:02

230327-l3abjacg95 10

Analysis

max time kernel
718084s
max time network
1200s
platform
android_x86
resource
android-x86-arm-20220823-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20220823-enlocale:en-usos:android-9-x86system
submitted
29/03/2023, 00:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

YouTube_obf.apk
Size

2.6MB
MD5

9a04cd4b51e74d6951c2c7f78cb0b7bd
SHA1

791880e2417efebdec3bb56c66d9ac18e32c96d1
SHA256

e4fc786d2c691c5e735db758881b9f7a455148615a4bc140ba286a1caab4254f
SHA512

add5a5cca243b1260cdb635d18ca0addaec009f32ca6fbef5e6a8c3debe92c65fc35ed78bc40f6efd1eba6bb004976b7242385613ffe290e5789765456d65947
SSDEEP

49152:5G+mYa9G5wqCZhjz6UYSWrqWZJ/9h0D/Yw36O8RJtnkats10N4NIJ:5GYa9G2VGUs9eb8RLnt54NIJ

Score

10^/10

hook banker evasion infostealer ransomware rat trojan

Malware Config

Extracted

Family

hook

http://176.100.42.11:3434

Extracted

Family

hook

http://176.100.42.11:3434

AES_key

Signatures

Hook
Hook is an Android malware that is based on Ermac with RAT capabilities.
rat trojan infostealer hook

Makes use of the framework's Accessibility service. 3 IoCs

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.cinecaluxozixu.benama
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText	com.cinecaluxozixu.benama
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.cinecaluxozixu.benama

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps). 1 IoCs

banker

description	ioc	Process
Framework service call	android.content.pm.IPackageManager.getInstalledApplications	com.cinecaluxozixu.benama

Acquires the wake lock. 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.cinecaluxozixu.benama

Loads dropped Dex/Jar 2 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/user/0/com.cinecaluxozixu.benama/app_DynamicOptDex/ODNGfSF.json	4176	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.cinecaluxozixu.benama/app_DynamicOptDex/ODNGfSF.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.cinecaluxozixu.benama/app_DynamicOptDex/oat/x86/ODNGfSF.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/com.cinecaluxozixu.benama/app_DynamicOptDex/ODNGfSF.json	4130	com.cinecaluxozixu.benama

Reads information about phone network operator.

Removes a system notification. 1 IoCs

evasion

description	ioc	Process
Framework service call	android.app.INotificationManager.cancelNotificationWithTag	com.cinecaluxozixu.benama

Uses Crypto APIs (Might try to encrypt user data). 1 IoCs

ransomware

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.cinecaluxozixu.benama

com.cinecaluxozixu.benama
1⤵
- Makes use of the framework's Accessibility service.
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps).
- Acquires the wake lock.
- Loads dropped Dex/Jar
- Removes a system notification.
- Uses Crypto APIs (Might try to encrypt user data).
PID:4130
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.cinecaluxozixu.benama/app_DynamicOptDex/ODNGfSF.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.cinecaluxozixu.benama/app_DynamicOptDex/oat/x86/ODNGfSF.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4176

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/com.cinecaluxozixu.benama/app_DynamicOptDex/ODNGfSF.json

Filesize
704KB

MD5
6d5e9bcdab546a41a32dc134a0ca23e1

SHA1
272c6afdaebbf7a6bb78f42f659d5806b30a6907

SHA256
1a80d8632f0dc7d62711f32af196dd4ed98654453bc261288dc52c164f086071

SHA512
54d31460ce8dd7b0616000bbb6ecbcd49860583b08578af5023bbbdf91705de04cd51ee7d919eaf56b40b6acac0f30df05921c5254dbdbfb1e5ec68c42c17ac3

Download Submit
/data/user/0/com.cinecaluxozixu.benama/app_DynamicOptDex/ODNGfSF.json

Filesize
1.5MB

MD5
2f014c008012e9eb8c1d2ad8cd3bc0cc

SHA1
b131858e915215e3d0f9c8c0a863b74289f1b9ac

SHA256
5d47e9802a60d0c0f374be499c0a6c4e52cda4b21cf202f0c5cfeb962ae3ead2

SHA512
8e4928abbd70451e9fd7bf8027abc93c0c0ad23d0eef1cc728e8c36c30c5d8288580821583e887cac0d5f79316bbf2fd5645c4079480362996ddbe34405ad7ae

Download Submit
/data/user/0/com.cinecaluxozixu.benama/app_DynamicOptDex/ODNGfSF.json

Filesize
1.5MB

MD5
089544070959213580514e7b1587508e

SHA1
2e65d6a4b733fac241243dcbb3f45924358fa263

SHA256
204e9b3006016eae2c3b6323483c02515a158e722bf205571ec576e25d52b4e4

SHA512
f398f8ebcdfd628ca78fd17d74c9b72932987d81a94d2db8aceea692e274f6a9b7df751ff73b69526e87f6e379f1f412235ecdd8c72de7d51b3e44e8ec8192f0

Download Submit
/data/user/0/com.cinecaluxozixu.benama/app_webview/GPUCache/index

Filesize
20B

MD5
93027d42b314432c4216e6cfca48b384

SHA1
43448dd8102979c3926828182579691945eedd4e

SHA256
3cda72e67c62e52a342309c44f2cb3b6c1019c7b11822e2f628e48e254e2b41c

SHA512
a52d13cf7f5be196d1e2f135b8a010f80558c5d35e90e7792441d1c976517d55cf1c9587949db69ebef294cc6ef79529a65e7d779964793016efecacd152f70e

Download Submit
/data/user/0/com.cinecaluxozixu.benama/app_webview/GPUCache/index-dir/temp-index

Filesize
48B

MD5
2d1cf9829b8c210c3204692dbe323d42

SHA1
9477b74c52f80715e433c733fd755050d2a7b610

SHA256
6aefae08c14ac3f45bacb072ef6689e0097bba0f0921eb6c13a82d9d32d47897

SHA512
25bee513eeaea04f0ad180d8b4738226283c32b291a6b297c388f90de71c15df72656af8c4460063a6da4e0c526bbc0aad38b7a6a3ffa4b0944b5a39ce3bbacf

Download Submit
/data/user/0/com.cinecaluxozixu.benama/app_webview/GPUCache/index-dir/temp-index

Filesize
48B

MD5
b819eb3804f436baec4a8f2efeb71696

SHA1
83ddce7fa7ac3ddefc165540206a2a8ef44d50db

SHA256
efa116113121e6961281d1e9709113900d19310177ece4d7e2eb3bb43885542d

SHA512
4095e7fc303d5a32f6171b19b2b3df0954d091a20a78e14cea37188fa3989d04c97546d9a1a177299e995b0983197264132665c0f8a36456abecfb201deef262

Download Submit
/data/user/0/com.cinecaluxozixu.benama/app_webview/Web Data

Filesize
104KB

MD5
dc79f9ce5f3ab5270b33e61119dfc959

SHA1
1844bf222a5144b513dcf2fb50a18c011701c647

SHA256
47e65f4de08deabfd52ecdb8b0a29c61c482188b92c36182e2112ca0a8f4ff65

SHA512
18b8894a7f35df516f423bbdebf1e05ce09eaf4345b139e59e603cadb81f8d1fa20f793438c28e8fd9a64e64f0684223d90ce6f10d3f93cb0c781049a8cff03e

Download Submit
/data/user/0/com.cinecaluxozixu.benama/app_webview/Web Data-journal

Filesize
1KB

MD5
6624c4ad2a113476f7ea14260a724f8f

SHA1
391f8458c48b99f45635a9d9cce3d945a086d91e

SHA256
d910e7d1cb0f4bbb03046f76aa2deba48fb20d5f46106f2cded66d45397775d6

SHA512
8f9351394ced6ddcf1cf8ed094a9409416be79eda486ad8d8725d1bf4aa3a7774cfeeafb0f30980416c8cb361ac6f204774bb1c20790e19500dcbe40f510626d

Download Submit
/data/user/0/com.cinecaluxozixu.benama/app_webview/metrics_guid

Filesize
36B

MD5
9f3f5e4aaf49f96672cebcb479649f7a

SHA1
5a51cfbc53cc3e086416b52512aa1623ab39cbbd

SHA256
87d5d137cf4d3cf534fa6ad2ec6ff7d178e1f8d643752311538e1a46c5e44c85

SHA512
2750ca5c68805c6ec55f59488a05c49b0b433633b5f3a81d7490a38cf10503d3c318e8da292a3f4df5d7d6783526829601011f8a2306074d7183b307c502e1f3

Download Submit
/data/user/0/com.cinecaluxozixu.benama/no_backup/androidx.work.workdb

Filesize
4KB

MD5
f2b4b0190b9f384ca885f0c8c9b14700

SHA1
934ff2646757b5b6e7f20f6a0aa76c7f995d9361

SHA256
0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

SHA512
ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

Download Submit
/data/user/0/com.cinecaluxozixu.benama/no_backup/androidx.work.workdb-journal

Filesize
524B

MD5
2efd5f91d1b414e3e0b4986f5980b1e9

SHA1
753a4c84217c980948222858274ae0e36fc275d9

SHA256
c7c8a161515742857d2abd5ea653549f5b024c5b43ec792d1be873089e17d4ee

SHA512
4023ef970b5802c2daedfb47458ae1c111fbcc34d7d440560377727e3f38ba5bbe356bcca8ad1d5fc61323b1ba55e8e55e7532837c2e253eb9ce1103446780cf

Download Submit
/data/user/0/com.cinecaluxozixu.benama/no_backup/androidx.work.workdb-shm

Filesize
8B

MD5
7dea362b3fac8e00956a4952a3d4f474

SHA1
05fe405753166f125559e7c9ac558654f107c7e9

SHA256
af5570f5a1810b7af78caf4bc70a660f0df51e42baf91d4de5b2328de0e83dfc

SHA512
1b7409ccf0d5a34d3a77eaabfa9fe27427655be9297127ee9522aa1bf4046d4f945983678169cb1a7348edcac47ef0d9e2c924130e5bcc5f0d94937852c42f1b

Download Submit
/data/user/0/com.cinecaluxozixu.benama/no_backup/androidx.work.workdb-wal

Filesize
197KB

MD5
87288cbcc0b491bc0d980519b69dafbf

SHA1
06871dbffec53d4e551914c23428b66bad24d128

SHA256
4e84f87821e39363bbd0ecde3faaf855a4be09450a4c62ab1a16ee494c8da9a5

SHA512
8b226909d5c9fbde52fc7118fd396659361baa962ce89670441d824576bf7cd306f6f3b321ed723cd450da208b26703a619c9be7191cf562b05204c04e8465bb

Download Submit
/data/user/0/com.cinecaluxozixu.benama/shared_prefs/WebViewChromiumPrefs.xml

Filesize
127B

MD5
21223e9184445fe043476484cd8cb1f9

SHA1
2b4813f849121d60ba35eb0889080668bb62c778

SHA256
bb61b7c087c2ae2de93a7740ff75707342940557146366e92b840284cd9446af

SHA512
be21408de0cc643650e5d9ab9057a8f9de88e37fbdc6417cfeba160402ec4cd14fccbc82cbbfd941ecfc0bb3d4056ee61ac199efdc99d647d53e65818835fd48

Download Submit
/data/user/0/com.cinecaluxozixu.benama/shared_prefs/settings.xml

Filesize
138B

MD5
7ceae0a9d45f1c82277d4a61b25e06fd

SHA1
d50d12087085a2a4022ab438544ff5cb21b877d9

SHA256
546f08d3ef03531c006fbe4271232b5d3056da72465664a8363bb1411fa1e147

SHA512
043b7f77726684a39dd67340a2e1e2cbc3fe101acf088d8acc0220e7a1d4cdef48232cd613c59057c7ed717a631a0e09766995c2f8f755887a53c411b2fa2800

Download Submit

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads