hook | 6457c9837f35011200dbee5a82e7f73a09f53b2c68296dea01838e7714d9e1ba

Analysis

max time kernel
402308s
max time network
166s
platform
android_x64
resource
android-x64-arm64-20231023-en
resource tags

androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20231023-enlocale:en-usos:android-11-x64system
submitted
28-11-2023 22:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6457c9837f35011200dbee5a82e7f73a09f53b2c68296dea01838e7714d9e1ba.apk
Size

2.9MB
MD5

f68658df74ae791d3cbecd205722cc41
SHA1

ad879f0d74d16d7d5d4ec44bfbb8fa931c55a4f0
SHA256

6457c9837f35011200dbee5a82e7f73a09f53b2c68296dea01838e7714d9e1ba
SHA512

739fc004505dc896d83102fdf2a8b09181e333e37e61919ee4981ff35d983187e0932203e15b23df80ae5da95c539891bbcb43c45fd2240ffb732ba2fbf509fb
SSDEEP

49152:C+JUfMl+7ZDPazbnhpn1zvMSjjajdyVSWrqc/b4oc2E8j8vEAinD02zmNSIaX:C+W0lIezFp9tkEbZ/j8i028e

Score

10^/10

hook evasion infostealer ransomware rat stealth trojan

Malware Config

Extracted

Family

hook

http://91.215.85.22:3434

AES_key

Signatures

Hook
Hook is an Android malware that is based on Ermac with RAT capabilities.
rat trojan infostealer hook

Makes use of the framework's Accessibility service. 3 IoCs

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.dekezumepome.deyecite
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.dekezumepome.deyecite
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText	com.dekezumepome.deyecite

Removes its main activity from the application launcher 1 IoCs

stealth trojan

pid	Process
4418	com.dekezumepome.deyecite

Acquires the wake lock. 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.dekezumepome.deyecite

Loads dropped Dex/Jar 1 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/user/0/com.dekezumepome.deyecite/app_DynamicOptDex/aMd.json	4418	com.dekezumepome.deyecite

Reads information about phone network operator.

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs

evasion

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.dekezumepome.deyecite

Uses Crypto APIs (Might try to encrypt user data). 1 IoCs

ransomware

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.dekezumepome.deyecite

com.dekezumepome.deyecite
1⤵
- Makes use of the framework's Accessibility service.
- Removes its main activity from the application launcher
- Acquires the wake lock.
- Loads dropped Dex/Jar
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Uses Crypto APIs (Might try to encrypt user data).
PID:4418

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/com.dekezumepome.deyecite/app_DynamicOptDex/aMd.json

Filesize
705KB

MD5
90fcdd911130185f883976c36faf999d

SHA1
d86b61ce13d8f8c67d14168191a01b617c1855fd

SHA256
31c47cdcf1e5ad1c5eb62a19329bee13518182e07c75108d819cb25644d32cda

SHA512
760fef18b8a85b76bd50d93821e3eabf972fdb1134fa7e148272e974b92ae4647624a7f702309352e112be98c09d1cc87a48498fef9aaa27849fc931ff33fdcf

Download Submit
/data/user/0/com.dekezumepome.deyecite/app_DynamicOptDex/aMd.json

Filesize
705KB

MD5
a37b0504afaee8a8fa7aa37dd0a8b528

SHA1
8ee3d308fdbf279011a5906955a16f8ec9348500

SHA256
3e143edb0b456f29437842c249f5602d28e07250049ed0d7e030ada41bd6c269

SHA512
6399c27a949cd90cc97940b0875ddc261ad4168f8d0d6117c23bdbd7618d75033e47a88b4318fb0487dd635682546754f22b795b101df01b9bdbe178a8ac00aa

Download Submit
/data/user/0/com.dekezumepome.deyecite/app_DynamicOptDex/aMd.json

Filesize
1.5MB

MD5
75b6eb041c5124ca9fbf00d0844263d1

SHA1
c3dde78a6c27f78c8a4207b190bd7ded6b1a6887

SHA256
444fb400283211eb44017d60a707e63d140a6101fb58f5b6a7662559f9289a9c

SHA512
fef37cf4b613e976fef071bba2ddf26ac1c72110861c49589f7e05cd18f050ada78ef7515477cfe56ed162ca9e087ac4dfa277cd1b1d517fcdc2958eef22dda8

Download Submit
/data/user/0/com.dekezumepome.deyecite/app_DynamicOptDex/oat/aMd.json.cur.prof

Filesize
2KB

MD5
64cfbc0769b6648fb6b61917bad8620e

SHA1
f5444485bff658cddaeb5ab881247527ace1f81f

SHA256
3dbc90ae8af3d837323984f7efee29ccc552b029e03cddfa816845806e1f4fdf

SHA512
0c68a433db470db4a75783b99329eedd4cf91f23284d7b3f01824bb3dd94c3f51e70e2bb49a5fb6b342ae154ccd829f7e51c4b90895d6656b636b6d775cf5c84

Download Submit
/data/user/0/com.dekezumepome.deyecite/no_backup/androidx.work.workdb

Filesize
4KB

MD5
7e858c4054eb00fcddc653a04e5cd1c6

SHA1
2e056bf31a8d78df136f02a62afeeca77f4faccf

SHA256
9010186c5c083155a45673017d1e31c2a178e63cc15a57bbffde4d1956a23dad

SHA512
d0c7a120940c8e637d5566ef179d01eff88a2c2650afda69ad2a46aad76533eaace192028bba3d60407b4e34a950e7560f95d9f9b8eebe361ef62897d88b30cb

Download Submit
/data/user/0/com.dekezumepome.deyecite/no_backup/androidx.work.workdb-journal

Filesize
512B

MD5
3033235ba7239dd1f439901db3325f2b

SHA1
85f2d9d45bb36007042b4fec2423083f1ce2542f

SHA256
ac38909e2f57e005a2351d6e23299e0dc73fcf8dd38aef2c2774e57d075b4a86

SHA512
b4ffe503d81b62b5dc536143b9b928d6bfc22c2425f6d7c21ae747af77626752ac0271c1f87b6adbd3dcb58db8f5cbb7a1e3116ea67aa4f4842911aae6631b5d

Download Submit
/data/user/0/com.dekezumepome.deyecite/no_backup/androidx.work.workdb-shm

Filesize
32KB

MD5
bb7df04e1b0a2570657527a7e108ae23

SHA1
5188431849b4613152fd7bdba6a3ff0a4fd6424b

SHA256
c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

SHA512
768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Download Submit
/data/user/0/com.dekezumepome.deyecite/no_backup/androidx.work.workdb-wal

Filesize
16KB

MD5
126ccf43f644d9516083d9874033db86

SHA1
f0d928ed6118f72b4e52afa4608e515ed4ea0673

SHA256
1f16cccb3475a60d9b506137000a5670e4e1d30a72e54cb71bd006dc164e2b4b

SHA512
51270f2d73caa3c8f90c4dc4d75820b5c5deb9881e72401698ec6efebb726e0e1e66c9353596875d48ea622d51189059ce6a2eee74a2281b1bd0e6a51d955354

Download Submit
/data/user/0/com.dekezumepome.deyecite/no_backup/androidx.work.workdb-wal

Filesize
108KB

MD5
16586fc954d91d5b4210d557dd46c9d4

SHA1
fb0dc3456923e9f9f0c8bab509657bba89fa942b

SHA256
6ad07f972cac0ac0c2177f018dc6ab3d8f6de6be7e4c4cd0ca5866d029819197

SHA512
f46f925b18d3a12080a6b5380447567c8e11b982a7c86134ed0bba2ed9535758cecd46d9f653a56a431f2031f89c664827f438deeb92b20eed22419b79d3f737

Download Submit
/data/user/0/com.dekezumepome.deyecite/no_backup/androidx.work.workdb-wal

Filesize
173KB

MD5
89e451f985611c27fe6f38ad3bb4ba28

SHA1
fad4d678ee2fbf7e6cf4fb085be893e9c8121993

SHA256
1f55599edca38c9ed57a26631b7b5e5acd9c5257ffbc40938fef656ad441c88f

SHA512
f6dabdc6eb24376ff79535da7958b0643c4015b6530c5544fe8809f3abaa3445041520476ecd18f7418ee8d06161e16237f45902f5aa1c43eb4d315b2ab9b05a

Download Submit