hook | 2a2d38d4ae629349d817bffc4b668c0d3877b36c113635a6151685ebb12d2206

Analysis

max time kernel
1872988s
max time network
158s
platform
android_x86
resource
android-x86-arm-20231215-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20231215-enlocale:en-usos:android-9-x86system
submitted
15-12-2023 22:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ac489064b5e34b4d918e4ad2444bc983a1ef9c84f6a1237a983803d2c6c6dcb1.apk
Size

4.0MB
MD5

9acb60849b8a8d5a65973b6f7fee8cc4
SHA1

38a6b3bee7b871bb74ba5cac0db7347cad902565
SHA256

ac489064b5e34b4d918e4ad2444bc983a1ef9c84f6a1237a983803d2c6c6dcb1
SHA512

7fa4c9310be6f71733e3da7a303d414f2f765b7b2182610a4ad17c5ec5e59a21c722accd01981fae532c66b5c0e33173d474d4c6b56eb7bc9e9dce477e035e5b
SSDEEP

98304:nvEXNj1C/CRvlG0yiBH0l+ijldZXVTFtd:nveV1KQvl7TBUQ6lrlTFz

Score

10^/10

hook evasion infostealer rat trojan

Malware Config

Extracted

Family

hook

http://193.233.196.2:3434

Signatures

Hook
Hook is an Android malware that is based on Ermac with RAT capabilities.
rat trojan infostealer hook

Makes use of the framework's Accessibility service 3 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.fihuxoyareru.xusopasu
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.fihuxoyareru.xusopasu
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText	com.fihuxoyareru.xusopasu

Loads dropped Dex/Jar 2 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/user/0/com.fihuxoyareru.xusopasu/app_DynamicOptDex/pFdu.json	4270	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.fihuxoyareru.xusopasu/app_DynamicOptDex/pFdu.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.fihuxoyareru.xusopasu/app_DynamicOptDex/oat/x86/pFdu.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/com.fihuxoyareru.xusopasu/app_DynamicOptDex/pFdu.json	4246	com.fihuxoyareru.xusopasu

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.fihuxoyareru.xusopasu

Reads information about phone network operator.

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs

evasion

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.fihuxoyareru.xusopasu

com.fihuxoyareru.xusopasu
1⤵
- Makes use of the framework's Accessibility service
- Loads dropped Dex/Jar
- Acquires the wake lock
- Requests disabling of battery optimizations (often used to enable hiding in the background).
PID:4246
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.fihuxoyareru.xusopasu/app_DynamicOptDex/pFdu.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.fihuxoyareru.xusopasu/app_DynamicOptDex/oat/x86/pFdu.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4270

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.fihuxoyareru.xusopasu/app_DynamicOptDex/oat/pFdu.json.cur.prof

Filesize
3KB

MD5
f3952e00f5e68583a52e7027f718cbc3

SHA1
14f64df87b6c6cd06e09731fc675aa05d8fad3e9

SHA256
7debe3e3c484ee858428993130efb105396981107acaee1eea481606e06901f7

SHA512
17563117b15451ee7484a476044c481311717d0f30306cec1e7bc44b927fa6d22f7e925f296839d6253bc359510675a2a888ea35ee66959086c2de889ad1e04d

Download Submit
/data/data/com.fihuxoyareru.xusopasu/app_DynamicOptDex/oat/pFdu.json.cur.prof

Filesize
3KB

MD5
13dd8381696ad77d7e7e1f340b5c7fc0

SHA1
af8c9041d173332c553ead8789a9b221e2cb6ccc

SHA256
2811abb5ed9a597605674dd20f0e906f0b8987a07b902253859d90bf615efadf

SHA512
753f7c8475bb96e65aadedab0733bfcfb715be5605e7007b845973f4c2e71e77794c3fb21c9271a27513ba75b552e71c139e16ae3811ccc02b8bc9e14fa94637

Download Submit
/data/data/com.fihuxoyareru.xusopasu/app_DynamicOptDex/oat/pFdu.json.cur.prof

Filesize
3KB

MD5
991db7c25a41adceefb972a7146de382

SHA1
9edde2986fb1546c90736215e766241598f98df3

SHA256
7905f920f4ee05eafaef96187e969d908b6c4e8a7f347f6824d98b94b6462116

SHA512
37992cae538fd9bb0b1ec5504c9c36dad87f807040156f32068f61462f481e9e9e5ec8a71e9a2640e757b8c65aef43c3599daef48beeb873872a5a0d52d855d0

Download Submit
/data/data/com.fihuxoyareru.xusopasu/app_DynamicOptDex/pFdu.json

Filesize
705KB

MD5
10a9cb6f44bbe4a4b4c5b9cd9a18ec25

SHA1
a1b02cb626c82bd595667d5f6e377166e9a7ab8f

SHA256
51df2a75ff2687d40d62a9cd006e9d545ccfcf3a30db9c453052ba606fb91ae5

SHA512
15d5e1d25f818a10bedea134a602ab9f1ea470a6e4a5c0339308cdd30ae6fd13225af3ed35978f07056536d104949bc878aa8a5aae5eab5b9f980b3cd01dd863

Download Submit
/data/data/com.fihuxoyareru.xusopasu/app_DynamicOptDex/pFdu.json

Filesize
705KB

MD5
0bfbea6ad277350d6cc505204bf6b7fe

SHA1
117dea7c71fcf96fa235a8ed8064f6515fc02d1c

SHA256
30b96f66284897ca6926c6a28ccd9e480b8baed72a37e36767a7467af2d47176

SHA512
7ee1cfc9e3b884fa9f33c6b2bcaff96456ce018e974cdd3217beedd4c3638219d1aeee0e6f598a123baf8cad32b14001be8a9c33a8f96da5bc00a9c8f5133442

Download Submit
/data/data/com.fihuxoyareru.xusopasu/no_backup/androidx.work.workdb

Filesize
4KB

MD5
f2b4b0190b9f384ca885f0c8c9b14700

SHA1
934ff2646757b5b6e7f20f6a0aa76c7f995d9361

SHA256
0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

SHA512
ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

Download Submit
/data/data/com.fihuxoyareru.xusopasu/no_backup/androidx.work.workdb-journal

Filesize
512B

MD5
3ca26f7a2c79dca214b6f413166036d6

SHA1
d5d890b72c052d9362254fe15a708a2a9217e859

SHA256
114ccd296024baa51c58b38eaae4f6cb69b791796d28d592d0a5fa8267703571

SHA512
753ce0b2cb63ec7583e011df472b4bf4e3cb7b47bdfd37532e15c1afbb24f371d3b2e0e333b23715464428e33206b5c98ab0d71b68ff01886fa9b5517e569934

Download Submit
/data/data/com.fihuxoyareru.xusopasu/no_backup/androidx.work.workdb-wal

Filesize
108KB

MD5
96d040acc992db7533cec77861f72ab8

SHA1
db70fc99b507af54a1368d9959f651ace83ff806

SHA256
346652ab09c1e5bb0e9c311384cd99437f7adda3a1df3402a32a9afa4c4a3356

SHA512
bff88dcd9e046f6f06ad847f19bd8789d154722aab29d0fde502c63e1d22e6ef88dbacd491525c40743c44bceb693a07761e5206355df7e87b303c60d41589c4

Download Submit
/data/data/com.fihuxoyareru.xusopasu/no_backup/androidx.work.workdb-wal

Filesize
156KB

MD5
e37ce898fdf67dc30edca922621749bf

SHA1
0bfcfae5288332e8b9de5eb88720831eaafd89a4

SHA256
c5e2c49da2af36d23a857f66ed1de1fe15acb40809767acbf69ac18de349e38e

SHA512
d6c77550a7afbb1a5bb641a2ac14051c98093c8985535e9d5853b706aa2ddd5e3f9d9bb43581c1db4dbf5342a97431588000ae673b2d3adf44d8da66af0c9bec

Download Submit
/data/data/com.fihuxoyareru.xusopasu/no_backup/androidx.work.workdb-wal

Filesize
16KB

MD5
8055618662ee37b589db522973b475c1

SHA1
ed4ef176821a2d76bfe345455daa4e79ff5dd039

SHA256
94b5f432ad077f05360c9dea9cb517a72a52256b908dac67197214c78b8e3fad

SHA512
de28bbf67f0084812dd622d3b8810c109c1a737b6d144ebdc0c8e3d2af8c7655c97394fe1fadf117e1bc5edc5eee66a8512d3a38a2e9e506e72a7da5073198bf

Download Submit
/data/user/0/com.fihuxoyareru.xusopasu/app_DynamicOptDex/pFdu.json

Filesize
1.5MB

MD5
889d59a2e5c15de2a79238837a28c9b7

SHA1
8eb6709ab52fd3f78c919fa4c692cd025c97c455

SHA256
ccc453f370d6b677b934a20d4e008950c2c7c31c5d77febd28fc2bb7583faad1

SHA512
76e6d56cde855c39d257c3c0fffa8201346f3ca920fe964b98e9f9807039a1350b58382b51561ee1fc7263365ea1752f761160aadede7b477efb5781c4cf939b

Download Submit
/data/user/0/com.fihuxoyareru.xusopasu/app_DynamicOptDex/pFdu.json

Filesize
1.5MB

MD5
3086665e8439a247fa1e1acf478009d6

SHA1
ca6f455f0ff58a854cf06c22aefaa602f7a8d749

SHA256
04536e1d865fe23c8b13920ad08bf986831e2adc65e459c64e1300667fbd8f0e

SHA512
d7da1554bf91270fb907bc00dba4f30c1b487e990c624b68558c1932c6cf07b48847d50caa6b6e891431f9d5307d3274f205009f6b73fa748b76514174c62cc3

Download Submit