hook | 2a2d38d4ae629349d817bffc4b668c0d3877b36c113635a6151685ebb12d2206

Analysis

max time kernel
1872994s
max time network
161s
platform
android_x64
resource
android-x64-arm64-20231215-en
resource tags

androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20231215-enlocale:en-usos:android-11-x64system
submitted
15-12-2023 22:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ac489064b5e34b4d918e4ad2444bc983a1ef9c84f6a1237a983803d2c6c6dcb1.apk
Size

4.0MB
MD5

9acb60849b8a8d5a65973b6f7fee8cc4
SHA1

38a6b3bee7b871bb74ba5cac0db7347cad902565
SHA256

ac489064b5e34b4d918e4ad2444bc983a1ef9c84f6a1237a983803d2c6c6dcb1
SHA512

7fa4c9310be6f71733e3da7a303d414f2f765b7b2182610a4ad17c5ec5e59a21c722accd01981fae532c66b5c0e33173d474d4c6b56eb7bc9e9dce477e035e5b
SSDEEP

98304:nvEXNj1C/CRvlG0yiBH0l+ijldZXVTFtd:nveV1KQvl7TBUQ6lrlTFz

Score

10^/10

hook evasion infostealer rat stealth trojan

Malware Config

Extracted

Family

hook

http://193.233.196.2:3434

AES_key

Signatures

Hook
Hook is an Android malware that is based on Ermac with RAT capabilities.
rat trojan infostealer hook

Makes use of the framework's Accessibility service 3 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.fihuxoyareru.xusopasu
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.fihuxoyareru.xusopasu
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText	com.fihuxoyareru.xusopasu

Removes its main activity from the application launcher 1 IoCs

stealth trojan

pid	Process
4452	com.fihuxoyareru.xusopasu

Loads dropped Dex/Jar 1 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/user/0/com.fihuxoyareru.xusopasu/app_DynamicOptDex/pFdu.json	4452	com.fihuxoyareru.xusopasu

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.fihuxoyareru.xusopasu

Reads information about phone network operator.

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs

evasion

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.fihuxoyareru.xusopasu

Uses Crypto APIs (Might try to encrypt user data) 1 IoCs

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.fihuxoyareru.xusopasu

com.fihuxoyareru.xusopasu
1⤵
- Makes use of the framework's Accessibility service
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Acquires the wake lock
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Uses Crypto APIs (Might try to encrypt user data)
PID:4452

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/com.fihuxoyareru.xusopasu/app_DynamicOptDex/oat/pFdu.json.cur.prof

Filesize
3KB

MD5
883e872ae6cf3d825b2e39cfa86be110

SHA1
033fa26425ef07d52d43e404e8b0481db184697b

SHA256
4f6cb3ca7cab884e91f5a43d57cdb99caa1ac83662d71e78f846d0a76befc0b8

SHA512
ecb3559136692ec15b11d3b1ebeb7a0b78ae2562f0348948a58d31f40a7400c528052870af099451bec4f32e1843379949eea2c22bd671edcb432417ee1adb4e

Download Submit
/data/user/0/com.fihuxoyareru.xusopasu/app_DynamicOptDex/pFdu.json

Filesize
705KB

MD5
10a9cb6f44bbe4a4b4c5b9cd9a18ec25

SHA1
a1b02cb626c82bd595667d5f6e377166e9a7ab8f

SHA256
51df2a75ff2687d40d62a9cd006e9d545ccfcf3a30db9c453052ba606fb91ae5

SHA512
15d5e1d25f818a10bedea134a602ab9f1ea470a6e4a5c0339308cdd30ae6fd13225af3ed35978f07056536d104949bc878aa8a5aae5eab5b9f980b3cd01dd863

Download Submit
/data/user/0/com.fihuxoyareru.xusopasu/app_DynamicOptDex/pFdu.json

Filesize
705KB

MD5
0bfbea6ad277350d6cc505204bf6b7fe

SHA1
117dea7c71fcf96fa235a8ed8064f6515fc02d1c

SHA256
30b96f66284897ca6926c6a28ccd9e480b8baed72a37e36767a7467af2d47176

SHA512
7ee1cfc9e3b884fa9f33c6b2bcaff96456ce018e974cdd3217beedd4c3638219d1aeee0e6f598a123baf8cad32b14001be8a9c33a8f96da5bc00a9c8f5133442

Download Submit
/data/user/0/com.fihuxoyareru.xusopasu/app_DynamicOptDex/pFdu.json

Filesize
1.5MB

MD5
3086665e8439a247fa1e1acf478009d6

SHA1
ca6f455f0ff58a854cf06c22aefaa602f7a8d749

SHA256
04536e1d865fe23c8b13920ad08bf986831e2adc65e459c64e1300667fbd8f0e

SHA512
d7da1554bf91270fb907bc00dba4f30c1b487e990c624b68558c1932c6cf07b48847d50caa6b6e891431f9d5307d3274f205009f6b73fa748b76514174c62cc3

Download Submit