hook | 5789aeb0d77bd94cb024c2baeda436ee0361ecf68b474a8185a933b5dee000ce

Analysis

max time kernel
151s
max time network
161s
platform
android_x64
resource
android-x64-20231215-en
resource tags

androidarch:x64arch:x86image:android-x64-20231215-enlocale:en-usos:android-10-x64system
submitted
19-02-2024 22:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5789aeb0d77bd94cb024c2baeda436ee0361ecf68b474a8185a933b5dee000ce.apk
Size

1.9MB
MD5

4801b59592e9a335cef4a3e210f38c68
SHA1

089cb14e41feec7fcffa1ca934f15db33d5bae90
SHA256

5789aeb0d77bd94cb024c2baeda436ee0361ecf68b474a8185a933b5dee000ce
SHA512

23d052f51fb2fc48b7f5fd77f1f5d69a6ed1e0ddcf82c3ba74b0aa26bdacb38f6893c06eb4aa6b648a84a6e3ca1f977f2c4722831c89f67b386f3a2c7ecfc4d4
SSDEEP

49152:WEmKrjPT0dWF05dLMVTFdr4pstRMhE5cJ5nh2:JPP4dWWbMVTFdr4ePh5c2

Score

10^/10

hook banker infostealer rat stealth trojan

Malware Config

Extracted

Family

hook

http://94.177.106.48:3434

AES_key

Signatures

Hook
Hook is an Android malware that is based on Ermac with RAT capabilities.
rat trojan infostealer hook

Makes use of the framework's Accessibility service 3 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	hello.bro.wroklations
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	hello.bro.wroklations
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText	hello.bro.wroklations

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 IoCs

banker

description	ioc	Process
Framework service call	android.content.pm.IPackageManager.getInstalledApplications	hello.bro.wroklations

Removes its main activity from the application launcher 1 IoCs

stealth trojan

pid	Process
4985	hello.bro.wroklations

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	hello.bro.wroklations

Reads information about phone network operator.

Uses Crypto APIs (Might try to encrypt user data) 1 IoCs

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	hello.bro.wroklations

hello.bro.wroklations
1⤵
- Makes use of the framework's Accessibility service
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
- Removes its main activity from the application launcher
- Acquires the wake lock
- Uses Crypto APIs (Might try to encrypt user data)
PID:4985

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/hello.bro.wroklations/no_backup/androidx.work.workdb

Filesize
4KB

MD5
f2b4b0190b9f384ca885f0c8c9b14700

SHA1
934ff2646757b5b6e7f20f6a0aa76c7f995d9361

SHA256
0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

SHA512
ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

Download Submit
/data/data/hello.bro.wroklations/no_backup/androidx.work.workdb-journal

Filesize
512B

MD5
8ec11d13fe39dafd4ed99355f9a69d22

SHA1
0e3779fea8b27c66e91b0fecbec1b80ebb59747e

SHA256
7cd7ac479fffad715891db72e504b5eb879cce3900fa65da6deb0603e626137c

SHA512
a60ad499501f0ebfbfcf85e63a5e13e7e3651f0368409b81706155bdb500ca085d7d30c9776ba3602fb9f6213512d261eb4ad2ae4af673604214597d8a3b10e9

Download Submit
/data/data/hello.bro.wroklations/no_backup/androidx.work.workdb-wal

Filesize
16KB

MD5
aa7bc1e33238bb2f2053626cb265b8ef

SHA1
eb9e3912ba87668fdee1607fcb1c04448b5b5b8f

SHA256
141bad3bd81a019e7a0ed6365b7f2d8ff92f9c6c5a3c1a0e903d79a4407a6ca7

SHA512
b3bd637da6fbcb6b4dee6b8ce0b4b9f7048b905e83a647f70c4afc404efd3dec1e8d7df24ae6947ea0226808bf1d8c2f52cacd19d68e5b438dece3e2e37f51fe

Download Submit