hook | 7c7e4213746a2816953fc46ce73e69a1b38ded44263a810a4eaedde8511800a2

Analysis

max time kernel
150s
max time network
156s
platform
android_x64
resource
android-x64-20240221-en
resource tags

androidarch:x64arch:x86image:android-x64-20240221-enlocale:en-usos:android-10-x64system
submitted
23-02-2024 23:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7c7e4213746a2816953fc46ce73e69a1b38ded44263a810a4eaedde8511800a2.apk
Size

1.1MB
MD5

a9cb55488b48219352f8c0eb7b5c3b72
SHA1

5bd952beda27c8c16d88a3ac5e55a1ff9f1e67ef
SHA256

7c7e4213746a2816953fc46ce73e69a1b38ded44263a810a4eaedde8511800a2
SHA512

9fb71720a0a6322e2d86fa349cb9c5dcdc78fe2e2f93601d403bf4ea1b87488d0b8006e3b0dd5cf29d08d6f525f919e9fa47e13c7bb9cd54b48fab8622f6e246
SSDEEP

24576:f0AVatewyf+fWGsGzGYPz2LXR5yPkoMOgSYv:M+j2fWGPXyDD2TgSE

Score

10^/10

hook collection discovery evasion infostealer rat trojan

Malware Config

Extracted

Family

hook

http://93.123.39.169

AES_key

Signatures

Hook
Hook is an Android malware that is based on Ermac with RAT capabilities.
rat trojan infostealer hook

Makes use of the framework's Accessibility service 2 TTPs 3 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion

Input Injection

T1516

Screen Capture

T1513

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.tencent.mm
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText	com.tencent.mm
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.tencent.mm

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.tencent.mm

Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422

Uses Crypto APIs (Might try to encrypt user data) 1 IoCs

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.tencent.mm

com.tencent.mm
1⤵
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Uses Crypto APIs (Might try to encrypt user data)
PID:5051

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Input Injection

T1516

Credential Access

Discovery

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.tencent.mm/no_backup/androidx.work.workdb

Filesize
4KB

MD5
f2b4b0190b9f384ca885f0c8c9b14700

SHA1
934ff2646757b5b6e7f20f6a0aa76c7f995d9361

SHA256
0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

SHA512
ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

Download Submit
/data/data/com.tencent.mm/no_backup/androidx.work.workdb-journal

Filesize
512B

MD5
9a8da649c1ff6ab9d9ab16b4674c25db

SHA1
4b9e6213b51d81544b534acec22d16b9455db5cd

SHA256
df2b2514546669261b2cb36e9542a7a050dfd5a95514ff80b4f597649d16e151

SHA512
4ee4eca42e237b31a0adea9020626a3bc02c6f0e79157d31211e361cc071f7e2cae9905ca3164ac0cd37a3e497f4f1e560f882e839e9f3c4148c423f794bf8a8

Download Submit
/data/data/com.tencent.mm/no_backup/androidx.work.workdb-wal

Filesize
16KB

MD5
a26e8112ad926b917b1cfc9ef194cece

SHA1
83c9cf9ccc8225f069cb15a5b502db7ccd4ea50e

SHA256
e206cd5e4b158f4f7de0980663a857351c3b2bfc5c277792700ace57653c1992

SHA512
002dcda5ff0a69138d94c3856717b69b2686492c833a7133ed1f3c3aff1487ecffbbc293a779633b54a4002bf4683211444c24c7c796200c080f38a694b75d9c

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads