hook | 0af0346e32955f66d6de014d6bbb096337ffc1632b62a077034f8426ef9c365c

General

Target

0af0346e32955f66d6de014d6bbb096337ffc1632b62a077034f8426ef9c365c.apk
Size

3.8MB
MD5

8fb4312542d665397898fcae12d9a7d3
SHA1

7dfee7eced4717e0b11ee828bf04cc9678be877a
SHA256

0af0346e32955f66d6de014d6bbb096337ffc1632b62a077034f8426ef9c365c
SHA512

161e16b76d46f11f6511007ab854e4a0d68e42eb7c795b137d417bf100c4c7412ccdfb8850a9f7445da271df02681779becaf1e5300e609f49a99be687b375e6
SSDEEP

98304:zImjEiCIHoP9M3ywsFhXFgTtGkpZjOjjuJoy0VFm/:jExvVM3y/LXF6ttpJ6yk2

Score

10^/10

hook collection discovery evasion infostealer rat trojan

Malware Config

Extracted

Family

hook

C2

http://aubhdva.xyz ; http://aubhtri.xyz ; http://aunuredvac.xyz

http://aubhdva.xyz

AES_key

Signatures

Hook
Hook is an Android malware that is based on Ermac with RAT capabilities.
rat trojan infostealer hook

Makes use of the framework's Accessibility service 2 TTPs 3 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion

Input Injection

T1516

Screen Capture

T1513

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.nlaodavro.nlafdfhgs
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.nlaodavro.nlafdfhgs
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText	com.nlaodavro.nlafdfhgs

Loads dropped Dex/Jar 3 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/user/0/com.nlaodavro.nlafdfhgs/app_app_dex/dulesgl.uur	4270	com.nlaodavro.nlafdfhgs
/data/user/0/com.nlaodavro.nlafdfhgs/app_app_dex/dulesgl.uur	4299	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.nlaodavro.nlafdfhgs/app_app_dex/dulesgl.uur --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.nlaodavro.nlafdfhgs/app_app_dex/oat/x86/dulesgl.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/com.nlaodavro.nlafdfhgs/app_app_dex/dulesgl.uur	4270	com.nlaodavro.nlafdfhgs

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.nlaodavro.nlafdfhgs

Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs

evasion

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.nlaodavro.nlafdfhgs

Uses Crypto APIs (Might try to encrypt user data) 1 IoCs

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.nlaodavro.nlafdfhgs

com.nlaodavro.nlafdfhgs
1⤵
- Makes use of the framework's Accessibility service
- Loads dropped Dex/Jar
- Acquires the wake lock
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Uses Crypto APIs (Might try to encrypt user data)
PID:4270
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.nlaodavro.nlafdfhgs/app_app_dex/dulesgl.uur --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.nlaodavro.nlafdfhgs/app_app_dex/oat/x86/dulesgl.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4299

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Input Injection

1

T1516

Credential Access

Discovery

System Network Configuration Discovery

1

T1422

Lateral Movement

Collection

Screen Capture

1

T1513

Command and Control

Exfiltration

Impact

Input Injection

1

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.nlaodavro.nlafdfhgs/app_app_dex/dulesgl.uur

Filesize
82KB

MD5
28b49fbcfccde07b33c5860f193d81e1

SHA1
127f9803863783d7ffd6aecc037bc3ef1f56edad

SHA256
32780212fef91c3d1600dbbf4fe5a004dc41d3d5c664b6abfc0d09251370d91d

SHA512
89156b3f5d73ae265e8e28944a16d606be18fd6bd345de57282006332cc6e009d508afb8f1369f25973066906bdd6760ae13eedb71e92c68463210d3f28ad1a6

Download Submit
/data/data/com.nlaodavro.nlafdfhgs/no_backup/androidx.work.workdb

Filesize
4KB

MD5
f2b4b0190b9f384ca885f0c8c9b14700

SHA1
934ff2646757b5b6e7f20f6a0aa76c7f995d9361

SHA256
0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

SHA512
ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

Download Submit
/data/data/com.nlaodavro.nlafdfhgs/no_backup/androidx.work.workdb-journal

Filesize
512B

MD5
447895423c16df7e1761dc90f75bca34

SHA1
fbcb33155a6143f51ac5017f07ea013bc8c5628b

SHA256
ebc6dbdfc4f9b662d8b2e4cc5a00a14adc24c22a4cfca90994fb5945fa83d86e

SHA512
982ad7d6afa3b0fc82fdf4936ca53886dd1aac2e0e6a72ea6f0dd35f09844eb0e9a9b54cdc62f414d13a86f028da5794ad1ff38922ca57eeeccda15c32e699f0

Download Submit
/data/data/com.nlaodavro.nlafdfhgs/no_backup/androidx.work.workdb-shm

Filesize
28KB

MD5
cf845a781c107ec1346e849c9dd1b7e8

SHA1
b44ccc7f7d519352422e59ee8b0bdbac881768a7

SHA256
18619b678a5c207a971a0aa931604f48162e307c57ecdec450d5f095fe9f32c7

SHA512
4802861ea06dc7fb85229a3c8f04e707a084f1ba516510c6f269821b33c8ee4ebf495258fe5bee4850668a5aac1a45f0edf51580da13b7ee160a29d067c67612

Download Submit
/data/data/com.nlaodavro.nlafdfhgs/no_backup/androidx.work.workdb-wal

Filesize
16KB

MD5
e7884e8944a676f97c904e19b6b41405

SHA1
748c808ce5e1a510e315861bba8fb73c5e93673d

SHA256
10dfffaef702909de0a5275c93774382c3f0fdd11a03e254d73fba88efa6034c

SHA512
6e2aa2c38ec4efdc52dad75015aabef17c3ec753638db7033da8c58d505fd2a80413a383aa61773ff54d9cd6b4908bd332f18f239d61d94cc48234add4c19b70

Download Submit
/data/user/0/com.nlaodavro.nlafdfhgs/app_app_dex/dulesgl.uur

Filesize
2.0MB

MD5
4c4c0b603b5bbf84ad37a2143fd378c3

SHA1
64170790557e6085326c058d159e1cb685d9667e

SHA256
58d7b25ba910dad3997c09c38bba97c49b47fd0fa83ae61121677a44f63bf3f2

SHA512
e990ed173b06409d415d4990d2df27bd7bd16b8ae84cfe1e75b90500842b5deba7d00f28c59148a34fa85acf30f0e3d547b3387bfecb6c5d146bebd12ab0772a

Download Submit
/data/user/0/com.nlaodavro.nlafdfhgs/app_app_dex/dulesgl.uur

Filesize
2.0MB

MD5
8b02002d15065049370b00d8e9b265ed

SHA1
2956b0490d2600dc981a778ddaa64fbc45d6f7e3

SHA256
f4fd557df673e88934869e900821a5ec2e03bb7d1db85c4df0fad0dcce5d9448

SHA512
4655c906379fe8667ecc9b153d8523ffea44f789469986315609d4a3590513347fb2e5b08b4d831c40e10e8a2e57fd7cda1dad8f20be0ab54e1325682fb39af8

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads