hook | ed0558cfbfbbffab7bfc500f5a458bf08178ab1a9ee08b79c7e9c1edb21442ff

Analysis

max time kernel
153s
max time network
150s
platform
android_x64
resource
android-x64-20240221-en
resource tags

androidarch:x64arch:x86image:android-x64-20240221-enlocale:en-usos:android-10-x64system
submitted
05-03-2024 22:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ed0558cfbfbbffab7bfc500f5a458bf08178ab1a9ee08b79c7e9c1edb21442ff.apk
Size

3.6MB
MD5

5d391a83a4c4f2e11bd9af3fce04118b
SHA1

1e373a16fa1e27c17ac42ec9e2f638ee5d8dfd11
SHA256

ed0558cfbfbbffab7bfc500f5a458bf08178ab1a9ee08b79c7e9c1edb21442ff
SHA512

d4ff82ca5f835f360e0b1f2c312537890054d21ea168e7cbd628ca85a762ae6d0f628a24609525f95b7f7c8293d30354a1fd8f16e86cb536e1f1d0ea44ae6a27
SSDEEP

98304:0ZQ6ESsYwdh29tDVnyFSQRH7JSaV2ShayXLe:JJPdQtVrCbL2ShaJ

Score

10^/10

hook collection discovery evasion infostealer rat trojan

Malware Config

Extracted

Family

hook

http://127.0.0.1:3434

AES_key

Signatures

Hook
Hook is an Android malware that is based on Ermac with RAT capabilities.
rat trojan infostealer hook

Makes use of the framework's Accessibility service 2 TTPs 3 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion

Input Injection

T1516

Screen Capture

T1513

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.tencent.mm
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText	com.tencent.mm
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.tencent.mm

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.tencent.mm

Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422

Uses Crypto APIs (Might try to encrypt user data) 1 IoCs

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.tencent.mm

com.tencent.mm
1⤵
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Uses Crypto APIs (Might try to encrypt user data)
PID:4999

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Input Injection

T1516

Credential Access

Discovery

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-wal

Filesize
156KB

MD5
66d8f182ffe54b54617be3ab0924d60d

SHA1
25e2fff642e7a1d0213d985096e9afb0e57bec06

SHA256
b15bd18c79ae0b56f5ac81e7969972b1c49e2c36e969a7f006bd93be807b2760

SHA512
c3be073dd44bd3ba629596a2f3536712add5e9ab71eef94a6073ea514fa43c1f83e398efa656c32744573eb29d559d7424b25fdd42c03f2494f40eac46bc60fa

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads