Analysis

  • max time kernel
    153s
  • max time network
    158s
  • platform
    android_x64
  • resource
    android-x64-arm64-20240221-en
  • resource tags

    android, arch:arm, arch:arm64, arch:x64, arch:x86, image:android-x64-arm64-20240221-en, locale:en-us, os:android-11-x64, system
  • submitted
    14-03-2024 08:54

General

  • Target

    0121588ca4de977d77b3492af120588890cf758924fdb3412b780879d8d2192f.apk

  • Size

    3.3MB

  • MD5

    8d958576257733bd78fe81f84e768ed1

  • SHA1

    cd19e464b30b42d80a532cd994828696dc5f7b9b

  • SHA256

    0121588ca4de977d77b3492af120588890cf758924fdb3412b780879d8d2192f

  • SHA512

    9352203c5c06e69a2521041f3eb4751af80295ac50828b3e6a7d653198e6fb4db671b2fa214e3e3c166cf2a4c22ef54a5e87e40d6ce145a32a5c23b71a487683

  • SSDEEP

    98304:TAxM4GZm5vjgae1B4IIDjl5OMxeAPuYXv+r5Pd:xZwMaQ4ImlAYeQuYXv+r5F

Malware Config

Extracted

Family

hook

C2

http://77.246.108.116:3434

AES_key

3141317a5031655035514765666932444d505466544c35534c6d763744697666

Signatures

  • Hook

    Hook is an Android malware that is based on Ermac with RAT capabilities.

  • Makes use of the framework's Accessibility service (2 TTPs, 3 IoCs)

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Acquires the wake lock (1 IoC)
  • Uses Crypto APIs (Might try to encrypt user data) (1 IoC)

Processes

  • com.tencent.mm (PID 4428)
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Uses Crypto APIs (Might try to encrypt user data)

Network

  • DNS (US) android.apis.google.com
    Remote address: 1.1.1.1:53
    Request: android.apis.google.com IN A
    Response: android.apis.google.com IN CNAME clients.l.google.com
              clients.l.google.com IN A 142.250.180.14
  • DNS (US) ssl.google-analytics.com
    Remote address: 1.1.1.1:53
    Request: ssl.google-analytics.com IN A
    Response: ssl.google-analytics.com IN A 172.217.169.72
  • 142.250.187.206:443
    tls, https
    1.5kB
    40 B
    1
    1
  • 142.250.180.14:443
    android.apis.google.com
    tls
    6.7kB
    8.9kB
    27
    25
  • 77.246.108.116:3434
    240 B
    4
  • 172.217.169.72:443
    ssl.google-analytics.com
    tls
    1.3kB
    6.0kB
    8
    8
  • 77.246.108.116:3434
    420 B
    7
  • 77.246.108.116:3434
    420 B
    7
  • 77.246.108.116:3434
    240 B
    4
  • 77.246.108.116:3434
    240 B
    4
  • 172.217.169.4:443
    tls, https
    1.9kB
    40 B
    4
    1
  • 172.217.169.4:443
    www.google.com
    tls
    16.0kB
    11.9kB
    40
    32
  • 77.246.108.116:3434
    240 B
    4
  • 77.246.108.116:3434
    240 B
    4
  • 77.246.108.116:3434
    240 B
    4
  • 77.246.108.116:3434
    240 B
    4
  • 77.246.108.116:3434
    240 B
    4
  • 77.246.108.116:3434
    240 B
    4
  • 77.246.108.116:3434
    240 B
    4
  • 224.0.0.251:5353
    3.7kB
    11
  • 216.58.212.238:443
    https
    51 B
    50 B
    1
    1
  • 1.1.1.1:53
    android.apis.google.com
    dns
    69 B
    109 B
    1
    1
    DNS Request: android.apis.google.com
    DNS Response: 142.250.180.14
  • 1.1.1.1:53
    ssl.google-analytics.com
    dns
    70 B
    86 B
    1
    1
    DNS Request: ssl.google-analytics.com
    DNS Response: 172.217.169.72

MITRE ATT&CK Mobile v15

Downloads

  • /data/user/0/com.tencent.mm/no_backup/androidx.work.workdb

    Filesize

    4KB

    MD5

    7e858c4054eb00fcddc653a04e5cd1c6

    SHA1

    2e056bf31a8d78df136f02a62afeeca77f4faccf

    SHA256

    9010186c5c083155a45673017d1e31c2a178e63cc15a57bbffde4d1956a23dad

    SHA512

    d0c7a120940c8e637d5566ef179d01eff88a2c2650afda69ad2a46aad76533eaace192028bba3d60407b4e34a950e7560f95d9f9b8eebe361ef62897d88b30cb

  • /data/user/0/com.tencent.mm/no_backup/androidx.work.workdb-journal

    Filesize

    512B

    MD5

    93fac0136e6d61d0e26f9aa0dfa3c62f

    SHA1

    6bfb8175fab6c80b0eb5f54066b3993a2ad11168

    SHA256

    1c3fa5313c4a77b966c96f7b6e798621f810dd2e2de36cf093245380c2cd8312

    SHA512

    f0de14e9f237747160d2b3f4f1cf57d228a9828ee61a90b3db0db313a45a8eddfbada15bb294966c0367e9fcc144daf4d431618dc319d895b43f5277d89fd664

  • /data/user/0/com.tencent.mm/no_backup/androidx.work.workdb-wal

    Filesize

    16KB

    MD5

    769ed9fb810b48cc79cf16973f2148cb

    SHA1

    c17b991803febb97f27598897d515abd455eb6bc

    SHA256

    adca7f522041947c0b884197a4534e0e2c1a35e5220bc18c43e17b245f70fac2

    SHA512

    fd136c1bbf3f60f00881f527ad835ea1e906f92eaa26f46c44287fdae386795480fc1f0313ef126a0a80315d83ccfc253ec11f3d78f0772d3c10ec944041ffd1

  • /data/user/0/com.tencent.mm/no_backup/androidx.work.workdb-wal

    Filesize

    108KB

    MD5

    e6e35d7ba0a9a6303c1ea649bfd92a13

    SHA1

    8fc9bf23b8a9b35b713216063d7f1a3ee09c5757

    SHA256

    339634f7d38349e3aa7f5b7f760f97def403a4f3631d29690906504138d78dc2

    SHA512

    d4332606472b0b429a592db03aaf3b899461315837095c71ab7491f08a9e0130aa2c9534d0af1c0ae01686b577f2189987e79ece2fe53f9aac88adb79470d052

  • /data/user/0/com.tencent.mm/no_backup/androidx.work.workdb-wal

    Filesize

    173KB

    MD5

    2b20e14f96362c7ff0a40aee8c26217b

    SHA1

    4036cdf81b45e9a8a946803fbbcbe55307da2af4

    SHA256

    b5cc584988358d601266569768e1ecde79704a22c845ea3c96459c01b85bbd7c

    SHA512

    659104284fdf0602cc578cd87e11ed4ec1bd7a4239474ba849cb95ae95d4cd8412ec7659ab7dd4ccfed6873722ff198281983f1a9bbb9034df57361aadce7537
