hook | 2142671d090e4c857137bff71cc13f05a25fe1e95bb8fcf80f554f3adf29910a

Analysis

max time kernel
150s
max time network
162s
platform
android_x64
resource
android-x64-arm64-20240221-en
resource tags

androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240221-enlocale:en-usos:android-11-x64system
submitted
20-03-2024 22:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2142671d090e4c857137bff71cc13f05a25fe1e95bb8fcf80f554f3adf29910a.apk
Size

1.1MB
MD5

0b98aa107b4610cc9c2b15e685e9c802
SHA1

cf612eedbe423d7c30a4bf09c3e798e08a512458
SHA256

2142671d090e4c857137bff71cc13f05a25fe1e95bb8fcf80f554f3adf29910a
SHA512

ea2c03fb5194b4ff2957ffbcdda475924f4f99f86a83b747ff63725cf0789ecbd19b06db858bc7d7b433fe3fbb992f197417bf3954add8f3e3ace31131b3f3c4
SSDEEP

24576:BT282S4HtuWZ0p46B8ZJ8SV2BrpM7k9eLxg/Si:Ba82S4NZOp46B8Z60VLxg/p

Score

10^/10

hook banker collection discovery evasion infostealer rat stealth trojan

Malware Config

Extracted

Family

hook

http://170.64.183.64:3434

AES_key

Signatures

Hook
Hook is an Android malware that is based on Ermac with RAT capabilities.
rat trojan infostealer hook

Makes use of the framework's Accessibility service 2 TTPs 3 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion

Input Injection

T1516

Screen Capture

T1513

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.ranixebovura.delasawa
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText	com.ranixebovura.delasawa
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.ranixebovura.delasawa

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs 1 IoCs

banker discovery

Security Software Discovery

T1418.001

description	ioc	Process
Framework service call	android.content.pm.IPackageManager.getInstalledApplications	com.ranixebovura.delasawa

Removes its main activity from the application launcher 1 TTPs 1 IoCs

stealth trojan evasion

Suppress Application Icon

T1628.001

pid	Process
4452	com.ranixebovura.delasawa

Requests enabling of the accessibility settings. 1 IoCs

description	ioc	Process
Intent action	android.settings.ACCESSIBILITY_SETTINGS	com.ranixebovura.delasawa

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.ranixebovura.delasawa

Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422

Uses Crypto APIs (Might try to encrypt user data) 1 IoCs

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.ranixebovura.delasawa

com.ranixebovura.delasawa
1⤵
- Makes use of the framework's Accessibility service
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
- Removes its main activity from the application launcher
- Requests enabling of the accessibility settings.
- Acquires the wake lock
- Uses Crypto APIs (Might try to encrypt user data)
PID:4452

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1628

Suppress Application Icon

T1628.001

Input Injection

T1516

Credential Access

Discovery

Software Discovery

T1418

Security Software Discovery

T1418.001

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/com.ranixebovura.delasawa/no_backup/androidx.work.workdb

Filesize
4KB

MD5
7e858c4054eb00fcddc653a04e5cd1c6

SHA1
2e056bf31a8d78df136f02a62afeeca77f4faccf

SHA256
9010186c5c083155a45673017d1e31c2a178e63cc15a57bbffde4d1956a23dad

SHA512
d0c7a120940c8e637d5566ef179d01eff88a2c2650afda69ad2a46aad76533eaace192028bba3d60407b4e34a950e7560f95d9f9b8eebe361ef62897d88b30cb

Download Submit
/data/user/0/com.ranixebovura.delasawa/no_backup/androidx.work.workdb-journal

Filesize
512B

MD5
995aa1306c9b410e056d925a0a8dcefd

SHA1
4dc1a7a7e20e288c3430a1b570bcec2af5a0292e

SHA256
4958acb9c987b3cf29665b2730a6baaa52ceabe6e9a54e5c092560e9de205bef

SHA512
e64074b1bd1a8954821d425bac4fd88b4ddb7a68a3a34e212eee386e9134280844ef3b9f11e6d82863fb0123f970dd1468d7d69e8302678d31ace374dedf8d55

Download Submit
/data/user/0/com.ranixebovura.delasawa/no_backup/androidx.work.workdb-wal

Filesize
16KB

MD5
c9b36f34fbcf9b1e25742d529ac43f95

SHA1
b41bf31376d29ebfe04f3d8f559136fb99beea4b

SHA256
bb2ac4d2cc8aa96f8a9f393bbc15ce46b04488bc504a7f69c487a8c8eab4f047

SHA512
b340b61c6b66b36cfdc0adc24c23933a5f17ef7299f1a7f02a1707592dd3f1f3eea669ba5fa1df8ff5c701a607b97195c997de14c0ab4c7b81c037f130317609

Download Submit
/data/user/0/com.ranixebovura.delasawa/no_backup/androidx.work.workdb-wal

Filesize
108KB

MD5
4b376a5d3b7ccd98c6a93854831fe837

SHA1
e9847e6c7192c7cb85f240f0d1d290e326e04333

SHA256
38819e54acb83b063a29eef6e2f93bb22a311e0541fc01acc0f273b063da088f

SHA512
f97c5bd6432b713891db33375721a6fe2f925aca7afe56a665f0183e46c15ff98727d79782aa4c700233e7ecd46e8ff09668a42cbde78d7610845e5cdc36e3e8

Download Submit
/data/user/0/com.ranixebovura.delasawa/no_backup/androidx.work.workdb-wal

Filesize
173KB

MD5
eb71fbdd3556d444a9662d523a849ac5

SHA1
bf198081cddddb81fd8ba2149561c16080ca73e9

SHA256
e4c417638753622ceab68cd28173c132e6ea87a574a27ccbe32191cf4f48a824

SHA512
87e2b77c280d41416a983998db03940bf376b88564c8e949845c780f5df23982b2f28d678271ae7cea254ad97f86a6f31a5fbdf1d369a3fa86667dc68d51c18d

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads