hook | c3091c704358f7b326543e9304499e2e5f1e27fcc43d84750c48fda232e37ee6

Analysis

max time kernel
153s
max time network
157s
platform
android_x64
resource
android-x64-20240221-en
resource tags

androidarch:x64arch:x86image:android-x64-20240221-enlocale:en-usos:android-10-x64system
submitted
01-04-2024 22:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c3091c704358f7b326543e9304499e2e5f1e27fcc43d84750c48fda232e37ee6.apk
Size

3.5MB
MD5

447868eb6480e83644df360ac8cb42ce
SHA1

500c2b6e50511afcfe385a68bc279d2549894abf
SHA256

c3091c704358f7b326543e9304499e2e5f1e27fcc43d84750c48fda232e37ee6
SHA512

f439c758ef63151d5b012479268dca13c63229dd6e2a064ad46da227aeb4621f0021e3135c02aec4c8ecb1580a955da2d47bb1cc614aa7ca0466027ed8d3a518
SSDEEP

98304:1B5GqqzNIClptDm9P6boJtD15qZ3O+BsaojFuf:HMLH3tqP6boJtjjqyI

Score

10^/10

hook collection discovery evasion infostealer persistence rat stealth trojan

Malware Config

Extracted

Family

hook

http://137.184.228.202:3434

AES_key

Signatures

Hook
Hook is an Android malware that is based on Ermac with RAT capabilities.
rat trojan infostealer hook

Makes use of the framework's Accessibility service 2 TTPs 3 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion

Input Injection

T1516

Screen Capture

T1513

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.vazefowocezaga.zice
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText	com.vazefowocezaga.zice
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.vazefowocezaga.zice

Removes its main activity from the application launcher 1 TTPs 1 IoCs

stealth trojan evasion

Suppress Application Icon

T1628.001

pid	Process
5054	com.vazefowocezaga.zice

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

evasion persistence

Foreground Persistence

T1541

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	com.vazefowocezaga.zice

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.vazefowocezaga.zice

Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422

Uses Crypto APIs (Might try to encrypt user data) 1 IoCs

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.vazefowocezaga.zice

com.vazefowocezaga.zice
1⤵
- Makes use of the framework's Accessibility service
- Removes its main activity from the application launcher
- Makes use of the framework's foreground persistence service
- Acquires the wake lock
- Uses Crypto APIs (Might try to encrypt user data)
PID:5054

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Foreground Persistence

T1541

Privilege Escalation

Defense Evasion

Foreground Persistence

T1541

Hide Artifacts

T1628

Suppress Application Icon

T1628.001

Input Injection

T1516

Credential Access

Discovery

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.vazefowocezaga.zice/no_backup/androidx.work.workdb

Filesize
4KB

MD5
f2b4b0190b9f384ca885f0c8c9b14700

SHA1
934ff2646757b5b6e7f20f6a0aa76c7f995d9361

SHA256
0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

SHA512
ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

Download Submit
/data/data/com.vazefowocezaga.zice/no_backup/androidx.work.workdb-journal

Filesize
512B

MD5
f110ea0c0f4b9dd31c9551f0c7f16647

SHA1
3b359a9efe8eacfa6cb2dba39331ff09ee18b12e

SHA256
d2147d267b04b893388536cf687518d3109f1ee212e883466dc91a0a9fd6c7bb

SHA512
32d78b5c8220a01810eeb9463315d1983b4eb8b5284de8be592e99fd850de0fa6c1bef28fdfb9a3763947f047263e39859d95dd4d26e75f5546d1a6c9cd4ce41

Download Submit
/data/data/com.vazefowocezaga.zice/no_backup/androidx.work.workdb-shm

Filesize
32KB

MD5
bb7df04e1b0a2570657527a7e108ae23

SHA1
5188431849b4613152fd7bdba6a3ff0a4fd6424b

SHA256
c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

SHA512
768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Download Submit
/data/data/com.vazefowocezaga.zice/no_backup/androidx.work.workdb-wal

Filesize
16KB

MD5
2bd6c20cda60ba212d40410eec62fd61

SHA1
c23d34a9b1397563897a37dab6833dfcc477d822

SHA256
f1e201cbfc26753138aebcf8d28738abdc1253c3f7fd1e00a9c718a8abeaab5c

SHA512
4f4d11f4662eac6c1ecc40c755c290dba6d0afd34651649c524e132d0858e1180262ce9aaf17d321edd4c3462f0b9c11a09066f3b300f6c0377bc7cd106b9323

Download Submit
/data/data/com.vazefowocezaga.zice/no_backup/androidx.work.workdb-wal

Filesize
108KB

MD5
6a74221ce117babb014a646c3e861427

SHA1
00872e66d99059f56b0142b1d5b48134c96380d0

SHA256
bd8e27d32437bdd3527ea072b16a63d6031a28f2df44f32469afdcefa06956b6

SHA512
7373abd2d34467cf7db9f7e89d50d4119bdf4f92d77bf2d769ef2fd9a56248374b5781902d5db58ed0644b2373234d10d8c64692d4d81f89dc5589167ba098ab

Download Submit
/data/data/com.vazefowocezaga.zice/no_backup/androidx.work.workdb-wal

Filesize
173KB

MD5
6ee7f940846189675f7b696174563b24

SHA1
d376154a1ef484b8f07816c2725a558a254abc36

SHA256
fcb4e1c69b0020824650cebed1ad65ed8e1a2569c28532f1f735dd2697abb048

SHA512
8527928256e2a8859be96a6a6ed3fb955dc878cd83c60d12f673e1e8ea2af169f8d3a10b5b5028a7d421f29e1ef2b48bd2119c249bd3e4c73a5718d8fc479608

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads