hook | 820e9e9c1f7f6148c94e647a175ede95e41efdd882fd4b0177ad443ce8b95e04

Analysis

max time kernel
61s
max time network
69s
platform
android_x64
resource
android-x64-20240221-en
resource tags

androidarch:x64arch:x86image:android-x64-20240221-enlocale:en-usos:android-10-x64system
submitted
19/04/2024, 11:36 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

820e9e9c1f7f6148c94e647a175ede95e41efdd882fd4b0177ad443ce8b95e04.apk
Size

3.3MB
MD5

fed46ad35d269dd4fff2e000143b5a62
SHA1

ab44009839aa65c28652262ffc206d0ffed8f2c8
SHA256

820e9e9c1f7f6148c94e647a175ede95e41efdd882fd4b0177ad443ce8b95e04
SHA512

9b0c177839f9030ab2e71d8bb961f239ce87326f420cf179cd4553023d740917f3cdca4378a5922f48155dec68575beda230c246989f2fbab76ae729499cdbf8
SSDEEP

98304:Oc9piReR5PEVJxhHsqY8bkY42LlS/aeHELijWG:leoRe1Zk925b+jWG

Score

10^/10

hook collection discovery evasion infostealer persistence rat stealth trojan

Malware Config

Extracted

Family

hook

http://163.5.169.19:3434

AES_key

1
555541554b68526b726d546d5064784e5269656e47484b4b7a646954754b7a63

Signatures

Hook
Hook is an Android malware that is based on Ermac with RAT capabilities.
rat trojan infostealer hook

Makes use of the framework's Accessibility service 2 TTPs 3 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion

Input Injection

T1516

Screen Capture

T1513

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.tencent.mm
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.tencent.mm
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText	com.tencent.mm

Removes its main activity from the application launcher 1 TTPs 1 IoCs

stealth trojan evasion

Suppress Application Icon

T1628.001

pid	Process
5018	com.tencent.mm

Checks CPU information 2 TTPs 1 IoCs

Checks CPU information which indicate if the system is an emulator.

evasion discovery

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	com.tencent.mm

Checks memory information 2 TTPs 1 IoCs

Checks memory information which indicate if the system is an emulator.

evasion discovery

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	com.tencent.mm

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

evasion persistence

Foreground Persistence

T1541

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	com.tencent.mm

Queries information about running processes on the device. 1 TTPs 1 IoCs

Application may abuse the framework's APIs to collect information about running processes on the device.

discovery

Process Discovery

T1424

description	ioc	Process
Framework service call	android.app.IActivityManager.getRunningAppProcesses	com.tencent.mm

Queries information about the current Wi-Fi connection. 1 TTPs 1 IoCs

Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

discovery

System Network Connections Discovery

T1421

description	ioc	Process
Framework service call	android.net.wifi.IWifiManager.getConnectionInfo	com.tencent.mm

Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.tencent.mm

Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422

Uses Crypto APIs (Might try to encrypt user data) 1 IoCs

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.tencent.mm

com.tencent.mm
1⤵
- Makes use of the framework's Accessibility service
- Removes its main activity from the application launcher
- Checks CPU information
- Checks memory information
- Makes use of the framework's foreground persistence service
- Queries information about running processes on the device.
- Queries information about the current Wi-Fi connection.
- Acquires the wake lock
- Uses Crypto APIs (Might try to encrypt user data)
PID:5018

Network

DNS

ssl.google-analytics.com

Remote address:

1.1.1.1:53

Request

ssl.google-analytics.com

IN A

Response

ssl.google-analytics.com

IN A

142.250.178.8
DNS

android.apis.google.com

Remote address:

1.1.1.1:53

Request

android.apis.google.com

IN A

Response

android.apis.google.com

IN CNAME

clients.l.google.com

clients.l.google.com

IN A

142.250.178.14
DNS

accounts.google.com

Remote address:

1.1.1.1:53

Request

accounts.google.com

IN A

Response

accounts.google.com

IN A

66.102.1.84
DNS

accounts.google.com

Remote address:

1.1.1.1:53

Request

accounts.google.com

IN A

Response

accounts.google.com

IN A

74.125.71.84
DNS

static.xx.fbcdn.net

Remote address:

1.1.1.1:53

Request

static.xx.fbcdn.net

IN A

Response

static.xx.fbcdn.net

IN CNAME

scontent.xx.fbcdn.net

scontent.xx.fbcdn.net

IN A

157.240.214.11
DNS

m.youtube.com

Remote address:

1.1.1.1:53

Request

m.youtube.com

IN A

Response

m.youtube.com

IN A

142.250.187.206
DNS

images-na.ssl-images-amazon.com

Remote address:

1.1.1.1:53

Request

images-na.ssl-images-amazon.com

IN A

Response

images-na.ssl-images-amazon.com

IN CNAME

m.media-amazon.com

m.media-amazon.com

IN CNAME

tp.c47710ee9-frontier.media-amazon.com

tp.c47710ee9-frontier.media-amazon.com

IN CNAME

f.media-amazon.com

f.media-amazon.com

IN CNAME

media.amazon.map.fastly.net

media.amazon.map.fastly.net

IN A

151.101.193.16

media.amazon.map.fastly.net

IN A

151.101.1.16

media.amazon.map.fastly.net

IN A

151.101.65.16

media.amazon.map.fastly.net

IN A

151.101.129.16
DNS

en.m.wikipedia.org

Remote address:

1.1.1.1:53

Request

en.m.wikipedia.org

IN A

Response

en.m.wikipedia.org

IN CNAME

dyna.wikimedia.org

dyna.wikimedia.org

IN A

185.15.59.224
DNS

a.espncdn.com

Remote address:

1.1.1.1:53

Request

a.espncdn.com

IN A

Response

a.espncdn.com

IN CNAME

a.espncdn.com.stls.edgesuite.net

a.espncdn.com.stls.edgesuite.net

IN CNAME

a1793.dscg1.akamai.net

a1793.dscg1.akamai.net

IN A

88.221.135.114

a1793.dscg1.akamai.net

IN A

88.221.134.131
DNS

s.yimg.com

Remote address:

1.1.1.1:53

Request

s.yimg.com

IN A

Response

s.yimg.com

IN CNAME

edge.gycpi.b.yahoodns.net

edge.gycpi.b.yahoodns.net

IN A

87.248.114.12

edge.gycpi.b.yahoodns.net

IN A

87.248.114.11
DNS

ir.ebaystatic.com

Remote address:

1.1.1.1:53

Request

ir.ebaystatic.com

IN A

Response

ir.ebaystatic.com

IN CNAME

ir.ebaycdn.net

ir.ebaycdn.net

IN CNAME

ebaystatic.ebay.map.fastly.net

ebaystatic.ebay.map.fastly.net

IN A

151.101.2.206

ebaystatic.ebay.map.fastly.net

IN A

151.101.194.206

ebaystatic.ebay.map.fastly.net

IN A

151.101.66.206

ebaystatic.ebay.map.fastly.net

IN A

151.101.130.206
DNS

www.instagram.com

Remote address:

1.1.1.1:53

Request

www.instagram.com

IN A

Response

www.instagram.com

IN CNAME

z-p42-instagram.c10r.instagram.com

z-p42-instagram.c10r.instagram.com

IN A

163.70.151.174
GET

http://a.espncdn.com/wireless/mw5/r1/images/bookmark-icons/espn_icon-152x152.min.png

Remote address:

88.221.135.114:80

Request

GET /wireless/mw5/r1/images/bookmark-icons/espn_icon-152x152.min.png HTTP/1.1
Host: a.espncdn.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Linux; Android 10; Android SDK built for x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.185 Mobile Safari/537.36
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9

Response

HTTP/1.1 200 OK

Last-Modified: Sat, 02 Jun 2018 13:44:29 GMT
ETag: "9ac9e9363b76587769dda7c61107e9a9"
Server: AmazonS3
Content-Type: image/png
Content-Length: 2790
Accept-Ranges: bytes
Cache-Control: max-age=2431
Date: Fri, 19 Apr 2024 11:37:03 GMT
Connection: keep-alive
Access-Control-Allow-Origin: *
DNS

www.google.com

Remote address:

1.1.1.1:53

Request

www.google.com

IN A

Response

www.google.com

IN A

216.58.201.100
DNS

update.googleapis.com

Remote address:

1.1.1.1:53

Request

update.googleapis.com

IN A

Response

update.googleapis.com

IN A

172.217.169.3
DNS

amxcqhoedyf

Remote address:

1.1.1.1:53

Request

amxcqhoedyf

IN A

Response
DNS

bdvfsnuoyiqj

Remote address:

1.1.1.1:53

Request

bdvfsnuoyiqj

IN A

Response
DNS

lhedreuibzp

Remote address:

1.1.1.1:53

Request

lhedreuibzp

IN A

Response

142.250.178.8:443

ssl.google-analytics.com

tls

1.3kB
6.1kB
9
9
163.5.169.19:3434

240 B
4
163.5.169.19:3434

360 B
6
163.5.169.19:3434

360 B
6
142.250.187.206:443

tls, https

857 B
40 B
1
1
142.250.178.14:443

android.apis.google.com

tls

2.8kB
7.0kB
10
15
163.5.169.19:3434

240 B
4
163.5.169.19:3434

360 B
6
163.5.169.19:3434

360 B
6
66.102.1.84:443

accounts.google.com

tls

893 B
4.7kB
8
7
74.125.71.84:443

accounts.google.com

tls

1.9kB
7.3kB
15
15
157.240.214.11:443

static.xx.fbcdn.net

tls

1.5kB
7.1kB
11
13
142.250.187.206:443

m.youtube.com

tls

5.4kB
112.2kB
71
85
151.101.193.16:443

images-na.ssl-images-amazon.com

tls

1.5kB
9.5kB
11
12
185.15.59.224:443

en.m.wikipedia.org

tls

1.6kB
7.4kB
13
10
88.221.135.114:80

http://a.espncdn.com/wireless/mw5/r1/images/bookmark-icons/espn_icon-152x152.min.png

http

615 B
3.3kB
5
4

HTTP Request

GET http://a.espncdn.com/wireless/mw5/r1/images/bookmark-icons/espn_icon-152x152.min.png

HTTP Response

200
87.248.114.12:443

s.yimg.com

tls

1.9kB
13.7kB
18
18
151.101.2.206:443

ir.ebaystatic.com

tls

1.8kB
15.0kB
16
18
163.70.151.174:443

www.instagram.com

tls

3.0kB
40.3kB
35
38
216.58.201.100:443

www.google.com

tls

1.6kB
6.5kB
12
15
163.5.169.19:3434

360 B
6
216.58.201.100:443

www.google.com

tls

1.6kB
7.0kB
12
16
216.58.212.202:443

tls, https

1.2kB
40 B
1
1
172.217.169.3:443

update.googleapis.com

tls

3.1kB
8.3kB
10
15
163.5.169.19:3434

240 B
4
142.250.187.196:443

tls, https

431 B
40 B
2
1
142.250.187.196:443

www.google.com

tls

8.8kB
11.0kB
30
39
163.5.169.19:3434

240 B
4

224.0.0.251:5353

3.3kB
10
1.1.1.1:53

ssl.google-analytics.com

dns

70 B
86 B
1
1

DNS Request

ssl.google-analytics.com

DNS Response

142.250.178.8
1.1.1.1:53

android.apis.google.com

dns

69 B
109 B
1
1

DNS Request

android.apis.google.com

DNS Response

142.250.178.14
1.1.1.1:53

accounts.google.com

dns

65 B
81 B
1
1

DNS Request

accounts.google.com

DNS Response

66.102.1.84
1.1.1.1:53

accounts.google.com

dns

65 B
81 B
1
1

DNS Request

accounts.google.com

DNS Response

74.125.71.84
1.1.1.1:53

static.xx.fbcdn.net

dns

65 B
104 B
1
1

DNS Request

static.xx.fbcdn.net

DNS Response

157.240.214.11
1.1.1.1:53

m.youtube.com

dns

59 B
75 B
1
1

DNS Request

m.youtube.com

DNS Response

142.250.187.206
1.1.1.1:53

images-na.ssl-images-amazon.com

dns

77 B
263 B
1
1

DNS Request

images-na.ssl-images-amazon.com

DNS Response

151.101.193.16

151.101.1.16

151.101.65.16

151.101.129.16
1.1.1.1:53

en.m.wikipedia.org

dns

64 B
109 B
1
1

DNS Request

en.m.wikipedia.org

DNS Response

185.15.59.224
1.1.1.1:53

a.espncdn.com

dns

59 B
170 B
1
1

DNS Request

a.espncdn.com

DNS Response

88.221.135.114

88.221.134.131
1.1.1.1:53

s.yimg.com

dns

56 B
127 B
1
1

DNS Request

s.yimg.com

DNS Response

87.248.114.12

87.248.114.11
1.1.1.1:53

ir.ebaystatic.com

dns

63 B
196 B
1
1

DNS Request

ir.ebaystatic.com

DNS Response

151.101.2.206

151.101.194.206

151.101.66.206

151.101.130.206
1.1.1.1:53

www.instagram.com

dns

63 B
114 B
1
1

DNS Request

www.instagram.com

DNS Response

163.70.151.174
1.1.1.1:53

www.google.com

dns

60 B
76 B
1
1

DNS Request

www.google.com

DNS Response

216.58.201.100
1.1.1.1:53

update.googleapis.com

dns

67 B
83 B
1
1

DNS Request

update.googleapis.com

DNS Response

172.217.169.3
1.1.1.1:53

amxcqhoedyf

dns

57 B
132 B
1
1

DNS Request

amxcqhoedyf
1.1.1.1:53

bdvfsnuoyiqj

dns

58 B
133 B
1
1

DNS Request

bdvfsnuoyiqj
1.1.1.1:53

lhedreuibzp

dns

57 B
132 B
1
1

DNS Request

lhedreuibzp

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Foreground Persistence

T1541

Privilege Escalation

Defense Evasion

Foreground Persistence

T1541

Hide Artifacts

T1628

Suppress Application Icon

T1628.001

Input Injection

T1516

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Discovery

Process Discovery

T1424

System Information Discovery

T1426

System Network Configuration Discovery

T1422

System Network Connections Discovery

T1421

Lateral Movement

Collection

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.tencent.mm/no_backup/androidx.work.workdb

Filesize
4KB

MD5
f2b4b0190b9f384ca885f0c8c9b14700

SHA1
934ff2646757b5b6e7f20f6a0aa76c7f995d9361

SHA256
0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

SHA512
ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

Download Submit
/data/data/com.tencent.mm/no_backup/androidx.work.workdb-journal

Filesize
512B

MD5
eff04d5cf560f21ae19f9aaa8f557ec6

SHA1
19494af731c6088e1ceae52a08f9c3b9f2276d8f

SHA256
ea0c50e79fa2dc9b4f0ce6b65909d22da69c00820ddffb2e40108960adaa7098

SHA512
8ebeb8095bcf511a8140186ca4ec096073d7e74d9d0f9bb98f6881cae85abf5aeb141cc56dc6673d737d7bef57a771e2229dda79cdfa63dda890fec58441d8fd

Download Submit
/data/data/com.tencent.mm/no_backup/androidx.work.workdb-shm

Filesize
32KB

MD5
bb7df04e1b0a2570657527a7e108ae23

SHA1
5188431849b4613152fd7bdba6a3ff0a4fd6424b

SHA256
c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

SHA512
768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Download Submit
/data/data/com.tencent.mm/no_backup/androidx.work.workdb-wal

Filesize
16KB

MD5
1a7ca69a4924bb3b79548ecef510a691

SHA1
8bdb659530e619f1107d2109d75f856e9c0a7b0e

SHA256
8f2117cd99b4e87aabbf16b5c9832e9b26afcdb5d8bf85ea5e18d34079e6fbdb

SHA512
ee875a340b58ad6a69b9be7e2ae8a707f05e7d50952379e6f15220613cda7076688d4b3a6f0dc559336607cd8fbfdd3c20b5eda1e18d036e219e35c01ba3e832

Download Submit
/data/data/com.tencent.mm/no_backup/androidx.work.workdb-wal

Filesize
108KB

MD5
c569bd2a8a146b78ff7381c01622b867

SHA1
56c32a72f9bec0c1029fa8d1e4391f29eff8ffba

SHA256
8da5a0ae46e22ae9e5c9315743628a10febe3583d64a5c1f955fae2330fb4d7f

SHA512
03b99fe2143043bc2c258297c236539aeb1d25b73cb671f0de168b84ebd9a73f38c8d6bdbcfb43ef8f93eeeb291853d9d56213042c0021964fcb524372bb4c89

Download Submit
/data/data/com.tencent.mm/no_backup/androidx.work.workdb-wal

Filesize
173KB

MD5
289434499fa3e227fb29c36d254aa97a

SHA1
ca197548a532c488864d46143eb145065aee96ff

SHA256
445a799e66cf336a463c1431a925a31347c7f86882e556aef1b3d0b1991f1a08

SHA512
e2e74a10b51dfca350186ce61875d222ad0ba2545f875c44eaa93afc8a8b96c7ed22e236269f328e7a1302a9aa78d878dcaa863e833df3f3d83ab0274dfd24b4

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

HTTP Request

HTTP Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.