Overview

overview

10

Static

static

10

1c2aa3d2a5...34.apk

android-9-x86

10

1c2aa3d2a5...34.apk

android-10-x64

1

1c2aa3d2a5...34.apk

android-11-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    1c2aa3d2a5447dcde6a048109dabd269ecc3aed19053fc6feacda31c69c1ed34.bin

  • Size

    2.8MB

  • Sample

    240501-1w5lesbc27

  • MD5

    32e4a416df3be94085d5d759f4c30f33

  • SHA1

    494cf06282b76fdc892ccab1e8d94bae4995e3bf

  • SHA256

    1c2aa3d2a5447dcde6a048109dabd269ecc3aed19053fc6feacda31c69c1ed34

  • SHA512

    ab69dc9c96b79b16575d46a0ebd70cdc8f41cb0c8729957b7d5bba9be43505a274176fe4bdf62981e07d477a445ceeb39868578376dbe154c013376386d86f6a

  • SSDEEP

    49152:v0vp81hRdDuxm5p6DlktE3/RVEGFOZqOelEC0VQL+2ho/QrFi9j1nsLyDXgXg/81:v91hRUxQpIlaEZlFkeSCQQi2ho/T9j1Y

Score
10/10
ermachookandroidcollectioncredential_accessdiscoveryevasioninfostealerpersistenceratstealthtrojan

Malware Config

Extracted

Family

hook

C2

http://54.36.113.159:3434

Targets

    • Target

      1c2aa3d2a5447dcde6a048109dabd269ecc3aed19053fc6feacda31c69c1ed34.bin

    • Size

      2.8MB

    • MD5

      32e4a416df3be94085d5d759f4c30f33

    • SHA1

      494cf06282b76fdc892ccab1e8d94bae4995e3bf

    • SHA256

      1c2aa3d2a5447dcde6a048109dabd269ecc3aed19053fc6feacda31c69c1ed34

    • SHA512

      ab69dc9c96b79b16575d46a0ebd70cdc8f41cb0c8729957b7d5bba9be43505a274176fe4bdf62981e07d477a445ceeb39868578376dbe154c013376386d86f6a

    • SSDEEP

      49152:v0vp81hRdDuxm5p6DlktE3/RVEGFOZqOelEC0VQL+2ho/QrFi9j1nsLyDXgXg/81:v91hRUxQpIlaEZlFkeSCQQi2ho/T9j1Y

    Score
    10/10
    hookcollectioncredential_accessdiscoveryevasioninfostealerpersistencerattrojanstealth

    • Hook

      Hook is an Android malware that is based on Ermac with RAT capabilities.

      rattrojaninfostealerhook

    • Makes use of the framework's Accessibility service

      Retrieves information displayed on the phone screen using AccessibilityService.

      collectionevasioncredential_access

    • Removes its main activity from the application launcher

      stealthtrojanevasion

    • Makes use of the framework's foreground persistence service

      Application may abuse the framework's foreground service to continue running in the foreground.

      evasionpersistence

    • Queries information about running processes on the device

      Application may abuse the framework's APIs to collect information about running processes on the device.

      discovery

    • Queries information about the current Wi-Fi connection

      Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

      discovery

    • Queries the phone number (MSISDN for GSM devices)

      discovery

    • Registers a broadcast receiver at runtime (usually for listening for system events)

      persistence

    • Requests enabling of the accessibility settings.

    • Acquires the wake lock

    • Reads information about phone network operator.

      discovery

    • Requests disabling of battery optimizations (often used to enable hiding in the background).

      evasion
    behavioral1behavioral2behavioral3

MITRE ATT&CK Mobile v15

Tasks