hook | a68281c33408fd04d6ff24bbaa2df6935ada43d1d6e73189a8194ba3fbd527b5

Analysis

max time kernel
152s
max time network
161s
platform
android_x64
resource
android-x64-20240221-en
resource tags

androidarch:x64arch:x86image:android-x64-20240221-enlocale:en-usos:android-10-x64system
submitted
01-05-2024 22:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a68281c33408fd04d6ff24bbaa2df6935ada43d1d6e73189a8194ba3fbd527b5.apk
Size

2.8MB
MD5

a10c88c3486329a3677ea4bb80e2284b
SHA1

be03b6866607b54f05a5661325660f7a5161dbc3
SHA256

a68281c33408fd04d6ff24bbaa2df6935ada43d1d6e73189a8194ba3fbd527b5
SHA512

a1bd58587c3ed5b31ffe891ed32a32a3b88d1b61160ef52681f0013c6a67d5ad7a54489a4ece012fa0c03283f7b931c2168fa7f7ccbed995e5793dd6bdc6814a
SSDEEP

49152:iTIBfxPaeHGCSMaWZSWrqFZ9/oCpM+zfzXdQAxRVujyJS+T0q7qfQyR+6ttrRw:iT+fxPaeH0B1VrGiRVUyw54yE

Score

10^/10

hook collection credential_access discovery evasion impact infostealer persistence rat trojan

Malware Config

Extracted

Family

hook

http://176.100.42.11:3434

Signatures

Hook
Hook is an Android malware that is based on Ermac with RAT capabilities.
rat trojan infostealer hook

Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.wirigacetoze.yuwazu
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.wirigacetoze.yuwazu
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText	com.wirigacetoze.yuwazu

Checks CPU information 2 TTPs 1 IoCs

Checks CPU information which indicate if the system is an emulator.

evasion discovery

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	com.wirigacetoze.yuwazu

Checks memory information 2 TTPs 1 IoCs

Checks memory information which indicate if the system is an emulator.

evasion discovery

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	com.wirigacetoze.yuwazu

Loads dropped Dex/Jar 1 TTPs 1 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.wirigacetoze.yuwazu/app_DynamicOptDex/PKYxWX.json	5052	com.wirigacetoze.yuwazu

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

evasion persistence

Foreground Persistence

T1541

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	com.wirigacetoze.yuwazu

Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

collection credential_access impact

Clipboard Data

T1414

Transmitted Data Manipulation

T1641.001

description	ioc	Process
Framework service call	android.content.IClipboard.addPrimaryClipChangedListener	com.wirigacetoze.yuwazu

Queries information about running processes on the device 1 TTPs 1 IoCs

Application may abuse the framework's APIs to collect information about running processes on the device.

discovery

Process Discovery

T1424

description	ioc	Process
Framework service call	android.app.IActivityManager.getRunningAppProcesses	com.wirigacetoze.yuwazu

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.wirigacetoze.yuwazu

Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	com.wirigacetoze.yuwazu

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.wirigacetoze.yuwazu

Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422

com.wirigacetoze.yuwazu
1⤵
- Makes use of the framework's Accessibility service
- Checks CPU information
- Checks memory information
- Loads dropped Dex/Jar
- Makes use of the framework's foreground persistence service
- Obtains sensitive information copied to the device clipboard
- Queries information about running processes on the device
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Acquires the wake lock
PID:5052

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Foreground Persistence

T1541

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Foreground Persistence

T1541

Input Injection

T1516

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Process Discovery

T1424

System Information Discovery

T1426

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Manipulation

T1641

Transmitted Data Manipulation

T1641.001

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.wirigacetoze.yuwazu/app_DynamicOptDex/PKYxWX.json

Filesize
705KB

MD5
758f2306a80b4f1fb18ebb52abf5694d

SHA1
dc006c95d0ccb09c1c6ec9da72ce32ec8299f7fa

SHA256
9067c8538c67eaee28346cec3e222f39ed32bb9e08e7b22d12962516f61a9222

SHA512
fcf5f1c5fae54337ea32c95b544358bb6cc380e02ac37e12331d94c1f483744216dd81e1cd80c63f0fb2f36b3c6361e35e510474f8fd8e55438639e7ba051267

Download Submit
/data/data/com.wirigacetoze.yuwazu/app_DynamicOptDex/PKYxWX.json

Filesize
705KB

MD5
df058f1ae6a32a19f50a213fa8774804

SHA1
ee6ee53975b57756fd86bb6bffe83ae8d581e252

SHA256
3a18c67faf537283e187310614d6acef46c4392f7a33520da3419dfb1633b8a2

SHA512
afd9502c7f29e3ce97b4888aabd33d24443dcbf38b87c03a27c634fdce74c700d10b4c5788db4eb27ab2808e4f6fee862ad2f5b50277adde96575a2168b8e3cc

Download Submit
/data/data/com.wirigacetoze.yuwazu/app_DynamicOptDex/oat/PKYxWX.json.cur.prof

Filesize
2KB

MD5
d821bd5a137f490369e699aef99f1610

SHA1
8cb272b5f8af329be8735266737c1ab64822837e

SHA256
3f12eec2424528e5967834709b20b68923d93ee17e47166ca65faa5378878441

SHA512
d4ed922eb463ad95a1b5b0fc3acefbbba4f1d6e61df4599d708db4d2fcb9a8b4053999fa49152ffce68d41fef461719a1990f0443bcee964a1dfc95076440f4d

Download Submit
/data/data/com.wirigacetoze.yuwazu/app_DynamicOptDex/oat/PKYxWX.json.cur.prof

Filesize
3KB

MD5
ee17efbcd6f3325a3d42ac12c6c3cf40

SHA1
82ec13eadac827ff19fad290bc13759c4aacf77d

SHA256
8b91d52978cf187dd7de671fb6278c3e7d6dbe581abca0972dc51823c5d8b4ee

SHA512
810b6c9020a02a9788949e11c661c4b7bf6351b74c73d21f44538fa3d3977136e777be4d418b33a8f6dad07e351cb8c142601bd86bfcfba4e46f8913cddb470b

Download Submit
/data/data/com.wirigacetoze.yuwazu/no_backup/androidx.work.workdb

Filesize
4KB

MD5
f2b4b0190b9f384ca885f0c8c9b14700

SHA1
934ff2646757b5b6e7f20f6a0aa76c7f995d9361

SHA256
0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

SHA512
ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

Download Submit
/data/data/com.wirigacetoze.yuwazu/no_backup/androidx.work.workdb-journal

Filesize
512B

MD5
d1c21a267d34c9ad17390958e8966ecb

SHA1
4bf51abbf5daf52f87fa975aa6440dbd28712736

SHA256
0735c24de5176c364e5faf937db5f0e53c3004002b68bf1bd06e3a75e0a2ba3a

SHA512
a428475e533cd1e71dca9f8520bf5687f3f09de0c402bd8339a1a04d6ea6cc3b52db1d2292147cb12bdded4e780990093e60124ad2b78f48b1230f667c6588b3

Download Submit
/data/data/com.wirigacetoze.yuwazu/no_backup/androidx.work.workdb-shm

Filesize
32KB

MD5
bb7df04e1b0a2570657527a7e108ae23

SHA1
5188431849b4613152fd7bdba6a3ff0a4fd6424b

SHA256
c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

SHA512
768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Download Submit
/data/data/com.wirigacetoze.yuwazu/no_backup/androidx.work.workdb-wal

Filesize
16KB

MD5
003841766de43f3aac895e964ffe645a

SHA1
5f7b51ac6d41034073a6a0268e2a5038390f54b8

SHA256
60fb0fa3e53b342fbf7dc37e8a8bf9c250da6fd11c0e920d4f7662bb5ae48e8e

SHA512
38d4cbb1e07866011119cf625e718b982e6a48ddfcee839d198e91762da0215f8ff5f39826a800dffb5f494337973c25e91a195fc15cbb11cbbd673365916d60

Download Submit
/data/data/com.wirigacetoze.yuwazu/no_backup/androidx.work.workdb-wal

Filesize
108KB

MD5
a5e43a0c98e9be1eb4da0476678931f0

SHA1
119e65050a4ea23fd1bc38264a09710a5e61d706

SHA256
c0fb1f9d933f0af66527790c5787fcd20ab6b03fd52af84ea57b840215085e67

SHA512
a17306a1342884a2674accfce3253374ed41a335e56477609337936374259f979bc375569a20cb38303d1c2805edcf0704869e0b6fb07d632490f916a9802ce7

Download Submit
/data/data/com.wirigacetoze.yuwazu/no_backup/androidx.work.workdb-wal

Filesize
173KB

MD5
21e31dc66b3dde4b559c09200690ffa0

SHA1
6f4845a1d37ee1f59442db73e3a4ab05a1ebbb2c

SHA256
cbd2cebc61c6d759ddf8bc53b5ab254f0e3f08a7c17a9809f3fac4c9a43fec8a

SHA512
a03f31221b47d65fdcf3b51c26f626e89b3e47b54c19888fed674eb3dac93d469477b84eee8e9fdff90993358cb62320f224d1bc3f72031778c728c06065a242

Download Submit
/data/user/0/com.wirigacetoze.yuwazu/app_DynamicOptDex/PKYxWX.json

Filesize
1.5MB

MD5
625f582689b89479997507f9805e6f4a

SHA1
0f98b131a7ab157d319c4cbc0443cb3726993706

SHA256
7ee6e8208623447487d48a3a0d476826e470718baf81cbac74eef2f4d50499ff

SHA512
3d1d36de17e37d5861d9a83de01b0b3b9509c41b3f1cf1954b404e149a65cc37fd209a458140e7877795c9448d61d050051b615d461bdb53d32a57b6fc322211

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads