hook | 9f17fc20c5c725707168b93690063638cb6e5b3a7b77b3e826e8458a79eb36e2

General

Target

9f17fc20c5c725707168b93690063638cb6e5b3a7b77b3e826e8458a79eb36e2.apk
Size

2.8MB
MD5

242610e74b8914d64fdbcfcc8b63cfb6
SHA1

1731224b7e2705c4910ed477474dc009916d170e
SHA256

9f17fc20c5c725707168b93690063638cb6e5b3a7b77b3e826e8458a79eb36e2
SHA512

cfe0db94bea86cea0bca9c04d56274320991d5595149f7c000d36c368ce95854327f75c7e5e7a5733686c380a677cd2c91fc758c0c3d37161745a22161576cdd
SSDEEP

49152:rG/OCzgkixmu1Jtp3bRNQfo35dGViLscVvRd7Te32k7B5FXzgg/lU:rG/OCUki0ItpEncVvRNK32k7/FXXU

Score

10^/10

hook collection credential_access discovery evasion impact infostealer persistence rat stealth trojan

Malware Config

Extracted

Family

hook

C2

http://91.151.95.157:3434

AES_key

Signatures

Hook
Hook is an Android malware that is based on Ermac with RAT capabilities.
rat trojan infostealer hook

Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.mugitepefaxade.ponowe
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText	com.mugitepefaxade.ponowe
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.mugitepefaxade.ponowe

Removes its main activity from the application launcher 1 TTPs 1 IoCs

stealth trojan evasion

Suppress Application Icon

T1628.001

pid	Process
4318	com.mugitepefaxade.ponowe

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

evasion persistence

Foreground Persistence

T1541

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	com.mugitepefaxade.ponowe

Queries information about running processes on the device 1 TTPs 1 IoCs

Application may abuse the framework's APIs to collect information about running processes on the device.

discovery

Process Discovery

T1424

description	ioc	Process
Framework service call	android.app.IActivityManager.getRunningAppProcesses	com.mugitepefaxade.ponowe

Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs

Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

discovery

System Network Connections Discovery

T1421

description	ioc	Process
Framework service call	android.net.wifi.IWifiManager.getConnectionInfo	com.mugitepefaxade.ponowe

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.mugitepefaxade.ponowe

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	com.mugitepefaxade.ponowe

Requests enabling of the accessibility settings. 1 IoCs

description	ioc	Process
Intent action	android.settings.ACCESSIBILITY_SETTINGS	com.mugitepefaxade.ponowe

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.mugitepefaxade.ponowe

Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.mugitepefaxade.ponowe

com.mugitepefaxade.ponowe
1⤵
- Makes use of the framework's Accessibility service
- Removes its main activity from the application launcher
- Makes use of the framework's foreground persistence service
- Queries information about running processes on the device
- Queries information about the current Wi-Fi connection
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Requests enabling of the accessibility settings.
- Acquires the wake lock
- Uses Crypto APIs (Might try to encrypt user data)
PID:4318

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

1

T1624

Broadcast Receivers

1

T1624.001

Foreground Persistence

1

T1541

Privilege Escalation

Defense Evasion

Foreground Persistence

1

T1541

Hide Artifacts

1

T1628

Suppress Application Icon

Input Injection

Credential Access

Input Capture

2

T1417

GUI Input Capture

1

T1417.002

Keylogging

1

T1417.001

Discovery

Process Discovery

1

T1424

System Network Configuration Discovery

2

T1422

System Network Connections Discovery

1

T1421

Lateral Movement

Collection

Input Capture

2

T1417

GUI Input Capture

1

T1417.002

Keylogging

Screen Capture

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

Input Injection

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.mugitepefaxade.ponowe/no_backup/androidx.work.workdb

Filesize
4KB

MD5
f2b4b0190b9f384ca885f0c8c9b14700

SHA1
934ff2646757b5b6e7f20f6a0aa76c7f995d9361

SHA256
0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

SHA512
ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

Download Submit
/data/data/com.mugitepefaxade.ponowe/no_backup/androidx.work.workdb-journal

Filesize
512B

MD5
5e12dbb034736b0612c67502864defc7

SHA1
8369ddf5faa7a505b8d06e469b7c1655ba1aae4e

SHA256
e9faee595d634ca05852fa97ff81e7a7504977d536fa4352c7486bde6e7a6df2

SHA512
139ce6a57e90d2df8f04ce4a0dd6d97cf4bd2441d3a9f84b3c28173792b87063e1590c32b6cf57ced7e50322b2728de220b7379f016f41e3bc7185646ad25815

Download Submit
/data/data/com.mugitepefaxade.ponowe/no_backup/androidx.work.workdb-shm

Filesize
32KB

MD5
bb7df04e1b0a2570657527a7e108ae23

SHA1
5188431849b4613152fd7bdba6a3ff0a4fd6424b

SHA256
c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

SHA512
768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Download Submit
/data/data/com.mugitepefaxade.ponowe/no_backup/androidx.work.workdb-wal

Filesize
16KB

MD5
330002b33f6a645f0c62f69166ed8951

SHA1
56a174a53e3f37cb5d0acfdfb7634c584c0aa807

SHA256
0fe4ca0a806ce70140fa5c330d8258e01857eaa76f6c9937f0441ef8ec8ab31a

SHA512
6ffd89b4c65d10ec694283c723d4741df6bd1e25af476bd52a1d7e783e18771863ffbe137c4eceb4bf267792a865d3b01a6cb8ad52e74afaf96821bda6842588

Download Submit
/data/data/com.mugitepefaxade.ponowe/no_backup/androidx.work.workdb-wal

Filesize
108KB

MD5
faafe96eb63b2ab5ba5d337f37b85b31

SHA1
2ec29f105c333abb786e203c0e4d7f5b8c61c315

SHA256
d0af3200fd05b5d47b78996e486647db2ebb9c478e0ec8019e20f39cee43d3bf

SHA512
e76a16038792a4bc585426e76da4b0d5bebd83587ffe8508446c78df865890ff5d7e79ec56d165a2bc273cfbef1039d7dc2d756b720b2c854c6d4b59e6947811

Download Submit
/data/data/com.mugitepefaxade.ponowe/no_backup/androidx.work.workdb-wal

Filesize
173KB

MD5
5af9f925baeba8f94024b0a333b537ca

SHA1
2dda9319f284b704097f185e59a58f9353762be8

SHA256
e58440d00d3cb3e2345a7edd24f67a7f42304e601ec65297e99ba227b8a0ca8f

SHA512
d23554545f1ec7fbabcaa88e08f08144da9bc914f9ed7354145fd79a97f1df0624c638b453f12ba721198bf22049aa8e7608d4e0f7785ef7d7af091854f3af92

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads