Analysis

  • max time kernel
    17s
  • max time network
    152s
  • platform
    android_x86
  • resource
    android-x86-arm-20240221-en
  • resource tags

    android, arch:arm, arch:x86, image:android-x86-arm-20240221-en, locale:en-us, os:android-9-x86, system
  • submitted
    02-05-2024 02:02

General

  • Target

    bc0b22a27dc2865e3194c23a0555fb791a17da00ed8935b7d0a118262c786f0b.apk

  • Size

    2.8MB

  • MD5

    d44e53ca92e43d18e026f48ce295b02b

  • SHA1

    eb924475a2b085bcc45e3109bf77886eede1126d

  • SHA256

    bc0b22a27dc2865e3194c23a0555fb791a17da00ed8935b7d0a118262c786f0b

  • SHA512

    ede5b7443b32fa71bcc9f9bcac540981a2755a2b5878033f0957683d33b0bceb5b2d4392fe5ba49e1911524a5f67a580aa3b97b258235c74e970751a1377ed56

  • SSDEEP

    49152:G0mdqy656RS1b0R3FJLeISGmAchVJGa7Zff3y7GdfSU8QUOcv/pw6jg/RV3:G0mdqb6RwbSuhG9Uia7ZfPy6xSU8l/pm

Malware Config

Extracted

Family

hook

C2

http://54.36.113.159:3434

Signatures

  • Hook

    Hook is an Android malware that is based on Ermac with RAT capabilities.

  • Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Queries information about running processes on the device 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about running processes on the device.

  • Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
  • Requests enabling of the accessibility settings. 1 IoCs
  • Acquires the wake lock 1 IoCs
  • Reads information about phone network operator. 1 TTPs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs

Processes

  • com.fisececitinoje.lalole
    • Makes use of the framework's Accessibility service
    • Makes use of the framework's foreground persistence service
    • Queries information about running processes on the device
    • Queries information about the current Wi-Fi connection
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Requests enabling of the accessibility settings.
    • Acquires the wake lock
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    PID:4189

Network

  • DNS android.apis.google.com
    Remote address:
    1.1.1.1:53
    Request
    android.apis.google.com
    IN A
    Response
    android.apis.google.com
    IN CNAME
    clients.l.google.com
    clients.l.google.com
    IN A
    142.250.200.14
  • DNS www.google.com
    Remote address:
    1.1.1.1:53
    Request
    www.google.com
    IN A
    Response
    www.google.com
    IN A
    142.250.200.36
  • DNS yzvjftqyi
    Remote address:
    1.1.1.1:53
    Request
    yzvjftqyi
    IN A
    Response
  • DNS vdcvjsqfvxji
    Remote address:
    1.1.1.1:53
    Request
    vdcvjsqfvxji
    IN A
    Response
  • DNS bkjrfwczykptfl
    Remote address:
    1.1.1.1:53
    Request
    bkjrfwczykptfl
    IN A
    Response
  • 54.36.113.159:3434
    240 B
    4
  • 142.250.200.14:443
    tls, https
    858 B
    40 B
    1
    1
  • 142.250.200.14:443
    tls, https
    858 B
    40 B
    1
    1
  • 142.250.200.14:443
    android.apis.google.com
    tls
    4.1kB
    7.8kB
    18
    19
  • 54.36.113.159:3434
    240 B
    4
  • 142.250.200.36:443
    www.google.com
    tls
    1.8kB
    6.4kB
    16
    17
  • 54.36.113.159:3434
    240 B
    4
  • 142.250.187.238:443
    520 B
    10
  • 142.250.180.2:443
    520 B
    10
  • 54.36.113.159:3434
    240 B
    4
  • 54.36.113.159:3434
    240 B
    4
  • 54.36.113.159:3434
    240 B
    4
  • 54.36.113.159:3434
    240 B
    4
  • 54.36.113.159:3434
    240 B
    4
  • 54.36.113.159:3434
    240 B
    4
  • 54.36.113.159:3434
    240 B
    4
  • 224.0.0.251:5353
    3.8kB
    12
  • 1.1.1.1:53
    android.apis.google.com
    dns
    69 B
    109 B
    1
    1

    DNS Request

    android.apis.google.com

    DNS Response

    142.250.200.14

  • 1.1.1.1:53
    www.google.com
    dns
    60 B
    76 B
    1
    1

    DNS Request

    www.google.com

    DNS Response

    142.250.200.36

  • 1.1.1.1:53
    yzvjftqyi
    dns
    55 B
    130 B
    1
    1

    DNS Request

    yzvjftqyi

  • 1.1.1.1:53
    vdcvjsqfvxji
    dns
    58 B
    133 B
    1
    1

    DNS Request

    vdcvjsqfvxji

  • 1.1.1.1:53
    bkjrfwczykptfl
    dns
    60 B
    135 B
    1
    1

    DNS Request

    bkjrfwczykptfl

MITRE ATT&CK Mobile v15

Downloads

  • /data/data/com.fisececitinoje.lalole/no_backup/androidx.work.workdb

    Filesize

    4KB

    MD5

    f2b4b0190b9f384ca885f0c8c9b14700

    SHA1

    934ff2646757b5b6e7f20f6a0aa76c7f995d9361

    SHA256

    0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

    SHA512

    ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

  • /data/data/com.fisececitinoje.lalole/no_backup/androidx.work.workdb-journal

    Filesize

    512B

    MD5

    dca56668e1c1d3b15ddaf96ecedb232d

    SHA1

    4a40f61c13fc7ee0738c3ab7a4766bae5870b096

    SHA256

    e9d330e325ffe940c4ad9565877b7decfdd19cb8d64362579040c5ddcc094ad4

    SHA512

    2bd7671f4b3e612b8635d7875de9f0060eb94667626c5857481dc63de3dbe8ea2ac367ac66d5697b22a532005476d93dc43bd4328a16fd5b446c13de9ea1cfc2

  • /data/data/com.fisececitinoje.lalole/no_backup/androidx.work.workdb-shm

    Filesize

    32KB

    MD5

    bb7df04e1b0a2570657527a7e108ae23

    SHA1

    5188431849b4613152fd7bdba6a3ff0a4fd6424b

    SHA256

    c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

    SHA512

    768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

  • /data/data/com.fisececitinoje.lalole/no_backup/androidx.work.workdb-wal

    Filesize

    16KB

    MD5

    0704abea8b0fbbad940680576a770155

    SHA1

    c499682e83b10bca63f444f1d568a2e360b576b1

    SHA256

    2647e811b23abae17717244f18b82308a75fdc8e8ba7b90a7bea69c441b74c1a

    SHA512

    34730e9fd0fd93664796aa3fe5f2113f5ec5021eaaa5dfc52c3eec5dacb97a9c18c7e2d4ac15c47456ac83ef384e22a536a725a26fe490305b7e767a5fa11ec2

  • /data/data/com.fisececitinoje.lalole/no_backup/androidx.work.workdb-wal

    Filesize

    108KB

    MD5

    ad85f9efc5cbbba826373391c4a49c4e

    SHA1

    1546a2061bd55d7ca4908e3a34791fd7e772b7b8

    SHA256

    e00c6e675ebbd0521550dd62d836502f6b187386f5a6e9366b446e4e4ba47990

    SHA512

    9e662f429e995f6d9959fed5076f282c2cc11afdd8c42b2c5a0dab5cf39a12c74e2722fd764ffc17b175d247ef28f73c6b59bc410c8ce9c5c0abc12c9fde56cd

  • /data/data/com.fisececitinoje.lalole/no_backup/androidx.work.workdb-wal

    Filesize

    173KB

    MD5

    3f97860c91fe8124714da34f3a1c1c3a

    SHA1

    9bba2c1e3595dc1fa4fb67e898734cc642df5970

    SHA256

    aa079bf990af58cef2c228375a5880036d7f93810271e978614de2db70dec6fa

    SHA512

    6d9d869663cc03741183573139632918460bf01290cd30f83c9757c5f8a2e7c09a3b0e4466b0795fe23074ece81d1555c202b4df313286ffec4dbc5d5a86c0bd