General

  • Target

    923bc65bf07815b0b2723ab6cde35887c61d665baf6618ce4e1dacd6345669ad

  • Size

    2.8MB

  • Sample

    240524-pq8v4sca9s

  • MD5

    899022727c1eed901d9e847a44f017a0

  • SHA1

    27231e81607121522405a98dca3c4efe013d6282

  • SHA256

    923bc65bf07815b0b2723ab6cde35887c61d665baf6618ce4e1dacd6345669ad

  • SHA512

    9f3b4b6eb7690c2b688b138d3301f13d320b45832013df366b1743e3b722bd8a42e2746ed4d43e028de0df92f7eca3fce55a970102dbb25431ad67f5ff2796cd

  • SSDEEP

    49152:1KYIc3gRcXBxxytSOLAQniVL5TC1/cGypQqgg9TKAzwXhcHh8xngteZQpy/XyNgl:41xRCNnmFadTC10G4QWiXhWiKtyxXYk

Malware Config

Extracted

Family

hook

C2

http://185.208.158.109:3434

AES_key

Targets

    • Target

      923bc65bf07815b0b2723ab6cde35887c61d665baf6618ce4e1dacd6345669ad

    • Size

      2.8MB

    • MD5

      899022727c1eed901d9e847a44f017a0

    • SHA1

      27231e81607121522405a98dca3c4efe013d6282

    • SHA256

      923bc65bf07815b0b2723ab6cde35887c61d665baf6618ce4e1dacd6345669ad

    • SHA512

      9f3b4b6eb7690c2b688b138d3301f13d320b45832013df366b1743e3b722bd8a42e2746ed4d43e028de0df92f7eca3fce55a970102dbb25431ad67f5ff2796cd

    • SSDEEP

      49152:1KYIc3gRcXBxxytSOLAQniVL5TC1/cGypQqgg9TKAzwXhcHh8xngteZQpy/XyNgl:41xRCNnmFadTC10G4QWiXhWiKtyxXYk

    • Hook

      Hook is an Android malware that is based on Ermac with RAT capabilities.

    • Makes use of the framework's Accessibility service

      Retrieves information displayed on the phone screen using AccessibilityService.

    • Prevents application removal

      Application may abuse the framework's APIs to prevent removal.

    • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

    • Removes its main activity from the application launcher

    • Makes use of the framework's foreground persistence service

      Application may abuse the framework's foreground service to continue running in the foreground.

    • Queries information about running processes on the device

      Application may abuse the framework's APIs to collect information about running processes on the device.

    • Queries information about the current Wi-Fi connection

      Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

    • Queries the phone number (MSISDN for GSM devices)

    • Registers a broadcast receiver at runtime (usually for listening for system events)

    • Requests enabling of the accessibility settings.

    • Acquires the wake lock

    • Reads information about phone network operator.

    • Schedules tasks to execute at a specified time

      Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

MITRE ATT&CK Mobile v15

Tasks