Analysis

  • max time kernel: 28s
  • max time network: 183s
  • platform: android_x64
  • resource: android-x64-arm64-20240611.1-en
  • resource tags: android, arch:arm, arch:arm64, arch:x64, arch:x86, image:android-x64-arm64-20240611.1-en, locale:en-us, os:android-11-x64, system
  • submitted: 12/06/2024, 20:04 UTC

General

  • Target: 33b9e9499126bdd83d1fdef74289b88c331a0ab8643cd66b5dedde4ca03ed294.apk
  • Size: 2.8MB
  • MD5: 53c7b27a4062fd29f843dcace0ffa440
  • SHA1: 7b65fc3272e649196099b88b111d1fea27085812
  • SHA256: 33b9e9499126bdd83d1fdef74289b88c331a0ab8643cd66b5dedde4ca03ed294
  • SHA512: b6aece74558c9b4d96cc6fd9b6f21812fc7a63a1a044aeb1a497395d514a365d802ad9144201ec49289a433e3d9cb5e8572be5db576c8e86b8ed7ad205a5dd7c
  • SSDEEP: 49152:P3ry0LaSQ9BIC8Hiu0AieWmxd5U2+4rcU3VPDmhOQXbK0rtohkQAXbcs/mybfFPf:PuuEp8HbSeWEd5R3xKbW0ZomQAXbcs/1

Malware Config

Extracted

  • Family: hook
  • AES_key (1): 3141317a5031655035514765666932444d505466544c35534c6d763744697666

Signatures

  • Hook
    Hook is an Android malware that is based on Ermac with RAT capabilities.
  • Makes use of the framework's Accessibility service (4 TTPs, 3 IoCs)
    Retrieves information displayed on the phone screen using AccessibilityService.
  • Obtains sensitive information copied to the device clipboard (2 TTPs, 1 IoC)
    Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
  • Queries information about running processes on the device (1 TTP, 1 IoC)
    Application may abuse the framework's APIs to collect information about running processes on the device.
  • Queries the phone number (MSISDN for GSM devices) (1 TTP)
  • Acquires the wake lock (1 IoC)
  • Makes use of the framework's foreground persistence service (1 TTP, 1 IoC)
    Application may abuse the framework's foreground service to continue running in the foreground.
  • Queries information about the current Wi-Fi connection (1 TTP, 1 IoC)
    Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
  • Queries the mobile country code (MCC) (1 TTP, 1 IoC)
  • Schedules tasks to execute at a specified time (1 TTP, 1 IoC)
    Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
  • Uses Crypto APIs (Might try to encrypt user data) (1 TTP, 1 IoC)
  • Checks CPU information (2 TTPs, 1 IoC)
  • Checks memory information (2 TTPs, 1 IoC)

Processes

  • com.xemunubohiyutu.wisewa (PID 4644)
    • Makes use of the framework's Accessibility service
    • Obtains sensitive information copied to the device clipboard
    • Queries information about running processes on the device
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Queries information about the current Wi-Fi connection
    • Queries the mobile country code (MCC)
    • Schedules tasks to execute at a specified time
    • Uses Crypto APIs (Might try to encrypt user data)
    • Checks CPU information
    • Checks memory information

Network

  • DNS android.apis.google.com (remote address 1.1.1.1:53)
    Request: android.apis.google.com IN A
    Response: android.apis.google.com IN CNAME clients.l.google.com; clients.l.google.com IN A 216.58.204.78
  • DNS ssl.google-analytics.com (remote address 1.1.1.1:53)
    Request: ssl.google-analytics.com IN A
    Response: ssl.google-analytics.com IN A 142.250.200.40
  • DNS null (remote address 1.1.1.1:53)
    Request: null IN A
    Response: (empty)
  • 216.58.204.78:443 | tls, https | 695 B | 40 B | 1 | 1
  • 216.58.204.78:443 | tls, https | 695 B | 40 B | 1 | 1
  • 216.58.204.78:443 | android.apis.google.com | tls | 5.5kB | 9.7kB | 24 | 24
  • 142.250.200.40:443 | ssl.google-analytics.com | tls | 1.4kB | 6.1kB | 9 | 9
  • 194.59.30.174:3434 | 420 B | 7
  • 194.59.30.174:3434 | 420 B | 7
  • 194.59.30.174:3434 | 420 B | 7
  • 142.250.178.4:443 | tls, https | 868 B | 40 B | 2 | 1
  • 142.250.178.4:443 | www.google.com | tls | 11.4kB | 9.8kB | 32 | 38
  • 194.59.30.174:3434 | 240 B | 4
  • 194.59.30.174:3434 | 420 B | 7
  • 194.59.30.174:3434 | 240 B | 4
  • 194.59.30.174:3434 | 240 B | 4
  • 194.59.30.174:3434 | 240 B | 4
  • 194.59.30.174:3434 | 240 B | 4
  • 194.59.30.174:3434 | 240 B | 4
  • 194.59.30.174:3434 | 240 B | 4
  • 224.0.0.251:5353 | 3.7kB | 11
  • 1.1.1.1:53 | android.apis.google.com | dns | 69 B | 109 B | 1 | 1
    DNS Request: android.apis.google.com
    DNS Response: 216.58.204.78
  • 1.1.1.1:53 | ssl.google-analytics.com | dns | 70 B | 86 B | 1 | 1
    DNS Request: ssl.google-analytics.com
    DNS Response: 142.250.200.40
  • 1.1.1.1:53 | null | dns | 50 B | 125 B | 1 | 1
    DNS Request: null

MITRE ATT&CK Mobile v15


Downloads

  • /data/user/0/com.xemunubohiyutu.wisewa/no_backup/androidx.work.workdb
    Filesize: 4KB
    MD5: 7e858c4054eb00fcddc653a04e5cd1c6
    SHA1: 2e056bf31a8d78df136f02a62afeeca77f4faccf
    SHA256: 9010186c5c083155a45673017d1e31c2a178e63cc15a57bbffde4d1956a23dad
    SHA512: d0c7a120940c8e637d5566ef179d01eff88a2c2650afda69ad2a46aad76533eaace192028bba3d60407b4e34a950e7560f95d9f9b8eebe361ef62897d88b30cb

  • /data/user/0/com.xemunubohiyutu.wisewa/no_backup/androidx.work.workdb-journal
    Filesize: 512B
    MD5: 4af083ba22aa83f58611a3323b713965
    SHA1: 23c1c4b2977dc62d66269534ba6c2593b2762afc
    SHA256: 562e806108e3477c70a42fbd3fc8c9b006e93cf61cc51097645340fee331b1b5
    SHA512: 685e90c815a197b299e660a202ac14a4f7a2e9baf2bc0d6992fc764b8471eaa882cc98beb21920f5d01dd17793a48c340d9311187e6e2294e8b042f1dc33d1c0

  • /data/user/0/com.xemunubohiyutu.wisewa/no_backup/androidx.work.workdb-shm
    Filesize: 32KB
    MD5: bb7df04e1b0a2570657527a7e108ae23
    SHA1: 5188431849b4613152fd7bdba6a3ff0a4fd6424b
    SHA256: c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
    SHA512: 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

  • /data/user/0/com.xemunubohiyutu.wisewa/no_backup/androidx.work.workdb-wal
    Filesize: 16KB
    MD5: 3ed3fc539a34220d4caa75788355f807
    SHA1: d40c12ff8633511506c6fddf3413881dd95e56ba
    SHA256: a9eb4db3ec648c577545dd642085c8ba208efed430b2a3087fec6bd3d95d6e71
    SHA512: 201f5a18cffdf02b8d5c862fadc21ec664a3386d1dadfd157bef82d7f184060e2a3c6f7d010a7e921595ea890c00e82aaa78aa253403a7311d17ad354c4f8cac

  • /data/user/0/com.xemunubohiyutu.wisewa/no_backup/androidx.work.workdb-wal
    Filesize: 108KB
    MD5: 162579bfa33779cdf07d68c3f614b798
    SHA1: ffdcc14a2fde81d4092b26540d7dde7b0a8769d6
    SHA256: a1b55ff1adeb6eac34bf084474fd5a143bda363bd610d58a0f720e97eb99bb0e
    SHA512: 67de5c1ff9c1166fd2ea45689de8160b8e6cd32e61ac5962661a9deed08b1f997104867b7edb9f80de31468966cc4f9ba989bb79f3ea37385f2ef1dec50c722a

  • /data/user/0/com.xemunubohiyutu.wisewa/no_backup/androidx.work.workdb-wal
    Filesize: 173KB
    MD5: fdfea01a9c384c3f3515b65fe28bd7d9
    SHA1: 1a693680a690250a83e2a3e00f9a6a768552a927
    SHA256: dfc9e68db5b4faa5f476341c6420a1fcaab8a78893a0923c9681956854111273
    SHA512: 10d8426514a46f12ced267f480880066d02ac20305d4b155658948487b2cde95c2c50e4c6fa5100215b08345ae215d6b5358ee0f4d4ef7b2bfe96067d4963a40
