Overview

overview

10

Static

static

10

ef9c1ee9c0...30.apk

android-9-x86

10

ef9c1ee9c0...30.apk

android-10-x64

10

ef9c1ee9c0...30.apk

android-11-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    c0b49d35aba26433370836dacc9d3007.bin

  • Size

    2.6MB

  • Sample

    240620-eksa3axfkg

  • MD5

    68391fe42d6f4f61202f40ff7324b57d

  • SHA1

    1dee13f166a3fa951a5fcc7ecca7e6dc15b55fe7

  • SHA256

    c370c5b65b7cb690a4318c1ed7dca724281d482486b7f6f797c77ee3e27dba1d

  • SHA512

    8963d65b7f3586594585965cc5775109fe57e5e265c9e7c38ac13609d28df2980027f166e45da3cf777f84a0a0efbc236376e7657478d7de0cc622ad03fa5d72

  • SSDEEP

    49152:VTkRiCPHpTZ16cMalDIUyxFLyQ1eHRbbsAIBps+YcyXFB+tTb6LgbSfjy6ve:VT1+tmhADUaQ1Q59IL89yN9Ofjle

Score
10/10
ermachookandroidcollectioncredential_accessdiscoveryevasionexecutionimpactinfostealerpersistencerattrojan

Malware Config

Extracted

Family

hook

AES_key

Targets

    • Target

      ef9c1ee9c06e8f6f92e9388e445d268072a321a4bf77704054dfdfbc68bd8830.apk

    • Size

      2.8MB

    • MD5

      c0b49d35aba26433370836dacc9d3007

    • SHA1

      fb46397f5d1a37055cc5323d89681dc0d1da5b85

    • SHA256

      ef9c1ee9c06e8f6f92e9388e445d268072a321a4bf77704054dfdfbc68bd8830

    • SHA512

      c14804d81e12cef1d154dee0c4d650508fd47ea67ebf09b063704834bfde6dd553d18ceb6223212e78cf621caa095aa979ace1dc75357ff3c211811c2bdfee50

    • SSDEEP

      49152:R7gmZbnXsxJHCXVvEELV0AUgFw9EdFMVDvRXleFSl2Fu0cFUm4LpisVaQ/jazg/Z:FpbXsxNCXBEELrUgFw991VIYyuV6m4oo

    Score
    10/10
    hookcollectioncredential_accessdiscoveryevasionexecutionimpactinfostealerpersistencerattrojan

    • Hook

      Hook is an Android malware that is based on Ermac with RAT capabilities.

      rattrojaninfostealerhook

    • Makes use of the framework's Accessibility service

      Retrieves information displayed on the phone screen using AccessibilityService.

      collectionevasioncredential_access

    • Queries information about running processes on the device

      Application may abuse the framework's APIs to collect information about running processes on the device.

      discovery

    • Queries the phone number (MSISDN for GSM devices)

      discovery

    • Acquires the wake lock

    • Makes use of the framework's foreground persistence service

      Application may abuse the framework's foreground service to continue running in the foreground.

      evasionpersistence

    • Performs UI accessibility actions on behalf of the user

      Application may abuse the accessibility service to prevent their removal.

      evasion

    • Queries information about the current Wi-Fi connection

      Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

      discovery

    • Queries the mobile country code (MCC)

      discovery

    • Reads information about phone network operator.

      discovery

    • Requests disabling of battery optimizations (often used to enable hiding in the background).

      evasion

    • Requests enabling of the accessibility settings.

    behavioral1behavioral2behavioral3

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

1
T1603

Persistence

Event Triggered Execution

1
T1624

Broadcast Receivers

1
T1624.001

Foreground Persistence

1
T1541

Scheduled Task/Job

1
T1603

Privilege Escalation

Defense Evasion

Foreground Persistence

1
T1541

Hide Artifacts

1
T1628

User Evasion

1
T1628.002

Impair Defenses

1
T1629

Prevent Application Removal

1
T1629.001

Input Injection

1
T1516

Credential Access

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Discovery

Process Discovery

1
T1424

System Network Configuration Discovery

3
T1422

System Network Connections Discovery

1
T1421

Lateral Movement

Collection

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Screen Capture

1
T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

1
T1471

Input Injection

1
T1516

Tasks