hook | 7a2bd6350fd31bcc7a255364e20a8583c7f3312fbf8f817f00e29d3e3be1a199

Analysis

max time kernel
179s
max time network
136s
platform
android_x64
resource
android-x64-20240624-en
resource tags

androidarch:x64arch:x86image:android-x64-20240624-enlocale:en-usos:android-10-x64system
submitted
25-06-2024 22:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7a2bd6350fd31bcc7a255364e20a8583c7f3312fbf8f817f00e29d3e3be1a199.apk
Size

1.1MB
MD5

61996b4c60cf3bcb71b142912e31bf9e
SHA1

4d6416fc70563c4f5685bbb219a35cf99b40d904
SHA256

7a2bd6350fd31bcc7a255364e20a8583c7f3312fbf8f817f00e29d3e3be1a199
SHA512

a1cd57cc0060635f93665e0a2006ec4c691e32a8859de678658ef8978631a077dce2cbfbfb2e4002f1438b1daea977ea0724fb5a570fcbb4569d7965665fdd33
SSDEEP

24576:bY3KfQjJkykdgHzKrJU36czjUZSojyjz+sdg/T6XG:bPQlktgHzekFjQSXH+sdg/WG

Score

10^/10

hook collection credential_access discovery evasion execution impact infostealer persistence rat trojan

Malware Config

Extracted

Family

hook

AES_key

Signatures

Hook
Hook is an Android malware that is based on Ermac with RAT capabilities.
rat trojan infostealer hook

Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

Processes:

com.tencent.mm

description	ioc	process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.tencent.mm
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText	com.tencent.mm
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.tencent.mm

Queries information about running processes on the device 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about running processes on the device.
discovery

Process Discovery
T1424

Processes:

com.tencent.mm

description ioc process

Framework service call android.app.IActivityManager.getRunningAppProcesses com.tencent.mm
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422
Acquires the wake lock 1 IoCs

Processes:

com.tencent.mm

description ioc process

Framework service call android.os.IPowerManager.acquireWakeLock com.tencent.mm
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
evasion persistence

Foreground Persistence
T1541

Processes:

com.tencent.mm

description ioc process

Framework service call android.app.IActivityManager.setServiceForeground com.tencent.mm

description	ioc	process
Framework service call	android.app.IActivityManager.getRunningAppProcesses	com.tencent.mm

description	ioc	process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.tencent.mm

description	ioc	process
Framework service call	android.app.IActivityManager.setServiceForeground	com.tencent.mm

Performs UI accessibility actions on behalf of the user 1 TTPs 6 IoCs

Application may abuse the accessibility service to prevent their removal.

evasion

Prevent Application Removal

T1629.001

Processes:

com.tencent.mm

ioc	process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.tencent.mm
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.tencent.mm
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.tencent.mm
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.tencent.mm
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.tencent.mm
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.tencent.mm

Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
discovery

System Network Connections Discovery
T1421

Processes:

com.tencent.mm

description ioc process

Framework service call android.net.wifi.IWifiManager.getConnectionInfo com.tencent.mm
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
discovery

System Network Configuration Discovery
T1422

Processes:

com.tencent.mm

description ioc process

Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone com.tencent.mm
Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
persistence

Broadcast Receivers
T1624.001

Processes:

com.tencent.mm

description ioc process

Framework service call android.app.IActivityManager.registerReceiver com.tencent.mm
Schedules tasks to execute at a specified time 1 TTPs 1 IoCs
Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
execution persistence

Scheduled Task/Job
T1603

Processes:

com.tencent.mm

description ioc process

Framework service call android.app.job.IJobScheduler.schedule com.tencent.mm
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
impact

Data Encrypted for Impact
T1471

Processes:

com.tencent.mm

description ioc process

Framework API call javax.crypto.Cipher.doFinal com.tencent.mm

description	ioc	process
Framework service call	android.net.wifi.IWifiManager.getConnectionInfo	com.tencent.mm

description	ioc	process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.tencent.mm

description	ioc	process
Framework service call	android.app.IActivityManager.registerReceiver	com.tencent.mm

description	ioc	process
Framework service call	android.app.job.IJobScheduler.schedule	com.tencent.mm

description	ioc	process
Framework API call	javax.crypto.Cipher.doFinal	com.tencent.mm

com.tencent.mm
1⤵
- Makes use of the framework's Accessibility service
- Queries information about running processes on the device
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries information about the current Wi-Fi connection
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Schedules tasks to execute at a specified time
- Uses Crypto APIs (Might try to encrypt user data)
PID:4928

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

T1603

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Foreground Persistence

T1541

Scheduled Task/Job

T1603

Privilege Escalation

Defense Evasion

Foreground Persistence

T1541

Impair Defenses

T1629

Prevent Application Removal

T1629.001

Input Injection

T1516

Credential Access

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Process Discovery

T1424

System Network Configuration Discovery

T1422

System Network Connections Discovery

T1421

Lateral Movement

Collection

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.tencent.mm/no_backup/androidx.work.workdb

Filesize
4KB

MD5
f2b4b0190b9f384ca885f0c8c9b14700

SHA1
934ff2646757b5b6e7f20f6a0aa76c7f995d9361

SHA256
0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

SHA512
ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

Download Submit
/data/data/com.tencent.mm/no_backup/androidx.work.workdb-journal

Filesize
512B

MD5
a7d3e73070e1373537388633cfacac29

SHA1
f9e306e817f9834bbf943db325f1bed5ae4b96ca

SHA256
eac930848bf9d9b0ce0c88a26da23de1a3224fbfb51a1556409e6a307779c886

SHA512
c849c1601c5c6c24cf0350d7fa7ee9e18362379bf2c510d9ffc3adff2819ef3bd5ef00fc59dc9b75cc6457f0a4ba428f3c1271ab6d65beda04341866f9376202

Download Submit
/data/data/com.tencent.mm/no_backup/androidx.work.workdb-shm

Filesize
32KB

MD5
bb7df04e1b0a2570657527a7e108ae23

SHA1
5188431849b4613152fd7bdba6a3ff0a4fd6424b

SHA256
c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

SHA512
768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Download Submit
/data/data/com.tencent.mm/no_backup/androidx.work.workdb-wal

Filesize
16KB

MD5
0c8e62d2ae1bfb33635eec3080598134

SHA1
27d8b2289b672c6c30d11172f03ea9166f32247c

SHA256
f8e758629a8257580102a2f97d99031bdb85b6545fcdddc00310c152aa4373d9

SHA512
00a1fdc12e5eddbe5e49c459944e3704a56e922b8e65b99d80306d499f9bb207e7f301cb5106c23bf1c8169fd5317d8d757e6429598970be8bb3ee8776262534

Download Submit
/data/data/com.tencent.mm/no_backup/androidx.work.workdb-wal

Filesize
108KB

MD5
2c9c89b32a967f3e19f7c8d84be741b6

SHA1
558aa85563f1efff5f3b9af2f9ab5a1ddf0429c4

SHA256
fb774f651e7eea2d4146db75de33253bf52dc2c46a0c6b8c0007ecd7cc0ab57d

SHA512
828b9fdac9d5266b6bc0a51ad015535e0e094cf869500433f636d9016a406aa15482b44b2a84f106080549909ee73e71f4a6dc156b76bffbbd73477c61a6f711

Download Submit
/data/data/com.tencent.mm/no_backup/androidx.work.workdb-wal

Filesize
173KB

MD5
b1c68bc25f4fcc46ef18909d6c93ec18

SHA1
a8cf497462b620707b544be6154d86cb322c5853

SHA256
e9a32858a6f747248eea22bd2a5347241bd6f26597ee3c48e2e424a57da76471

SHA512
ffb180fbde4d6a339f1cf48b770686ee600916a1b3f6abfd7338dbb4ee3580a4fa5f3cecd490c226dc15ee5926d3a326b03eb0f4d3351b45500df7cfc6f28384

Download Submit