hook | ee5f5ebd0297cc3a3bd0f59c8544610ec901fe9a23b02b64b8345cccd96830e3

General

Target

ee5f5ebd0297cc3a3bd0f59c8544610ec901fe9a23b02b64b8345cccd96830e3.apk
Size

1.2MB
MD5

371e5e59cf3431a954ce943f1ca3fd03
SHA1

7d557210694d035c769c3f5b04eea12a8393a3c8
SHA256

ee5f5ebd0297cc3a3bd0f59c8544610ec901fe9a23b02b64b8345cccd96830e3
SHA512

79f906f318f23276ca0f3ee2c9a89d83266d62d5d7edb4ec7acd81dbb9cee8c30b6563a24a9a0de91370e2cb8374727908e611e094df6830c384acedde3954c0
SSDEEP

24576:fJsTe9xlM8jktafUqvBDE80lIM0ZJD5c+BSbvPwbgSq7eEU:fJsTmLIaLvxE3lI7JuOUqgSj7

Score

10^/10

hook collection credential_access discovery evasion execution impact infostealer persistence rat trojan

Malware Config

Extracted

Family

hook

C2

http://http://159.89.186.168:3434

AES_key

Signatures

Hook
Hook is an Android malware that is based on Ermac with RAT capabilities.
rat trojan infostealer hook

Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText	com.datowajejiyili.fatogilo
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.datowajejiyili.fatogilo
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.datowajejiyili.fatogilo

Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

collection credential_access impact

Clipboard Data

T1414

Transmitted Data Manipulation

T1641.001

description	ioc	Process
Framework service call	android.content.IClipboard.addPrimaryClipChangedListener	com.datowajejiyili.fatogilo

Queries information about running processes on the device 1 TTPs 1 IoCs

Application may abuse the framework's APIs to collect information about running processes on the device.

discovery

Process Discovery

T1424

description	ioc	Process
Framework service call	android.app.IActivityManager.getRunningAppProcesses	com.datowajejiyili.fatogilo

Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.datowajejiyili.fatogilo

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

evasion persistence

Foreground Persistence

T1541

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	com.datowajejiyili.fatogilo

Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422

Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

execution persistence

Scheduled Task/Job

T1603

description	ioc	Process
Framework service call	android.app.job.IJobScheduler.schedule	com.datowajejiyili.fatogilo

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.datowajejiyili.fatogilo

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	com.datowajejiyili.fatogilo

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	com.datowajejiyili.fatogilo

com.datowajejiyili.fatogilo
1⤵
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Queries information about running processes on the device
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Schedules tasks to execute at a specified time
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:4312

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

1

T1603

Persistence

Foreground Persistence

Scheduled Task/Job

Privilege Escalation

Defense Evasion

Foreground Persistence

Input Injection

Virtualization/Sandbox Evasion

2

T1633

System Checks

2

T1633.001

Credential Access

Clipboard Data

1

T1414

Input Capture

2

T1417

GUI Input Capture

1

T1417.002

Keylogging

1

T1417.001

Discovery

Process Discovery

1

T1424

System Information Discovery

2

T1426

System Network Configuration Discovery

2

T1422

Lateral Movement

Collection

Clipboard Data

1

T1414

Input Capture

2

T1417

GUI Input Capture

1

T1417.002

Keylogging

Screen Capture

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

1

T1471

Data Manipulation

1

T1641

Transmitted Data Manipulation

Input Injection

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/com.datowajejiyili.fatogilo/no_backup/androidx.work.workdb

Filesize
4KB

MD5
0eb157e1a86d4d00aa601dd2f6ff3ee3

SHA1
fee434f784e73cc7916322e949f727caf8363102

SHA256
b9a8194b71a046e8c0eb30995827b582b4bea834f630a5df2483b778a7d7d8a4

SHA512
b9b79b8c3af8a3f140df230fd89e95206358ba50ff214e7323a2dbbe2937b795f970e588302ffd5d721318bd597ce0a27af26d6cdb07f45569c30209845082a8

Download Submit
/data/user/0/com.datowajejiyili.fatogilo/no_backup/androidx.work.workdb-journal

Filesize
512B

MD5
685958e6075aab5bd19602dfa8286d64

SHA1
9f316fea74af52f59f040367cdcf112f989420a6

SHA256
1237c222698d7e8f751575e3239c453815372cb29c9ebb9fbffa0844e9033f7e

SHA512
f64f98a69150a949de328d01104b261f0d348d6f5253fff56e7dc1a44daf69b903d9ba43b2ec307b103cac1b63aa82511085abe098d506e7a8bd0ec13f168c67

Download Submit
/data/user/0/com.datowajejiyili.fatogilo/no_backup/androidx.work.workdb-shm

Filesize
32KB

MD5
bb7df04e1b0a2570657527a7e108ae23

SHA1
5188431849b4613152fd7bdba6a3ff0a4fd6424b

SHA256
c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

SHA512
768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Download Submit
/data/user/0/com.datowajejiyili.fatogilo/no_backup/androidx.work.workdb-wal

Filesize
16KB

MD5
313689c7d8520f14a263c0865ba9c531

SHA1
9a35b0caab032668563d35fdd16aaf4e72917081

SHA256
d0d4da287728bf1a7b168e88a49887c780ad2846823e1af6db9f7f31e7dfff65

SHA512
4e04c94b4ad0621acb012136f9ab7f8f08e36bd45253e28d54c73a22a17e008902353e0713eca602a2e69eeb59395c3cc2d4f7507793bbcf75dba510eb238e1e

Download Submit
/data/user/0/com.datowajejiyili.fatogilo/no_backup/androidx.work.workdb-wal

Filesize
108KB

MD5
bd37790cac10851f41c04041ed2ddfd5

SHA1
ebce262716a10ae99451912b6292136fa8283aa5

SHA256
22047c5c8db9975362aef5fd1850651c1e6c125973232ddd4084c6a085657e72

SHA512
58e63b4406d049a2144f6048168a837051dc21550de82bef9be7d5dec3d701384d6d6d37789b3260e73a5b760ac6b9d68ab571e494a0eafba4c3c067ba7e1ac8

Download Submit
/data/user/0/com.datowajejiyili.fatogilo/no_backup/androidx.work.workdb-wal

Filesize
173KB

MD5
bb8a25274325457192b53ad474e357f1

SHA1
f10e9cdbd38357d3b72ae9ddc5052682c5ef38d4

SHA256
3046b51d715e037dd394d4ed9efb4d3abe144185d1ee18eb399c9deadf56da38

SHA512
dab462108c41c691a508341e17f5461ad2219a52772aa5def5f1bdf0681991aca7ce627a9137913265fa6d50d361ca7d5da27611109b0b48abbc2f959ee758cd

Download Submit

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads