Overview

overview

10

Static

static

6

097067843b...9c.apk

android-9-x86

10

097067843b...9c.apk

android-10-x64

10

097067843b...9c.apk

android-11-x64

10

Analysis

  • max time kernel
    173s
  • max time network
    189s
  • platform
    android_x64
  • resource
    android-x64-arm64-20240624-en
  • resource tags

    androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240624-enlocale:en-usos:android-11-x64system
  • submitted
    05-08-2024 22:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    097067843bae13dedc0385ee30ee67e0c65d8dbb2f3902153c968928b4d41c9c.apk

  • Size

    4.3MB

  • MD5

    4681a111b9ac97532243216eb3c9258d

  • SHA1

    eec94175ea58b273d9f6660ff5ab8adddd9d9dce

  • SHA256

    097067843bae13dedc0385ee30ee67e0c65d8dbb2f3902153c968928b4d41c9c

  • SHA512

    cd9fbfdf5735d50368071e7c741f056db75a912faedacdf910e22a88f45ff59b3c822d27a9644824fc90e5806332a0b3b2113c4b074f73b56569f9ed1a396300

  • SSDEEP

    98304:tjv5QAJSQSTuWqEqfkpnh6+269TdKGpahbc7:tZWqZspnQs/KAaJU

Score
10/10
hookbankercollectioncredential_accessdiscoveryevasionexecutionimpactinfostealerpersistencerattrojan

Malware Config

Extracted

Family

hook

C2

http://193.3.19.40

DES_key
AES_key

Signatures

  • Hook

    Hook is an Android malware that is based on Ermac with RAT capabilities.

    rattrojaninfostealerhook
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasioncredential_access
  • Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

    Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

    collectioncredential_accessimpact
  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
    bankerdiscovery
  • Queries information about running processes on the device 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about running processes on the device.

    discovery
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    evasionpersistence
  • Performs UI accessibility actions on behalf of the user 1 TTPs 5 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

    discovery
  • Reads information about phone network operator. 1 TTPs
    discovery
  • Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

    executionpersistence
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
    impact
  • Checks CPU information 2 TTPs 1 IoCs
  • Checks memory information 2 TTPs 1 IoCs

Processes

  • com.hfmhbinqo.xmbkkpqqd
    1⤵
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Obtains sensitive information copied to the device clipboard
    • Queries information about running processes on the device
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries information about the current Wi-Fi connection
    • Schedules tasks to execute at a specified time
    • Uses Crypto APIs (Might try to encrypt user data)
    • Checks CPU information
    • Checks memory information
    PID:4494

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

1
T1603

Persistence

Foreground Persistence

1
T1541

Scheduled Task/Job

1
T1603

Privilege Escalation

Defense Evasion

Download New Code at Runtime

1
T1407

Foreground Persistence

1
T1541

Impair Defenses

1
T1629

Prevent Application Removal

1
T1629.001

Input Injection

1
T1516

Virtualization/Sandbox Evasion

2
T1633

System Checks

2
T1633.001

Credential Access

Clipboard Data

1
T1414

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Discovery

Process Discovery

1
T1424

Software Discovery

1
T1418

Security Software Discovery

1
T1418.001

System Information Discovery

2
T1426

System Network Configuration Discovery

2
T1422

System Network Connections Discovery

1
T1421

Lateral Movement

Collection

Clipboard Data

1
T1414

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Screen Capture

1
T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

1
T1471

Data Manipulation

1
T1641

Transmitted Data Manipulation

1
T1641.001

Input Injection

1
T1516

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/com.hfmhbinqo.xmbkkpqqd/app_dex/classes.dex
    Filesize

    2.9MB

    MD5

    dedf0e5acf68eccfcb97ab6ff148e3b0

    SHA1

    27e32bfe94f21e9e5db46eed50055c2585e6497c

    SHA256

    203c3ab41aba7e9943840401937cfe338f96662b33ef7207c1a370b615dd14db

    SHA512

    ee1dd9f61cc1a18e8a2b149035ec52af67a04994aa534018a989fdccd8631d375f0b59e72c67bcc4a8f003668d5eca74474f843e8ed02c8178b813d1e363d924

    Download Submit

  • /data/data/com.hfmhbinqo.xmbkkpqqd/cache/classes.dex
    Filesize

    1.0MB

    MD5

    252126cb82e058497b8f4cc43ca00d67

    SHA1

    d347dce920c4c9de6cf60153fd4e21ecfed1c206

    SHA256

    6b5ef63d374aec865a19cefd8d02598a575cce02f37bb2ad2dc0e84be8b0d53b

    SHA512

    5bc429801306a128f475c3997769a89bcbd9780e9a7c142cdc0bcdd71c3231df34b0f67052fa11bb839bfad1a5b908a6bc97774267f3d095aab635aabf6aa7bb

    Download Submit

  • /data/data/com.hfmhbinqo.xmbkkpqqd/cache/classes.zip
    Filesize

    1.0MB

    MD5

    dd404671adc07b6d1e49d92f2d5d3f40

    SHA1

    c3e215b80e75c6ccd6966cf85de7c54f69fef98a

    SHA256

    921ea67ff75c387d246a9a2eeacb4f2371122e536d4da6671e52464e802880a8

    SHA512

    7e5e00efb1f5b8b5c75267dc0c099b6e1ed1ea76331c89532e397754eca021a90c0f9bc922fcc35a39206e252e1896ea79458806df955b2fcdf7f9e77a0578e1

    Download Submit

  • /data/data/com.hfmhbinqo.xmbkkpqqd/no_backup/androidx.work.workdb
    Filesize

    4KB

    MD5

    7e858c4054eb00fcddc653a04e5cd1c6

    SHA1

    2e056bf31a8d78df136f02a62afeeca77f4faccf

    SHA256

    9010186c5c083155a45673017d1e31c2a178e63cc15a57bbffde4d1956a23dad

    SHA512

    d0c7a120940c8e637d5566ef179d01eff88a2c2650afda69ad2a46aad76533eaace192028bba3d60407b4e34a950e7560f95d9f9b8eebe361ef62897d88b30cb

    Download Submit

  • /data/data/com.hfmhbinqo.xmbkkpqqd/no_backup/androidx.work.workdb-journal
    Filesize

    512B

    MD5

    1d964aa296510f73c23f4ba89b793990

    SHA1

    9e133e59cde67bab5efa1e1fd07a8bc856575aa3

    SHA256

    2c44feb0544da7a224eca5a1035d52105b891272cf6dbea0cb8072afbe44fa1e

    SHA512

    1a38c94a745f23b5fa2f754d65d68c7dfae5b2a494ba34cc8caf28c11f0d06486142d0ebb7b9afeef643bb2ecd51c7959ee7aa5a99bdbe3cbac9684d71ba5962

    Download Submit

  • /data/data/com.hfmhbinqo.xmbkkpqqd/no_backup/androidx.work.workdb-shm
    Filesize

    32KB

    MD5

    bb7df04e1b0a2570657527a7e108ae23

    SHA1

    5188431849b4613152fd7bdba6a3ff0a4fd6424b

    SHA256

    c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

    SHA512

    768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

    Download Submit

  • /data/data/com.hfmhbinqo.xmbkkpqqd/no_backup/androidx.work.workdb-wal
    Filesize

    16KB

    MD5

    146353c1c71480dbbd33d2ed4e86a2a9

    SHA1

    ddc71fe7ebccbc086a425bc1fc896afed0836312

    SHA256

    ac376ef5b72bfa9623fa16f5c48613d6d7dc10c3806feea8a411447d67df9f29

    SHA512

    807b39d37b33f7cd818cc2136d437bc03f664529073e5e0e09db64bcdfa1ff7c4a43e684fdc22e097da9e1efe25ea0dff6701a5bcb202dac4829b5ecac4ba985

    Download Submit

  • /data/data/com.hfmhbinqo.xmbkkpqqd/no_backup/androidx.work.workdb-wal
    Filesize

    108KB

    MD5

    ac7694a2bd7a58df1458403b8a2194a4

    SHA1

    5c68fabdf1d72e52b7249bccb26c717c1d6c9205

    SHA256

    b0ee949caa5f58f7d8d9a8c71ac4f8a93d402a8a8646930d00a3c305277f9027

    SHA512

    4217af3132284afe6bda7b4bd7607952a835d53fb6bfead6e8e897c80da1941b71d7fa99b38e8dfbf69a5daa4e0e8ca7c5fac6dbdf88b42793f3b6d8d90d9199

    Download Submit

  • /data/data/com.hfmhbinqo.xmbkkpqqd/no_backup/androidx.work.workdb-wal
    Filesize

    173KB

    MD5

    dfd817b381d9c4be84f88ef9f7f7df92

    SHA1

    9befb3f73912de8405c807d1d68a7ecf74e7f5da

    SHA256

    309ce338d9adb7429ecb513f8f734fe7b7997963c38d5a6ccc8f4732425a92a7

    SHA512

    49f5a8a8dbe4de3f8c79cae1864bddfa298360d4c6b45e802905e86655c6916518d2ab8a48e0f803f5f9d7b10c08d0f44426f4fcdf982881990e9cb9d485b2a5

    Download Submit