hook | 66e08e61b9baa4b5a1a2801ed3066b12295ef56b83e167f59a8a069a11c4bd58

Analysis

max time kernel
33s
max time network
195s
platform
android_x64
resource
android-x64-20240624-en
resource tags

androidarch:x64arch:x86image:android-x64-20240624-enlocale:en-usos:android-10-x64system
submitted
08-08-2024 22:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

66e08e61b9baa4b5a1a2801ed3066b12295ef56b83e167f59a8a069a11c4bd58.apk
Size

4.2MB
MD5

683e628f184379a1c0f22abc4c4fd86b
SHA1

2c30d9b6edc5100630009f06d68b606709374657
SHA256

66e08e61b9baa4b5a1a2801ed3066b12295ef56b83e167f59a8a069a11c4bd58
SHA512

f6b05d35e12be23b764dceae38350d45e6c8bc5718df6fe87c9bcc4ad371c4c384a2d000a2347036362de7c3e8dc019d7958fb6f01f77047318ca007d4f76942
SSDEEP

98304:WxeQB+vp1LDCiKVwYkOjQZjNJNIcKfEDhD9QTTtb6d5vsFt/dY4:qeQ4h1LDjYkOjQ7fIWDJ9QNudeZ

Score

10^/10

hook banker collection credential_access discovery evasion execution impact infostealer persistence rat trojan

Malware Config

Extracted

Family

hook

http://193.3.19.40

DES_key

AES_key

Signatures

Hook
Hook is an Android malware that is based on Ermac with RAT capabilities.
rat trojan infostealer hook

Loads dropped Dex/Jar 1 TTPs 2 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

Processes:

com.rjzenjmum.vtuudohsv

ioc	pid	process
/data/user/0/com.rjzenjmum.vtuudohsv/app_dex/classes.dex	5008	com.rjzenjmum.vtuudohsv
/data/user/0/com.rjzenjmum.vtuudohsv/app_dex/classes.dex	5008	com.rjzenjmum.vtuudohsv

Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

Processes:

com.rjzenjmum.vtuudohsv

description	ioc	process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.rjzenjmum.vtuudohsv
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText	com.rjzenjmum.vtuudohsv
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.rjzenjmum.vtuudohsv

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Queries information about running processes on the device 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about running processes on the device.
discovery

Process Discovery
T1424

Processes:

com.rjzenjmum.vtuudohsv

description ioc process

Framework service call android.app.IActivityManager.getRunningAppProcesses com.rjzenjmum.vtuudohsv
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422
Acquires the wake lock 1 IoCs

Processes:

com.rjzenjmum.vtuudohsv

description ioc process

Framework service call android.os.IPowerManager.acquireWakeLock com.rjzenjmum.vtuudohsv
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
evasion persistence

Foreground Persistence
T1541

Processes:

com.rjzenjmum.vtuudohsv

description ioc process

Framework service call android.app.IActivityManager.setServiceForeground com.rjzenjmum.vtuudohsv

description	ioc	process
Framework service call	android.app.IActivityManager.getRunningAppProcesses	com.rjzenjmum.vtuudohsv

description	ioc	process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.rjzenjmum.vtuudohsv

description	ioc	process
Framework service call	android.app.IActivityManager.setServiceForeground	com.rjzenjmum.vtuudohsv

Performs UI accessibility actions on behalf of the user 1 TTPs 5 IoCs

Application may abuse the accessibility service to prevent their removal.

evasion

Prevent Application Removal

T1629.001

Processes:

com.rjzenjmum.vtuudohsv

ioc	process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.rjzenjmum.vtuudohsv
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.rjzenjmum.vtuudohsv
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.rjzenjmum.vtuudohsv
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.rjzenjmum.vtuudohsv
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.rjzenjmum.vtuudohsv

Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
discovery

System Network Connections Discovery
T1421

Processes:

com.rjzenjmum.vtuudohsv

description ioc process

Framework service call android.net.wifi.IWifiManager.getConnectionInfo com.rjzenjmum.vtuudohsv
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
discovery

System Network Configuration Discovery
T1422

Processes:

com.rjzenjmum.vtuudohsv

description ioc process

Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone com.rjzenjmum.vtuudohsv
Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
persistence

Broadcast Receivers
T1624.001

Processes:

com.rjzenjmum.vtuudohsv

description ioc process

Framework service call android.app.IActivityManager.registerReceiver com.rjzenjmum.vtuudohsv
Schedules tasks to execute at a specified time 1 TTPs 1 IoCs
Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
execution persistence

Scheduled Task/Job
T1603

Processes:

com.rjzenjmum.vtuudohsv

description ioc process

Framework service call android.app.job.IJobScheduler.schedule com.rjzenjmum.vtuudohsv
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
impact

Data Encrypted for Impact
T1471

Processes:

com.rjzenjmum.vtuudohsv

description ioc process

Framework API call javax.crypto.Cipher.doFinal com.rjzenjmum.vtuudohsv

description	ioc	process
Framework service call	android.net.wifi.IWifiManager.getConnectionInfo	com.rjzenjmum.vtuudohsv

description	ioc	process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.rjzenjmum.vtuudohsv

description	ioc	process
Framework service call	android.app.IActivityManager.registerReceiver	com.rjzenjmum.vtuudohsv

description	ioc	process
Framework service call	android.app.job.IJobScheduler.schedule	com.rjzenjmum.vtuudohsv

description	ioc	process
Framework API call	javax.crypto.Cipher.doFinal	com.rjzenjmum.vtuudohsv

com.rjzenjmum.vtuudohsv
1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Queries information about running processes on the device
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries information about the current Wi-Fi connection
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Schedules tasks to execute at a specified time
- Uses Crypto APIs (Might try to encrypt user data)
PID:5008

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

T1603

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Foreground Persistence

T1541

Scheduled Task/Job

T1603

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Foreground Persistence

T1541

Impair Defenses

T1629

Prevent Application Removal

T1629.001

Input Injection

T1516

Credential Access

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Process Discovery

T1424

Software Discovery

T1418

Security Software Discovery

T1418.001

System Network Configuration Discovery

T1422

System Network Connections Discovery

T1421

Lateral Movement

Collection

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.rjzenjmum.vtuudohsv/app_dex/classes.dex

Filesize
2.9MB

MD5
eef9bed788e6f70f3ca4a7308d06ac41

SHA1
50314a8fbf789ed20dd8284313b4e6fea2a0a6c9

SHA256
1aac11a002c38dc426e66b58104798814a8a174e57b1b4906e95f4d9225dcb5d

SHA512
4dcf0e0a336ed66d90c2e803a458146f1c712f350511a39c4bf8f6d9785a41a856610f3833c2d67c7c8906857f727a4e0fdcfe7fc84de272f4fe782b9041f8cb

Download Submit
/data/data/com.rjzenjmum.vtuudohsv/cache/classes.dex

Filesize
1.0MB

MD5
c648085afe810e07df71584f7e1771cd

SHA1
ca616e8c479f0cf54dc9eca9a16a1d9691120fd8

SHA256
476bceaa67be558213a9d0a77c2211988020ba064c6fde52264d76fcb84aaca2

SHA512
9d9051a8bd0198323fa8c2315252eabb01a38b7bb7da2893144ff9abc1988fad43a69927a76ec6c6c68bb509ed65ff03b260b2edd2b207a07c8c60fb2bdd97e8

Download Submit
/data/data/com.rjzenjmum.vtuudohsv/cache/classes.zip

Filesize
1.0MB

MD5
ddce10d1722f7e9e7e3c8fcf78ba656f

SHA1
5ad211a0ac230b386234bab1e2faee5230c6fca9

SHA256
0250da3289aa1bfbef5856da4ff2656e2a727d178ec86533fa0df2655924b2ac

SHA512
580f9fa5272516160dfd70c855983f13248127052f48dd146d9ddf7889eea6a0316828568a04c90df3aaf28d4a395fffa4cd2420293cd6c84adf3f6762983d83

Download Submit
/data/data/com.rjzenjmum.vtuudohsv/no_backup/androidx.work.workdb

Filesize
4KB

MD5
f2b4b0190b9f384ca885f0c8c9b14700

SHA1
934ff2646757b5b6e7f20f6a0aa76c7f995d9361

SHA256
0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

SHA512
ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

Download Submit
/data/data/com.rjzenjmum.vtuudohsv/no_backup/androidx.work.workdb-journal

Filesize
512B

MD5
c6d79af25c828167e5fbe3a5f5d17626

SHA1
c2d85d38e062f301613518eb6363a93df36d3e21

SHA256
cbce7694e471748738824ed57ac3d6db244b7fb5598a303f21e9776e0cd2d832

SHA512
1768cd94baed75d3c25bd4bffe0c9c8449a7565d68712733a994af9ddacbf21d301120fbbea2592e7be0d768af0e000f415d82f129c7972aeb04aa798b7d9d13

Download Submit
/data/data/com.rjzenjmum.vtuudohsv/no_backup/androidx.work.workdb-shm

Filesize
32KB

MD5
bb7df04e1b0a2570657527a7e108ae23

SHA1
5188431849b4613152fd7bdba6a3ff0a4fd6424b

SHA256
c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

SHA512
768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Download Submit
/data/data/com.rjzenjmum.vtuudohsv/no_backup/androidx.work.workdb-wal

Filesize
16KB

MD5
e81b66dc2af3c374088dc584137d6785

SHA1
3cbe6b29f58e4788fd868e0a52ab08b7a3be2bb6

SHA256
9e0f082becfd7186799c8d3a07208d70d16ecb3d33afba65e2c34b936924e076

SHA512
065bccfecbfc5be4bd9e6ba8bd66d4be05f3ac9476d77df632e30ff44de08f2d4def0d460c2e337805dbc233c773c813cb11cfdf95af54e2f701e200f676f674

Download Submit
/data/data/com.rjzenjmum.vtuudohsv/no_backup/androidx.work.workdb-wal

Filesize
108KB

MD5
c2e7bcfc37e0ff353476bbf33826c1f7

SHA1
ef65d21fb632b410c27ddcaf95ec924e32e93f5c

SHA256
673005e5600bb1500ff5a726c16b03b870d006497e6b41f0d0aa02c25120b939

SHA512
1faa54844759af6b3a14c2e9bee98319945f9e60a9598312b54419500f6db310f422f5bf6c0aef689cd2e6a30b552a754189eca66b8e75bab0719446004fabbc

Download Submit
/data/data/com.rjzenjmum.vtuudohsv/no_backup/androidx.work.workdb-wal

Filesize
173KB

MD5
4cd9634cf8a7719811332e450132d1a6

SHA1
3446f70a76170578d823ef6f1c564147abd1ec50

SHA256
4acd91cfb1e09a22560fe7d1a25b797b053f0fe73ed4932fe7b0b9f53d9f44af

SHA512
f1494d35c4a6e379c9188bd775a276ac9dc56c41eac04e2a94eaaded1a04def99d774cf59c37311fef293ab9f448ad25e1a47e1ab03286891661529920274e62

Download Submit