Overview

overview

10

Static

static

6

6c396f6fe9...fc.apk

android-9-x86

10

6c396f6fe9...fc.apk

android-10-x64

10

6c396f6fe9...fc.apk

android-11-x64

10

Analysis

  • max time kernel
    163s
  • max time network
    193s
  • platform
    android_x64
  • resource
    android-x64-20240624-en
  • resource tags

    androidarch:x64arch:x86image:android-x64-20240624-enlocale:en-usos:android-10-x64system
  • submitted
    09-08-2024 22:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6c396f6fe92a262c6f99ecff365b68a19ea6aa1bdf5f5ebada207e68c90f8ffc.apk

  • Size

    4.2MB

  • MD5

    a8d1cd46640befce78f39057e28e250e

  • SHA1

    27d1179976c036fd2a58978c6e9dabbfab107a6e

  • SHA256

    6c396f6fe92a262c6f99ecff365b68a19ea6aa1bdf5f5ebada207e68c90f8ffc

  • SHA512

    ce46d368c29bee222b9544066d5736299e567191648741fad7f58800bd83da66eb0093cdc1fdbae97f39e7d0cf7cded11570a23af1539e6fba93d3437ac8f0a0

  • SSDEEP

    98304:OdDmUI4Mrq0VR0Qmup/wuXvFVtEyok+wkrNB:OsrdVRjm8z9sXkFQb

Score
10/10
hookbankercollectioncredential_accessdiscoveryevasionexecutionimpactinfostealerpersistencerattrojan

Malware Config

Extracted

Family

hook

C2

http://193.3.19.40

DES_key
AES_key

Signatures

  • Hook

    Hook is an Android malware that is based on Ermac with RAT capabilities.

    rattrojaninfostealerhook
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasioncredential_access
  • Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

    Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

    collectioncredential_accessimpact
  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
    bankerdiscovery
  • Queries information about running processes on the device 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about running processes on the device.

    discovery
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    evasionpersistence
  • Performs UI accessibility actions on behalf of the user 1 TTPs 5 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

    discovery
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
    discovery
  • Reads information about phone network operator. 1 TTPs
    discovery
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
    persistence
  • Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

    executionpersistence
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
    impact
  • Checks CPU information 2 TTPs 1 IoCs
  • Checks memory information 2 TTPs 1 IoCs

Processes

  • com.kpkdmjhac.sfggcgdhv
    1⤵
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Obtains sensitive information copied to the device clipboard
    • Queries information about running processes on the device
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries information about the current Wi-Fi connection
    • Queries the mobile country code (MCC)
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Schedules tasks to execute at a specified time
    • Uses Crypto APIs (Might try to encrypt user data)
    • Checks CPU information
    • Checks memory information
    PID:5113

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

1
T1603

Persistence

Event Triggered Execution

1
T1624

Broadcast Receivers

1
T1624.001

Foreground Persistence

1
T1541

Scheduled Task/Job

1
T1603

Privilege Escalation

Defense Evasion

Download New Code at Runtime

1
T1407

Foreground Persistence

1
T1541

Impair Defenses

1
T1629

Prevent Application Removal

1
T1629.001

Input Injection

1
T1516

Virtualization/Sandbox Evasion

2
T1633

System Checks

2
T1633.001

Credential Access

Clipboard Data

1
T1414

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Discovery

Process Discovery

1
T1424

Software Discovery

1
T1418

Security Software Discovery

1
T1418.001

System Information Discovery

2
T1426

System Network Configuration Discovery

3
T1422

System Network Connections Discovery

1
T1421

Lateral Movement

Collection

Clipboard Data

1
T1414

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Screen Capture

1
T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

1
T1471

Data Manipulation

1
T1641

Transmitted Data Manipulation

1
T1641.001

Input Injection

1
T1516

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/com.kpkdmjhac.sfggcgdhv/app_dex/classes.dex
    Filesize

    2.9MB

    MD5

    c40b7109bd22940079be96bb785e9cdf

    SHA1

    da0a10dcda9fde2f8bfbcebab4e606826bd784ab

    SHA256

    a42c8feab624b440e008fa42999d2a4490bd395d8b3530f5099b839c1acaaa90

    SHA512

    73992456d11bb6af769b7b38b3b6cfbf037a4a5b1219f552769fb1a34d8d7727a665968ead8809c9cd234db451395ed9451da72c43bbc765a878947e63fef0df

    Download Submit

  • /data/data/com.kpkdmjhac.sfggcgdhv/cache/classes.dex
    Filesize

    1.0MB

    MD5

    e6830ad458d648a5fa24a3849375a6e5

    SHA1

    0a37f66e5a61c991ace74422ba74be11313cb4e1

    SHA256

    4bfa19aa1140485a58e1c09a0e0d922f9b39de366e21b579e1680d8c95200aa0

    SHA512

    1ebceab1afd03d175c0ac23fe0b545ccf3460d74722464c18385d4ea3318f6558792268cf9651c4be7f4b23b4a31b4db13d9c76fcdfc56cc1d59aae1a8f3a971

    Download Submit

  • /data/data/com.kpkdmjhac.sfggcgdhv/cache/classes.zip
    Filesize

    1.0MB

    MD5

    bd7a442eadd6fb799b9cf9226d42de8d

    SHA1

    9113f5635db8dba54c20815193f6b5a95534571a

    SHA256

    a39959f5a0d5d9995a9d9b88ba4f243372f0a361f91e1464db2439023d0b0369

    SHA512

    b0702edf1c53fd19f94806ad0ec3996b3f9896791be957e4b3e34ad4865ffb07a34726e808f5ebf06dd83163f50cddacbed12c486bab442647bd315ef8717432

    Download Submit

  • /data/data/com.kpkdmjhac.sfggcgdhv/no_backup/androidx.work.workdb
    Filesize

    4KB

    MD5

    f2b4b0190b9f384ca885f0c8c9b14700

    SHA1

    934ff2646757b5b6e7f20f6a0aa76c7f995d9361

    SHA256

    0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

    SHA512

    ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

    Download Submit

  • /data/data/com.kpkdmjhac.sfggcgdhv/no_backup/androidx.work.workdb-journal
    Filesize

    512B

    MD5

    1fb69d7d885721c4a3a7841e5376ed5d

    SHA1

    c452ee1b400b41ce07c5766657c77ba65a973b0c

    SHA256

    0b97ed505836885fc70d35e6bc9dec5a9250004d820749d97ca2b900fff71701

    SHA512

    8e22d842e61594ef899ecd8aefae16c54464b4ae9a23447f108cc24a27ca9d57ada403cf0b199cd68c0100a8348070d5a7de3fc420ad205ef8564706ca4791d0

    Download Submit

  • /data/data/com.kpkdmjhac.sfggcgdhv/no_backup/androidx.work.workdb-shm
    Filesize

    32KB

    MD5

    bb7df04e1b0a2570657527a7e108ae23

    SHA1

    5188431849b4613152fd7bdba6a3ff0a4fd6424b

    SHA256

    c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

    SHA512

    768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

    Download Submit

  • /data/data/com.kpkdmjhac.sfggcgdhv/no_backup/androidx.work.workdb-wal
    Filesize

    16KB

    MD5

    c324b1f887297f6bafeb91b603e9a470

    SHA1

    ad0b2f255336c94bbe7a0efe7147fcfa44968aec

    SHA256

    a8b6d9f9a1918f41be6d7f6f1d7b71edb855a054fa59ec8e4e8e29ece3ed4d70

    SHA512

    f4176c86ee2ec93fa7126185bb710834f83d04b8cf7560cbcd1b25d9f87845f28fb4d7aa0e9e0978ce30c548c4a2074a9a28d099fb755adf411055b77a1f9067

    Download Submit

  • /data/data/com.kpkdmjhac.sfggcgdhv/no_backup/androidx.work.workdb-wal
    Filesize

    108KB

    MD5

    8962b05259d904744f15acaa5a16852f

    SHA1

    401a967e5b6c3fbd2e24241bf159cfbd665d4163

    SHA256

    56509a2863d166eda069f35b2f86381f55230dd34163859aa061cb5ff7972204

    SHA512

    02265d3a01bc59f3c4e3f436c20edd48bf53f54240afcf100cbd83754a8618f508d409d45a8e4bbd6db5c67d0f87fb211b6091ed293215c6670e4685e76fc87b

    Download Submit

  • /data/data/com.kpkdmjhac.sfggcgdhv/no_backup/androidx.work.workdb-wal
    Filesize

    173KB

    MD5

    874506ae9cab10fec09bb2d461c2e434

    SHA1

    c967040ff112db59d88127d4e448881f1e94e9c0

    SHA256

    e0a15733e978fd885c9be40ce811bd419ed49cf83bf5fbd755d0439a0dcd3d27

    SHA512

    42d35dc0a6a59c8d4787380935d75f6f4d44cc7951deb9fc02a34bbcf346f8d41b1ac2b35fd0827a3debbf37eb2385fe0eb210b479c534fd523c6e0f0b27ea0d

    Download Submit