Overview

overview

10

Static

static

6

9a520a99e7...72.apk

android-9-x86

10

9a520a99e7...72.apk

android-10-x64

10

9a520a99e7...72.apk

android-11-x64

10

Analysis

  • max time kernel
    179s
  • max time network
    189s
  • platform
    android_x86
  • resource
    android-x86-arm-20240624-en
  • resource tags

    androidarch:armarch:x86image:android-x86-arm-20240624-enlocale:en-usos:android-9-x86system
  • submitted
    10-08-2024 22:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9a520a99e77f6daef764c3081cc17aca8110b3def6de55be46659de77cab6572.apk

  • Size

    4.3MB

  • MD5

    48a832149a7babc03ac1352c4fbdab6b

  • SHA1

    5a29ea5c787f2422b7e3e1634f6e515d9588afe4

  • SHA256

    9a520a99e77f6daef764c3081cc17aca8110b3def6de55be46659de77cab6572

  • SHA512

    998df6dd0e157164220f0e3154b16c582534c9719485a96c7524d2272d47e2252dc373f5d205f91a10b90e1661eec9ed49b794d855f0ea0d1450484e82dae5f8

  • SSDEEP

    98304:gnlarLN0IXVSwSLOsOi0QOPM9dBRt66M94bkx8oQXr1RThM1:gnUnNzVpSydBPk9dbtO4TXrvK1

Score
10/10
hookcollectioncredential_accessdiscoveryevasionexecutionimpactinfostealerpersistenceratstealthtrojan

Malware Config

Extracted

Family

hook

C2

http://193.3.19.40

DES_key
AES_key

Signatures

  • Hook

    Hook is an Android malware that is based on Ermac with RAT capabilities.

    rattrojaninfostealerhook
  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
    stealthtrojanevasion
  • Loads dropped Dex/Jar 1 TTPs 3 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasioncredential_access
  • Queries information about running processes on the device 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about running processes on the device.

    discovery
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    evasionpersistence
  • Performs UI accessibility actions on behalf of the user 1 TTPs 5 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

    discovery
  • Reads information about phone network operator. 1 TTPs
    discovery
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
    evasion
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
    persistence
  • Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

    executionpersistence
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
    impact

Processes

  • com.utbyhglxp.btfeasgis
    1⤵
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Queries information about running processes on the device
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries information about the current Wi-Fi connection
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Schedules tasks to execute at a specified time
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4275
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.utbyhglxp.btfeasgis/app_dex/classes.dex --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.utbyhglxp.btfeasgis/app_dex/oat/x86/classes.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4305

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

1
T1603

Persistence

Event Triggered Execution

1
T1624

Broadcast Receivers

1
T1624.001

Foreground Persistence

1
T1541

Scheduled Task/Job

1
T1603

Privilege Escalation

Defense Evasion

Download New Code at Runtime

1
T1407

Foreground Persistence

1
T1541

Hide Artifacts

2
T1628

Suppress Application Icon

1
T1628.001

User Evasion

1
T1628.002

Impair Defenses

1
T1629

Prevent Application Removal

1
T1629.001

Input Injection

1
T1516

Credential Access

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Discovery

Process Discovery

1
T1424

System Network Configuration Discovery

2
T1422

System Network Connections Discovery

1
T1421

Lateral Movement

Collection

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Screen Capture

1
T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

1
T1471

Input Injection

1
T1516

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/com.utbyhglxp.btfeasgis/app_dex/classes.dex
    Filesize

    2.9MB

    MD5

    9fae53e68782bd40579a2a7530d17db3

    SHA1

    bf871f1e1aebc543fd7833a46bff185dc0062643

    SHA256

    a129fa37c966ae413141c2a03169ab3f1c30cb417271251680cf9fc5f7c708d4

    SHA512

    f578c832825b988d10da9d63b65c0dca6580ae1353da19aea07a87773e6fccc67cc3d0d45e3132e95153783f3e50fc6c8955953dd649af73537d0fc2850413fd

    Download Submit

  • /data/data/com.utbyhglxp.btfeasgis/cache/classes.dex
    Filesize

    1.0MB

    MD5

    383a05e1363f9c234da7336b1de06b67

    SHA1

    06e87b668d02d4c54559f726b4204665ec94c00f

    SHA256

    1ad2ba74abefa627e2aec75366c5961a741fd24246deecc9176918e074c436ba

    SHA512

    9a329a9fc46a1bb90c33e903084af700235738912670e73b52874a657cec4d722da534805ee7e4ada0a8ec612146ee494b2c51f34702ebfeafd97ad57f9dc061

    Download Submit

  • /data/data/com.utbyhglxp.btfeasgis/cache/classes.zip
    Filesize

    1.0MB

    MD5

    b5cf7d39d2312f4e7da1f35882dc3ce8

    SHA1

    eb050b21ed4669b9bf84c3139c78205f93425945

    SHA256

    5bd8556ed642909afc7ed9d1a7912b24361d0c1043f2560b9606da9b940b3b46

    SHA512

    2587b84e43250f17d953a1bdb90951deaa8dcc36e4c6438101889fbac23943a79dfec3f4007460ba231418bc3c2fcc260a8a9f1d40ebe7dc4327d6e4afd285fd

    Download Submit

  • /data/data/com.utbyhglxp.btfeasgis/no_backup/androidx.work.workdb
    Filesize

    4KB

    MD5

    f2b4b0190b9f384ca885f0c8c9b14700

    SHA1

    934ff2646757b5b6e7f20f6a0aa76c7f995d9361

    SHA256

    0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

    SHA512

    ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

    Download Submit

  • /data/data/com.utbyhglxp.btfeasgis/no_backup/androidx.work.workdb-journal
    Filesize

    512B

    MD5

    fb135f1f88e7e9bf7fa276c3e0d59994

    SHA1

    512439a64a6b726bf389ec02f38d62653def2858

    SHA256

    b093e45bea110c72b1eacd198d3ba998ddc9366d9fcb02babed5cb596990eaab

    SHA512

    ea825478caadf993a1b8f04f5292d05e2d1ab2a3807ea3b0cd8f4dedfd965fda72c1bd20eba54ce4295abb00a601b20707771523446747ea5b1deb194ef0abfc

    Download Submit

  • /data/data/com.utbyhglxp.btfeasgis/no_backup/androidx.work.workdb-shm
    Filesize

    32KB

    MD5

    bb7df04e1b0a2570657527a7e108ae23

    SHA1

    5188431849b4613152fd7bdba6a3ff0a4fd6424b

    SHA256

    c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

    SHA512

    768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

    Download Submit

  • /data/data/com.utbyhglxp.btfeasgis/no_backup/androidx.work.workdb-wal
    Filesize

    108KB

    MD5

    0ab3f46d2002f669d7448d301f910514

    SHA1

    64b21e239f9c3734a869418711a422a8035b0f3a

    SHA256

    5e589a8486520f6f392cf258a27cbe99793f2ee845c55f9cf6e55ac2de894957

    SHA512

    73574b9b3ab2edc16011c1a1aac8a21fffe886dd415dc20eced00535283019016d386407743a93507c5502d7a7c8a248edd07120986bdc43d411b0a0ed7f4eb5

    Download Submit

  • /data/data/com.utbyhglxp.btfeasgis/no_backup/androidx.work.workdb-wal
    Filesize

    173KB

    MD5

    ddd41fc727518d2a3770af0fdfe4bec8

    SHA1

    53567d31c37fa542dd0fe97e8dc55eaec5309817

    SHA256

    2928fd0f361991578fd30bef6c1567272caa8f6520d17d0aeadeaac3dcf5a5bf

    SHA512

    e1911ec8c138cbc6acfc6f989fd76aa6e50fbdfd2e33e47aa3add78ae95cd7de8c034fc67779c936c069f1e5c97c01b864451b464d92d22784c3d8680cdaf36c

    Download Submit

  • /data/data/com.utbyhglxp.btfeasgis/no_backup/androidx.work.workdb-wal
    Filesize

    16KB

    MD5

    9639791f3af2c53bb99e702e201c2ae5

    SHA1

    3366897e40be4cc287dbb154ecc96bed9424caf0

    SHA256

    d493aeb274facc61e494e2a2c0f422bfeb562873f1cbe886547233fa83257fe8

    SHA512

    f8ff26f945f562abe2462d9a676238d682927b61231cde4bc248a6ccb5dcbc064c5d41f469c67e971e386dbb450ac18f2bcfc28ca336c6487626e304c8669867

    Download Submit

  • /data/user/0/com.utbyhglxp.btfeasgis/app_dex/classes.dex
    Filesize

    2.9MB

    MD5

    1937ca55bc0bd6c4f0c0e00ce94d3398

    SHA1

    9419c17ba473072fb6aa8c0c847f139cc6cb016e

    SHA256

    aadf72344f45370ebc2319d109035930a314985726981091afd80ffac67fe61f

    SHA512

    306a17536b60704c33dc647f6429f30ad9283382f6cc766ad08d564439d224784fb4777fcea52925a360b5fce0c758af85d2927140b4f9726955f5219545fbcc

    Download Submit