Overview

overview

10

Static

static

6

0cbbdc5616...0a.apk

android-9-x86

10

0cbbdc5616...0a.apk

android-10-x64

10

0cbbdc5616...0a.apk

android-11-x64

10

Analysis

  • max time kernel
    178s
  • max time network
    190s
  • platform
    android_x86
  • resource
    android-x86-arm-20240624-en
  • resource tags

    androidarch:armarch:x86image:android-x86-arm-20240624-enlocale:en-usos:android-9-x86system
  • submitted
    11-08-2024 22:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0cbbdc5616f4a48f38d763317b59d915a5f054d060b9e69924876716e69f620a.apk

  • Size

    4.3MB

  • MD5

    232655bb6d41e37344fdc82ca82ab21c

  • SHA1

    02865a28db7022f621dc39e26f0054d8276ad7bb

  • SHA256

    0cbbdc5616f4a48f38d763317b59d915a5f054d060b9e69924876716e69f620a

  • SHA512

    a12b014596e28fe8250a4eb3c81f41495ea445f867e4a96e539a81a1500fcf2286f766d7fe4a9a43adf5b644d5497a3bae5402a0b98525ff41b5b4c374f639e2

  • SSDEEP

    98304:8IkHWSOSDhANKwdwTpGyVLILF+h9kHy3W7lulKZ6buC39:8IkHW9NJdwfo43kSmww6bP

Score
10/10
hookcollectioncredential_accessdiscoveryevasionexecutionimpactinfostealerpersistencerattrojan

Malware Config

Extracted

Family

hook

C2

http://193.3.19.40

DES_key
AES_key

Signatures

  • Hook

    Hook is an Android malware that is based on Ermac with RAT capabilities.

    rattrojaninfostealerhook
  • Loads dropped Dex/Jar 1 TTPs 3 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasioncredential_access
  • Queries information about running processes on the device 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about running processes on the device.

    discovery
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    evasionpersistence
  • Performs UI accessibility actions on behalf of the user 1 TTPs 5 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

    discovery
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
    discovery
  • Reads information about phone network operator. 1 TTPs
    discovery
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
    persistence
  • Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

    executionpersistence
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
    impact
  • Checks CPU information 2 TTPs 1 IoCs
  • Checks memory information 2 TTPs 1 IoCs

Processes

  • com.kxgcfoafy.rriydckpr
    1⤵
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Queries information about running processes on the device
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries information about the current Wi-Fi connection
    • Queries the mobile country code (MCC)
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Schedules tasks to execute at a specified time
    • Uses Crypto APIs (Might try to encrypt user data)
    • Checks CPU information
    • Checks memory information
    PID:4262
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.kxgcfoafy.rriydckpr/app_dex/classes.dex --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.kxgcfoafy.rriydckpr/app_dex/oat/x86/classes.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4289

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

1
T1603

Persistence

Event Triggered Execution

1
T1624

Broadcast Receivers

1
T1624.001

Foreground Persistence

1
T1541

Scheduled Task/Job

1
T1603

Privilege Escalation

Defense Evasion

Download New Code at Runtime

1
T1407

Foreground Persistence

1
T1541

Impair Defenses

1
T1629

Prevent Application Removal

1
T1629.001

Input Injection

1
T1516

Virtualization/Sandbox Evasion

2
T1633

System Checks

2
T1633.001

Credential Access

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Discovery

Process Discovery

1
T1424

System Information Discovery

2
T1426

System Network Configuration Discovery

3
T1422

System Network Connections Discovery

1
T1421

Lateral Movement

Collection

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Screen Capture

1
T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

1
T1471

Input Injection

1
T1516

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/com.kxgcfoafy.rriydckpr/app_dex/classes.dex
    Filesize

    2.9MB

    MD5

    0fc16fa09a94af8bb4ea1637b7341f50

    SHA1

    9deec1ceffd986267e843baac23fa2ba66330660

    SHA256

    61ec4668cb5cc0fdf2b89044f0b2b6dc65fca3a18294984ec51d0cbdbac54df7

    SHA512

    c75cf5d569a99469874517a12e95fff8929c096cba6d06c2cc37ccb2c659f56f88b7cdbedd20062bb4853d4ff2a79b9e21caaef394ecbae2c2b83a191e9aebc0

    Download Submit

  • /data/data/com.kxgcfoafy.rriydckpr/cache/classes.dex
    Filesize

    1.0MB

    MD5

    0df792f370847ff2219bb7a2921eb06d

    SHA1

    af029e44e802471a924a35d46e5b7161091c2336

    SHA256

    1e840334025f3aaa8e1d10be81d0edb53fa2eeb03333a0f58e65bca5022e643f

    SHA512

    cef0a5694bd1ee05e05995a5b21a24096bc70d6dca3f12b52b0b2c200df4f31c0348df09d03318999ac5179e9501b293abe82575a5a2d6e1a093a3a1a78163c3

    Download Submit

  • /data/data/com.kxgcfoafy.rriydckpr/cache/classes.zip
    Filesize

    1.0MB

    MD5

    0b16ec09e090732bbafb54ce541896cb

    SHA1

    3d83ad5fd99248bf71c841e4623ea7f9f4ff8658

    SHA256

    931e4b05f1329f238b60827d0068ec42ce749d4d6199fb2a14847d3cb1487253

    SHA512

    e572e229c3f26cb81beab324608a60db62e7db825c2fc61e84598a417013d5f9143909714e8bad101c0445d3d2eee347d10f72a0531fcc4609da452e08236c2d

    Download Submit

  • /data/data/com.kxgcfoafy.rriydckpr/no_backup/androidx.work.workdb
    Filesize

    4KB

    MD5

    f2b4b0190b9f384ca885f0c8c9b14700

    SHA1

    934ff2646757b5b6e7f20f6a0aa76c7f995d9361

    SHA256

    0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

    SHA512

    ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

    Download Submit

  • /data/data/com.kxgcfoafy.rriydckpr/no_backup/androidx.work.workdb-journal
    Filesize

    512B

    MD5

    5fb52818af6738c63e54f1e144dc35e0

    SHA1

    3bc71f7c5dea25dc512550787210773ae50d84ce

    SHA256

    f4ddd28d64ea1861355a33ea15a9295c5d7058f975a03bee4f6c41c17b80b49c

    SHA512

    3bf493df1e3e9291386e21da07ad020535c57bd007295f29936c7ae60357d22ee176f49d1977db2a2a5f3b3e44c9023ca2d3157474de0d1d894c19ca19ded0f0

    Download Submit

  • /data/data/com.kxgcfoafy.rriydckpr/no_backup/androidx.work.workdb-shm
    Filesize

    32KB

    MD5

    bb7df04e1b0a2570657527a7e108ae23

    SHA1

    5188431849b4613152fd7bdba6a3ff0a4fd6424b

    SHA256

    c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

    SHA512

    768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

    Download Submit

  • /data/data/com.kxgcfoafy.rriydckpr/no_backup/androidx.work.workdb-wal
    Filesize

    108KB

    MD5

    ee8dcb08a8e938537ef842172ecfad9b

    SHA1

    d24bd4cacf4343a58d23e5355f126590455e01dd

    SHA256

    2d28baa5e7c2a3ef4194a6c642f008c674c4c80873565f803fb55814855aebf3

    SHA512

    fbfa145cc3c599a5e01ed0a3b3a607c6e03662a474b8e93d1859ddba50f4f4064384d45507992049dfb21192724a161bd2ec93b205660179ca4fcbd0f2de282b

    Download Submit

  • /data/data/com.kxgcfoafy.rriydckpr/no_backup/androidx.work.workdb-wal
    Filesize

    173KB

    MD5

    a221208a5e8870b37446da25dca58666

    SHA1

    2c9cfafbb838feed5851636dde38c8b371ca4d45

    SHA256

    1717b8e3c4562b462744e0ce04014d6d71e669555fffc3d39a6df2bea91f86ab

    SHA512

    8cb4d7bc090f2608373033e43928b122aa6384b844d98a38c5911889d0dc13582951597d663c455574ba99059f8fd8f4d6a01ce75b7763742c6fa9058fc45901

    Download Submit

  • /data/data/com.kxgcfoafy.rriydckpr/no_backup/androidx.work.workdb-wal
    Filesize

    16KB

    MD5

    706fb035460b8aaec0b73efb39c83807

    SHA1

    80a51a2562ce7e3f42d90970a2cc8adea3cf314a

    SHA256

    a3425be9949c491aa2a3346068d99370e07379cf3fd5b89921f7d919a0c97566

    SHA512

    101e3d0282518b18b4ec56bf2cb0eb99b1fcdba8eb2d55b87e5f00300617ac1e1ae1172f70200cfbe3b6b0ecf53a4530c25c8e84bd617288c62a6e13769097e8

    Download Submit

  • /data/user/0/com.kxgcfoafy.rriydckpr/app_dex/classes.dex
    Filesize

    2.9MB

    MD5

    825662712f0579253be7f83344733120

    SHA1

    923d699948e6f6c65a7098e920a13a804d5adf67

    SHA256

    259965efcc7126b4565b4efd2ea92f31f29a2122ad5740d2ecf85c3c5eb6eac9

    SHA512

    0dbe9561bada61dec4b5ba62126abc6455bd4de1082e5e087304e7cc01f3f8d7283c57a84e6fa94986be3ef6bff1085bcbbee9b628465d2430bfcec3d56fd8be

    Download Submit