Overview

overview

10

Static

static

6

0cbbdc5616...0a.apk

android-9-x86

10

0cbbdc5616...0a.apk

android-10-x64

10

0cbbdc5616...0a.apk

android-11-x64

10

Analysis

  • max time kernel
    171s
  • max time network
    191s
  • platform
    android_x64
  • resource
    android-x64-arm64-20240624-en
  • resource tags

    androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240624-enlocale:en-usos:android-11-x64system
  • submitted
    11-08-2024 22:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0cbbdc5616f4a48f38d763317b59d915a5f054d060b9e69924876716e69f620a.apk

  • Size

    4.3MB

  • MD5

    232655bb6d41e37344fdc82ca82ab21c

  • SHA1

    02865a28db7022f621dc39e26f0054d8276ad7bb

  • SHA256

    0cbbdc5616f4a48f38d763317b59d915a5f054d060b9e69924876716e69f620a

  • SHA512

    a12b014596e28fe8250a4eb3c81f41495ea445f867e4a96e539a81a1500fcf2286f766d7fe4a9a43adf5b644d5497a3bae5402a0b98525ff41b5b4c374f639e2

  • SSDEEP

    98304:8IkHWSOSDhANKwdwTpGyVLILF+h9kHy3W7lulKZ6buC39:8IkHW9NJdwfo43kSmww6bP

Score
10/10
hookcollectioncredential_accessdiscoveryevasionexecutionimpactinfostealerpersistencerattrojan

Malware Config

Extracted

Family

hook

C2

http://193.3.19.40

DES_key
AES_key

Signatures

  • Hook

    Hook is an Android malware that is based on Ermac with RAT capabilities.

    rattrojaninfostealerhook
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasioncredential_access
  • Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

    Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

    collectioncredential_accessimpact
  • Queries information about running processes on the device 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about running processes on the device.

    discovery
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    evasionpersistence
  • Performs UI accessibility actions on behalf of the user 1 TTPs 5 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

    discovery
  • Reads information about phone network operator. 1 TTPs
    discovery
  • Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

    executionpersistence
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
    impact
  • Checks CPU information 2 TTPs 1 IoCs
  • Checks memory information 2 TTPs 1 IoCs

Processes

  • com.kxgcfoafy.rriydckpr
    1⤵
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Obtains sensitive information copied to the device clipboard
    • Queries information about running processes on the device
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries information about the current Wi-Fi connection
    • Schedules tasks to execute at a specified time
    • Uses Crypto APIs (Might try to encrypt user data)
    • Checks CPU information
    • Checks memory information
    PID:4632

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

1
T1603

Persistence

Foreground Persistence

1
T1541

Scheduled Task/Job

1
T1603

Privilege Escalation

Defense Evasion

Download New Code at Runtime

1
T1407

Foreground Persistence

1
T1541

Impair Defenses

1
T1629

Prevent Application Removal

1
T1629.001

Input Injection

1
T1516

Virtualization/Sandbox Evasion

2
T1633

System Checks

2
T1633.001

Credential Access

Clipboard Data

1
T1414

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Discovery

Process Discovery

1
T1424

System Information Discovery

2
T1426

System Network Configuration Discovery

2
T1422

System Network Connections Discovery

1
T1421

Lateral Movement

Collection

Clipboard Data

1
T1414

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Screen Capture

1
T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

1
T1471

Data Manipulation

1
T1641

Transmitted Data Manipulation

1
T1641.001

Input Injection

1
T1516

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/com.kxgcfoafy.rriydckpr/app_dex/classes.dex
    Filesize

    2.9MB

    MD5

    0fc16fa09a94af8bb4ea1637b7341f50

    SHA1

    9deec1ceffd986267e843baac23fa2ba66330660

    SHA256

    61ec4668cb5cc0fdf2b89044f0b2b6dc65fca3a18294984ec51d0cbdbac54df7

    SHA512

    c75cf5d569a99469874517a12e95fff8929c096cba6d06c2cc37ccb2c659f56f88b7cdbedd20062bb4853d4ff2a79b9e21caaef394ecbae2c2b83a191e9aebc0

    Download Submit

  • /data/data/com.kxgcfoafy.rriydckpr/cache/classes.dex
    Filesize

    1.0MB

    MD5

    0df792f370847ff2219bb7a2921eb06d

    SHA1

    af029e44e802471a924a35d46e5b7161091c2336

    SHA256

    1e840334025f3aaa8e1d10be81d0edb53fa2eeb03333a0f58e65bca5022e643f

    SHA512

    cef0a5694bd1ee05e05995a5b21a24096bc70d6dca3f12b52b0b2c200df4f31c0348df09d03318999ac5179e9501b293abe82575a5a2d6e1a093a3a1a78163c3

    Download Submit

  • /data/data/com.kxgcfoafy.rriydckpr/cache/classes.zip
    Filesize

    1.0MB

    MD5

    0b16ec09e090732bbafb54ce541896cb

    SHA1

    3d83ad5fd99248bf71c841e4623ea7f9f4ff8658

    SHA256

    931e4b05f1329f238b60827d0068ec42ce749d4d6199fb2a14847d3cb1487253

    SHA512

    e572e229c3f26cb81beab324608a60db62e7db825c2fc61e84598a417013d5f9143909714e8bad101c0445d3d2eee347d10f72a0531fcc4609da452e08236c2d

    Download Submit

  • /data/data/com.kxgcfoafy.rriydckpr/no_backup/androidx.work.workdb
    Filesize

    4KB

    MD5

    7e858c4054eb00fcddc653a04e5cd1c6

    SHA1

    2e056bf31a8d78df136f02a62afeeca77f4faccf

    SHA256

    9010186c5c083155a45673017d1e31c2a178e63cc15a57bbffde4d1956a23dad

    SHA512

    d0c7a120940c8e637d5566ef179d01eff88a2c2650afda69ad2a46aad76533eaace192028bba3d60407b4e34a950e7560f95d9f9b8eebe361ef62897d88b30cb

    Download Submit

  • /data/data/com.kxgcfoafy.rriydckpr/no_backup/androidx.work.workdb-journal
    Filesize

    512B

    MD5

    19253c995b1d93880e1d584e80d196c2

    SHA1

    644887fa49de4930ebf7a0a247a439d2e58948cb

    SHA256

    392ed34a68c03c4b349566b0a7e0155ee7be5f378e0548d8ad44606babc7eb13

    SHA512

    44d56001db5782cb59f12c6d06c73bfa1a4b8d6af569ba24eee161a673d4e3236c6955505530929b5d45fdc7fb93ba52acdadd8ef43417c2731c13b6b32e953c

    Download Submit

  • /data/data/com.kxgcfoafy.rriydckpr/no_backup/androidx.work.workdb-shm
    Filesize

    32KB

    MD5

    bb7df04e1b0a2570657527a7e108ae23

    SHA1

    5188431849b4613152fd7bdba6a3ff0a4fd6424b

    SHA256

    c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

    SHA512

    768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

    Download Submit

  • /data/data/com.kxgcfoafy.rriydckpr/no_backup/androidx.work.workdb-wal
    Filesize

    16KB

    MD5

    77151b62360f7c9cae86b8a58843b120

    SHA1

    9757275b463e591f84cfb21a8d82f6ad5212c9b9

    SHA256

    1098c744fbde4de501a1f5508a2284b4026b14c23fbd4f115d61e0752685fc6f

    SHA512

    d60e230f5324227b0ffa5f2b56d14674eee89b39d61269e864e6543c07d8d7c322f2c99d464647146f37aa1b6f1f983146564ac27b78aadd7f2322c48b7d874d

    Download Submit

  • /data/data/com.kxgcfoafy.rriydckpr/no_backup/androidx.work.workdb-wal
    Filesize

    108KB

    MD5

    9b5492e3f3954fc9428a0be48e86128b

    SHA1

    f4fe2a4730d6315c8b7c824dc3c6ddf64e7e0fa4

    SHA256

    9980d2fffa75c06d08084ecea7fb5423ee6aab0a550bfa28b354d6329066316b

    SHA512

    f806be6c9350c687f01967c9a41993f262d13145afbecde65ae42319e8f31e2502afe1592d2c501bc0d83fc00f56c903a1988768612b4c3ed4da50e13429f103

    Download Submit

  • /data/data/com.kxgcfoafy.rriydckpr/no_backup/androidx.work.workdb-wal
    Filesize

    173KB

    MD5

    070459fcf990670288399feb16e1cf69

    SHA1

    bee3cba272f2bac43e5e0f4c6c894d4531c1cb12

    SHA256

    10611bb7621e6525fa729ce1331f5b6011d33f469c94416624268aeb597f7622

    SHA512

    9537e4e275b7460e5c627362867c0d85e85bda698715f055db27d1bc24f4a2d9c5bc4d55bc9148606dc315c864df74d3d5f991b6d3416fbd5ae152662d8357e9

    Download Submit