hook | 226ae08a5c7a95f0fc6ad2017abeeb97faf688e30904f4d97971cd5e1c5a89eb

Analysis

max time kernel
35s
max time network
199s
platform
android_x64
resource
android-x64-20240624-en
resource tags

androidarch:x64arch:x86image:android-x64-20240624-enlocale:en-usos:android-10-x64system
submitted
12-08-2024 22:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

226ae08a5c7a95f0fc6ad2017abeeb97faf688e30904f4d97971cd5e1c5a89eb.apk
Size

4.2MB
MD5

784d61b77ad0fce4085a336a862e6776
SHA1

4083ec706d5ef6f60fb830d4051d37531664a695
SHA256

226ae08a5c7a95f0fc6ad2017abeeb97faf688e30904f4d97971cd5e1c5a89eb
SHA512

072044816b454ee498a1feb61a50eac5fed8a0ec75a112a0a319be2cc7fe3637ca7e83c164788d7844fbebddd38e65f921729007c017c5ffd1952a0f93c18b10
SSDEEP

98304:1hZw8/zRQZ6RzVajc2r2ByvYT22yChZL0BehmM:PZ9/zRS6Ac2SByrfwJ0yF

Score

10^/10

hook banker collection credential_access discovery evasion execution impact infostealer persistence rat trojan

Malware Config

Extracted

Family

hook

http://134.255.180.156

DES_key

AES_key

Signatures

Hook
Hook is an Android malware that is based on Ermac with RAT capabilities.
rat trojan infostealer hook

Loads dropped Dex/Jar 1 TTPs 2 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

Processes:

com.tayyrnnst.hbteqmyph

ioc	pid	process
/data/user/0/com.tayyrnnst.hbteqmyph/app_dex/classes.dex	5165	com.tayyrnnst.hbteqmyph
/data/user/0/com.tayyrnnst.hbteqmyph/app_dex/classes.dex	5165	com.tayyrnnst.hbteqmyph

Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

Processes:

com.tayyrnnst.hbteqmyph

description	ioc	process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.tayyrnnst.hbteqmyph
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText	com.tayyrnnst.hbteqmyph
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.tayyrnnst.hbteqmyph

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Queries information about running processes on the device 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about running processes on the device.
discovery

Process Discovery
T1424

Processes:

com.tayyrnnst.hbteqmyph

description ioc process

Framework service call android.app.IActivityManager.getRunningAppProcesses com.tayyrnnst.hbteqmyph
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422
Acquires the wake lock 1 IoCs

Processes:

com.tayyrnnst.hbteqmyph

description ioc process

Framework service call android.os.IPowerManager.acquireWakeLock com.tayyrnnst.hbteqmyph
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
evasion persistence

Foreground Persistence
T1541

Processes:

com.tayyrnnst.hbteqmyph

description ioc process

Framework service call android.app.IActivityManager.setServiceForeground com.tayyrnnst.hbteqmyph

description	ioc	process
Framework service call	android.app.IActivityManager.getRunningAppProcesses	com.tayyrnnst.hbteqmyph

description	ioc	process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.tayyrnnst.hbteqmyph

description	ioc	process
Framework service call	android.app.IActivityManager.setServiceForeground	com.tayyrnnst.hbteqmyph

Performs UI accessibility actions on behalf of the user 1 TTPs 5 IoCs

Application may abuse the accessibility service to prevent their removal.

evasion

Prevent Application Removal

T1629.001

Processes:

com.tayyrnnst.hbteqmyph

ioc	process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.tayyrnnst.hbteqmyph
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.tayyrnnst.hbteqmyph
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.tayyrnnst.hbteqmyph
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.tayyrnnst.hbteqmyph
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.tayyrnnst.hbteqmyph

Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
discovery

System Network Connections Discovery
T1421

Processes:

com.tayyrnnst.hbteqmyph

description ioc process

Framework service call android.net.wifi.IWifiManager.getConnectionInfo com.tayyrnnst.hbteqmyph
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
discovery

System Network Configuration Discovery
T1422

Processes:

com.tayyrnnst.hbteqmyph

description ioc process

Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone com.tayyrnnst.hbteqmyph
Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
persistence

Broadcast Receivers
T1624.001

Processes:

com.tayyrnnst.hbteqmyph

description ioc process

Framework service call android.app.IActivityManager.registerReceiver com.tayyrnnst.hbteqmyph
Schedules tasks to execute at a specified time 1 TTPs 1 IoCs
Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
execution persistence

Scheduled Task/Job
T1603

Processes:

com.tayyrnnst.hbteqmyph

description ioc process

Framework service call android.app.job.IJobScheduler.schedule com.tayyrnnst.hbteqmyph
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
impact

Data Encrypted for Impact
T1471

Processes:

com.tayyrnnst.hbteqmyph

description ioc process

Framework API call javax.crypto.Cipher.doFinal com.tayyrnnst.hbteqmyph

description	ioc	process
Framework service call	android.net.wifi.IWifiManager.getConnectionInfo	com.tayyrnnst.hbteqmyph

description	ioc	process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.tayyrnnst.hbteqmyph

description	ioc	process
Framework service call	android.app.IActivityManager.registerReceiver	com.tayyrnnst.hbteqmyph

description	ioc	process
Framework service call	android.app.job.IJobScheduler.schedule	com.tayyrnnst.hbteqmyph

description	ioc	process
Framework API call	javax.crypto.Cipher.doFinal	com.tayyrnnst.hbteqmyph

com.tayyrnnst.hbteqmyph
1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Queries information about running processes on the device
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries information about the current Wi-Fi connection
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Schedules tasks to execute at a specified time
- Uses Crypto APIs (Might try to encrypt user data)
PID:5165

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

T1603

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Foreground Persistence

T1541

Scheduled Task/Job

T1603

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Foreground Persistence

T1541

Impair Defenses

T1629

Prevent Application Removal

T1629.001

Input Injection

T1516

Credential Access

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Process Discovery

T1424

Software Discovery

T1418

Security Software Discovery

T1418.001

System Network Configuration Discovery

T1422

System Network Connections Discovery

T1421

Lateral Movement

Collection

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.tayyrnnst.hbteqmyph/app_dex/classes.dex

Filesize
2.9MB

MD5
8485204090d472f3b4ab0c4b87f6b939

SHA1
49ba074b53a207c37eea804faee9cb8d5eecf5b6

SHA256
feb21887d34705c279d8c588e391984a8826880689c877302e0db5b0e4870584

SHA512
dbbf9225bd20a8281d8736a25a4e6c7935797dd079d8c9cac5e4ba00bb31c337840dfa896573b5372f99e7fdc43a5bba07f999df15112c574ff6af2dc5072ec6

Download Submit
/data/data/com.tayyrnnst.hbteqmyph/cache/classes.dex

Filesize
1.0MB

MD5
81f1709f48bbb82639939a44d48de243

SHA1
76cbebdd897849de285ea18994c2790ad8da6625

SHA256
a9e927567913d75aa353ec98496dcf3aca70102b8348d34d36356a8935028b5b

SHA512
32b9376d6f778f5c325ff3179fe6ef5604adeafbb28d4f04f04b4e08e9e7bf9665b8524bedb4b54f33b745b067c2e6a01f7375e1570c6bbd213b1b0cf681fb59

Download Submit
/data/data/com.tayyrnnst.hbteqmyph/cache/classes.zip

Filesize
1.0MB

MD5
4d9bd8b408e45ba38bd4538e11023cb9

SHA1
365e7168082ac9e5c2125c2eecbc0b9c1f897c3f

SHA256
176373a0f9d0b177afe2ec615d9c099facf3be1e53e6be7e35e5b8c72e23e7fc

SHA512
719b9878c7d8fb86b95d9dfed36c048b2d8627c34844e5a5bcecac7ba2c9696b6272a1c3f4082d78be8a84824b2d3623ce7a9923ed4beed39fcdf8e37da26e64

Download Submit
/data/data/com.tayyrnnst.hbteqmyph/no_backup/androidx.work.workdb

Filesize
4KB

MD5
f2b4b0190b9f384ca885f0c8c9b14700

SHA1
934ff2646757b5b6e7f20f6a0aa76c7f995d9361

SHA256
0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

SHA512
ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

Download Submit
/data/data/com.tayyrnnst.hbteqmyph/no_backup/androidx.work.workdb-journal

Filesize
512B

MD5
fb7239e52e60192666c925915e401654

SHA1
07ebd21b21b7a4e818d5e5b731d9a187101a911a

SHA256
dad8cfa18c030e9a4ea4cd192a2169a0adb2d638e78fbb59d4214f4f198a9af4

SHA512
357ff3bb5255b690a358110f663bcdb24ef584b773d2b081e1a8b369bee4c8ef685b6862ad73123941aa8905fdccac3b0b76af114490815d9efbc3273ff89a81

Download Submit
/data/data/com.tayyrnnst.hbteqmyph/no_backup/androidx.work.workdb-shm

Filesize
32KB

MD5
bb7df04e1b0a2570657527a7e108ae23

SHA1
5188431849b4613152fd7bdba6a3ff0a4fd6424b

SHA256
c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

SHA512
768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Download Submit
/data/data/com.tayyrnnst.hbteqmyph/no_backup/androidx.work.workdb-wal

Filesize
16KB

MD5
e9c08b49c0c6f9f5356f4f19d56ef271

SHA1
d70705c9d1562b01840543385036dc3d7fed054a

SHA256
b45f22e3e7cdb7e6b6ec65da58a4818d289c746d471178571e05917cd258cc44

SHA512
672892ecb1fa1d3b9a27b8dd7feb1e71edef00b9c6a2d0d0297a1794984ad66e5a4b92c92e7433dd620f6befbc88c2bd0b8eb8ddd7dae7ea2ab3eddfff0f4f77

Download Submit
/data/data/com.tayyrnnst.hbteqmyph/no_backup/androidx.work.workdb-wal

Filesize
108KB

MD5
d06aa1f2d1c95a6cb63fdb62db37cf59

SHA1
dad3d2a7a30d4bf0454501fb5b2ec68b2991f854

SHA256
8c2c3a38d51e87f848e47dec6fb9ffdc0649949d5c105031466ac7282d019083

SHA512
c4b168ce343d1959f3e6ae6ff2b0511205367789362921e6f1b838df550849aa37bb2a43549b8792e3bf32fbd8c967877ca62d1980d8329a18fbfd60769550d4

Download Submit
/data/data/com.tayyrnnst.hbteqmyph/no_backup/androidx.work.workdb-wal

Filesize
173KB

MD5
f478e43762bf397ed73943c3edfe1ce6

SHA1
082fe16b23fcf3441680781bce9c981fd7205b02

SHA256
9709ca00188d80eabea5e39efbdc8d1aa326ef2d6e953dd2baeeafac6e71a149

SHA512
b6631e92571245c8596ba37335af59a769fa7187e9d7c19f6aa036c9b7fa83a83a93642aa8e3b3747b7aa461f50b4bdcb1ad522252de147cb29e9932c1bffc27

Download Submit