Overview

overview

10

Static

static

6

50b13a2bfd...55.apk

android-9-x86

10

50b13a2bfd...55.apk

android-10-x64

10

50b13a2bfd...55.apk

android-11-x64

10

Analysis

  • max time kernel
    168s
  • max time network
    185s
  • platform
    android_x64
  • resource
    android-x64-arm64-20240624-en
  • resource tags

    androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240624-enlocale:en-usos:android-11-x64system
  • submitted
    13-08-2024 22:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    50b13a2bfd064894b7b3414ab1a4a0b21b0b536d270bbf3549bba67fe40ef355.apk

  • Size

    4.3MB

  • MD5

    1d4a89cc8bf454e5443be6cd36e67325

  • SHA1

    bcf9f58d4a4af7895f57e1b928aec7c757260294

  • SHA256

    50b13a2bfd064894b7b3414ab1a4a0b21b0b536d270bbf3549bba67fe40ef355

  • SHA512

    894bb7496e76f7678467274ac9257e76c0d816c2df4bcc94b07641f2cf323f0209831df3acc314f5d7f9c6dcd5a3ad36589d57dedd29110a15061f4399cb4fa9

  • SSDEEP

    98304:JuaF5nWll4HGsxu4OKY8K+AbVJS/5IkDFQAeWNF9lwNwI7QlsNZ:QaaloPx2+AV0IkCAv9cB7Q6P

Score
10/10
hookbankercollectioncredential_accessdiscoveryevasionexecutionimpactinfostealerpersistencerattrojan

Malware Config

Extracted

Family

hook

C2

http://134.255.180.156

DES_key
AES_key

Signatures

  • Hook

    Hook is an Android malware that is based on Ermac with RAT capabilities.

    rattrojaninfostealerhook
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasioncredential_access
  • Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

    Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

    collectioncredential_accessimpact
  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
    bankerdiscovery
  • Queries information about running processes on the device 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about running processes on the device.

    discovery
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    evasionpersistence
  • Performs UI accessibility actions on behalf of the user 1 TTPs 5 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

    discovery
  • Reads information about phone network operator. 1 TTPs
    discovery
  • Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

    executionpersistence
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
    impact
  • Checks CPU information 2 TTPs 1 IoCs
  • Checks memory information 2 TTPs 1 IoCs

Processes

  • com.qudxvqoua.zshvvmukz
    1⤵
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Obtains sensitive information copied to the device clipboard
    • Queries information about running processes on the device
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries information about the current Wi-Fi connection
    • Schedules tasks to execute at a specified time
    • Uses Crypto APIs (Might try to encrypt user data)
    • Checks CPU information
    • Checks memory information
    PID:4519

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

1
T1603

Persistence

Foreground Persistence

1
T1541

Scheduled Task/Job

1
T1603

Privilege Escalation

Defense Evasion

Download New Code at Runtime

1
T1407

Foreground Persistence

1
T1541

Impair Defenses

1
T1629

Prevent Application Removal

1
T1629.001

Input Injection

1
T1516

Virtualization/Sandbox Evasion

2
T1633

System Checks

2
T1633.001

Credential Access

Clipboard Data

1
T1414

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Discovery

Process Discovery

1
T1424

Software Discovery

1
T1418

Security Software Discovery

1
T1418.001

System Information Discovery

2
T1426

System Network Configuration Discovery

2
T1422

System Network Connections Discovery

1
T1421

Lateral Movement

Collection

Clipboard Data

1
T1414

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Screen Capture

1
T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

1
T1471

Data Manipulation

1
T1641

Transmitted Data Manipulation

1
T1641.001

Input Injection

1
T1516

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/com.qudxvqoua.zshvvmukz/app_dex/classes.dex
    Filesize

    2.9MB

    MD5

    cab0b80bcb70f91d4972a5413b37ca16

    SHA1

    83260b8a40958ed23432b5fa6afd9091be603b94

    SHA256

    687cf183b791404fbef4dfae692a19dcab0ee781e5afa3abd12a6bf0d3d5f17f

    SHA512

    a4ee0dc2cbd367f8697f46f6a8b507db91e192fe6e91e314b9863b9736ba0318c0d2745539f142d85386fdc9e4a1b3c0f33102a7ec87704f3ce3ee6a65a65e1c

    Download Submit

  • /data/data/com.qudxvqoua.zshvvmukz/cache/classes.dex
    Filesize

    1.0MB

    MD5

    e51cb0674ceda6d705b5a54caca5618d

    SHA1

    3cd04b784886c87c43e1aa86d284bf1ad14b64b1

    SHA256

    d6695860fab877a1d6be1c4305fb84e236916b95441e05ae53ffa82985ec4f3f

    SHA512

    06b252bdf3f025c2e2b9c242d744e8b2b7c1b8937c505380f64639f2718b4a32d77d6553757e82d20d3369e3071e757f770edbac511cc8bf2c73a6100e437af2

    Download Submit

  • /data/data/com.qudxvqoua.zshvvmukz/cache/classes.zip
    Filesize

    1.0MB

    MD5

    5236fdd55df448c7a158f395d9a3e568

    SHA1

    90a95da4487718b4cd56a0a59b7e7b5f78c47e40

    SHA256

    e9276c366d24e4c7a79bcd0d5fcd81930a1ad370ced2dae31357b10b9635ca93

    SHA512

    b1d8141198c21b7f2dc51f5fa22560c5b28195db6423fa111b086a4ecb6a0fb19cfc55ad81e7915d60b8ca11886119518800c8bf1ae692167aa8aa3a1604f796

    Download Submit

  • /data/data/com.qudxvqoua.zshvvmukz/no_backup/androidx.work.workdb
    Filesize

    4KB

    MD5

    7e858c4054eb00fcddc653a04e5cd1c6

    SHA1

    2e056bf31a8d78df136f02a62afeeca77f4faccf

    SHA256

    9010186c5c083155a45673017d1e31c2a178e63cc15a57bbffde4d1956a23dad

    SHA512

    d0c7a120940c8e637d5566ef179d01eff88a2c2650afda69ad2a46aad76533eaace192028bba3d60407b4e34a950e7560f95d9f9b8eebe361ef62897d88b30cb

    Download Submit

  • /data/data/com.qudxvqoua.zshvvmukz/no_backup/androidx.work.workdb-journal
    Filesize

    512B

    MD5

    a7a89e9b2f9e53f457dce5837b91961a

    SHA1

    48cc168fa3af8a7aa4426c7772fb05d43fb82c76

    SHA256

    2d9bd3ee256d3769e8d42e25636b541f26739425d20181d292482bb328516f76

    SHA512

    cc6b653c5cb9a2d11da2bc218aa2fd69922a0a3d75acc10ab354217174abf87db2009f3b3df945b9a2b9fd35e7b48cb6103a97365523d3866003065de501bb00

    Download Submit

  • /data/data/com.qudxvqoua.zshvvmukz/no_backup/androidx.work.workdb-shm
    Filesize

    32KB

    MD5

    bb7df04e1b0a2570657527a7e108ae23

    SHA1

    5188431849b4613152fd7bdba6a3ff0a4fd6424b

    SHA256

    c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

    SHA512

    768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

    Download Submit

  • /data/data/com.qudxvqoua.zshvvmukz/no_backup/androidx.work.workdb-wal
    Filesize

    16KB

    MD5

    c56b787c6d9d2228c7de7936155dc752

    SHA1

    92a92e577eb49d5db25a93e1908cf83b61f844d4

    SHA256

    edb122267a4f6c5864ce6314f40892b438c89cdf55a7c4ec8fc3f33c507b6a4a

    SHA512

    a7893f407c877c4c6a12f24bf2e900c291494a453380a4d447acbca37a858c2402e4288702ac47e664ed1fe9c724be4652c3920e19bd353833c579e192ec1b9c

    Download Submit

  • /data/data/com.qudxvqoua.zshvvmukz/no_backup/androidx.work.workdb-wal
    Filesize

    108KB

    MD5

    34819fc389af6847692fb132e5a56752

    SHA1

    c4e78a5f47b50e45ea21f20b10347303193cb76a

    SHA256

    89f4d4fa4b516b3d4e6c1a7e0dc58e58e8d38fe71795b9f017854210bdf42b1f

    SHA512

    dd4263034d037e7e1a4cbdca40ea64c485ef0ec6faaec9d8a4a1c3c0c25945c57de0a7b9cf70c98d88d9cf146c9990278aba163cbca2c8f511dd2bd1c0fb4ce8

    Download Submit

  • /data/data/com.qudxvqoua.zshvvmukz/no_backup/androidx.work.workdb-wal
    Filesize

    173KB

    MD5

    70c294c84162404fcae659536d6b7439

    SHA1

    75be4bfb2c54997cf07d4a279abd985d51964f00

    SHA256

    f0ec4ecae7468b0784c27bc7095f0047165c02986a534bf119a9c8e9bae4b865

    SHA512

    a5c921886046d11ada6105611533a0e492648320c057852223ab4571599c8b47b7f7d04a1b4454b32b0bea8dc5884a0b466f1c0b308c05d24a36e65143a8a1b7

    Download Submit