Overview

overview

10

Static

static

6

b6ed31e032...56.apk

android-9-x86

10

b6ed31e032...56.apk

android-10-x64

10

b6ed31e032...56.apk

android-11-x64

10

Analysis

  • max time kernel
    178s
  • max time network
    190s
  • platform
    android_x64
  • resource
    android-x64-arm64-20240624-en
  • resource tags

    androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240624-enlocale:en-usos:android-11-x64system
  • submitted
    13-08-2024 22:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b6ed31e0329c6ab919b874b4a4f02c9ee10e57a0b0114cc7fae802b593d85756.apk

  • Size

    4.2MB

  • MD5

    2341dd73ad23f53bc3a9bd1269fb2096

  • SHA1

    b7c10cff0d8018a83eb2fe93826a72228d590df3

  • SHA256

    b6ed31e0329c6ab919b874b4a4f02c9ee10e57a0b0114cc7fae802b593d85756

  • SHA512

    e95766f257e1fbe2e47395171a0aaea554c42a7baa3d232c3ca23b725ce9eb8de2ce5caa165f3ce61bd967a4c05bca37c543fd75329aaf586cf8c80284ec71f0

  • SSDEEP

    98304:U3iHKtQtOPdcmMAXWADwV0rrZT7RMraW+IG0u4j1Oqz:DqtQtOPdFXNwVOtTOc3cj1Fz

Score
10/10
hookbankercollectioncredential_accessdiscoveryevasionexecutionimpactinfostealerpersistencerattrojan

Malware Config

Extracted

Family

hook

C2

http://134.255.180.156

DES_key
AES_key

Signatures

  • Hook

    Hook is an Android malware that is based on Ermac with RAT capabilities.

    rattrojaninfostealerhook
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasioncredential_access
  • Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

    Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

    collectioncredential_accessimpact
  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
    bankerdiscovery
  • Queries information about running processes on the device 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about running processes on the device.

    discovery
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    evasionpersistence
  • Performs UI accessibility actions on behalf of the user 1 TTPs 22 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

    discovery
  • Reads information about phone network operator. 1 TTPs
    discovery
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
    collectioncredential_access
  • Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

    executionpersistence
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
    impact
  • Checks CPU information 2 TTPs 1 IoCs
  • Checks memory information 2 TTPs 1 IoCs

Processes

  • com.cdnbwsqqe.dxmznskla
    1⤵
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Obtains sensitive information copied to the device clipboard
    • Queries information about running processes on the device
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries information about the current Wi-Fi connection
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Schedules tasks to execute at a specified time
    • Uses Crypto APIs (Might try to encrypt user data)
    • Checks CPU information
    • Checks memory information
    PID:4470

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

1
T1603

Persistence

Foreground Persistence

1
T1541

Scheduled Task/Job

1
T1603

Privilege Escalation

Defense Evasion

Download New Code at Runtime

1
T1407

Foreground Persistence

1
T1541

Impair Defenses

1
T1629

Prevent Application Removal

1
T1629.001

Input Injection

1
T1516

Virtualization/Sandbox Evasion

2
T1633

System Checks

2
T1633.001

Credential Access

Access Notifications

1
T1517

Clipboard Data

1
T1414

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Discovery

Process Discovery

1
T1424

Software Discovery

1
T1418

Security Software Discovery

1
T1418.001

System Information Discovery

2
T1426

System Network Configuration Discovery

2
T1422

System Network Connections Discovery

1
T1421

Lateral Movement

Collection

Access Notifications

1
T1517

Clipboard Data

1
T1414

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Screen Capture

1
T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

1
T1471

Data Manipulation

1
T1641

Transmitted Data Manipulation

1
T1641.001

Input Injection

1
T1516

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/com.cdnbwsqqe.dxmznskla/app_dex/classes.dex
    Filesize

    2.9MB

    MD5

    1d4c515f2288e6fe666ad3df34a20f6a

    SHA1

    613152f617d917908fa4f086a789cab9c0c953e5

    SHA256

    00e64c5197f6697692b326a3495eb62e97b3ff11bd12adf6dc287fed1de9d37a

    SHA512

    2a29bbff859774c2c9105ed7cbb9d1a596d352ef28afa8fa44fb49464e962f02a6877e6dda87392e7d466d61fcea8cf252f6135f7bdf9164b49fc26a96454212

    Download Submit

  • /data/data/com.cdnbwsqqe.dxmznskla/cache/classes.dex
    Filesize

    1.0MB

    MD5

    9447ea843495097b9e07a7b657929ce6

    SHA1

    ff4f849f561910a008501c2494349419eb4a94f1

    SHA256

    5b13538022406312a946eb7f897ed0b613bffc88f35bcd00750e12081c04fffc

    SHA512

    3952d88d8134f02dc8ed6972a3055eb24463013f14df97a4aa18497d52fcf60d3f571514048504b8cba88d466f954e5adfb889ed6fd9f7a685d126fb42fd0ecc

    Download Submit

  • /data/data/com.cdnbwsqqe.dxmznskla/cache/classes.zip
    Filesize

    1.0MB

    MD5

    b7a1d2fd02122ba2cb316d1ebdb50a20

    SHA1

    3773617b00e07612fd8069d78a9f15ae307c7a24

    SHA256

    f4899f302c0370f556fa3a89ab3103a9db26d02b6b6856f7f0c8e4487e115467

    SHA512

    890570c671dfc3fc86af420bf23de01bd9b54584ec5e7f8a6f335be9e625aa6d1deffab39500057f42a77227acea20085e199f5858db844af15f013487fe6c44

    Download Submit

  • /data/data/com.cdnbwsqqe.dxmznskla/no_backup/androidx.work.workdb
    Filesize

    4KB

    MD5

    7e858c4054eb00fcddc653a04e5cd1c6

    SHA1

    2e056bf31a8d78df136f02a62afeeca77f4faccf

    SHA256

    9010186c5c083155a45673017d1e31c2a178e63cc15a57bbffde4d1956a23dad

    SHA512

    d0c7a120940c8e637d5566ef179d01eff88a2c2650afda69ad2a46aad76533eaace192028bba3d60407b4e34a950e7560f95d9f9b8eebe361ef62897d88b30cb

    Download Submit

  • /data/data/com.cdnbwsqqe.dxmznskla/no_backup/androidx.work.workdb-journal
    Filesize

    512B

    MD5

    6b2b17f3db79ff2da34ca4042efd303f

    SHA1

    1450a31270fe965f814573a7e5ed3087a3243c69

    SHA256

    7fd9248f695ee6730845b12075626ac60e3d31ec47660247db365df964cf5959

    SHA512

    694858bf8c8fe71690521a24f5da0eb3a2756d25c58d109295442ec8735f297117093eae39a31f64f54645ac83f3eddf358e7ae21b2b293f3b3b6fb828106d46

    Download Submit

  • /data/data/com.cdnbwsqqe.dxmznskla/no_backup/androidx.work.workdb-shm
    Filesize

    32KB

    MD5

    bb7df04e1b0a2570657527a7e108ae23

    SHA1

    5188431849b4613152fd7bdba6a3ff0a4fd6424b

    SHA256

    c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

    SHA512

    768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

    Download Submit

  • /data/data/com.cdnbwsqqe.dxmznskla/no_backup/androidx.work.workdb-wal
    Filesize

    16KB

    MD5

    9039d8da1de0dfaeae5a15779733870c

    SHA1

    655af25adf6e303998eb91855c330df8639e7ad7

    SHA256

    78d975c0e42c76b264123f6158dfe6fd8609c8e4e0e519759b3b4828a4a85d9b

    SHA512

    ca7da313d5acf9653fb220d05eeab0a6419b2233b4c7a74b11f82ca9b6c8169315a511c46a54d5768f62bfcc9024686bd22971faf841be3753c545e2c0a81042

    Download Submit

  • /data/data/com.cdnbwsqqe.dxmznskla/no_backup/androidx.work.workdb-wal
    Filesize

    108KB

    MD5

    9d5113c7711d6b773c663e0bd0600cb7

    SHA1

    71edff0d056b1bfd912550fcac6471162f871ac5

    SHA256

    4fbb6e23e4c1b32b1d330fac62c6cbebacb2c6cc92e64334f2c1426df0aabaee

    SHA512

    eb812ce1d4ca31dcb0e603bdff74b5e74979be86c44d43adbbc69424e7a135c724a03fdffc3a89ab4e742a7b5534b186bb724d671cf59bc998de9df72035cab0

    Download Submit

  • /data/data/com.cdnbwsqqe.dxmznskla/no_backup/androidx.work.workdb-wal
    Filesize

    173KB

    MD5

    58348a9a1ab0819e6c6fd1ee0691d1a9

    SHA1

    68f4d94d354480e6517bc120fe5d4442c7a62634

    SHA256

    506efb941f2688b3bf7875fc01edf782af0f5c1ada2428d05d5e2a48c2b66b12

    SHA512

    56b7902a18ba2f029db46e25e124d147910ca1dcff887acbf68978066898ba1d3475be07a2a36beda64f232885f22d09fd429fb2fa78b1780cdd4536b9ecaa3d

    Download Submit