Overview

overview

10

Static

static

6

55ab21077d...84.apk

android-9-x86

10

55ab21077d...84.apk

android-10-x64

10

55ab21077d...84.apk

android-11-x64

10

Analysis

  • max time kernel
    178s
  • max time network
    195s
  • platform
    android_x86
  • resource
    android-x86-arm-20240624-en
  • resource tags

    androidarch:armarch:x86image:android-x86-arm-20240624-enlocale:en-usos:android-9-x86system
  • submitted
    23-08-2024 22:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    55ab21077d08e84a2c7c79342a44e3d2eb7b5bcb8590cc1763a82ffc90a48b84.apk

  • Size

    4.3MB

  • MD5

    176c87708376aa9a865445324fb46c93

  • SHA1

    c8500268ad8a395cbba91fc3f049a968c2294612

  • SHA256

    55ab21077d08e84a2c7c79342a44e3d2eb7b5bcb8590cc1763a82ffc90a48b84

  • SHA512

    9838527e55427d8021e5e10b22495e994b9879e172366142149bad391ba0b24ebfa532426216c933737e084d908f0ca699665163964b5840ae1b89dee4cbfa3a

  • SSDEEP

    98304:0T7AhiP5Vqlx6nwqLd/ZT6sMKYmFV5msrcp54x7aseqlbw4A+ckT:0nfqH6nwqn6LKYG8sW56a1qqDeT

Score
10/10
hookcollectioncredential_accessdiscoveryevasionexecutionimpactinfostealerpersistencerattrojan

Malware Config

Extracted

Family

hook

C2

http://80.64.30.149

DES_key
AES_key

Signatures

  • Hook

    Hook is an Android malware that is based on Ermac with RAT capabilities.

    rattrojaninfostealerhook
  • Loads dropped Dex/Jar 1 TTPs 3 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasioncredential_access
  • Queries information about running processes on the device 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about running processes on the device.

    discovery
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    evasionpersistence
  • Performs UI accessibility actions on behalf of the user 1 TTPs 5 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

    discovery
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
    evasion
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
    persistence
  • Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

    executionpersistence
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
    impact

Processes

  • com.fxotfvqkq.dbwojlfii
    1⤵
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Queries information about running processes on the device
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries information about the current Wi-Fi connection
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Schedules tasks to execute at a specified time
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4269
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.fxotfvqkq.dbwojlfii/app_dex/classes.dex --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.fxotfvqkq.dbwojlfii/app_dex/oat/x86/classes.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4300

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

1
T1603

Persistence

Event Triggered Execution

1
T1624

Broadcast Receivers

1
T1624.001

Foreground Persistence

1
T1541

Scheduled Task/Job

1
T1603

Privilege Escalation

Defense Evasion

Download New Code at Runtime

1
T1407

Foreground Persistence

1
T1541

Hide Artifacts

1
T1628

User Evasion

1
T1628.002

Impair Defenses

1
T1629

Prevent Application Removal

1
T1629.001

Input Injection

1
T1516

Credential Access

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Discovery

Process Discovery

1
T1424

System Network Configuration Discovery

1
T1422

System Network Connections Discovery

1
T1421

Lateral Movement

Collection

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Screen Capture

1
T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

1
T1471

Input Injection

1
T1516

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/com.fxotfvqkq.dbwojlfii/app_dex/classes.dex
    Filesize

    2.9MB

    MD5

    f4343c645d425c4eb5d8f92c1e598f18

    SHA1

    6e7bbdd82b7a87f0c0c629bbc5b93f01863a2a50

    SHA256

    088105654af80676fdc255990c417ac7ed41445c5bc556fb1bd6d0d8bc7141ac

    SHA512

    6439e350bbf46ada81383e976ff6963b7bc23beddd1385b0555c3d8ad64b436a7876a3d2d595015b390cab3c6202d7b5d56596b7efa2b06ee81ed33c2919bde7

    Download Submit

  • /data/data/com.fxotfvqkq.dbwojlfii/cache/classes.dex
    Filesize

    1.0MB

    MD5

    528e47a0da2c1722f1b4bef52b3cd875

    SHA1

    1523118862bdd0f534467cdb69fafcdcdb07b3f6

    SHA256

    0a1f258bbbb8fc4893778d7dafa5b8ee5915c87543ba42aeee60dedeae1be72a

    SHA512

    fb25cba996819416106fb5b35b01803d5ce8a301da6ef68b8372d58276b899ccd465a4c2a0b115e22d2030beaeaee0200f95d6222a3625e25696d444cb247482

    Download Submit

  • /data/data/com.fxotfvqkq.dbwojlfii/cache/classes.zip
    Filesize

    1.0MB

    MD5

    48c6047cae3974e6b81fa3e9b615e159

    SHA1

    e36626cfa9133e5bae54cf233aaebaf6544ec07b

    SHA256

    ac32adc4f42987e87f3ff257a05d0b5d3b44b35c121b63fd8c6c6b63e92379c5

    SHA512

    3ac66598877269d002591e104ff63c54490ed6f787ab0da2c741b43b33550922c923aa7984d2033f40cd227c6b4524c16c10569fd373c2e9c0ec84d5fa9dd48c

    Download Submit

  • /data/data/com.fxotfvqkq.dbwojlfii/no_backup/androidx.work.workdb
    Filesize

    4KB

    MD5

    f2b4b0190b9f384ca885f0c8c9b14700

    SHA1

    934ff2646757b5b6e7f20f6a0aa76c7f995d9361

    SHA256

    0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

    SHA512

    ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

    Download Submit

  • /data/data/com.fxotfvqkq.dbwojlfii/no_backup/androidx.work.workdb-journal
    Filesize

    512B

    MD5

    e6196f02f4de7b476568fd0bdef8b77a

    SHA1

    36f53baffb0324af69b33a605ff8d94462af03ee

    SHA256

    8484accde04b61251dbbe421b610395ca22344c7109258edacd5b86cb92224e7

    SHA512

    1389b0949e10cdd38e41b390720d5c887cd44d67b71e85e222634a16ce4d54b57d12a61cda6e493926fbad490d49b89a3f4026a602b9ad16e919a2c3d90cc859

    Download Submit

  • /data/data/com.fxotfvqkq.dbwojlfii/no_backup/androidx.work.workdb-shm
    Filesize

    32KB

    MD5

    bb7df04e1b0a2570657527a7e108ae23

    SHA1

    5188431849b4613152fd7bdba6a3ff0a4fd6424b

    SHA256

    c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

    SHA512

    768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

    Download Submit

  • /data/data/com.fxotfvqkq.dbwojlfii/no_backup/androidx.work.workdb-wal
    Filesize

    108KB

    MD5

    58a9de0732c45f61aee1c4a5d579fd1b

    SHA1

    6f54579c3de5a392fb85a601469e5ec17f9ac71b

    SHA256

    cd1c2b6665622c0d334486ff272d98c42275977c12152a9fd4ed3ab0aaedcf18

    SHA512

    8de496b91be5ca23f0170b90686cd4fcc6649d6cbdc23280cf07b24b51207b9ff98ee968fa52660aa3441dfccb12a55d3dd5cae0ae7ade6e096f75a23b18f849

    Download Submit

  • /data/data/com.fxotfvqkq.dbwojlfii/no_backup/androidx.work.workdb-wal
    Filesize

    173KB

    MD5

    cc7203375b6209c80942d4e0762a5aeb

    SHA1

    dbf48fbf1132d8ef64a9198a98ebe389af620f9c

    SHA256

    35607968b43f806be6322d99fb0902cc3585638da1337a09dc061b84f53ffedf

    SHA512

    15d3b94c221a0f109295dbc3dd2dc81d4e362df133655a1853cede88584d2b41483bb74030a5c1428035ad4a8e233f58970667f7ebaeceb9bfc158d4f1d9f54f

    Download Submit

  • /data/data/com.fxotfvqkq.dbwojlfii/no_backup/androidx.work.workdb-wal
    Filesize

    16KB

    MD5

    95f107970624f37695356f20b318e0d7

    SHA1

    45767c8d9397e1f467d01eb92a6a37e7681e8881

    SHA256

    160cc43d67575715cf96f395525088000ab78a78b018ac26b239d73ed7dfd44c

    SHA512

    00e800e71800b3ae784bf96070b842959a2438012ad4cea49a02e5e48cf4abcb43aaf5b8c65100e4d944629f1858bbad5068f9f16509824f37954e5716ccbaf8

    Download Submit

  • /data/user/0/com.fxotfvqkq.dbwojlfii/app_dex/classes.dex
    Filesize

    2.9MB

    MD5

    e942b8185b59b24b959af909a2187501

    SHA1

    dd75f61fa39307f8f166251124a568b3e2da57c5

    SHA256

    1081a30a505df525bc5e767c1f8ec0094212b24c222e111455b781246f56e985

    SHA512

    44119e9518f6f693dce018c3a1e1961ef38f1c03861f2061061cb7d6a0213f4f1d746a0271f3a02d79ec5e5d92eb2cdcc4ad8827376d9735c2e89c7133fc2523

    Download Submit