Overview

overview

10

Static

static

6

cb1a58ad1a...a1.apk

android-9-x86

10

cb1a58ad1a...a1.apk

android-10-x64

10

cb1a58ad1a...a1.apk

android-11-x64

10

Analysis

  • max time kernel
    17s
  • max time network
    192s
  • platform
    android_x64
  • resource
    android-x64-20240624-en
  • resource tags

    androidarch:x64arch:x86image:android-x64-20240624-enlocale:en-usos:android-10-x64system
  • submitted
    25/08/2024, 22:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    cb1a58ad1add6beb867e31cc7728d45c2f28c8e35293244fb54a283197b3b9a1.apk

  • Size

    4.3MB

  • MD5

    5b7957acf0c19217581e6d3b4f54337d

  • SHA1

    97a73908b2b8c7d59b6237434c785907b57a0199

  • SHA256

    cb1a58ad1add6beb867e31cc7728d45c2f28c8e35293244fb54a283197b3b9a1

  • SHA512

    75bafbe460d497038f339beb19a295880e8caa8e125ffc58d1c2a5de4282df3f067cb5e6684fdfebf58c0c5b0b4dc74c5355d5ac0ad9c597553e74f9a7f4c45b

  • SSDEEP

    98304:WmcY3AswM0ufWdg3MxMP5xbf/+Tb0xCHG3hwHgx46A52PPKWW:yQAski4MP5xDS0xCm32Hg3w2fW

Score
10/10
hookbankercollectioncredential_accessdiscoveryevasionexecutionimpactinfostealerpersistencerattrojan

Malware Config

Extracted

Family

hook

C2

http://80.64.30.149

DES_key
AES_key

Signatures

  • Hook

    Hook is an Android malware that is based on Ermac with RAT capabilities.

    rattrojaninfostealerhook
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasioncredential_access
  • Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

    Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

    collectioncredential_accessimpact
  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
    bankerdiscovery
  • Queries information about running processes on the device 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about running processes on the device.

    discovery
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    evasionpersistence
  • Performs UI accessibility actions on behalf of the user 1 TTPs 5 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

    discovery
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
    discovery
  • Reads information about phone network operator. 1 TTPs
    discovery
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
    persistence
  • Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

    executionpersistence
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
    impact
  • Checks CPU information 2 TTPs 1 IoCs
  • Checks memory information 2 TTPs 1 IoCs

Processes

  • com.gatqaovqr.qcgkinnnk
    1⤵
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Obtains sensitive information copied to the device clipboard
    • Queries information about running processes on the device
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries information about the current Wi-Fi connection
    • Queries the mobile country code (MCC)
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Schedules tasks to execute at a specified time
    • Uses Crypto APIs (Might try to encrypt user data)
    • Checks CPU information
    • Checks memory information
    PID:5076

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

1
T1603

Persistence

Event Triggered Execution

1
T1624

Broadcast Receivers

1
T1624.001

Foreground Persistence

1
T1541

Scheduled Task/Job

1
T1603

Privilege Escalation

Defense Evasion

Download New Code at Runtime

1
T1407

Foreground Persistence

1
T1541

Impair Defenses

1
T1629

Prevent Application Removal

1
T1629.001

Input Injection

1
T1516

Virtualization/Sandbox Evasion

2
T1633

System Checks

2
T1633.001

Credential Access

Clipboard Data

1
T1414

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Discovery

Process Discovery

1
T1424

Software Discovery

1
T1418

Security Software Discovery

1
T1418.001

System Information Discovery

2
T1426

System Network Configuration Discovery

3
T1422

System Network Connections Discovery

1
T1421

Lateral Movement

Collection

Clipboard Data

1
T1414

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Screen Capture

1
T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

1
T1471

Data Manipulation

1
T1641

Transmitted Data Manipulation

1
T1641.001

Input Injection

1
T1516

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/com.gatqaovqr.qcgkinnnk/app_dex/classes.dex
    Filesize

    2.9MB

    MD5

    be230e7cac11318e05002859eb240b1c

    SHA1

    e88665635cd884c9a51755188ac18245a0f86791

    SHA256

    1e7cf205943f5a1873e84c0155131de7318807f484b4833b7b07eba337386281

    SHA512

    5bdfca5309a1e9ea528595946bda1be6b3dd2dffea56431a17c986b57d39f6cf725eabb369b99b7d3f1a8bd3f48e682ca05d341061adb34cb343395cae706e2c

    Download Submit

  • /data/data/com.gatqaovqr.qcgkinnnk/cache/classes.dex
    Filesize

    1.0MB

    MD5

    f0eb21b6ac7eac592fda1c766c6dc37e

    SHA1

    f543c3c5fa2c95bb80475ecaa4a634c5ad3cd4ec

    SHA256

    adbde97ed2ce8e8604ccd7e02b76d2b20d02709fce49ad55f5f7dd43e5131690

    SHA512

    a6c5c4bbdfb81aecd5593539ca1e720977ec9b3765de8b7c2ff367e0c9e552b9818b2c5aa8751e16a03fa711b9d24829c6278695c63e5fff144dee0caa651ace

    Download Submit

  • /data/data/com.gatqaovqr.qcgkinnnk/cache/classes.zip
    Filesize

    1.0MB

    MD5

    e7f0f18877ea6b156ac825b7d945fef3

    SHA1

    54d576f94a427852720e7ba91ec733aa876a1801

    SHA256

    f641d42568b7776425239afb8e06fedc9425a55605c1efc00114c0fad7bcada3

    SHA512

    7586bcd48a95c9131f2200ffc99ff03b9077149ad074c4fa961b1d7ec0b8e6b9ec54868e102697f08cad078bb8af38bc8961edabcef25df82ee5cc7ec6a89be5

    Download Submit

  • /data/data/com.gatqaovqr.qcgkinnnk/no_backup/androidx.work.workdb
    Filesize

    4KB

    MD5

    f2b4b0190b9f384ca885f0c8c9b14700

    SHA1

    934ff2646757b5b6e7f20f6a0aa76c7f995d9361

    SHA256

    0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

    SHA512

    ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

    Download Submit

  • /data/data/com.gatqaovqr.qcgkinnnk/no_backup/androidx.work.workdb-journal
    Filesize

    512B

    MD5

    1645337bcbcf27a2ec2af9e57d5d29de

    SHA1

    f8adf784e703c1367838eec421abb210c071f814

    SHA256

    ebd7611a1fb4066ef380fada9355ec21683e2abaf694e72aea7ecef596b98679

    SHA512

    cef63029a220bc1a1984b8dc09c02fbe64889583e94f62518369054a016ff87bdf0f6da7662a53b44b0339b9c3e3fc9f83f21b2307bd0fe3693bce8a60ea1104

    Download Submit

  • /data/data/com.gatqaovqr.qcgkinnnk/no_backup/androidx.work.workdb-shm
    Filesize

    32KB

    MD5

    bb7df04e1b0a2570657527a7e108ae23

    SHA1

    5188431849b4613152fd7bdba6a3ff0a4fd6424b

    SHA256

    c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

    SHA512

    768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

    Download Submit

  • /data/data/com.gatqaovqr.qcgkinnnk/no_backup/androidx.work.workdb-wal
    Filesize

    16KB

    MD5

    3279f43e473a2b3f64b7b631163a93f5

    SHA1

    2e0e425978188a11b7c60f5f5e948f538af3cdad

    SHA256

    1cea8c6bb5a881dbde5c221c68ac4f44de5db14da79904427980dfdae755ddb0

    SHA512

    48b3fd59928542fabee5f68c9c7f5c721dba923459e817d5be25b2f237d0c9d3c89a06c5b4f3db46f2018b003f63ff160198777de0cb948e7d530041d6e854df

    Download Submit

  • /data/data/com.gatqaovqr.qcgkinnnk/no_backup/androidx.work.workdb-wal
    Filesize

    108KB

    MD5

    1dc7a7bbd55d745b0c61e25cafb804f1

    SHA1

    3b0c32136df1432617dda986cfd4b4c95769e17e

    SHA256

    62cfcf46ad0cd2a66aa6f39349b9a4175ddca16937035376927974ac1a77d788

    SHA512

    e7832813072cbadc73f0673850fd18bbece3aaded40828a7983ea808791c7d28c5fbc6ed847949833d2a2d74fbb6d986d73a40c20dc3db98ecafc78ac487ec18

    Download Submit

  • /data/data/com.gatqaovqr.qcgkinnnk/no_backup/androidx.work.workdb-wal
    Filesize

    173KB

    MD5

    8932f7f5e7345e7899cf3c078c37f9b2

    SHA1

    a1782c5ee319358c79df1b2123166681973d9c38

    SHA256

    83d33525cbe68dcd1dc97e22a4395024d82995d6cce0e063323aea9268c48af4

    SHA512

    3c6ae78cfbbb7ef54f79031aed4b5b205e4f71983ad82f327494f03a4758316890ff0734eec295f8edfdb714bc5d7ce49a95b19876faca9febcc18e943696190

    Download Submit