Overview

overview

10

Static

static

6

7502ee1c42...13.apk

android-9-x86

10

7502ee1c42...13.apk

android-10-x64

7

7502ee1c42...13.apk

android-11-x64

10

Analysis

  • max time kernel
    159s
  • max time network
    190s
  • platform
    android_x64
  • resource
    android-x64-arm64-20240624-en
  • resource tags

    androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240624-enlocale:en-usos:android-11-x64system
  • submitted
    29-08-2024 22:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7502ee1c429e1b43f02bdad3e48d2c630d883204378e9b9e5b3b40c455b86813.apk

  • Size

    4.3MB

  • MD5

    c7eafd8c6eb2ca63b3ffe0e163914b0a

  • SHA1

    7965823ae2f99b9fd61857592a809ed39973a3c6

  • SHA256

    7502ee1c429e1b43f02bdad3e48d2c630d883204378e9b9e5b3b40c455b86813

  • SHA512

    0245e2553519d8ff8dc2b1db70a5d1ad01e81ebeeb15e898a297c1de9d65b02b42553d0faa23ecb9de4476287035e398c3874f55b96505071f37b3e306a4a7d8

  • SSDEEP

    98304:1vFYlAXWe8ENPQXJ5N7ef/A4XPvNhd2bp5Hz5z00wqZQOFXt/4yq4Jwm:1oRaNP0wAA1hd2b/HS0wqZQO1t/RSm

Score
10/10
hookbankercollectioncredential_accessdiscoveryevasionexecutionimpactinfostealerpersistencerattrojan

Malware Config

Extracted

Family

hook

C2

http://149.50.108.117

DES_key
AES_key

Signatures

  • Hook

    Hook is an Android malware that is based on Ermac with RAT capabilities.

    rattrojaninfostealerhook
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasioncredential_access
  • Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

    Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

    collectioncredential_accessimpact
  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
    bankerdiscovery
  • Queries information about running processes on the device 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about running processes on the device.

    discovery
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    evasionpersistence
  • Performs UI accessibility actions on behalf of the user 1 TTPs 5 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

    discovery
  • Reads information about phone network operator. 1 TTPs
    discovery
  • Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

    executionpersistence
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
    impact
  • Checks CPU information 2 TTPs 1 IoCs
  • Checks memory information 2 TTPs 1 IoCs

Processes

  • com.akgqozbih.xkvxfgyln
    1⤵
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Obtains sensitive information copied to the device clipboard
    • Queries information about running processes on the device
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries information about the current Wi-Fi connection
    • Schedules tasks to execute at a specified time
    • Uses Crypto APIs (Might try to encrypt user data)
    • Checks CPU information
    • Checks memory information
    PID:4453

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

1
T1603

Persistence

Foreground Persistence

1
T1541

Scheduled Task/Job

1
T1603

Privilege Escalation

Defense Evasion

Download New Code at Runtime

1
T1407

Foreground Persistence

1
T1541

Impair Defenses

1
T1629

Prevent Application Removal

1
T1629.001

Input Injection

1
T1516

Virtualization/Sandbox Evasion

2
T1633

System Checks

2
T1633.001

Credential Access

Clipboard Data

1
T1414

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Discovery

Process Discovery

1
T1424

Software Discovery

1
T1418

Security Software Discovery

1
T1418.001

System Information Discovery

2
T1426

System Network Configuration Discovery

2
T1422

System Network Connections Discovery

1
T1421

Lateral Movement

Collection

Clipboard Data

1
T1414

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Screen Capture

1
T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

1
T1471

Data Manipulation

1
T1641

Transmitted Data Manipulation

1
T1641.001

Input Injection

1
T1516

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/com.akgqozbih.xkvxfgyln/app_dex/classes.dex
    Filesize

    2.9MB

    MD5

    c11761871d6f0cbe447d284c7f3c3f71

    SHA1

    20f9744a023684444c435ebad41a5cf9c60ed0f5

    SHA256

    bae2e9921aa52759f59974584067386d943227c3d7c838052d682a3e2fd60fca

    SHA512

    88a6103ce70615c0d64cdaf6f26b1d6d83cccb05b4cbbf89798c209b42743562404d1312d2ee9ee1debb898634a3b4f78a6aa4c312bee3e37d18e667312e328b

    Download Submit

  • /data/data/com.akgqozbih.xkvxfgyln/cache/classes.dex
    Filesize

    1.0MB

    MD5

    ecdf907df3c61804b81f93bdcf3c8d51

    SHA1

    a13fb71adbd4e55beadbd6776b0694c99fbe0e3d

    SHA256

    ea10efda8ea30a80a5aecebb5932cebd9531f310f896feb724f939d7b1ff4946

    SHA512

    ce65fdfe85b1d5d4c8a8b0b6a50a785afc8b96bfcf30e8c6480b58281eba1627e171cfd8db0cecc0bbb56905fdb9c295c358c8c66bededc39d37e459a3f3383e

    Download Submit

  • /data/data/com.akgqozbih.xkvxfgyln/cache/classes.zip
    Filesize

    1.0MB

    MD5

    36d707d2b9d701cd5fa864c602fc43ae

    SHA1

    8145f1380d5f4df753dfdb4cd44a9ed52e4c0e24

    SHA256

    41f5247c46eed72fb7be73953a9ec857925b3b17210e5c611bbe8b17de33e552

    SHA512

    c0689078aacd8909f826d324a7c7c58cb2ff68306d74485701fb75df7f0903d7cbbed12d36d564105cd788eb356628f3e7c31f0f31bb482da861e526bcb0c7ce

    Download Submit

  • /data/data/com.akgqozbih.xkvxfgyln/no_backup/androidx.work.workdb
    Filesize

    4KB

    MD5

    7e858c4054eb00fcddc653a04e5cd1c6

    SHA1

    2e056bf31a8d78df136f02a62afeeca77f4faccf

    SHA256

    9010186c5c083155a45673017d1e31c2a178e63cc15a57bbffde4d1956a23dad

    SHA512

    d0c7a120940c8e637d5566ef179d01eff88a2c2650afda69ad2a46aad76533eaace192028bba3d60407b4e34a950e7560f95d9f9b8eebe361ef62897d88b30cb

    Download Submit

  • /data/data/com.akgqozbih.xkvxfgyln/no_backup/androidx.work.workdb-journal
    Filesize

    512B

    MD5

    4fe6a01f289e234c24737824d87d0a81

    SHA1

    b7fc61de76f2a217c01e0f65923d2ec203921ae0

    SHA256

    17d1325aced7860819059aad807a3a032dcf4a5ae3b5af0b4b4ee2e962bcf882

    SHA512

    675d3be7f476dd585be4821c274602b66b66c9867339ef715664981c8528b3a7c98db66a6df9872423536121cc8ac411c2004037c742f6167f26e36078968711

    Download Submit

  • /data/data/com.akgqozbih.xkvxfgyln/no_backup/androidx.work.workdb-shm
    Filesize

    32KB

    MD5

    bb7df04e1b0a2570657527a7e108ae23

    SHA1

    5188431849b4613152fd7bdba6a3ff0a4fd6424b

    SHA256

    c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

    SHA512

    768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

    Download Submit

  • /data/data/com.akgqozbih.xkvxfgyln/no_backup/androidx.work.workdb-wal
    Filesize

    16KB

    MD5

    be02aab15829f503dc12cc3fab8f8f13

    SHA1

    2ab3d2f6ee747646bc9763e86048ee3fe34fb68a

    SHA256

    e87b22467c9fde4335a3ec328da8796da916be3590b899be44f378e3a573ce76

    SHA512

    858f5cd4b69e3295f8d9704a480bb7183f4373e7c209d55d901d8dfcc3e0495811d6f47b7de0fc7ca4a146c5d9692512d97b23e852e2ce4920109eb03441cd8e

    Download Submit

  • /data/data/com.akgqozbih.xkvxfgyln/no_backup/androidx.work.workdb-wal
    Filesize

    108KB

    MD5

    be910266c88ba1d04b28ece574bf7085

    SHA1

    6cbe719326374e9b68d8fe45f2e62ed8d71c7478

    SHA256

    dd1a76f3d539926d0c0b5fab1e04b63aa845acab8c6fd5da491ef551bd9f566c

    SHA512

    53618e2e33dd61ad80f74c550ad1ad75de3f9f16fc015876705e71f166665103bce1beb8d6e16e2c21d4ad45906ae6224499b36a65b08dba850e01c7b384a3d1

    Download Submit

  • /data/data/com.akgqozbih.xkvxfgyln/no_backup/androidx.work.workdb-wal
    Filesize

    173KB

    MD5

    4cefe616f67c15ecad6ffb957b4563ba

    SHA1

    27f2ad87657c7f35300adc414aa893a8f62bf2b0

    SHA256

    b3d32187755ff7f3260f61310a774f66fef36d15855efeecf0e61263bf050b24

    SHA512

    29a4b427451e5f0d71a6aed5dbf1a458fcbd760fbfb68bb65a3ce1eddc2279f5fdae035bd8574ec53fcf6019fa4e3a098c4255b3265f8d7eade81e455e18a0ba

    Download Submit