Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

6

e012d239d5...a0.apk

android-9-x86

10

e012d239d5...a0.apk

android-10-x64

10

e012d239d5...a0.apk

android-11-x64

10

Analysis

  • max time kernel
    37s
  • max time network
    154s
  • platform
    android-10_x64
  • resource
    android-x64-20240910-en
  • resource tags

    arch:x64arch:x86image:android-x64-20240910-enlocale:en-usos:android-10-x64system
  • submitted
    07/09/2024, 22:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e012d239d54312fab54c679208e0a9f8c9ffac061b5f740febc6b0589b299ca0.apk

  • Size

    4.4MB

  • MD5

    411e5bb9c35797745c00f2e2345bafec

  • SHA1

    bce6ad2b1e2d72fca89fb46921ae9e3b400bd3f4

  • SHA256

    e012d239d54312fab54c679208e0a9f8c9ffac061b5f740febc6b0589b299ca0

  • SHA512

    acabc36e543695075ad300801d1eae6d13d156dc5febaa2a35d6238ff629ec794215d7335bd01ecf2c887400b0815ce191a557459811badd17aad89914bd2e3b

  • SSDEEP

    98304:Wg2IPacQMawnAh6SDSztmZT5C7u9MqFq3gPUrkqXm6srR3faKAkSGc/STDm:TPyMawvdRmbCaJerkqudLSZCK

Score
10/10
hookbankercollectioncredential_accessdiscoveryevasionexecutionimpactinfostealerpersistencerattrojan

Malware Config

Extracted

Family

hook

C2

http://80.64.30.123

DES_key
AES_key

Signatures

  • Hook

    Hook is an Android malware that is based on Ermac with RAT capabilities.

    rattrojaninfostealerhook
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasioncredential_access
  • Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

    Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

    collectioncredential_accessimpact
  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
    bankerdiscovery
  • Queries information about running processes on the device 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about running processes on the device.

    discovery
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    evasionpersistence
  • Performs UI accessibility actions on behalf of the user 1 TTPs 5 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

    discovery
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
    discovery
  • Reads information about phone network operator. 1 TTPs
    discovery
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
    persistence
  • Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

    executionpersistence
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
    impact
  • Checks CPU information 2 TTPs 1 IoCs
  • Checks memory information 2 TTPs 1 IoCs

Processes

  • com.karqksqxc.mebijyvnp
    1⤵
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Obtains sensitive information copied to the device clipboard
    • Queries information about running processes on the device
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries information about the current Wi-Fi connection
    • Queries the mobile country code (MCC)
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Schedules tasks to execute at a specified time
    • Uses Crypto APIs (Might try to encrypt user data)
    • Checks CPU information
    • Checks memory information
    PID:5153

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

1
T1603

Persistence

Event Triggered Execution

1
T1624

Broadcast Receivers

1
T1624.001

Foreground Persistence

1
T1541

Scheduled Task/Job

1
T1603

Privilege Escalation

Defense Evasion

Download New Code at Runtime

1
T1407

Foreground Persistence

1
T1541

Impair Defenses

1
T1629

Prevent Application Removal

1
T1629.001

Input Injection

1
T1516

Virtualization/Sandbox Evasion

2
T1633

System Checks

2
T1633.001

Credential Access

Clipboard Data

1
T1414

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Discovery

Process Discovery

1
T1424

Software Discovery

1
T1418

Security Software Discovery

1
T1418.001

System Information Discovery

2
T1426

System Network Configuration Discovery

3
T1422

System Network Connections Discovery

1
T1421

Lateral Movement

Collection

Clipboard Data

1
T1414

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Screen Capture

1
T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

1
T1471

Data Manipulation

1
T1641

Transmitted Data Manipulation

1
T1641.001

Input Injection

1
T1516

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/com.karqksqxc.mebijyvnp/app_dex/classes.dex
    Filesize

    2.9MB

    MD5

    1b6b1944b8c450ffb96fcbadc6efadc6

    SHA1

    1d67379a4bf1e300232aefd4588ed795e8f78402

    SHA256

    82f374e607fb904616863fa5ce54182b0a13bbfd746066b6ab96982eef5851ba

    SHA512

    df765df9e5ae27a4570c4e17697cc600dd2e2f726fb2968676898b8df02b01b7a5faaad1a3f05e569da0b6ef8973738bc414910282822434173cb54bd50fe83b

    Download Submit

  • /data/data/com.karqksqxc.mebijyvnp/cache/classes.dex
    Filesize

    1.0MB

    MD5

    51cc540e5296ecdd02af0c1fa0b9077d

    SHA1

    109b85537b514cd2f7b8fdaa42525eb06c915209

    SHA256

    dfbc1fe906fd3827c61fdb27232c27523d75f0c0e8dc3785b90e3b2ad942de94

    SHA512

    4214020cb7352fed8b513827ed334141c23f573bfdedf2ac6cb2b255af25be0a01f53eb24bf1b129b357debb5d07c0f085b972e08207df82ceba97cae165d80a

    Download Submit

  • /data/data/com.karqksqxc.mebijyvnp/cache/classes.zip
    Filesize

    1.0MB

    MD5

    3b8755a2d210a390f2f56764c397bbd2

    SHA1

    e861d037f6711152e78fd70d23b9a80af636d5f0

    SHA256

    a3cecb595339d876e4c323ccdc075a80f8483d3407b1d445235873af32f5656f

    SHA512

    c9d7196a748f9b4d1d30ae5e0e254df9284f4f6ed6e7e18df56b345571b4ac89c8c617aebe4c266c62616cc5819675341b671c0af3b0455876e66db724ecc9ea

    Download Submit

  • /data/data/com.karqksqxc.mebijyvnp/no_backup/androidx.work.workdb
    Filesize

    4KB

    MD5

    f2b4b0190b9f384ca885f0c8c9b14700

    SHA1

    934ff2646757b5b6e7f20f6a0aa76c7f995d9361

    SHA256

    0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

    SHA512

    ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

    Download Submit

  • /data/data/com.karqksqxc.mebijyvnp/no_backup/androidx.work.workdb-journal
    Filesize

    512B

    MD5

    c53fef3c6399c436af5e96a3d4cad8b0

    SHA1

    86b8d7f5c9e2626559905b48bf0000ba4570cfa8

    SHA256

    16dd0bdc1bd4fbb35c300c6bc61555e889e82dc900ef633e2b7ba82783872955

    SHA512

    b8876760c9e7b7eafcbee38bec1df7efd3951041d50715018df4d5438008746561b7fd86975dbc8b1be05002a8b3e426a939774c83461d49c42a98d1ffc0e8e8

    Download Submit

  • /data/data/com.karqksqxc.mebijyvnp/no_backup/androidx.work.workdb-shm
    Filesize

    32KB

    MD5

    bb7df04e1b0a2570657527a7e108ae23

    SHA1

    5188431849b4613152fd7bdba6a3ff0a4fd6424b

    SHA256

    c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

    SHA512

    768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

    Download Submit

  • /data/data/com.karqksqxc.mebijyvnp/no_backup/androidx.work.workdb-wal
    Filesize

    16KB

    MD5

    779320115c1c71c5b87be579fe1fcc73

    SHA1

    45c4d59543c88e73733c6b7ed0581a038600cb62

    SHA256

    a0760deaed0e7497201a1235a93a228ff3e817d1479165f662cb31b8ee344bbc

    SHA512

    ae1c96448e50ef2751eb0f4fdc817ad0d316447335007dde5247ae361723403f4228b1ecf05baf8ea6ef2eb15e529d46cd031af642484ccf49444be23e7d2ca8

    Download Submit

  • /data/data/com.karqksqxc.mebijyvnp/no_backup/androidx.work.workdb-wal
    Filesize

    108KB

    MD5

    81e81ec9132a7b5492109bf368320fcd

    SHA1

    7db39b84fc15dc79da4f49bae9f100ee9a39a329

    SHA256

    1d93ac10f15f354c31b181e33252379180328baab239984780d7a5b67b36057f

    SHA512

    b66bb86e40ded10437a15e8c3f1c6a17e2f7d7cf9d60b74032793b0cfc12f5f1b02246c6c6a5bd338550d98e60d721f87fa736126393b635174ab99c9618c706

    Download Submit

  • /data/data/com.karqksqxc.mebijyvnp/no_backup/androidx.work.workdb-wal
    Filesize

    173KB

    MD5

    07003783411edf9396877a9f50d1847a

    SHA1

    6451a8ed9c2773d538313adaa4602728d354a8dd

    SHA256

    7d02fa8a761077b4e31a09b3760b7f7c8c652c900d0b80629b7de52b0ecad4b7

    SHA512

    124a93b6a133c7c6b6e51a10e79c5dfae16917731d27e9d3d99441d9b2cf82e42d6553f3425ac770524eb74b0bb126e84e022c5ab3f521e2d8c7767de7c75df9

    Download Submit