Overview

overview

10

Static

static

6

1524d0f1ba...a4.apk

android-9-x86

10

1524d0f1ba...a4.apk

android-10-x64

10

1524d0f1ba...a4.apk

android-11-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    153s
  • platform
    android-10_x64
  • resource
    android-x64-20240910-en
  • resource tags

    arch:x64arch:x86image:android-x64-20240910-enlocale:en-usos:android-10-x64system
  • submitted
    08-09-2024 22:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1524d0f1ba6f88d0198e089916746a5113aa43bc1e66e8dc2127848fc21534a4.apk

  • Size

    4.4MB

  • MD5

    b0cd63bf5b230cd7c98cfea697f6cc8f

  • SHA1

    eace30021bfd0a48a7e305b2c63bf88fab3787ba

  • SHA256

    1524d0f1ba6f88d0198e089916746a5113aa43bc1e66e8dc2127848fc21534a4

  • SHA512

    5b8eeaaaf0a31cf19d96a01f31db76372b18c878363693898192f696639de9afac9279ab842a0afc7694e917c9413599001c857bd8f3fc70c0a2714d9d197dba

  • SSDEEP

    98304:dOJTlzwVvfEBPstapRYzHYPRGom2kF6se7BlA5VLYaBdJGN:dCzwp0PmapRYMJ+2kPe9W5VLY0dJGN

Score
10/10
hookbankercollectioncredential_accessdiscoveryevasionexecutionimpactinfostealerpersistencerattrojan

Malware Config

Extracted

Family

hook

C2

http://80.64.30.123

DES_key
AES_key

Signatures

  • Hook

    Hook is an Android malware that is based on Ermac with RAT capabilities.

    rattrojaninfostealerhook
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasioncredential_access
  • Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

    Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

    collectioncredential_accessimpact
  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
    bankerdiscovery
  • Queries information about running processes on the device 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about running processes on the device.

    discovery
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    evasionpersistence
  • Performs UI accessibility actions on behalf of the user 1 TTPs 8 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

    discovery
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
    discovery
  • Reads information about phone network operator. 1 TTPs
    discovery
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
    persistence
  • Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

    executionpersistence
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
    impact
  • Checks CPU information 2 TTPs 1 IoCs
  • Checks memory information 2 TTPs 1 IoCs

Processes

  • com.rmptprhsb.nwyhljaui
    1⤵
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Obtains sensitive information copied to the device clipboard
    • Queries information about running processes on the device
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries information about the current Wi-Fi connection
    • Queries the mobile country code (MCC)
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Schedules tasks to execute at a specified time
    • Uses Crypto APIs (Might try to encrypt user data)
    • Checks CPU information
    • Checks memory information
    PID:5232

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

1
T1603

Persistence

Event Triggered Execution

1
T1624

Broadcast Receivers

1
T1624.001

Foreground Persistence

1
T1541

Scheduled Task/Job

1
T1603

Privilege Escalation

Defense Evasion

Download New Code at Runtime

1
T1407

Foreground Persistence

1
T1541

Impair Defenses

1
T1629

Prevent Application Removal

1
T1629.001

Input Injection

1
T1516

Virtualization/Sandbox Evasion

2
T1633

System Checks

2
T1633.001

Credential Access

Clipboard Data

1
T1414

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Discovery

Process Discovery

1
T1424

Software Discovery

1
T1418

Security Software Discovery

1
T1418.001

System Information Discovery

2
T1426

System Network Configuration Discovery

3
T1422

System Network Connections Discovery

1
T1421

Lateral Movement

Collection

Clipboard Data

1
T1414

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Screen Capture

1
T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

1
T1471

Data Manipulation

1
T1641

Transmitted Data Manipulation

1
T1641.001

Input Injection

1
T1516

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/com.rmptprhsb.nwyhljaui/app_dex/classes.dex
    Filesize

    2.9MB

    MD5

    a3c1f2271d8c0efdf0c49ada80aaab67

    SHA1

    f986539664d62adb13eb8c1be4dd8c8b733399c9

    SHA256

    683197920810347aea31231b3139dcba88765fa022dc5edcab54dc1a2b32b8eb

    SHA512

    55d676b2ddf5068c67a54759d08009ec69ffc93107a49128c337ffff4b2684418611144bb52ef28994854a3dc956d90b1f6309c431e85c6adf2b7b3a1f67f47b

    Download Submit

  • /data/data/com.rmptprhsb.nwyhljaui/cache/classes.dex
    Filesize

    1.0MB

    MD5

    f62f72e50f525973890b6d7dd12378f4

    SHA1

    c673a6494f661afb6f828ea17e462611d0cdb12d

    SHA256

    af7ed57836e8d6eeb7e8103680fc3b66b8a53056f7f41815f340a167221fd8f1

    SHA512

    fc8172e4b183dc27dc6e814a920cb5c282754f6453b636201580fdc6c58885d39b346396bbaf167e712e3b9eec4ea154012344971c8c01e1b08a62c594f94402

    Download Submit

  • /data/data/com.rmptprhsb.nwyhljaui/cache/classes.zip
    Filesize

    1.0MB

    MD5

    22fd06e37fe2e50eb188d8880d6f4bcf

    SHA1

    71037998373c123e011a6f7bd0c5c276c079d31c

    SHA256

    3d433bb139535765f2386596d186804bd4552770bb5c17210ae591fedb0ef408

    SHA512

    3c91b96b3ff2ed4eeea19c741a651cba11dc64069d8b476060650a524f1b1baeeb1e9421d22b3a1eb3fc8f3655f21a10823928c7f4c0c9b344283eec28419e0c

    Download Submit

  • /data/data/com.rmptprhsb.nwyhljaui/no_backup/androidx.work.workdb
    Filesize

    4KB

    MD5

    f2b4b0190b9f384ca885f0c8c9b14700

    SHA1

    934ff2646757b5b6e7f20f6a0aa76c7f995d9361

    SHA256

    0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

    SHA512

    ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

    Download Submit

  • /data/data/com.rmptprhsb.nwyhljaui/no_backup/androidx.work.workdb-journal
    Filesize

    512B

    MD5

    8a64db6a4702258a79a14ab7f9d7d498

    SHA1

    f69b5dc84432d9e803b6ba66a2f9ae95d097e1be

    SHA256

    976d1f6f2feb4b5c0f08a47a99333c8b1da7352cd544caab5e6520ed86237b24

    SHA512

    a9bdf236a63a830559f69ed2c801787fc1cc32c9cd5a2e9f4b91a4382b2757730d309872a7d5bd78ceef32dab725ad90a12491d19758121825db4b533ec78ee8

    Download Submit

  • /data/data/com.rmptprhsb.nwyhljaui/no_backup/androidx.work.workdb-shm
    Filesize

    32KB

    MD5

    bb7df04e1b0a2570657527a7e108ae23

    SHA1

    5188431849b4613152fd7bdba6a3ff0a4fd6424b

    SHA256

    c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

    SHA512

    768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

    Download Submit

  • /data/data/com.rmptprhsb.nwyhljaui/no_backup/androidx.work.workdb-wal
    Filesize

    16KB

    MD5

    c446afee6e308095dd7ea0da14fb5fb1

    SHA1

    6cde050996925e69eefb4e086d3d922a5abeaf48

    SHA256

    25d07b50d64e996efbaf4cc126fc9b0d38c6383bfd8cfa1c238ed606fb23c91a

    SHA512

    c62985a3a096982daf0d1e0256a8151c62b0424db8f2e293f6777541616cfa0e6f2ef8f3841c5ed5f31b0ca9bc0bd15e1fd9ac1f76b118184b30bfea69ce828e

    Download Submit

  • /data/data/com.rmptprhsb.nwyhljaui/no_backup/androidx.work.workdb-wal
    Filesize

    108KB

    MD5

    354627269549d12442c41803d16a0f50

    SHA1

    0e903e89c19755cb33feeb74669be159a7fed8ac

    SHA256

    65ace91c51f2e2762feaa1c6e3365ebf838caefa92b3ff6bfe762eb0314171db

    SHA512

    267903fb249844f620d2628aeaa120cd796e54257e1dab2b661291c4ab1a9514b25a9d54145691d9f3c0d7cede12fd42e6fadcce772bbbdcebe92fa8c281994c

    Download Submit

  • /data/data/com.rmptprhsb.nwyhljaui/no_backup/androidx.work.workdb-wal
    Filesize

    173KB

    MD5

    71f1492ccb0f234743734ef46ec9c67d

    SHA1

    fb630a4eaafebe1685ca561526ad9fef8117a2c5

    SHA256

    68ac2f0497274aa76d7751d7d4afc1e833b6d94cc3973a0d488a2c095a2c9319

    SHA512

    5abc004e349ad1ce91b2cc6f061824cd496eeb4af1d6a2f7719733d39ae591d98d7ca36dfee30970e44eaa24deac87bcb7defde0cff267bd38a28e93b6056cbf

    Download Submit