Overview

overview

10

Static

static

6

a4b9aa0619...7f.apk

android-9-x86

10

a4b9aa0619...7f.apk

android-10-x64

10

a4b9aa0619...7f.apk

android-11-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    152s
  • platform
    android-11_x64
  • resource
    android-x64-arm64-20240910-en
  • resource tags

    arch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240910-enlocale:en-usos:android-11-x64system
  • submitted
    09/09/2024, 22:14

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    a4b9aa0619a74dcfcf4b4bb13d610e76606c7cb551a9fdc78bf45e737dbbd37f.apk

  • Size

    4.4MB

  • MD5

    0b7c5967ca8e6251473fd9b26f19fb11

  • SHA1

    46b21076e97b2c5bbe977f98b67330dca7dd21f6

  • SHA256

    a4b9aa0619a74dcfcf4b4bb13d610e76606c7cb551a9fdc78bf45e737dbbd37f

  • SHA512

    d46252ee3f11754600ddc6c7b48b8241cfd0b1e489a0bc665442931bd9c99c538d84e86b221982c9228ac668ac97d07eb108cd2e26c79adae45b405f401b2701

  • SSDEEP

    98304:UKfAQaTUibERxhgqDfAaIgXfmq3gQ2fK9cpCCSuD+mWxWjnd1VOJ:UuAQEUiby7gqDOgPmq3gQKCcpCxWJrOJ

Score
10/10
hookbankercollectioncredential_accessdiscoveryevasionexecutionimpactinfostealerpersistencerattrojan

Malware Config

Extracted

Family

hook

C2

http://185.130.226.87

DES_key
AES_key

Signatures

  • Hook

    Hook is an Android malware that is based on Ermac with RAT capabilities.

    rattrojaninfostealerhook
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasioncredential_access
  • Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

    Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

    collectioncredential_accessimpact
  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
    bankerdiscovery
  • Queries information about running processes on the device 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about running processes on the device.

    discovery
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    evasionpersistence
  • Performs UI accessibility actions on behalf of the user 1 TTPs 19 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

    discovery
  • Reads information about phone network operator. 1 TTPs
    discovery
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
    collectioncredential_access
  • Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

    executionpersistence
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
    impact
  • Checks CPU information 2 TTPs 1 IoCs
  • Checks memory information 2 TTPs 1 IoCs

Processes

  • com.ncgtpctkg.eanzbfsiw
    1⤵
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Obtains sensitive information copied to the device clipboard
    • Queries information about running processes on the device
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries information about the current Wi-Fi connection
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Schedules tasks to execute at a specified time
    • Uses Crypto APIs (Might try to encrypt user data)
    • Checks CPU information
    • Checks memory information
    PID:4748

Network

        MITRE ATT&CK Mobile v15

        Initial Access

        Execution

        Scheduled Task/Job

        1
        T1603

        Persistence

        Foreground Persistence

        1
        T1541

        Scheduled Task/Job

        1
        T1603

        Privilege Escalation

        Defense Evasion

        Download New Code at Runtime

        1
        T1407

        Foreground Persistence

        1
        T1541

        Impair Defenses

        1
        T1629

        Prevent Application Removal

        1
        T1629.001

        Input Injection

        1
        T1516

        Virtualization/Sandbox Evasion

        2
        T1633

        System Checks

        2
        T1633.001

        Credential Access

        Access Notifications

        1
        T1517

        Clipboard Data

        1
        T1414

        Input Capture

        2
        T1417

        GUI Input Capture

        1
        T1417.002

        Keylogging

        1
        T1417.001

        Discovery

        Process Discovery

        1
        T1424

        Software Discovery

        1
        T1418

        Security Software Discovery

        1
        T1418.001

        System Information Discovery

        2
        T1426

        System Network Configuration Discovery

        2
        T1422

        System Network Connections Discovery

        1
        T1421

        Lateral Movement

        Collection

        Access Notifications

        1
        T1517

        Clipboard Data

        1
        T1414

        Input Capture

        2
        T1417

        GUI Input Capture

        1
        T1417.002

        Keylogging

        1
        T1417.001

        Screen Capture

        1
        T1513

        Command and Control

        Exfiltration

        Impact

        Data Encrypted for Impact

        1
        T1471

        Data Manipulation

        1
        T1641

        Transmitted Data Manipulation

        1
        T1641.001

        Input Injection

        1
        T1516

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • /data/data/com.ncgtpctkg.eanzbfsiw/app_dex/classes.dex
          Filesize

          2.9MB

          MD5

          5060e68e2fa658d1b28e18d514d5033e

          SHA1

          c27247f5d015ac181ae32df2c4b889b31fc8115e

          SHA256

          455a988b8371ce33e6ed39bf0c4369c3c9fd26b6002423d467308f38a0cc20fc

          SHA512

          79138601617072efaa8e77171133026aaf24bf4af5df14e2ac69e16cbd8efd4f18843dd1f8458f5ce8fc78cbb578bf0ed400971cc326b30b53b9935bab58dbc1

          Download Submit

        • /data/data/com.ncgtpctkg.eanzbfsiw/cache/classes.dex
          Filesize

          1.0MB

          MD5

          8391d760410890669979909cf6c1318e

          SHA1

          3f44823afce3eaa20ed125913079a62356c2a674

          SHA256

          b47ceef4fb691a856f3e76ae7b6c18c612aef1cc4e01578bacccb715968fe4f9

          SHA512

          bb931c5fe6cffb62dfd8c0e57c7a9ad58b414a6d51342d983608095036dd0ce6420ce5b1da646a58e43b1a8054b09e92b1d32b13a0544409b03a70dfd415e691

          Download Submit

        • /data/data/com.ncgtpctkg.eanzbfsiw/cache/classes.zip
          Filesize

          1.0MB

          MD5

          8ab99d97e191d7b4d3f33d3065bf0076

          SHA1

          7a896180aa15ab8385d50c3306e44e2e6d98a61b

          SHA256

          f658fe00f4ad2e0bddd60e25a1ceb001efd1333546e25516e9b7e0da705394cc

          SHA512

          8129481cb41a2cedcd09d86f161c5469b96d1ca597aa056b1ffc7f071d81bced258c409f879355b8da6a2040c5ce3cd67ea038fa791d4bc3a3a6c5b6459951b4

          Download Submit

        • /data/data/com.ncgtpctkg.eanzbfsiw/no_backup/androidx.work.workdb
          Filesize

          4KB

          MD5

          7e858c4054eb00fcddc653a04e5cd1c6

          SHA1

          2e056bf31a8d78df136f02a62afeeca77f4faccf

          SHA256

          9010186c5c083155a45673017d1e31c2a178e63cc15a57bbffde4d1956a23dad

          SHA512

          d0c7a120940c8e637d5566ef179d01eff88a2c2650afda69ad2a46aad76533eaace192028bba3d60407b4e34a950e7560f95d9f9b8eebe361ef62897d88b30cb

          Download Submit

        • /data/data/com.ncgtpctkg.eanzbfsiw/no_backup/androidx.work.workdb-journal
          Filesize

          512B

          MD5

          b44e8a8a7ff4f4a40ea1d3dae96c0499

          SHA1

          7f9fcfa640a26b313d4d94084b482d5bdecee1d6

          SHA256

          879080c704b7e5c180489c1be04a4bb106e0758bee2094b2cb3a4f73290e07a1

          SHA512

          6b93d1837b8646ff7c55723784eb3d8f0d1148ae909e0e999df3e1e7caaa2732fc7744f440e9e0ba5249440022b3714a336da4d92d33098f8dc5a7f6ef896b22

          Download Submit

        • /data/data/com.ncgtpctkg.eanzbfsiw/no_backup/androidx.work.workdb-shm
          Filesize

          32KB

          MD5

          bb7df04e1b0a2570657527a7e108ae23

          SHA1

          5188431849b4613152fd7bdba6a3ff0a4fd6424b

          SHA256

          c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

          SHA512

          768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

          Download Submit

        • /data/data/com.ncgtpctkg.eanzbfsiw/no_backup/androidx.work.workdb-wal
          Filesize

          16KB

          MD5

          369a05494cff82f2e516089e06d49653

          SHA1

          f83cdaf63ea632381128ace01c0030d401a9d81d

          SHA256

          396ee2800e5d796d5f70b4f5de10958db5c0d6bb6024d4437ff67a3992e53185

          SHA512

          f68ae4932b5ac4e4fde76517ce8223d9d455bc7f67b46c7b0e67b13ab22b929193a92d82d852ccacf7f9d3dfe98617ad3e4af3d74328d0ed451fe9497a0d03a0

          Download Submit

        • /data/data/com.ncgtpctkg.eanzbfsiw/no_backup/androidx.work.workdb-wal
          Filesize

          108KB

          MD5

          bdecd238a0eb234494fdfc981fd27e86

          SHA1

          df9db79b9a287662ae7bd7bbbca54b625d2239f3

          SHA256

          a6d84ce33e0ce484d1ddae8d95fa64cef21af22e68b62e8d3e118ca74b95b7f0

          SHA512

          08c4d1359e14e609ae86b51d8e9c1b23ac2ac21da6c397655a3ef66554a1b6b3097a95f07bc931ceda6389ebfbde3138c95037d4f5732b1462b45ce2fe4052cc

          Download Submit

        • /data/data/com.ncgtpctkg.eanzbfsiw/no_backup/androidx.work.workdb-wal
          Filesize

          173KB

          MD5

          4d19ff9225e58dee59f8e02a2d23d594

          SHA1

          a8a67d48d62a317f98d2fd6dfc1556db3ed7e23f

          SHA256

          9633b21d090750f52be808e40d283b0acde44a870dd1228488ed81a623c17263

          SHA512

          de197721acb2bebcc73d67cb5acf68781da95575c109e34dc210a97a8ec4fba966930fcd2505422b024cf0dee0c47d41bb11d3a519a474885e6d5aef60b8dc40

          Download Submit