Overview

overview

10

Static

static

6

9ca68fdb6f...26.apk

android-9-x86

10

9ca68fdb6f...26.apk

android-10-x64

10

9ca68fdb6f...26.apk

android-11-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    android-10_x64
  • resource
    android-x64-20240910-en
  • resource tags

    arch:x64arch:x86image:android-x64-20240910-enlocale:en-usos:android-10-x64system
  • submitted
    09-09-2024 22:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9ca68fdb6fcc96fc1725b8101999d638227fc8540c66204c85b3a1a896a57226.apk

  • Size

    4.4MB

  • MD5

    29be1ff2be84cb99949012c2b82ab983

  • SHA1

    fd4b89b0a5f9083b9d844e97d3e3d1770bf16f6c

  • SHA256

    9ca68fdb6fcc96fc1725b8101999d638227fc8540c66204c85b3a1a896a57226

  • SHA512

    c5d2895d63e066dcf0444b307898525a7b6983947273d4739ec923a3c150d536817e03718ce3dfee79739845391a5a4f1777fca768a8ae88eec1671897496df7

  • SSDEEP

    98304:O+DmqkGO8zKO6koZYZbYUE7P8sRZz+xnzyrPSWJXw9MuJ7pXL+BwFhIZegPtKTYJ:3Dlkizv6zYZbYR8sRZaxzyrPSwb0iIIb

Score
10/10
hookbankercollectioncredential_accessdiscoveryevasionexecutionimpactinfostealerpersistencerattrojan

Malware Config

Extracted

Family

hook

C2

http://185.147.124.43

DES_key
AES_key

Signatures

  • Hook

    Hook is an Android malware that is based on Ermac with RAT capabilities.

    rattrojaninfostealerhook
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasioncredential_access
  • Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

    Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

    collectioncredential_accessimpact
  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
    bankerdiscovery
  • Queries information about running processes on the device 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about running processes on the device.

    discovery
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    evasionpersistence
  • Performs UI accessibility actions on behalf of the user 1 TTPs 9 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

    discovery
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
    discovery
  • Reads information about phone network operator. 1 TTPs
    discovery
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
    persistence
  • Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

    executionpersistence
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
    impact
  • Checks CPU information 2 TTPs 1 IoCs
  • Checks memory information 2 TTPs 1 IoCs

Processes

  • com.jmxrpjdpn.zaivookdx
    1⤵
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Obtains sensitive information copied to the device clipboard
    • Queries information about running processes on the device
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries information about the current Wi-Fi connection
    • Queries the mobile country code (MCC)
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Schedules tasks to execute at a specified time
    • Uses Crypto APIs (Might try to encrypt user data)
    • Checks CPU information
    • Checks memory information
    PID:5116

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

1
T1603

Persistence

Event Triggered Execution

1
T1624

Broadcast Receivers

1
T1624.001

Foreground Persistence

1
T1541

Scheduled Task/Job

1
T1603

Privilege Escalation

Defense Evasion

Download New Code at Runtime

1
T1407

Foreground Persistence

1
T1541

Impair Defenses

1
T1629

Prevent Application Removal

1
T1629.001

Input Injection

1
T1516

Virtualization/Sandbox Evasion

2
T1633

System Checks

2
T1633.001

Credential Access

Clipboard Data

1
T1414

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Discovery

Process Discovery

1
T1424

Software Discovery

1
T1418

Security Software Discovery

1
T1418.001

System Information Discovery

2
T1426

System Network Configuration Discovery

3
T1422

System Network Connections Discovery

1
T1421

Lateral Movement

Collection

Clipboard Data

1
T1414

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Screen Capture

1
T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

1
T1471

Data Manipulation

1
T1641

Transmitted Data Manipulation

1
T1641.001

Input Injection

1
T1516

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/com.jmxrpjdpn.zaivookdx/app_dex/classes.dex
    Filesize

    2.9MB

    MD5

    64d0bb27e7959a0da6a8973bd21712be

    SHA1

    bb05efc5fab7283cabf40c5301235c3eb2e2f623

    SHA256

    2034a70d8c6842cbe4c6db26481a755f5877b8790c7c93967696e8c06c3823a4

    SHA512

    9de9dcf4b216efc679187c68a3791dd7f02046fa64c83b48d73d455b8e2004182131759d74ce34977586b081ecc6eea8aa85452311a0ad99cefeb527bafa763f

    Download Submit

  • /data/data/com.jmxrpjdpn.zaivookdx/cache/classes.dex
    Filesize

    1.0MB

    MD5

    9014736a1491cd740990892f23b03ea4

    SHA1

    7df45baf835c257d33cdd79fabce19f210d318d6

    SHA256

    ca6ad51fa5f5c59e25ddf68aef2f34ae18e08b5e1f488732e5befdebdca40ede

    SHA512

    56b23b4181efe9ed6a3535bfe58048dd1a3fd6620b74539a66d41ad3cd19bb94359711e7bbaebbad68475014fa039dbbabbb6b8ca8833123a3046d51fbc3da07

    Download Submit

  • /data/data/com.jmxrpjdpn.zaivookdx/cache/classes.zip
    Filesize

    1.0MB

    MD5

    3298cfeb444f81018af17b8f01c792c0

    SHA1

    df7dcd490d1cc746faa65567165db286aefff7db

    SHA256

    d66c0a32aab9ba685616d037dabc07daded673660d2808aa25a39c5c89ad3c67

    SHA512

    a7cf611dfc105a56e801880d178f1aba0c8cd5ae925e946c301bdd21f85a457b418d9bc053b57525d587e04d7535cbdb959380e034b3eadc6b8c37be239621d0

    Download Submit

  • /data/data/com.jmxrpjdpn.zaivookdx/no_backup/androidx.work.workdb
    Filesize

    4KB

    MD5

    f2b4b0190b9f384ca885f0c8c9b14700

    SHA1

    934ff2646757b5b6e7f20f6a0aa76c7f995d9361

    SHA256

    0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

    SHA512

    ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

    Download Submit

  • /data/data/com.jmxrpjdpn.zaivookdx/no_backup/androidx.work.workdb-journal
    Filesize

    512B

    MD5

    5da593b2f8f5a4dacb463e7a5d8c0a2d

    SHA1

    c1956726f27ecc3c7d7806594dd028805c06dabb

    SHA256

    37949e218830fd9c7d81d655a503aec2a5e025f2544eb2ffb46ee6d1584bbd71

    SHA512

    d8a1e7d32725c71b93e1c43185010976161c73de608a03acae055223e01dc5b39d74c3fc484070376c3b5d16baf53e3014dad5c52cc55b976387a7f68120606b

    Download Submit

  • /data/data/com.jmxrpjdpn.zaivookdx/no_backup/androidx.work.workdb-shm
    Filesize

    32KB

    MD5

    bb7df04e1b0a2570657527a7e108ae23

    SHA1

    5188431849b4613152fd7bdba6a3ff0a4fd6424b

    SHA256

    c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

    SHA512

    768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

    Download Submit

  • /data/data/com.jmxrpjdpn.zaivookdx/no_backup/androidx.work.workdb-wal
    Filesize

    16KB

    MD5

    7bd04d34e53f5a1b77392a01f142697a

    SHA1

    f453408bfac89d8396c5fda5f5a8579c2d6a7a55

    SHA256

    ee5dad3edc04d0017ca95f9f48c17a103636ae9cc97328695b936bdd48933164

    SHA512

    d92055874ceb0beb781088d2cd98667d466e9a0a9bcc8ce59f688d0c1c40a111ab672f2d020718a332e8b233a4bcbb8f85a79e12ac6181eeed408387ad0e3c42

    Download Submit

  • /data/data/com.jmxrpjdpn.zaivookdx/no_backup/androidx.work.workdb-wal
    Filesize

    108KB

    MD5

    89dc677ea3f2268dadb57ed177192571

    SHA1

    a94ce9a4f664b772d796757ddbd8beca86d40fb7

    SHA256

    ba8365ee194ac02c39d1c502e36c120ae30776364fab93406304498a8f0a1f86

    SHA512

    d30f6f320fca1ec3e694aef5c5ff83adc4493d2da4f15789906363fab8eadfe065e8675fbe28faf863996e7020cf34905057f8f97c56931fea483eb0e0a19385

    Download Submit

  • /data/data/com.jmxrpjdpn.zaivookdx/no_backup/androidx.work.workdb-wal
    Filesize

    173KB

    MD5

    088fe53d5fae3de1a7c9c689420bcc6f

    SHA1

    9bf190503d86bfe295f120bb60d7703250eb19f9

    SHA256

    bc30cb62f14b7bd5e5c419cdf8519f69dbc42e288dfaa36057a0ac3922ddb986

    SHA512

    c5eba204de60ed6c2630a40cc585e18c504b26afb28984fa0fa3fd3c89bb082caf153939910d0841c8041fd2155560156fe42a97084fdd621e18822c1d15a776

    Download Submit