hook | d28385e66b2922f1353582c0c4e273ee999be25abd4646c6ea1516017c312f5b

Analysis

max time kernel
149s
max time network
152s
platform
android-11_x64
resource
android-x64-arm64-20240910-en
resource tags

arch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240910-enlocale:en-usos:android-11-x64system
submitted
10-09-2024 22:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d28385e66b2922f1353582c0c4e273ee999be25abd4646c6ea1516017c312f5b.apk
Size

4.4MB
MD5

1cbc68571999e90af71d2a986d0eb666
SHA1

07ecd671ae7b6a637e97406b7ddb0aea06d89d0d
SHA256

d28385e66b2922f1353582c0c4e273ee999be25abd4646c6ea1516017c312f5b
SHA512

13a9dc0ef1d4a1bc74695f3cf7652c66715c0414ee8d77f62513f68170beaa5cbdb4de538d1cbcc70b1db7f2936966f05a2fad98b9a4382145c7f99125ebeed2
SSDEEP

98304:W9aNzes2GYVyqQH7UVLfh8yh9VupDEAeIswuXcQir9vW29:EaNzOrVLZjzYhMQvx9

Score

10^/10

hook banker collection credential_access discovery evasion execution impact infostealer persistence rat trojan

Malware Config

Extracted

Family

hook

http://185.147.124.43

DES_key

AES_key

Signatures

Hook
Hook is an Android malware that is based on Ermac with RAT capabilities.
rat trojan infostealer hook

Loads dropped Dex/Jar 1 TTPs 2 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

Processes:

com.fbrpupwku.pzhhuqsdp

ioc	pid	process
/data/user/0/com.fbrpupwku.pzhhuqsdp/app_dex/classes.dex	4758	com.fbrpupwku.pzhhuqsdp
/data/user/0/com.fbrpupwku.pzhhuqsdp/app_dex/classes.dex	4758	com.fbrpupwku.pzhhuqsdp

Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

Processes:

com.fbrpupwku.pzhhuqsdp

description	ioc	process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText	com.fbrpupwku.pzhhuqsdp
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.fbrpupwku.pzhhuqsdp
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.fbrpupwku.pzhhuqsdp

Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs
Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
collection credential_access impact

Clipboard Data
T1414

Transmitted Data Manipulation
T1641.001

Processes:

com.fbrpupwku.pzhhuqsdp

description ioc process

Framework service call android.content.IClipboard.addPrimaryClipChangedListener com.fbrpupwku.pzhhuqsdp
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Queries information about running processes on the device 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about running processes on the device.
discovery

Process Discovery
T1424

Processes:

com.fbrpupwku.pzhhuqsdp

description ioc process

Framework service call android.app.IActivityManager.getRunningAppProcesses com.fbrpupwku.pzhhuqsdp
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422
Acquires the wake lock 1 IoCs

Processes:

com.fbrpupwku.pzhhuqsdp

description ioc process

Framework service call android.os.IPowerManager.acquireWakeLock com.fbrpupwku.pzhhuqsdp
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
evasion persistence

Foreground Persistence
T1541

Processes:

com.fbrpupwku.pzhhuqsdp

description ioc process

Framework service call android.app.IActivityManager.setServiceForeground com.fbrpupwku.pzhhuqsdp

description	ioc	process
Framework service call	android.content.IClipboard.addPrimaryClipChangedListener	com.fbrpupwku.pzhhuqsdp

description	ioc	process
Framework service call	android.app.IActivityManager.getRunningAppProcesses	com.fbrpupwku.pzhhuqsdp

description	ioc	process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.fbrpupwku.pzhhuqsdp

description	ioc	process
Framework service call	android.app.IActivityManager.setServiceForeground	com.fbrpupwku.pzhhuqsdp

Performs UI accessibility actions on behalf of the user 1 TTPs 20 IoCs

Application may abuse the accessibility service to prevent their removal.

evasion

Prevent Application Removal

T1629.001

Processes:

com.fbrpupwku.pzhhuqsdp

ioc	process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.fbrpupwku.pzhhuqsdp
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.fbrpupwku.pzhhuqsdp
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.fbrpupwku.pzhhuqsdp
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.fbrpupwku.pzhhuqsdp
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.fbrpupwku.pzhhuqsdp
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.fbrpupwku.pzhhuqsdp
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.fbrpupwku.pzhhuqsdp
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.fbrpupwku.pzhhuqsdp
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.fbrpupwku.pzhhuqsdp
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.fbrpupwku.pzhhuqsdp
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.fbrpupwku.pzhhuqsdp
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.fbrpupwku.pzhhuqsdp
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.fbrpupwku.pzhhuqsdp
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.fbrpupwku.pzhhuqsdp
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.fbrpupwku.pzhhuqsdp
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.fbrpupwku.pzhhuqsdp
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.fbrpupwku.pzhhuqsdp
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.fbrpupwku.pzhhuqsdp
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.fbrpupwku.pzhhuqsdp
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.fbrpupwku.pzhhuqsdp

Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
discovery

System Network Connections Discovery
T1421

Processes:

com.fbrpupwku.pzhhuqsdp

description ioc process

Framework service call android.net.wifi.IWifiManager.getConnectionInfo com.fbrpupwku.pzhhuqsdp
Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422
Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
collection credential_access

Access Notifications
T1517

Processes:

com.fbrpupwku.pzhhuqsdp

description ioc process

Intent action android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS com.fbrpupwku.pzhhuqsdp
Schedules tasks to execute at a specified time 1 TTPs 1 IoCs
Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
execution persistence

Scheduled Task/Job
T1603

Processes:

com.fbrpupwku.pzhhuqsdp

description ioc process

Framework service call android.app.job.IJobScheduler.schedule com.fbrpupwku.pzhhuqsdp
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
impact

Data Encrypted for Impact
T1471

Processes:

com.fbrpupwku.pzhhuqsdp

description ioc process

Framework API call javax.crypto.Cipher.doFinal com.fbrpupwku.pzhhuqsdp
Checks CPU information 2 TTPs 1 IoCs

System Checks
T1633.001

System Information Discovery
T1426

Processes:

com.fbrpupwku.pzhhuqsdp

description ioc process

File opened for read /proc/cpuinfo com.fbrpupwku.pzhhuqsdp
Checks memory information 2 TTPs 1 IoCs

System Checks
T1633.001

System Information Discovery
T1426

Processes:

com.fbrpupwku.pzhhuqsdp

description ioc process

File opened for read /proc/meminfo com.fbrpupwku.pzhhuqsdp

description	ioc	process
Framework service call	android.net.wifi.IWifiManager.getConnectionInfo	com.fbrpupwku.pzhhuqsdp

description	ioc	process
Intent action	android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS	com.fbrpupwku.pzhhuqsdp

description	ioc	process
Framework service call	android.app.job.IJobScheduler.schedule	com.fbrpupwku.pzhhuqsdp

description	ioc	process
Framework API call	javax.crypto.Cipher.doFinal	com.fbrpupwku.pzhhuqsdp

description	ioc	process
File opened for read	/proc/cpuinfo	com.fbrpupwku.pzhhuqsdp

description	ioc	process
File opened for read	/proc/meminfo	com.fbrpupwku.pzhhuqsdp

com.fbrpupwku.pzhhuqsdp
1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Queries information about running processes on the device
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries information about the current Wi-Fi connection
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Schedules tasks to execute at a specified time
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:4758

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

T1603

Persistence

Foreground Persistence

T1541

Scheduled Task/Job

T1603

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Foreground Persistence

T1541

Impair Defenses

T1629

Prevent Application Removal

T1629.001

Input Injection

T1516

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Access Notifications

T1517

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Process Discovery

T1424

Software Discovery

T1418

Security Software Discovery

T1418.001

System Information Discovery

T1426

System Network Configuration Discovery

T1422

System Network Connections Discovery

T1421

Lateral Movement

Collection

Access Notifications

T1517

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Data Manipulation

T1641

Transmitted Data Manipulation

T1641.001

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.fbrpupwku.pzhhuqsdp/app_dex/classes.dex

Filesize
2.9MB

MD5
4c5ae80e0dc5c553e7168ac8f916b9ed

SHA1
f77fe4542e36156d77b638f09cdf555f65a90d80

SHA256
9301238057cc034e5246477275a1bc54192b4474b30de6d1a36329f919a0033f

SHA512
ddfefdad3520e5b9449b3ef2e03631f0f2b4fa1a87ae12c5b10dc69b8f8e7fc557fca0925293348b21d6248ed0be3a3695de0001ae373094ff1dcec789b196e4

Download Submit
/data/data/com.fbrpupwku.pzhhuqsdp/cache/classes.dex

Filesize
1.0MB

MD5
bb4da3a977d895c51494379fe06d942e

SHA1
e0893be18f6737e274c4b11eefec297b58e471b3

SHA256
e3022e2a26d112a6cbe4f503c9912553754fc2db80654d88d7a6749ea273d139

SHA512
4f9332f1c5c1500508513da0a07dd45a7d50d14c0bb090624326b8bdac0f913e7aac9cbf8efd28ce40f69cc7d74b850c1cadf3194241b27640a9c1ab998755e3

Download Submit
/data/data/com.fbrpupwku.pzhhuqsdp/cache/classes.zip

Filesize
1.0MB

MD5
937322aa6997f8b93fbfe77a4d0d1a24

SHA1
dff848ed92618396537ef7c88197359ac7a16ba6

SHA256
7861d114d3d48cdb41b31c9852beeb68dfabe369cc2b5310f56f93b9efcb8a47

SHA512
ef505d90bcacd6ccb7544c2865be309b514448e7c04b2324c08fa6a6328f66aed0fa0f8a19e6ac74f8462f92cda9d5b587ec492db72b9625b9c95a706ce12be6

Download Submit
/data/data/com.fbrpupwku.pzhhuqsdp/no_backup/androidx.work.workdb

Filesize
4KB

MD5
7e858c4054eb00fcddc653a04e5cd1c6

SHA1
2e056bf31a8d78df136f02a62afeeca77f4faccf

SHA256
9010186c5c083155a45673017d1e31c2a178e63cc15a57bbffde4d1956a23dad

SHA512
d0c7a120940c8e637d5566ef179d01eff88a2c2650afda69ad2a46aad76533eaace192028bba3d60407b4e34a950e7560f95d9f9b8eebe361ef62897d88b30cb

Download Submit
/data/data/com.fbrpupwku.pzhhuqsdp/no_backup/androidx.work.workdb-journal

Filesize
512B

MD5
c11cef2801e86f00bb8e6cf782f12f2a

SHA1
98a4f72b61cc4d0710acfe707058711e95d73264

SHA256
918cb27af378f31fd59fd229ad5e5ff4d69a8fbf95bfe3219ea2039dc637cdbd

SHA512
bf8f28486fb66c0ab45633b8e13fcc5c4951a6046101e0230ace4b3a51a424aac5cb75865702b315ecbdaac17e2fb061b3b8c87131172dc582b92cb48da0834a

Download Submit
/data/data/com.fbrpupwku.pzhhuqsdp/no_backup/androidx.work.workdb-shm

Filesize
32KB

MD5
bb7df04e1b0a2570657527a7e108ae23

SHA1
5188431849b4613152fd7bdba6a3ff0a4fd6424b

SHA256
c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

SHA512
768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Download Submit
/data/data/com.fbrpupwku.pzhhuqsdp/no_backup/androidx.work.workdb-wal

Filesize
16KB

MD5
3bca6f43e42f0ab5a12cb271dd79ed4f

SHA1
1acccf6f90653df81ddcd22dd8ada8cf1757f5f0

SHA256
d73d54e460fa40b15ece93b12605db73dd3a706bc897d85f6252e6b33def03ba

SHA512
3200814a2c654bc6d552b3f7344042f26d2a3bf9c9b37ee92ce08c6667a85d478bb1f8db7abdb9cf47717cdd0bc4e48dfe3ac400649ee0ccedfd49b35fe217ab

Download Submit
/data/data/com.fbrpupwku.pzhhuqsdp/no_backup/androidx.work.workdb-wal

Filesize
108KB

MD5
714d003504bf1998cec4f5e4d162dfb0

SHA1
6dc260c00cba536d12c6c0e5ca7f3bb8133b47e4

SHA256
7624190a237c5d5bd515092d3f1adee2958403d0342e54a373717dcf9d107058

SHA512
70e277cbfaa0dafe9ffc9688874f37f203b759951c79062cb9ed2b100921f6742f1c97b312735958159b4720791faabdb1be1db6b5b0b9ded2a74cbae444393f

Download Submit
/data/data/com.fbrpupwku.pzhhuqsdp/no_backup/androidx.work.workdb-wal

Filesize
173KB

MD5
f71c301afe1de355a9a51a78429d466f

SHA1
c738cf1c5d0d086c85ab4cd05454aa3102daf3ae

SHA256
85c1a4a36c4a94bf16ccb3e3dbaa06d8dcf86257bb7bbb0b533683072bb8bd27

SHA512
9e31379bed5dc89ea32647d1e0e5858fb01410c93f993c97fbfea85ee12ea69c850ee0b597302a7758483192820c372655d97a422e1767b46b50e7e990e4d023

Download Submit