Analysis

  • max time kernel
    147s
  • max time network
    152s
  • platform
    android-11_x64
  • resource
    android-x64-arm64-20240910-en
  • resource tags

    arch:arm, arch:arm64, arch:x64, arch:x86, image:android-x64-arm64-20240910-en, locale:en-us, os:android-11-x64, system
  • submitted
    10/09/2024, 22:26 UTC

General

  • Target

    c2a3177be0d98638ff6ebd0d01e67aad91e514b0610e30adfbf2253689966e82.apk

  • Size

    1.2MB

  • MD5

    4f09e7058337c6afca2088de1b0f39d2

  • SHA1

    08791a5712bad5b7c1fc9561f26eea0d0a5ca04d

  • SHA256

    c2a3177be0d98638ff6ebd0d01e67aad91e514b0610e30adfbf2253689966e82

  • SHA512

    f5410bb19326efae1018a1ec8d2fb4101aa01f00ffca707c1d3efc28830cba990c9c6d9422f1f704022fa3ff00a6e8bcc74743c078dc85b43043b50ddf1ecd16

  • SSDEEP

    24576:iDgSH/xGAfakDmdEuUiTCqRyTU6olyG/wr+TJxvfiA/4dP:iDgSfxAvUiTCqRyTU6os+TJxv4R

Malware Config

Extracted

Family

hook

C2

http://185.130.226.87

AES_key

1. 374b396842365a4777623946726e3152487379577256426b783361594c704543

Signatures

  • Hook

    Hook is an Android malware that is based on Ermac with RAT capabilities.

  • Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

    Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

  • Queries information about running processes on the device 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about running processes on the device.

  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Performs UI accessibility actions on behalf of the user 1 TTPs 5 IoCs

    Application may abuse the accessibility service to prevent its own removal.

  • Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

  • Reads information about the phone network operator 1 TTPs
  • Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
  • Checks CPU information 2 TTPs 1 IoCs
  • Checks memory information 2 TTPs 1 IoCs

Processes

  • com.dehodigipuhixoyi.mafuko
    • Makes use of the framework's Accessibility service
    • Obtains sensitive information copied to the device clipboard
    • Queries information about running processes on the device
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries information about the current Wi-Fi connection
    • Schedules tasks to execute at a specified time
    • Uses Crypto APIs (Might try to encrypt user data)
    • Checks CPU information
    • Checks memory information
    PID:4785

Network

  • flag-us
    DNS
    www.youtube.com
    Remote address:
    1.1.1.1:53
    Request
    www.youtube.com
    IN A
    Response
    www.youtube.com
    IN CNAME
    youtube-ui.l.google.com
    youtube-ui.l.google.com
    IN A
    142.250.187.238
    youtube-ui.l.google.com
    IN A
    172.217.169.14
    youtube-ui.l.google.com
    IN A
    142.250.187.206
    youtube-ui.l.google.com
    IN A
    142.250.200.14
    youtube-ui.l.google.com
    IN A
    142.250.179.238
    youtube-ui.l.google.com
    IN A
    172.217.169.46
    youtube-ui.l.google.com
    IN A
    142.250.178.14
    youtube-ui.l.google.com
    IN A
    216.58.201.110
    youtube-ui.l.google.com
    IN A
    216.58.213.14
    youtube-ui.l.google.com
    IN A
    142.250.200.46
    youtube-ui.l.google.com
    IN A
    172.217.16.238
    youtube-ui.l.google.com
    IN A
    142.250.180.14
    youtube-ui.l.google.com
    IN A
    216.58.204.78
    youtube-ui.l.google.com
    IN A
    172.217.169.78
  • flag-us
    DNS
    ssl.google-analytics.com
    Remote address:
    1.1.1.1:53
    Request
    ssl.google-analytics.com
    IN A
    Response
    ssl.google-analytics.com
    IN A
    142.250.187.232
  • flag-us
    DNS
    www.google.com
    Remote address:
    1.1.1.1:53
    Request
    www.google.com
    IN A
    Response
    www.google.com
    IN A
    142.250.178.4
  • 216.239.36.223:443
    tls, https
    840 B
    40 B
    1
    1
  • 142.250.187.238:443
    www.youtube.com
    tls
    2.1kB
    8.3kB
    18
    15
  • 185.130.226.87:80
    240 B
    4
  • 142.250.187.232:443
    ssl.google-analytics.com
    tls
    1.4kB
    5.9kB
    10
    9
  • 185.130.226.87:80
    420 B
    7
  • 185.130.226.87:80
    420 B
    7
  • 185.130.226.87:80
    240 B
    4
  • 185.130.226.87:80
    240 B
    4
  • 185.130.226.87:80
    240 B
    4
  • 185.130.226.87:80
    240 B
    4
  • 185.130.226.87:80
    240 B
    4
  • 142.250.178.4:443
    www.google.com
    tls
    2.0kB
    5.6kB
    14
    14
  • 185.130.226.87:80
    240 B
    4
  • 185.130.226.87:80
    240 B
    4
  • 185.130.226.87:80
    240 B
    4
  • 185.130.226.87:80
    240 B
    4
  • 142.250.178.4:443
    www.google.com
    tls
    1.5kB
    5.5kB
    12
    12
  • 142.250.187.225:443
    tls
    187 B
    40 B
    3
    1
  • 142.250.179.225:443
    tls
    135 B
    40 B
    2
    1
  • 216.239.32.223:443
    tls, https
    128 B
    40 B
    2
    1
  • 216.239.32.223:443
    tls, https
    128 B
    40 B
    2
    1
  • 224.0.0.251:5353
    3.9kB
    13
  • 1.1.1.1:53
    www.youtube.com
    dns
    61 B
    319 B
    1
    1

    DNS Request

    www.youtube.com

    DNS Response

    142.250.187.238
    172.217.169.14
    142.250.187.206
    142.250.200.14
    142.250.179.238
    172.217.169.46
    142.250.178.14
    216.58.201.110
    216.58.213.14
    142.250.200.46
    172.217.16.238
    142.250.180.14
    216.58.204.78
    172.217.169.78

  • 1.1.1.1:53
    ssl.google-analytics.com
    dns
    70 B
    86 B
    1
    1

    DNS Request

    ssl.google-analytics.com

    DNS Response

    142.250.187.232

  • 1.1.1.1:53
    www.google.com
    dns
    60 B
    76 B
    1
    1

    DNS Request

    www.google.com

    DNS Response

    142.250.178.4

MITRE ATT&CK Mobile v15

Downloads

  • /data/data/com.dehodigipuhixoyi.mafuko/no_backup/androidx.work.workdb

    Filesize

    4KB

    MD5

    7e858c4054eb00fcddc653a04e5cd1c6

    SHA1

    2e056bf31a8d78df136f02a62afeeca77f4faccf

    SHA256

    9010186c5c083155a45673017d1e31c2a178e63cc15a57bbffde4d1956a23dad

    SHA512

    d0c7a120940c8e637d5566ef179d01eff88a2c2650afda69ad2a46aad76533eaace192028bba3d60407b4e34a950e7560f95d9f9b8eebe361ef62897d88b30cb

  • /data/data/com.dehodigipuhixoyi.mafuko/no_backup/androidx.work.workdb-journal

    Filesize

    512B

    MD5

    6c97940c3ad9fa92d62c7348f5661e37

    SHA1

    c2378d5fc60c0db5f48e79d6be383e2f50031d13

    SHA256

    f04bf440863cf455cec97dcf83c0549295429b698123ff36423f4b4cf00b8ec6

    SHA512

    1300dd407d5116ab865f237560db138a8e005047eb873f6137973597e954093b5e76c63e97543c5be0784c89ab26effec663e1439c140a693eb7429d816d8331

  • /data/data/com.dehodigipuhixoyi.mafuko/no_backup/androidx.work.workdb-shm

    Filesize

    32KB

    MD5

    bb7df04e1b0a2570657527a7e108ae23

    SHA1

    5188431849b4613152fd7bdba6a3ff0a4fd6424b

    SHA256

    c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

    SHA512

    768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

  • /data/data/com.dehodigipuhixoyi.mafuko/no_backup/androidx.work.workdb-wal

    Filesize

    16KB

    MD5

    a772e9fa3aa47ccb796b0bbf738e0f39

    SHA1

    d4f81ba5451749ea1d9198e357434ece48646fad

    SHA256

    a7b1fd0b93913b905ade940c5f82d0715ae6b344af17c71429640686ab2a0b41

    SHA512

    5ee0f7d99e753bb703a799a02f5bf05a0195cdd4c893ea24d725e3131bcf487604e3e4f289f38c4f211a004d25a6646a5a460aa16a538083cf7acd2f921a226e

  • /data/data/com.dehodigipuhixoyi.mafuko/no_backup/androidx.work.workdb-wal

    Filesize

    108KB

    MD5

    6b8ac14655b42944b4336b40501d5944

    SHA1

    54fa3992e213146464ab2ae4167ecf34ab66909c

    SHA256

    dc53484af2526137e3d0758d8d80a13c80cff0b621f7e3e49297eb106e2c3548

    SHA512

    f10d7399dbe86939a29b60eb3dc6d90c8b26244c027c98853d29f75630127271d01a853434898a064f4dfe6c2417cedf4c3a81f9932df531dcec9c9d417154bc

  • /data/data/com.dehodigipuhixoyi.mafuko/no_backup/androidx.work.workdb-wal

    Filesize

    173KB

    MD5

    742e9a3988e16732d69b40b628969e71

    SHA1

    02d6fa805780ef098c82d82a6cf4a15548c9560f

    SHA256

    2fa30a6fb8c1828aeb78a87925e5367febc59262952e4f81d24cebb7d7ac7c6e

    SHA512

    6a3af875f0561ab0c35a178f3d8b05fcf289bb17f6c24eb34f56b853e4ea87dce7f7826681b1a060272e9301bd0ed18f07de0b11686e89f3d75e20576711d884
