Overview

overview

10

Static

static

6

5de9b18eb6...37.apk

android-9-x86

10

5de9b18eb6...37.apk

android-10-x64

10

5de9b18eb6...37.apk

android-11-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    152s
  • platform
    android-9_x86
  • resource
    android-x86-arm-20240910-en
  • resource tags

    arch:armarch:x86image:android-x86-arm-20240910-enlocale:en-usos:android-9-x86system
  • submitted
    11-09-2024 22:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5de9b18eb629991bd38a9b22085528dbe5c2b3e5abb79648b8a9d7bf706c4437.apk

  • Size

    4.5MB

  • MD5

    9d5629af991b9f6bbc86ac50414c0ad3

  • SHA1

    ff1b949363e5f686e28211a5518fa0bd41c14ee8

  • SHA256

    5de9b18eb629991bd38a9b22085528dbe5c2b3e5abb79648b8a9d7bf706c4437

  • SHA512

    f26518fd13418f55b44b4289e71bfe2f80d8ed30959016820e4986c7274b369aaa0f87f0dea5ec78375c5fc2488683369fce66d44619b00e5107cd8e6e085e15

  • SSDEEP

    98304:TMMX0EU1WCo9yqhyT0p+COx118Pe+a1OLHkBypAw9vJr1YSvsb:TcibHfVOxIPe+asoAp9JJJVUb

Score
10/10
hookbankercollectioncredential_accessdiscoveryevasionexecutionimpactinfostealerpersistencerattrojan

Malware Config

Extracted

Family

hook

C2

http://185.147.124.43

DES_key
AES_key

Signatures

  • Hook

    Hook is an Android malware that is based on Ermac with RAT capabilities.

    rattrojaninfostealerhook
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasioncredential_access
  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
    bankerdiscovery
  • Queries information about running processes on the device 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about running processes on the device.

    discovery
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    evasionpersistence
  • Performs UI accessibility actions on behalf of the user 1 TTPs 8 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

    discovery
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
    discovery
  • Reads information about phone network operator. 1 TTPs
    discovery
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
    collectioncredential_access
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
    persistence
  • Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

    executionpersistence
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
    impact
  • Checks CPU information 2 TTPs 1 IoCs
  • Checks memory information 2 TTPs 1 IoCs

Processes

  • com.yzlvmrqbv.ruqgfhpry
    1⤵
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Queries information about running processes on the device
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries information about the current Wi-Fi connection
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Schedules tasks to execute at a specified time
    • Uses Crypto APIs (Might try to encrypt user data)
    • Checks CPU information
    • Checks memory information
    PID:4218

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

1
T1603

Persistence

Event Triggered Execution

1
T1624

Broadcast Receivers

1
T1624.001

Foreground Persistence

1
T1541

Scheduled Task/Job

1
T1603

Privilege Escalation

Defense Evasion

Download New Code at Runtime

1
T1407

Foreground Persistence

1
T1541

Impair Defenses

1
T1629

Prevent Application Removal

1
T1629.001

Input Injection

1
T1516

Virtualization/Sandbox Evasion

2
T1633

System Checks

2
T1633.001

Credential Access

Access Notifications

1
T1517

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Discovery

Process Discovery

1
T1424

Software Discovery

1
T1418

Security Software Discovery

1
T1418.001

System Information Discovery

2
T1426

System Network Configuration Discovery

3
T1422

System Network Connections Discovery

1
T1421

Lateral Movement

Collection

Access Notifications

1
T1517

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Screen Capture

1
T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

1
T1471

Input Injection

1
T1516

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/com.yzlvmrqbv.ruqgfhpry/app_dex/classes.dex
    Filesize

    2.9MB

    MD5

    2d10abaa6c72b86efb44fbf62c8c5c88

    SHA1

    0084afcc3b1ea93ee778968283f4732af685e091

    SHA256

    8b7dbd90277c5f6e1241534916e62a3ab918fb7abbdb5057c0218112e18bfe20

    SHA512

    91cb08b8439de750ef6d94f7c6a1a604cf4555f7e6d9dd6135843c15724ebdf60befda16cc443d24e8f4f6c8df9945e3e324fab212571347492ce39685ac6491

    Download Submit

  • /data/data/com.yzlvmrqbv.ruqgfhpry/cache/classes.dex
    Filesize

    1.0MB

    MD5

    5410574df16c6692a231cb7d9ab6043c

    SHA1

    03b108a9a310ba9e77b764a89464667343c6de15

    SHA256

    8ff42bd8cdf087458edf35316bef720cbe2c7f6b7e34f7b98a3fde5d086aba29

    SHA512

    db8b4b1924a9434c73545c2ace43fa83a1316ccc4f7a4f5622db34134d83a0a42ea7d167bdf0b7e255f73b945cc078fbdba0ff5b4666d1827695221540af1bb7

    Download Submit

  • /data/data/com.yzlvmrqbv.ruqgfhpry/cache/classes.zip
    Filesize

    1.0MB

    MD5

    792b8ee06333453836e7d853b66dddf3

    SHA1

    2107527d5b32d6182181b831d4ade89bc37aee6f

    SHA256

    823e0dc79d607ea7aece5a4bb9608986d8760be7d6f850c7ed94b82af6098847

    SHA512

    4f4f5455eeb8692c23b29e5d3ec7382c97d19b9efbce1de340b9101dde3bad4a96321184795de86b51999e724184854db599175836b1e628bf6e239cdc903b3a

    Download Submit

  • /data/data/com.yzlvmrqbv.ruqgfhpry/no_backup/androidx.work.workdb
    Filesize

    4KB

    MD5

    f2b4b0190b9f384ca885f0c8c9b14700

    SHA1

    934ff2646757b5b6e7f20f6a0aa76c7f995d9361

    SHA256

    0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

    SHA512

    ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

    Download Submit

  • /data/data/com.yzlvmrqbv.ruqgfhpry/no_backup/androidx.work.workdb-journal
    Filesize

    512B

    MD5

    76699f34ffbdc594e6cd88806089221c

    SHA1

    97084571f88ea7c5f1f7c6cbea1c2d8227f3bc09

    SHA256

    96377fea02099f036b48ca699962092dd948eaf432837c79e0819d5595f313dd

    SHA512

    0897e53abc02a482339d45fc00ad458c0ff1cf51dbda737289982e8afb9a5040506f4c7aa05c1b88c804f03cc5887e348e9543ff9adf244deea2be709b2b3768

    Download Submit

  • /data/data/com.yzlvmrqbv.ruqgfhpry/no_backup/androidx.work.workdb-shm
    Filesize

    32KB

    MD5

    bb7df04e1b0a2570657527a7e108ae23

    SHA1

    5188431849b4613152fd7bdba6a3ff0a4fd6424b

    SHA256

    c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

    SHA512

    768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

    Download Submit

  • /data/data/com.yzlvmrqbv.ruqgfhpry/no_backup/androidx.work.workdb-wal
    Filesize

    108KB

    MD5

    0f2a7b601b70f3647a8f601d635b79e6

    SHA1

    981efe61e8a61219e9b9e7892bed893d43b308a6

    SHA256

    c3bb5a66e7e0b44ed030945495f731950274a2693f4a07cc9b7c9cc3f49b1417

    SHA512

    d6f2b78448dd713123bc925cf2aa2eff259da64f9adbb2367f07e1773931eaca6ad46b22ff735e9963ff6b79e3b7b7a969bb0a4510c086aab79b2fc1ef1cd194

    Download Submit

  • /data/data/com.yzlvmrqbv.ruqgfhpry/no_backup/androidx.work.workdb-wal
    Filesize

    173KB

    MD5

    8d69630aaa8e5626afd8fb23232191c3

    SHA1

    1aff3d38dbbbe6d3fe7ae46cbce07aca13bc5583

    SHA256

    7daabf846c1de1c1362401191bd69726f262cb8dc9e8094fe8301f9bb0c6258d

    SHA512

    def83f89d76bc4a8c129676852fda06ba8331b0c4527efce3bec04322851864e9fd70846079be167f2b86dac9e9ab228a57f9cc9fe9de3e7cc87324831fca1c8

    Download Submit

  • /data/data/com.yzlvmrqbv.ruqgfhpry/no_backup/androidx.work.workdb-wal
    Filesize

    16KB

    MD5

    5dcafef720b7b39501343e363cc424a1

    SHA1

    898240386e98b59ac15c918cbf89424fb9256555

    SHA256

    6e5ed70b6049ce8979263a5cc67487123bacdc282a20c999523500514536af03

    SHA512

    7d626f57bd5c6ddaca0060acf5beb60d192c73244ce4935e3a3df2cfd7e0fc6d3389d66833bddda5a128d0d3940e2f106862fb44a7c38785ebd98ed7704b8be0

    Download Submit