Overview

overview

10

Static

static

10

5ce7c6ae08...20.apk

android-9-x86

10

5ce7c6ae08...20.apk

android-10-x64

10

5ce7c6ae08...20.apk

android-11-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    151s
  • platform
    android-9_x86
  • resource
    android-x86-arm-20240910-en
  • resource tags

    arch:armarch:x86image:android-x86-arm-20240910-enlocale:en-usos:android-9-x86system
  • submitted
    18-09-2024 22:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5ce7c6ae088efd353b49ef6292d80cfae53b4268bf4330cb9fb34a2f9ee7d320.apk

  • Size

    1.2MB

  • MD5

    4b5d51c0babbdce86dc80cb27d56670e

  • SHA1

    964df3e00c1aac52847e1e16511bca339d436aaf

  • SHA256

    5ce7c6ae088efd353b49ef6292d80cfae53b4268bf4330cb9fb34a2f9ee7d320

  • SHA512

    2eddfe59350e0434c4f5f587b0bfb1f3e7d8796cd854d5d69a86959af06e8d1ff82fa9d4ae67c0e3420d55d809ea5d8d779775db69fb298f53509fa65935cf79

  • SSDEEP

    24576:bDgSNMNyA4bBGhiYSmSdXplCxo9AJkDPX5fjTPS:bDgSmNJSmCLCxo6JO5LTPS

Score
10/10
hookbankercollectioncredential_accessdiscoveryevasionexecutionimpactinfostealerpersistencerattrojan

Malware Config

Extracted

Family

hook

C2

http://185.147.124.43

AES_key

Signatures

  • Hook

    Hook is an Android malware that is based on Ermac with RAT capabilities.

    rattrojaninfostealerhook
  • Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasioncredential_access
  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
    bankerdiscovery
  • Queries information about running processes on the device 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about running processes on the device.

    discovery
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    evasionpersistence
  • Performs UI accessibility actions on behalf of the user 1 TTPs 5 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

    discovery
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
    discovery
  • Reads information about phone network operator. 1 TTPs
    discovery
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
    persistence
  • Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

    executionpersistence
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
    impact
  • Checks CPU information 2 TTPs 1 IoCs
  • Checks memory information 2 TTPs 1 IoCs

Processes

  • com.dehodigipuhixoyi.mafuko
    1⤵
    • Makes use of the framework's Accessibility service
    • Queries information about running processes on the device
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries information about the current Wi-Fi connection
    • Queries the mobile country code (MCC)
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Schedules tasks to execute at a specified time
    • Uses Crypto APIs (Might try to encrypt user data)
    • Checks CPU information
    • Checks memory information
    PID:4341

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

1
T1603

Persistence

Event Triggered Execution

1
T1624

Broadcast Receivers

1
T1624.001

Foreground Persistence

1
T1541

Scheduled Task/Job

1
T1603

Privilege Escalation

Defense Evasion

Foreground Persistence

1
T1541

Impair Defenses

1
T1629

Prevent Application Removal

1
T1629.001

Input Injection

1
T1516

Virtualization/Sandbox Evasion

2
T1633

System Checks

2
T1633.001

Credential Access

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Discovery

Process Discovery

1
T1424

Software Discovery

1
T1418

Security Software Discovery

1
T1418.001

System Information Discovery

2
T1426

System Network Configuration Discovery

3
T1422

System Network Connections Discovery

1
T1421

Lateral Movement

Collection

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Screen Capture

1
T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

1
T1471

Input Injection

1
T1516

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/com.dehodigipuhixoyi.mafuko/no_backup/androidx.work.workdb
    Filesize

    4KB

    MD5

    f2b4b0190b9f384ca885f0c8c9b14700

    SHA1

    934ff2646757b5b6e7f20f6a0aa76c7f995d9361

    SHA256

    0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

    SHA512

    ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

    Download Submit

  • /data/data/com.dehodigipuhixoyi.mafuko/no_backup/androidx.work.workdb-journal
    Filesize

    512B

    MD5

    55ca56236b59a44f7aa976d885669614

    SHA1

    567a5e2de3bd322d3c1f1cd0fdedb0f47ef5f1b8

    SHA256

    5c5b77200318b884ee0631bdd94282160f29f49aa3bf4f43bac7fcdf507e81f0

    SHA512

    71e994c60a60f5c7b7768193ae565f4b0eaf4b99d53720403dc0c8ed1f1dbb81cba1b1ebca90e7d3f4cc15dc833deae07b85bdad8cc44d33b00009daa064be8a

    Download Submit

  • /data/data/com.dehodigipuhixoyi.mafuko/no_backup/androidx.work.workdb-shm
    Filesize

    32KB

    MD5

    bb7df04e1b0a2570657527a7e108ae23

    SHA1

    5188431849b4613152fd7bdba6a3ff0a4fd6424b

    SHA256

    c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

    SHA512

    768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

    Download Submit

  • /data/data/com.dehodigipuhixoyi.mafuko/no_backup/androidx.work.workdb-wal
    Filesize

    16KB

    MD5

    1d67db628c77c83855fd61f2742c1a99

    SHA1

    d1588461a718d99c452f282877bac1a3ba542950

    SHA256

    f10190f87781f0002cb3b897d1a30e0c1ec949ed9866d7d6f132a77b2c5e0f62

    SHA512

    9113b1f436ef033da905c90c5ed3de387b7849ae8ceaebc1117b34f0e2e510491d6bde7af99d286f8ca23aab1c660b9aa08e38cbeef3d62b893e18aee0eae05c

    Download Submit

  • /data/data/com.dehodigipuhixoyi.mafuko/no_backup/androidx.work.workdb-wal
    Filesize

    108KB

    MD5

    b72ce2667f69c398c3b5a79336b049e4

    SHA1

    4a964cc2128deb87852f501f56c611b498dd9ebc

    SHA256

    190c99362815a4aa0bc0efee47fb1856662e4c4c33e1a7a031d490526134d306

    SHA512

    025872f4a9e0e07c02f0e5372f507a2660fd01a595dab36251f375263d031f26484e718f96eea83a864ad78fd88e911003fee2c11eeeb4598f4c157ad058fb2d

    Download Submit

  • /data/data/com.dehodigipuhixoyi.mafuko/no_backup/androidx.work.workdb-wal
    Filesize

    173KB

    MD5

    4e4fbb1aafc93661baaf13170892236f

    SHA1

    13f4a7fb41ff6fcec7b0bb999f8798e062909132

    SHA256

    f7105d180e3e672faac97851bc78fbe20dbde34cbdb792a21582c7c6f71ca4ca

    SHA512

    431e4dd581e5e507068b68eee539fd52cd4b522b582be6cf210377dc11ec2a5ae617349cc4fc163b7d78bdb3b6d02fb973f000d9d34cc2df897a354d22e91ef0

    Download Submit