General

  • Target

    12a772c4d08dc57b353897483aad5624614dacb704eff7fcf1caf52f16f95684.bin

  • Size

    1.2MB

  • Sample

    240930-1x59caxckn

  • MD5

    712372139d65274457c93bed9c9aa87c

  • SHA1

    981529c7c0be5d0ee478ba390b6dafa90f746877

  • SHA256

    12a772c4d08dc57b353897483aad5624614dacb704eff7fcf1caf52f16f95684

  • SHA512

    7c2ef2e9b368e36f8ab426100172546ddeee702389c985dd7d5f299340dea20f5151bbcaeedefe510b26e64bf1431b47c16df6bfbb6bae118e1d7a3b6b14ea02

  • SSDEEP

    24576:NDgSXBt8AnEXdwUvhxIeD3S2pcboVzKa9jNw2eA+Kh:NDgSRtUvIqiF8GYPB+A

Malware Config

Extracted

Family

hook

C2

http://176.111.174.205

AES_key

Targets

    • Hook

      Hook is an Android malware that is based on Ermac with RAT capabilities.

    • Makes use of the framework's Accessibility service

      Retrieves information displayed on the phone screen using AccessibilityService.

    • Obtains sensitive information copied to the device clipboard

      Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

    • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

    • Queries information about running processes on the device

      Application may abuse the framework's APIs to collect information about running processes on the device.

    • Queries the phone number (MSISDN for GSM devices)

    • Acquires the wake lock

    • Makes use of the framework's foreground persistence service

      Application may abuse the framework's foreground service to continue running in the foreground.

    • Performs UI accessibility actions on behalf of the user

      Application may abuse the accessibility service to prevent its own removal.

    • Queries information about the current Wi-Fi connection

      Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

    • Queries the mobile country code (MCC)

    • Reads information about the phone network operator.

    • Requests accessing notifications (often used to intercept notifications before users become aware).

MITRE ATT&CK Mobile v15

Tasks