Overview

overview

10

Static

static

6

3c5df0d5ea...31.apk

android-9-x86

10

3c5df0d5ea...31.apk

android-10-x64

10

3c5df0d5ea...31.apk

android-11-x64

10

Analysis

  • max time kernel
    22s
  • max time network
    160s
  • platform
    android_x64
  • resource
    android-x64-20240624-en
  • resource tags

    androidarch:x64arch:x86image:android-x64-20240624-enlocale:en-usos:android-10-x64system
  • submitted
    19-10-2024 22:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3c5df0d5ea87aa008027fbb2559182f1bc9b28124a99e8c06c896b54c9b32331.apk

  • Size

    3.9MB

  • MD5

    dc7c596f2f46a111f1b07e166dc8e121

  • SHA1

    c02eb39c3733a5607920423d17b1ab582571f0ed

  • SHA256

    3c5df0d5ea87aa008027fbb2559182f1bc9b28124a99e8c06c896b54c9b32331

  • SHA512

    f095cff4ce154672068eff96bd1cae64816dee31114dfd2574ead6581d1a20afb8d9b5a037a459fec3d7ba719f8a932901120f87481b37c3c9620886e0784201

  • SSDEEP

    98304:EslzqC/U6pMXJ+9xSGDlLiECV/VMSssHAaTQx7:LlzqfvGDl+ECkS/MZ

Score
10/10
hookbankercollectioncredential_accessdiscoveryevasionexecutionimpactinfostealerpersistencerattrojan

Malware Config

Extracted

Family

hook

C2

http://193.143.1.24

DES_key
AES_key

Signatures

  • Hook

    Hook is an Android malware that is based on Ermac with RAT capabilities.

    rattrojaninfostealerhook
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasioncredential_access
  • Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

    Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

    collectioncredential_accessimpact
  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
    bankerdiscovery
  • Queries information about running processes on the device 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about running processes on the device.

    discovery
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    evasionpersistence
  • Performs UI accessibility actions on behalf of the user 1 TTPs 5 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

    discovery
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
    discovery
  • Reads information about phone network operator. 1 TTPs
    discovery
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
    persistence
  • Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

    executionpersistence
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
    impact
  • Checks CPU information 2 TTPs 1 IoCs
  • Checks memory information 2 TTPs 1 IoCs

Processes

  • com.jbtifafwc.twzgptlfx
    1⤵
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Obtains sensitive information copied to the device clipboard
    • Queries information about running processes on the device
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries information about the current Wi-Fi connection
    • Queries the mobile country code (MCC)
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Schedules tasks to execute at a specified time
    • Uses Crypto APIs (Might try to encrypt user data)
    • Checks CPU information
    • Checks memory information
    PID:4973

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

1
T1603

Persistence

Event Triggered Execution

1
T1624

Broadcast Receivers

1
T1624.001

Foreground Persistence

1
T1541

Scheduled Task/Job

1
T1603

Privilege Escalation

Defense Evasion

Download New Code at Runtime

1
T1407

Foreground Persistence

1
T1541

Impair Defenses

1
T1629

Prevent Application Removal

1
T1629.001

Input Injection

1
T1516

Virtualization/Sandbox Evasion

2
T1633

System Checks

2
T1633.001

Credential Access

Clipboard Data

1
T1414

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Discovery

Process Discovery

1
T1424

Software Discovery

1
T1418

Security Software Discovery

1
T1418.001

System Information Discovery

2
T1426

System Network Configuration Discovery

3
T1422

System Network Connections Discovery

1
T1421

Lateral Movement

Collection

Clipboard Data

1
T1414

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Screen Capture

1
T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

1
T1471

Data Manipulation

1
T1641

Transmitted Data Manipulation

1
T1641.001

Input Injection

1
T1516

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/com.jbtifafwc.twzgptlfx/app_dex/classes.dex
    Filesize

    2.9MB

    MD5

    e521d2d76a16981564e86cca27161adf

    SHA1

    6618c4d0195a555bb3fb19b75916b04b9237115e

    SHA256

    7d73cfd36bd05f7176bf2f3518d0f5a32c5823cebd0e4bef19e92eded6369b36

    SHA512

    2eb0cc25393510b886661c99ffbf1d61939c105546d4ebc105aa3de88f5c16f3a7fd2ad6073b819c7be660f607c13d77d7656d15ae98cfc68f8d2a7fbd9745e4

    Download Submit

  • /data/data/com.jbtifafwc.twzgptlfx/cache/classes.dex
    Filesize

    1.0MB

    MD5

    a05ac6dfc2b6cb301327989f165526db

    SHA1

    d5dc7e537693fc95a0330cfcb41ddb95779a689f

    SHA256

    d88c1fca75226169d075fc3809f83919e9e5b11f3b2240c7c6a8e15f5ad462d5

    SHA512

    ed9fa84c5d6a696662f2f2d9ba87d6927f9bed95bcce3c4ca8e3c9eff60812ac6b8248b2c860c84d73036de19591cdba445b3bdb7e0cc4330c9956042bf91add

    Download Submit

  • /data/data/com.jbtifafwc.twzgptlfx/cache/classes.zip
    Filesize

    1.0MB

    MD5

    3800f20d5c723cc56254e06f65bcfa90

    SHA1

    7ed1b80fcd059b740b77a8cf83929527fdc94b0b

    SHA256

    f4d075eed2ec15216f817781caef50840ffdcd0290557d56b92187be49feea5c

    SHA512

    58d06d3cb25b778d4b6d6fe2ce876c9b2fe7a62001718fbb87737dca52aa0b8369ae52799f38c1878396bb3d29e27e0a0a51a2668fe1d824617dd79dfbc27f7c

    Download Submit

  • /data/data/com.jbtifafwc.twzgptlfx/no_backup/androidx.work.workdb
    Filesize

    4KB

    MD5

    f2b4b0190b9f384ca885f0c8c9b14700

    SHA1

    934ff2646757b5b6e7f20f6a0aa76c7f995d9361

    SHA256

    0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

    SHA512

    ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

    Download Submit

  • /data/data/com.jbtifafwc.twzgptlfx/no_backup/androidx.work.workdb-journal
    Filesize

    512B

    MD5

    7ac2413aa56f77bf2062d67312748aeb

    SHA1

    73c62a7db4329f21d185ea61157d5db22ad154aa

    SHA256

    acd5a0228b2ed2f177ebb285f4cff0b52b7e11fafada44a142a371418a882ad1

    SHA512

    9ea0a35d56984f398a361be9e9076ee9b10163e529ff2aa6ece61fc5e6b5958576cb07c7fa53d8cb199c0154d369a2c2727ec5a1608739edae3b9cdbfe88b472

    Download Submit

  • /data/data/com.jbtifafwc.twzgptlfx/no_backup/androidx.work.workdb-shm
    Filesize

    32KB

    MD5

    bb7df04e1b0a2570657527a7e108ae23

    SHA1

    5188431849b4613152fd7bdba6a3ff0a4fd6424b

    SHA256

    c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

    SHA512

    768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

    Download Submit

  • /data/data/com.jbtifafwc.twzgptlfx/no_backup/androidx.work.workdb-wal
    Filesize

    16KB

    MD5

    cb5c2f84974aa143f9c9083cc286ecca

    SHA1

    59a4445f5ad06f5d0ca73868ceebee4a30ffc5d1

    SHA256

    02de058b72bb66b378af185fed66f98c5e8bd964f6a13e296462ffdd074974aa

    SHA512

    89034b8ddde5aec49fa89105e03199019ffc22dc40f1452daf9da09176dca84ba2b1c72f35466a8d166e4304528c138aa28be4c17cc1059813202168e3810860

    Download Submit

  • /data/data/com.jbtifafwc.twzgptlfx/no_backup/androidx.work.workdb-wal
    Filesize

    108KB

    MD5

    aa42b580306e03d49b19a0f123adff63

    SHA1

    a866985b24fae64b45911bf9484029f52d266715

    SHA256

    1632102f12cf5fb4b963b1f252889cbff54f2d362af79080be00a0fa7a4d3ef8

    SHA512

    c701f9f4c603b5d110bb21f7ed711ea4bedded73720dcfcd1931cf4d06d4d9c9ace827c3254b41380796a0bad0015006d481f7f0d8c5d278b770a510a9b9bf1c

    Download Submit

  • /data/data/com.jbtifafwc.twzgptlfx/no_backup/androidx.work.workdb-wal
    Filesize

    173KB

    MD5

    bb76a47987cf02dcdb86d03b4441cad6

    SHA1

    00bfbfc85942922c22478798f2712359e7e784e3

    SHA256

    5b182d4a55dc3e587c193fa26f4f5422f709f1a4d606698808573e9710955acc

    SHA512

    bb5283818de8c90e5eac134267538f6ef8e4ffa175ef5688a82413592b32b27e98cfa1fc36f24118bd7d86177a813c6176e2722b3f303e57fbeecdfced59da92

    Download Submit