Overview

overview

10

Static

static

6

3c5df0d5ea...31.apk

android-9-x86

10

3c5df0d5ea...31.apk

android-10-x64

10

3c5df0d5ea...31.apk

android-11-x64

10

Analysis

  • max time kernel
    129s
  • max time network
    160s
  • platform
    android_x64
  • resource
    android-x64-arm64-20240624-en
  • resource tags

    androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240624-enlocale:en-usos:android-11-x64system
  • submitted
    19-10-2024 22:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3c5df0d5ea87aa008027fbb2559182f1bc9b28124a99e8c06c896b54c9b32331.apk

  • Size

    3.9MB

  • MD5

    dc7c596f2f46a111f1b07e166dc8e121

  • SHA1

    c02eb39c3733a5607920423d17b1ab582571f0ed

  • SHA256

    3c5df0d5ea87aa008027fbb2559182f1bc9b28124a99e8c06c896b54c9b32331

  • SHA512

    f095cff4ce154672068eff96bd1cae64816dee31114dfd2574ead6581d1a20afb8d9b5a037a459fec3d7ba719f8a932901120f87481b37c3c9620886e0784201

  • SSDEEP

    98304:EslzqC/U6pMXJ+9xSGDlLiECV/VMSssHAaTQx7:LlzqfvGDl+ECkS/MZ

Score
10/10
hookbankercollectioncredential_accessdiscoveryevasionexecutionimpactinfostealerpersistencerattrojan

Malware Config

Extracted

Family

hook

C2

http://193.143.1.24

DES_key
AES_key

Signatures

  • Hook

    Hook is an Android malware that is based on Ermac with RAT capabilities.

    rattrojaninfostealerhook
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasioncredential_access
  • Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

    Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

    collectioncredential_accessimpact
  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
    bankerdiscovery
  • Queries information about running processes on the device 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about running processes on the device.

    discovery
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    evasionpersistence
  • Performs UI accessibility actions on behalf of the user 1 TTPs 5 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

    discovery
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
    discovery
  • Reads information about phone network operator. 1 TTPs
    discovery
  • Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

    executionpersistence
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
    impact
  • Checks CPU information 2 TTPs 1 IoCs
  • Checks memory information 2 TTPs 1 IoCs

Processes

  • com.jbtifafwc.twzgptlfx
    1⤵
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Obtains sensitive information copied to the device clipboard
    • Queries information about running processes on the device
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries information about the current Wi-Fi connection
    • Queries the mobile country code (MCC)
    • Schedules tasks to execute at a specified time
    • Uses Crypto APIs (Might try to encrypt user data)
    • Checks CPU information
    • Checks memory information
    PID:4499

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

1
T1603

Persistence

Foreground Persistence

1
T1541

Scheduled Task/Job

1
T1603

Privilege Escalation

Defense Evasion

Download New Code at Runtime

1
T1407

Foreground Persistence

1
T1541

Impair Defenses

1
T1629

Prevent Application Removal

1
T1629.001

Input Injection

1
T1516

Virtualization/Sandbox Evasion

2
T1633

System Checks

2
T1633.001

Credential Access

Clipboard Data

1
T1414

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Discovery

Process Discovery

1
T1424

Software Discovery

1
T1418

Security Software Discovery

1
T1418.001

System Information Discovery

2
T1426

System Network Configuration Discovery

3
T1422

System Network Connections Discovery

1
T1421

Lateral Movement

Collection

Clipboard Data

1
T1414

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Screen Capture

1
T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

1
T1471

Data Manipulation

1
T1641

Transmitted Data Manipulation

1
T1641.001

Input Injection

1
T1516

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/com.jbtifafwc.twzgptlfx/app_dex/classes.dex
    Filesize

    2.9MB

    MD5

    e521d2d76a16981564e86cca27161adf

    SHA1

    6618c4d0195a555bb3fb19b75916b04b9237115e

    SHA256

    7d73cfd36bd05f7176bf2f3518d0f5a32c5823cebd0e4bef19e92eded6369b36

    SHA512

    2eb0cc25393510b886661c99ffbf1d61939c105546d4ebc105aa3de88f5c16f3a7fd2ad6073b819c7be660f607c13d77d7656d15ae98cfc68f8d2a7fbd9745e4

    Download Submit

  • /data/data/com.jbtifafwc.twzgptlfx/cache/classes.dex
    Filesize

    1.0MB

    MD5

    a05ac6dfc2b6cb301327989f165526db

    SHA1

    d5dc7e537693fc95a0330cfcb41ddb95779a689f

    SHA256

    d88c1fca75226169d075fc3809f83919e9e5b11f3b2240c7c6a8e15f5ad462d5

    SHA512

    ed9fa84c5d6a696662f2f2d9ba87d6927f9bed95bcce3c4ca8e3c9eff60812ac6b8248b2c860c84d73036de19591cdba445b3bdb7e0cc4330c9956042bf91add

    Download Submit

  • /data/data/com.jbtifafwc.twzgptlfx/cache/classes.zip
    Filesize

    1.0MB

    MD5

    3800f20d5c723cc56254e06f65bcfa90

    SHA1

    7ed1b80fcd059b740b77a8cf83929527fdc94b0b

    SHA256

    f4d075eed2ec15216f817781caef50840ffdcd0290557d56b92187be49feea5c

    SHA512

    58d06d3cb25b778d4b6d6fe2ce876c9b2fe7a62001718fbb87737dca52aa0b8369ae52799f38c1878396bb3d29e27e0a0a51a2668fe1d824617dd79dfbc27f7c

    Download Submit

  • /data/data/com.jbtifafwc.twzgptlfx/no_backup/androidx.work.workdb
    Filesize

    4KB

    MD5

    7e858c4054eb00fcddc653a04e5cd1c6

    SHA1

    2e056bf31a8d78df136f02a62afeeca77f4faccf

    SHA256

    9010186c5c083155a45673017d1e31c2a178e63cc15a57bbffde4d1956a23dad

    SHA512

    d0c7a120940c8e637d5566ef179d01eff88a2c2650afda69ad2a46aad76533eaace192028bba3d60407b4e34a950e7560f95d9f9b8eebe361ef62897d88b30cb

    Download Submit

  • /data/data/com.jbtifafwc.twzgptlfx/no_backup/androidx.work.workdb-journal
    Filesize

    512B

    MD5

    df6341936681ea27af04128e14363c8d

    SHA1

    8efba1d3c541765eab383a0fcc71c97578bd0b9b

    SHA256

    90020915dc0cf43a06554e796b51e60cfd813cde7b32e17c2d323804776be1ff

    SHA512

    ea6238efe49f90dbad73b2396417ed388ba76640bb2129dfa1784d214f6e557248e3350f156ad24ba53a5462adac015b28c8c6bc269927a691df3d9d60474ec9

    Download Submit

  • /data/data/com.jbtifafwc.twzgptlfx/no_backup/androidx.work.workdb-shm
    Filesize

    32KB

    MD5

    bb7df04e1b0a2570657527a7e108ae23

    SHA1

    5188431849b4613152fd7bdba6a3ff0a4fd6424b

    SHA256

    c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

    SHA512

    768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

    Download Submit

  • /data/data/com.jbtifafwc.twzgptlfx/no_backup/androidx.work.workdb-wal
    Filesize

    16KB

    MD5

    aaf352e4fb661561e01bbfcda7939853

    SHA1

    0e20fda5bfda0a08718a7d5c8b301a4abd078ff8

    SHA256

    cf5e52ef43c2009baaf55da7b43e75e4f2b09f14ceea32c3b6655e5d8bfcfc4a

    SHA512

    636cfc285e4a0dd99e822d92bb1923928175ef83dd4fd8adb1a0a05536fc7992fcea36493631b56a32f5dd0c78d9a383362e6ee22757182943333260734a5c38

    Download Submit

  • /data/data/com.jbtifafwc.twzgptlfx/no_backup/androidx.work.workdb-wal
    Filesize

    108KB

    MD5

    3381575fa3c3b103be25448a57442a26

    SHA1

    3fabd24c48fbeb7aed475135e7b7953f06e76562

    SHA256

    b7feee6c94cb063bf997ab27024be41d98a45ac696c47352f410ab6ee1c5c1ac

    SHA512

    4edb8df47cfa6a6740d68d4e39238b733cf694eada1e1d0fada14b83e849be52e2ec617ba56bb3a7825245ba5d03ac0f17846f671134a40fe0c815d0b1567067

    Download Submit

  • /data/data/com.jbtifafwc.twzgptlfx/no_backup/androidx.work.workdb-wal
    Filesize

    173KB

    MD5

    2263a31b5dc8fd86e7699e3c7af77ae6

    SHA1

    5b7dfd5d8d08a48f811a758cc6344680e0173490

    SHA256

    53815eff1ed35968151700e0ddc34393dc51e9a0598eafd586b2ade4a9426b80

    SHA512

    d523ac3d0c7bc10d7a7d84acda0a6982d480b067faa031d5d4e2740c7016452e16d87a5846307b6cdc1e87b83e3ee4b850d1b0e810639033ca97b9f3521dcd5d

    Download Submit