Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    android-10_x64
  • resource
    android-x64-20240910-en
  • resource tags

    arch:x64, arch:x86, image:android-x64-20240910-en, locale:en-us, os:android-10-x64, system
  • submitted
    22-10-2024 22:10

General

  • Target: 324bd98cbb87e9cb9223a0fd77b20c165d1730040adb71ed02c6fbacc284624c.apk
  • Size: 1.9MB
  • MD5: 9929f0608da6542b836db3144ba14751
  • SHA1: e54f820a36607eaadfed39c7c413608be689bd15
  • SHA256: 324bd98cbb87e9cb9223a0fd77b20c165d1730040adb71ed02c6fbacc284624c
  • SHA512: f43334f12f8fd918a08da575e7482daa72cf1fbbd007d2394f5436da0f4098ad14e23e783dfca94180d6d25ebf926e5da8aba42d4246a3bcc9ec2f958471f480
  • SSDEEP: 24576:9fA4p9YH6AwocbmFp7o5xIL2Lq70EWJIP5mdZS1mtxMr6e1l+wCKK9ye47g8IH:K4E9Yxjbpe1o/z47g8W

Malware Config

Extracted

  • Family: hook
  • C2: http://

Signatures

  • Hook

    Hook is an Android malware that is based on Ermac with RAT capabilities.

  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
  • Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries information about running processes on the device 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about running processes on the device.

  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Performs UI accessibility actions on behalf of the user 1 TTPs 10 IoCs

    Application may abuse the accessibility service to prevent its removal.

  • Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

  • Reads information about the phone network operator 1 TTPs
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
  • Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

Processes

  • com.rOvbzVbGcmRj.HHyPcHFZfqTp
    1⤵
    • Removes its main activity from the application launcher
    • Makes use of the framework's Accessibility service
    • Queries information about running processes on the device
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries information about the current Wi-Fi connection
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Schedules tasks to execute at a specified time
    PID: 5240

Network

MITRE ATT&CK Mobile v15

Downloads

  • /data/data/com.rOvbzVbGcmRj.HHyPcHFZfqTp/no_backup/androidx.work.workdb
    Filesize: 4KB
    MD5: f2b4b0190b9f384ca885f0c8c9b14700
    SHA1: 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
    SHA256: 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
    SHA512: ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

  • /data/data/com.rOvbzVbGcmRj.HHyPcHFZfqTp/no_backup/androidx.work.workdb-journal
    Filesize: 512B
    MD5: 55734ef0b937b0e0ca3b0e6f3b1bf3cd
    SHA1: d78272ddd41a7843ac7a920ed7dee598c503df16
    SHA256: 0bd27c6c18381cfeb8dcd835f3d6fbf400f6d8e3a4a1da9860158edaa6b69383
    SHA512: 0be02a09da9bca7422731cfaef218a0f146f400f7b8f55ccf47bc7eccbb86dd72c268bc6de9eb14c94fbc11ccf3015e34eb8dffe4604634d344f3526807ad91f

  • /data/data/com.rOvbzVbGcmRj.HHyPcHFZfqTp/no_backup/androidx.work.workdb-shm
    Filesize: 32KB
    MD5: bb7df04e1b0a2570657527a7e108ae23
    SHA1: 5188431849b4613152fd7bdba6a3ff0a4fd6424b
    SHA256: c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
    SHA512: 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

  • /data/data/com.rOvbzVbGcmRj.HHyPcHFZfqTp/no_backup/androidx.work.workdb-wal
    Filesize: 16KB
    MD5: 732039df672c4bfa8d229e392e7018c2
    SHA1: c27024e61836eeeeb7e99b8d92de956a69cf8a4b
    SHA256: 0c6902ac884c93778e27cb49898eaa91abfc748fe6a6836340b454a070a94857
    SHA512: 6b93338fc769bde223a15a7794e1f878c53bc0e619b7c7c2419e82929b853795fd5a45a88098905456b9b97908e4353130bd24b890984ad635c74792dbb8bc4e

  • /data/data/com.rOvbzVbGcmRj.HHyPcHFZfqTp/no_backup/androidx.work.workdb-wal
    Filesize: 108KB
    MD5: b8b63364370f8fadf575ffcf6e4f5b4e
    SHA1: 4779b9459fd7b18c4f87818dce8216f7b9e492ac
    SHA256: 4de2e2bfc467eb25e445289833241d8e66a57bd3b75e797ba545fa14e4c229f4
    SHA512: fed4d1d5136f4363e5d5f863540271531336025e4cfbb1c51589277940cb02d6b315c704989a1e83e512109c17a4e2ca4f0433e9899674598500ae7ae8321b90

  • /data/data/com.rOvbzVbGcmRj.HHyPcHFZfqTp/no_backup/androidx.work.workdb-wal
    Filesize: 173KB
    MD5: cc8cc61f319a683f6a539ed7c907e460
    SHA1: 9a7cbc680d1fd3b923ad9a50887a4b7c81875635
    SHA256: 9d6369d09bdc6ea82a7ce8ae7767b2a4870c8ebc5101780e827935c2a49c4afe
    SHA512: d2b2d7ddac079182a55f2af6ee46d55a25256841016dc58f5a31a3f8c13907cc2bdd54397ccb8099e2553d81711dd15f3c9cb6d5a10f209de87b00a51b8e78ee