Overview

overview

10

Static

static

6

03a9af0671...82.apk

android-9-x86

10

03a9af0671...82.apk

android-10-x64

7

03a9af0671...82.apk

android-11-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    159s
  • platform
    android_x86
  • resource
    android-x86-arm-20240624-en
  • resource tags

    androidarch:armarch:x86image:android-x86-arm-20240624-enlocale:en-usos:android-9-x86system
  • submitted
    29-10-2024 22:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    03a9af067118dc7c5d9df9f0cf669f2f92f7722063afa7a51580e35702d86182.apk

  • Size

    4.0MB

  • MD5

    cf0083caba824a7d09686e4257ecedae

  • SHA1

    aaba79566f991dac52008c46c2c4949acd71f781

  • SHA256

    03a9af067118dc7c5d9df9f0cf669f2f92f7722063afa7a51580e35702d86182

  • SHA512

    2154574a5679b9e9f23aa6efb3ffabd4060df14ade2ade42342d6cb63a8b3a425de72245dde4a497d6b5b9492ca7d9d984c8c21c59a4a7174375f9855bad1961

  • SSDEEP

    98304:GFnW/CGiMLz5ECkw7gO7/0ymv1rgaJWiSDwhUq4+hfBi:+iLVEoz/Mv1ca4lwhA+hg

Score
10/10
hookbankercollectioncredential_accessdiscoveryevasionexecutionimpactinfostealerpersistencerattrojan

Malware Config

Extracted

Family

hook

C2

http://193.143.1.24

DES_key
AES_key

Signatures

  • Hook

    Hook is an Android malware that is based on Ermac with RAT capabilities.

    rattrojaninfostealerhook
  • Hook family
    hook
  • Loads dropped Dex/Jar 1 TTPs 3 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasioncredential_access
  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
    bankerdiscovery
  • Queries information about running processes on the device 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about running processes on the device.

    discovery
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    evasionpersistence
  • Performs UI accessibility actions on behalf of the user 1 TTPs 5 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

    discovery
  • Reads information about phone network operator. 1 TTPs
    discovery
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
    evasion
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
    persistence
  • Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

    executionpersistence
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
    impact

Processes

  • com.krhizmubn.uunuofzil
    1⤵
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Queries information about running processes on the device
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries information about the current Wi-Fi connection
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Schedules tasks to execute at a specified time
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4278
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.krhizmubn.uunuofzil/app_dex/classes.dex --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.krhizmubn.uunuofzil/app_dex/oat/x86/classes.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4309

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

1
T1603

Persistence

Event Triggered Execution

1
T1624

Broadcast Receivers

1
T1624.001

Foreground Persistence

1
T1541

Scheduled Task/Job

1
T1603

Privilege Escalation

Defense Evasion

Download New Code at Runtime

1
T1407

Foreground Persistence

1
T1541

Hide Artifacts

1
T1628

User Evasion

1
T1628.002

Impair Defenses

1
T1629

Prevent Application Removal

1
T1629.001

Input Injection

1
T1516

Credential Access

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Discovery

Process Discovery

1
T1424

Software Discovery

1
T1418

Security Software Discovery

1
T1418.001

System Network Configuration Discovery

2
T1422

System Network Connections Discovery

1
T1421

Lateral Movement

Collection

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Screen Capture

1
T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

1
T1471

Input Injection

1
T1516

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/com.krhizmubn.uunuofzil/app_dex/classes.dex
    Filesize

    2.9MB

    MD5

    f1a48d7ecca85b7082923faebcb751dd

    SHA1

    32ae30387a0f21b0d2807352a3004b7466bfba7f

    SHA256

    6d1cd1b0ef318d9fca619ede30c2357e9225262c2707e8599c27239df2617af1

    SHA512

    8622ae5d65bd4dfc6be7ce2969cb17660b70e8ee64c470e467f945697f766caa7a1fa9ac173058dc24631389bce779d1b5d150b6c75b1bcc0fec0df56afcee2e

    Download Submit

  • /data/data/com.krhizmubn.uunuofzil/cache/classes.dex
    Filesize

    1.0MB

    MD5

    f256da0b63ad75ce9f41a64239dac69d

    SHA1

    17658fb19c05552bba53fae94261dcaac19b4dfb

    SHA256

    291350d7b29a9c2bf8777f131e48c68f8f14f8725112849990c554f0c6e8a776

    SHA512

    3627cf64ff122e292002cbc10abfd508ca435f37504aae9999cac905b8b72ada64739aee1fecd32dbf8c7bef9d82699ba6d64cc55d83f6e3cf87e933942e2f62

    Download Submit

  • /data/data/com.krhizmubn.uunuofzil/cache/classes.zip
    Filesize

    1.0MB

    MD5

    541182d66aab841aac1445942870214d

    SHA1

    2d6c765ca777527a4c9b6c6c9e44317656c0c054

    SHA256

    19fd41d28d352bed10bbb997b5c2752d0f9def1036d5b12394fb189e0b6c22cd

    SHA512

    274719d79501d7e1a83f77ab1b85dd850be785db73435982897085f5f0e9864406dc9d24e014cd2379cc31a3df708d7b2acf243075ef4eb9696aa41b838277f4

    Download Submit

  • /data/data/com.krhizmubn.uunuofzil/no_backup/androidx.work.workdb
    Filesize

    4KB

    MD5

    f2b4b0190b9f384ca885f0c8c9b14700

    SHA1

    934ff2646757b5b6e7f20f6a0aa76c7f995d9361

    SHA256

    0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

    SHA512

    ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

    Download Submit

  • /data/data/com.krhizmubn.uunuofzil/no_backup/androidx.work.workdb-journal
    Filesize

    512B

    MD5

    577e9da6d75b1e87088670bde04ec808

    SHA1

    269f7433388d867eec76a0acdb185c5a993c3bdf

    SHA256

    bba27e537ad4a1b3e707302e0d3e59053bc6ac1aa9af5e824a23315230c13c2e

    SHA512

    8377529323eb0878e7288857e0d4ceb6e891a8fe99e5e93110a8726a97aa1ae4c091e513f0426727ba4fb70fbe966a87dd9889aefd231aafc899c0279d589948

    Download Submit

  • /data/data/com.krhizmubn.uunuofzil/no_backup/androidx.work.workdb-shm
    Filesize

    32KB

    MD5

    bb7df04e1b0a2570657527a7e108ae23

    SHA1

    5188431849b4613152fd7bdba6a3ff0a4fd6424b

    SHA256

    c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

    SHA512

    768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

    Download Submit

  • /data/data/com.krhizmubn.uunuofzil/no_backup/androidx.work.workdb-wal
    Filesize

    108KB

    MD5

    60a609a8dc1ac5e9903831fca234cfd6

    SHA1

    35c90b446f8745a43a324c336603836c25b99e4c

    SHA256

    62c5db0104dad592897ff0b0ea7b82c1ee872f66ec2bdc55d29975ff4812cc53

    SHA512

    16f52295bd268a20c2f24bacded73b0c2171847764608b481d6e06c4ff2ad35975a2e696936bbc9b6f569c758b4b352665cf8d34e0599011b42baa8b6fa5ba00

    Download Submit

  • /data/data/com.krhizmubn.uunuofzil/no_backup/androidx.work.workdb-wal
    Filesize

    173KB

    MD5

    a7c1bc72279e5dac82b5eb6a4548aad2

    SHA1

    57cf9e93b5eebdb65eee65ed2b4fd684346d9bb8

    SHA256

    6beae56f63a476eda8188f698cdc777c78eb84dd7b3b0ceaf7f1f3ae073331e6

    SHA512

    0bedd6225b0034d4f7465944e7cc3f5d3c1307ae59790b000f7489777a8db3013d39273bc254f729fd0da8dee496ade6c36eec58b3203b54bc63851ffe2b12eb

    Download Submit

  • /data/data/com.krhizmubn.uunuofzil/no_backup/androidx.work.workdb-wal
    Filesize

    16KB

    MD5

    f0790a46476ad1fb019171d92aef88a8

    SHA1

    91e814f7f4d73ca98c3a9d3cfcf29bebccaf773c

    SHA256

    feb25d0e18e061a1a97ee329028a4513625d36eee9fea61661f54b1dcb3eeab2

    SHA512

    2c325d0731440ba1489481b12276fc1e22bab82b21c5969a962923b581be76b8ce0360cc0ff028ffa5ec4e16a673b0e0c43558d1cd2dc4a4a357e42bee199ca7

    Download Submit

  • /data/user/0/com.krhizmubn.uunuofzil/app_dex/classes.dex
    Filesize

    2.9MB

    MD5

    3336c6dd4a9eace9c994a68724284653

    SHA1

    584e19a28860e1d1b5033b279e527de648454996

    SHA256

    9b3f12f0b3cbee0f6ef8df3903ce4e46fa98de68f0661194ee71fcc652127ea6

    SHA512

    aa5ae3dc1c737185a7dc6c5276141b21e77be26eedfee70a433d891e423eba8765917217dab3508368e7f86ecb562ce490ee945262804d1321415ff621b5e738

    Download Submit