Overview

overview

10

Static

static

6

c8200eaad4...5f.apk

android-9-x86

10

c8200eaad4...5f.apk

android-10-x64

10

c8200eaad4...5f.apk

android-11-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    158s
  • platform
    android_x86
  • resource
    android-x86-arm-20240624-en
  • resource tags

    androidarch:armarch:x86image:android-x86-arm-20240624-enlocale:en-usos:android-9-x86system
  • submitted
    05/11/2024, 22:14

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    c8200eaad4e13d3d7c35eeb2ac54e7e89a39b38891a1a345a740f5b533eb925f.apk

  • Size

    4.2MB

  • MD5

    e09f806e15f3cd41dde1a382b2c00933

  • SHA1

    814c126bd525ad32e5d2f4b3e89e204fe58b36a2

  • SHA256

    c8200eaad4e13d3d7c35eeb2ac54e7e89a39b38891a1a345a740f5b533eb925f

  • SHA512

    0bf79e20533833569449411703ed0c9d22c5ca004450e9434900c6b06df6485825fbd5c46c2a35f9abbb20ca32a292249ede23d7b43596048bed99259ffb6dbf

  • SSDEEP

    98304:k54Oy6Z/5P8molTjcJSoq0RteIpjBCzX1CQIa6Q9QXGOhPwREEgcSRW:i4p6Z5QTjcJSweIpjBCb1Cab90foREEn

Score
10/10
hookbankercollectioncredential_accessdiscoveryevasionexecutionimpactinfostealerpersistencerattrojan

Malware Config

Extracted

Family

hook

C2

http://94.141.120.170

DES_key
AES_key

Signatures

  • Hook

    Hook is an Android malware that is based on Ermac with RAT capabilities.

    rattrojaninfostealerhook
  • Hook family
    hook
  • Loads dropped Dex/Jar 1 TTPs 3 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasioncredential_access
  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
    bankerdiscovery
  • Queries information about running processes on the device 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about running processes on the device.

    discovery
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    evasionpersistence
  • Performs UI accessibility actions on behalf of the user 1 TTPs 5 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

    discovery
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
    discovery
  • Reads information about phone network operator. 1 TTPs
    discovery
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
    collectioncredential_access
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
    persistence
  • Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

    executionpersistence
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
    impact
  • Checks CPU information 2 TTPs 1 IoCs
  • Checks memory information 2 TTPs 1 IoCs

Processes

  • com.ybrgnfcjj.xohwzaamj
    1⤵
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Queries information about running processes on the device
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries information about the current Wi-Fi connection
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Schedules tasks to execute at a specified time
    • Uses Crypto APIs (Might try to encrypt user data)
    • Checks CPU information
    • Checks memory information
    PID:4246
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.ybrgnfcjj.xohwzaamj/app_dex/classes.dex --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.ybrgnfcjj.xohwzaamj/app_dex/oat/x86/classes.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4274

Network

        MITRE ATT&CK Mobile v15

        Initial Access

        Execution

        Scheduled Task/Job

        1
        T1603

        Persistence

        Event Triggered Execution

        1
        T1624

        Broadcast Receivers

        1
        T1624.001

        Foreground Persistence

        1
        T1541

        Scheduled Task/Job

        1
        T1603

        Privilege Escalation

        Defense Evasion

        Download New Code at Runtime

        1
        T1407

        Foreground Persistence

        1
        T1541

        Impair Defenses

        1
        T1629

        Prevent Application Removal

        1
        T1629.001

        Input Injection

        1
        T1516

        Virtualization/Sandbox Evasion

        2
        T1633

        System Checks

        2
        T1633.001

        Credential Access

        Access Notifications

        1
        T1517

        Input Capture

        2
        T1417

        GUI Input Capture

        1
        T1417.002

        Keylogging

        1
        T1417.001

        Discovery

        Process Discovery

        1
        T1424

        Software Discovery

        1
        T1418

        Security Software Discovery

        1
        T1418.001

        System Information Discovery

        2
        T1426

        System Network Configuration Discovery

        3
        T1422

        System Network Connections Discovery

        1
        T1421

        Lateral Movement

        Collection

        Access Notifications

        1
        T1517

        Input Capture

        2
        T1417

        GUI Input Capture

        1
        T1417.002

        Keylogging

        1
        T1417.001

        Screen Capture

        1
        T1513

        Command and Control

        Exfiltration

        Impact

        Data Encrypted for Impact

        1
        T1471

        Input Injection

        1
        T1516

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • /data/data/com.ybrgnfcjj.xohwzaamj/app_dex/classes.dex
          Filesize

          2.9MB

          MD5

          982df7bc074ef36d309a6468bd0b3e1c

          SHA1

          e836a2e3c54ffdb06375e1e0d83c4d33965c6386

          SHA256

          17a2fc279da43a9fe3bd0131251c45dd8ee26bae1fbb7180024ca2654b627d55

          SHA512

          bc6218499157c0075e4c5547572d22630a672a0d5c1b53b063c635c51e3d94f50b034940ede1ab5562388e974f9a131532a2f1706d6f9e25d3b28e7861feadc9

          Download Submit

        • /data/data/com.ybrgnfcjj.xohwzaamj/cache/classes.dex
          Filesize

          1.0MB

          MD5

          66c30f2f15865d98548b1b246f9e8ff3

          SHA1

          2f26780fa1087c8a9e0f374cd6c3f67dff327b0a

          SHA256

          2525dc01a4d4af6fba997344df5d63bb3db4dcbbb72fba245657794122a4c1db

          SHA512

          0a375dbc8ec63bfb60b4b2d7e0e4a0cf36bdcac07a2a1aeb43e2f5d278495409b6a4881921161e350385ad2af683b937ab9aebe154b140b7c9ce69f73f8d5017

          Download Submit

        • /data/data/com.ybrgnfcjj.xohwzaamj/cache/classes.zip
          Filesize

          1.0MB

          MD5

          5112b5fdce794f97fe3a76f036516067

          SHA1

          c6238df555b5d0963077aab53a4076f16588a147

          SHA256

          3edf63903f9e93172685ae686abea3d6060167358c59c368829fcc8270b58172

          SHA512

          07e2de19c2a4cc12883dd777df9d58ee9fd2a0e234468ed42ec9f7f89f635587e0a58e3fe348296beb2976d009f24100cc8c714a7844f3ae938b5b1381e82348

          Download Submit

        • /data/data/com.ybrgnfcjj.xohwzaamj/no_backup/androidx.work.workdb
          Filesize

          4KB

          MD5

          f2b4b0190b9f384ca885f0c8c9b14700

          SHA1

          934ff2646757b5b6e7f20f6a0aa76c7f995d9361

          SHA256

          0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

          SHA512

          ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

          Download Submit

        • /data/data/com.ybrgnfcjj.xohwzaamj/no_backup/androidx.work.workdb-journal
          Filesize

          512B

          MD5

          54ed3aecdf278f77312c6f2f09d119e9

          SHA1

          7e827b26a43bd28df59dbd54818f2537b8278080

          SHA256

          53824bd630c354772b76ee8407f643f873a31dbcda68d5979bd4f2868751b094

          SHA512

          08f8416d53dac9fa16f97483e65b800801094fb87b86216f3827555a0c7d7dc30ed5f0cc4a8f517769c91378052ff3053f776a8cac01d4ddcf635fdf00dad49e

          Download Submit

        • /data/data/com.ybrgnfcjj.xohwzaamj/no_backup/androidx.work.workdb-shm
          Filesize

          32KB

          MD5

          bb7df04e1b0a2570657527a7e108ae23

          SHA1

          5188431849b4613152fd7bdba6a3ff0a4fd6424b

          SHA256

          c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

          SHA512

          768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

          Download Submit

        • /data/data/com.ybrgnfcjj.xohwzaamj/no_backup/androidx.work.workdb-wal
          Filesize

          108KB

          MD5

          d4d98640d908cffa16a5d36a34a8d486

          SHA1

          01722748eeb500f1ede1684448c5a9fd8ef188a7

          SHA256

          b93968facaf30e9af364cf3762643282f74ae802cfb384297542ea3a41ba0d35

          SHA512

          8f627ca51f837b815d9bf3320f6f4b655455cd18505615591701872e48648ed57b65a3ded3463f46925115bcc0b32e52dec6bd8a2491a14bf565659cb301c712

          Download Submit

        • /data/data/com.ybrgnfcjj.xohwzaamj/no_backup/androidx.work.workdb-wal
          Filesize

          173KB

          MD5

          fe86e1e149338aba4988083c2744d753

          SHA1

          fa472cae4d5be165148417a28182b9e13f8e1f83

          SHA256

          af8731d5db415f88e0bd67b79759b6cb243286e8af362529442247a1fd2b861c

          SHA512

          44ecc906cc25697cc6b4959562ccf7d2b22b38ccd62d5bc1bb8f176c82fb09cef23fc46085927ad290f4bd3b5b3a1334f9f380dcdd27a3001126c9aa0f697470

          Download Submit

        • /data/data/com.ybrgnfcjj.xohwzaamj/no_backup/androidx.work.workdb-wal
          Filesize

          16KB

          MD5

          77629a2736cf306fa417bc15eb49f023

          SHA1

          7b0a9e7b92c195d9d1273bc3ded6a6e7c87ebcfa

          SHA256

          194a72c22a9e7614422576b7886de016a4580953620046602e3fe650ab22ee34

          SHA512

          468d4e90cd8e82a45c917e446102acb7c84bd30ab8f066ef6a10c601686814f968ed0011b6a51511738f1bece388912babb7f6029c61cc1d3dd9e94e9458be04

          Download Submit

        • /data/user/0/com.ybrgnfcjj.xohwzaamj/app_dex/classes.dex
          Filesize

          2.9MB

          MD5

          0ebbc1466908a48b6c4d41a86c275514

          SHA1

          f8f8978711b40619569f93782af8020bcab49513

          SHA256

          8bf415c49773c6b0def022d8ba9b561c7dd9f135598af76656730fbaec99c88c

          SHA512

          76dba5edbbe1e9a762b1dfdde330b41161bb5df347142d91da773d31ca77bb3cef3271b553dedc6f59a6b9786e2242bd27fbeee05167f022b7218ff2ddbb6d63

          Download Submit