Overview

overview

10

Static

static

6

35dc83b868...ac.apk

android-9-x86

10

35dc83b868...ac.apk

android-10-x64

10

35dc83b868...ac.apk

android-11-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    155s
  • platform
    android_x64
  • resource
    android-x64-arm64-20240624-en
  • resource tags

    androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240624-enlocale:en-usos:android-11-x64system
  • submitted
    11/11/2024, 22:02

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    35dc83b868ede705f2095db3bb162d07d452fb54b34881613e2eeda988a175ac.apk

  • Size

    4.2MB

  • MD5

    d747554f5c988cfd287aa604e9522557

  • SHA1

    9f7db7025e897288e1b50951ba0a94afb4ebac5a

  • SHA256

    35dc83b868ede705f2095db3bb162d07d452fb54b34881613e2eeda988a175ac

  • SHA512

    84fe8acdef749427cb50292dce6b49b3f93a3195e88fe98ff2d37e2664a26eeb66cdfb9ddd5ac843956d94c38191a398ac48f6a24f18ec74ae6a06fe05ac288c

  • SSDEEP

    98304:zYQ1H4bS8Dd1eojQhDxDKCCY/SresT8qWGpOVXMGnDa+xFE25:cQGbBd1eo+8JSSresT8kum+J5

Score
10/10
hookcollectioncredential_accessdiscoveryevasionexecutionimpactinfostealerpersistencerattrojan

Malware Config

Extracted

Family

hook

C2

http://94.141.120.170

DES_key
AES_key

Signatures

  • Hook

    Hook is an Android malware that is based on Ermac with RAT capabilities.

    rattrojaninfostealerhook
  • Hook family
    hook
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasioncredential_access
  • Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

    Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

    collectioncredential_accessimpact
  • Queries information about running processes on the device 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about running processes on the device.

    discovery
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    evasionpersistence
  • Performs UI accessibility actions on behalf of the user 1 TTPs 5 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

    discovery
  • Reads information about phone network operator. 1 TTPs
    discovery
  • Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

    executionpersistence
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
    impact
  • Checks CPU information 2 TTPs 1 IoCs
  • Checks memory information 2 TTPs 1 IoCs

Processes

  • com.rhdjqosmq.fgclvszcs
    1⤵
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Obtains sensitive information copied to the device clipboard
    • Queries information about running processes on the device
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries information about the current Wi-Fi connection
    • Schedules tasks to execute at a specified time
    • Uses Crypto APIs (Might try to encrypt user data)
    • Checks CPU information
    • Checks memory information
    PID:4450

Network

        MITRE ATT&CK Mobile v15

        Initial Access

        Execution

        Scheduled Task/Job

        1
        T1603

        Persistence

        Foreground Persistence

        1
        T1541

        Scheduled Task/Job

        1
        T1603

        Privilege Escalation

        Defense Evasion

        Download New Code at Runtime

        1
        T1407

        Foreground Persistence

        1
        T1541

        Impair Defenses

        1
        T1629

        Prevent Application Removal

        1
        T1629.001

        Input Injection

        1
        T1516

        Virtualization/Sandbox Evasion

        2
        T1633

        System Checks

        2
        T1633.001

        Credential Access

        Clipboard Data

        1
        T1414

        Input Capture

        2
        T1417

        GUI Input Capture

        1
        T1417.002

        Keylogging

        1
        T1417.001

        Discovery

        Process Discovery

        1
        T1424

        System Information Discovery

        2
        T1426

        System Network Configuration Discovery

        2
        T1422

        System Network Connections Discovery

        1
        T1421

        Lateral Movement

        Collection

        Clipboard Data

        1
        T1414

        Input Capture

        2
        T1417

        GUI Input Capture

        1
        T1417.002

        Keylogging

        1
        T1417.001

        Screen Capture

        1
        T1513

        Command and Control

        Exfiltration

        Impact

        Data Encrypted for Impact

        1
        T1471

        Data Manipulation

        1
        T1641

        Transmitted Data Manipulation

        1
        T1641.001

        Input Injection

        1
        T1516

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • /data/data/com.rhdjqosmq.fgclvszcs/app_dex/classes.dex
          Filesize

          2.9MB

          MD5

          ae49661c19512148f67f24ad37a69082

          SHA1

          d1f6ea727f651ff74cc8b4a2b2382778c343c1e3

          SHA256

          b829b24787b06dad1cc66f00f33401ba4a465e33d61421768248895f50521eee

          SHA512

          955d915503f43754701c76ebf4e1c1a2d2fb4e7f84b3a53634f155245b48810cb6d951c4a27505e5b7121296c3807aab553450a478ac9f63f7061577562d067c

          Download Submit

        • /data/data/com.rhdjqosmq.fgclvszcs/cache/classes.dex
          Filesize

          1.0MB

          MD5

          cca51404679594decb0ec5566926acaa

          SHA1

          94fc646b1047f3600a052f8c9fccae9bd1281328

          SHA256

          e1db066416428fd12ec1a0e321983b1188986664ede9e9da1026d28efae9c2e1

          SHA512

          ee286a72ae8661e4b759be6a9fb234017376866e38da15acdfb57f4c334bfa951bb433657921eb72f2c116e80df435559c4bbd4c8e36261e5d25d6b2ac99d8bf

          Download Submit

        • /data/data/com.rhdjqosmq.fgclvszcs/cache/classes.zip
          Filesize

          1.0MB

          MD5

          0cfb10c2a0d208fa6b97f8353ce971fa

          SHA1

          cc527ad24dd6ebdc9ed367d0e9634da47fc99723

          SHA256

          be106a291296756b977b04cb550a0dc85c7475249ed303c6da4977928411f47a

          SHA512

          11d5dfcf0ff0e17c773195ae0202c8764d9d1be101511a86b21b24f097060fff3249b856c1ad76e6e8383337e7d32245fc7def8b7799e132c8fbfc0446eafbd1

          Download Submit

        • /data/data/com.rhdjqosmq.fgclvszcs/no_backup/androidx.work.workdb
          Filesize

          4KB

          MD5

          7e858c4054eb00fcddc653a04e5cd1c6

          SHA1

          2e056bf31a8d78df136f02a62afeeca77f4faccf

          SHA256

          9010186c5c083155a45673017d1e31c2a178e63cc15a57bbffde4d1956a23dad

          SHA512

          d0c7a120940c8e637d5566ef179d01eff88a2c2650afda69ad2a46aad76533eaace192028bba3d60407b4e34a950e7560f95d9f9b8eebe361ef62897d88b30cb

          Download Submit

        • /data/data/com.rhdjqosmq.fgclvszcs/no_backup/androidx.work.workdb-journal
          Filesize

          512B

          MD5

          fd917688de3ab9ec48e23ef458325f8c

          SHA1

          f394c78d58f1925d44c99ee567bb124f1d007b00

          SHA256

          69957ad3ec2de087312daab3202eb0f5aab449b9eb3919cf8a4e7ccd2d61ce31

          SHA512

          5a9c2b0969572f6ea78699d706b2390b858c74b9916b2eb3eee9deea2a38c92c041cf2ab47b2ffad968ade873dac223dffd0df93768df40b6555ea13207a62b7

          Download Submit

        • /data/data/com.rhdjqosmq.fgclvszcs/no_backup/androidx.work.workdb-shm
          Filesize

          32KB

          MD5

          bb7df04e1b0a2570657527a7e108ae23

          SHA1

          5188431849b4613152fd7bdba6a3ff0a4fd6424b

          SHA256

          c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

          SHA512

          768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

          Download Submit

        • /data/data/com.rhdjqosmq.fgclvszcs/no_backup/androidx.work.workdb-wal
          Filesize

          16KB

          MD5

          799adca96ef87dde57f76562d0b66623

          SHA1

          190ace3a863d9636b9003d36c17d5e0f7cf70fdc

          SHA256

          bab9c78f27445f805ed9b9a8b602c2c33eb8f994f0885d3584986b346b8d1241

          SHA512

          bedb92e9dcfe3df4079b939f0d3f988310e1a829cdd491c1e7b76bfbfc1a5fbba1c63066b4b93bda52ea49ad86e7646e5ff286907ba5c01cabe532550166bdcf

          Download Submit

        • /data/data/com.rhdjqosmq.fgclvszcs/no_backup/androidx.work.workdb-wal
          Filesize

          108KB

          MD5

          957215e11731612868bca1c9f31557c8

          SHA1

          a25a112a010e4f878e6776b080062a1e7a826d79

          SHA256

          10a2699d64e04a4237c664242ccdde5361707b9e4ae67804b7f2b42db5c44715

          SHA512

          30f71fc08d29e3d0a3ac54e385c0190ed6e91967d966420cb77421ece9027fff618c46ad45f8a894fb0bf2f52d59e1f6c29cbb75e39b861c05e476017bdbd2bc

          Download Submit

        • /data/data/com.rhdjqosmq.fgclvszcs/no_backup/androidx.work.workdb-wal
          Filesize

          173KB

          MD5

          c19d3d976ef49c63fae0f3a19c45bb5b

          SHA1

          4d7c0d59efda1a7337417f2d2304202dec4a5bd6

          SHA256

          06e7ce985e507afd9288a11e953daa0698bb0c67ad71be239f52514b3741c7d0

          SHA512

          0fb1b472ed5c3a9657e14035499000b183765329bbf21883c587542f4208f56cf707c88b45b5ebbc3398bb83ed46bc05e342a2414d4e7ea640e8ecd5ada7f294

          Download Submit