General

  • Target

    8bddf2344ed43f36c39ff4d3f7895884b6fd0fb2f2772f3899f59d775c93507d.bin

  • Size

    1.3MB

  • Sample

    241117-13xt6atqgp

  • MD5

    1ddfdb871efaa80ce16f786fbd9de2bb

  • SHA1

    855cd7ecdaf888aa9536113c3c61c7c480abd85d

  • SHA256

    8bddf2344ed43f36c39ff4d3f7895884b6fd0fb2f2772f3899f59d775c93507d

  • SHA512

    1a5b8735888ed27e0f2f224fed7aa7d9bc84f9f0ac90a7755c149ae3465325a92101fb3118ab2f2464ff68ea879e4ab995177062bc92a5c4503e1bbe51d66b3d

  • SSDEEP

    24576:e4DgSy1/A8ZN4v77B8dMAhMwIQF4zaXdgdCbvIK/it7acAYf:e4DgS6UC5lSJMbwig7OYf

Malware Config

Extracted

Family

hook

C2

http://154.216.17.184

AES_key

Targets

    • Hook

      Hook is an Android malware family based on Ermac, with RAT (remote access) capabilities.

    • Hook family

    • Makes use of the framework's Accessibility service

      Retrieves information displayed on the phone screen using AccessibilityService.

    • Obtains sensitive information copied to the device clipboard

      Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

    • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

    • Queries information about running processes on the device

      Application may abuse the framework's APIs to collect information about running processes on the device.

    • Queries the phone number (MSISDN for GSM devices)

    • Acquires the wake lock

    • Makes use of the framework's foreground persistence service

      Application may abuse the framework's foreground service to continue running in the foreground.

    • Performs UI accessibility actions on behalf of the user

      Application may abuse the accessibility service to prevent its own removal.

    • Queries information about the current Wi-Fi connection

      Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

    • Queries the mobile country code (MCC)

    • Reads information about the phone network operator

    • Requests access to notifications (often used to intercept notifications before users become aware of them)

MITRE ATT&CK Mobile v15

Tasks