Analysis

  • max time kernel
    130s
  • max time network
    159s
  • platform
    android_x64
  • resource
    android-x64-arm64-20240624-en
  • resource tags

    android, arch:arm, arch:arm64, arch:x64, arch:x86, image:android-x64-arm64-20240624-en, locale:en-us, os:android-11-x64, system
  • submitted
    17-11-2024 22:01

General

  • Target

    a1cde728e002bea0c7a8ccbcdc768c07070595722586a96311cb8ee67c96541c.apk

  • Size

    4.5MB

  • MD5

    3a3b6b6addb9363d29d71f812a206edf

  • SHA1

    bc41f94bf099801f63ededa7cdc910d58f494611

  • SHA256

    a1cde728e002bea0c7a8ccbcdc768c07070595722586a96311cb8ee67c96541c

  • SHA512

    cf22aba65860af243eade0af31e31775307175693a01156f6a9bd07824c548a8a191d8ba56cf274521b43168b20309ffad479e4df3241af345c1142185d4a783

  • SSDEEP

    98304:N7siz9gQAT+2isbirbnlad66nAJ4m8Th6NPk1FEQMQdsV2L:xLza96MbwLN6nAOPTh6NQMim2L

Malware Config

Extracted

Family

hook

C2

http://154.216.17.184

DES_key
AES_key

Signatures

  • Hook

    Hook is Android malware based on Ermac, with RAT capabilities.

  • Hook family
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

    Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Queries information about running processes on the device 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about running processes on the device.

  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Performs UI accessibility actions on behalf of the user 1 TTPs 5 IoCs

    Application may abuse the accessibility service to prevent its removal.

  • Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Reads information about the phone network operator 1 TTPs
  • Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
  • Checks CPU information 2 TTPs 1 IoCs
  • Checks memory information 2 TTPs 1 IoCs

Processes

  • com.bitejkoup.ksmlommbb
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Obtains sensitive information copied to the device clipboard
    • Queries information about running processes on the device
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries information about the current Wi-Fi connection
    • Queries the mobile country code (MCC)
    • Schedules tasks to execute at a specified time
    • Uses Crypto APIs (Might try to encrypt user data)
    • Checks CPU information
    • Checks memory information
    PID:4516

Network

MITRE ATT&CK Mobile v15

Downloads

  • /data/data/com.bitejkoup.ksmlommbb/app_dex/classes.dex

    Filesize

    2.9MB

    MD5

    25c51549ad94398e5cc70218ff594d83

    SHA1

    e6b015de8602920cee2e6a061901cb383a4f430f

    SHA256

    3ae726c5690e141f75dc336fb1f3b406729c96d6c620ad32cc79a08f2a00e354

    SHA512

    8706c6882de933d94f7df7937f0e1049570d29b6b0e1e10b70fd3589fc429ad9546e816cc10c8e03ededc0f40828aaad7091f542280981c443f1708c9deaf173

  • /data/data/com.bitejkoup.ksmlommbb/cache/classes.dex

    Filesize

    1.0MB

    MD5

    4ce48ab27e54230b63b0612bf5cbb718

    SHA1

    6b564617f8f684a05dea4a33d2e83f8dad1e39a0

    SHA256

    3332c82cf7498d6c10b1d95b6239e71acfdd4aa9df5075b2b3a25dac4c372476

    SHA512

    cad2af7f81e2a6b2af5f6256996039516b6e089975f8be1609968ef1d24a581a83613def7cec9db32bf20354101b60939246ba930c6dd0a2580ba7c47427f5cf

  • /data/data/com.bitejkoup.ksmlommbb/cache/classes.zip

    Filesize

    1.0MB

    MD5

    6931b2ef642907d143d9bba65cb2982d

    SHA1

    3ad37de5876dc2e742b6d7d922efe6a6a4edafae

    SHA256

    03e611aaaa0dd48347ebcec30ef700feb81616eb1e51669ac12df786fb9b7564

    SHA512

    6579ca60f392fd4030ce160a94ce2410257ce1fe488df2bc34668e6f991347a12c8bed2d83f834b638be09bbe3f198c59bd549f20c2c7e3194fa2197952d3493

  • /data/data/com.bitejkoup.ksmlommbb/no_backup/androidx.work.workdb

    Filesize

    4KB

    MD5

    7e858c4054eb00fcddc653a04e5cd1c6

    SHA1

    2e056bf31a8d78df136f02a62afeeca77f4faccf

    SHA256

    9010186c5c083155a45673017d1e31c2a178e63cc15a57bbffde4d1956a23dad

    SHA512

    d0c7a120940c8e637d5566ef179d01eff88a2c2650afda69ad2a46aad76533eaace192028bba3d60407b4e34a950e7560f95d9f9b8eebe361ef62897d88b30cb

  • /data/data/com.bitejkoup.ksmlommbb/no_backup/androidx.work.workdb-journal

    Filesize

    512B

    MD5

    071d00a6a3bc888f7edf51df1eca5467

    SHA1

    d0c8dd2b3aeeb69766e72eff0b979f82e52c0817

    SHA256

    0463704a4ddfd9b1f16744347c2f67fe95fe3b62fc3402088ab88c73f1099052

    SHA512

    680b78f519222c2e2839084177c15768b9e907e87e3226fe7e7e2fe8699ad94401913436741140a076a3ac9143d6f211d47b962ae1a8c2cd4855192bbf4dcce8

  • /data/data/com.bitejkoup.ksmlommbb/no_backup/androidx.work.workdb-shm

    Filesize

    32KB

    MD5

    bb7df04e1b0a2570657527a7e108ae23

    SHA1

    5188431849b4613152fd7bdba6a3ff0a4fd6424b

    SHA256

    c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

    SHA512

    768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

  • /data/data/com.bitejkoup.ksmlommbb/no_backup/androidx.work.workdb-wal

    Filesize

    16KB

    MD5

    c7747bc4ec9d67316ebfeb4e7d6d857b

    SHA1

    92f9c9a434e15b21801a522af63c67cf33d331d4

    SHA256

    7b066b97c6de9841df9855b9ed3ae5df85d4276cc4068d750a0dacd1b23c6651

    SHA512

    905d95f5aa33504381d53b1d0ab33c8e15bbff5c900a03d639118e6a309e220837b7a308e7dff2de86a4831575763391e7efcf0efe6ce1ebdfa99a1512731823

  • /data/data/com.bitejkoup.ksmlommbb/no_backup/androidx.work.workdb-wal

    Filesize

    108KB

    MD5

    f69cf06ef06360b75627045bc37e9dfd

    SHA1

    3a74bc0ac03df5be860a5a9d2ec0dd6f93ceb44a

    SHA256

    5d12ac9e48ffa0bf13bc92b38d3bff0ce18f60627b7ebb534e6d45fabd1e49c7

    SHA512

    d9a8a05c98ab536ec0aad87dbf44451deeab0fdf10ed4afad323097ad621e8541f906495ac7fc012702715da02574fa43f28a56104f2771948a109c772e3584d

  • /data/data/com.bitejkoup.ksmlommbb/no_backup/androidx.work.workdb-wal

    Filesize

    173KB

    MD5

    a85a2614d114b809911e97f49555e70e

    SHA1

    84cc88e50eb377de2cbe8dfa4bcbb3af21bdf173

    SHA256

    129e4ae1bbb666a7446312676c1df451406a7023811046c684a9a7274812f13c

    SHA512

    2c92707b45c33f8fecae90d2bbe271b3e492f3c0429fac9089e64d6f071d39f1ae8829d781ec0f5dab3967d9b100c7ba7b02fe87ed48ef648c287d20b9895348
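An added triage helper, written for this page and not part of the sandbox's tooling or anything recovered from the sample: it carries the report's SHA256 IoCs and the extracted C2 host, walks a copy of the app's private data directory looking for files that start with the DEX magic (the payload above was dropped to app_dex/ and cache/, and cache/classes.zip is the same payload zipped), matches them against the dropped-file hashes, scans a DEX's string table for the framework classes behind the signatures listed above, and flags log lines that mention the C2. The class descriptors (`DexClassLoader`, `AccessibilityService`, `ClipboardManager`, `PowerManager$WakeLock`, `WorkManager`, `Cipher`, `startForeground`) are the editor's choice of identifiers corresponding to those signatures, not strings extracted from this sample; the DEX blob and the log lines are constructed.

```python
"""Offline triage helpers for the IoCs in this report (added example)."""
import hashlib
from pathlib import Path
from typing import Dict, Iterable, List, Optional

# SHA256 values copied from the report: the submitted APK and the code it dropped.
KNOWN_SHA256 = {
    "a1cde728e002bea0c7a8ccbcdc768c07070595722586a96311cb8ee67c96541c": "submitted APK",
    "3ae726c5690e141f75dc336fb1f3b406729c96d6c620ad32cc79a08f2a00e354": "app_dex/classes.dex",
    "3332c82cf7498d6c10b1d95b6239e71acfdd4aa9df5075b2b3a25dac4c372476": "cache/classes.dex",
    "03e611aaaa0dd48347ebcec30ef700feb81616eb1e51669ac12df786fb9b7564": "cache/classes.zip",
}
C2_HOST = "154.216.17.184"  # Hook C2 from the extracted config in the report

# Framework types behind the report's signatures, written as they appear in a
# DEX string table (Lpkg/Class; descriptors). Assumption: typical identifiers,
# not strings confirmed from this sample.
API_INDICATORS: Dict[str, tuple] = {
    "loads dropped dex": (b"Ldalvik/system/DexClassLoader;",
                          b"Ldalvik/system/InMemoryDexClassLoader;"),
    "accessibility service": (b"Landroid/accessibilityservice/AccessibilityService;",),
    "clipboard": (b"Landroid/content/ClipboardManager;",),
    "wake lock": (b"Landroid/os/PowerManager$WakeLock;",),
    "foreground service": (b"startForeground",),
    "task scheduling": (b"Landroidx/work/WorkManager;",),
    "crypto api": (b"Ljavax/crypto/Cipher;",),
}

DEX_MAGIC = b"dex\n"  # every DEX file starts with "dex\n", a 3-digit version and NUL


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def match_known_hash(data: bytes) -> Optional[str]:
    """Label from the report if this blob's SHA256 is one of its IoCs, else None."""
    return KNOWN_SHA256.get(sha256_hex(data))


def is_dex(data: bytes) -> bool:
    return data[:4] == DEX_MAGIC


def scan_dex_indicators(data: bytes) -> Dict[str, List[str]]:
    """Map each signature name to the indicator strings actually present in the blob."""
    found: Dict[str, List[str]] = {}
    for name, patterns in API_INDICATORS.items():
        hits = [p.decode() for p in patterns if p in data]
        if hits:
            found[name] = hits
    return found


def triage_app_dir(app_dir: Path) -> List[dict]:
    """Walk a pulled /data/data/<pkg> tree and describe every DEX file in it.

    Extension is ignored on purpose: the magic, not the name, decides. The
    androidx.work.workdb* files are not DEX and are skipped here, although
    they are the footprint of the scheduling signature.
    """
    results = []
    for path in sorted(app_dir.rglob("*")):
        if not path.is_file():
            continue
        blob = path.read_bytes()
        if not is_dex(blob):
            continue
        results.append({
            "path": str(path.relative_to(app_dir)),
            "sha256": sha256_hex(blob),
            "known": match_known_hash(blob),
            "indicators": scan_dex_indicators(blob),
        })
    return results


def scan_log_for_c2(lines: Iterable[str]) -> List[int]:
    """1-based numbers of proxy/DNS/netflow lines that mention the C2 host."""
    return [n for n, line in enumerate(lines, 1) if C2_HOST in line]


# Constructed sample inputs; not data taken from the sample or the sandbox.
SAMPLE_DEX = (DEX_MAGIC + b"035\x00" + b"\x00" * 16
              + b"Ldalvik/system/DexClassLoader;\x00"
              + b"Landroid/accessibilityservice/AccessibilityService;\x00"
              + b"Landroid/content/ClipboardManager;\x00")
SAMPLE_LOG = [
    "2024-11-17T22:02:11Z CONNECT 10.0.2.16 -> 203.0.113.5:443 allowed",
    "2024-11-17T22:02:14Z CONNECT 10.0.2.16 -> 154.216.17.184:80 allowed",
    "2024-11-17T22:02:20Z CONNECT 10.0.2.16 -> 198.51.100.9:443 allowed",
]

if __name__ == "__main__":
    import sys
    print("indicators in constructed dex:", scan_dex_indicators(SAMPLE_DEX))
    print("C2 hits in constructed log:", scan_log_for_c2(SAMPLE_LOG))
    if len(sys.argv) > 1:  # a directory pulled from the device, see the note below
        for entry in triage_app_dir(Path(sys.argv[1])):
            print(entry)
```

Usage: on a rooted or emulator device, `adb pull /data/data/com.bitejkoup.ksmlommbb ./pulled` and then `python3 triage.py ./pulled`; without root the private data directory is not readable, so the same check has to run on files exported by the sandbox instead. Matching on the magic rather than the file name is what catches app_dex/classes.dex and cache/classes.dex here and would also catch a payload written under a neutral extension.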