Analysis

  • max time kernel
    147s
  • max time network
    153s
  • platform
    android_x86
  • resource
    android-x86-arm-20240624-en
  • resource tags

    android, arch:arm, arch:x86, image:android-x86-arm-20240624-en, locale:en-us, os:android-9-x86, system
  • submitted
    19-11-2024 22:06

General

  • Target

    3c44af86acb77cb7b03d4380eaa117347f62853ef7603d58b5df8727e3bb25ab.apk

  • Size

    4.1MB

  • MD5

    428511bbb686703e0e7da106eea33555

  • SHA1

    b25652bb4fd64a3362005618c242d6dd54f36818

  • SHA256

    3c44af86acb77cb7b03d4380eaa117347f62853ef7603d58b5df8727e3bb25ab

  • SHA512

    29654d654be13bcb94003d2473f84c5593a11e6002c2b0c56cb2e0fd69b0e1a96389ddb45d1a62894e84c60eda01c812e10d3477bdec5a5c1604fe51ad1df2a3

  • SSDEEP

    98304:ykEwezCzu/lnTWmE5U5EUQRNFsi0Fq2ceePMCn5nVuW:XlezCz6q9UifNFsi0FuJPh5VuW

Malware Config

Extracted

Family

hook

C2

http://85.28.47.32

AES_key

Signatures

  • Hook

    Hook is an Android malware that is based on Ermac with RAT capabilities.

  • Hook family
  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 3 IoCs

    Runs executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries information about running processes on the device 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about running processes on the device.

  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Performs UI accessibility actions on behalf of the user 1 TTPs 5 IoCs

    Application may abuse the accessibility service to prevent their removal.

  • Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

  • Reads information about phone network operator. 1 TTPs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
  • Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

Processes

  • com.xvufmyjui.lvpbmzncn
    1⤵
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Queries information about running processes on the device
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries information about the current Wi-Fi connection
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Schedules tasks to execute at a specified time
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4323
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.xvufmyjui.lvpbmzncn/app_app_dex/ywmkqqf.xfw --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.xvufmyjui.lvpbmzncn/app_app_dex/oat/x86/ywmkqqf.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4348

Network

MITRE ATT&CK Mobile v15

Downloads

  • /data/data/com.xvufmyjui.lvpbmzncn/app_app_dex/ywmkqqf.xfw

    Filesize

    2.9MB

    MD5

    2109c4374feffdf3dd44559939218d80

    SHA1

    fc9c7ef5cfcefe1db0cddc26841c253a062cd36c

    SHA256

    0e7f6a649f03a7222948907e79ccdbcc8353d3ea5a299e3665db88aa38a2b232

    SHA512

    cda3fe9abb736eb6325bcc3d8f13f6720271d63c9a5598895c32a7822054d9c24bff97720488701a5a694b82ac30743846cf4ff7759ea9be1c0f578273bb324e

  • /data/data/com.xvufmyjui.lvpbmzncn/no_backup/androidx.work.workdb

    Filesize

    4KB

    MD5

    f2b4b0190b9f384ca885f0c8c9b14700

    SHA1

    934ff2646757b5b6e7f20f6a0aa76c7f995d9361

    SHA256

    0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

    SHA512

    ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

  • /data/data/com.xvufmyjui.lvpbmzncn/no_backup/androidx.work.workdb-journal

    Filesize

    512B

    MD5

    717f7d0a13d1daadaf112f82551fa318

    SHA1

    39d01efe4e640bc11f412d7e8534765df82baf9e

    SHA256

    3a6411cc83e42283c445d658a0c05b92bf59de6757b908ae16c7c057b7190af5

    SHA512

    be19361e2f6f6cb7e7570b8e5bc07e9dda41c69a5813db2cf582c0d228c22f7645e3001469383e48d88b2514b8d7ad0d5e4ea2e5dae78e7dcbb13f749d8d4ebe

  • /data/data/com.xvufmyjui.lvpbmzncn/no_backup/androidx.work.workdb-shm

    Filesize

    32KB

    MD5

    bb7df04e1b0a2570657527a7e108ae23

    SHA1

    5188431849b4613152fd7bdba6a3ff0a4fd6424b

    SHA256

    c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

    SHA512

    768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

  • /data/data/com.xvufmyjui.lvpbmzncn/no_backup/androidx.work.workdb-wal

    Filesize

    173KB

    MD5

    6195555b9427a1d7a4789087e2c6399d

    SHA1

    ae7891f9c6d0a168a434ceffa1272365db9b84c4

    SHA256

    51b659786bed1f00322ef923815a216f46a01cb5b892b3dbd7cf43ed047c131a

    SHA512

    b2a728e4376449b05758a4ac01d2e9df2733f78d342a2dfd222ecb6430dff1d688344ab0b3b694c8891eeaa7eb3b7cc8271b7d7186e5dbf4848b1c976d88ee63

  • /data/data/com.xvufmyjui.lvpbmzncn/no_backup/androidx.work.workdb-wal

    Filesize

    16KB

    MD5

    17ee1c53dd56fd77598355539f11909b

    SHA1

    a69a7c8a438e74e20ec21f6d781a6351deaaab97

    SHA256

    ba576dc8a763fa282b29afa543bb6942facf160da148379783df4cfb4695204f

    SHA512

    18b66d2866b50bc1daef7a462ba2fff0289936bb3798901d7a11c114235ff87ad5ccab8ca7f551bfebeabf0e8086de4ec2ba5e2055ed0f351e1006d1d9352070

  • /data/data/com.xvufmyjui.lvpbmzncn/no_backup/androidx.work.workdb-wal

    Filesize

    108KB

    MD5

    3fd0edb59e6779c2f08ca0809b4332bd

    SHA1

    acba23c29f5aabbaa2086b933bf93efcdc5a07e4

    SHA256

    1accbc2aded23b147f037a675a97775856dfb53a1ffb68c29aa6381746ca7505

    SHA512

    64b8d4d050a523ea24c9a9d72a331d48e2599e1f7f283ff71bb971c144a2ce77c4e1f1bd582bae5d2065ae26d22d1898c57dc534515e50fa563a1e7239dff9e5

  • /data/user/0/com.xvufmyjui.lvpbmzncn/app_app_dex/ywmkqqf.xfw

    Filesize

    2.9MB

    MD5

    4c1d7315a9722c663103ccc01055a6aa

    SHA1

    1f23832f83b0c1ebf2ef0957899e2d21bb8cea45

    SHA256

    fb63a2d4138af370ec20dbca4f5a6a4a702bfbde8c49934ade0e7f2e952ec37e

    SHA512

    87c19329bdad947a18c88ed593b6e38c8e1233c2cb2a19fa11c250a7a2ba2461be9e47e3ab9b29eb9f15de4a030610b45a331ea3c45c74e1373d887088524df1