Analysis

  • max time kernel
    143s
  • max time network
    158s
  • platform
    android_x64
  • resource
    android-x64-arm64-20240624-en
  • resource tags

    androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240624-enlocale:en-usos:android-11-x64system
  • submitted
    22-11-2024 22:04

General

  • Target

    609eb001b2ef877d2d75446b0382321ec8aa4c2cea9d7cbddde479962687ad76.apk

  • Size

    4.6MB

  • MD5

    2857b4fb409629ae5f161c96470d58ba

  • SHA1

    282a482d799d792cb2df8002f27a4e6c5029a85f

  • SHA256

    609eb001b2ef877d2d75446b0382321ec8aa4c2cea9d7cbddde479962687ad76

  • SHA512

    a2756c95f20bfea7d067fae37a20b68732b8d39f29e7051c96bf45168073b8009ddd58720dcc46d4e3c98b57a9c2524e3bd9ac6f7988f98b32fa237557f12295

  • SSDEEP

    98304:nTymrArg5a4/+P++6i4ZAWBUMkhwdi+BJFuAESn7YzhbP8Tna7E:T7rlBC+W4ZhBVkqdiQJcAhn7YVQuo

Malware Config

Extracted

Family

hook

C2

http://185.147.124.250

DES_key
AES_key

Signatures

  • Hook

    Hook is an Android malware that is based on Ermac with RAT capabilities.

  • Hook family
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

    Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

  • Queries information about running processes on the device 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about running processes on the device.

  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Performs UI accessibility actions on behalf of the user 1 TTPs 5 IoCs

    Application may abuse the accessibility service to prevent their removal.

  • Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

  • Reads information about phone network operator. 1 TTPs
  • Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
  • Checks CPU information 2 TTPs 1 IoCs
  • Checks memory information 2 TTPs 1 IoCs

Processes

  • com.gbqxnvcjv.ucoujosyu
    1⤵
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Obtains sensitive information copied to the device clipboard
    • Queries information about running processes on the device
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries information about the current Wi-Fi connection
    • Schedules tasks to execute at a specified time
    • Uses Crypto APIs (Might try to encrypt user data)
    • Checks CPU information
    • Checks memory information
    PID:4475

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/com.gbqxnvcjv.ucoujosyu/app_dex/classes.dex

    Filesize

    2.9MB

    MD5

    cd656538ea17b154ce6e5e924ce51226

    SHA1

    c0c3e008fcfb283a1485275f3f0793a3550fcab5

    SHA256

    1f8d6ff3ea76583a2116a0dd16dea77e7aa79bd74b6bc19f65005b5c6fb470e1

    SHA512

    fec605c89a58dcad69be6f22f3efae9bc5c798cacb57522d26cf230ba8c1d48cb20c50d1d4226128347c842975fe689f6a662dfdf355d4b029012bf72b74cac2

  • /data/data/com.gbqxnvcjv.ucoujosyu/cache/classes.dex

    Filesize

    1.0MB

    MD5

    2eef054e2aa0d5b5b860a5aff35449b2

    SHA1

    d80251639ab6486d83bebfa77d1590a01c265e5c

    SHA256

    16b476cffa816758ab2cc1d5c61a13543e483bfc5cfd97589eccf9a4313f13ac

    SHA512

    80638f11bf1ec9a31d0baa0049fb7c2ca2a38576fc6d5abe7193887f85160fd0a644c9133f9f66d7aa8d7420267cd83e845d490da0a2f753d4e226c57691c32e

  • /data/data/com.gbqxnvcjv.ucoujosyu/cache/classes.zip

    Filesize

    1.0MB

    MD5

    556c86801ccf48bc917e38546b067308

    SHA1

    a996c082a2b4a1785a41167ca5d418c06dd01a87

    SHA256

    c287f01e17975b0aec265756b2ce369dbda205182b165c9ce5ffd1cceb626a26

    SHA512

    71fa6711d665da5aa70126fa3fe78e3619fd5189b93ee9398cd452d621e60f4cdf00b358c5aa3daa8dc7d8f3ed33a9f3538730808015ffc3ba1eb941dcb1e9b5

  • /data/data/com.gbqxnvcjv.ucoujosyu/no_backup/androidx.work.workdb

    Filesize

    4KB

    MD5

    7e858c4054eb00fcddc653a04e5cd1c6

    SHA1

    2e056bf31a8d78df136f02a62afeeca77f4faccf

    SHA256

    9010186c5c083155a45673017d1e31c2a178e63cc15a57bbffde4d1956a23dad

    SHA512

    d0c7a120940c8e637d5566ef179d01eff88a2c2650afda69ad2a46aad76533eaace192028bba3d60407b4e34a950e7560f95d9f9b8eebe361ef62897d88b30cb

  • /data/data/com.gbqxnvcjv.ucoujosyu/no_backup/androidx.work.workdb-journal

    Filesize

    512B

    MD5

    5bfc5bd93e4bfaeb1da4c273a9e21ab6

    SHA1

    b92a90d372e05349c851b086ecb3b36562b2c574

    SHA256

    7816debd45d411923e0ba0f2fa5e098ea355061f05194227ce138ad8582e5f0f

    SHA512

    f13bc33cb8b7148afcea795235a3c024b504629526bd8d8b01c88eed620c3cf9a46eae9c095ce546c01ae1836eb17bc0bea4c60a5eff4f41b27f7428c411359f

  • /data/data/com.gbqxnvcjv.ucoujosyu/no_backup/androidx.work.workdb-shm

    Filesize

    32KB

    MD5

    bb7df04e1b0a2570657527a7e108ae23

    SHA1

    5188431849b4613152fd7bdba6a3ff0a4fd6424b

    SHA256

    c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

    SHA512

    768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

  • /data/data/com.gbqxnvcjv.ucoujosyu/no_backup/androidx.work.workdb-wal

    Filesize

    16KB

    MD5

    7bc3ce0ffac157ec33b8ae60768ed97b

    SHA1

    75c689086cd55c1fa9ac2332db2a5f6e5203d78c

    SHA256

    d69c097bd1783336f1b0f0b9f6e18f3c300e05aea9077c27152d32b0baab176c

    SHA512

    d173c4d5649e18ecc89f684018b6b64f41b52005f04714f6466c1eb1a6aa34dc08298f0d742074512d9b8ee4d3733da97a983b6debde60d01f1baf676f483675

  • /data/data/com.gbqxnvcjv.ucoujosyu/no_backup/androidx.work.workdb-wal

    Filesize

    108KB

    MD5

    1300e9ace761445c8717605931100a08

    SHA1

    982ba9c818e2ba0fcba3331536201d37f771e6f4

    SHA256

    73b16673618509132b41528a2985918d438da38fccff7818774198515521b3ca

    SHA512

    807a4e046f270deeb13b1893a1c25e292fcbf8348c421e83a00bca78fa29f417ec3171b16ebcbd9ccdbf87debb1940f6d77135f3a5e712785ff1cfbd75fad1ab

  • /data/data/com.gbqxnvcjv.ucoujosyu/no_backup/androidx.work.workdb-wal

    Filesize

    173KB

    MD5

    81764c0b2c435633758f29374197a2a5

    SHA1

    1a4b36e84bac4aaf401989789f1881dd09b20a93

    SHA256

    46b3dd7b99c1defb50aabeac2c61fa5e8176418f88c25057f471bfdf4058f96e

    SHA512

    c9aa2d9c1c4e9972b6fa755255aea60e4f915141550320709d4d9ce2b9c56da7bdaee9a67796a9b0d22c27e87a3a1b3374df0c62444d00d8c34bace3fae2d214