Analysis

  • max time kernel
    148s
  • max time network
    158s
  • platform
    android_x86
  • resource
    android-x86-arm-20240624-en
  • resource tags

    androidarch:armarch:x86image:android-x86-arm-20240624-enlocale:en-usos:android-9-x86system
  • submitted
    24-11-2024 22:00

General

  • Target

    b7742c9c70e896b31d68b4cdf345ac1d77192ae381f6e49907197fe2bd97eb2b.apk

  • Size

    4.6MB

  • MD5

    7ebb1a9bd104996f722ec77affce15c4

  • SHA1

    c59502a830d4bfbc31da6640a4ad9566d41a0786

  • SHA256

    b7742c9c70e896b31d68b4cdf345ac1d77192ae381f6e49907197fe2bd97eb2b

  • SHA512

    74575c2eb3193f8ed8005775387e0d2aa357afc4909c1490df85a5820f4d67e6687881cb666d0dd0311866a5cdf00cc9c1f0fda395ae61b5ef4c45f2f437aa8b

  • SSDEEP

    98304:GK+KlMqXInLSSU6rB4bq6D7l4wmHa42F7b62orR8krE:0KaqXMD/N426Kda4uBw0

Malware Config

Extracted

Family

hook

C2

http://185.147.124.250

DES_key
AES_key

Signatures

  • Hook

    Hook is an Android malware that is based on Ermac with RAT capabilities.

  • Hook family
  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 3 IoCs

    Runs executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries information about running processes on the device 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about running processes on the device.

  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Performs UI accessibility actions on behalf of the user 1 TTPs 6 IoCs

    Application may abuse the accessibility service to prevent their removal.

  • Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

  • Reads information about phone network operator. 1 TTPs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
  • Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

Processes

  • com.wwfvynwml.wjpuuowbi
    1⤵
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Queries information about running processes on the device
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries information about the current Wi-Fi connection
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Schedules tasks to execute at a specified time
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4269
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.wwfvynwml.wjpuuowbi/app_dex/classes.dex --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.wwfvynwml.wjpuuowbi/app_dex/oat/x86/classes.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4294

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/com.wwfvynwml.wjpuuowbi/app_dex/classes.dex

    Filesize

    2.9MB

    MD5

    c7699693c2ca0401fdd78b06c2a446d4

    SHA1

    8218183d5cf401728e6467d81a8805b392e40697

    SHA256

    82f6e4403759bd9396bd4b20396b3fc9194c76fc952e728052c5589846b24131

    SHA512

    c7b4c3213c9039e57abb229de59a78749312e6a9d5341410dac23d3d21a554fede9df184896fb8ab4d94eaa8a7cfec848243a41465a6e29502de836e80dda141

  • /data/data/com.wwfvynwml.wjpuuowbi/cache/classes.dex

    Filesize

    1.0MB

    MD5

    44ad8ad4679956dd01f4fba5bebdf06a

    SHA1

    126b28b77eccc8beb2fb4e0ed728da8a7860c1db

    SHA256

    5edd22cebf6a52fe7ab53694a7550f3202af3888646d3427d089eeee0a2ede29

    SHA512

    bb4e63fa1ac04f03bb875cb57a2d35ea02af19537a0c0c9fdc46a0039c1fb1da8e77a3b2c6a7813cb37d7c176b42af08463cab7eb9d053246be97df5e1c6c99a

  • /data/data/com.wwfvynwml.wjpuuowbi/cache/classes.zip

    Filesize

    1.0MB

    MD5

    a0503a60ef6fc55513388785cd01465f

    SHA1

    294025fa0759d4c1438b528979e784c15714cb94

    SHA256

    cef4433dca6437c14b90c291439ea1cefc4f3f4b4571e7ff64d3d5bdd549cd4e

    SHA512

    2020eaba4b7b21e32b3e44de2a7fc6dbcb10c634a748cd330d172a534a438fb8cb139b8ba89001077828c9870318c08becdc3ea154b3741cacca596ce8e028ae

  • /data/data/com.wwfvynwml.wjpuuowbi/no_backup/androidx.work.workdb

    Filesize

    4KB

    MD5

    f2b4b0190b9f384ca885f0c8c9b14700

    SHA1

    934ff2646757b5b6e7f20f6a0aa76c7f995d9361

    SHA256

    0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

    SHA512

    ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

  • /data/data/com.wwfvynwml.wjpuuowbi/no_backup/androidx.work.workdb-journal

    Filesize

    512B

    MD5

    8beb4cdba4163f553fa1568e4648efb2

    SHA1

    b8403b43fe576527f902294075fffa0a5bdd42f4

    SHA256

    6ee7bb9c873896a7e48ec1a7d4c5f23f5566f52a06d7aaf6e396b47359a2fff4

    SHA512

    1de1d4d09fa8f0dda1f26e591255736641b36ffa9129c23e2dacfd0e97d8bb3732dd6088a229b48ed3a69785824fccc7718502297bba961ab67a20a756507cef

  • /data/data/com.wwfvynwml.wjpuuowbi/no_backup/androidx.work.workdb-shm

    Filesize

    32KB

    MD5

    bb7df04e1b0a2570657527a7e108ae23

    SHA1

    5188431849b4613152fd7bdba6a3ff0a4fd6424b

    SHA256

    c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

    SHA512

    768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

  • /data/data/com.wwfvynwml.wjpuuowbi/no_backup/androidx.work.workdb-wal

    Filesize

    108KB

    MD5

    e99e10fae93f9a7e89116461894df0a4

    SHA1

    49c7e98202184ddee660ba81241bd446be07b2d3

    SHA256

    1d89cd7a61a07158e5343aa0172edfcc1d66d8cf13a59af2fe3cbc9051443854

    SHA512

    a98516bfb8eca369df1afd9bea2a524e5d731bc8509fe9dc489240a040f4bd6fc6e62cf76a4bcce8a212c45907faeaec64219c7870dac76298fb8a7e3eadbd73

  • /data/data/com.wwfvynwml.wjpuuowbi/no_backup/androidx.work.workdb-wal

    Filesize

    173KB

    MD5

    cb9b4fced3c3da069d5ad1ba632e7983

    SHA1

    a62444a23869d49068c66bcce2689cbddf0a33ec

    SHA256

    05def34996b6aae84f42f88f6f4c103268d39db29a08a1844a2f1d91e9625ad8

    SHA512

    dd294a720e6b588793b3d4f073272ad2c97ba9ab89dd684101188cf08a8775aa6a5288754555a83b3cd8c1cd38fcd45827eec0b6c695c08b8865345ee862ebe5

  • /data/data/com.wwfvynwml.wjpuuowbi/no_backup/androidx.work.workdb-wal

    Filesize

    16KB

    MD5

    1e0db5b6d585ee729978d534e4a2807b

    SHA1

    e738a8c36b128740d812ec18aa612c77e47223bc

    SHA256

    55c29223b36398978a84108673daf71b4abef446631d570cba6590a4ec768b33

    SHA512

    54d3db6fcdd1158f27daefa53d418dde1963929c9a181e1895372a4d57a4a19f1dfa09c5689eb14eaabc8c4125f746f5551e5bf997ca182e2ad7ceca50793d05

  • /data/user/0/com.wwfvynwml.wjpuuowbi/app_dex/classes.dex

    Filesize

    2.9MB

    MD5

    419585d7bafa3bd32d82b86b63f9adbd

    SHA1

    f0ffe2c5af5a743e85dc24abca3207c165785226

    SHA256

    b31d39c30f8b8a6e4a0d7cc131b2bec7e3ecea6a024a0d7254243580cbd63de9

    SHA512

    58d03bed060f720cd749819bc764c2e07cdf46c9f16abb7f70312e21ff61cdc3c21e6f612dd4c111e794645d1707f17c6d61c27a3c1a20ad62fa7d5f867a70a4