Analysis

  • max time kernel
    147s
  • max time network
    158s
  • platform
    android_x86
  • resource
    android-x86-arm-20240624-en
  • resource tags

    androidarch:armarch:x86image:android-x86-arm-20240624-enlocale:en-usos:android-9-x86system
  • submitted
    24-11-2024 22:01

General

  • Target

    8dc420efd61e175140c215fb0f514c728312a1db2f2be48438ed1fe8a81eef0e.apk

  • Size

    4.6MB

  • MD5

    4e124742f97c21743f4eab69ea4fe27e

  • SHA1

    caefae5c6e217169fe683bcc1e61b582620b7b04

  • SHA256

    8dc420efd61e175140c215fb0f514c728312a1db2f2be48438ed1fe8a81eef0e

  • SHA512

    c3af9b30d06b02028ff6212c4b59ea30f8abb5dc13848ec9660f74a2e8003b1244f5cf0d384949ef36c074d995d8ffe1aa9b3e9d80863130d07eb47ba95c9878

  • SSDEEP

    98304:xgO1xEQCdw0PoqzbP9oWx8qfKUfuwcpGYObG0JI0Jw:hiQCdwwoAP9rxdiUhyObw

Malware Config

Extracted

Family

hook

C2

http://154.216.17.184

DES_key
AES_key

Signatures

  • Hook

    Hook is an Android malware that is based on Ermac with RAT capabilities.

  • Hook family
  • Loads dropped Dex/Jar 1 TTPs 3 IoCs

    Runs executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Queries information about running processes on the device 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about running processes on the device.

  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Performs UI accessibility actions on behalf of the user 1 TTPs 5 IoCs

    Application may abuse the accessibility service to prevent their removal.

  • Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

  • Reads information about phone network operator. 1 TTPs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
  • Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

Processes

  • com.muzeauuvq.consstfgr
    1⤵
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Queries information about running processes on the device
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries information about the current Wi-Fi connection
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Schedules tasks to execute at a specified time
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4271
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.muzeauuvq.consstfgr/app_dex/classes.dex --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.muzeauuvq.consstfgr/app_dex/oat/x86/classes.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4300

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/com.muzeauuvq.consstfgr/app_dex/classes.dex

    Filesize

    2.9MB

    MD5

    91945e8e9424b112b54c0b7d096e8140

    SHA1

    2a682040772ea08ee1cdaeadfa11d082c5e814a9

    SHA256

    65a4cb850f8259ccdd53097a96d12d6f21a63361fd4260e08740e57bebbc5a7f

    SHA512

    d0cd2e8c60bde9ae1251feece71d01dd02b640ee3331def50dadb82fe01eaf6eb29e99a4b8ebbf65378ad0f8e2ed6e0260e12a7994c7979ae77883d6989f5fb1

  • /data/data/com.muzeauuvq.consstfgr/cache/classes.dex

    Filesize

    1.0MB

    MD5

    f227ac280380931d865e58cbfdc15752

    SHA1

    0bdffd65f16503727fcb0b678392150e2867ff66

    SHA256

    4a172f9862f44cee2068bbf6106aad4fec4b4d33327ad52a785a0e45de47f9ef

    SHA512

    45d328fe58bdaa47cfb260920d18278296b1741874461ff42d67a16ee1871dd113a2d6173c95bae0491d098a1a0d45700cf82d9d7f7d0498071e98d9cfc5e333

  • /data/data/com.muzeauuvq.consstfgr/cache/classes.zip

    Filesize

    1.0MB

    MD5

    b003a2054e04d4cd3d0873dec66e4ec1

    SHA1

    2fce0eeee50bf02419aa57864cf67233e9ea5f8a

    SHA256

    fd7e64679ceefb7bb4e9c8b08d9997892b516ca6b2698f0f183965f946577443

    SHA512

    8e59945ccc15eb660dd0617d2dde7d06e073c07486c0e5ac5bc9d038780ef9f68cea3cc11c4f24ae7d0efd2159e6a40d677129960b8ecc7d34cb537d41217487

  • /data/data/com.muzeauuvq.consstfgr/no_backup/androidx.work.workdb

    Filesize

    4KB

    MD5

    f2b4b0190b9f384ca885f0c8c9b14700

    SHA1

    934ff2646757b5b6e7f20f6a0aa76c7f995d9361

    SHA256

    0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

    SHA512

    ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

  • /data/data/com.muzeauuvq.consstfgr/no_backup/androidx.work.workdb-journal

    Filesize

    512B

    MD5

    e1e758aaf86a13bfa08b71c86c5c6374

    SHA1

    9a766d4a8a6114b6c278d99585a8d6eef029b8b3

    SHA256

    2d91e623bcb94a9b9cf11967c5b3397dca698200f1d685a3cff87c7216ad1b77

    SHA512

    717c257787445e172429cbd6feb2a1824cd0c2dbfd128599a54d802da600558e52c17d14c9091175c9d036fb1ec2cb84e7c89c00879e10203def45759a3bb483

  • /data/data/com.muzeauuvq.consstfgr/no_backup/androidx.work.workdb-shm

    Filesize

    32KB

    MD5

    bb7df04e1b0a2570657527a7e108ae23

    SHA1

    5188431849b4613152fd7bdba6a3ff0a4fd6424b

    SHA256

    c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

    SHA512

    768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

  • /data/data/com.muzeauuvq.consstfgr/no_backup/androidx.work.workdb-wal

    Filesize

    108KB

    MD5

    95aee670571021d6b537c765c3e3078a

    SHA1

    3f4f171f3acc55a2a215d10904b10e7cfbf1a512

    SHA256

    dc922b258424b594464b6216beb39129865791f4000c75f0af6e12305bb3b0ff

    SHA512

    0a50b468f860273dcf2b9752dc00bf1871e175bec91a6ed079c0005e48e356d48da72bb2646725aa36f469f5d5a4ab374f74ea46b9ecdd975b4ecd92d5232d9e

  • /data/data/com.muzeauuvq.consstfgr/no_backup/androidx.work.workdb-wal

    Filesize

    173KB

    MD5

    5ba6200b5a9ce6cca8f24ca3999727e9

    SHA1

    8e9fa3d663df61a768beaeb1aee97eb4595215ab

    SHA256

    4e98e299be375a38d6d42fe0f4d800ced6d653c4b890f6dedbfa444be4c523f2

    SHA512

    228c0c1e75063ab9a2a4f5d640e86fcf07aced9701de6f601b9184553f347d07f868a512bb0da1b477d08fde2c119fa8480540cca91401a3e6f4098251d25b88

  • /data/data/com.muzeauuvq.consstfgr/no_backup/androidx.work.workdb-wal

    Filesize

    16KB

    MD5

    01d4fecdb2bfff7b10d4c0ae5a0af391

    SHA1

    485d24644731c68f59b54723fa1f403a9705e26c

    SHA256

    30854a92d692fda00870fcb8f069650212687b5a39404bb72fdc51253b7bed2f

    SHA512

    e6cd85a8c5f8cbf326ecca28a55a78ae7e0fb8decb1e8e64127a9bfba7bd260b5df336d2a884c3bd01b111e73e6c53ecd962a8c0dc4c49a61ba1e9de8bf3a9d8

  • /data/user/0/com.muzeauuvq.consstfgr/app_dex/classes.dex

    Filesize

    2.9MB

    MD5

    b9430a2b2c5bbf32bca5642e1a86c050

    SHA1

    83eab457c72953ca5503d956c508b868e071aaba

    SHA256

    0aa0e212c793277828347d736d4de9d44856d47f143a421eeb5285afb33ad3fc

    SHA512

    c7ad78ebafa3a55c25001ccded7c042150c4c8b09476f75f6db12b86851629e0022e3793ca685cf59699e3876151166b204ff43a2d7017a474a778fe143aa520