Overview

overview

10

Static

static

6

6737333644...d5.apk

android-9-x86

10

6737333644...d5.apk

android-10-x64

10

6737333644...d5.apk

android-11-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    160s
  • platform
    android_x64
  • resource
    android-x64-20240624-en
  • resource tags

    androidarch:x64arch:x86image:android-x64-20240624-enlocale:en-usos:android-10-x64system
  • submitted
    24-11-2024 22:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    67373336444cf92861d23ae41b534d2f7ad3722a3fc4a23ef97a5e31d34782d5.apk

  • Size

    4.6MB

  • MD5

    df766b5790e29da663fdfd318395f2aa

  • SHA1

    352727a10de625e12b53259ef363cc8de5181f02

  • SHA256

    67373336444cf92861d23ae41b534d2f7ad3722a3fc4a23ef97a5e31d34782d5

  • SHA512

    e0964d5e8abd06f311358add145bd2e95893d01ac684aed6fc86814135b48044012d86b4fd806fc4ba7f511201a79a789762ea7d106be829cc8532163fca47f7

  • SSDEEP

    98304:CVziM+K+UCY/U4C1NGGEbZKJlD+16zr6ZSEn+mIC3qN6P2GYLlR2MNJl3:OD+Gz4UKkWfmIdNlZQMx3

Score
10/10
hookcollectioncredential_accessdiscoveryevasionexecutionimpactinfostealerpersistencerattrojan

Malware Config

Extracted

Family

hook

C2

http://185.147.124.250

DES_key
AES_key

Signatures

  • Hook

    Hook is an Android malware that is based on Ermac with RAT capabilities.

    rattrojaninfostealerhook
  • Hook family
    hook
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasioncredential_access
  • Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

    Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

    collectioncredential_accessimpact
  • Queries information about running processes on the device 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about running processes on the device.

    discovery
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    evasionpersistence
  • Performs UI accessibility actions on behalf of the user 1 TTPs 5 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

    discovery
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
    discovery
  • Reads information about phone network operator. 1 TTPs
    discovery
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
    persistence
  • Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

    executionpersistence
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
    impact
  • Checks CPU information 2 TTPs 1 IoCs
  • Checks memory information 2 TTPs 1 IoCs

Processes

  • com.rxpdnpgga.abhpsrmqg
    1⤵
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Obtains sensitive information copied to the device clipboard
    • Queries information about running processes on the device
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries information about the current Wi-Fi connection
    • Queries the mobile country code (MCC)
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Schedules tasks to execute at a specified time
    • Uses Crypto APIs (Might try to encrypt user data)
    • Checks CPU information
    • Checks memory information
    PID:5056

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

1
T1603

Persistence

Event Triggered Execution

1
T1624

Broadcast Receivers

1
T1624.001

Foreground Persistence

1
T1541

Scheduled Task/Job

1
T1603

Privilege Escalation

Defense Evasion

Download New Code at Runtime

1
T1407

Foreground Persistence

1
T1541

Impair Defenses

1
T1629

Prevent Application Removal

1
T1629.001

Input Injection

1
T1516

Virtualization/Sandbox Evasion

2
T1633

System Checks

2
T1633.001

Credential Access

Clipboard Data

1
T1414

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Discovery

Process Discovery

1
T1424

System Information Discovery

2
T1426

System Network Configuration Discovery

3
T1422

System Network Connections Discovery

1
T1421

Lateral Movement

Collection

Clipboard Data

1
T1414

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Screen Capture

1
T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

1
T1471

Data Manipulation

1
T1641

Transmitted Data Manipulation

1
T1641.001

Input Injection

1
T1516

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/com.rxpdnpgga.abhpsrmqg/app_dex/classes.dex
    Filesize

    2.9MB

    MD5

    357f0b57c3a6362184605e5bd940e33f

    SHA1

    37d587e78e22756abfcc706019ab1edf3288d47a

    SHA256

    5b7f0bb3f4ec19c8fcfe86f4d81bc21b2e52592d6a4035c7f6e27c96abf51325

    SHA512

    06f46e7940445a34cdef68bc7a105e265a55562022106dcd9debbbafa78e00b57827975f70da7fa4d4522dfc9a5b71e7644304cc519417a7f68dc894090f0ecf

    Download Submit

  • /data/data/com.rxpdnpgga.abhpsrmqg/cache/classes.dex
    Filesize

    1.0MB

    MD5

    bdc3c530f389ffe9124c53c8c2c9186b

    SHA1

    9119f877986d2f6c9a589bb782c50885ef56f3bc

    SHA256

    e134703948aa0d722e807d1a5802fc635b821de5794319ce5ef0ea3b28e3d622

    SHA512

    963acec4ececd695ecb607b75d9e12af502aa4cd213d873461b4b1140336bbc2df957a5787e802ae2a15779f90409953a8f268893fb156f027c53d1e6b043b7c

    Download Submit

  • /data/data/com.rxpdnpgga.abhpsrmqg/cache/classes.zip
    Filesize

    1.0MB

    MD5

    04b117e0718666eff9c4f90ca9aa70f5

    SHA1

    90a74e83e45aef3910f185676ade0e83fdd6c3a6

    SHA256

    5be978cfefa01aed5a3d0e294866a10990e6399a4f1ff7edb4d0d0efc1a94211

    SHA512

    aa7470dab915b0254dbda03332f9ba5ebd0f6682c27d4736edae5a63588cee4f11206ddffa66673d352098546a5f8677e7cefa2dd7629742bfe3a79c94de9b40

    Download Submit

  • /data/data/com.rxpdnpgga.abhpsrmqg/no_backup/androidx.work.workdb
    Filesize

    4KB

    MD5

    f2b4b0190b9f384ca885f0c8c9b14700

    SHA1

    934ff2646757b5b6e7f20f6a0aa76c7f995d9361

    SHA256

    0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

    SHA512

    ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

    Download Submit

  • /data/data/com.rxpdnpgga.abhpsrmqg/no_backup/androidx.work.workdb-journal
    Filesize

    512B

    MD5

    b3b94529bf4131e5e7f9790bbc23169f

    SHA1

    12041aa2ecb12cc7c2df85d2d28bb2aab39ec63c

    SHA256

    86142072dc083d1b88cd8e86f0110c0aa49e0e0d002c29b35a6b7969406b8f1a

    SHA512

    143e32bc09d5e6e130ce85a5801d3581a715b0e77292cc4e544eec9bfad400314e2ecb91fe4312bd8e45e2ae508962eb581986bd0cadccfbc0feb26f785228b5

    Download Submit

  • /data/data/com.rxpdnpgga.abhpsrmqg/no_backup/androidx.work.workdb-shm
    Filesize

    32KB

    MD5

    bb7df04e1b0a2570657527a7e108ae23

    SHA1

    5188431849b4613152fd7bdba6a3ff0a4fd6424b

    SHA256

    c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

    SHA512

    768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

    Download Submit

  • /data/data/com.rxpdnpgga.abhpsrmqg/no_backup/androidx.work.workdb-wal
    Filesize

    16KB

    MD5

    98088be7c0980de153efb7742ccc8e1d

    SHA1

    019882028e99d21494061af4d04d2645407f01b7

    SHA256

    b814e816c67b7a3c8c263f6c30989cc2cb07436be85c2c853a2c72eb51b9f0a8

    SHA512

    e1d78bdad735303f5afe6416f3ab805f8a9b75fb64f1c2be022881f8b573d7ab5bed36b451e124b5e66cbaa1e37e0edaa3ccb5b866e56cf51276442bd207346b

    Download Submit

  • /data/data/com.rxpdnpgga.abhpsrmqg/no_backup/androidx.work.workdb-wal
    Filesize

    108KB

    MD5

    232972840222ceeb88c55fa4c72198d8

    SHA1

    5925b3e6c877c519a1fadb72c789dcd959765836

    SHA256

    80cb09c74ffb3a4463384b5be8ff4068ac59f5f8938bb755268b457ec3f753e8

    SHA512

    e1e47a088f6c40026c723a8c4582619e773105f253f4f85a28aebc65599826d862de70c57c017aeb53d30054cb428f74b153150b7ec451cf56c2422b467f369e

    Download Submit

  • /data/data/com.rxpdnpgga.abhpsrmqg/no_backup/androidx.work.workdb-wal
    Filesize

    173KB

    MD5

    567c11c89e23b4dca72a93300c93bbb4

    SHA1

    50274a4ad5fb4604377e69ba7c0f5ee6bc8c9dcf

    SHA256

    6e7900858773927ae5c75a4eaede5014a2970b185f34e3eebfeaf41165646bc2

    SHA512

    fbfd1221221b123ff9b7fbf9f1967ecfa1b3eb4af5f81d86d63d3fbf413bfd9af81ee2596993f74cda470640a13644054ea5f4ab0e5b88ea1fba2e73775821f7

    Download Submit