Analysis

  • max time kernel
    145s
  • max time network
    159s
  • platform
    android_x64
  • resource
    android-x64-20240624-en
  • resource tags

    androidarch:x64arch:x86image:android-x64-20240624-enlocale:en-usos:android-10-x64system
  • submitted
    25-11-2024 22:00

General

  • Target

    8564583d8884530c37150a5193cabb1949c05fc07cf5c8c119b1c03fde25d0e3.apk

  • Size

    4.6MB

  • MD5

    889abd05c789ca7870cbc8380cbb9e9a

  • SHA1

    549ce6cdf003a052a52220b438ccea56c40b5fd5

  • SHA256

    8564583d8884530c37150a5193cabb1949c05fc07cf5c8c119b1c03fde25d0e3

  • SHA512

    73ff7fee227c36849289617eea7e0f694f0538d4d06f1e8ead9a6f09e0a0994e6a3f3139faad919aea43933ed11078e6a9d856eabb0f78e0d9fc78342d01e99e

  • SSDEEP

    98304:gVzChgizffJ66E7kQTdhWEMN/+yR1LAUCKlfj/fExSgaLvj3Q6ag:EzCaizc7n5MR+URlfo5Yvjrag

Malware Config

Extracted

Family

hook

C2

http://185.147.124.250

DES_key
AES_key

Signatures

  • Hook

    Hook is an Android malware that is based on Ermac with RAT capabilities.

  • Hook family
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

    Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

  • Queries information about running processes on the device 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about running processes on the device.

  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Performs UI accessibility actions on behalf of the user 1 TTPs 5 IoCs

    Application may abuse the accessibility service to prevent their removal.

  • Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Reads information about phone network operator. 1 TTPs
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
  • Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
  • Checks CPU information 2 TTPs 1 IoCs
  • Checks memory information 2 TTPs 1 IoCs

Processes

  • com.yxsqkgwvz.bfqiecahy
    1⤵
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Obtains sensitive information copied to the device clipboard
    • Queries information about running processes on the device
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries information about the current Wi-Fi connection
    • Queries the mobile country code (MCC)
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Schedules tasks to execute at a specified time
    • Uses Crypto APIs (Might try to encrypt user data)
    • Checks CPU information
    • Checks memory information
    PID:4936

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/com.yxsqkgwvz.bfqiecahy/app_dex/classes.dex

    Filesize

    2.9MB

    MD5

    4890df35d01cb3f5abe2fe48468808b1

    SHA1

    e34d25fbadeb8797a267f0b14147d6fec3436cfe

    SHA256

    3c11b1fe8e48ea3c0ef920bf17b38bd09888c2e7d5c7328913043a06879f90dd

    SHA512

    a5e5bc39898e96196e9b308a811a640c635e6b9db3c415eec5a5c38e031de83330c7acfa771320234247eb07d601f4c2ae04ca1523778514759b923ada77171f

  • /data/data/com.yxsqkgwvz.bfqiecahy/cache/classes.dex

    Filesize

    1.0MB

    MD5

    10efa14909800042f90a47c5bdc5e1d2

    SHA1

    1824e614dc129b4e58b96c077a6af87db5ec368d

    SHA256

    fc3099255ce95efcbfacf646610d6b940789aa71d850f87d3636f2b36c7435a7

    SHA512

    94e8027c38008165b3ccef7732f53187789f3bb7c0dc3881f01f15b16bde89613376e9f02838dc3aff9ddbb1548ea670a91ba9991f8161a07ed937f0a16447a4

  • /data/data/com.yxsqkgwvz.bfqiecahy/cache/classes.zip

    Filesize

    1.0MB

    MD5

    ba8134fe531d50d6e1255426d99eac48

    SHA1

    83be6708993e2065b1c1e8ecd61ffec34f193c3d

    SHA256

    aadb67dd5bf02b7a595456cac0d4c08bf57f0ce0f2368d033182721762a6a18e

    SHA512

    76f45f1a637d4f9d9c2406037661c330c5c2336ce9c4ef4e082f0f48990378a2877ae7de2947e99ffaea31ac49ea17f52b3ac5b1d186a6fd675e5fee762779dc

  • /data/data/com.yxsqkgwvz.bfqiecahy/no_backup/androidx.work.workdb

    Filesize

    4KB

    MD5

    f2b4b0190b9f384ca885f0c8c9b14700

    SHA1

    934ff2646757b5b6e7f20f6a0aa76c7f995d9361

    SHA256

    0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

    SHA512

    ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

  • /data/data/com.yxsqkgwvz.bfqiecahy/no_backup/androidx.work.workdb-journal

    Filesize

    512B

    MD5

    f2de86d6469b395ddaacfc41036298ee

    SHA1

    9d379f8a488ba7f271ffc28488b675a035024cf1

    SHA256

    d439108f4e085f5cc6583e2a9d6bc50517a8024d958b7da41c75b19d33ca4d66

    SHA512

    346cbe098c477d88f43946fa2fa27526c75ed37f16b9bbe470d229f761f53f3724c00ef864cb74edaebe4f9f72cede18e677fdc437a880126313df1953014d22

  • /data/data/com.yxsqkgwvz.bfqiecahy/no_backup/androidx.work.workdb-shm

    Filesize

    32KB

    MD5

    bb7df04e1b0a2570657527a7e108ae23

    SHA1

    5188431849b4613152fd7bdba6a3ff0a4fd6424b

    SHA256

    c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

    SHA512

    768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

  • /data/data/com.yxsqkgwvz.bfqiecahy/no_backup/androidx.work.workdb-wal

    Filesize

    16KB

    MD5

    f587e0d775972866d2405c70d4618205

    SHA1

    d854cf23cd140a000b17729a394de29ef59a2e41

    SHA256

    a64795a2890f721b315583ad6f0181883403978354dcecaddbc0f10d762855cc

    SHA512

    adc7a44d469b8450c04ac3abdb7e17427f33d425c48dd255ab8e3bed0f89378771ff78c3b246bc9294d601c77fc39dda0b00addbf239180e3d6b3e65206d7abe

  • /data/data/com.yxsqkgwvz.bfqiecahy/no_backup/androidx.work.workdb-wal

    Filesize

    108KB

    MD5

    a17a0de92a1e9f1bb2b1f347aab26036

    SHA1

    3aa13c8c04ec7fd9dc4b857f0d55c6b8aae4912c

    SHA256

    a5ae0194c36dcb5f49e9ca8bdd3d7e031423b4a2741e2ec7cd3508804c550321

    SHA512

    fde208b9d920a542cd5c94fd484f3adbbbc11ad28f48b72f7ccd40ea69d305843ec2309a41130cb441006dd2eca289ddbc9475d23b0f9bc8f839cee9fed401fe

  • /data/data/com.yxsqkgwvz.bfqiecahy/no_backup/androidx.work.workdb-wal

    Filesize

    173KB

    MD5

    69fc3f33697e5bfb4d8bb89e890e3bb2

    SHA1

    43b6cff222a530d37679288d54c291f46292ac5d

    SHA256

    6e2c6c83b889de7bec34e13a185d27ffb4e0d6eb27b7f069754fff9add0a23a2

    SHA512

    50e48a084556fad0d04740388d113029b817ef484f570e254e1acd91510012ab8734fa6eb4416e396c59b16a728eac1f1112f5753b834c08faa24262e04c59fe