Overview

overview

10

Static

static

6

d8723fca41...d9.apk

android-9-x86

d8723fca41...d9.apk

android-10-x64

10

d8723fca41...d9.apk

android-11-x64

10

Analysis

  • max time kernel
    131s
  • max time network
    156s
  • platform
    android_x64
  • resource
    android-x64-arm64-20240624-en
  • resource tags

    androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240624-enlocale:en-usos:android-11-x64system
  • submitted
    04-12-2024 22:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d8723fca41fab2dd936c63609e87af0173ca43703362d9703f5d492c278037d9.apk

  • Size

    4.6MB

  • MD5

    ae30b2eb0d439fe48461102dc986cf4e

  • SHA1

    3061a2bae5aa158adacc19559f9368a79907fe6c

  • SHA256

    d8723fca41fab2dd936c63609e87af0173ca43703362d9703f5d492c278037d9

  • SHA512

    51daff41234fb3d92b9caea2697f66c8a64b37afa3a1f1d3b885e3593fc3bba8f4fa0426db4fa51ff86f354192c6e5ae371eb83d9539b14459f2430bc63f6a6b

  • SSDEEP

    98304:r9xqoY/NDAoGJt0L97oJMAGvUfV2BujvXUJt7/2y0MoIlicA:TqZ/Ncrs9qMA4UtRbkDl0MxlZA

Score
10/10
hookbankercollectioncredential_accessdiscoveryevasionexecutionimpactinfostealerpersistencerattrojan

Malware Config

Extracted

Family

hook

C2

http://92.255.57.103

DES_key
AES_key

Signatures

  • Hook

    Hook is an Android malware that is based on Ermac with RAT capabilities.

    rattrojaninfostealerhook
  • Hook family
    hook
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasioncredential_access
  • Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

    Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

    collectioncredential_accessimpact
  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
    bankerdiscovery
  • Queries information about running processes on the device 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about running processes on the device.

    discovery
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    evasionpersistence
  • Performs UI accessibility actions on behalf of the user 1 TTPs 5 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

    discovery
  • Reads information about phone network operator. 1 TTPs
    discovery
  • Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

    executionpersistence
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
    impact
  • Checks CPU information 2 TTPs 1 IoCs
  • Checks memory information 2 TTPs 1 IoCs

Processes

  • com.rrnynabnv.cgofowmor
    1⤵
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Obtains sensitive information copied to the device clipboard
    • Queries information about running processes on the device
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries information about the current Wi-Fi connection
    • Schedules tasks to execute at a specified time
    • Uses Crypto APIs (Might try to encrypt user data)
    • Checks CPU information
    • Checks memory information
    PID:4613

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

1
T1603

Persistence

Foreground Persistence

1
T1541

Scheduled Task/Job

1
T1603

Privilege Escalation

Defense Evasion

Download New Code at Runtime

1
T1407

Foreground Persistence

1
T1541

Impair Defenses

1
T1629

Prevent Application Removal

1
T1629.001

Input Injection

1
T1516

Virtualization/Sandbox Evasion

2
T1633

System Checks

2
T1633.001

Credential Access

Clipboard Data

1
T1414

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Discovery

Process Discovery

1
T1424

Software Discovery

1
T1418

Security Software Discovery

1
T1418.001

System Information Discovery

2
T1426

System Network Configuration Discovery

2
T1422

System Network Connections Discovery

1
T1421

Lateral Movement

Collection

Clipboard Data

1
T1414

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Screen Capture

1
T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

1
T1471

Data Manipulation

1
T1641

Transmitted Data Manipulation

1
T1641.001

Input Injection

1
T1516

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/com.rrnynabnv.cgofowmor/app_dex/classes.dex
    Filesize

    2.9MB

    MD5

    4111c550f121390f5437cf2f52860dde

    SHA1

    f125212b3b9abd032d42a065c54d8fa9d7b5b243

    SHA256

    63e5086013899fe9bd9b6b5f15d61df10668152bf3da7e322cfcc37538bc1cf5

    SHA512

    2808c1d0157455b3e8ab3d1ed1a140da0b5ed31cd41d2c7718c70477110f4615298ea09f7a177e01eec75266267a73a05a19434b1b4f4b9065b86bf8bbfbc9f8

    Download Submit

  • /data/data/com.rrnynabnv.cgofowmor/cache/classes.dex
    Filesize

    1.0MB

    MD5

    03d0772a882c474e2a3bc1e80687651c

    SHA1

    1f34d128231a088eb93a88e58e97a820770508ab

    SHA256

    a0f97a4def683991ca2ae10975b262ea71870a2e620d004b6bfac91f14e28625

    SHA512

    71259da7353ac0e3b9021465b34417b46334af850b2efb19ef22b4d7b7f679f0265f72313b9e581d060f894231e54bd0026844193ea9fd47d6207d11d144140e

    Download Submit

  • /data/data/com.rrnynabnv.cgofowmor/cache/classes.zip
    Filesize

    1.0MB

    MD5

    0d832f56410f3d98d2ba8c3313eef752

    SHA1

    b104fa6d3062a1506830cc60b55f95fe1e4dfe88

    SHA256

    338d8cfb42a9fef683e651276e68628440598bbe6e313b82210d946c47e2a0d3

    SHA512

    c6769859e4096b76b146a3929be3755eea970d86b34dace054ac14385d74090c215067b6f8ab7c11346a5c5c1a459c8d55c30789d1bceb7a49bfe1598e1e9fa6

    Download Submit

  • /data/data/com.rrnynabnv.cgofowmor/no_backup/androidx.work.workdb
    Filesize

    4KB

    MD5

    7e858c4054eb00fcddc653a04e5cd1c6

    SHA1

    2e056bf31a8d78df136f02a62afeeca77f4faccf

    SHA256

    9010186c5c083155a45673017d1e31c2a178e63cc15a57bbffde4d1956a23dad

    SHA512

    d0c7a120940c8e637d5566ef179d01eff88a2c2650afda69ad2a46aad76533eaace192028bba3d60407b4e34a950e7560f95d9f9b8eebe361ef62897d88b30cb

    Download Submit

  • /data/data/com.rrnynabnv.cgofowmor/no_backup/androidx.work.workdb-journal
    Filesize

    512B

    MD5

    44a6eea38f9da810eaeb760dc3210ae7

    SHA1

    83e10e67721ebfcfa3e81a629a4de92f7adaef2e

    SHA256

    fe15aaaba96da26dc1e9acac92da3d9c42bcc5bfc252f3d7d5959f64d18d29dc

    SHA512

    666470d9fb732e1b6219869edf49d9c1ad4409a343856d3b5b71a3c72989d1d9feaf20682c22332f3072ccae7d2d42c7db795cd6cb4c5f94581008435e64d391

    Download Submit

  • /data/data/com.rrnynabnv.cgofowmor/no_backup/androidx.work.workdb-shm
    Filesize

    32KB

    MD5

    bb7df04e1b0a2570657527a7e108ae23

    SHA1

    5188431849b4613152fd7bdba6a3ff0a4fd6424b

    SHA256

    c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

    SHA512

    768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

    Download Submit

  • /data/data/com.rrnynabnv.cgofowmor/no_backup/androidx.work.workdb-wal
    Filesize

    16KB

    MD5

    16da4450e88fcece99134cb4bd7f3f2f

    SHA1

    438d7fb02ca19893242f127d20b1ad0a6815d444

    SHA256

    4d4da15f1da4238e9c8b6e6576f2c3f4da269b2a34fa7be810ff496b6ccbaa5c

    SHA512

    f12c85647c8972766a80900431300dfede34486ceacb3231bf151879af7a2c3ab5bb9b593b03162266fe56aa28d847144012ff8a46664c12579d612042862b18

    Download Submit

  • /data/data/com.rrnynabnv.cgofowmor/no_backup/androidx.work.workdb-wal
    Filesize

    108KB

    MD5

    9461ae9971edc1963a416b5b6770053f

    SHA1

    b1b75fae9049ba92ecc76def4fb74f1f34c7179b

    SHA256

    85e65d90d50df21a9b556e3443c32c4eddc93c886a33af95fcaa42c8a7dac80d

    SHA512

    8d55d170eb2e9ecddc875f6f9164aba0931463be924c00854bfc68c5a41f75b30557b191716289688b9c2e65c1bb85cbf9091f1ebb83733b7f780a8be76e87e9

    Download Submit

  • /data/data/com.rrnynabnv.cgofowmor/no_backup/androidx.work.workdb-wal
    Filesize

    173KB

    MD5

    e0e9864544cc33b3526974236a866f5e

    SHA1

    8ecf39d520ee6d43b5f99607fd4d513b3da28c56

    SHA256

    202d402c077892edb83abe01d8f2ce266c99ea08e9da873b8a1bbf4b7c0984ca

    SHA512

    4303233082cd6bd4e00aa9f246098f2d0bf7560bfa15a3f26f2700a1ccd3b5b8969582bdcdf11766febeb6c0ea44f85d9ea5305104bf8961584006b800ecd484

    Download Submit