Overview

overview

10

Static

static

6

b70a063fb4...49.apk

android-9-x86

10

b70a063fb4...49.apk

android-10-x64

10

b70a063fb4...49.apk

android-11-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    162s
  • platform
    android-9_x86
  • resource
    android-x86-arm-20240910-en
  • resource tags

    arch:armarch:x86image:android-x86-arm-20240910-enlocale:en-usos:android-9-x86system
  • submitted
    05-12-2024 22:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b70a063fb4ef21ea9adbcf18bd601f5358207ccc491d7e05bb638288282a8649.apk

  • Size

    4.5MB

  • MD5

    d3f7ab3aaa6735e77c6b2a66ae63c634

  • SHA1

    4aa804d9d28ccc7e54122218d6ca2830a71a74f9

  • SHA256

    b70a063fb4ef21ea9adbcf18bd601f5358207ccc491d7e05bb638288282a8649

  • SHA512

    7e1be4cccd9ce8e0576b82743bc3e978456329658daa1e98579fbe6c8287341387725c3f6a92f7281a32eb6d11fc61a4b0c1d41d6a50063bf14cb619e373a89a

  • SSDEEP

    98304:rHqy0aUVCvbQW2r75a+WWNAo8SlIVGZLNHWoHckbwyKp0:EPWY/8+Jb8SyGZLN24ckbwJ2

Score
10/10
hookcollectioncredential_accessdiscoveryevasionexecutionimpactinfostealerpersistencerattrojan

Malware Config

Extracted

Family

hook

C2

http://154.216.17.184

DES_key
AES_key

Signatures

  • Hook

    Hook is an Android malware that is based on Ermac with RAT capabilities.

    rattrojaninfostealerhook
  • Hook family
    hook
  • Loads dropped Dex/Jar 1 TTPs 3 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasioncredential_access
  • Queries information about running processes on the device 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about running processes on the device.

    discovery
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    evasionpersistence
  • Performs UI accessibility actions on behalf of the user 1 TTPs 5 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

    discovery
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
    discovery
  • Reads information about phone network operator. 1 TTPs
    discovery
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
    persistence
  • Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

    executionpersistence
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
    impact
  • Checks CPU information 2 TTPs 1 IoCs
  • Checks memory information 2 TTPs 1 IoCs

Processes

  • com.jiuogyqli.wownkjdpn
    1⤵
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Queries information about running processes on the device
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries information about the current Wi-Fi connection
    • Queries the mobile country code (MCC)
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Schedules tasks to execute at a specified time
    • Uses Crypto APIs (Might try to encrypt user data)
    • Checks CPU information
    • Checks memory information
    PID:4403
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.jiuogyqli.wownkjdpn/app_dex/classes.dex --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.jiuogyqli.wownkjdpn/app_dex/oat/x86/classes.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4428

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

1
T1603

Persistence

Event Triggered Execution

1
T1624

Broadcast Receivers

1
T1624.001

Foreground Persistence

1
T1541

Scheduled Task/Job

1
T1603

Privilege Escalation

Defense Evasion

Download New Code at Runtime

1
T1407

Foreground Persistence

1
T1541

Impair Defenses

1
T1629

Prevent Application Removal

1
T1629.001

Input Injection

1
T1516

Virtualization/Sandbox Evasion

2
T1633

System Checks

2
T1633.001

Credential Access

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Discovery

Process Discovery

1
T1424

System Information Discovery

2
T1426

System Network Configuration Discovery

3
T1422

System Network Connections Discovery

1
T1421

Lateral Movement

Collection

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Screen Capture

1
T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

1
T1471

Input Injection

1
T1516

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/com.jiuogyqli.wownkjdpn/app_dex/classes.dex
    Filesize

    2.9MB

    MD5

    768396fd05be9fa92bc613e0b2be5bb1

    SHA1

    9bf331746784e1556f40d277bf2ace4422d0f5a3

    SHA256

    434f9df3feefd7799922db5535018627c1cceddb24a5c37ddaba82d7d59efbda

    SHA512

    88247b1ec58e58b3ec3ac53620e0cc799dc7955033cb1c0805208a340d2734ca28afb1507280794306b4151f9461d132c11c761b62e34ced756b570f31b4b7bb

    Download Submit

  • /data/data/com.jiuogyqli.wownkjdpn/cache/classes.dex
    Filesize

    1.0MB

    MD5

    86e18fc698b0eaecaccf05c893614e64

    SHA1

    9a7aea94d6b07f02742e19be56e40d6814a5ec15

    SHA256

    69d617fdd3c9a033f6afbaba0574d970a60eb0e60a271852538e2d8cb4d8ae55

    SHA512

    e2b87b651308eb6b3ca181ce75e7ae6ef106e2885e23c40c0f9c0359f08e3f5020a4f1b2b415186878666c6bcc40a10509e56c37350693cb7ec5b73461d178ac

    Download Submit

  • /data/data/com.jiuogyqli.wownkjdpn/cache/classes.zip
    Filesize

    1.0MB

    MD5

    d3b4012025bb1cb9bf8ef3c037394133

    SHA1

    60554398feab97d2091ca04ee30111e1e3795525

    SHA256

    93587959381b442412c4d9b5b0693e42661c29be12c6a779d572fc44c638db82

    SHA512

    e88dd48b64252dc6b95b2d34219f1275034bac59c5fbd9400b1bbc884950c85710cce7f81a8b8b664c241ba4c30433324111239b92e65df0cbfda3c42f15c58a

    Download Submit

  • /data/data/com.jiuogyqli.wownkjdpn/no_backup/androidx.work.workdb
    Filesize

    4KB

    MD5

    f2b4b0190b9f384ca885f0c8c9b14700

    SHA1

    934ff2646757b5b6e7f20f6a0aa76c7f995d9361

    SHA256

    0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

    SHA512

    ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

    Download Submit

  • /data/data/com.jiuogyqli.wownkjdpn/no_backup/androidx.work.workdb-journal
    Filesize

    512B

    MD5

    e36e754f77956207e749533f874a6c45

    SHA1

    3fbf1c4349faa94b45689c45ff261fcc8524dbcd

    SHA256

    d204596cda0eff29179102c1994e86941be7056c202825be18caa4866b268751

    SHA512

    2e1cde2fd90dae8f592a825c58192f1514f6758185e9270fb4df5c41cbd6ab7aaca57a2cf53d5b5ed03e3646b0287cfe0952f681f7ed859ad7105b5f5ed4d5ee

    Download Submit

  • /data/data/com.jiuogyqli.wownkjdpn/no_backup/androidx.work.workdb-shm
    Filesize

    32KB

    MD5

    bb7df04e1b0a2570657527a7e108ae23

    SHA1

    5188431849b4613152fd7bdba6a3ff0a4fd6424b

    SHA256

    c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

    SHA512

    768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

    Download Submit

  • /data/data/com.jiuogyqli.wownkjdpn/no_backup/androidx.work.workdb-wal
    Filesize

    108KB

    MD5

    c63a850e14ed0b88e22dd73be03fd212

    SHA1

    40bdd9c6c76f1afc5858c14d24d45df6961f5d75

    SHA256

    7c1f17413c7eedf2069d706935a27319f9725e255f48d6bb933a837744c12b98

    SHA512

    8d993ac0694ea1dadd9e88c34292645fb59f428ab5396baa3a856941e2cb5bcc4fa8fe9120e829ee622e1929711d33469b46b82e215bbb3df425ea3a3883f467

    Download Submit

  • /data/data/com.jiuogyqli.wownkjdpn/no_backup/androidx.work.workdb-wal
    Filesize

    173KB

    MD5

    54a50b18c0ce345f95df9f01621f3a64

    SHA1

    690ac600e03ccce8324d6bad78a36f67b1a4ce5f

    SHA256

    87779e4e811196d3733b40c078eb8321ec339109aa8f3db458de2edadff508fa

    SHA512

    260c5cb3828a519f1236549bc1d3956876ae610831948e44c07b90e59bbebc43f60a6a7943e42d3195dc432598957952420f7d31b3484c1d21fe4bebe2d05194

    Download Submit

  • /data/data/com.jiuogyqli.wownkjdpn/no_backup/androidx.work.workdb-wal
    Filesize

    16KB

    MD5

    1b70a87a1c51e5013fc23ecdb39bfb7b

    SHA1

    18c17f80f704715d91a39c966c0aee2a870e3717

    SHA256

    5d0d0d6507e4110844e89db26f351a08c9e6c157aac1d7065f17325a5737b934

    SHA512

    4e6055216b88fdf7b66e45facb4c168236e1ece1d3a744c350201e3db3a26e547e6a2a04eec792099d6e366c930da9cadc9272b1b8834202582e79362e508a89

    Download Submit

  • /data/user/0/com.jiuogyqli.wownkjdpn/app_dex/classes.dex
    Filesize

    2.9MB

    MD5

    21384cc7d4d51665e44ed01d0dfded51

    SHA1

    9204592113178c31751a584d6536de1c1fb7be10

    SHA256

    a1130d60dddc740b2868973c6e23b46a931461ce37c73544ec38d7ccd15fbacf

    SHA512

    1154096277236ed5f98fad266f3f9b66e211c671b7b44e23f7dc1c94c7bc117782aaa47fd54835fdcad336f77543018e0009db012d9e2014a0885a4536b37fa1

    Download Submit