Overview

overview

10

Static

static

6

be972dd8e3...53.apk

android-9-x86

10

be972dd8e3...53.apk

android-10-x64

10

be972dd8e3...53.apk

android-11-x64

10

Analysis

  • max time kernel
    38s
  • max time network
    157s
  • platform
    android_x86
  • resource
    android-x86-arm-20240624-en
  • resource tags

    androidarch:armarch:x86image:android-x86-arm-20240624-enlocale:en-usos:android-9-x86system
  • submitted
    06-12-2024 22:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    be972dd8e3ffd84d67f572f44832f656706ecb2809c661d4d5380861a4f10253.apk

  • Size

    4.6MB

  • MD5

    aaa31e49fcb91581f5933ba7166dd9c0

  • SHA1

    10c8575cb77e46072f6a318afcec152c2bbbc785

  • SHA256

    be972dd8e3ffd84d67f572f44832f656706ecb2809c661d4d5380861a4f10253

  • SHA512

    2b10b8d69bdf0a25bb5e645080814cc387da9e144e6f0cd5f9e3b74321d909a08fcadcc4cc557dd536ef7a02f4876cbdea3ce09257828001e8980ef4ed1c0cbb

  • SSDEEP

    98304:QABAZQC+TvwcUT4iAiAyuzysAFhJtB3GWMpKe+UwdQO+Lh:4ZQNzwcBiNuzSttXtbRAh

Score
10/10
hookbankercollectioncredential_accessdiscoveryevasionexecutionimpactinfostealerpersistenceratstealthtrojan

Malware Config

Extracted

Family

hook

C2

http://154.216.20.102

DES_key
AES_key

Signatures

  • Hook

    Hook is an Android malware that is based on Ermac with RAT capabilities.

    rattrojaninfostealerhook
  • Hook family
    hook
  • Removes its main activity from the application launcher 1 TTPs 2 IoCs
    stealthtrojanevasion
  • Loads dropped Dex/Jar 1 TTPs 3 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasioncredential_access
  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
    bankerdiscovery
  • Queries information about running processes on the device 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about running processes on the device.

    discovery
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    evasionpersistence
  • Performs UI accessibility actions on behalf of the user 1 TTPs 13 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

    discovery
  • Reads information about phone network operator. 1 TTPs
    discovery
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
    collectioncredential_access
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
    evasion
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
    persistence
  • Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

    executionpersistence
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
    impact

Processes

  • com.qbhmdvvck.qknxgmgfh
    1⤵
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Queries information about running processes on the device
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries information about the current Wi-Fi connection
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Schedules tasks to execute at a specified time
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4261
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.qbhmdvvck.qknxgmgfh/app_dex/classes.dex --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.qbhmdvvck.qknxgmgfh/app_dex/oat/x86/classes.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4291

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

1
T1603

Persistence

Event Triggered Execution

1
T1624

Broadcast Receivers

1
T1624.001

Foreground Persistence

1
T1541

Scheduled Task/Job

1
T1603

Privilege Escalation

Defense Evasion

Download New Code at Runtime

1
T1407

Foreground Persistence

1
T1541

Hide Artifacts

2
T1628

Suppress Application Icon

1
T1628.001

User Evasion

1
T1628.002

Impair Defenses

1
T1629

Prevent Application Removal

1
T1629.001

Input Injection

1
T1516

Credential Access

Access Notifications

1
T1517

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Discovery

Process Discovery

1
T1424

Software Discovery

1
T1418

Security Software Discovery

1
T1418.001

System Network Configuration Discovery

2
T1422

System Network Connections Discovery

1
T1421

Lateral Movement

Collection

Access Notifications

1
T1517

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Screen Capture

1
T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

1
T1471

Input Injection

1
T1516

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/com.qbhmdvvck.qknxgmgfh/app_dex/classes.dex
    Filesize

    2.9MB

    MD5

    f88c9fa9a35b996bd2a38f084c8be8ad

    SHA1

    351c3ad315592d10869b3edbfbaadab20c322bfc

    SHA256

    4797b57011346fb164d32d6aa0db449da0fba12c8a53e6efb6a5e8b6183f01e1

    SHA512

    10b14f37972858e67ee33c71a65c612230d0bfa8663fbcd75fe2a6abe783c2c3ef9c7479a66d88dde11bcac2a7c58688252449efa51601055503b1a521d6c292

    Download Submit

  • /data/data/com.qbhmdvvck.qknxgmgfh/cache/classes.dex
    Filesize

    1.0MB

    MD5

    4a4877082705cb49d293543ec5e3119a

    SHA1

    a606217bdf148bddb12b0c2e6388aa3de111f73a

    SHA256

    780d109e953a9d4ee881fde9707feaffa23af85d9e00e9c43c5747c3d13d1838

    SHA512

    bc64141cfe3eb3da514235bfeb2ff96a5bf5cbf1395e8b3c02b2598c3e94f9150e34b9031d8564223abe967d7c0af891e5da03eb49fd0b6d381138de7f9fb102

    Download Submit

  • /data/data/com.qbhmdvvck.qknxgmgfh/cache/classes.zip
    Filesize

    1.0MB

    MD5

    6bc2f742eee1ab597e6382586dc6c7a2

    SHA1

    64e0f28f61a9e1ba3f769beaac422fa4b5e823e4

    SHA256

    546ef83291daa6cff448ed7ce1fafa45d1aba49235b6b42bf65f8d42394a0a56

    SHA512

    b6c8bac5db10a9d9aaaaae7e7e3adeb4dc6a81fbec74999f07edce106d4d8832a6677f818ed21789cb417cd621b50482340f1128e467cd549243070e81e77a9b

    Download Submit

  • /data/data/com.qbhmdvvck.qknxgmgfh/no_backup/androidx.work.workdb
    Filesize

    4KB

    MD5

    f2b4b0190b9f384ca885f0c8c9b14700

    SHA1

    934ff2646757b5b6e7f20f6a0aa76c7f995d9361

    SHA256

    0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

    SHA512

    ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

    Download Submit

  • /data/data/com.qbhmdvvck.qknxgmgfh/no_backup/androidx.work.workdb-journal
    Filesize

    512B

    MD5

    6341102bb03d3b20380b613a53c7299b

    SHA1

    3e817a6ac0dbe00c20c2a318f74b8883e475cf86

    SHA256

    ed8207477f9589c67b2f74e731008008ff327d5e02bfc30e09a787d34e3e3ba2

    SHA512

    a6108b4d989b9343e8c811050bd94a47ab2c0af93cdb8b39f4569c18adbb369340e6a6b03da354e903344c472c99c1a35ae09ffff98f8f3e5c32c465f1099abb

    Download Submit

  • /data/data/com.qbhmdvvck.qknxgmgfh/no_backup/androidx.work.workdb-shm
    Filesize

    32KB

    MD5

    bb7df04e1b0a2570657527a7e108ae23

    SHA1

    5188431849b4613152fd7bdba6a3ff0a4fd6424b

    SHA256

    c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

    SHA512

    768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

    Download Submit

  • /data/data/com.qbhmdvvck.qknxgmgfh/no_backup/androidx.work.workdb-wal
    Filesize

    108KB

    MD5

    9696077330c3fc143539e320912a9e99

    SHA1

    b6205a359033d5e24e6c04dea027b2d80801d14d

    SHA256

    19e1eec494b4f6d4a985a3cd4f169f4dee275e95b1165fe3ac2d7eeb92bd61ec

    SHA512

    7e3696fee7d6fc37aef355ed70dd91dea4139e27c8c996a4001bdd80f4f42dfe2d915e54cca59db5d084b55de0df849bcd7a3f1886e27449525c826077f99e48

    Download Submit

  • /data/data/com.qbhmdvvck.qknxgmgfh/no_backup/androidx.work.workdb-wal
    Filesize

    173KB

    MD5

    9943c8911170119cee35f1b6a81a0e12

    SHA1

    bb5194ec1c84c3979f7b208e6e87dc2a4803ae7e

    SHA256

    5a25962fb625fc25aa8854390b149d6145b2c71b0d364d20ebf9eada5bc09ea6

    SHA512

    a41a5fadf97cbfd0e693f976235263b4f43b451839f2a967c056989bed7aa12d892c6530974601424b8b6a177b802dc3e0d4e8f1b9a4cb1dce589c4afc0bde29

    Download Submit

  • /data/data/com.qbhmdvvck.qknxgmgfh/no_backup/androidx.work.workdb-wal
    Filesize

    16KB

    MD5

    6e424706d4c824a9e3b0610308b5efa6

    SHA1

    117303e5c589337365c8470dd440c15f82d3b2d9

    SHA256

    752e5b9017b06cd15b321327668bd49714910d2fdc5c7949c6732186115554a9

    SHA512

    ca3d8ecceb9f3da8a6112cf1140e5662fccc7a8728493ff87526ec421889f7ce43d28d75a2501f915c7a6b7920c05c331a01ca4506dcae3cb74b4f140eb38b81

    Download Submit

  • /data/user/0/com.qbhmdvvck.qknxgmgfh/app_dex/classes.dex
    Filesize

    2.9MB

    MD5

    dd33981ef5e56da2f1e7879a80ff3e0c

    SHA1

    2197154db4989c8d1257f28bdb9e5013435d4ad1

    SHA256

    6f83a22a2fc6d77c11e8e124c73f2e6d5df348b6bb333ddc548c240503d0a85e

    SHA512

    011ff4856685bf012dc51f3b54607be311391090eabee7cb05f6a9e1e95c2c801f1269b75dfea7cc11f42b0593682286b9e2306cc2f4252ba9e98dea9575eb42

    Download Submit