Analysis

  • max time kernel
    148s
  • max time network
    161s
  • platform
    android-9_x86
  • resource
    android-x86-arm-20240910-en
  • resource tags

    arch:arm, arch:x86, image:android-x86-arm-20240910-en, locale:en-us, os:android-9-x86, system
  • submitted
    09-12-2024 22:09

General

  • Target

    79219ec025b01ba08b08e9734db24e51b549d2a75d2a63ae48c4711ca7ca80d4.apk

  • Size

    4.6MB

  • MD5

    0311383ed8ab2648e46d550dd98c77cd

  • SHA1

    84bc0f8a3c8f5d3344915d4c5f2d62244679a123

  • SHA256

    79219ec025b01ba08b08e9734db24e51b549d2a75d2a63ae48c4711ca7ca80d4

  • SHA512

    c89f9d63a29cd5488b46c470b087d5987ea6dcbdd80c44704953badfe56fc1d737016e1bc6ec76f40b47b3d65e4fe8fe27710183f5014ca7d86cd0619a029a7e

  • SSDEEP

    98304:3fwJqEScs8FzBB7URVBkOMPBQo2/PqnkQbyZTSbJqIgd9A:yqN4JIRV2OGF2/okQbyZT+qIgA

Malware Config

Extracted

Family

hook

C2

http://154.216.19.93

DES_key
AES_key

Signatures

  • Hook

    Hook is an Android malware family based on Ermac with RAT capabilities.

  • Hook family
  • Loads dropped Dex/Jar (1 TTP, 3 IoCs)

    Runs an executable file dropped onto the device during analysis.

  • Makes use of the framework's Accessibility service (4 TTPs, 3 IoCs)

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 TTP)
  • Queries information about running processes on the device (1 TTP, 1 IoC)

    Application may abuse the framework's APIs to collect information about running processes on the device.

  • Queries the phone number (MSISDN for GSM devices) (1 TTP)
  • Acquires the wake lock (1 IoC)
  • Makes use of the framework's foreground persistence service (1 TTP, 1 IoC)

    Application may abuse the framework's foreground service to keep running in the foreground.

  • Performs UI accessibility actions on behalf of the user (1 TTP, 8 IoCs)

    Application may abuse the accessibility service to prevent its own removal.

  • Queries information about the current Wi-Fi connection (1 TTP, 1 IoC)

    Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

  • Queries the mobile country code (MCC) (1 TTP, 1 IoC)
  • Reads information about the phone network operator (1 TTP)
  • Requests access to notifications (often used to intercept notifications before users become aware) (1 TTP, 1 IoC)
  • Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTP, 1 IoC)
  • Schedules tasks to execute at a specified time (1 TTP, 1 IoC)

    Application may abuse the framework's APIs to schedule initial or recurring execution of malicious code.

  • Uses Crypto APIs (might try to encrypt user data) (1 TTP, 1 IoC)
  • Checks CPU information (2 TTPs, 1 IoC)
  • Checks memory information (2 TTPs, 1 IoC)

Processes

  • com.gselqrjdt.fbjofrdes
    1⤵
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Queries information about running processes on the device
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries information about the current Wi-Fi connection
    • Queries the mobile country code (MCC)
    • Requests access to notifications (often used to intercept notifications before users become aware)
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Schedules tasks to execute at a specified time
    • Uses Crypto APIs (Might try to encrypt user data)
    • Checks CPU information
    • Checks memory information
    PID:4210
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.gselqrjdt.fbjofrdes/app_dex/classes.dex --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.gselqrjdt.fbjofrdes/app_dex/oat/x86/classes.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4236

Network

MITRE ATT&CK Mobile v15

Downloads

  • /data/data/com.gselqrjdt.fbjofrdes/app_dex/classes.dex

    Filesize

    2.9MB

    MD5

    4e5666891f5538cdf3555e01177a91c7

    SHA1

    cc9b9a2ecef1f56bf04a326ecacbdec6b3330c44

    SHA256

    ee02e8d7fdf75fcc8a8bfffee8616a3bcb6f461efbf1c89b0e1f859ce268f950

    SHA512

    3111496c0fe413e535bff9ce301fb7a30d5b7bc5c5a7eb7fc97ece4567b6e92bbd28b91259a03663af6657515ee254effd20b061f45b9937846dbb9ec8cb18e9

  • /data/data/com.gselqrjdt.fbjofrdes/cache/classes.dex

    Filesize

    1.0MB

    MD5

    9dca2adea53f7795350be0a75115e152

    SHA1

    8d0965a89da3b4a2ede2e6a62cb7236f718becb2

    SHA256

    a470d5b36d90e694093739a3103a7ee1531ed7b770dba724f6822e00deda7108

    SHA512

    c241a932a2ebce50d0ce14a21c8f94e03d9a7b36a1e22ba30daae80c42e5c7bf46685db3e1d12aa960851b744814da3a7ae965e31f9f6d99f11a853eb3ce8e81

  • /data/data/com.gselqrjdt.fbjofrdes/cache/classes.zip

    Filesize

    1.0MB

    MD5

    c681c85cefc7f8ca81598dff7313a001

    SHA1

    e4c23dfe4364544297d23eb9a2efc790146dfa27

    SHA256

    7c9e11c5d136fb5f8c4beda3a7702c4c01336cfdec66c93e7d02d4701c4ced6a

    SHA512

    0a6fb1b7207722992516b5a0c410e232f4d096e5103739f08cc3569403820604a5f85b7bf6f2a67966d2b28662fa698326010d27f889d5a65e6b0ecb0c30fd59

  • /data/data/com.gselqrjdt.fbjofrdes/no_backup/androidx.work.workdb

    Filesize

    4KB

    MD5

    f2b4b0190b9f384ca885f0c8c9b14700

    SHA1

    934ff2646757b5b6e7f20f6a0aa76c7f995d9361

    SHA256

    0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

    SHA512

    ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

  • /data/data/com.gselqrjdt.fbjofrdes/no_backup/androidx.work.workdb-journal

    Filesize

    512B

    MD5

    5bd81ab00966945c51efec6103205383

    SHA1

    3c680ad0fab235089f3a87d74c00e47eab691927

    SHA256

    c2feffa48452f336acdd3e8330a75bd726d0283e8189f8f0b3b421709ec5af9b

    SHA512

    8a22eb719a0fe63d83c165194e42cf2a65d1f0ca522dc1eeeac4d50a58f3e07acca74ed26f1113e1cae66cb2f265aca91a8e071c4e3f001e8c7c8ee74069b461

  • /data/data/com.gselqrjdt.fbjofrdes/no_backup/androidx.work.workdb-shm

    Filesize

    32KB

    MD5

    bb7df04e1b0a2570657527a7e108ae23

    SHA1

    5188431849b4613152fd7bdba6a3ff0a4fd6424b

    SHA256

    c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

    SHA512

    768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

  • /data/data/com.gselqrjdt.fbjofrdes/no_backup/androidx.work.workdb-wal

    Filesize

    108KB

    MD5

    aa52761c03651606596dbddcd59ae993

    SHA1

    dbece8c5d9b390a5cd9c2a2e91bfcad915dec3f2

    SHA256

    c577bd79be152a94b30c0e259f73643ed0349ef1cf5dc50ee8f55ebaefeb7e7d

    SHA512

    01bb3b87db9dfe2e4b8eb75b2d2f05f7edeaaaee2f79bb138e802a25de41a954f9d2b9cfd948fa35cafbbaa2f9e4dfe5bc3a441838d1cd5670e548f7af675d54

  • /data/data/com.gselqrjdt.fbjofrdes/no_backup/androidx.work.workdb-wal

    Filesize

    173KB

    MD5

    02fd1a484cfd1b0b001b1c99365a642f

    SHA1

    8d5711763f9368587b864bc81fce79e8e33d128b

    SHA256

    5c4d64dfc10cd6ea787aa4be2967816d92429cebb83ac7d56a3671d1eff26f67

    SHA512

    462cabc61f7be631994da3c440502bd89ae3b046a9e8a656c3cfa3b61ecfb3b6f9e769a4edaf7886eccd212d961f431c9f12dafa7acb415b2aa3789fd09ad3ef

  • /data/data/com.gselqrjdt.fbjofrdes/no_backup/androidx.work.workdb-wal

    Filesize

    16KB

    MD5

    b9f321f3c6fb30aeb0dec10ab73b1455

    SHA1

    e6ee316314ed5fe9fb1bacdc934babfad82dd606

    SHA256

    30f7c0259af14e999a5aa25115cf8acad9b4bcd436f9a804e9eb8d86d2dd347b

    SHA512

    2ebca71724ec185dca1f629dd11092150e356e634cd73f1b83846f8e3d4dc883f643e307e05f5d7a05df4e7e395cb64abfefcff183941abc03b415e9bc156af8

  • /data/user/0/com.gselqrjdt.fbjofrdes/app_dex/classes.dex

    Filesize

    2.9MB

    MD5

    36146acda96b44606a11eeafd76baf43

    SHA1

    e7473c99e753f621d4a7ff68637de3476d501b9f

    SHA256

    99bb7b1e4b5fbfa3bfebc88f8aca5b523e1330222271edd7ed61b15b0e0b1e8c

    SHA512

    356dc8e545eddf9b82854cbed92c78b09e4737eec53a0d5761d8f47baec16230112a91cd292d3c9812b03fb1a1b8747f970cc4bfaa91074fc76b5abc81ec1f51
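The dex2oat invocation in the Processes section and the dropped-file hashes in the Downloads list are the two indicators a responder can actually act on: the first shows ART compiling a classes.dex that lives in the app's private data directory (code that arrived after install, which is what the "Loads dropped Dex/Jar" signature keys on), the second pins the payload by content. The following is an added triage helper, not code from Triage/Hatching or from the sample; the package name, C2, dex2oat command line and SHA256 values are copied from the report above, while the sample file contents it scans are constructed for the demo. It assumes the path layout /data/data/<pkg>/ and /data/user/<n>/<pkg>/ for app-private storage and the DEX header magic "dex\n0NN\0"; the reading of the "&" class-loader-context value as ART's placeholder for a context it could not encode is my interpretation, not something the report states.

```python
"""Triage helpers for the Hook sample in the report above (added example).

Checks:
  1. parse a dex2oat command line and flag a --dex-file under app-private storage;
  2. sniff DEX magic so a re-packed payload is caught even when its hash changes;
  3. match file contents against the dropped-file SHA256s from the Downloads list.
"""
from __future__ import annotations

import hashlib
import shlex
import re

# Indicators copied from the report.
PACKAGE = "com.gselqrjdt.fbjofrdes"
C2 = "http://154.216.19.93"
DROPPED_SHA256 = {  # SHA256 -> path, payload-related entries from Downloads only
    "ee02e8d7fdf75fcc8a8bfffee8616a3bcb6f461efbf1c89b0e1f859ce268f950":
        "/data/data/com.gselqrjdt.fbjofrdes/app_dex/classes.dex",
    "a470d5b36d90e694093739a3103a7ee1531ed7b770dba724f6822e00deda7108":
        "/data/data/com.gselqrjdt.fbjofrdes/cache/classes.dex",
    "7c9e11c5d136fb5f8c4beda3a7702c4c01336cfdec66c93e7d02d4701c4ced6a":
        "/data/data/com.gselqrjdt.fbjofrdes/cache/classes.zip",
    "99bb7b1e4b5fbfa3bfebc88f8aca5b523e1330222271edd7ed61b15b0e0b1e8c":
        "/data/user/0/com.gselqrjdt.fbjofrdes/app_dex/classes.dex",
}
DEX2OAT_CMDLINE = (  # PID 4236 in the Processes section
    "/system/bin/dex2oat --instruction-set=x86 "
    "--instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt "
    "--runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate "
    "--boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m "
    "--instruction-set-variant=x86 --instruction-set-features=default "
    "--inline-max-code-units=0 --compact-dex-level=none "
    "--dex-file=/data/user/0/com.gselqrjdt.fbjofrdes/app_dex/classes.dex "
    "--output-vdex-fd=41 --oat-fd=42 "
    "--oat-location=/data/user/0/com.gselqrjdt.fbjofrdes/app_dex/oat/x86/classes.odex "
    "--compiler-filter=quicken --class-loader-context=&"
)

# Assumed app-private storage roots: /data/data/<pkg>/ and /data/user/<n>/<pkg>/.
APP_PRIVATE_RE = re.compile(r"^/data/(?:data|user/\d+)/([A-Za-z][\w.]*)/")


def parse_dex2oat(cmdline: str) -> dict[str, list[str]]:
    """Collect --key=value flags; a key may repeat (instruction-set-features does here)."""
    flags: dict[str, list[str]] = {}
    for tok in shlex.split(cmdline):
        if tok.startswith("--") and "=" in tok:
            key, value = tok[2:].split("=", 1)
            flags.setdefault(key, []).append(value)
    return flags


def owning_package(path: str) -> str | None:
    """Package name if the path lies in an app-private directory, else None."""
    m = APP_PRIVATE_RE.match(path)
    return m.group(1) if m else None


def assess_dex2oat(cmdline: str) -> dict:
    """Flag a dex2oat run whose input DEX lives in app-private storage.

    Install-time compilation reads from /data/app or /system; a --dex-file under the
    app's own data directory means the code was written there at runtime.
    """
    flags = parse_dex2oat(cmdline)
    dex_files = flags.get("dex-file", [])
    dropped = [(p, owning_package(p)) for p in dex_files if owning_package(p)]
    return {
        "dex_files": dex_files,
        "dropped_dex": [p for p, _ in dropped],
        "packages": sorted({pkg for _, pkg in dropped}),
        # Assumption: '&' is the value ART emits when it cannot encode the loading
        # class loader's context. Treated as a hint, not proof of anything.
        "unknown_class_loader_context": flags.get("class-loader-context") == ["&"],
    }


def looks_like_dex(data: bytes) -> bool:
    """True if data starts with the DEX magic 'dex\\n' + 3-digit version + NUL."""
    return data[:4] == b"dex\n" and data[4:7].isdigit() and data[7:8] == b"\x00"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def scan_files(files: dict[str, bytes], known: dict[str, str] = DROPPED_SHA256) -> list[dict]:
    """Classify each path -> content pair as known dropped payload, unknown DEX, or other."""
    findings = []
    for path, data in files.items():
        digest = sha256_hex(data)
        if digest in known:
            verdict, note = "known-dropped-dex", known[digest]
        elif looks_like_dex(data):
            verdict, note = "unknown-dex", owning_package(path) or "outside-app-storage"
        else:
            verdict, note = "other", ""
        findings.append({"path": path, "sha256": digest, "verdict": verdict, "note": note})
    return findings


if __name__ == "__main__":
    print(assess_dex2oat(DEX2OAT_CMDLINE))
    # Constructed sample files: a fake DEX header under the package's cache dir, a
    # WorkManager SQLite journal that should be ignored, and a plain text file.
    samples = {
        f"/data/data/{PACKAGE}/cache/classes.dex": b"dex\n035\x00" + b"\x00" * 64,
        f"/data/data/{PACKAGE}/no_backup/androidx.work.workdb-journal": b"\x00" * 512,
        "/sdcard/Download/notes.txt": b"just text",
    }
    for finding in scan_files(samples):
        print(finding["verdict"], finding["path"], finding["note"])
```

Run it against a `tar` of `/data/data/<pkg>` pulled from a rooted device or emulator, or feed it the dex2oat lines from `logcat`; the hash match only proves identity with this exact drop, so the DEX-magic check is what catches the next build of the same loader.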