Analysis

  • max time kernel: 148s
  • max time network: 159s
  • platform: android-10_x64
  • resource: android-x64-20240910-en
  • resource tags: arch:x64, arch:x86, image:android-x64-20240910-en, locale:en-us, os:android-10-x64, system
  • submitted: 09-12-2024 22:09

General

  • Target: 79219ec025b01ba08b08e9734db24e51b549d2a75d2a63ae48c4711ca7ca80d4.apk
  • Size: 4.6MB
  • MD5: 0311383ed8ab2648e46d550dd98c77cd
  • SHA1: 84bc0f8a3c8f5d3344915d4c5f2d62244679a123
  • SHA256: 79219ec025b01ba08b08e9734db24e51b549d2a75d2a63ae48c4711ca7ca80d4
  • SHA512: c89f9d63a29cd5488b46c470b087d5987ea6dcbdd80c44704953badfe56fc1d737016e1bc6ec76f40b47b3d65e4fe8fe27710183f5014ca7d86cd0619a029a7e
  • SSDEEP: 98304:3fwJqEScs8FzBB7URVBkOMPBQo2/PqnkQbyZTSbJqIgd9A:yqN4JIRV2OGF2/okQbyZT+qIgA

Malware Config

Extracted

  • Family: hook
  • C2: http://154.216.19.93
  • DES_key
  • AES_key

Signatures

  • Hook

    Hook is an Android malware that is based on Ermac with RAT capabilities.

  • Hook family
  • Loads dropped Dex/Jar (1 TTP, 2 IoCs)

    Runs an executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service (4 TTPs, 3 IoCs)

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Obtains sensitive information copied to the device clipboard (2 TTPs, 1 IoC)

    Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

  • Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 TTP)
  • Queries information about running processes on the device (1 TTP, 1 IoC)

    Application may abuse the framework's APIs to collect information about running processes on the device.

  • Queries the phone number (MSISDN for GSM devices) (1 TTP)
  • Acquires the wake lock (1 IoC)
  • Makes use of the framework's foreground persistence service (1 TTP, 1 IoC)

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Performs UI accessibility actions on behalf of the user (1 TTP, 8 IoCs)

    Application may abuse the accessibility service to prevent its removal.

  • Queries information about the current Wi-Fi connection (1 TTP, 1 IoC)

    Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

  • Queries the mobile country code (MCC) (1 TTP, 1 IoC)
  • Reads information about the phone network operator (1 TTP)
  • Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTP, 1 IoC)
  • Schedules tasks to execute at a specified time (1 TTP, 1 IoC)

    Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

  • Uses Crypto APIs (might try to encrypt user data) (1 TTP, 1 IoC)
  • Checks CPU information (2 TTPs, 1 IoC)
  • Checks memory information (2 TTPs, 1 IoC)

Processes

  • com.gselqrjdt.fbjofrdes (PID 5237)
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Obtains sensitive information copied to the device clipboard
    • Queries information about running processes on the device
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries information about the current Wi-Fi connection
    • Queries the mobile country code (MCC)
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Schedules tasks to execute at a specified time
    • Uses Crypto APIs (might try to encrypt user data)
    • Checks CPU information
    • Checks memory information

Network

MITRE ATT&CK Mobile v15

Downloads

  • /data/data/com.gselqrjdt.fbjofrdes/app_dex/classes.dex
    • Filesize: 2.9MB
    • MD5: 4e5666891f5538cdf3555e01177a91c7
    • SHA1: cc9b9a2ecef1f56bf04a326ecacbdec6b3330c44
    • SHA256: ee02e8d7fdf75fcc8a8bfffee8616a3bcb6f461efbf1c89b0e1f859ce268f950
    • SHA512: 3111496c0fe413e535bff9ce301fb7a30d5b7bc5c5a7eb7fc97ece4567b6e92bbd28b91259a03663af6657515ee254effd20b061f45b9937846dbb9ec8cb18e9

  • /data/data/com.gselqrjdt.fbjofrdes/cache/classes.dex
    • Filesize: 1.0MB
    • MD5: 9dca2adea53f7795350be0a75115e152
    • SHA1: 8d0965a89da3b4a2ede2e6a62cb7236f718becb2
    • SHA256: a470d5b36d90e694093739a3103a7ee1531ed7b770dba724f6822e00deda7108
    • SHA512: c241a932a2ebce50d0ce14a21c8f94e03d9a7b36a1e22ba30daae80c42e5c7bf46685db3e1d12aa960851b744814da3a7ae965e31f9f6d99f11a853eb3ce8e81

  • /data/data/com.gselqrjdt.fbjofrdes/cache/classes.zip
    • Filesize: 1.0MB
    • MD5: c681c85cefc7f8ca81598dff7313a001
    • SHA1: e4c23dfe4364544297d23eb9a2efc790146dfa27
    • SHA256: 7c9e11c5d136fb5f8c4beda3a7702c4c01336cfdec66c93e7d02d4701c4ced6a
    • SHA512: 0a6fb1b7207722992516b5a0c410e232f4d096e5103739f08cc3569403820604a5f85b7bf6f2a67966d2b28662fa698326010d27f889d5a65e6b0ecb0c30fd59

  • /data/data/com.gselqrjdt.fbjofrdes/no_backup/androidx.work.workdb
    • Filesize: 4KB
    • MD5: f2b4b0190b9f384ca885f0c8c9b14700
    • SHA1: 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
    • SHA256: 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
    • SHA512: ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

  • /data/data/com.gselqrjdt.fbjofrdes/no_backup/androidx.work.workdb-journal
    • Filesize: 512B
    • MD5: d59b96f93ffb27d7eb4ab1ac8cdbdeb4
    • SHA1: df11b94ec4d8d7e7c89437acd9c8ff577be453cf
    • SHA256: dabc27872ef134747c9e1003e1a599f5d266b80cfd3e70d5adb083d9a139bfde
    • SHA512: 38cd02c0ea0d8982585d6ea1eff5ee1fdddf4636526012ae3db0d594e5194bf97fb6525b3e2908594adb5b2ed0a1997c1ad1621944df5fa8144eff53b17eebc7

  • /data/data/com.gselqrjdt.fbjofrdes/no_backup/androidx.work.workdb-shm
    • Filesize: 32KB
    • MD5: bb7df04e1b0a2570657527a7e108ae23
    • SHA1: 5188431849b4613152fd7bdba6a3ff0a4fd6424b
    • SHA256: c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
    • SHA512: 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

  • /data/data/com.gselqrjdt.fbjofrdes/no_backup/androidx.work.workdb-wal
    • Filesize: 16KB
    • MD5: 2e15ea9b73e74357a93bf347a59cabf0
    • SHA1: abdaed5c788018fa646ee853d8003dbf6c6f65b0
    • SHA256: 0f9ed427b60fe596986b64957a365c676954a568f1871ba6c495351357324611
    • SHA512: 8b06694cbd85abd10e85a06213ad2775b511db74400c5702a87bb6f9e9e9a2bbb7cf9f1293559b81deea7041ec12fbe4a9565a2469fab147dcafec550c15dac5

  • /data/data/com.gselqrjdt.fbjofrdes/no_backup/androidx.work.workdb-wal
    • Filesize: 108KB
    • MD5: 5307b6d735b051973bd70b54375fc56b
    • SHA1: 4466d097106e0fef2e2b81b0a5d966865810660c
    • SHA256: 8781b30ab415683835bd80608e2352bcd31072c38b644b1a5167e77e1b26209d
    • SHA512: 6d6dda3e3d00d6c8b166674fbd2367c9951a17ef0c2db0816589f90a0ba2407d43bd289e804866edeca7c103f62fdbabef84d805328e3792a367a19a93eee398

  • /data/data/com.gselqrjdt.fbjofrdes/no_backup/androidx.work.workdb-wal
    • Filesize: 173KB
    • MD5: 0003828dc275a6202c5607e007b2063a
    • SHA1: 39dda10ead68a03fbd8a8699c524f2ae1335de58
    • SHA256: fe5c4bce97ec2c5efa3ff36d1e0a3d1d2ff3987a81227a03409b92936272b91a
    • SHA512: be5d14175277ecdb2bc24adb4a6e9ea492dbf0093ae816c9cb0919a55e13bbc617cbf1300e2c8be7355605911d69c4ce07187498d0b5f8b4db911d13beefe91c