Analysis

  • max time kernel
    128s
  • max time network
    159s
  • platform
    android_x64
  • resource
    android-x64-arm64-20240624-en
  • resource tags

    android, arch:arm, arch:arm64, arch:x64, arch:x86, image:android-x64-arm64-20240624-en, locale:en-us, os:android-11-x64, system
  • submitted
    09-12-2024 22:09

General

  • Target

    79219ec025b01ba08b08e9734db24e51b549d2a75d2a63ae48c4711ca7ca80d4.apk

  • Size

    4.6MB

  • MD5

    0311383ed8ab2648e46d550dd98c77cd

  • SHA1

    84bc0f8a3c8f5d3344915d4c5f2d62244679a123

  • SHA256

    79219ec025b01ba08b08e9734db24e51b549d2a75d2a63ae48c4711ca7ca80d4

  • SHA512

    c89f9d63a29cd5488b46c470b087d5987ea6dcbdd80c44704953badfe56fc1d737016e1bc6ec76f40b47b3d65e4fe8fe27710183f5014ca7d86cd0619a029a7e

  • SSDEEP

    98304:3fwJqEScs8FzBB7URVBkOMPBQo2/PqnkQbyZTSbJqIgd9A:yqN4JIRV2OGF2/okQbyZT+qIgA

Malware Config

Extracted

Family

hook

C2

http://154.216.19.93

DES_key
AES_key

Signatures

  • Hook

    Hook is Android malware derived from the Ermac family and extended with RAT (remote access) capabilities.

  • Hook family
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Loads and runs a Dex/Jar file that was dropped to the device during analysis (dynamic code loading of a second-stage payload).

  • Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

    Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Queries information about running processes on the device 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about running processes on the device.

  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Performs UI accessibility actions on behalf of the user 1 TTPs 5 IoCs

    Application may abuse the accessibility service to prevent its own removal.

  • Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Reads information about the phone network operator 1 TTPs
  • Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
  • Checks CPU information 2 TTPs 1 IoCs
  • Checks memory information 2 TTPs 1 IoCs
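The accessibility-service signatures above are the ones that matter for cleanup: an app that holds an accessibility grant can block its own uninstall by clicking through the confirmation dialogs. The check below is an added example, not part of the report or of any sandbox tooling. It parses the Android secure setting `enabled_accessibility_services` (a colon-separated list of `package/ServiceClass` entries, which `settings get` prints as `null` when unset) and flags the package from this report. The sample setting value is constructed; the service class name `.AccService` is made up, and the `adb` helper assumes `adb` is on PATH with an authorised device.

```python
import subprocess

# Package name of the sample analysed in this report.
SUSPECT_PACKAGES = {"com.gselqrjdt.fbjofrdes"}

# Constructed sample of the secure setting `enabled_accessibility_services`.
# TalkBack is a legitimate screen reader; the second entry is this report's
# package (its service class name ".AccService" is made up for the example).
SAMPLE_SETTING = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"
    ":com.gselqrjdt.fbjofrdes/.AccService"
)


def parse_enabled_services(raw: str) -> list:
    """Parse the setting value into (package, fully-qualified class) pairs.

    `settings get` prints "null" when the setting is unset; Android also
    accepts the shorthand "pkg/.Class", which is expanded here.
    """
    raw = raw.strip()
    if raw in ("", "null"):
        return []
    entries = []
    for item in raw.split(":"):
        if not item:
            continue
        pkg, _, cls = item.partition("/")
        if cls.startswith("."):
            cls = pkg + cls
        entries.append((pkg, cls))
    return entries


def flag_accessibility_abuse(raw: str, suspects=SUSPECT_PACKAGES) -> dict:
    """Split enabled services into known-bad packages and everything else.

    Anything not on the suspect list still goes to "review": a freshly
    installed package holding an accessibility grant deserves a look.
    """
    entries = parse_enabled_services(raw)
    return {
        "suspect": sorted({pkg for pkg, _ in entries if pkg in suspects}),
        "review": sorted({pkg for pkg, _ in entries if pkg not in suspects}),
    }


def read_setting_from_device(serial: str = "") -> str:
    """Fetch the live value over adb (assumption: adb on PATH, device
    authorised). Not exercised by the offline demo below."""
    cmd = ["adb"] + (["-s", serial] if serial else []) + [
        "shell", "settings", "get", "secure", "enabled_accessibility_services",
    ]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    # Offline demo on the constructed value; swap in read_setting_from_device()
    # to run it against a real device.
    print(flag_accessibility_abuse(SAMPLE_SETTING))
```

If the suspect package shows up, revoke the grant (Settings > Accessibility) before attempting the uninstall, or the app can use the same service to dismiss the removal prompt.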

Processes

  • com.gselqrjdt.fbjofrdes
    1⤵
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Obtains sensitive information copied to the device clipboard
    • Queries information about running processes on the device
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries information about the current Wi-Fi connection
    • Queries the mobile country code (MCC)
    • Schedules tasks to execute at a specified time
    • Uses Crypto APIs (Might try to encrypt user data)
    • Checks CPU information
    • Checks memory information
    PID:4613

Network

MITRE ATT&CK Mobile v15

Downloads

  • /data/data/com.gselqrjdt.fbjofrdes/app_dex/classes.dex

    Filesize

    2.9MB

    MD5

    4e5666891f5538cdf3555e01177a91c7

    SHA1

    cc9b9a2ecef1f56bf04a326ecacbdec6b3330c44

    SHA256

    ee02e8d7fdf75fcc8a8bfffee8616a3bcb6f461efbf1c89b0e1f859ce268f950

    SHA512

    3111496c0fe413e535bff9ce301fb7a30d5b7bc5c5a7eb7fc97ece4567b6e92bbd28b91259a03663af6657515ee254effd20b061f45b9937846dbb9ec8cb18e9

  • /data/data/com.gselqrjdt.fbjofrdes/cache/classes.dex

    Filesize

    1.0MB

    MD5

    9dca2adea53f7795350be0a75115e152

    SHA1

    8d0965a89da3b4a2ede2e6a62cb7236f718becb2

    SHA256

    a470d5b36d90e694093739a3103a7ee1531ed7b770dba724f6822e00deda7108

    SHA512

    c241a932a2ebce50d0ce14a21c8f94e03d9a7b36a1e22ba30daae80c42e5c7bf46685db3e1d12aa960851b744814da3a7ae965e31f9f6d99f11a853eb3ce8e81

  • /data/data/com.gselqrjdt.fbjofrdes/cache/classes.zip

    Filesize

    1.0MB

    MD5

    c681c85cefc7f8ca81598dff7313a001

    SHA1

    e4c23dfe4364544297d23eb9a2efc790146dfa27

    SHA256

    7c9e11c5d136fb5f8c4beda3a7702c4c01336cfdec66c93e7d02d4701c4ced6a

    SHA512

    0a6fb1b7207722992516b5a0c410e232f4d096e5103739f08cc3569403820604a5f85b7bf6f2a67966d2b28662fa698326010d27f889d5a65e6b0ecb0c30fd59

  • /data/data/com.gselqrjdt.fbjofrdes/no_backup/androidx.work.workdb

    Filesize

    4KB

    MD5

    7e858c4054eb00fcddc653a04e5cd1c6

    SHA1

    2e056bf31a8d78df136f02a62afeeca77f4faccf

    SHA256

    9010186c5c083155a45673017d1e31c2a178e63cc15a57bbffde4d1956a23dad

    SHA512

    d0c7a120940c8e637d5566ef179d01eff88a2c2650afda69ad2a46aad76533eaace192028bba3d60407b4e34a950e7560f95d9f9b8eebe361ef62897d88b30cb

  • /data/data/com.gselqrjdt.fbjofrdes/no_backup/androidx.work.workdb-journal

    Filesize

    512B

    MD5

    d6ee521c1d7fb58b5d00d299c49496d3

    SHA1

    7094114032a099b77081591d358a69ee4eeb8a85

    SHA256

    104f2c882bdbaddbdcb3ceee9fe23cb90cd379b299c2ccb0894a7a88b8f991c3

    SHA512

    d0edecdb14e631880a7ebc647eeaa48091bf6dd418fd3f284352f0cf79292d6e42ad389d5088c9de88c25ada0d69a73e34d897aeb36eb9ce3e4fba677b166f21

  • /data/data/com.gselqrjdt.fbjofrdes/no_backup/androidx.work.workdb-shm

    Filesize

    32KB

    MD5

    bb7df04e1b0a2570657527a7e108ae23

    SHA1

    5188431849b4613152fd7bdba6a3ff0a4fd6424b

    SHA256

    c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

    SHA512

    768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

  • /data/data/com.gselqrjdt.fbjofrdes/no_backup/androidx.work.workdb-wal

    Filesize

    16KB

    MD5

    cd1a9d922df4f477f5769daf681a46f2

    SHA1

    6f78427d9e227653e2b666e70ca7ff7f8d246f19

    SHA256

    310e3f93f1ab176874e27db673bf7203fe727f00cd3463c2f45f4861a155304a

    SHA512

    52980e196dce919818c913363b54144c9075148d67827bcbe9eaeda22e03167e37b28bd4518facfe7ab71295f9e860d616192c7e216e803068a148292d783d42

  • /data/data/com.gselqrjdt.fbjofrdes/no_backup/androidx.work.workdb-wal

    Filesize

    108KB

    MD5

    f91a83c3c2daec1fb637ed8be26cbf20

    SHA1

    ba412917259018074b1df07eb41bf14b5f457218

    SHA256

    e765a9ec0587eee3b5724d09d35fa95c5841f2d858163f8cc9cbe9705fba6f4d

    SHA512

    56cee07c0afb9f30e739f4c97134b94497b7d7abeb541b9aca8fe98343b9558b5b4e6fc1d071205ccd94f9b1dfb03ca81940a3d60074a7cd2f40143e9b81884e

  • /data/data/com.gselqrjdt.fbjofrdes/no_backup/androidx.work.workdb-wal

    Filesize

    173KB

    MD5

    14011c289619ba8578700b3852dbd406

    SHA1

    2439c3d56f9b9faaff8e5d3abdcaa54c496fc209

    SHA256

    82e86741ffa65456f09d73c22b34f6e79829da448178eb0fa0a9da419fd2ce2d

    SHA512

    23f05318ea7004897de10927d48cb4982e01def8f6989d95b58e30a8152c072c706dd4ce33a405c3d2964fbceb5f08c03264167314a7491fc3c15aa3d9459bc7
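The dropped `classes.dex` and `classes.zip` files listed above are the second stage the "Loads dropped Dex/Jar" signature refers to. The script below is an added example, not part of the report or of the sandbox: it walks a copy of the app's data directory (for instance pulled from `/data/data/com.gselqrjdt.fbjofrdes/`), identifies DEX and ZIP/JAR payloads by their leading bytes regardless of file name, and matches every file's SHA256 against the hashes from the Downloads section. The demo directory it builds is constructed (only the magic bytes are realistic), and the empty-file hash is added to the IoC set purely so the demo shows a hash hit.

```python
import hashlib
import tempfile
from pathlib import Path

# SHA256 values of the dropped code files listed in this report's Downloads
# section, keyed to the path they were written to under the app data dir.
REPORT_IOCS = {
    "ee02e8d7fdf75fcc8a8bfffee8616a3bcb6f461efbf1c89b0e1f859ce268f950": "app_dex/classes.dex",
    "a470d5b36d90e694093739a3103a7ee1531ed7b770dba724f6822e00deda7108": "cache/classes.dex",
    "7c9e11c5d136fb5f8c4beda3a7702c4c01336cfdec66c93e7d02d4701c4ced6a": "cache/classes.zip",
}

# File signatures: a DEX file starts with "dex\n", a three-digit version and a
# NUL (e.g. b"dex\n035\x00"); a ZIP/JAR starts with the local-file-header magic.
DEX_MAGIC = b"dex\n"
ZIP_MAGIC = b"PK\x03\x04"


def classify(head: bytes) -> str:
    """Identify a payload by its leading bytes, independent of its file name."""
    if head.startswith(DEX_MAGIC):
        return "dex"
    if head.startswith(ZIP_MAGIC):
        return "zip"
    return "other"


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_app_dir(root, iocs=REPORT_IOCS) -> list:
    """Walk a copied app data directory and report dropped code and IoC hits.

    A file is reported if it looks like DEX or ZIP (whatever it is named) or
    if its SHA256 matches one of the report's hashes.
    """
    root = Path(root)
    findings = []
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        with p.open("rb") as f:
            kind = classify(f.read(8))
        digest = sha256_file(p)
        known = iocs.get(digest)
        if kind != "other" or known is not None:
            findings.append({
                "path": p.relative_to(root).as_posix(),
                "type": kind,
                "sha256": digest,
                "known_ioc": known,
            })
    return findings


# SHA256 of the empty file; used only so the constructed demo has a hash hit.
EMPTY_SHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"


def demo_scan() -> list:
    """Build a constructed directory mimicking the report's layout and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for sub in ("app_dex", "cache", "no_backup"):
            (root / sub).mkdir()
        # Constructed stand-ins: only the magic bytes are realistic.
        (root / "app_dex" / "classes.dex").write_bytes(b"dex\n035\x00" + b"\x00" * 16)
        (root / "cache" / "payload.bin").write_bytes(ZIP_MAGIC + b"\x00" * 26)  # JAR under a bland name
        (root / "no_backup" / "marker").write_bytes(b"")       # reported by hash only
        (root / "no_backup" / "note.txt").write_bytes(b"hello")  # not reported
        iocs = dict(REPORT_IOCS, **{EMPTY_SHA256: "constructed-empty-file"})
        return scan_app_dir(root, iocs)


if __name__ == "__main__":
    for f in demo_scan():
        print(f"{f['type']:5} {f['sha256'][:16]}...  {f['path']}  ioc={f['known_ioc']}")
```

Matching on the magic bytes as well as on the hash is deliberate: a rebuilt sample will ship a payload with a different hash, but it still has to hand the Dalvik runtime a real DEX or JAR, so the file-type check keeps catching the drop after the hashes go stale.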