Analysis

  • max time kernel: 147s
  • max time network: 158s
  • platform: android_x64
  • resource: android-x64-20240624-en
  • resource tags: android, arch:x64, arch:x86, image:android-x64-20240624-en, locale:en-us, os:android-10-x64, system
  • submitted: 13-12-2024 22:04

General

  • Target: 4370336bd73e915cfeb97e3fe83162c93d84f9afbabe7abec1e1747b407eeba5.apk
  • Size: 4.6MB
  • MD5: 3027217d201b494a391930e86536b306
  • SHA1: 1d4105b6ffe5612d96694ab2841125387118d216
  • SHA256: 4370336bd73e915cfeb97e3fe83162c93d84f9afbabe7abec1e1747b407eeba5
  • SHA512: 31dc177257fafd60042c948859650cb6cee9b7ece80b43b3ec986269e988f0f9a226cdf469a5ef6487a7f0d5b9c7bbe41b2cdc1290491e351e5bac4e9183dd3e
  • SSDEEP: 98304:3OdnuxYQ7TPu8vvF/slzHhGJtY1pqRURIDtJN8p0P1fgxkRpD:+sTW8vOaJwpDWxGmfgxEpD

Malware Config

Extracted

  • Family: hook
  • C2: http://185.147.124.250
  • DES_key
  • AES_key

Signatures

  • Hook

    Hook is an Android malware that is based on Ermac with RAT capabilities.

  • Hook family
  • Loads dropped Dex/Jar (1 TTP, 2 IoCs)

    Runs an executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service (4 TTPs, 3 IoCs)

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Obtains sensitive information copied to the device clipboard (2 TTPs, 1 IoC)

    Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

  • Queries information about running processes on the device (1 TTP, 1 IoC)

    Application may abuse the framework's APIs to collect information about running processes on the device.

  • Queries the phone number (MSISDN for GSM devices) (1 TTP)
  • Acquires the wake lock (1 IoC)
  • Makes use of the framework's foreground persistence service (1 TTP, 1 IoC)

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Performs UI accessibility actions on behalf of the user (1 TTP, 5 IoCs)

    Application may abuse the accessibility service to prevent its removal.

  • Queries information about the current Wi-Fi connection (1 TTP, 1 IoC)

    Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

  • Queries the mobile country code (MCC) (1 TTP, 1 IoC)
  • Reads information about the phone network operator (1 TTP)
  • Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTP, 1 IoC)
  • Schedules tasks to execute at a specified time (1 TTP, 1 IoC)

    Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

  • Uses Crypto APIs (might try to encrypt user data) (1 TTP, 1 IoC)
  • Checks CPU information (2 TTPs, 1 IoC)
  • Checks memory information (2 TTPs, 1 IoC)

Processes

  • com.uqdgtyueu.qhpqybnfs (PID: 4949)
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Obtains sensitive information copied to the device clipboard
    • Queries information about running processes on the device
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries information about the current Wi-Fi connection
    • Queries the mobile country code (MCC)
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Schedules tasks to execute at a specified time
    • Uses Crypto APIs (might try to encrypt user data)
    • Checks CPU information
    • Checks memory information

MITRE ATT&CK Mobile v15

Downloads

  • /data/data/com.uqdgtyueu.qhpqybnfs/app_dex/classes.dex
    • Filesize: 2.9MB
    • MD5: 2c2970d6fbee0fabe270cc435676d6dc
    • SHA1: 0c8ae7b972e19c207f4c1cc93433341f46733f3d
    • SHA256: 19625ea42ec3edf0f18093f592cb8b9fb7f5173265eb9cc72b396837aa3cda17
    • SHA512: 7b67106d9adeb506b6e6910cb398b1e3184b4d7e3ccbecd704245ef0855ec76a29aa3df2a9a2850431957a512554c4d0e6e82cc42cc04872bf837b6bb1543412

  • /data/data/com.uqdgtyueu.qhpqybnfs/cache/classes.dex
    • Filesize: 1.0MB
    • MD5: b97e2891f67e261115fded30944eafe3
    • SHA1: 71d9faa2adefa697b357097b5bcb4555e7e11cdf
    • SHA256: 592f7ffc21002776c48bd690d7e2906ce16a3cfb2e77944dce59e257d138fec1
    • SHA512: 05c64468ce0aebd3c326aee59d2ba9f2d7f33defbbb3a1e24e16ce5201c0d82a94cbb374608f562dbd065fb598b8681e7101ac0091bde3cf64d6eec16a8673b4

  • /data/data/com.uqdgtyueu.qhpqybnfs/cache/classes.zip
    • Filesize: 1.0MB
    • MD5: 994b5f2b8033ca8cf537719cd6519e19
    • SHA1: 767ffc71e10123cc05a476e630f0d664f88e34f2
    • SHA256: 6326be0f88333dce8b2874a98d435ddbfee8c2329cf1ac9cd03f2ce06b364230
    • SHA512: 7a72e66d9c3b981bcf1b8a99faaa8adbe22b57602d306ee2ec9c181d97c0b005d2ab819c0cc4e52c94083a5c515cd6152e6bcf4276b30230abdd32a68eb64c77

  • /data/data/com.uqdgtyueu.qhpqybnfs/no_backup/androidx.work.workdb
    • Filesize: 4KB
    • MD5: f2b4b0190b9f384ca885f0c8c9b14700
    • SHA1: 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
    • SHA256: 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
    • SHA512: ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

  • /data/data/com.uqdgtyueu.qhpqybnfs/no_backup/androidx.work.workdb-journal
    • Filesize: 512B
    • MD5: 00176e1ab117b195eb59205310418328
    • SHA1: 57cc58ed5b3e42198fb087a985bb563a2fba5140
    • SHA256: a8fcfad145246cc18684113dc58f6e90cf442ba53a1990285e46f127e591d3cd
    • SHA512: 10a5bb8eb41b196b08d309fa05fa6a0b9d29fb710eda0e3710e3204588b6e4567fc3a04be9781f1e69a7d65930ef00418f13fea040d213d5a58d91a18c549daa

  • /data/data/com.uqdgtyueu.qhpqybnfs/no_backup/androidx.work.workdb-shm
    • Filesize: 32KB
    • MD5: bb7df04e1b0a2570657527a7e108ae23
    • SHA1: 5188431849b4613152fd7bdba6a3ff0a4fd6424b
    • SHA256: c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
    • SHA512: 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

  • /data/data/com.uqdgtyueu.qhpqybnfs/no_backup/androidx.work.workdb-wal
    • Filesize: 16KB
    • MD5: 5edd5b1a205f69982a160efa51644dcd
    • SHA1: 119842b63ff6e51bf7a2a74ac527dc0cf24ac08f
    • SHA256: 0d8b98e9b7bd43d54be2604397e64e28afb59e33badac0920834cb397040c249
    • SHA512: ab451cdb391fd6eaaa67b0a47d5c6fd4acee7600688211500e66ef469e0af5466d13e5927cb4d39137ac1c2ab8361507e566d626b4708b88845efa37dbce4c26

  • /data/data/com.uqdgtyueu.qhpqybnfs/no_backup/androidx.work.workdb-wal
    • Filesize: 108KB
    • MD5: d9ca3653d9feed548f4107472dfdf560
    • SHA1: e80df2d4ac3cd9c7b60025eb2f4a9629f3184187
    • SHA256: db183b6e2d76af5cc9fd2b3c03ad4dfde0ff7f22a86ee0c1509c7a17c042bef9
    • SHA512: ad43ec4774f58c9c64a91d745e3e7595a96e95532c35a58d4d859e03caec083993eaa21d3110c1ff02bc6df2786b2900e48cff7e4bd263a667c6d2a109ff2706

  • /data/data/com.uqdgtyueu.qhpqybnfs/no_backup/androidx.work.workdb-wal
    • Filesize: 173KB
    • MD5: 7b6b29765b2618743b7be1f227d647af
    • SHA1: 29169e4ce2fa095c73f68ee4e2132229c1acf668
    • SHA256: 757f9c1002ff5b46601be2e8bdb9d07ed3a1107801e01552c704a41f98da520e
    • SHA512: 16b0763f8e22445583e41e726857357e1d8f5372ea6dcf156dea5d9f5cf5fd2f126ac305fa54b0668856a2ef6d8dafd6354869a7c8fe88937df6f04f0b4cabf7