Analysis

  • max time kernel
    148s
  • max time network
    152s
  • platform
    android-11_x64
  • resource
    android-x64-arm64-20240910-en
  • resource tags

    arch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240910-enlocale:en-usos:android-11-x64system
  • submitted
    13-12-2024 22:04

General

  • Target

    4370336bd73e915cfeb97e3fe83162c93d84f9afbabe7abec1e1747b407eeba5.apk

  • Size

    4.6MB

  • MD5

    3027217d201b494a391930e86536b306

  • SHA1

    1d4105b6ffe5612d96694ab2841125387118d216

  • SHA256

    4370336bd73e915cfeb97e3fe83162c93d84f9afbabe7abec1e1747b407eeba5

  • SHA512

    31dc177257fafd60042c948859650cb6cee9b7ece80b43b3ec986269e988f0f9a226cdf469a5ef6487a7f0d5b9c7bbe41b2cdc1290491e351e5bac4e9183dd3e

  • SSDEEP

    98304:3OdnuxYQ7TPu8vvF/slzHhGJtY1pqRURIDtJN8p0P1fgxkRpD:+sTW8vOaJwpDWxGmfgxEpD

Malware Config

Extracted

Family

hook

C2

http://185.147.124.250

DES_key
AES_key

Signatures

  • Hook

    Hook is an Android malware that is based on Ermac with RAT capabilities.

  • Hook family
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

    Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

  • Queries information about running processes on the device 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about running processes on the device.

  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Performs UI accessibility actions on behalf of the user 1 TTPs 5 IoCs

    Application may abuse the accessibility service to prevent their removal.

  • Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

  • Reads information about phone network operator. 1 TTPs
  • Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
  • Checks CPU information 2 TTPs 1 IoCs
  • Checks memory information 2 TTPs 1 IoCs

Processes

  • com.uqdgtyueu.qhpqybnfs
    1⤵
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Obtains sensitive information copied to the device clipboard
    • Queries information about running processes on the device
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries information about the current Wi-Fi connection
    • Schedules tasks to execute at a specified time
    • Uses Crypto APIs (Might try to encrypt user data)
    • Checks CPU information
    • Checks memory information
    PID:4771

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/com.uqdgtyueu.qhpqybnfs/app_dex/classes.dex

    Filesize

    2.9MB

    MD5

    2c2970d6fbee0fabe270cc435676d6dc

    SHA1

    0c8ae7b972e19c207f4c1cc93433341f46733f3d

    SHA256

    19625ea42ec3edf0f18093f592cb8b9fb7f5173265eb9cc72b396837aa3cda17

    SHA512

    7b67106d9adeb506b6e6910cb398b1e3184b4d7e3ccbecd704245ef0855ec76a29aa3df2a9a2850431957a512554c4d0e6e82cc42cc04872bf837b6bb1543412

  • /data/data/com.uqdgtyueu.qhpqybnfs/cache/classes.dex

    Filesize

    1.0MB

    MD5

    b97e2891f67e261115fded30944eafe3

    SHA1

    71d9faa2adefa697b357097b5bcb4555e7e11cdf

    SHA256

    592f7ffc21002776c48bd690d7e2906ce16a3cfb2e77944dce59e257d138fec1

    SHA512

    05c64468ce0aebd3c326aee59d2ba9f2d7f33defbbb3a1e24e16ce5201c0d82a94cbb374608f562dbd065fb598b8681e7101ac0091bde3cf64d6eec16a8673b4

  • /data/data/com.uqdgtyueu.qhpqybnfs/cache/classes.zip

    Filesize

    1.0MB

    MD5

    994b5f2b8033ca8cf537719cd6519e19

    SHA1

    767ffc71e10123cc05a476e630f0d664f88e34f2

    SHA256

    6326be0f88333dce8b2874a98d435ddbfee8c2329cf1ac9cd03f2ce06b364230

    SHA512

    7a72e66d9c3b981bcf1b8a99faaa8adbe22b57602d306ee2ec9c181d97c0b005d2ab819c0cc4e52c94083a5c515cd6152e6bcf4276b30230abdd32a68eb64c77

  • /data/data/com.uqdgtyueu.qhpqybnfs/no_backup/androidx.work.workdb

    Filesize

    4KB

    MD5

    7e858c4054eb00fcddc653a04e5cd1c6

    SHA1

    2e056bf31a8d78df136f02a62afeeca77f4faccf

    SHA256

    9010186c5c083155a45673017d1e31c2a178e63cc15a57bbffde4d1956a23dad

    SHA512

    d0c7a120940c8e637d5566ef179d01eff88a2c2650afda69ad2a46aad76533eaace192028bba3d60407b4e34a950e7560f95d9f9b8eebe361ef62897d88b30cb

  • /data/data/com.uqdgtyueu.qhpqybnfs/no_backup/androidx.work.workdb-journal

    Filesize

    512B

    MD5

    520267074deec39489f339c222895cef

    SHA1

    ce7b08b46d8a9047b4b2ccd5af390632aef04c07

    SHA256

    e8e411ba2b8450ccd1c99b638fd4a68599803c60f379c49a9a0cf318ed105e3e

    SHA512

    1d8e9d3678fa092c9d744c9dc579c29f343f0a773d8c997a844de131824c9ac530be9530674a02dd5ef3c1f5d2a683b2f6832beb81e0310ce8f6831fd184086f

  • /data/data/com.uqdgtyueu.qhpqybnfs/no_backup/androidx.work.workdb-shm

    Filesize

    32KB

    MD5

    bb7df04e1b0a2570657527a7e108ae23

    SHA1

    5188431849b4613152fd7bdba6a3ff0a4fd6424b

    SHA256

    c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

    SHA512

    768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

  • /data/data/com.uqdgtyueu.qhpqybnfs/no_backup/androidx.work.workdb-wal

    Filesize

    16KB

    MD5

    6f3f99f99446e87c6531ef1f41329e61

    SHA1

    2c08de271d445c42a87fb021e6c968deb80e6a75

    SHA256

    c317b07ee3d0f9851df1796bf799466a15f8f61638dfe21ff4fac2bb92e2ecd3

    SHA512

    015c78f402ddddce027686a51bc07d9bdde38fcbc0b7c89eb40db802f6b98587954f305b721338b404ab4060d908ed248db39b475d88d2ec3cd4eff81170c1a3

  • /data/data/com.uqdgtyueu.qhpqybnfs/no_backup/androidx.work.workdb-wal

    Filesize

    108KB

    MD5

    7ea62c98507d1cd243bfd259fb909798

    SHA1

    5fde3469b9410c13d79d321dfe0e1d82bf26b03e

    SHA256

    e5ff7f7ca4482b6a22c285dc6d5f4df89905b5135f51b42d1dd01fa45b76eb16

    SHA512

    f22e214ad363e32ac48656ad9126b79fd4c56d58ea185bce3f67b6a49dd67a824c9590b90fb234b972c886a470399dd58d49cb0f88023b1dd7ce300edf5d0961

  • /data/data/com.uqdgtyueu.qhpqybnfs/no_backup/androidx.work.workdb-wal

    Filesize

    173KB

    MD5

    988a9b67f9d5c775fcdbe73965d9e563

    SHA1

    9ab2237503a88fc89de99472220023e8978eb9e4

    SHA256

    cc8322e344c33cd44fd170155572ec6828eac44c4b1f31bbeb61c1add1106299

    SHA512

    aeca0151a7dbf95813ad3a9a9d1a8e788bac0479432aa54902f660f7cec25870e1c8ab0a6d0d61fc689384e676d6b51417e5771c54b69e3b33a4b021c040dfd8