Analysis

max time kernel: 22s
max time network: 132s
platform: android_x64
resource: android-x64-arm64-20240624-en
resource tags: android, arch:arm, arch:arm64, arch:x64, arch:x86, image:android-x64-arm64-20240624-en, locale:en-us, os:android-11-x64, system
submitted: 16-12-2024 11:34
Static task: static1
Behavioral task: behavioral1 (sample deper.apk, resource android-x86-arm-20240624-en)
Behavioral task: behavioral2 (sample deper.apk, resource android-x64-20240624-en)
Behavioral task: behavioral3 (sample deper.apk, resource android-x64-arm64-20240624-en)
General

Target: deper.apk
Size: 4.5MB
MD5: 2822ee6f2c62e0d59e3a6e3b49936bff
SHA1: fa1d9b7d1ea36004c5de7b7e5dbf4e59d6993881
SHA256: 2da377529967c57cf738206ad5a1414485658daf7c26e66a6c474b165442f1b6
SHA512: 00f39e5ec2bc113c8e6e23d1dba2b41fcba84788a6729592451e9c635cc9d36e2bfa0c6d68531fa82d81d4549a17a56355961a2bdd9bcf30f4c0fd7cd7fd4443
SSDEEP: 98304:19HLjEpXQoLXV4W0WiWmOC3POywZLRnKhbLJaojI+lnLwTNSM1eR:7cXDXeKyyJobLJjrlLwTYM1m
Malware Config

Extracted family: hook
C2 (five hosts, same label across five TLDs):
http://rocketstylebuildinftoday.online
http://rocketstylebuildinftoday.xyz
http://rocketstylebuildinftoday.icu
http://rocketstylebuildinftoday.live
http://rocketstylebuildinftoday.shop
Signatures

Hook
Hook is an Android malware that is based on Ermac with RAT capabilities.

Hook family

Loads dropped Dex/Jar (1 TTP, 2 IoCs)
Runs an executable file dropped to the device during analysis.
  ioc: /data/user/0/com.ygkaxidkh.ffldaorgq/app_dex/classes.dex, pid 4510, process com.ygkaxidkh.ffldaorgq
  ioc: /data/user/0/com.ygkaxidkh.ffldaorgq/app_dex/classes.dex, pid 4510, process com.ygkaxidkh.ffldaorgq

Makes use of the framework's Accessibility service (4 TTPs, 3 IoCs)
Retrieves information displayed on the phone screen using AccessibilityService.
  Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId, process com.ygkaxidkh.ffldaorgq
  Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText, process com.ygkaxidkh.ffldaorgq
  Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId, process com.ygkaxidkh.ffldaorgq

Obtains sensitive information copied to the device clipboard (2 TTPs, 1 IoC)
Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
  Framework service call: android.content.IClipboard.addPrimaryClipChangedListener, process com.ygkaxidkh.ffldaorgq

Queries information about running processes on the device (1 TTP, 1 IoC)
Application may abuse the framework's APIs to collect information about running processes on the device.
  Framework service call: android.app.IActivityManager.getRunningAppProcesses, process com.ygkaxidkh.ffldaorgq

Queries the phone number (MSISDN for GSM devices) (1 TTP)

Acquires the wake lock (1 IoC)
  Framework service call: android.os.IPowerManager.acquireWakeLock, process com.ygkaxidkh.ffldaorgq

Makes use of the framework's foreground persistence service (1 TTP, 1 IoC)
Application may abuse the framework's foreground service to continue running in the foreground.
  Framework service call: android.app.IActivityManager.setServiceForeground, process com.ygkaxidkh.ffldaorgq

Performs UI accessibility actions on behalf of the user (1 TTP, 5 IoCs)
Application may abuse the accessibility service to prevent its removal.
  Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction, process com.ygkaxidkh.ffldaorgq (5 calls)

Queries information about the current Wi-Fi connection (1 TTP, 1 IoC)
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
  Framework service call: android.net.wifi.IWifiManager.getConnectionInfo, process com.ygkaxidkh.ffldaorgq

Reads information about the phone network operator (1 TTP)

Schedules tasks to execute at a specified time (1 TTP, 1 IoC)
Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
  Framework service call: android.app.job.IJobScheduler.schedule, process com.ygkaxidkh.ffldaorgq

Uses Crypto APIs (might try to encrypt user data) (1 TTP, 1 IoC)
  Framework API call: javax.crypto.Cipher.doFinal, process com.ygkaxidkh.ffldaorgq

Checks CPU information (2 TTPs, 1 IoC)
  File opened for read: /proc/cpuinfo, process com.ygkaxidkh.ffldaorgq

Checks memory information (2 TTPs, 1 IoC)
  File opened for read: /proc/meminfo, process com.ygkaxidkh.ffldaorgq
Processes

com.ygkaxidkh.ffldaorgq (PID 4510)
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Queries information about running processes on the device
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries information about the current Wi-Fi connection
- Schedules tasks to execute at a specified time
- Uses Crypto APIs (might try to encrypt user data)
- Checks CPU information
- Checks memory information
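The signature rows above are the raw material for a triage rule: the same process reads the screen through AccessibilityService, issues global UI actions, registers a clipboard listener, pins itself as a foreground service and loads a DEX it wrote to its own app_dex directory. The script below is an added example, not code from the sandbox vendor or from the Hook sample. It parses log lines in the report's "Framework service call <api> <process>" layout (the lines here are constructed from the IoC rows, plus an invented benign process com.example.benign), maps the APIs to behaviour labels, applies a hook-like heuristic of my own choosing, recognises the dropped-DEX path pattern and DEX magic, and checks URLs against the extracted C2 hosts and blobs against the report's SHA-256 values. The behaviour grouping and the heuristic threshold are assumptions, not the sandbox's own scoring.

```python
"""Triage helper for the behaviours and IoCs listed in this report.

Added example; not part of the sandbox report or of the Hook sample.
The log-line format mimics the report's "Framework service call <api> <process>"
rows and is constructed here, not captured from a device.
"""
import hashlib
import re
from urllib.parse import urlparse

# C2 hosts from the extracted Hook config in this report.
C2_HOSTS = {
    "rocketstylebuildinftoday.online",
    "rocketstylebuildinftoday.xyz",
    "rocketstylebuildinftoday.icu",
    "rocketstylebuildinftoday.live",
    "rocketstylebuildinftoday.shop",
}

# SHA-256 of the submitted APK and of the 2.0MB file listed under Downloads, copied from the report.
KNOWN_SHA256 = {
    "2da377529967c57cf738206ad5a1414485658daf7c26e66a6c474b165442f1b6": "deper.apk (submitted sample)",
    "4a22f11437441381266c2fd88b640502a3ee25415983a16c8eab1eab326fa272": "2.0MB file listed under Downloads",
}

# Framework APIs the report attributes to the Hook process, grouped by the behaviour
# each one evidences. The grouping is this example's own, not the sandbox's taxonomy.
BEHAVIOURS = {
    "accessibility_read": {
        "android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId",
        "android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText",
        "android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId",
    },
    "accessibility_action": {"android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction"},
    "clipboard": {"android.content.IClipboard.addPrimaryClipChangedListener"},
    "foreground_persistence": {"android.app.IActivityManager.setServiceForeground"},
    "job_scheduling": {"android.app.job.IJobScheduler.schedule"},
    "process_discovery": {"android.app.IActivityManager.getRunningAppProcesses"},
    "wifi_discovery": {"android.net.wifi.IWifiManager.getConnectionInfo"},
    "crypto": {"javax.crypto.Cipher.doFinal"},
}

CALL_RE = re.compile(r"^Framework (?:service|API) call (\S+) (\S+)$")
# DEX staged under the app's private app_dex directory, the path pattern the report shows.
DROPPED_DEX_RE = re.compile(r"^/data/user/\d+/([A-Za-z0-9_.]+)/app_dex/[^/]+\.dex$")
DEX_MAGIC = b"dex\n"  # first four bytes of every .dex file ("dex\n035\0", "dex\n039\0", ...)


def parse_calls(lines):
    """Map each process name to the set of framework APIs it was seen calling."""
    calls = {}
    for line in lines:
        m = CALL_RE.match(line.strip())
        if m:
            api, process = m.groups()
            calls.setdefault(process, set()).add(api)
    return calls


def behaviour_profile(apis):
    """Translate a set of observed APIs into the behaviour labels defined above."""
    return {name for name, members in BEHAVIOURS.items() if apis & members}


def is_hook_like(profile):
    """Heuristic (assumption): screen reading plus UI actions via AccessibilityService,
    combined with clipboard capture or foreground persistence, as this report shows."""
    return ("accessibility_read" in profile and "accessibility_action" in profile
            and bool({"clipboard", "foreground_persistence"} & profile))


def dropped_dex_packages(paths):
    """Return the package names that loaded a DEX from their own app_dex directory."""
    return {m.group(1) for p in paths if (m := DROPPED_DEX_RE.match(p))}


def looks_like_dex(data):
    return data[:4] == DEX_MAGIC


def match_known_hash(data):
    """Look up a blob's SHA-256 in the report's hash list; None if unknown."""
    return KNOWN_SHA256.get(hashlib.sha256(data).hexdigest())


def is_c2_url(url):
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    return host in C2_HOSTS


# Constructed log lines: the report's IoC rows plus one invented benign process.
SAMPLE_LOG = """
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText com.ygkaxidkh.ffldaorgq
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.ygkaxidkh.ffldaorgq
Framework service call android.content.IClipboard.addPrimaryClipChangedListener com.ygkaxidkh.ffldaorgq
Framework service call android.app.IActivityManager.setServiceForeground com.ygkaxidkh.ffldaorgq
Framework API call javax.crypto.Cipher.doFinal com.ygkaxidkh.ffldaorgq
Framework service call android.net.wifi.IWifiManager.getConnectionInfo com.example.benign
""".strip().splitlines()

SAMPLE_PATHS = ["/data/user/0/com.ygkaxidkh.ffldaorgq/app_dex/classes.dex",
                "/data/user/0/com.example.benign/cache/tmp.bin"]

if __name__ == "__main__":
    for process, apis in parse_calls(SAMPLE_LOG).items():
        profile = behaviour_profile(apis)
        print(process, sorted(profile), "HOOK-LIKE" if is_hook_like(profile) else "")
    print("dropped DEX in:", dropped_dex_packages(SAMPLE_PATHS))
    print("C2?", is_c2_url("http://rocketstylebuildinftoday.shop/api/gate"))
```

On a live device the path check pairs with `adb shell find /data/user/0 -path '*/app_dex/*.dex'` (root required), and `looks_like_dex` plus `match_known_hash` are what to run on whatever that returns; the accessibility-plus-clipboard heuristic will also fire on some legitimate assistive apps, so treat it as a prioritisation signal rather than a verdict.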
Network
MITRE ATT&CK Mobile v15

Defense Evasion
- Download New Code at Runtime (1)
- Foreground Persistence (1)
- Impair Defenses (1)
  - Prevent Application Removal (1)
- Input Injection (1)
- Virtualization/Sandbox Evasion (2)
  - System Checks (2)

Credential Access
- Clipboard Data (1)
- Input Capture (2)
  - GUI Input Capture (1)
  - Keylogging (1)

Discovery
- Process Discovery (1)
- System Information Discovery (2)
- System Network Configuration Discovery (2)
- System Network Connections Discovery (1)
Downloads

Filesize: 2.0MB
MD5: 44723267c98402b080805eaac5c75a44
SHA1: 7be7566788529318eeee233078e881f7616ca414
SHA256: 4a22f11437441381266c2fd88b640502a3ee25415983a16c8eab1eab326fa272
SHA512: da8ac124a46d08eb8bb88eedc1f83e586c93c8ffeab07467260d07429cafb8b0b4a42e068e2c6170d6f252116866e8048e4920ceeee9c032ac751cf1d720c9ae

Filesize: 981KB
MD5: 5ea9b6336fb131fdae456fb6601d2eae
SHA1: 1f6478804f427703db8fce112b02ecaf8d64499c
SHA256: 62aaeb31eeaaef03a9c60c2b97d3190baadba125919e337fe1dd6a75432d6e9a
SHA512: 1bf6daa3ac921f86ae75505963e3d4dc9ea312ddccdb5caf0dc4b9965d449263d1f84cbbc68397d362a71ed931b7fda8360d5afd1271b1b26e782dadf1dfa5fc

Filesize: 981KB
MD5: 8d6918c1f9765d4336e429c8841de7bc
SHA1: a66e74297ba0f5ab1a9c8be19b2f112660336b77
SHA256: 5573a9c320c20a51fb4431999efd0b937b3ea8daa1c98c4b21be87f71a2a9a31
SHA512: bdd2a3376f6b4626ebaab50f61da77e6881e1f1548afb4c7e49bd8dad475b8b9675ffe9d3182a66e05ad7bad0e198950983a50434ad2d0e7d591c3a51b4b2897

Filesize: 4KB
MD5: 7e858c4054eb00fcddc653a04e5cd1c6
SHA1: 2e056bf31a8d78df136f02a62afeeca77f4faccf
SHA256: 9010186c5c083155a45673017d1e31c2a178e63cc15a57bbffde4d1956a23dad
SHA512: d0c7a120940c8e637d5566ef179d01eff88a2c2650afda69ad2a46aad76533eaace192028bba3d60407b4e34a950e7560f95d9f9b8eebe361ef62897d88b30cb

Filesize: 512B
MD5: 3c45e574498f998537dbf0e1ea849e20
SHA1: be4228a8ebf0f9204092d31ead30fbc01d532b74
SHA256: 73aa4ad06461dcc9bbe3eb2689c3d94d36c93e80ae1da9cbd34c4e84682e30c0
SHA512: e4589d5ab00b22bf800d7620a77ee106edfee859e5d2cc4aaad97cbea7dd79bd84fc48151c2d836425e4dfd98103a8192b9dbe90794b3a893d80806daecbb225

Filesize: 32KB
MD5: bb7df04e1b0a2570657527a7e108ae23
SHA1: 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256: c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512: 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Filesize: 16KB
MD5: 96c9f749a6a545ad93d384bc85c6ab61
SHA1: 7752f6094e173a038b77275ce0aec3c50d3d921b
SHA256: 5cdf2b13ea53f34384e8b9fb85856929412ffaf259050dff7490f8030bd18ba5
SHA512: c3c71fb0dcb7b6edf837336a00e438d46caf665a225798a7192278366f85cfb2160559d560a499bc6a27d2e887b0a78875d1988a4fc10680db5a33df8f9934f5

Filesize: 108KB
MD5: fd67c29c1fe443d29531c3cbc83cabee
SHA1: f69b34f9f69249d07fa34e418ffcac06779b37b8
SHA256: b19ae9ac9605e14dce6f2c11d90546a889378db69b3bf4e38308e33a09f3895b
SHA512: a392273e39e207280114fc870ab3de7e913cd714e05330a0ad9d8c1abd54969b5f1cb35e064857f9e049db54b6069c5e58cd8eaf223c7cbb4832ec461af5061e

Filesize: 173KB
MD5: 2e9715a98823afb5a1d147062f82ec00
SHA1: 00a550e7c650f569e84894e88e1caa57070231ce
SHA256: 1b9db5cc9f23ff58b92094d16c1191feb40f552269c4368272134382198b0820
SHA512: d3f09c6dc658d0eafcf8803b4afebdb899a3b92b71695c37e72213da129586fd39d5955ead60c22d8e640d1535c69076d8b8a84d4cadff19cb889631196abade