Analysis

  • max time kernel
    22s
  • max time network
    132s
  • platform
    android_x64
  • resource
    android-x64-arm64-20240624-en
  • resource tags

    androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240624-enlocale:en-usos:android-11-x64system
  • submitted
    16-12-2024 11:34

General

  • Target

    deper.apk

  • Size

    4.5MB

  • MD5

    2822ee6f2c62e0d59e3a6e3b49936bff

  • SHA1

    fa1d9b7d1ea36004c5de7b7e5dbf4e59d6993881

  • SHA256

    2da377529967c57cf738206ad5a1414485658daf7c26e66a6c474b165442f1b6

  • SHA512

    00f39e5ec2bc113c8e6e23d1dba2b41fcba84788a6729592451e9c635cc9d36e2bfa0c6d68531fa82d81d4549a17a56355961a2bdd9bcf30f4c0fd7cd7fd4443

  • SSDEEP

    98304:19HLjEpXQoLXV4W0WiWmOC3POywZLRnKhbLJaojI+lnLwTNSM1eR:7cXDXeKyyJobLJjrlLwTYM1m

Malware Config

Extracted

Family

hook

C2

http://rocketstylebuildinftoday.online; http://rocketstylebuildinftoday.xyz; http://rocketstylebuildinftoday.icu; http://rocketstylebuildinftoday.live; http://rocketstylebuildinftoday.shop

http://rocketstylebuildinftoday.online

http://rocketstylebuildinftoday.xyz

http://rocketstylebuildinftoday.icu

http://rocketstylebuildinftoday.live

DES_key
AES_key

Signatures

  • Hook

    Hook is an Android malware that is based on Ermac with RAT capabilities.

  • Hook family
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

    Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

  • Queries information about running processes on the device 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about running processes on the device.

  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Performs UI accessibility actions on behalf of the user 1 TTPs 5 IoCs

    Application may abuse the accessibility service to prevent their removal.

  • Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

  • Reads information about phone network operator. 1 TTPs
  • Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
  • Checks CPU information 2 TTPs 1 IoCs
  • Checks memory information 2 TTPs 1 IoCs

Processes

  • com.ygkaxidkh.ffldaorgq
    1⤵
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Obtains sensitive information copied to the device clipboard
    • Queries information about running processes on the device
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries information about the current Wi-Fi connection
    • Schedules tasks to execute at a specified time
    • Uses Crypto APIs (Might try to encrypt user data)
    • Checks CPU information
    • Checks memory information
    PID:4510

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/user/0/com.ygkaxidkh.ffldaorgq/app_dex/classes.dex

    Filesize

    2.0MB

    MD5

    44723267c98402b080805eaac5c75a44

    SHA1

    7be7566788529318eeee233078e881f7616ca414

    SHA256

    4a22f11437441381266c2fd88b640502a3ee25415983a16c8eab1eab326fa272

    SHA512

    da8ac124a46d08eb8bb88eedc1f83e586c93c8ffeab07467260d07429cafb8b0b4a42e068e2c6170d6f252116866e8048e4920ceeee9c032ac751cf1d720c9ae

  • /data/user/0/com.ygkaxidkh.ffldaorgq/cache/classes.dex

    Filesize

    981KB

    MD5

    5ea9b6336fb131fdae456fb6601d2eae

    SHA1

    1f6478804f427703db8fce112b02ecaf8d64499c

    SHA256

    62aaeb31eeaaef03a9c60c2b97d3190baadba125919e337fe1dd6a75432d6e9a

    SHA512

    1bf6daa3ac921f86ae75505963e3d4dc9ea312ddccdb5caf0dc4b9965d449263d1f84cbbc68397d362a71ed931b7fda8360d5afd1271b1b26e782dadf1dfa5fc

  • /data/user/0/com.ygkaxidkh.ffldaorgq/cache/classes.zip

    Filesize

    981KB

    MD5

    8d6918c1f9765d4336e429c8841de7bc

    SHA1

    a66e74297ba0f5ab1a9c8be19b2f112660336b77

    SHA256

    5573a9c320c20a51fb4431999efd0b937b3ea8daa1c98c4b21be87f71a2a9a31

    SHA512

    bdd2a3376f6b4626ebaab50f61da77e6881e1f1548afb4c7e49bd8dad475b8b9675ffe9d3182a66e05ad7bad0e198950983a50434ad2d0e7d591c3a51b4b2897

  • /data/user/0/com.ygkaxidkh.ffldaorgq/no_backup/androidx.work.workdb

    Filesize

    4KB

    MD5

    7e858c4054eb00fcddc653a04e5cd1c6

    SHA1

    2e056bf31a8d78df136f02a62afeeca77f4faccf

    SHA256

    9010186c5c083155a45673017d1e31c2a178e63cc15a57bbffde4d1956a23dad

    SHA512

    d0c7a120940c8e637d5566ef179d01eff88a2c2650afda69ad2a46aad76533eaace192028bba3d60407b4e34a950e7560f95d9f9b8eebe361ef62897d88b30cb

  • /data/user/0/com.ygkaxidkh.ffldaorgq/no_backup/androidx.work.workdb-journal

    Filesize

    512B

    MD5

    3c45e574498f998537dbf0e1ea849e20

    SHA1

    be4228a8ebf0f9204092d31ead30fbc01d532b74

    SHA256

    73aa4ad06461dcc9bbe3eb2689c3d94d36c93e80ae1da9cbd34c4e84682e30c0

    SHA512

    e4589d5ab00b22bf800d7620a77ee106edfee859e5d2cc4aaad97cbea7dd79bd84fc48151c2d836425e4dfd98103a8192b9dbe90794b3a893d80806daecbb225

  • /data/user/0/com.ygkaxidkh.ffldaorgq/no_backup/androidx.work.workdb-shm

    Filesize

    32KB

    MD5

    bb7df04e1b0a2570657527a7e108ae23

    SHA1

    5188431849b4613152fd7bdba6a3ff0a4fd6424b

    SHA256

    c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

    SHA512

    768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

  • /data/user/0/com.ygkaxidkh.ffldaorgq/no_backup/androidx.work.workdb-wal

    Filesize

    16KB

    MD5

    96c9f749a6a545ad93d384bc85c6ab61

    SHA1

    7752f6094e173a038b77275ce0aec3c50d3d921b

    SHA256

    5cdf2b13ea53f34384e8b9fb85856929412ffaf259050dff7490f8030bd18ba5

    SHA512

    c3c71fb0dcb7b6edf837336a00e438d46caf665a225798a7192278366f85cfb2160559d560a499bc6a27d2e887b0a78875d1988a4fc10680db5a33df8f9934f5

  • /data/user/0/com.ygkaxidkh.ffldaorgq/no_backup/androidx.work.workdb-wal

    Filesize

    108KB

    MD5

    fd67c29c1fe443d29531c3cbc83cabee

    SHA1

    f69b34f9f69249d07fa34e418ffcac06779b37b8

    SHA256

    b19ae9ac9605e14dce6f2c11d90546a889378db69b3bf4e38308e33a09f3895b

    SHA512

    a392273e39e207280114fc870ab3de7e913cd714e05330a0ad9d8c1abd54969b5f1cb35e064857f9e049db54b6069c5e58cd8eaf223c7cbb4832ec461af5061e

  • /data/user/0/com.ygkaxidkh.ffldaorgq/no_backup/androidx.work.workdb-wal

    Filesize

    173KB

    MD5

    2e9715a98823afb5a1d147062f82ec00

    SHA1

    00a550e7c650f569e84894e88e1caa57070231ce

    SHA256

    1b9db5cc9f23ff58b92094d16c1191feb40f552269c4368272134382198b0820

    SHA512

    d3f09c6dc658d0eafcf8803b4afebdb899a3b92b71695c37e72213da129586fd39d5955ead60c22d8e640d1535c69076d8b8a84d4cadff19cb889631196abade