Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    android-9_x86
  • resource
    android-x86-arm-20240910-en
  • resource tags

    arch:armarch:x86image:android-x86-arm-20240910-enlocale:en-usos:android-9-x86system
  • submitted
    21-12-2024 22:15

General

  • Target

    a1cb4730227e27f7d6bd7b6782a31908d885df663cd13e2899b7bda43ec846ba.apk

  • Size

    2.5MB

  • MD5

    5d498abb0f99b3a4d57dca6ce0d5b530

  • SHA1

    fd51e64ca5ac2297b8848d85f7d22f48e92c469c

  • SHA256

    a1cb4730227e27f7d6bd7b6782a31908d885df663cd13e2899b7bda43ec846ba

  • SHA512

    99db244a2aff14b9cafb2a19f61a5550f4fb1a95f601bcb6f40dd4cda2f6ace7fd75fa7b328995a1927abf014bcbb46d955d3e1c7043726552dd0a0ff7429565

  • SSDEEP

    49152:mbPtn/srg71IMYSXwf1OhtkBeFpj6FnB8ZZK/l0fdjtkxGk:mbPtn/JO+K1OfpknO6l0fdjtkIk

Malware Config

Extracted

Family

hook

C2

http://154.216.20.102

DES_key
AES_key

Signatures

  • Hook

    Hook is an Android malware that is based on Ermac with RAT capabilities.

  • Hook family
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Queries information about running processes on the device 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about running processes on the device.

  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Performs UI accessibility actions on behalf of the user 1 TTPs 8 IoCs

    Application may abuse the accessibility service to prevent their removal.

  • Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Reads information about phone network operator. 1 TTPs
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
  • Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
  • Checks CPU information 2 TTPs 1 IoCs
  • Checks memory information 2 TTPs 1 IoCs

Processes

  • com.pzvoxzxip.lxaqztnyy
    1⤵
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Queries information about running processes on the device
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries information about the current Wi-Fi connection
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Schedules tasks to execute at a specified time
    • Uses Crypto APIs (Might try to encrypt user data)
    • Checks CPU information
    • Checks memory information
    PID:4319

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/com.pzvoxzxip.lxaqztnyy/app_dex/classes.dex

    Filesize

    2.9MB

    MD5

    c5f2d438a38147bd5039b536bb820c61

    SHA1

    e43c6378765fdf298ff5c01332004492f2916077

    SHA256

    66ab822f0ca23ddb477e6e5c8e4aeed9fc18d6ea5fd17951b55930956108267e

    SHA512

    e234916c9f9a4ed6f86f86c640734bc2ec1c620d67f69df624148d313254064c7da3b888a7919bc5723e2e782fe229b3e52da4113348d3cb99e0f8d76be49849

  • /data/data/com.pzvoxzxip.lxaqztnyy/cache/classes.dex

    Filesize

    1.0MB

    MD5

    913964c71b809c94b494db6b94bc56ec

    SHA1

    3191a872bada4c0910aa79b27337eceb2ac06127

    SHA256

    6f83e35e4b0b5bb8001d6d0e097b6ffae7911c36d59467206d9d589ee2a28067

    SHA512

    f632004c155babdc6799f5b2d9ca888819d3967df2d8e629fb2a71458c5d3150e33331d8f1566c575f0d9b4e3255fb8d212da58a0b9534edcb673c70686b8fac

  • /data/data/com.pzvoxzxip.lxaqztnyy/cache/classes.zip

    Filesize

    1.0MB

    MD5

    98271965746cab6898a39acb0dbfe86d

    SHA1

    4e04abe94c3969fa52b702cecda02bba9f6bcd68

    SHA256

    5aa8e63f609805ed76ab1778cb66a4cd4b6d7d918b9fa182b2f8651a377de41c

    SHA512

    de0dc4384269a25430d6d12725f9d91c8a862543695f6f820424dcdebc3f0d3c4499b0884164e3b910efc779f6abe2d4656a63ab2859d8148bb747e975aff73a

  • /data/data/com.pzvoxzxip.lxaqztnyy/no_backup/androidx.work.workdb

    Filesize

    4KB

    MD5

    f2b4b0190b9f384ca885f0c8c9b14700

    SHA1

    934ff2646757b5b6e7f20f6a0aa76c7f995d9361

    SHA256

    0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

    SHA512

    ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

  • /data/data/com.pzvoxzxip.lxaqztnyy/no_backup/androidx.work.workdb-journal

    Filesize

    512B

    MD5

    af2a705a6b3b042050ba72fc9265ce77

    SHA1

    28ab19735cf2d7b57fc4ca666b72bc9fd5c64b2a

    SHA256

    ce88274c7d19ae97928dd25efe7cbf9a76b042a02038bd2811fa4c63a1a88a4e

    SHA512

    df8e2583d00edbbad3728581925b4219b929b19b52cf2c82a9b8f7dd917269076a32b1ccb4218a9501e08e29a125a6b86ea6ef7f763e5840e68a9bff35339300

  • /data/data/com.pzvoxzxip.lxaqztnyy/no_backup/androidx.work.workdb-shm

    Filesize

    32KB

    MD5

    bb7df04e1b0a2570657527a7e108ae23

    SHA1

    5188431849b4613152fd7bdba6a3ff0a4fd6424b

    SHA256

    c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

    SHA512

    768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

  • /data/data/com.pzvoxzxip.lxaqztnyy/no_backup/androidx.work.workdb-wal

    Filesize

    108KB

    MD5

    723a4f3744380630d6756a423f75aeef

    SHA1

    bb94647618e004613ff6817e5be98b4375a4a20d

    SHA256

    2f21b2bd5d19445f70c652700815dea542b95226c55f2ca73deac643e649eedf

    SHA512

    2d39a74d799994bf122e49e583441aa55beeb4b34d0c73ad1e987547378f6c6292d8a2d0ac212a10431325da3b73103e3e39d946c090f2a065ee7570e2a44152

  • /data/data/com.pzvoxzxip.lxaqztnyy/no_backup/androidx.work.workdb-wal

    Filesize

    173KB

    MD5

    c413b1386e04741b3b75e29950982137

    SHA1

    a8a3d7cd9f2c123fd88881dadded625c32a0f815

    SHA256

    0f1b46c12ee24cf5672af2254eab65f9658c1ddb4b49e38e41c1371d1b026b41

    SHA512

    36070d7b4cd95f533a749b7c2f8b9d6d31940ed69d76b49a04a9a8f539aaddce494c37b64babf747c033cd8b73aeace8ff6df397eda895c845befbce5729e92a

  • /data/data/com.pzvoxzxip.lxaqztnyy/no_backup/androidx.work.workdb-wal

    Filesize

    16KB

    MD5

    3c46828ff6ce604c9c69c9bf37890f24

    SHA1

    e4301980d8934a6a903c0b15b155d99185b717ae

    SHA256

    89f97d96217704f5ee9e298e8f4812a7f917462e5e9a766b8b306c930f3c65df

    SHA512

    01609cf5a663a11d4a67b66cf4cc70cb45116262e49ce254dbba49818e4855cae443ad7e05885b5390b8a9e08fb56304640a2826cea027f20c7aa1e144d9f8f0