Analysis

  • max time kernel
    147s
  • max time network
    154s
  • platform
    android-11_x64
  • resource
    android-x64-arm64-20240910-en
  • resource tags

    arch:arm, arch:arm64, arch:x64, arch:x86, image:android-x64-arm64-20240910-en, locale:en-us, os:android-11-x64, system
  • submitted
    22-12-2024 22:01

General

  • Target

    ece12fa8dd038b6fa6750790ea0bbc1a21d38bbbc0e6c6f02c872fa94cd5fb09.apk

  • Size

    1.2MB

  • MD5

    ebccd261a807f8ef28e687a8f17a334a

  • SHA1

    727ab2e896852072440972898bd5c7980c62f322

  • SHA256

    ece12fa8dd038b6fa6750790ea0bbc1a21d38bbbc0e6c6f02c872fa94cd5fb09

  • SHA512

    e0e37a13466b12180b5f67d118f2e82b6fa78a1126528b06d6c6bb5ef27b3e12f2e3dbfec45177fb1c9234d1a3c99d6f790772d5f2f46b5f75febd98ba4d0aa1

  • SSDEEP

    24576:P7g8TyUcm4t64TudslPkhuS5SD1rCP9BnVEv9Q5vOSERCy+JvsBiUU:P7g8uU3slPkhuH1Irg9qvOSEsy+JkBiX

Malware Config

Extracted

Family

hook

C2

http://154.216.20.225:3434

AES_key

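The C2 endpoint above and the sample hashes in the General section are the indicators a responder would sweep telemetry for. The Python below is an added example and not part of the sandbox report: it splits the C2 URL into host and port, matches connection and file events against the report's hashes, and grades a connection to the C2 host on some other port as weaker evidence rather than ignoring it. The event format and every telemetry line are constructed for the demo (hosts and paths are hypothetical).

```python
import json
from urllib.parse import urlsplit

# Indicators taken from the report: sample hashes and the extracted C2 URL.
SAMPLE_HASHES = {
    "md5": "ebccd261a807f8ef28e687a8f17a334a",
    "sha1": "727ab2e896852072440972898bd5c7980c62f322",
    "sha256": "ece12fa8dd038b6fa6750790ea0bbc1a21d38bbbc0e6c6f02c872fa94cd5fb09",
}
C2_URL = "http://154.216.20.225:3434"


def c2_endpoint(url):
    """Split a C2 URL into (host, port), defaulting the port from the scheme."""
    u = urlsplit(url)
    port = u.port or (443 if u.scheme == "https" else 80)
    return u.hostname, port


def match_event(ev, hashes=SAMPLE_HASHES, c2=C2_URL):
    """Return (confidence, reason) for one telemetry event, or None if it is clean."""
    host, port = c2_endpoint(c2)
    if ev.get("type") == "conn":
        dst, dport = ev.get("dst"), int(ev.get("dport", 0))
        if dst == host and dport == port:
            return "high", f"connection to Hook C2 {host}:{port}"
        if dst == host:
            # Same host on another port: could be a second panel or unrelated
            # hosting on the same IP, so flag it at lower confidence.
            return "medium", f"connection to C2 host {host} on port {dport}"
    elif ev.get("type") == "file":
        for algo, digest in hashes.items():
            seen = str(ev.get(algo, "")).lower()  # hashes are case-insensitive hex
            if seen == digest:
                return "high", f"{algo} of {ev.get('path', '?')} matches the sample"
    return None


def sweep(lines, **kw):
    """Run match_event over newline-delimited JSON events; returns [(line_no, confidence, reason)]."""
    alerts = []
    for n, line in enumerate(lines, 1):
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed telemetry instead of aborting the sweep
        hit = match_event(ev, **kw)
        if hit:
            alerts.append((n, *hit))
    return alerts


# Constructed telemetry for the demo (hypothetical hosts and paths, not sandbox output).
DEMO_LINES = [
    '{"type":"conn","src":"10.0.0.12","dst":"154.216.20.225","dport":3434,"proto":"tcp"}',
    '{"type":"conn","src":"10.0.0.12","dst":"154.216.20.225","dport":8080,"proto":"tcp"}',
    '{"type":"conn","src":"10.0.0.12","dst":"203.0.113.7","dport":443,"proto":"tcp"}',
    '{"type":"file","path":"/sdcard/Download/update.apk",'
    '"sha256":"ECE12FA8DD038B6FA6750790EA0BBC1A21D38BBBC0E6C6F02C872FA94CD5FB09"}',
    '{"type":"file","path":"/sdcard/Download/notes.txt","md5":"d41d8cd98f00b204e9800998ecf8427e"}',
    "this line is not JSON and must not abort the sweep",
]

if __name__ == "__main__":
    for line_no, conf, reason in sweep(DEMO_LINES):
        print(f"line {line_no}: [{conf}] {reason}")
```

Feed sweep() the lines of your own NDJSON export; only the three event keys used above (type, dst/dport, and a hash field) need to be present for a match.
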
Signatures

  • Hook

    Hook is an Android malware family built on the Ermac codebase and extended with RAT (remote-control) capabilities.

  • Hook family
  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
  • Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries information about running processes on the device 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about running processes on the device.

  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

    Application may abuse the accessibility service to prevent its own removal.

  • Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

  • Reads information about the phone's network operator. 1 TTPs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
  • Requests enabling of the accessibility settings. 1 IoCs
  • Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
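
Each signature above is a behavioural rule the sandbox fired at runtime. For a quick static cross-check of a sample before detonation, the Python below walks the string table of classes.dex and maps framework identifiers onto the same signature names. It is an added example, not the sandbox's detection logic: the string-to-signature mapping is a heuristic chosen here (absence of a string proves nothing against a packed or reflective sample), and the DEX blob it runs on is constructed inline by build_dex(). triage_apk() applies the same scan to the classes*.dex entries of a real APK.

```python
import struct
import zipfile

# Heuristic: sandbox signature -> framework identifiers that usually appear in the
# DEX string table when an app implements that behaviour (assumed for this example).
SIGNATURE_STRINGS = {
    "Removes its main activity from the application launcher": ["setComponentEnabledSetting"],
    "Makes use of the framework's Accessibility service": ["Landroid/accessibilityservice/AccessibilityService;"],
    "Queries information about running processes on the device": ["getRunningAppProcesses"],
    "Queries the phone number (MSISDN for GSM devices)": ["getLine1Number"],
    "Acquires the wake lock": ["Landroid/os/PowerManager$WakeLock;"],
    "Makes use of the framework's foreground persistence service": ["startForeground"],
    "Queries information about the current Wi-Fi connection": ["Landroid/net/wifi/WifiManager;"],
    "Reads information about phone network operator.": ["getNetworkOperatorName", "getSimOperator"],
    "Requests disabling of battery optimizations": ["android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"],
    "Requests enabling of the accessibility settings.": ["android.settings.ACCESSIBILITY_SETTINGS"],
    "Schedules tasks to execute at a specified time": ["Landroidx/work/WorkManager;", "Landroid/app/job/JobScheduler;"],
    "Uses Crypto APIs (Might try to encrypt user data)": ["Ljavax/crypto/Cipher;"],
}


def _read_uleb128(buf, off):
    """Decode a ULEB128 value at buf[off]; returns (value, offset after it)."""
    value, shift = 0, 0
    while True:
        b = buf[off]
        off += 1
        value |= (b & 0x7F) << shift
        if not b & 0x80:
            return value, off
        shift += 7


def dex_strings(dex):
    """Yield every entry of a DEX string_ids table.

    string_ids_size sits at 0x38 and string_ids_off at 0x3C; each id is a u4 offset to a
    string_data_item (ULEB128 UTF-16 length, MUTF-8 bytes, NUL). MUTF-8 encodes U+0000 as
    C0 80, so a raw 0x00 byte is a safe terminator.
    """
    if dex[:4] != b"dex\n":
        raise ValueError("not a DEX file")
    count, table_off = struct.unpack_from("<II", dex, 0x38)
    for i in range(count):
        (data_off,) = struct.unpack_from("<I", dex, table_off + 4 * i)
        _, start = _read_uleb128(dex, data_off)  # UTF-16 length is not needed here
        end = dex.index(b"\x00", start)
        yield dex[start:end].decode("utf-8", errors="replace")


def triage_dex(dex):
    """Return the set of signature names whose indicator strings occur in the DEX."""
    present = set(dex_strings(dex))
    return {sig for sig, needles in SIGNATURE_STRINGS.items() if any(n in present for n in needles)}


def triage_apk(path):
    """Scan every classes*.dex inside an APK (a zip archive) and union the hits."""
    hits = set()
    with zipfile.ZipFile(path) as apk:
        for name in apk.namelist():
            if name.startswith("classes") and name.endswith(".dex"):
                hits |= triage_dex(apk.read(name))
    return hits


def _uleb128(n):
    out = bytearray()
    while True:
        b, n = n & 0x7F, n >> 7
        out.append(b | 0x80 if n else b)
        if not n:
            return bytes(out)


def build_dex(strings):
    """Construct a minimal DEX blob holding only a string table (demo input, not a real sample)."""
    header = bytearray(0x70)
    header[:8] = b"dex\n035\x00"
    ids_off = 0x70
    data_base = ids_off + 4 * len(strings)
    ids, data = bytearray(), bytearray()
    for s in strings:
        ids += struct.pack("<I", data_base + len(data))
        data += _uleb128(len(s)) + s.encode("utf-8") + b"\x00"
    struct.pack_into("<I", header, 0x20, 0x70 + len(ids) + len(data))  # file_size
    struct.pack_into("<II", header, 0x38, len(strings), ids_off)
    return bytes(header + ids + data)


# Constructed string table imitating what a Hook-like sample would reference (hypothetical class name).
CONSTRUCTED_STRINGS = [
    "Lcom/example/dropper/Main;",
    "Landroid/accessibilityservice/AccessibilityService;",
    "setComponentEnabledSetting",
    "startForeground",
    "android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS",
    "android.settings.ACCESSIBILITY_SETTINGS",
    "Landroidx/work/WorkManager;",
    "Ljavax/crypto/Cipher;",
    "Landroid/os/PowerManager$WakeLock;",
]


def demo():
    return triage_dex(build_dex(CONSTRUCTED_STRINGS))


if __name__ == "__main__":
    for sig in sorted(demo()):
        print("static hint:", sig)
```

Matching is on whole string-table entries, so a hit means the class or method name is literally present; samples that resolve APIs through reflection or string decryption will show fewer hits than the runtime signatures above, which is exactly why the dynamic run is still needed.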

Processes

  • com.tencent.mm
    The sample runs under com.tencent.mm, the package name of the legitimate WeChat client, so the process name alone does not identify it; the behaviours below do.
    • Removes its main activity from the application launcher
    • Makes use of the framework's Accessibility service
    • Queries information about running processes on the device
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries information about the current Wi-Fi connection
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Requests enabling of the accessibility settings.
    • Schedules tasks to execute at a specified time
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4725

Network

MITRE ATT&CK Mobile v15

Downloads

  All files below are the WorkManager Room database (androidx.work.workdb) and its SQLite companions: -journal (rollback journal), -shm (WAL shared-memory index) and -wal (write-ahead log), the last captured three times as it grew from 16KB to 108KB to 173KB. They are written by the androidx.work library, consistent with the task-scheduling signature above, so their hashes are specific to this run and are not useful file indicators; the path under /data/user/0/com.tencent.mm/no_backup/ is the stable part.

  • /data/user/0/com.tencent.mm/no_backup/androidx.work.workdb

    Filesize

    4KB

    MD5

    7e858c4054eb00fcddc653a04e5cd1c6

    SHA1

    2e056bf31a8d78df136f02a62afeeca77f4faccf

    SHA256

    9010186c5c083155a45673017d1e31c2a178e63cc15a57bbffde4d1956a23dad

    SHA512

    d0c7a120940c8e637d5566ef179d01eff88a2c2650afda69ad2a46aad76533eaace192028bba3d60407b4e34a950e7560f95d9f9b8eebe361ef62897d88b30cb

  • /data/user/0/com.tencent.mm/no_backup/androidx.work.workdb-journal

    Filesize

    512B

    MD5

    1eb0872d3cf7bcbf644af090af9065fa

    SHA1

    c7c08a8c4d4d7798435fe34b236e341431e8d4a9

    SHA256

    8864cb72f3a3183ec124bfe925db2b163fcdeab684e202105da76944dc117ac5

    SHA512

    8324737f71f32cb6b1977806c8bd8c07c6b32c89706a8c7c0bf236d0ab02b545e29df9bdc2d7cedec528e74df3665104865c715ffa2f8a35e55e30b137c15eae

  • /data/user/0/com.tencent.mm/no_backup/androidx.work.workdb-shm

    Filesize

    32KB

    MD5

    bb7df04e1b0a2570657527a7e108ae23

    SHA1

    5188431849b4613152fd7bdba6a3ff0a4fd6424b

    SHA256

    c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

    SHA512

    768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

  • /data/user/0/com.tencent.mm/no_backup/androidx.work.workdb-wal

    Filesize

    16KB

    MD5

    23d3c996a74eb338653e493584bd2035

    SHA1

    ed6ff01515913ab281df2a888e61db5920ab8b0e

    SHA256

    278f8a8cbda0f6da143696cba8fa5a3bf7294326ad077cb09efcc463e4b49efc

    SHA512

    30f16f4f52646066b16fb21995119b126fc541465a8019310538e033e95afbbdfac62950c4cfa2467e5c1d70b47144f63d9b84faeee51b32bec6bddd11d1a7a4

  • /data/user/0/com.tencent.mm/no_backup/androidx.work.workdb-wal

    Filesize

    108KB

    MD5

    806e21d23e389f3601424fee3cf00bb4

    SHA1

    30f20e203f0f6f41aaefc519c001f41f86494b63

    SHA256

    ec69e1e5e9f92c6b9ba456ae58e1c5d19cba96fdff142597054bfad8ef866a7c

    SHA512

    8e8f971266144dce8a078c32bba1a11c5c556bb4bf4fab74142694e4d152e20c700e4f73f6a282dd3d3db38f8a0edca58f3d0da27865eb66c6bb234ba17696d8

  • /data/user/0/com.tencent.mm/no_backup/androidx.work.workdb-wal

    Filesize

    173KB

    MD5

    3c943eb0d07952c190adc9c0b9dfbb1b

    SHA1

    3110d3689212cdc6bf6677077c1a640e95bf9bbf

    SHA256

    3995a7e0da0c19c394f5b4ee2df775441f7b6023d4ac29bac95a5f2492434bbc

    SHA512

    c3bab96bfea04d010c546bed3feba4cd3f98ba03598d6948d4cceebcc72ef3fcb8cda299537eeb10891569cd90b3c2ef6bcb5bfd8b6231382408d3e020f88763