Overview

overview

10

Static

static

6

c68ac554dc...df.apk

android-9-x86

10

c68ac554dc...df.apk

android-10-x64

10

c68ac554dc...df.apk

android-11-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    158s
  • platform
    android_x64
  • resource
    android-x64-arm64-20240624-en
  • resource tags

    androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240624-enlocale:en-usos:android-11-x64system
  • submitted
    10-01-2025 03:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c68ac554dc7b0c8fec61b7d5527a05e1ecb1c2eac904a460ae839c43c69c67df.apk

  • Size

    5.3MB

  • MD5

    44d3a7095205fce503413a86cdb065a1

  • SHA1

    ea70080acdc22ff68c241cd03c499a245b25807e

  • SHA256

    c68ac554dc7b0c8fec61b7d5527a05e1ecb1c2eac904a460ae839c43c69c67df

  • SHA512

    703771f98e5ddf628549cf1fb13ca7d7c3c3fe55b48b023ebe7539da2f2ef01aba5e094a6a6f984be821da4a268dc037961c163591522d11093f232092de4185

  • SSDEEP

    98304:bfaNr28dhXTBBBCXconxLiicJybgYu7kbEhXGCN5KRGzsQ/dCV8JuSSQGTsxfxA+:jaY8pCXc+LKyFIrhXJn1/TJxSQxfxu38

Score
10/10
hookcollectioncredential_accessdiscoveryevasionexecutionimpactinfostealerpersistencerattrojan

Malware Config

Extracted

Family

hook

C2

http://lankfnajasdfzcvvxzxcrrtfas.pro; http://lankfnajasdfasdfcxcescgt.pro; http://lankfnajasdfdsfngaaslsss.pro; http://lankfnajasdfanbabwqeda.pro; http://lankfnajasdfasnbadsfaaa.pro

http://lankfnajasdfzcvvxzxcrrtfas.pro

http://lankfnajasdfasdfcxcescgt.pro

http://lankfnajasdfdsfngaaslsss.pro

http://lankfnajasdfanbabwqeda.pro

http://lankfnajasdfasnbadsfaaa.pro
DES_key
AES_key

Signatures

  • Hook

    Hook is an Android malware that is based on Ermac with RAT capabilities.

    rattrojaninfostealerhook
  • Hook family
    hook
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasioncredential_access
  • Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

    Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

    collectioncredential_accessimpact
  • Queries information about running processes on the device 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about running processes on the device.

    discovery
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    evasionpersistence
  • Performs UI accessibility actions on behalf of the user 1 TTPs 5 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

    discovery
  • Reads information about phone network operator. 1 TTPs
    discovery
  • Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

    executionpersistence
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
    impact
  • Checks CPU information 2 TTPs 1 IoCs
  • Checks memory information 2 TTPs 1 IoCs

Processes

  • com.sobleuiac.ptskggnze
    1⤵
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Obtains sensitive information copied to the device clipboard
    • Queries information about running processes on the device
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries information about the current Wi-Fi connection
    • Schedules tasks to execute at a specified time
    • Uses Crypto APIs (Might try to encrypt user data)
    • Checks CPU information
    • Checks memory information
    PID:4516

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

1
T1603

Persistence

Foreground Persistence

1
T1541

Scheduled Task/Job

1
T1603

Privilege Escalation

Defense Evasion

Download New Code at Runtime

1
T1407

Foreground Persistence

1
T1541

Impair Defenses

1
T1629

Prevent Application Removal

1
T1629.001

Input Injection

1
T1516

Virtualization/Sandbox Evasion

2
T1633

System Checks

2
T1633.001

Credential Access

Clipboard Data

1
T1414

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Discovery

Process Discovery

1
T1424

System Information Discovery

2
T1426

System Network Configuration Discovery

2
T1422

System Network Connections Discovery

1
T1421

Lateral Movement

Collection

Clipboard Data

1
T1414

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Screen Capture

1
T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

1
T1471

Data Manipulation

1
T1641

Transmitted Data Manipulation

1
T1641.001

Input Injection

1
T1516

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/user/0/com.sobleuiac.ptskggnze/app_dex/classes.dex
    Filesize

    2.1MB

    MD5

    125f76b00f5e4499ac35fa58885ad484

    SHA1

    434f8caf56e4a3db9c51e9a77d1646ba650d3eba

    SHA256

    fbdb9c952a96cc40f067cecb3e361acfe4601ed33bfc75f16f8f3748ccc0e69e

    SHA512

    e6f56367d375f00873b9ffb7e20cc55ef3681125aab701796cb8320689300663a2917338cbe8301b139dcf345eee702b89701ce251b41e3511b1d173447b2caf

    Download Submit

  • /data/user/0/com.sobleuiac.ptskggnze/cache/classes.dex
    Filesize

    986KB

    MD5

    67fa328c5203072c63147e723982aefd

    SHA1

    b72d8bcd1100a06192b5c136c0ea3293762ee57a

    SHA256

    64a6fa6b362eddb3ec00d14fdd4ce2b39d16a7fc5ecc161961411f528cf9a2e9

    SHA512

    35c687860d70f9839c4a6dea6931609b91623bbfcc8bd34fbd9cf3d7c66115b68d18bc97c76956377bae4f22656ffc9dfcdd19c4a21f876a9e945e6775599b3b

    Download Submit

  • /data/user/0/com.sobleuiac.ptskggnze/cache/classes.zip
    Filesize

    986KB

    MD5

    721246fe1a4fba2ddc3876f84559aa25

    SHA1

    0f2ccbf4fc3d08b5ff318ea78259dee9d6f146b9

    SHA256

    b11573e6f44eeb5f31bf090c2ec4fbd8c210db8a7a7368d481befefd117f6ea1

    SHA512

    66637608969d4fe97b04928b9d8b7d2e95230489cd61fc9b2dd68e759e56273a677d9ee59086175b3319e889d15295f29df260e853d237ecf33c9cb61f0f7724

    Download Submit

  • /data/user/0/com.sobleuiac.ptskggnze/no_backup/androidx.work.workdb
    Filesize

    4KB

    MD5

    7e858c4054eb00fcddc653a04e5cd1c6

    SHA1

    2e056bf31a8d78df136f02a62afeeca77f4faccf

    SHA256

    9010186c5c083155a45673017d1e31c2a178e63cc15a57bbffde4d1956a23dad

    SHA512

    d0c7a120940c8e637d5566ef179d01eff88a2c2650afda69ad2a46aad76533eaace192028bba3d60407b4e34a950e7560f95d9f9b8eebe361ef62897d88b30cb

    Download Submit

  • /data/user/0/com.sobleuiac.ptskggnze/no_backup/androidx.work.workdb-journal
    Filesize

    512B

    MD5

    ac09bcbcbd7e4e06ca6b78d7881a7342

    SHA1

    6e508e6721b91bc73867b85858d6637a46f2c0bb

    SHA256

    0453bed7b1c15fd5e2d75a1f15d97b4af505b58a4e732eeebbae8ff40f780a1e

    SHA512

    1efeb9132758c8ea01cb324a751f4d822e5d6a6ed9c10a59911b06637793624246ae1f90e0fe5f5f37f2b4a377787f1264a643a4372d92e4f3b08bc6c995dc0b

    Download Submit

  • /data/user/0/com.sobleuiac.ptskggnze/no_backup/androidx.work.workdb-shm
    Filesize

    32KB

    MD5

    bb7df04e1b0a2570657527a7e108ae23

    SHA1

    5188431849b4613152fd7bdba6a3ff0a4fd6424b

    SHA256

    c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

    SHA512

    768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

    Download Submit

  • /data/user/0/com.sobleuiac.ptskggnze/no_backup/androidx.work.workdb-wal
    Filesize

    16KB

    MD5

    3bb40daafa0224a619854e2c8607dd9d

    SHA1

    d5586d8581caad0e910ba23d5a236e6f3a0fb274

    SHA256

    0869fb802979623cbc2fe74750d9cbbd56733a03e70b333118776df50b888ad4

    SHA512

    c3db454cdf46de11f3ef4f0975131dd1fcd021305071543bebd2d13f21bae4466cd47ee69af9d5e3501f12f6b6188bd933bf1c1d2e0080da6306b24f12baaf7f

    Download Submit

  • /data/user/0/com.sobleuiac.ptskggnze/no_backup/androidx.work.workdb-wal
    Filesize

    108KB

    MD5

    7199ec8da96c4cc8707185abbf256ca8

    SHA1

    51bc72cf92e54934b4f80fc35bde8a71b156fbc6

    SHA256

    232cd5ece715e13130e78df64b0ed361cec514707b2fe70b746f462eda916a85

    SHA512

    7c4388209d228938c70928994528d764eb83716ed503698cd536706cf713ffee6ef0da820bdc89da3f3b630dd62d6fec13516178b57e78e1351573815b419c93

    Download Submit

  • /data/user/0/com.sobleuiac.ptskggnze/no_backup/androidx.work.workdb-wal
    Filesize

    173KB

    MD5

    e4b2ff923dcd40b56e15e365fd7491dc

    SHA1

    7150b88b68929c93f3737767a1c872e26cb3dd65

    SHA256

    252b2a9c6a6e927f2f4b1e0ee754e3975e861f4eeb4f8847686336adc0bf485b

    SHA512

    b84694d108c298f3b17cc487de4ad021f903bae6617252861e0efe554bb963cd40765bfe0d719ee417064bd8aee7725c9e12340ad15e1da0939efca37b0c8215

    Download Submit