Overview

overview

10

Static

static

6

22.apk

android-9-x86

10

22.apk

android-10-x64

10

22.apk

android-11-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    150s
  • platform
    android-10_x64
  • resource
    android-x64-20240910-en
  • resource tags

    arch:x64arch:x86image:android-x64-20240910-enlocale:en-usos:android-10-x64system
  • submitted
    10-01-2025 17:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    22.apk

  • Size

    4.8MB

  • MD5

    22572fd05295bdc3293060348285705b

  • SHA1

    6629ebcd3f693b69814f47bbd91fdbc152c791c8

  • SHA256

    bba4e2c4bcd19f4174421de1b8df665133725867a3f151e756570e9a6bed811b

  • SHA512

    245d9fa8662fa2dfe9c261e25bd7283b52ba5cdc24d03699b2cf246cbf6db041d8eba98c878085325f351dcd22ff43a677e4641cc9ad7b512b6faf204c4e103a

  • SSDEEP

    98304:aE1kQen1WIciiAtP4ibIqJ7wxlZTM4RWTyln0P1ayykU7tOB:aakQDkP5YFrnec5kU8

Score
10/10
hookcollectioncredential_accessdiscoveryevasionexecutionimpactinfostealerpersistencerattrojan

Malware Config

Extracted

Family

hook

C2

http://lankfnajasdfzcvvxzxcrrtfas.pro; http://lankfnajasdfasdfcxcescgt.pro; http://lankfnajasdfdsfngaaslsss.pro; http://lankfnajasdfanbabwqeda.pro; http://lankfnajasdfasnbadsfaaa.pro

http://lankfnajasdfzcvvxzxcrrtfas.pro

http://lankfnajasdfasdfcxcescgt.pro

http://lankfnajasdfdsfngaaslsss.pro

http://lankfnajasdfanbabwqeda.pro

http://lankfnajasdfasnbadsfaaa.pro
DES_key
AES_key

Signatures

  • Hook

    Hook is an Android malware that is based on Ermac with RAT capabilities.

    rattrojaninfostealerhook
  • Hook family
    hook
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasioncredential_access
  • Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

    Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

    collectioncredential_accessimpact
  • Queries information about running processes on the device 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about running processes on the device.

    discovery
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    evasionpersistence
  • Performs UI accessibility actions on behalf of the user 1 TTPs 5 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

    discovery
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
    discovery
  • Reads information about phone network operator. 1 TTPs
    discovery
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
    persistence
  • Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

    executionpersistence
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
    impact
  • Checks CPU information 2 TTPs 1 IoCs
  • Checks memory information 2 TTPs 1 IoCs

Processes

  • com.pxqqxxcnm.osmcneyig
    1⤵
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Obtains sensitive information copied to the device clipboard
    • Queries information about running processes on the device
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries information about the current Wi-Fi connection
    • Queries the mobile country code (MCC)
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Schedules tasks to execute at a specified time
    • Uses Crypto APIs (Might try to encrypt user data)
    • Checks CPU information
    • Checks memory information
    PID:5104

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

1
T1603

Persistence

Event Triggered Execution

1
T1624

Broadcast Receivers

1
T1624.001

Foreground Persistence

1
T1541

Scheduled Task/Job

1
T1603

Privilege Escalation

Defense Evasion

Download New Code at Runtime

1
T1407

Foreground Persistence

1
T1541

Impair Defenses

1
T1629

Prevent Application Removal

1
T1629.001

Input Injection

1
T1516

Virtualization/Sandbox Evasion

2
T1633

System Checks

2
T1633.001

Credential Access

Clipboard Data

1
T1414

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Discovery

Process Discovery

1
T1424

System Information Discovery

2
T1426

System Network Configuration Discovery

3
T1422

System Network Connections Discovery

1
T1421

Lateral Movement

Collection

Clipboard Data

1
T1414

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Screen Capture

1
T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

1
T1471

Data Manipulation

1
T1641

Transmitted Data Manipulation

1
T1641.001

Input Injection

1
T1516

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/com.pxqqxxcnm.osmcneyig/app_dex/classes.dex
    Filesize

    2.1MB

    MD5

    5e03a4dfd1236ca8a1cca84511bc81f5

    SHA1

    edca7daab5926a68bae6fb79d1bf499292ef0bb6

    SHA256

    e4a9abec3bcc7c12c352e266267a8fe6c3f3a8e78cd455cf9d3ad053b6cf8cd5

    SHA512

    b5c8b41684f2384603ca6e75d9d9e9ea4e778bffb19084c35f1be864a399b7f4fa3ca400d058c56bff25a0256f1f74da136805eb76692d5d79282c2d5926a56b

    Download Submit

  • /data/data/com.pxqqxxcnm.osmcneyig/cache/classes.dex
    Filesize

    983KB

    MD5

    9e5fc1d1a90e9544436cd88640a4d76b

    SHA1

    b9ddeee1e146be6583b79ac8fa434fa76665941f

    SHA256

    31f6826ade193dfb951718864aa0acc7fd1f74117b222a97ddc03fcd811b4721

    SHA512

    b72ba1fc620e45554789e8c8ca7409e754cc06d5820ed9354ffeb3c8e2ead428b70a21a9c0ae1ea29ce165b7bbb4990a8660c5875b652c3da92373f3daf5e0fb

    Download Submit

  • /data/data/com.pxqqxxcnm.osmcneyig/cache/classes.zip
    Filesize

    984KB

    MD5

    d73033f96bc938f609d8138e90eed237

    SHA1

    419e832a8b4f57e5f6be0b2bd28d2f0c1702e6f4

    SHA256

    1bb427d3e792fdca5b8ce333b11b6a6e376de99f9829c7d3bbbe908c0e8f2c2d

    SHA512

    2784e4c301a7278c463c6330e11dfab36564263eed0d3f932bd7756c872c3e6335affec5604a8ed5a7444b6a8a8041a378144b290beff43f6bffe2a290082a72

    Download Submit

  • /data/data/com.pxqqxxcnm.osmcneyig/no_backup/androidx.work.workdb
    Filesize

    4KB

    MD5

    f2b4b0190b9f384ca885f0c8c9b14700

    SHA1

    934ff2646757b5b6e7f20f6a0aa76c7f995d9361

    SHA256

    0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

    SHA512

    ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

    Download Submit

  • /data/data/com.pxqqxxcnm.osmcneyig/no_backup/androidx.work.workdb-journal
    Filesize

    512B

    MD5

    d8427bd20c2c3a139934a52b6f7e1af4

    SHA1

    6dfa846a081e6572396a15c97cbea2e0811ec553

    SHA256

    83fc84460b5d284895129fd438897d969cc2915d5f4ad5b1a9bda40eae689c6f

    SHA512

    9219e3db460ad7d5d4ce8a01b7f79e568160e7d6d57d3902b60b7be2632f134369699408f0a0b7fa40d88f6818d254b445dbe27d5c08693bc37fc73d2e7def47

    Download Submit

  • /data/data/com.pxqqxxcnm.osmcneyig/no_backup/androidx.work.workdb-shm
    Filesize

    32KB

    MD5

    bb7df04e1b0a2570657527a7e108ae23

    SHA1

    5188431849b4613152fd7bdba6a3ff0a4fd6424b

    SHA256

    c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

    SHA512

    768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

    Download Submit

  • /data/data/com.pxqqxxcnm.osmcneyig/no_backup/androidx.work.workdb-wal
    Filesize

    16KB

    MD5

    b9d0712ba4c1eb942e16803e046c090b

    SHA1

    6dbbd647a3f3d8508b96ff4925bdf908851fa7e7

    SHA256

    fefdbb9ded74861f6758b42132959aaac9c7f8085cfc5501e49dde918cb4dd29

    SHA512

    e238a1e41c91619f35db618fc690b0198803652ff5af686fbd1aae336ea01c19be0436e4af152164eb1acd556562ad02bbfb6067737d6c8e6bac65c12fa821a6

    Download Submit

  • /data/data/com.pxqqxxcnm.osmcneyig/no_backup/androidx.work.workdb-wal
    Filesize

    108KB

    MD5

    e63805170abacc251233ce40d93b2587

    SHA1

    db6f56e91a1b5c2d4aeb58ff85c5a6bcfe2fcd3e

    SHA256

    eda135992211ccaa4ff3ef220ba20dc54a58b60bc50f5cb0eff264a7130f66c7

    SHA512

    c06c7b7fd6dafebb8d24d195b5b1d690f90c077e5e8bea2dc2867c84463e9e5eacb0d969a2f232c35e15c0a27706ca173e0a74f5e619cfb5829ade14b2e41a24

    Download Submit

  • /data/data/com.pxqqxxcnm.osmcneyig/no_backup/androidx.work.workdb-wal
    Filesize

    173KB

    MD5

    37cf76eabeca2b5c5809c83e9ebe445e

    SHA1

    4c0d09c972d764b264ff16be2a8c3d4f2fd7dcc5

    SHA256

    79c7209c39f9191c7348125d66cbbca03d34088a764df94b28e88df76af184fe

    SHA512

    c2551d405d8bea35929b4a6b49b1c5957ead82edf118def392645c762faff857b4a4def348da42efdb2a611ccd735d22d54b1f36f679daf2dd0a14d9f2cc7d26

    Download Submit