Overview

overview

10

Static

static

6

bba4e2c4bc...1b.apk

android-9-x86

10

bba4e2c4bc...1b.apk

android-10-x64

10

bba4e2c4bc...1b.apk

android-11-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    159s
  • platform
    android_x64
  • resource
    android-x64-20240624-en
  • resource tags

    androidarch:x64arch:x86image:android-x64-20240624-enlocale:en-usos:android-10-x64system
  • submitted
    11-01-2025 04:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bba4e2c4bcd19f4174421de1b8df665133725867a3f151e756570e9a6bed811b.apk

  • Size

    4.8MB

  • MD5

    22572fd05295bdc3293060348285705b

  • SHA1

    6629ebcd3f693b69814f47bbd91fdbc152c791c8

  • SHA256

    bba4e2c4bcd19f4174421de1b8df665133725867a3f151e756570e9a6bed811b

  • SHA512

    245d9fa8662fa2dfe9c261e25bd7283b52ba5cdc24d03699b2cf246cbf6db041d8eba98c878085325f351dcd22ff43a677e4641cc9ad7b512b6faf204c4e103a

  • SSDEEP

    98304:aE1kQen1WIciiAtP4ibIqJ7wxlZTM4RWTyln0P1ayykU7tOB:aakQDkP5YFrnec5kU8

Score
10/10
hookcollectioncredential_accessdiscoveryevasionexecutionimpactinfostealerpersistencerattrojan

Malware Config

Extracted

Family

hook

C2

http://lankfnajasdfzcvvxzxcrrtfas.pro; http://lankfnajasdfasdfcxcescgt.pro; http://lankfnajasdfdsfngaaslsss.pro; http://lankfnajasdfanbabwqeda.pro; http://lankfnajasdfasnbadsfaaa.pro

http://lankfnajasdfzcvvxzxcrrtfas.pro

http://lankfnajasdfasdfcxcescgt.pro

http://lankfnajasdfdsfngaaslsss.pro

http://lankfnajasdfanbabwqeda.pro

http://lankfnajasdfasnbadsfaaa.pro
DES_key
AES_key

Signatures

  • Hook

    Hook is an Android malware that is based on Ermac with RAT capabilities.

    rattrojaninfostealerhook
  • Hook family
    hook
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasioncredential_access
  • Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

    Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

    collectioncredential_accessimpact
  • Queries information about running processes on the device 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about running processes on the device.

    discovery
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    evasionpersistence
  • Performs UI accessibility actions on behalf of the user 1 TTPs 5 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

    discovery
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
    discovery
  • Reads information about phone network operator. 1 TTPs
    discovery
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
    persistence
  • Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

    executionpersistence
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
    impact
  • Checks CPU information 2 TTPs 1 IoCs
  • Checks memory information 2 TTPs 1 IoCs

Processes

  • com.pxqqxxcnm.osmcneyig
    1⤵
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Obtains sensitive information copied to the device clipboard
    • Queries information about running processes on the device
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries information about the current Wi-Fi connection
    • Queries the mobile country code (MCC)
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Schedules tasks to execute at a specified time
    • Uses Crypto APIs (Might try to encrypt user data)
    • Checks CPU information
    • Checks memory information
    PID:4973

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

1
T1603

Persistence

Event Triggered Execution

1
T1624

Broadcast Receivers

1
T1624.001

Foreground Persistence

1
T1541

Scheduled Task/Job

1
T1603

Privilege Escalation

Defense Evasion

Download New Code at Runtime

1
T1407

Foreground Persistence

1
T1541

Impair Defenses

1
T1629

Prevent Application Removal

1
T1629.001

Input Injection

1
T1516

Virtualization/Sandbox Evasion

2
T1633

System Checks

2
T1633.001

Credential Access

Clipboard Data

1
T1414

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Discovery

Process Discovery

1
T1424

System Information Discovery

2
T1426

System Network Configuration Discovery

3
T1422

System Network Connections Discovery

1
T1421

Lateral Movement

Collection

Clipboard Data

1
T1414

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Screen Capture

1
T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

1
T1471

Data Manipulation

1
T1641

Transmitted Data Manipulation

1
T1641.001

Input Injection

1
T1516

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/com.pxqqxxcnm.osmcneyig/app_dex/classes.dex
    Filesize

    2.1MB

    MD5

    5e03a4dfd1236ca8a1cca84511bc81f5

    SHA1

    edca7daab5926a68bae6fb79d1bf499292ef0bb6

    SHA256

    e4a9abec3bcc7c12c352e266267a8fe6c3f3a8e78cd455cf9d3ad053b6cf8cd5

    SHA512

    b5c8b41684f2384603ca6e75d9d9e9ea4e778bffb19084c35f1be864a399b7f4fa3ca400d058c56bff25a0256f1f74da136805eb76692d5d79282c2d5926a56b

    Download Submit

  • /data/data/com.pxqqxxcnm.osmcneyig/cache/classes.dex
    Filesize

    983KB

    MD5

    9e5fc1d1a90e9544436cd88640a4d76b

    SHA1

    b9ddeee1e146be6583b79ac8fa434fa76665941f

    SHA256

    31f6826ade193dfb951718864aa0acc7fd1f74117b222a97ddc03fcd811b4721

    SHA512

    b72ba1fc620e45554789e8c8ca7409e754cc06d5820ed9354ffeb3c8e2ead428b70a21a9c0ae1ea29ce165b7bbb4990a8660c5875b652c3da92373f3daf5e0fb

    Download Submit

  • /data/data/com.pxqqxxcnm.osmcneyig/cache/classes.zip
    Filesize

    984KB

    MD5

    d73033f96bc938f609d8138e90eed237

    SHA1

    419e832a8b4f57e5f6be0b2bd28d2f0c1702e6f4

    SHA256

    1bb427d3e792fdca5b8ce333b11b6a6e376de99f9829c7d3bbbe908c0e8f2c2d

    SHA512

    2784e4c301a7278c463c6330e11dfab36564263eed0d3f932bd7756c872c3e6335affec5604a8ed5a7444b6a8a8041a378144b290beff43f6bffe2a290082a72

    Download Submit

  • /data/data/com.pxqqxxcnm.osmcneyig/no_backup/androidx.work.workdb
    Filesize

    4KB

    MD5

    f2b4b0190b9f384ca885f0c8c9b14700

    SHA1

    934ff2646757b5b6e7f20f6a0aa76c7f995d9361

    SHA256

    0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

    SHA512

    ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

    Download Submit

  • /data/data/com.pxqqxxcnm.osmcneyig/no_backup/androidx.work.workdb-journal
    Filesize

    512B

    MD5

    cb1122b7cd41ced30f474a1bf3f5e9a6

    SHA1

    cbb57d7e33d0c358c090e8bb4a0ace4fa4361758

    SHA256

    d259084e10e5505af207cc4fd401a5cc9a54e61a119c47e39ab290f96128fa50

    SHA512

    ea9d3e7adbc4317c5c2fa303c97c307ac4fc3cc27b48f0ce8990e4371875a722477740a8290ba6e2a995de8fd56bc695547975872a4460057ffbb37fba677dc5

    Download Submit

  • /data/data/com.pxqqxxcnm.osmcneyig/no_backup/androidx.work.workdb-shm
    Filesize

    32KB

    MD5

    bb7df04e1b0a2570657527a7e108ae23

    SHA1

    5188431849b4613152fd7bdba6a3ff0a4fd6424b

    SHA256

    c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

    SHA512

    768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

    Download Submit

  • /data/data/com.pxqqxxcnm.osmcneyig/no_backup/androidx.work.workdb-wal
    Filesize

    16KB

    MD5

    239cd0da1f704e347da5150545d585d7

    SHA1

    55e241b71d9977390091bb639227e0d77663d4ee

    SHA256

    bec2d573fa98ac8f0ea1df7091cfda316c3c5520987867fee52d3de01e432ecf

    SHA512

    7843b380fd4bd66bfefb9d0861adf4df0995dcbc5dde763bd903459ae64e777a45132ce528d5321dee48addeaeb645a5081f6815e39e24292b8778d52819b60f

    Download Submit

  • /data/data/com.pxqqxxcnm.osmcneyig/no_backup/androidx.work.workdb-wal
    Filesize

    108KB

    MD5

    a495e5c69aa97f1a332bad648a30fb1c

    SHA1

    7c46788efdf2a3ed4666bf6469573717b2ff589f

    SHA256

    70485cf3210c16f7f3108b149dc65498d0315a51b15882b2116977c2b53684c0

    SHA512

    cec11c3527ebea34833260617285844363d2284f8593fc734a0957bc0b4f781c4e0d07f073c96122d97e70779081ed6926bfd0f172424819d1ea9176ce5ef668

    Download Submit

  • /data/data/com.pxqqxxcnm.osmcneyig/no_backup/androidx.work.workdb-wal
    Filesize

    173KB

    MD5

    83d7d6141173be70739767c4d9edecc1

    SHA1

    810e44337bdc3fd5284d840f45a553e1b525c646

    SHA256

    b503a286674bdc861ea84da2f1769c2cc777231f8ec78384a6b3992d74fe6c8d

    SHA512

    634f35eaea877efd019f34708bd509ce4cfa88d95277dfd9e8496c58f719eecf0a739f9afdd7ab1afc3c702101e2ea16f771e86073f9f10a41876f41bd406ece

    Download Submit