Analysis
max time kernel: 148s
max time network: 158s
platform: android-9_x86
resource: android-x86-arm-20240910-en
resource tags: arch:arm, arch:x86, image:android-x86-arm-20240910-en, locale:en-us, os:android-9-x86, system
submitted: 17-01-2025 22:01
Static task: static1

Behavioral task: behavioral1
Sample: 077f1c38a4cbaabb88f400bda2437b3b3ae31f6b369d52ae59c1d57056ccffb9.apk
Resource: android-x86-arm-20240910-en

Behavioral task: behavioral2
Sample: 077f1c38a4cbaabb88f400bda2437b3b3ae31f6b369d52ae59c1d57056ccffb9.apk
Resource: android-x64-20240624-en

Behavioral task: behavioral3
Sample: 077f1c38a4cbaabb88f400bda2437b3b3ae31f6b369d52ae59c1d57056ccffb9.apk
Resource: android-x64-arm64-20240910-en
General
Target: 077f1c38a4cbaabb88f400bda2437b3b3ae31f6b369d52ae59c1d57056ccffb9.apk
Size: 5.0MB
MD5: 5825dd3844c7dcb70d44b949da8c1bb3
SHA1: 98ac3ff5254eed74f488c0e22e586e9cf2e1cfa2
SHA256: 077f1c38a4cbaabb88f400bda2437b3b3ae31f6b369d52ae59c1d57056ccffb9
SHA512: 9e92b5c6178b933b6a4969dde9dd9e8a121209d41a121ac260a41ffd930562568135fb6b4b0813b5f88b3b7b353c854222514445e07f03fc08d3d9b04bf8ef6e
SSDEEP: 98304:yzeNaBVQmY/yaFrk58f4CMlTSPs9ONvNhhn8+Ib7tGym4wosiml:NNaB2mY/E16s9ON1hhn8+Ib5G6w99
Malware Config
Extracted
Family: hook
URL: http://154.216.17.69
Signatures

Hook
Hook is an Android malware that is based on Ermac with RAT capabilities.

Hook family

Loads dropped Dex/Jar (1 TTPs, 3 IoCs)
Runs executable file dropped to the device during analysis.
ioc | pid | Process
/data/user/0/com.mxdzftcek.nnafdewej/app_dex/classes.dex | 4305 | com.mxdzftcek.nnafdewej
/data/user/0/com.mxdzftcek.nnafdewej/app_dex/classes.dex | 4366 | /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.mxdzftcek.nnafdewej/app_dex/classes.dex --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.mxdzftcek.nnafdewej/app_dex/oat/x86/classes.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/com.mxdzftcek.nnafdewej/app_dex/classes.dex | 4305 | com.mxdzftcek.nnafdewej

Makes use of the framework's Accessibility service (4 TTPs, 3 IoCs)
Retrieves information displayed on the phone screen using AccessibilityService.
description | ioc | Process
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | com.mxdzftcek.nnafdewej
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | com.mxdzftcek.nnafdewej
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | com.mxdzftcek.nnafdewej
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) (1 TTPs)

Queries information about running processes on the device (1 TTPs, 1 IoCs)
Application may abuse the framework's APIs to collect information about running processes on the device.
description | ioc | Process
Framework service call | android.app.IActivityManager.getRunningAppProcesses | com.mxdzftcek.nnafdewej

Queries the phone number (MSISDN for GSM devices) (1 TTPs)

Acquires the wake lock (1 IoCs)
description | ioc | Process
Framework service call | android.os.IPowerManager.acquireWakeLock | com.mxdzftcek.nnafdewej

Makes use of the framework's foreground persistence service (1 TTPs, 1 IoCs)
Application may abuse the framework's foreground service to continue running in the foreground.
description | ioc | Process
Framework service call | android.app.IActivityManager.setServiceForeground | com.mxdzftcek.nnafdewej

Performs UI accessibility actions on behalf of the user (1 TTPs, 8 IoCs)
Application may abuse the accessibility service to prevent its removal.
ioc | Process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | com.mxdzftcek.nnafdewej (this row is repeated 8 times in the report)
Queries information about the current Wi-Fi connection (1 TTPs, 1 IoCs)
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
description | ioc | Process
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | com.mxdzftcek.nnafdewej

Queries the mobile country code (MCC) (1 TTPs, 1 IoCs)
description | ioc | Process
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | com.mxdzftcek.nnafdewej

Reads information about phone network operator. (1 TTPs)

Requests accessing notifications (often used to intercept notifications before users become aware). (1 TTPs, 1 IoCs)
description | ioc | Process
Intent action | android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS | com.mxdzftcek.nnafdewej

Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTPs, 1 IoCs)
description | ioc | Process
Framework service call | android.app.IActivityManager.registerReceiver | com.mxdzftcek.nnafdewej

Schedules tasks to execute at a specified time (1 TTPs, 1 IoCs)
Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
description | ioc | Process
Framework service call | android.app.job.IJobScheduler.schedule | com.mxdzftcek.nnafdewej

Uses Crypto APIs (Might try to encrypt user data) (1 TTPs, 1 IoCs)
description | ioc | Process
Framework API call | javax.crypto.Cipher.doFinal | com.mxdzftcek.nnafdewej

Checks CPU information (2 TTPs, 1 IoCs)
description | ioc | Process
File opened for read | /proc/cpuinfo | com.mxdzftcek.nnafdewej

Checks memory information (2 TTPs, 1 IoCs)
description | ioc | Process
File opened for read | /proc/meminfo | com.mxdzftcek.nnafdewej
Processes

com.mxdzftcek.nnafdewej
PID: 4305
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Queries information about running processes on the device
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries information about the current Wi-Fi connection
- Queries the mobile country code (MCC)
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Schedules tasks to execute at a specified time
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information

    /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.mxdzftcek.nnafdewej/app_dex/classes.dex --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.mxdzftcek.nnafdewej/app_dex/oat/x86/classes.odex --compiler-filter=quicken --class-loader-context=&
    PID: 4366
    - Loads dropped Dex/Jar
Network
MITRE ATT&CK Mobile v15

Persistence
- Event Triggered Execution (1)
- Broadcast Receivers (1)
- Foreground Persistence (1)
- Scheduled Task/Job (1)

Defense Evasion
- Download New Code at Runtime (1)
- Foreground Persistence (1)
- Impair Defenses (1)
- Prevent Application Removal (1)
- Input Injection (1)
- Virtualization/Sandbox Evasion (2)
- System Checks (2)

Credential Access
- Access Notifications (1)
- Input Capture (2)
- GUI Input Capture (1)
- Keylogging (1)

Discovery
- Process Discovery (1)
- Software Discovery (1)
- Security Software Discovery (1)
- System Information Discovery (2)
- System Network Configuration Discovery (3)
- System Network Connections Discovery (1)
Downloads

Filesize: 2.9MB
MD5: 0d7d9356b26d9b11d4e39fe10480c2fc
SHA1: 68ae54bcace0b30543c2a0559785a9a3e8e3e0ef
SHA256: e98c71a9c79147b85f10db33e0cf996775df4e76aa41aac22c3c06f0ae8a5e53
SHA512: dc95471c6b7292d9ac6a9ddf0fecaf827910a018b6ce0ad3e176c976472eaf24375023aa20bd88e7eacbb502a11e7959052c6dc851cc994c9802612ea2841bc6

Filesize: 1.0MB
MD5: 0ccc3dd061e0afd04d2838a00fc8fcbe
SHA1: 7966cf300897e207c466fe7d44ac5a3040d4800f
SHA256: 8c506bd337cbbe36658f2b6416e930eaed0f6eb0df95a469f346825c3a44af9e
SHA512: 4e233916901fb43ff2ca5ef96166176bbc80d83b2951f780da4ca12455666e39952d893a13088c7d5a07459770228b65b02186bb8858e2ccf51bc3836cb880a0

Filesize: 1.0MB
MD5: 8e2bb4eb31ed33f74a1ef37b17b2a050
SHA1: 884a0e722e00335f2ef418bcd66ff13059957d73
SHA256: 893c55ea3f5cbad166714204184bc682ddae18007af20a0ac7cc69d27afa16b8
SHA512: 92b61f2a49cf31f1c16d794284c5874c0d9aa0b1b34a8efdb0a482f2c02f7bc05b432e1476b456e09ec87f98cf1eea30750019ae63eac3db03a7bde706521bbd

Filesize: 4KB
MD5: f2b4b0190b9f384ca885f0c8c9b14700
SHA1: 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256: 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512: ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

Filesize: 512B
MD5: 91f24e8b67a62aedc8eaf58cfea13514
SHA1: 8fa32bbb6e4df99960436b39a695cbd23537d1ea
SHA256: 8d91c35dad2cfb79bf1eb164fb2d69280c80ba28a716726e035b99ecea251998
SHA512: f6ca810360c7505f1485d22133ea575b9e7e7bbfe72ae194b7ef56c97c7dd776b3d95812b82b74efc3252670a1c5183b0ed1e5601816a92457bd724e7249cf8e

Filesize: 32KB
MD5: bb7df04e1b0a2570657527a7e108ae23
SHA1: 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256: c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512: 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Filesize: 108KB
MD5: 8382f635e08fdd31a89e1816df32cae4
SHA1: 1dd82fd0c9b535ff6aa5ec43891ab08fd56b3326
SHA256: d136f84418cbe0c9e3016a3c8d78bf044878e188a4c5f26c36a5f3d44b76176a
SHA512: 8122382c2f534b0c1b6f0b55310695a600cc0d39374138806b18731e6ce4e3b9a5dc33c4f590cb596b0fd78459d650479e1515f1151334867b604b2b71a94a77

Filesize: 173KB
MD5: 040d36583f04d3ee57f8eebaf7163a0c
SHA1: 6f884a681001df9aaf7b6d21b0fe13e99571ba69
SHA256: 6b2f4712d7e62697df27f818548d6c1208221e86484e2362a86ba5d3c8be575f
SHA512: 61dda66a5ade5268b2f9fa88b60ea269f60ae653567f74228872b9371176cb823c2684069fbde9456fa5b20d1af2b9141b737b7416114c7b9926269d657f108b

Filesize: 16KB
MD5: e31a515a750e0cee8b3a136997f13875
SHA1: 210541903034483d08b9ab40f3eb8c1c1862125a
SHA256: c57fba933559cedb299da588c8273fa2c606d4c620bfddcc7b2823f9db9a3f27
SHA512: 40c2bffff1e063f2a697f5a72b28a7f3b87850e8fbf5f0947a4e9c1fb59f0cce9b61e0c0b006e4ba74f8504270be94fa86c0774db190c05c8680ca8b2869ee97

Filesize: 2.9MB
MD5: 8580e2f7d0bfba6111755217749067a6
SHA1: 08217edf7d483086649dd016301504ae2615ef2b
SHA256: e25da5e1168a56506291665bd1eb9ea09fb14e8ff9d73c47bc6bf153804f1064
SHA512: a8ba9c907d989967e472d40eda5caf0cabce6c5ff06bdd43d72113461362accaaf03b66b56b484dc1d97f6f07bb660220ef4456927dc0a03128fc1380a4d2521