Analysis
-
max time kernel
149s -
max time network
152s -
platform
android-9_x86 -
resource
android-x86-arm-20240910-en -
resource tags
-
submitted
13-02-2025 22:04
General
-
Target
c1d33a05269fe06bd5ec9a2c9c8496f9e2d64b2299aa88fc5a4976e2f64cc806.apk
-
Size
4.9MB
-
MD5
583d358ff60f7c40fa4c4a408746307b
-
SHA1
df4a72c62ee5a0a3cec8d1eb04215e66d3352635
-
SHA256
c1d33a05269fe06bd5ec9a2c9c8496f9e2d64b2299aa88fc5a4976e2f64cc806
-
SHA512
e1930961953cd8abb7bcb9b0186d2b041fdeb2bc6537dc8286879d4bc497f9e8955f3ccbfdd46eede675ab046b8bb5268a04c9cc40bf287618898506a25c6c1f
-
SSDEEP
98304:xZ2zMftM0Lhe4DQ8ZvippmqGNyLnJ77fcfR0TUy76yamq+bmebhtMU2nEdV:xwutM0L/ZvY4y7ZfcfROOxB+CmNJT
Malware Config
Extracted
hook
http://176.65.134.87
Signatures
-
Hook
Hook is an Android malware that is based on Ermac with RAT capabilities.
-
Hook family
-
Loads dropped Dex/Jar 1 TTPs 3 IoCs
Runs executable file dropped to the device during analysis.
-
Makes use of the framework's Accessibility service 4 TTPs 3 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
-
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries information about running processes on the device 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about running processes on the device.
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Acquires the wake lock 1 IoCs
-
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
-
Performs UI accessibility actions on behalf of the user 1 TTPs 8 IoCs
Application may abuse the accessibility service to prevent their removal.
-
Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
-
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
-
Reads information about phone network operator. 1 TTPs
-
Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
-
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
-
Schedules tasks to execute at a specified time 1 TTPs 1 IoCs
Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
-
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
-
Checks CPU information 2 TTPs 1 IoCs
-
Checks memory information 2 TTPs 1 IoCs
Processes
-
com.uuucfgfjg.gbpeuhueo1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Queries information about running processes on the device
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries information about the current Wi-Fi connection
- Queries the mobile country code (MCC)
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Schedules tasks to execute at a specified time
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
-
/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.uuucfgfjg.gbpeuhueo/app_dex/classes.dex --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.uuucfgfjg.gbpeuhueo/app_dex/oat/x86/classes.odex --compiler-filter=quicken --class-loader-context=&2⤵
- Loads dropped Dex/Jar
-
Network
MITRE ATT&CK Mobile v15
Persistence
Event Triggered Execution
1Broadcast Receivers
1Foreground Persistence
1Scheduled Task/Job
1Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Impair Defenses
1Prevent Application Removal
1Input Injection
1Virtualization/Sandbox Evasion
2System Checks
2Credential Access
Access Notifications
1Input Capture
2GUI Input Capture
1Keylogging
1Discovery
Process Discovery
1Software Discovery
1Security Software Discovery
1System Information Discovery
2System Network Configuration Discovery
3System Network Connections Discovery
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.9MB
MD59549030a483dcd23bc1ad5682a30462f
SHA163f61a94b6dfc9e988f63a6f0e8817acd012c433
SHA256c4b0d4f9bb2e8de5ed907865d4905ef36845c3e8fc8b33a82918c8abd2c4a773
SHA5126a374c86b1bebe04a15aa82b3bce1b0c1bc19934198be8340ff97d77ca49bff1afbcec0a853205fa8cbc9707bd5cb651ff2e63f7ec3041560a35cc11470da13d
-
Filesize
1.0MB
MD5d377533dfd1d649461227fafbab61b5d
SHA1ef486b0d8e37deacb9a0228a7b6e3aa510309216
SHA25653d4054b9e8f02c0fa1a163cf55743006b3e036045ed0bc600d0941ca7131384
SHA51250ee5bfa8a82f3adb824ed6ecdc6e97f29f22a82bb8e86f96490522538ee48df12a08938d09d000765a6deaede529cd3e17211b46c7d307c7d680ec2a8d34b48
-
Filesize
1.0MB
MD593d6ee371978056a6fad04ac50a908ba
SHA1a5380e1978d6d8b956fceeb7661a049367eed072
SHA25658745815a923683c9dd200a996ab314cf4c8ee26537d62e8d72422d89e19a33d
SHA5128256ceacd840d572d7f7e432a09bb0554fdc02774f61e345f475f0225092d826db3933b1af994c0faf15695a0fec2f5c24707c670dba88651e3554b3f2927c10
-
Filesize
4KB
MD5f2b4b0190b9f384ca885f0c8c9b14700
SHA1934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA2560a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1
-
Filesize
512B
MD5fb5f9b8ad7a9847baccd59157d0a5385
SHA1aac99a41193222a69d8be864b72ba85d1db62e1d
SHA256106cec56fb26c8577286dc6f733cb25ea4e174cd7b67c19cb05c466f1fe857a5
SHA512b036adb859c5a55e67f8575345c76eabd6690ec1d4946fc1fddc8e59c18cbfee1c9909c3fda40bff0e866a9d4f6d00ba396f0cad250023ff8a936978109cb9b1
-
Filesize
32KB
MD5bb7df04e1b0a2570657527a7e108ae23
SHA15188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012
-
Filesize
108KB
MD59a76e94e976a13572a0e6e80e9dd0da3
SHA1b600f5739851c680793130fcf279b63f7f1e064e
SHA25612c96e1b2bc9b62d946a4a500e59b1b3ac07256c21b94f05442f631e2eb31568
SHA512954990262936161707c0f7e8656841dcffb7513d193ad61528038cd671a2e07e5caf8a72b47ea3363fd9184f238790f35d942d18241be4da9adf6151c3eda6c9
-
Filesize
173KB
MD55a7d314b24f40d9ffe0bfe90b496da0c
SHA1b7327b5d99e94874a9ce1c874eaeb3b28f377d06
SHA2562555e0f9aedbef984e1c5b6bf7d5252044ff2bbafb5edc35f60891ac466b39ca
SHA512fa0c8c3d41790d89e43e16f0038fbee9048c7b426e1f9fc1a56d5360eaa385008dde2807b4186b7e546edac0448cbd3e5f05a8bc28cbafb41abbeb34e159e02d
-
Filesize
16KB
MD52e69a128d9e6e318c0b5c3a0b14f911b
SHA10a13754d505e8b6ed5a821e4363ea75b75528123
SHA256947c35ce8555819f59dbbcba1405a86f1bc661e651368c937c48fe70fabaac82
SHA5125f153214b2d73006608ab727e620c977af2762664b622eea8fd8cf43f90cf9b91b4715c82e2da2fa1c709b261fe405b5e3644d145a16fe0270bb9c7629df6efe
-
Filesize
2.9MB
MD59a0ac867ece90021a5b7d658a29bfa80
SHA104673ce93dedea662be5a036ac57154cb5142b2a
SHA256ecdf0921b62b73aeff57e8af72da6ce184e718e1d9e27ca32dded9f3ef906dcb
SHA512cb68bad4a4138cf371d35ef96b9c575a9bca9b0543a8292fad64407af1e0a77210609a4185c72d58b12ad6ce2d89162cd26a98bbf5c1bf8ffa63b07b8a27b2b7