Overview

overview

10

Static

static

6

fea50b6212...0f.apk

android-9-x86

fea50b6212...0f.apk

android-10-x64

10

fea50b6212...0f.apk

android-11-x64

10

Analysis

  • max time kernel
    140s
  • max time network
    157s
  • platform
    android_x64
  • resource
    android-x64-20240624-en
  • resource tags

    androidarch:x64arch:x86image:android-x64-20240624-enlocale:en-usos:android-10-x64system
  • submitted
    14-02-2025 22:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fea50b6212487985474e9e99c822b9aa163e4ca80716afda5deccabaf5b6070f.apk

  • Size

    4.8MB

  • MD5

    f3f2e6b14356f048cd6fc706e2a241a3

  • SHA1

    f6adcc71518c39b6ca2875ef72fbcfa4eac8aa12

  • SHA256

    fea50b6212487985474e9e99c822b9aa163e4ca80716afda5deccabaf5b6070f

  • SHA512

    aa64acc22c60eba5800ed0f7960ab0f1d9c010645509096fab454e6d8be769fafe94823a0574a8f3d3bffee8d7b4592f9b6ffd52c81197a870bd775af18e59f0

  • SSDEEP

    98304:tZmkBS8N1NGT93+xQauJJzdxfpUYX3BZbpAOSKDfW1FXnoV:tVI8r8ThgYrppUYX3BuoV

Score
10/10
hookbankercollectioncredential_accessdefense_evasiondiscoveryevasionexecutionimpactinfostealerpersistencerattrojan

Malware Config

Extracted

Family

hook

C2

http://176.65.134.87

DES_key
AES_key

Signatures

  • Hook

    Hook is an Android malware that is based on Ermac with RAT capabilities.

    rattrojaninfostealerhook
  • Hook family
    hook
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectiondefense_evasioncredential_access
  • Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

    Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

    collectioncredential_accessimpact
  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
    bankerdiscovery
  • Queries information about running processes on the device 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about running processes on the device.

    discovery
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    defense_evasionpersistence
  • Performs UI accessibility actions on behalf of the user 1 TTPs 5 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

    discovery
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
    discovery
  • Reads information about phone network operator. 1 TTPs
    discovery
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
    persistence
  • Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

    executionpersistence
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
    impact
  • Checks CPU information 2 TTPs 1 IoCs
  • Checks memory information 2 TTPs 1 IoCs

Processes

  • com.leyetbncj.uitqzcaeg
    1⤵
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Obtains sensitive information copied to the device clipboard
    • Queries information about running processes on the device
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries information about the current Wi-Fi connection
    • Queries the mobile country code (MCC)
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Schedules tasks to execute at a specified time
    • Uses Crypto APIs (Might try to encrypt user data)
    • Checks CPU information
    • Checks memory information
    PID:4968

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

1
T1603

Persistence

Event Triggered Execution

1
T1624

Broadcast Receivers

1
T1624.001

Foreground Persistence

1
T1541

Scheduled Task/Job

1
T1603

Privilege Escalation

Defense Evasion

Download New Code at Runtime

1
T1407

Foreground Persistence

1
T1541

Impair Defenses

1
T1629

Prevent Application Removal

1
T1629.001

Input Injection

1
T1516

Virtualization/Sandbox Evasion

2
T1633

System Checks

2
T1633.001

Credential Access

Clipboard Data

1
T1414

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Discovery

Process Discovery

1
T1424

Software Discovery

1
T1418

Security Software Discovery

1
T1418.001

System Information Discovery

2
T1426

System Network Configuration Discovery

3
T1422

System Network Connections Discovery

1
T1421

Lateral Movement

Collection

Clipboard Data

1
T1414

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Screen Capture

1
T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

1
T1471

Data Manipulation

1
T1641

Transmitted Data Manipulation

1
T1641.001

Input Injection

1
T1516

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/com.leyetbncj.uitqzcaeg/app_dex/classes.dex
    Filesize

    2.9MB

    MD5

    6a82c33a37da95f9e508a67318ecee26

    SHA1

    413778bb255c3bbfd1cce28544955bc83450c857

    SHA256

    c84f009404bfc4f248a289e29202bfd81679453763df895bc9e51898eef95156

    SHA512

    f654dc41cc9329f674dce0cd20a21b5b2e57957361e1df56b6ec236f3654cd136ae9e4a996642121ecd19ea6509d54bb24275b9a6ecff75c97159570fbce1dff

    Download Submit

  • /data/data/com.leyetbncj.uitqzcaeg/cache/classes.dex
    Filesize

    1.0MB

    MD5

    35657cdfccfe272af1ebf3396f9a8dbe

    SHA1

    7cbe88d162dab65e58eb1a845f14911f055e6180

    SHA256

    4166548bfd8de94d908f0406721b17835d1d07f28c638b6f710b47aec15b2d4e

    SHA512

    5e63b9182c525e58a1349e353a9d7d6ef3fe05f59fb62275232be5adf312b95295d3c771d1c1b35882aa3c290903d221ef91dd83d03c4a0c0a8b0b4e716b84be

    Download Submit

  • /data/data/com.leyetbncj.uitqzcaeg/cache/classes.zip
    Filesize

    1.0MB

    MD5

    a14470c498205ceedb616c6fc9c06064

    SHA1

    0285a2b9ff5dbabec10c53dd7359bbbaf9a01711

    SHA256

    2d69b664432d30b9121e15c304a431ce2b45e57df1304850c86228d087964f34

    SHA512

    dbbd04ec4e16505501aa786b5f354ba1dbd02ebd16961f6d8c14dc3602d0d49a815c65a82cba54c4a8a16a6177c2ac0633c2242c40b0f310622b131aa946b282

    Download Submit

  • /data/data/com.leyetbncj.uitqzcaeg/no_backup/androidx.work.workdb
    Filesize

    4KB

    MD5

    f2b4b0190b9f384ca885f0c8c9b14700

    SHA1

    934ff2646757b5b6e7f20f6a0aa76c7f995d9361

    SHA256

    0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

    SHA512

    ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

    Download Submit

  • /data/data/com.leyetbncj.uitqzcaeg/no_backup/androidx.work.workdb-journal
    Filesize

    512B

    MD5

    07e9f4ee2adcd582cf22f72ff92bbeda

    SHA1

    72bc03916d1a853f475c3a1b55587585b1519b0e

    SHA256

    600b5edcc7afcd46736565da8f60cef7b1aed47c91cc3bf0680847d79f372fc9

    SHA512

    e89339cc2ef2e548fa0bf6786f942804464ccc7f2a1bec47832d87088800465eeb89fcd335b024d2e6628501589f4284c554373fe7f580a2a5bf65ac2b9b2db6

    Download Submit

  • /data/data/com.leyetbncj.uitqzcaeg/no_backup/androidx.work.workdb-shm
    Filesize

    32KB

    MD5

    bb7df04e1b0a2570657527a7e108ae23

    SHA1

    5188431849b4613152fd7bdba6a3ff0a4fd6424b

    SHA256

    c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

    SHA512

    768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

    Download Submit

  • /data/data/com.leyetbncj.uitqzcaeg/no_backup/androidx.work.workdb-wal
    Filesize

    16KB

    MD5

    2b913855a89f9b09515ff1d39ca759c0

    SHA1

    7bca591c22d5df508345ce7af294534ce43f3f24

    SHA256

    9fe5870d1e887df12c612565671087a86df4d33d3f7408b019fdeed74461712f

    SHA512

    e00902e78ecd9f66978471e1de44d46255f6bf13a0cdc758533c9a9e1e5ddeb8c410f5e59fa73dd273818e6d44864896ca766d43aa112624b212a1faeed7ec06

    Download Submit

  • /data/data/com.leyetbncj.uitqzcaeg/no_backup/androidx.work.workdb-wal
    Filesize

    108KB

    MD5

    c4ed2197a9029fc686f6a080ebdf786f

    SHA1

    a5c910d93599727d7b94231a2664fbbc50057275

    SHA256

    f8c10feab4c4fd9a36fe54d2a6a5d54d51d997d0973e32dd07218b28f940ab91

    SHA512

    5db76451583eaf42022c3066684681c23c1e17e88c51259061a8f372498b2de66b28951bd65ac4d3512c048eb651eba139cf83b7fa4bb96dc2faf421c902404e

    Download Submit

  • /data/data/com.leyetbncj.uitqzcaeg/no_backup/androidx.work.workdb-wal
    Filesize

    173KB

    MD5

    06fa47e9ff5345a6bb2ba3b0181abc99

    SHA1

    734078081b9936d485cd9f5008d27ef20ff399c4

    SHA256

    190bcaed1d2ac6f617bfa6a6598b14bcfb73d2fa1fd90d6ce7e8afa8c2690334

    SHA512

    9af373435e17db71d711d4470ffdb229dd13f1ef66c232fbbcfd40fbfb5c68e5edc870ed711d80d4ea24b932f18f98c5720586f6aeff60ab843e1878de8e12bb

    Download Submit