hook | ba77429169f0dd19d90b7cd55524569dc6823ea708e26ecac9c2f3ea9e059ab2

General

Target

ba77429169f0dd19d90b7cd55524569dc6823ea708e26ecac9c2f3ea9e059ab2.apk
Size

3.7MB
MD5

9479dd378d9fdaf5968bf0c1b25bfa89
SHA1

503e752805e5d924bab849e57fafc0df2958ed57
SHA256

ba77429169f0dd19d90b7cd55524569dc6823ea708e26ecac9c2f3ea9e059ab2
SHA512

a84afa74265cf2ca550a869405bff4bfa434fb735f1e1ea2d66ef9bae412261e8022ab4d0502b11f767c3c92b15132448c203d5e87fc71390137f6ead673f44d
SSDEEP

98304:vIpQbV2OxM597muPOB+eC11UsaJHqVMKKRW:vaGLa9LPdTfaVquKKQ

Score

10^/10

hook collection credential_access defense_evasion discovery impact infostealer rat trojan

Malware Config

Extracted

Family

hook

C2

https://net.syshimyjoki.shop

AES_key

Signatures

Hook
Hook is an Android malware that is based on Ermac with RAT capabilities.
rat trojan infostealer hook
Hook family
hook

Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection defense_evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.tencent.mm
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText	com.tencent.mm
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.tencent.mm

Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

collection credential_access impact

Clipboard Data

T1414

Transmitted Data Manipulation

T1641.001

description	ioc	Process
Framework service call	android.content.IClipboard.addPrimaryClipChangedListener	com.tencent.mm

Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs

Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

discovery

System Network Connections Discovery

T1421

description	ioc	Process
Framework service call	android.net.wifi.IWifiManager.getConnectionInfo	com.tencent.mm

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.tencent.mm

Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.tencent.mm

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	com.tencent.mm

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	com.tencent.mm

com.tencent.mm
1⤵
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Queries information about the current Wi-Fi connection
- Queries the mobile country code (MCC)
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:4798

Network

MITRE ATT&CK Mobile v16

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Input Injection

1

T1516

Virtualization/Sandbox Evasion

2

T1633

System Checks

2

T1633.001

Credential Access

Clipboard Data

1

T1414

Input Capture

2

T1417

GUI Input Capture

1

T1417.002

Keylogging

1

T1417.001

Discovery

System Information Discovery

2

T1426

System Network Configuration Discovery

3

T1422

System Network Connections Discovery

1

T1421

Lateral Movement

Collection

Clipboard Data

1

T1414

Input Capture

2

T1417

GUI Input Capture

1

T1417.002

Keylogging

Screen Capture

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

1

T1471

Data Manipulation

1

T1641

Transmitted Data Manipulation

Input Injection

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/com.tencent.mm/no_backup/androidx.work.workdb

Filesize
4KB

MD5
7e858c4054eb00fcddc653a04e5cd1c6

SHA1
2e056bf31a8d78df136f02a62afeeca77f4faccf

SHA256
9010186c5c083155a45673017d1e31c2a178e63cc15a57bbffde4d1956a23dad

SHA512
d0c7a120940c8e637d5566ef179d01eff88a2c2650afda69ad2a46aad76533eaace192028bba3d60407b4e34a950e7560f95d9f9b8eebe361ef62897d88b30cb

Download Submit
/data/user/0/com.tencent.mm/no_backup/androidx.work.workdb-journal

Filesize
512B

MD5
f98c0627bb1635c058264e2a736239ff

SHA1
3e86df3f79ac513902f2249ebe3eb29b59dfc767

SHA256
b6232f412591d32ae6b7ad739b0a9e90d8de7d4888294099b48c89f0b3b5e3f3

SHA512
899e401f3b7e68522d9b28a1814114a852e7aa1d01a9d14af2f1a5fde98e2e5cb4d99d724c82474e9e77e1685eda5ecb59ab2fd4e22de31ee55e513927c75ecb

Download Submit
/data/user/0/com.tencent.mm/no_backup/androidx.work.workdb-shm

Filesize
32KB

MD5
bb7df04e1b0a2570657527a7e108ae23

SHA1
5188431849b4613152fd7bdba6a3ff0a4fd6424b

SHA256
c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

SHA512
768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Download Submit
/data/user/0/com.tencent.mm/no_backup/androidx.work.workdb-wal

Filesize
16KB

MD5
3f26c7955d90c092b9325a88007ff536

SHA1
f77cc436948ad7a8b7754e9691feb9f42c2b2b70

SHA256
ff4a09a427233f383df9a9e5acb496a020cc4d1e733872b2a730a817cd7fb35f

SHA512
a8bbeee48420fe4dc3c4c828846e2ed440bcc10779d5ef24c7063fe2c39298293f8ffd6184e9914df0e937e91f5bc0b5438dab9d9e95255adf9caa1e751dd0e4

Download Submit
/data/user/0/com.tencent.mm/no_backup/androidx.work.workdb-wal

Filesize
108KB

MD5
f1c0c245632e30bd8b14ac2e384d7aba

SHA1
d498db35897fff90203c9ff3020c707bc81c4a77

SHA256
3aa7a28ef23cbbb2d15d63f05bef8535a3ce2958dd8455651e7036c6ad0ef193

SHA512
e9292c7a541ecb01c3b7e92f0421cd998e0733a2c98ba46ce6fc006d4467d05f4e52cd32e139c9f578128d39943f89af9f949505bde2a0f68e42e4f35948e73d

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v16

Replay Monitor

Loading Replay Monitor...

Downloads